Monday, 30 October 2017

Is there a role for social media to solve the "web of trust" issue?

Public key encryption is a great system - it allows private communications to someone simply by knowing their public key.

The issue is that of "identity". There is no real way to know that someone's public key is theirs. Yes, the key is accompanied by additional information such as name and email address, and that is signed by the private key so we know it all goes together. However we don't know it is not all simply made up by someone else.

This is solved in many ways - I have a PGP key fingerprint on my business cards. This means that after a face to face meeting, someone can check the person they actually met matches a public key they find on the internet. They still do not know for sure that the person they met is Adrian Kennard, but they know they are communicating with the person they met (assuming I am not giving someone else's key out for some obscure reason).

The other way is a "web of trust" - when you meet someone, and by some means you confirm their identifying information in their public key matches up to them (check passport, driving licence, etc), then you counter sign their key. This is what happens at key signing parties (honest, that is all, it is not some euphemism).

The idea is that with people signing other people's keys you can create a chain of signatures from someone you know personally to the key you want to check. And indeed, by having multiple paths, and a score of "trust" in each signature, you can create a threshold for trusting the "web".

This ultimately allows you to trust people you do not know without the need for a trusted central authority model. Obviously, if trusted central authorities, like banks, and Companies House, actually participated, that would help massively.
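To make the "multiple paths, score and threshold" idea concrete, here is an added example (not part of the original post) that works out which keys end up trusted from a set of signatures. The defaults mirror GnuPG's classic trust model (1 fully trusted or 3 marginally trusted signers, chains up to 5 deep); the key names, the signature graph, and the rule that full and marginal signatures add up as fractions of their thresholds are assumptions made for the illustration.

```python
from collections import defaultdict

FULL, MARGINAL = "full", "marginal"


def valid_keys(me, signatures, ownertrust,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: chain depth} for every key that reaches the trust threshold.

    signatures: iterable of (signer, signee) pairs.
    ownertrust: how far *I* trust each key owner to check identities properly.
    Only signatures made by keys that are already valid count towards the score.
    """
    signers_of = defaultdict(set)
    for signer, signee in signatures:
        signers_of[signee].add(signer)

    depth = {me: 0}
    for level in range(1, max_depth + 1):
        newly_valid = []
        for key, signers in signers_of.items():
            if key in depth:
                continue
            if me in signers:                      # I checked this one myself
                newly_valid.append(key)
                continue
            introducers = [s for s in signers if s in depth]
            full = sum(ownertrust.get(s) == FULL for s in introducers)
            marginal = sum(ownertrust.get(s) == MARGINAL for s in introducers)
            # full/completes_needed + marginal/marginals_needed >= 1, in integers
            score = full * marginals_needed + marginal * completes_needed
            if score >= completes_needed * marginals_needed:
                newly_valid.append(key)
        if not newly_valid:
            break
        for key in newly_valid:
            depth[key] = level
    return depth


# Constructed sample data: names and signatures are invented for the example.
ME = "me"
SIGNATURES = [
    ("me", "alice"), ("me", "bob"), ("me", "carol"),    # people I met in person
    ("alice", "dave"),                                  # one fully trusted signer
    ("bob", "erin"), ("carol", "erin"),                 # only two marginal signers
    ("bob", "frank"), ("carol", "frank"), ("dave", "frank"),  # three marginal signers
    # A cluster of accounts vouching for each other, with no path from me:
    ("sock1", "sock2"), ("sock2", "sock3"), ("sock3", "sock1"),
    ("sock1", "fake_bank"), ("sock2", "fake_bank"), ("sock3", "fake_bank"),
]
OWNERTRUST = {"alice": FULL, "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}

if __name__ == "__main__":
    for key, d in valid_keys(ME, SIGNATURES, OWNERTRUST).items():
        print(f"{key:10s} valid at depth {d}")
```

Any number of keys signing each other gains nothing until someone already inside the web signs one of them, so the exposure is the real contacts who counter-sign carelessly rather than the size of the outside cluster.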

So how could we improve the web of trust?

Well, I wonder if this is actually a role the likes of Facebook could take on. This already creates a web of contacts, and most of my "friends" I know personally and can be sure the Facebook persona is the person I know. They would need to prompt people to confirm how well they know their friends, not when they follow but maybe a few months later. But ultimately that could mean allowing a signature chain to be created to join up digital keys...

I have not worked out the details - as one issue is that not everyone has keys, and I have not told Facebook my public key, but done right it could mean people that do put public keys on Facebook could get a load of additional signatures based on a web of social media trust.

I have also not tried to work out how the whole thing could be heavily trolled.

Comment?

Winter is coming

Just occasionally I find something I thought I knew, and have known for all my life, comes in to question, and today it is the very definition of the word "Winter".


To me, that has always been "the cold bit of the year". There are four seasons (we're talking UK here). I had not really considered if they are equal parts of the year or if Spring and Autumn are somehow smaller or not. But for me, Winter has always been the bit where it is cold, and Summer the bit where it is hot.

But when exactly does winter start and end? Well, if I had to think about it I would clearly put the middle of Winter as the Winter solstice - around 21st December. It is the point when the days finally start getting longer and so there is more sun and more heat and we are finally "coming out" of winter.

Indeed, a bit of research shows the term "midwinter" dates back to the 12th Century, and is "around the winter solstice". That makes it the middle of winter.


Therefore, if I had to pin any dates on it, I would say it is from just over six weeks before to just over six weeks after the Winter solstice. So starting early November and going on until late February.

Interestingly, the UK met office define winter as the whole months December, January and February, largely for convenience of making it whole calendar months for each season. In some ways this fits with the fact I would say February is usually colder than November, simply from my own memory and experience.

I found a nice graph which seems to show that February is colder than November, which fits my feeling on the matter. I am told this is partly because the seasons lag slightly due to the way the Earth retains heat (or lack thereof). So logically the middle of Winter may be the Winter solstice, but temperatures lag by a few weeks.


Even so, from a purely astronomical point of view, I would still have firmly placed my idea of Winter centred around the Winter solstice.

The met office, and several other sources, say this is not the case! They say that from an astronomical point of view Winter STARTS on the Winter Solstice and runs to the Spring equinox. Summer STARTS on the Summer solstice and runs to the Autumn equinox.

This just does not fit with my view of winter, or of "midwinter" being the Winter solstice, a view that clearly dates back hundreds of years.

How did this happen - how did astronomers decide that the shortest day, which is clearly somewhere within the "cold bit of the year" would be the START of Winter, and not the middle?

It makes no sense to me, sorry. It can only mean I have misunderstood what "Winter" actually means for my whole life. Am I alone? What next, making Pluto a planet?

Saturday, 28 October 2017

Twitter Troll

I am not that good at being a "troll" in that I think a key part of being a troll is lying. Maybe I have that wrong, but I think it is the case, and I am really not good at lying.

Even simple "winding up", the very essence of "trolling", I fall down at.

So when I recently took on the role of a twitter troll I really was massively out of my depth. It all started with this...


Yes, the popular comic Dilbert had made a reference to a specific twitter user by username, @coffeesixhairs.

By some fluke of timing, when I saw this I went to twitter and somehow the username was available, so I got it. I am @coffeesixhairs!

I decided the name would be "Anonymous Troll" to match the cartoon, and then what should I pick for an image? Well I went for Wally in dark glasses as that would clearly be enough to fool the average PHB.

I did consider only tweeting Wally comments from old cartoons, and I have managed that with the first two tweet replies, just. It seems like it will be a lot of hard work to keep that up, and, much like Wally, I am a bit allergic to hard work.

So I don't really know what to do next - I am not naturally a troll. At least one follower thinks I am in fact Scott Adams, and I feel bad about that. And that is why I am coming clean, to be honest.

Maybe I should sell @coffeesixhairs? Or give it away? Or just delete it? Moral dilemma!

P.S. @coffeesixhairs has 280 character tweeting!!!!

BT Light user scheme

This is a bit of history...

When BT were the only telco in the UK, one of the things they had was a light user scheme. This was a totally automatic system which meant that if you used below a certain number of call "units" in a month you got an automatic discount per unused unit off your line rental.

It meant those not making any calls, or few calls, got line rental at a much lower level. It was the "social" tariff of the day as there were no "call bundles" or crap like that.

I remember those days, BT was simple to deal with, and they had sensible compensation for faults. Why did we ever change? Oh well...

I had a phone line, and back then I was living seriously on a budget. I also had a BT calling card allowing you to enter a long code on a phone box to make a call on your home phone bill. That itself was fun, as the payphone sent a DTMF sequence reporting its number and you could hear it do that. I did decode that once using calling party clear calls to the payphone.

The fun thing was that calls from my home phone line were circa 5p per unit, and calls using BT calling card were circa 10p per unit, both on my home phone bill.

I used Mercury when it was launched. It meant that most actual calls were made with a prefix and a code and charged by Mercury and not BT. So my BT usage was "light". As such I benefited from the light user scheme.

But I did, occasionally, use my BT calling card. And those calls appeared on my bill. As this meant some usage then the light user scheme rebate was impacted by my calling card usage.

However, the calling card had the impact that each 5p I spent reduced the rebate as one unit, and not each "unit" I spent (remember the calling card charges 10p/unit not 5p/unit).

I complained, and was told the advert/leaflet was not the "formal" price list, and that explained the actual rules. So I asked for the price list.

I got a thicker glossy brochure that said the same, the rebate is unused units not unused money spent. But it too had the caveat of not being the formal price list.

Eventually after many calls to BT they put me on the mailing list for the actual price list, and it was a big blue binder (later to be two binders) with every single service BT sold, and the pricing. From fractions of a penny for some services to millions of pounds for others. It was really interesting for a geek like me. It was a really useful reference many times when dealing with BT for many years.

It said the same, unused "units" get a rebate, not unused "5p spent". I won my argument over like 25p of line rental.

They eventually changed the rules not to allow use of Mercury for the social tariff, which is a lot like what we see now, charging more if you dare use someone else for your calls. Now it is charging more if you dare use someone else for your broadband, and we (AAISP) are on the receiving end of that bad contract being allowed under UK telecoms regulation. I see the need for a social tariff, but not the need for a price that depends what else you buy from competitors.

But there is a funny story, such that I should thank BT for their ineptitude, hugely. I would not be here today if not for the above story. I'd be working for some large telecoms company still, I bet.

One day the courier that delivered the frequent (every week to two) updates to the formal BT price list (yes, on paper), accidentally mixed up the two distinctive Tyvek envelopes and delivered my update to someone else in Bracknell, and his update to me. Or maybe the other way around. But the courier wanted to fix it when he realised, and the result is I ended up in touch with the other telecoms pedant in Bracknell, now a friend of mine, Kev. We went on to make FireBrick after many meetings in a pub, and that is the basis of our Internet service at AAISP.

So thank you BT for being so inept that I signed up for the BT Price List.

Friday, 27 October 2017

Advantage anyone not using Openreach?

There is a village where a friend of mine provides the villagers with broadband via WiFi, if they want.

In theory he competes with me. I (as AAISP) could provide them with broadband (internet access) via their phone lines.

We work on a pretty level playing field here - he has costs and so do I. To be honest it is a nuisance that my services "requires a phone line" to work and his does not. That is a disadvantage to start with. Thankfully they all have a phone line, phew.

Some of them do not need to make any calls on that line, or few calls, or won't need to once they have internet and VoIP systems. So they are perfect candidates for OFCOM's latest idea, a cheap phone line for people that want a phone line only. Reduced to only £11.99 a month and no call packages, instead of £18.99 a month.

If they buy from my friend for their broadband, they can continue with that £11.99 package from BT and the reliability of that hard wired phone line for incoming calls and emergencies.

If they buy from me (as AAISP) they will now be stung by a price hike from BT to £18.99 with a call package they do not need. The "line only" package will not be allowed. It is allowed for my friend to offer broadband via WiFi, but not for me.

That did not use to be the case!

Suddenly, due to an OFCOM ruling, the "access to an Openreach metallic path" for broadband now has an extra cost. An extra £7/month.

I think we pay our way - we pay to access those wires, and a fair price. So why are we penalised by this? Please OFCOM, explain the logic of this change.

Why does access using Openreach now come with an extra £7/month catch - a cost my potential customer will have to pay that was not there before? Of course I say that but one company using Openreach is immune, and that is BT Retail themselves as they can choose to make a line+broadband bundle.

TBH, I am shocked that Openreach (as a logically separate part of BT) is not up in arms over this. They should be, as they will lose business over it. There is now a £7/month advantage to anyone not using Openreach wires to offer internet access!

BT can fine you for getting broadband elsewhere?

OFCOM have announced some changes which seem to allow BT to fine people for getting broadband elsewhere!

Basically, if you have a phone line only from BT, with no call packages, it is likely soon to be available for only £11.99, which is great.

However, if you then come to someone like AAISP for broadband, then BT will hike your phone line price up to £18.99 because you dared to buy broadband from a competitor.

This seems to be a deliberate move by OFCOM, which is really weird as OFCOM actually state "Ofcom also wants to help people who buy a telephone service fromone[sic] provider and broadband from another."

So far on twitter all OFCOM have said is things like "we consider that there is already a highly competitive bundles market offering these consumers better value for money" and pointed back to their web site. They have since confirmed this is what they intend though! It also seems that they clearly recognise that BT will offer a "bundle" which will effectively negate the £7 price hike if you go with BT for phone line and broadband. Also, their tweet makes no sense as "these customers" are those wanting phone line from one provider and broadband from another. These people cannot get a "bundle" for the two because they are different providers. These are the people OFCOM claim they want to "help".

To be clear, we are not comparing "buying a bundle" with "buying separately", which is something OFCOM mention and expect the bundle to be better value, which makes sense. No. We are comparing "NOT buying a bundle from BT" with "NOT buying a bundle from BT". Why the difference in price?

It is no different than saying BT can increase line price if you buy a mobile phone from someone else, or buy a particular brand of washing powder. It makes no sense.

It is also not clear what BT customers, that do not make calls, get for this extra £7/month exactly. After all the broadband side is paid by the other ISP independently. If customers get no more service from BT for this extra money charged then it is just a fine, plain and simple.

Assuming this insanity goes ahead it really is unclear how the actual mechanics of it will work.

It is not clear if OFCOM expect ISPs like AAISP to warn potential customers of the BT fine when buying from us. I doubt the availability checker tells us that this will happen, so that will be difficult. Maybe that will be added to the checker so we can warn people. I can imagine ADR cases over this, and we'll have to start "by buying broadband from us, BT retail will fine you £7/month by way of extra line rental - are you sure you want to go ahead?". I suspect the ASA may even have something to say if we did not include that cost in adverts.

It is not clear how BT will do this in their contract with the customer. I mean, what if a husband buys phone line from BT and the wife buys broadband from AAISP on the same line. Husband won't have broken any contract with BT, so why the penalty? Also what of a case of someone that buys phone line only from BT and their employer buys broadband (from other ISP) on the same line for working at home? Will employer be expected to compensate the employee the extra £7/month in such cases? Will that be taxable benefit in kind or just expenses?

It is not clear how Openreach will notify wholesale line customers when broadband is "attached" to the line so that they know to hike the price. I have not seen B2B/XML messages for that yet. Or will there be a new Openreach service to block ADSL or FTTC being added to a line? That will be tricky when moving line and broadband in one go.

Importantly it is not at all clear how the hell this cannot be seen as hugely anticompetitive and damaging to smaller ISPs that use Openreach lines for broadband, especially those not doing wholesale line rental.

What gets me is the clear and obvious group of people that want a "phone line" only tariff in the first place, i.e. no call bundles, are people that want the line only to support broadband, yet OFCOM seem to try and exclude exactly those people from this arrangement. It makes no sense at all.

Small ISPs without wholesale line rental packages are going to be screwed. And those that try to take it on face a nightmare of R&D for B2B XML and way more if they try to offer calls as well.

What should happen?

It is clear that BT Retail should offer a line only package, as they used to long ago, for people that do not want call bundles. There is a clear need for PSTN lines without calls. The wholesale price for the PSTN line is low - BT Retail can still make a profit offering a line only package with no call bundle.

You could argue that I am being daft - AAISP offer line only for £10 so we are competing with BT on the line only part, why would I want BT charging less? The simple answer is thinking of our customers who should not have to change line providers if they don't want to.

It is also clear to me that whether or not someone pays another ISP to put broadband on that line (something the other ISP pays BT for separately) should not have any impact on this. Just as the customer's choice of mobile phone contract, or choice of washing powder, should not impact it.

It baffles me, given OFCOM's stated aim to help people buying from multiple providers, why they have not come to the same conclusion.

What are AAISP doing about it?

I am all for competing fairly, really. I fully understand buying separately can cost more, and if we are one part of that then fair enough. I don't mind competing in bundles. But to make it so that someone buying separately not only has the extra overall cost of doing that, but also gets fined by one of the providers, that is crazy and really seems anticompetitive to me.

We already offer a phone line with no calls for £10 inc VAT per month to support broadband from us. So moving line to us and taking broadband avoids the £7/month price hike, which is good. We don't try to compete on price, but the bundle does not work out too badly even so. But why should people be effectively forced to move the phone line part? We offer no calls, so people that want incoming calls or occasional outgoing calls will not find what we offer suitable. We do offer a package to move a BT number to VoIP at the same time, which helps address this in part. But we don't want to force people to move their lines to us if they don't want to.

If we can tell a customer is on this special tariff when ordering, we'll add a warning about the BT fine. I doubt we'll be able to tell though as I don't think OFCOM really thought this through somehow.


P.S. Some more thoughts...

BT have this tariff that is line only, and a condition will be that you must not have broadband on it. I already covered the case of someone else having broadband on it... But...

What if you get broadband from someone via WiFi/WISP or fixed 4G router or even Virgin. Will BT charge more for their line rental in that case too?

If so, that really does highlight how fucking stupid this is.
If not, then it really does highlight how anticompetitive this is if a small ISP indirectly stings you for £7/month extra because they use DSL over Openreach lines but a WiFi/WISP does not. How can we compete on a level playing field with that?

Basically the only way this makes sense is if OFCOM consider that ISPs using SMPF and FTTC on a line are not paying their way for that access. Is that really what OFCOM think?

Picking holes in a TV show, again...

I had an old episode of Stargate Universe on, S1E19 Incursion, Pt 1...

There is a scene where Young vents the air from the room in which Telford is held, killing him, and then he goes in and resuscitates him. This is to defeat the brain washing that he has suffered.... Fair enough, that is the plot.

For a change, the issue I have is not a technical one, but an issue with the subsequent scene between Young and Scott. Here Scott explains that if Young had explained that taking Telford to the brink of death would fix the brainwashing he would be behind him 100%, and Young asks if he has to explain all his decisions, and hopes not as then there would be a "problem".


I am wondering why the writers decided to do it like this. Obviously there is an important point of suspense if the audience do not know this is why Young appears to be acting this way, I get that. But why the confrontation with Scott in that way?

After all, the military clearly need a chain of command and soldiers who do not question orders. That stands to reason, but at the same time the military have to operate within certain (somewhat wide) limits, and torturing and killing a prisoner along with a civilian (yeh, Telford was in Rush's body, complicated) is clearly outside those limits. Saying "I was just following orders" is not a good defence, so when that happens it is surely a soldier's duty to question those orders? If nothing else it is pragmatic for the commanding officer to explain his actions if he wants such outrageous orders followed.

The writers could have engineered that Young managed to do this without an opportunity for others to question him, and create much the same suspense as to why he was doing it. They could even have had a more caring "You have to trust that I will do the right thing" type discussion. To me, they created a situation where we now know that Young does do the right thing, and had good reason for his actions, but is simultaneously an arsehole that does not even try to earn the respect of his troops. Maybe that is what they were going for, but it does seem an odd choice.

Bugger, I am not really a literary critic, honest...

Sunday, 22 October 2017

Fraudsters get £120,000 in email scam - who is to blame?

An interesting story in the Guardian yesterday, ‘We lost £120,000 in an email scam but the banks won’t help get it back’.

The story is relatively simple, and one of those cases where the victim of the fraud was the couple that lost the money.

I have spoken out about banks and credit/debit card fraud before, where the bank are the ones being defrauded (someone lies to a bank pretending to be me, the bank believe them and give them money) - in such cases the victim is the bank not the account holder. However, this story is one where the couple in question have been defrauded, not the bank.

They were lied to by a fraudster claiming to be solicitors, and given the fraudster's bank details to which to make a large payment. The story is not 100% clear on how the email exchange was done such that it was with the fraudster and not the actual solicitors, and suggestions are that the solicitors were hacked - but that is not even necessary for such a fraud.

Twitter abounds with cries for changes. Basically, the bank did what they were told and sent money to a specific sort code and account. The CHAPS form the couple filled in will have had the warning about them not checking names, and the bank staff should have explained that, so: "presumably, they knew what they signed up for".

Who is to blame?

We all look for someone to blame, but it is perfectly possible that nobody is to blame - that the fraudster defrauded the couple, and they sent money to the wrong place, simple as that. From the story, the bank simply did as instructed (with the explained caveat that they don't check the name). If the solicitors' email systems were hacked and they were negligent then maybe they have some blame, but this scam could quite easily have happened without the solicitors actually being involved or doing anything wrong.

Should banks check the name on payments?

The issue here is people are surprised banks don't check the recipient name, and are saying that they should. You can see why, and on the face of it I would agree, except...

I am not in banking, but we deal with banks and customers and I can be pretty damn sure that this would not work.

Every day people pay us by bank transfer and get the reference wrong. We tell them the sort code, the account number, and the reference, and people manage to just about get two out of three right. If we had to tell them recipient name as well, then they would get it wrong a lot. If the recipient name had to match then a lot of payments would fail, services would get cut off, late payment charges applied, and arguments about whether people quoted the right name or not would ensue.

We digitally sign the email we send with the bank details on it, by the way.

Even worse, do you know what your bank use as the 18 character version of your name - this is what BACS has for a name, 18 characters. Your account will have one. But even I do not know. I could be:-
  • MR AJ KENNARD
  • MR A J KENNARD
  • MR A KENNARD
  • MR ADRIAN J KENNARD*
  • MR ADRIAN KENNARD
Or any of these without the MR, or any of those with REV instead. Actually the one with a * is too long, so most systems would send MR ADRIAN J KENNAR instead. So I don't even know what to tell people as the recipient name to pay me, and it is not a lot easier for companies - which may use trading names, or have complicated abbreviations to fit in 18 characters.

Just for high value payments?

Arguably, if this was only high value payments, maybe it could be done with some manual sanity check by the receiving bank. After all, CHAPS payments have a fee, which I guess could be made higher to cover that manual work.

So fraudsters would do more frauds on payments that fit within BACS or fast payment levels, but actually, it is not hard for fraudsters to work with this and still get the large payments.

In the story the fraudster made a company - this makes sense as it is easy to make a company and then, as the company is legitimate, easy to get a bank account. So all they have to do is make a company in a similar name.

That means that either the bank's manual checks for a match pass, as name is close enough, or simpler still, the fraudsters use the similar name in their instructions, e.g. "Pay STEED PARTNERS LTD, sort code, X, etc" when the company they are dealing with is Steed & Steed. What normal person would spot that as an error? Indeed, I bet loads of people would just follow the instructions even if a very different name - how many times have you seen companies with a well known trading name that is actually some limited company you have not heard of?

I checked there is not a Steed Partners Ltd, but googling for Steed Partners Ltd gets the Steed & Steed web site all over the place.

So basically checking names would have stopped the specific fraud, but will not stop future frauds which simply need to take a few more steps. It will also have a side effect of breaking many genuine bank transfers and causing a lot of hassle because of that.
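The trade-off described in this section can be measured on a small set of payments. The following is an added example, not from the original post and not any bank's real matching logic: it compares a strict 18-character match with a "close enough" match over the name variants and the Steed scenario given above. The held name `MR AJ KENNARD`, the `Example Telecom` / `EXTEL HOLDINGS LTD` trading-name pair, the token rules and the 0.5 threshold are assumptions constructed for the illustration.

```python
import re

BACS_NAME_LEN = 18  # length of the BACS name field, per the post
# Titles and company-form words ignored by the loose comparison (assumed list).
NOISE = {"MR", "MRS", "MISS", "MS", "DR", "REV",
         "LTD", "LIMITED", "LLP", "PLC", "AND"}


def bacs_name(name):
    """Upper-case and truncate to the 18 characters the name field can carry."""
    return name.strip().upper()[:BACS_NAME_LEN]


def exact_policy(entered, held):
    """Accept only if the 18-character forms are identical."""
    return bacs_name(entered) == bacs_name(held)


def significant_tokens(name):
    """Words left after dropping initials, titles and company-form words."""
    words = re.findall(r"[A-Z0-9]+", bacs_name(name))
    return {w for w in words if len(w) >= 3 and w not in NOISE}


def loose_policy(entered, held, threshold=0.5):
    """Accept if enough significant words agree; a prefix counts as agreement
    so that a truncated surname (KENNAR) still matches the full one."""
    a, b = significant_tokens(entered), significant_tokens(held)
    if not a or not b:
        return False
    matched = sum(any(x.startswith(y) or y.startswith(x) for y in b) for x in a)
    return matched / max(len(a), len(b)) >= threshold


# Constructed cases: (name the payer typed, name on the receiving account, fraud?)
HELD = "MR AJ KENNARD"   # assumption: the post says the real held form is unknown
CASES = [
    ("MR AJ KENNARD", HELD, False),
    ("MR A J KENNARD", HELD, False),
    ("MR A KENNARD", HELD, False),
    ("MR ADRIAN J KENNARD", HELD, False),   # sent as MR ADRIAN J KENNAR
    ("MR ADRIAN KENNARD", HELD, False),
    ("REV ADRIAN KENNARD", HELD, False),
    ("Example Telecom", "EXTEL HOLDINGS LTD", False),   # trading name vs legal name
    ("Steed & Steed", "STEED PARTNERS LTD", True),      # payer types the real firm
    ("Steed Partners Ltd", "STEED PARTNERS LTD", True), # payer types name as instructed
]


def evaluate(policy, cases=CASES):
    """Return (genuine payments rejected, fraudulent payments accepted)."""
    genuine_rejected = sum(1 for e, h, fraud in cases if not fraud and not policy(e, h))
    fraud_accepted = sum(1 for e, h, fraud in cases if fraud and policy(e, h))
    return genuine_rejected, fraud_accepted


if __name__ == "__main__":
    for policy in (exact_policy, loose_policy):
        rejected, accepted = evaluate(policy)
        print(f"{policy.__name__}: {rejected} genuine rejected, {accepted} fraud accepted")
```

Neither setting blocks the payment where the payer types the lookalike name they were given, which is why a name check on its own needs a second control, such as confirming new bank details through a contact route obtained independently of the email.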

What about signed email?

Well, sadly, signed emails still are not common or simple. One of the big issues is that any system typically needs blind trust in third parties (like https uses certificate authorities) or a web of trust (complicated for end user to manage), and some degree of user involvement in the process (not being gullible).

Bear in mind what I said above about Steed Partners Ltd. Once such a company is made and bank account made, a domain name can be obtained, and properly digitally signed with https, and certified signed email set up. The whole lot can be branded to look like the real solicitors, and the whole process can probably be done for under £100 within a couple of days.

So to scam someone, you just have to find someone that is dealing with those solicitors and send them an email (from your similar looking email address) with contact details for payment, and even (your) phone contact details and link to (your) https web site which shows the same contact details. No need to hack the solicitors' email or phone system even, and calls can be made and received to confirm the payment, etc. It is quite easy to say that the email and phone number are your direct contact details. It is easy to get a number in the same area code even.

I do think proper email signing would help a lot in many cases, but it would drive fraudsters to be slightly more sophisticated. Getting people using signed emails is a long game - and one I hope will happen eventually.

Paying HMRC

Someone did suggest banks should have details of known payees and check them. Sounds good, but hang on a second - they do that...

Firstly, if I owe HMRC they send a letter (aka demand) and they have the good sense to include bank details on that. As such, I never have any trouble paying HMRC large sums of money :-(  I am not sure why the couple were paying a solicitor they had not dealt with before, rather than just HMRC - perhaps there are reasons.

Similarly if I want to pay someone I simply put the name in the on-line banking, and known common payees are listed...


What is interesting here is that even though AAISP are listed if you check, Steed & Steed are not! Maybe they should contact their bank and get themselves listed. It seems to be a BACS level thing, so should apply to all banks.

Other ideas!

Maybe the banks should simply adopt a similar view to couriers - and when paying by CHAPS, for a small extra fee you can insure the payment (with a pay out if it turns out to be some sort of fraud). I expect it might be a large fee, and I bet people would turn it down - but if that happens the banks would have an even clearer case for "not our fault".

How did they know?

One thing I have not touched on - how did the fraudster know to send the fake email? Well, there may be ways, if an inheritance, check obits, etc. The other thing people forget is that scammers can spam millions of people with one in a million happening to be dealing with that solicitor that day - it works for bank site phishing frauds. But obviously a better way is if you can access the genuine email, either the solicitors or a load of end user email accounts. Just passively searching emails could find the details you need, but intercepting can ensure a genuine email from the solicitors is removed. For this scam to have worked, there may be more to it than a random email to someone that happens to be expecting an email, and it is guesswork at this stage. It will be interesting if we see how the story pans out.

Conclusion...

At the end of the day, be careful, double check, especially when paying such large sums. As long as people are gullible there will be fraud, and all the checks and technology we put in place will not stop that, sadly.

P.S. As per one of the comments, assuming it is correct, it was the email of the couple in question that was "hacked", so there is nobody but the fraudster to blame really. The police really should be investigating - follow the money, trace who made the company, CCTV of cash withdrawals, etc.

Wednesday, 18 October 2017

Social care / low income mobile tariffs

For a very long time, since before it was BT, there have been special BT tariffs for low income customers. It used to be a "light user scheme", which fell foul of competition from the likes of Mercury for a bit, but has changed over the years.

The principle is that the majority land line provider, BT, has to offer a social care special tariff for people on low income to ensure they can afford a means of communications. It is now called "BT Basic" and "Basic aims to keep phones ringing in the most vulnerable households by charging as little as possible: £5.10 a month." which is not bad.

Indeed, that should perhaps be good enough, but so often these days an actual landline is not what people want, need, or use. Indeed, even £5 a month is a lot more than you need to spend if you go for some really simple "pay as you go" SIM card on a cheap mobile - and remember, non-smart phones can be purchased SIM free for like £9!

So the real question is should mobile operators be required to provide a special low income tariff. I expect they would want to only have to offer to those on benefits.

What would such a package need to offer?

This is just my musings from what I know of how it works...

Many of these things are covered by PAYG packages. What would make sense is a consistent package, basically the same on all of the major networks, with the same costs, so people can make sure they get the right package if they are on benefits and just need to stay in touch.

Obviously it has to be SIM only - the packages that include the "latest phone every 6 months" can only do so by charging enough on an ongoing basis. Cheap SIM free phones are readily available, so this is not a problem for someone on low income that needs to stay in touch. No, it does not get them a nice "smart-phone", but they do cost money, sorry.

In general mobile phone companies can still make some profit on incoming calls, it is not ideal these days, but basically there is a good argument that keeping a SIM live on the network is almost no cost, and even the occasional incoming call can cover that cost. So it makes a lot of sense if such a package has no ongoing rental. That way someone can stay in touch if they have no income and people call them. Some PAYG packages work like that. The same applies to incoming SMS. If you have no money at all and cannot afford to make any calls apart from 080 numbers, people can still call you back.

Freephone calls from mobile are now set up to ensure the mobile operator gets some reverse payment for the call, and so such a service could offer freephone calls (080 at least, even if not 00800) for no charge. The recipient pays.

Mobile data is a tricky one - I imagine that is not "needed" for a social care package, but maybe that is changing and actually it is becoming more important. It makes a lot of sense if this is pre-pay and charged but at some sensible rate. The whole "data" and "access to the Internet" debate is somewhat separate.

I guess outgoing calls make sense to charge on a simple pre-pay, pay as you go basis, but something the operator can manage like 1p/minute to normal numbers and something sensible for actual SMS. I suspect that this is close to cost price for a lot of operators, but this is a social "low income" package here.

Special numbers - a good gesture would be to allow 030 numbers to be free, or a certain number of minutes per month free. This is tricky as they will cost the mobile operator, but they are unlikely to be abused as they are numbers only for government and registered charities. It would make sense for the universal credit helpline to move to an 0300 number for this. I am puzzled as to why they are on an 03 and not an 030 number now!

International calls - a fair price on a pre-pay basis may make sense.

I would be in favour of such a tariff not allowing any sort of premium rate calls or texts at all. They can be a trap for those on low income, especially gambling...

So what do you think?

Should the big mobile operators be obliged to offer such a tariff to people on benefits?

(Yes, as I say, some PAYG tariffs are damn close, but should there be a defined tariff and all operators offering it?)

55p a minute

As reported a lot in the news, the leader of the opposition raised questions of the Prime Minister over the 55p/minute universal credit helpline number.

There have been many stories on this, that 55p/minute is a rip off.

But what is going on? Is the helpline set up on some super expensive premium rate number?

No, it is not. It was on an 0345 number. This is a number charged at normal rates - the same as calling a normal landline. It is not premium rate, no money from calls goes to the recipient. It is no different in cost to the millions of normal landline numbers in the country.

You would be hard pushed to find which tariff has the 55p/minute charge, and apparently there is one, a mobile package that, when calls are out of bundle, does actually charge 55p/minute for calling normal landline numbers and so for calling the helpline.

The issue is a stupid issue blown out of all proportion. It is not an expensive number, it is an expensive mobile phone contract which is expensive for all numbers.

Pay as you go mobile SIMs are readily available charging a few pence per minute, and in fact most mobile and landline contracts have an "inclusive minutes" package which includes such calls at no extra cost at all. If someone chooses a mobile contract that charges 55p/minute to call normal numbers, that is their look out - there are a lot of alternatives.

What really annoys me about this is that I would love to get the Prime Minister discussing loads of things, real issues that cause problems, but instead we have parliamentary time wasted on a contrived news story like this.

Some poor telecoms manager will be over budget now after being forced to quickly change it to a freephone number, so will be paying a surcharge for incoming calls from mobiles, when previously they did not have to pay for incoming calls and 99% of callers were not paying either as it was in their call bundle.

Is the country now run purely on news stories, even made up ones?

P.S. I have had some interesting comments on this (here and irc). Basically, if the criticism was valid it would surely equally apply to say, my Doctor's surgery, who have a normal Bracknell landline number which would also be 55p/minute on that tariff. Should everyone that could possibly be called by someone on low income be forced to run 0800 numbers?

P.P.S. Holy crap, there are scammers with web sites quoting 0844 (very expensive) numbers that presumably simply call through to the actual number...

Monday, 16 October 2017

Recording

Audio recording of conversations is a tricky business, and call recording is one aspect. The rules and advice and laws have changed. Some aspects are simple telecommunications and "interception" laws, and some can fall in to data protection where the identity of a living individual is apparent from the recording. Even with data protection laws, caveats like "public interest" and "preventing or detecting crime" come in to play. So it is not simple.

We, as a communications provider, sell telephony services where call recording is a standard feature. If you have a number from us even if connected with a mobile SIM, or VoIP phone, we can record calls and email them to you as a standard feature at no extra cost. It is really very useful.

Personally, I record all calls. As a business (A&A) we record all calls. Indeed, for business it is so common it is to be expected and you don't even have to say that calls are recorded (we think).

There are issues with "why" the calls are recorded and "who" gets to access those recordings.

Now, as a service we offer, it is important that our customers understand the rules on the recordings of calls they make or receive.

So later in the year (or next year), in light of GDPR, we need to work it all out. The plan is to make some proper legal advice on call recordings, when and how. I'll be blogging on the matter, and A&A will have advice for customers as much as we can.

At the end of the day, the fact a call was recorded usually only comes up when someone wants to deny what they said, or agreed. Once you get to that the fact you recorded the call is not the issue, it is the fact someone lied, or broke a contract, that matters. They cannot get out of that by saying they did not know the call was recorded. That is saying "If I knew it was recorded I would have told the truth" which is not going to wash with any judge, I suspect.

So watch this space on that...

But there is something weird that happened today. A public body wants a meeting, but their "policy" is (a) you cannot bring a solicitor, and (b) you cannot record the meeting. The second point is odd, well both points are odd, but especially as they say they will be recording the meeting and will send a copy of the recording...

Policy!

They say this is "policy"! Policy is a lovely term and we see it all the time. We have encountered BT policy as a company. We counter such things saying "A&A policy is X". When anyone spouts "policy" they are dictating something as an immutable rule when not considering that the other party may legitimately have their own conflicting "policy" on such matters.

It is my policy to record all meetings... This is one reason it is not me going tomorrow.

Let's record...

So we have pondered some legal points - if all participants of the meeting know it is recorded and know that we will get a copy of the recording, is there any legal impediment to us covertly recording the meeting? I think not... I am not a lawyer, but it is an interesting legal point. Comments?

You also have to wonder why, though? I can think of two reasons. The main one is for them to be able to edit the recording before providing a copy. That is not, in any way, a stated intention, and would be unethical I feel. The other is to hold copyright on the recording - but one could make your own transcript using the recording to ensure accuracy and hold your own copyright on the transcript - so not a useful right to retain. Either way, something wrong with not allowing both parties to make a recording. Neither party making a recording may be a valid thing in some cases, but hard to see why a public body would want such an "off the record" meeting, and they have not said they do. It just makes no sense to refuse us making a recording when they will and provide us with a copy!

So, what to do... We will have to see...

I find myself in one of those situations where I would love to say more - to say which public body, and what is at stake. As you may imagine, doing so at this stage could be a problem legally. But it is an interesting legal point, and I know several legal minds read my blog - so comment away...

What is the law on recording a meeting?

P.S. Thanks for all the interesting comments. Meeting went well enough and no sign of a coverup, which was a surprise. Not something we can say more on at this stage. Solicitors next. Sounds like the no-recording is just bullshit policy crap (incompetence rather than malice).

Blip

I thought I'd share one of the challenges of my day today - a very minor thing but it shows why some software can be such a nightmare. Maybe I can explain it in a way that is easy enough for non engineers to understand.

Sometimes a computer may be doing something wrong. That happens. One example which customers will have noticed is our "blip graph".

What is wrong is pretty obvious in that it is meant to have red (logouts) and green (login) bits, and until a few minutes ago it was only green. It is not a big deal, or highest priority, which is why I am looking today and not yesterday. We use it mostly to identify issues with the network, so it is useful and did need fixing.

What did you change?

One of the key steps in diagnosis of something like this is to look at what you changed. You then try and see if there is some link between what you changed and what is going wrong. In many cases you can just look at the changes and the error sticks out like a sore thumb.

A perfect example would be if I had, for some reason, been working on the code that creates the blip graph from the database, or if I had been working on the code that puts the blip counts in to the database.

I would be able to look at my change, and wonder why my own testing had not shown the problem as well. There are tools to show me exactly what I changed.

It is also really useful if a problem is reported quickly as you also remember why you changed something and what you were trying to actually do as well.

We changed everything and nothing!

The problem is that we changed everything because we have done a major upgrade on clueless. We have also changed nothing, in that none of the code has been changed, just built on the new machine.

The code that makes the blip graph has not changed, and the code that displays the blip graph has not changed. Clearly the database is working as we have some of the blip graph. Indeed, it really made no sense.

Error logs?

One of the key things that lots of systems have are error logs, and we check these. But there are no errors being reported by the system that generates or displays the blip graphs after the upgrade, and were not in the past. So no clues there...

How did it ever work?

After a lot of digging I have found the cause, and it leads to one of those special things that can so often happen with software. HOW THE F*CK DID THIS EVER WORK?!

The "digging" took quite a few hours, because there simply was no logic to it. Nothing had been changed recently in the code, and no errors showing.

I quickly worked out that the displaying side was probably OK, but the database has zeros for the "logouts". The code to record the data looked the same for both login and logout, so how could it only be recording one side?

The eventual bug was a stupid mistake on my part in the code, written 8 years ago. I was comparing a date and time value with a time field in one case because of a simple typo. For the login side I did not have the same typo. It was subtle.

The problem is that the database server used to (silently) decide that I meant to just compare the time part, and get on with it, so it "just worked". Now, some change in the date/time logic in the database means that it considers the comparison not to match - though not an error, so it (silently) does nothing, instead.

The fix was therefore very simple, and now we have working blip graphs. Just one of dozens of small things to check today. So, if you do see things not quite right on clueless, do let us know.
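The failure mode described above, as an added example that is not the code from clueless: SQLite stands in for the real database server, and the `blip` table, its columns and the function names are all hypothetical. It shows only the "after the upgrade" behaviour, where the mistyped comparison matches no rows and raises no error, plus a row-count check that would have turned the silent no-op into something visible in the error logs.

```python
import sqlite3

STAMP = "2017-10-16 09:15:00"  # constructed sample event time


def make_db():
    """In-memory table with one counter row per time-of-day slot (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blip (slot TEXT PRIMARY KEY,"
               " logins INTEGER NOT NULL DEFAULT 0,"
               " logouts INTEGER NOT NULL DEFAULT 0)")
    db.execute("INSERT INTO blip (slot) VALUES ('09:15:00')")
    return db


def record(db, column, stamp, typo=False):
    """Bump one counter for the slot matching stamp; returns rows changed.

    With typo=True the full date and time is compared with the time-only
    field, which is the kind of mistake the post describes.
    """
    if column not in ("logins", "logouts"):  # fixed whitelist, never user input
        raise ValueError(column)
    where = "slot = ?" if typo else "slot = time(?)"
    cur = db.execute(
        f"UPDATE blip SET {column} = {column} + 1 WHERE {where}", (stamp,))
    return cur.rowcount


def record_checked(db, column, stamp, typo=False):
    """Same update, but an UPDATE that touches no row is treated as an error."""
    changed = record(db, column, stamp, typo)
    if changed != 1:
        raise RuntimeError(f"{column}: expected 1 row updated, got {changed}")
    return changed


def demo():
    """Login side is correct, logout side has the typo: returns (logins, logouts)."""
    db = make_db()
    record(db, "logins", STAMP)
    record(db, "logouts", STAMP, typo=True)  # no exception, nothing logged
    return db.execute("SELECT logins, logouts FROM blip").fetchone()


if __name__ == "__main__":
    print("counters after one login and one logout:", demo())
    try:
        record_checked(make_db(), "logouts", STAMP, typo=True)
    except RuntimeError as err:
        print("checked version reports:", err)
```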


I hope that gives some insight in to the perils of programming.

Sunday, 15 October 2017

Clueless

I do feel it worth acknowledging the work of the A&A ops team, and especially Jimi and Brucey, for the upgrade today. They are not alone and we have all been involved in the planning for this. Even those not in the ops team have helped out and tested things, and thanks to customers for ongoing feedback.

We have a core server which has logically been the main database and control pages for everything we do for nearly 20 years. It has had many upgrades, but has got to the stage that we really need to do something new and a big upgrade.

A lot of functions are already moved to new servers, with extra redundancy. The database server moved to a cluster of sql servers. Lots of internal VLANs and VPNs. Lots of backup servers. And much more we can now move and diversify.

But today was the big upgrade of "clueless".

It is interesting to think how "clueless" has changed over the years - at the start it was very much "the" key database server albeit only for our dialup services and even then accounts were very much separate. Now it covers many more services but is far less critical being mainly a front end for staff and customer use. Even so, it is an important server.

For those that do not know, the origin of "clueless" is a cartoon from June 2000.


It is that old in origin. Yes, we have a "pointy" as a test platform for clueless...

The changes are supposed to be simple, but the upgrade is operating system, and apache, and mysql, and, well everything. Apache config has changed enough that despite a lot of planning and testing it has taken hours of work today to get it right. Scary how many things run on clueless, at least for now.

But all tools and scripts, and there are a lot, needed rebuilding and testing and fixing.

There will be some things not fixed until tomorrow, but the basics are all working and the important things were sorted first. Well done all.

Friday, 13 October 2017

Another little gem in the OFCOM CoP

There is another little gem in the OFCOM Broadband Speed Code of Practice in 2.23:

When network infrastructure providers or wholesalers make available the live access line speed that is actually received on the customer's specific line, ISPs must use this as the basis for speed estimates (rather than using an access line speed range for similar lines) in circumstances where they will be using the same infrastructure and access technology to provide service. This must incorporate the measures of contention derived from the testing outlined in paragraph 2.20, and should still take the form of a range, where possible.

So, let's make sense of this. Normally the requirement is to provide a range of estimated speeds that are the 20th and the 80th percentile speed of "similar customers", and set a guaranteed minimum of 10th percentile speed. As I say this makes one in ten lines faulty by definition.

But consider one of those random one in ten that are faulty, getting service. They complain. The ISP "canna change the laws of physics captain" and it gets no better, so the customer gets a refund and leaves to another ISP.

So the new ISP ideally gets to see the sync speed, or gets from a carrier new speed figures based on the carrier knowing the actual sync speed. This gives a few problems :-
  1. Knowing the new sync speed it is still necessary to report a "range" ("where possible"). Well, the only range allowed is 20th and 80th percentiles, but this is a sample size of one! The 20th and 80th percentiles are the actual sync speed of that one sample. How could a range be given? What are the rules for working out that range? I can only assume it is going to be not possible, or the range will have to use some other, perhaps saner, criteria than percentiles.
  2. Assuming the ISP just makes shit up and picks a range from below the actual sync to above the actual sync in some arbitrary and undefined way, and then, of course, picks an arbitrary minimum guaranteed speed that is even lower, what then? Well now the customer migrates to a new ISP, using the same modems and the same line, and getting the same speed. All that has changed is that now they no longer have cause to complain.
This helps the customer how, exactly, OFCOM?
This helps the ISPs or gives them any incentive to change things or invest, how, exactly, OFCOM?

Maybe the existing ISP, on complaint, can offer to "migrate you to us, at no charge, here are your revised speed estimate and guarantee"? Who knows...

Wednesday, 11 October 2017

Small world, it is...

So, my Daughter is in Paphos in Cyprus on holiday along with several others in the family, or as perhaps I should call them "minions" :-)


She just bought something and it came with a silly plastic toy, as things sometimes do...


Well, they looked at the bottom of the toy...


Yes, that is right, Bracknell - which is where we live...


Which is pretty amazing, being that she is over 2,500 miles away.

But if you think that is a fluke, look at the postcode.

Yes...

RG12 1QS...

That looks familiar...

You may know an ISP whose office is in RG12 1QS. They must be one of the buildings next to us!

(Thanks to James for sending me the pics / story).

Concrete example of 10th percentile issue

Given OFCOM's idea that one in ten lines are faulty it may help to provide a concrete example of the problem here and explain quite how daft this really is. For example, it is not, as some may assume, the slowest 10% of lines in the country.

A friend of mine has a broadband line, it is close to the cabinet, so the forecast sync speeds on 20th to 80th percentile are 79Mb/s to 80Mb/s. He gets 79.912Mb/s. He has no complaints.

The 10th percentile is for "similar lines" and so BT will have banded lines that are that close together and sampled them and looked at the range of speeds that such lines can get so as to find 10th, 20th and 80th percentile. This means some aggregation. I don't know for sure but this could be a band of line lengths 0-500m from cabinet. BT will have done some level of aggregation - we may even be able to find what, but it does not matter for this explanation, so we'll assume 500m line length bands for now.

The 10th percentile is 74Mb/s. This means that lines in that "band", i.e. "similar" lines, sync at a range of speeds from below 74Mb/s up to 80Mb/s. Indeed, many would probably sync well above 80Mb/s if the sync was not capped.

One in ten of these lines will get below 74Mb/s - that is the very definition of "10th percentile". Whilst the occasional line will actually have a fault (less likely on such short lines) and still sync at a lower speed, the main reason for being below 74Mb/s will be the line length from the cabinet.

So, assuming this is, say, a 0-500m band it could simply be that everyone over 450m from the cabinet gets less than 74Mb/s, a simple fact that they are a certain line length away. Not something anyone can change.

So imagine such a person at say 490m away is getting 73Mb/s. The line may be perfect. The modem may be perfect. There may be nothing that can be done to make the line better or the sync faster whilst using this technology.

Yet, that person is one of the "one in ten" deemed faulty by OFCOM. They can insist the ISP tries to make the line better, engaging engineering time and effort. They can even insist on a refund. Simply because they are one of the "one in ten of lines" below the 10th percentile for "similar lines".

Now, let's look at their neighbour, who is, say 510m away. They may find they are in a 500m-1km band, and get lumped in with such lines for their forecasts. Being so close to the top end they may be in the top 10th percentile, even though they sync at a lower speed, say 70Mb/s. So their line is not deemed to be "faulty". Indeed, they could find themselves with a 50Mb/s guaranteed minimum, have an actual fault on their line dropping it to 51Mb/s and not be caught by the code of practice.

Please explain to me how this mad system where arbitrary bands of one in ten people at various line lengths (depending on arbitrary choices of "similar" line groupings BT do) are to be deemed to be faulty is meant to actually help consumers? It is not like these people are more or less likely to have a fault, or that they are good candidates for some changes in technology so as to improve speed, or even that they have "slow" lines, they are simply "one in ten".

A graph may help explain...


Tuesday, 10 October 2017

One in ten UK broadband lines are faulty, says OFCOM ?

We have had this in the past and once again we seem to be facing another (voluntary, phew) broadband speed code of practice from OFCOM.

Our reply to the latest consultation is here (pdf).

But once again the big issue here is that OFCOM consider any lines where the speed is below the 10th percentile of speeds for similar lines to be "faulty".

This means :-
  1. The customer can expect the ISP to try and "fix" the line, taking up to 30 days to do so.
  2. The customer can expect to be allowed to exit with no penalty and to get a refund of upfront costs if not fixed within 30 days.
Now, if the line is actually faulty, as some will be, this is all very reasonable. But the threshold is not a "fault threshold" as determined by measuring the speed of similar lines that are not faulty. It is set to the 10th percentile of speeds of similar lines.

This means OFCOM are defining that one in ten lines are faulty, end of story... In fact, this is a moving target. If some part of those lines are faulty and fixed, all that does is push up that threshold.

In fact, assuming the ISP can get a refund from Openreach or the carrier then it is in their interests NOT TO TRY AND FIX such lines. If they do, they will end up with more and more lines that are NOT FAULTY but below the 10th percentile if they do start fixing the genuinely faulty ones. Those lines simply cannot be "fixed" and so just cause even more hassle for the ISP. An ISP will actually want a load of low speed faulty lines that are not complaining so as to reduce the 10th percentile level.

The problem is that if you are unfortunate enough to be in that bottom 10th percentile, and bear in mind that one in ten people will be, you may well have a service that is indeed doing the best it can and there is no fault whatsoever on the line that can be fixed by anyone.
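To put numbers on both the 0-500m band example and the "moving target" point, here is an added simulation (not OFCOM's or BT's method, and not from the original post). The linear speed-versus-length model, the one-line-every-5m spacing, the half-speed faults and all function names are assumptions chosen so that a healthy 490m line syncs at 73Mb/s, as in the example above.

```python
from statistics import quantiles

CAP_KBPS = 80_000                   # sync cap of the 80Mb/s product
FAULTS = (50, 150, 250, 350, 400)   # constructed: line lengths (m) with a real fault


def healthy_sync_kbps(length_m):
    """Assumed toy model: 35 kb/s lost per metre of line, capped at 80Mb/s."""
    return min(CAP_KBPS, 90_150 - 35 * length_m)


def make_band(start_m, end_m, faulty_lengths=()):
    """One line every 5m in (start_m, end_m]; a faulty line syncs at half speed."""
    band = []
    for length_m in range(start_m + 5, end_m + 1, 5):
        faulty = length_m in faulty_lengths
        kbps = healthy_sync_kbps(length_m)
        band.append({"length_m": length_m, "faulty": faulty,
                     "kbps": kbps // 2 if faulty else kbps})
    return band


def guaranteed_minimum(band):
    """10th percentile of sync speed across the band of 'similar lines'."""
    return quantiles([line["kbps"] for line in band], n=10)[0]


def flagged(band):
    """Lines the code of practice would treat as faulty: below the 10th percentile."""
    floor = guaranteed_minimum(band)
    return [line for line in band if line["kbps"] < floor]


def summarise(band):
    hits = flagged(band)
    healthy = [line["length_m"] for line in hits if not line["faulty"]]
    return {"minimum_kbps": guaranteed_minimum(band),
            "flagged": len(hits),
            "flagged_healthy": len(healthy),
            "shortest_flagged_healthy_m": min(healthy, default=None)}


def is_flagged(band, length_m):
    return any(line["length_m"] == length_m for line in flagged(band))


if __name__ == "__main__":
    # Five genuine faults in the band: ten lines flagged, half of them healthy.
    print("with faults :", summarise(make_band(0, 500, FAULTS)))
    # Fix every fault: the threshold rises and ten healthy lines are flagged instead.
    print("faults fixed:", summarise(make_band(0, 500)))
    # The neighbour at 510m is slower than the line at 490m but is not flagged.
    far = make_band(500, 1000)
    print("490m flagged:", is_flagged(make_band(0, 500), 490),
          "| 510m flagged:", is_flagged(far, 510),
          "| 500m-1km minimum:", guaranteed_minimum(far))
```

In this model one in ten lines is flagged whether or not anything is broken, and repairing the five real faults moves the minimum from 73.37Mb/s to 74.24Mb/s while doubling the number of fault-free lines below it.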

It is as bad as trying to say that every school should be above average or some such. It makes no sense. Why on earth do OFCOM still insist on this nonsense in the code of practice? Why do so many large ISPs agree with OFCOM by signing up to their code of practice? Are BT plc really saying one in ten of their lines are faulty? I am glad A&A don't say that to be honest.

I wonder if any other countries in the EU or the world publish stats on broadband take up, and how many of those lines they consider faulty. The UK must be leading the way with 10% of all lines being faulty by definition of the regulator.

I have to wonder if there is any other industry in the UK, or in the world, where the regulator defines that one in ten of the things you sell are faulty, regardless of what you do, even to the extent that customers can get a refund on that basis? Imagine if OFWAT defined that the lowest 10th percentile of water pressure was a fault and water companies had 30 days to fix or else refund the customer. This is basically what OFCOM are saying about broadband.

We'd love to sign up to the CoP, as it has many good things, but until this fundamental issue is fixed I don't see how we can. We simply do not agree that one in ten UK broadband lines are faulty, sorry. When there are faults we fix them (whatever speed that means your line gets when faulty).


The fix?

Have the modem providers, e.g. Openreach for most FTTC/VDSL, and BT Wholesale or others for most ADSL, define a realistic "fault threshold" which is the lowest speed for non faulty similar lines. Use that as the reference, and have them guarantee that to the ISPs who can pass on that guarantee to the end users. Not complicated!

Monday, 9 October 2017

SolarSystem alarm and web sockets

It needs saying again, web sockets are awesome - so simple. I have them properly plugged in to my new alarm system - see the video.


So next step is probably to release the web socket library on GitHub as well. The alarm system is being worked on to integrate even more - the next step is an interactive floor plan showing PIRs, door and window sensors, doors opening, all sorts, in real time on a floor plan.

Saturday, 7 October 2017

Websockets are awesome

There are some things that modern browsers do that most people do not realise, and which are awesome. One is svg, which is a whole other blog post, but the other is websockets.

They are awesome as they allow a web page to connect to some resource and keep that connection alive and open whilst that page is open, and asynchronously send or receive data on that connection.

Yes, this seems like something that has been possible on an RS232 cable for a while, but actually from a user interface point of view it is pretty big. It allows messages (blocks of data) to be sent and received. I am using JSON objects, but it could be anything.

My main application, and why I put together my own websocket server library, is to allow my alarm system to do stuff using web sockets. It means we should be able to do a floor plan with images of PIRs and doors and all sorts, updating in real time, and clickable to do things. That will be magic for installing the alarm and walking around with an iPad, but also for remote monitoring. Imagine making a page with embedded security camera footage, and so on in with sensors and doors and so on.

Today I bolted on the web socket library to the core alarm system, and all I added were a few lines of code to mirror the keypad on the system. It just worked, and a couple of lines of javascript and it looks magic.


Thursday, 5 October 2017

Apple TV

I posted back in April...



And finally with the latest release, some 6 months later, my Apple TV is no longer asking my Apple password every time I try to watch anything.

I have to say that their support is pretty crap. Periodically, every month or two, I have called, and every time I get someone that is polite and nice and well trained in placating complaining customers. They will take on the case and be my point of contact. They will stay with it until it is resolved. They understand how frustrating it is. The customer interaction training is excellent, if not the technical support behind the scenes.

Every time they have something to delay matters, such as their support people wanting times/dates of the issue, and so on.

Often it was "they wanted to know X", but that was weeks or months before and nobody emailed me or called me to say they were now waiting for something. I had to brave using my Apple TV again, get pissed off with it, and after a few drinks, feel up to the conversation with them again. Hard work.

Irony now - friends of mine can no longer use their Apple TV at all, just not accepting their password at all. Ooops.

So, now, do I go for a 4K Apple TV as I have had a 4K TV for years now? Probably.

I feel like a sheep!

Next step with A&A tariffs

I am pleased with the work so far on our (A&A) tariffs, and I'd like to thank all those that have taken the time to thank us for the changes.

The Quota Bonus seems to be working well and has given people a big safety net for variable tariffs at all levels. Obviously the extra Quota at the lower levels, and the top up that does not expire is a huge improvement also.

So, what is next?

Terabyte on BT back-haul? This would be huge if we can pull it off. We launched our terabyte based tariffs some time ago now, but only on the Talk Talk back-haul. We managed to get a deal with TT that worked for us and allowed these higher tariffs. It was hard work for the team (mostly Alex), but can we do the same with BT? It is hard work as the way we are charged, and the amounts we are charged, vary between carriers, and over time. In some cases we can manage time limited deals, and in some cases these can pass through to tariff changes and offers.

The big issue is that what we buy and what we sell are not quite aligned, and never will be. We buy big aggregate circuits and back-haul bandwidth, but sell individual lines and usage and the Internet access to which that connects. With the normal way that usage is sold (95th percentile) you can have usage that does not matter at all until it hits the top 5% levels, and then it matters a lot. That is almost impossible to map to something we can sell. We have tried in the past with units tariffs changing usage levels during the day and even the middle of the night, but peak usage moves and changes. We have moved to simpler total-usage allowances now.

We think we have something with BT, and we hope that this month, or possibly next month, we can finally start doing the terabyte usage packages on BT back-haul. Yes, you may ask how we are unsure of the BT deal we have - sorry, but it is complicated, really. This will mean that Home and SoHo packages can be changed as needed from 200G up to 1TB and change from month to month as you wish. Indeed, it will allow us to allow balancing of usage between lines on different back-haul and tariffs.

It will be a bonus for people on BT backhaul (not 20CN, sorry) who will be able to simply regrade to higher terabyte usage if they need.

Something more for SoHo users? We have different Home and SoHo packages and there are some differences - some extras on SoHo. I'll be very frank and explain that SoHo is mostly more expensive because we know a business product is usually more expensive and we consider it more of a business package. The problem is that the Home package is so good, it is quite a subtle difference, so I want to make it more so. Offer more for the business customers that are paying more.

The concept is simple - allow sharing usage over multiple sites, not just the lines on one site. We may have to do something where people have lots of sites where the usage is a separate number of extra terabytes over a whole estate, but where it is simply two or three sites then simple usage sharing as we do between lines on one site - over all sites - may make a lot of sense.

Pretty much a prerequisite of this is the BT terabyte, else it gets very complicated with what can share with what. So, again, considering for this or next month.

FTTC being a lot more flexible? The minimum term on FTTC is an issue, 12 months normally - and we reduced to 6 months (at our cost) for Home::1. BT Wholesale are officially dropping this requirement (for new lines) in January and we hope to follow suit.

We don't know how it will work on Talk Talk lines, and we may be able to offer a choice of no install but 12 month term, or a fee to install and no 12 month term. The whole trade-off of min term and install charges may be something we can make more general, which would be a nice feature I think.

This will be January at the earliest, sorry.

So what do we do?

All a bit in the air, but reasonably confident, and I think it is unusual to share such speculative plans with customers - but A&A is not "usual". Feedback (comment here) welcome.

Tuesday, 3 October 2017

Sudafed

One of the nice things about the people that read my blog is that I get some expert opinions on all sorts of matters in the comments, and this may be one where legal, pharmaceutical or medical opinion may abound. So bring it on...

Sudafed is a brand of decongestant and one of them is Pseudoephedrine hydrochloride. It works well as a decongestant.

But buying this stuff can be an issue. They make a lesser decongestant which, to be frank, does not work (for me).

My understanding is that the big issue is that this stuff can be used as the basis for some nasty drugs. Yes, I have seen Breaking Bad. I once tried to buy some when in the US and you would not believe the hassle - passport needed, and even then I think they managed to break their own rules allowing a non US / non Canadian to buy the stuff.

It is over the counter, so a serious medication. But to be frank, when I have a nasty cold, this is what does the trick to clear my head and my chest and sort it out. The other stuff they do just gives me a headache. This works well. As I understand it, there is a possible side effect of increasing blood pressure, so one to watch out for if you are hypertensive. I am, but never have had an issue with this stuff, and I do check.


My problem here is that last year, over the end of the year, I had a really bad cold. It literally lasted for months and I managed to crack my ribs coughing so badly at one point. Yes, I went to the doctors, and they could do nothing and confirmed that lots of people had a really bad cold for months. It was not some silly "man flu", and a lot of the time I was in bed. This was really very unpleasant and lasted for months.

During this I was, at various points, taking maximum doses of paracetamol, ibuprofen and sudafed for several weeks at a time. I take the instructions seriously, and do not take more than allowed. Indeed, I tend to try and take less than maximum dose if I can. But I had a cold for MONTHS, and so did get through a few packs of decongestants.

Oddly, since then, I have had more sniffles and colds than usual. My doctor is not concerned. I get another full check up in a few months anyway. They are also not concerned if I occasionally do take sudafed for a cold. It works. They do ask that I check my blood pressure, that is all. I do that.

The problem is the pharmacist in Tesco in Warfield. She decided I was taking too much! Initially just a query, then an outright refusal to ever sell me it on the basis that I was on blood pressure meds. Well, reading the advice on this you should check with your doctor, which I have done, but no, she simply will not sell me any. Oddly, she will not sell my wife any either on the basis she is on blood pressure meds, when, in fact, she is not!!!

So is this for my health? If it is, I am sure the doctor would say. I do not buy this a lot. Well, I did not, until the day I was banned!!!

Now, what do I do - well what any sane person would do, I stockpile it!

So by banning me, I actually have loads on hand as every other pharmacy, even Boots on-line, is more than happy to sell it, so now I am tempted to take a tablet at the slightest sniffle or congestion. To be frank, I am not, as I would rather not take any medication unnecessarily. But banning me has had the opposite effect on availability for me. So why do it?

Why ban me from a medication that the doctor's surgery are happy I take occasionally if I need it? Why create a situation where I end up stockpiling it just in case and so am MORE tempted to take it than I would be otherwise? How stupid is that?

Oh well, this is the same for many systems of regulation and control - they can often create the opposite effect to what they intend...

Amber Rudd - you do not need to understand encryption

Amber Rudd has made it clear that she feels she does not need to understand encryption. See BBC article here.

Really this is not actually an issue on encryption at all. You do not need to understand it, no.

That said, the principles are not hard to understand, and Amber Rudd could take the time to understand those principles. I am sure there are many trusted advisers who will be happy to explain them. It would help understand the sneering and patronising responses if she understood why her suggestions and comments are so comically stupid.

But let us try to put this in terms a politician should be able to understand.

There is an activity which is common in modern society. We'll try and understand how any activity could be considered for legislation, whether encryption or not.

That activity is conducted by bad actors. In this instance the bad actors are terrorists and extremists, one of the statistically lowest threats we face in modern society, but an issue which is disproportionately important to politicians for some reason.

That activity is conducted by good actors. Indeed, it is used by a lot of people every day. It is hard to find anyone that does not absolutely rely on this activity every day, either directly or indirectly. Everyone with a bank account relies on this activity.

Now, because the activity is conducted by bad actors, it seems that something must be done. It is worth bearing in mind that this is not always the case, and indeed, given that the bad actors in this case, terrorists, represent less of a danger than slipping on a banana skin, the idea of not doing anything is not completely stupid.

So what can be done about this activity? Can it be banned? Can it be restricted? Can it be changed? Can it be controlled? Well, this is where understanding the activity may help, but let us assume it can be controlled in some way for a moment.

The next question, assuming some legislation can be made that will somehow restrict or control the activity, is: what are the consequences of doing so?

There are two main issues.
  1. Will the restrictions impact the bad actors at all?
  2. Will the restrictions impact the good actors at all?


In this case, we can look at the activity being encryption and we look at these points.

Will the restrictions impact the bad actors at all?

MATHS EXISTS! No matter what law you make it is possible for the bad actors to make use of encryption. It is impossible to un-invent mathematics and encryption.

So, we know the answer to point 1 - will this impact the bad actors? Well, not really - they can move on to other apps, other tools, their own apps. They do not even need to do anything difficult or complex. Even if what they do is illegal, they can still do it. There are even ways of hiding what they are doing so you cannot tell so cannot convict them of breaking those laws. See the video at the end of this post for how to encrypt with pen and paper and dice. Maths cannot be un-invented, sorry.

[update: some useful comments on this below] I agree that it is not quite so simple. I cannot say that terrorists will simply use other apps. I can say that open source communities and privacy activists make good quality apps and not some dodgy "home grown" broken crypto, and they are even working on ways to make those apps invisible to police states and oppressive governments, so the apps to use will exist. It seems odd that terrorists would not make use of them. The issue here is that catching one terrorist by such a measure is not worth it - indeed, if you could guarantee to catch every terrorist ever it still would not be worth it - they still are so few and harm so few - we need evidence based laws and policies and it amazes me terrorists are even on the radar ahead of bee stings.

Will the restrictions impact the good actors at all?

UNDERMINING ENCRYPTION CREATES WEAKNESSES THAT CRIMINALS WILL EXPLOIT!

This has been seen over and over again, and the industry is in a constant battle against criminals. A lot of criminals cost millions of pounds every day one way or another, and exploit companies and normal people. Unlike terrorism, this is a big issue impacting a lot of people. The battle is now at the stage where the best defence against criminals is end to end encryption, which means that even the intermediate companies cannot see the communication. This is because attacks on the data via those intermediate companies are a real threat where criminals can get in (technically, or by social engineering, etc). So people rely on this level of security, all the time, every day, for their banking, their medical records, everything.

So, now we know, any attempt to restrict encryption will impact the good actors. They will not be motivated to use other apps or do encryption themselves - why would they, as Amber Rudd says, normal people do not care if their WhatsApp chat is encrypted end to end or not (until they are a victim of a crime, obviously). Only the bad actors will in fact be motivated to use alternatives.

So, you do not need to understand encryption really.

You just need to know that this activity is used for a minor threat (terrorism) and that any attempt to control it will not impact that threat but will impact all of the good uses of the activity.

Now you can make a choice of how to address the issue.

This is no different to seeing that terrorists use white vans, so banning them!
This is no different to seeing that terrorists use an underground map, so banning them!
This is no different to seeing that terrorists use ball point pens, so banning them!

It is a simple exercise to understand the options and the consequences of those options, and to make the best decision for the country as a whole.


Monday, 2 October 2017

Amigo Loans being thick

As some of you have asked, why did I not lend money rather than guaranteeing it to Amigo?

Well, I was sort of bullied into it - I have lent money before to others, and nearly a decade later do not see it repaid. I am out of pocket to well into six figures now. I should learn, and not lend to friends or relatives, ever. It is always a mistake. (To be fair, one relative, where I applied a charge on her property, was good, thanks.)

Am I a miserly old sod? I think not, as there are so many cases I give gifts and money, but when they push too far and I cannot really afford to "give", I have made the mistake of "lending". I would say to anyone considering it, just don't. If you cannot afford to give, then do not, simple as that. Really, if you cannot afford it now, say no!

The guaranteeing a loan thing was a half way house, not lending, not actually, but being there as guarantor, just in case. It does not work. It is amazing amounts of hassle, especially with Amigo Loans. They hassle like mad.

Tonight I got really cross, and sadly the call was not recorded or I would post it.

It was a simple matter - Amigo - give a settlement figure and bank details to make settlement. How hard is that as a request?

They KEPT on saying "it can take 3 to 5 days for the payment to arrive".

I had to shout a lot at them to explain that BACS allows FAST PAYMENTS that take a few seconds normally and at worst a couple of hours (though I have never seen more than a minute or two). They seemed not to understand this. They are, IMHO, fucking stupid.

The UK banking system has had fast payments for years now. Strangely enough when making a loan Amigo are happy to boast that you can have the money within 24 hours. Indeed "Borrow up to £10,000 within 24 hours" is big on https://www.amigoloans.co.uk

So they fully understand that money can be transferred quickly. When it suits them!

Yet offer to settle a loan and now it is suddenly 3 to 5 working days during which interest will accumulate at the massive rate they charge.

Let's be clear, for comparison, they are charging 49.9% APR. BoE base rate is 0.25% APR, so one 200th of the rate. Even my mortgage is 0.59% APR. To charge 49.9% APR interest is extortion.

I have explained that, having made payment, if they charge interest purely on the basis that their internal systems take time to realise that they have been paid, I will have to consider that fraudulent and worthy of reports to FCA and police. I should not have to resort to such threats. Whatever happened to ethics (I ask when looking at 49.9% APR, D'Oh).

So I am charging 1% APR, is that fair? Will I get paid? Will it just live on for decades like others to which I have loaned money? Who knows? I hope not.

I really think this is the end now - no more loans to anyone - ever! Why does it take so long to learn these lessons? Why are people close to you so keen to stitch you up? Life is not fair.

P.S. Sorry I need to explain more, maybe

When a friend or family member asks for money, as a gift, and you can, then fine, give it. Ideally do so if you can before they ask.

When they ask for so much it causes you problems, then maybe say it is a problem. What if they then say "OK, lend it to me and I'll pay it back"? Well in that case it is a FUCKING LOAN, and needs to be PAID BACK.

It is not a hard concept, really, is it?

P.P.S. If I borrow £10 as my round and no cash in the pub, I feel compelled to make sure I make a point of paying it back!