2020-06-01

The new rules (Wales, June 2020) - a little different to England

The new rules (here) come into force 1st June, and are similar to those in England, but not quite the same. These are the main changes that I can see.

Section 8 covering leaving home is replaced. This now covers leaving or staying outside your local area, and being indoors with someone not of the same household or carer. This is different to England which simply covers sleep-overs. There is a similar (non-exhaustive) list of reasonable excuses as before. There is also an 8A which, unlike England, requires you to work from home if you can.

There is a similar restriction on gatherings, but unlike England allowing up to 6 outside from any household, 8B restricts to two households maximum in Wales.

What does this mean:
  • Like England, gatherings from different households indoors are not allowed, except for some reasonable excuses. Note, Wales has a non-exhaustive list of excuses for such gatherings, so slightly better than England.
  • Like England, being outside is now fine in itself - but you are restricted to your local area - so no trips to Barnard Castle for the Welsh. This means we could expect some police checks on people driving still, maybe, as they may want to check you are not outside your local area.
  • Like England, gatherings are still not allowed outside, but the restriction is more than two households, not more than 6 people as in England.
  • Wales has not added the elite athletes exceptions present in English legislation.

I am unsure how this works if someone in England leaves their local area and goes to Wales. The Welsh rules cover being away from your local area, so that is probably not allowed.


2020-05-31

The new rules (England, June 2020) - Barnard Castle trip definitely legal now!

We heard a lot on the news of the rules being relaxed, but in practice the actual rules are what is in the law, and finally we can see that here from tomorrow (1st June).


Firstly, from me personally: The virus is still out there, you can spread it and have no symptoms, and people can die if you do, including people you care about! Please wash hands as much as you can! Please stay away from other people as much as you can! Please try and do work from home if you can!

So, what are the key changes?
  • Relaxed rules: The previous restrictions on "leaving home" and "being away from home" have gone, replaced with restrictions on "staying overnight somewhere away from home". There is a similar list of exceptions with a few minor changes. This basically means "going outside" is allowed, no need for reasonable excuse now.
  • Enhanced rules: The previous restrictions on "gatherings" have been extended to cover private as well as public, and have been better defined. It covers "indoors" of 2 or more people (yes, 2 people is a gathering), and "outside" of more than 6 people. The definition has been cleaned up. Previously private gatherings were not restricted as long as you were away from home with reasonable excuse (including, to everyone's amusement, to "exercise" with one person from another household).
  • Changes: The exception for work purposes is now just that - no longer says you should work from home if you can. We also see elite athletes allowed in various exceptions. Several additional types of venues are now allowed to open.

What this means...
  • We should have seen the end of random police stops, and road blocks, as being outside is allowed as normal now, unless a gathering of more than 6 (so the Westminster Bridge clap remains illegal).
  • You can gather with up to 6 people outside even if all from different households, and social distancing is still not a legal requirement (but please do it!). This means you can gather in someone's garden as that is outside.
  • You cannot "gather" in someone else's house, even as just 2 people not from same household, without one of the excuses/exceptions applying.
  • Employers may be asking more people to come back to offices and work, as the requirement to work from home where possible no longer exists. They still need to meet normal Health and Safety rules, but how that plays out is not as clear cut. It is quite possible that an employer could make an assessment that means temperature check, masks, and hand sanitisers is all they need, who knows.
  • There is no issue with travelling, even to Barnard Castle, as leaving home and being outside is simply allowed now. The only issue is if you travel far enough that you would have to stay overnight in a place other than your home - though simply driving overnight is probably allowed.
  • This is ENGLAND ONLY which creates odd effects on the border.
It is also worth noting that whilst section 6 has a non-exhaustive list of "reasonable excuse", allowing some wiggle room (e.g. a drive to check your eye sight), section 7 does not. The allowed reasons for a gathering are a complete list, meaning no wiggle room.
Is it sensible? Maybe, from what I have been reading (on the Internet) the risk of transmission is way lower outside, the fresh air, wind, UV light, and more space, all helping reduce transmission risk. So the restrictions being on "inside" does make more sense, so maybe we have more sane rules at last. We'll have to see.

2020-05-20

Case study: Payments and trust (Monzo)

Credit (and debit) cards are immensely useful, and I am even more appreciative of them after the fiasco with a holiday refund. Amex were great.

But there is always a balance of trust with customer and supplier, and a range of ways to manage that. Cards provide a good means to handle suppliers that fail. Direct Debits also offer some high level of bias towards the customer, which is very important because of how easy it is to collect payments. This ability to claim for a mistake helps ensure Direct Debits are rarely used for fraud.

For the most part, whichever type of payment is used, where supplier and customer are both honest, all goes well. Sadly when one or the other is not so honest, or even something unexpected, like a global pandemic, happens, the way you pay for things matters.

But sometimes, as a supplier, you want a reliable payment that you know cannot be clawed back or reversed. This is, of course, a huge bias towards the supplier, and away from the customer, but it is also rather "traditional" in that cash payment was always irreversible.

Bank transfers via BACS, or fast payments, provide this - they are like cash, and generally impossible to reverse as the person paying. Obviously the person paid can send money back if they want. They do create an audit trail, you know where the money went (unlike cash), which helps with any possible fraud.

As a business we do a lot with Direct Debits. This puts a lot of control in the hands of the customer who can make a DD guarantee claim at any time, and we would have to reimburse the bank. Thankfully this is rare, but it does allow some opportunity for fraud by a rogue customer using someone else's bank details. This is one reason why suppliers are expected to check the bank details of new DD instructions where they can. That is not so easy.

Thankfully Monzo have opened up an interesting new option for us - a deposit by fast payment!

We have started asking for a deposit, for new accounts, optionally, for some services (VoIP and L2TP). Just £10 paid by bank transfer as part of the order process. We see it instantly, and it provides the bank details for setting up the Direct Debit for on-going payment.

We have even set it up so that we will automatically send the money back in a few days if the order does not go through.

Whilst we face very little fraud, we have found some services, like VoIP, have had issues. Providing the service instantly, even in the middle of the night, means that false/fraudulent details do not show up for a couple of days, or much longer. Until now we have actually blocked some types of out-of-hours VoIP orders because of this, which is not ideal.

Taking payment by card would be an option, but that too is rather biased to the card holder, and does not allow us to validate bank details for Direct Debit. We have had cases of card fraud too.

The deposit is optional, but we are making it so that the order can go ahead instantly if you make a deposit. At the end of the day this is not about the £10, it is that a scammer will not want to send any money. If it is their account, those account details can go to the police if there is fraud. They are creating much more of a paper trail by sending money. Of course if they have compromised someone else's account they can send a deposit, but I am sure they have more interesting things they can send money towards than our services in such cases. I hope so.

This means we have opened up the VoIP ordering at any time of day if you pay a small deposit. Ongoing payments are then by Direct Debit, which gives the customer a lot of control if we do anything wrong, but we are able to ensure we have the right bank details that match the deposit. It seems to me to be a good trade off - the trust/risk is biased to us for first £10 and then to customer ongoing by Direct Debit.

We have been running it for a few days, and in spite of it very clearly being optional, so far, every new customer has chosen to pay a deposit - which is really great news. Apart from one test we ran to ensure we do auto-refund, nobody has given up on an order after paying a deposit, either.

It is a very different approach to taking credit cards, which is so common these days, and I think it is working well. And it is all down to Monzo providing the instant feedback for us via a web hook for the incoming payment.
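The deposit flow described above, sketched as an added example (this is not A&A's code). The event fields are constructed placeholders rather than Monzo's webhook schema, and the three-day refund window is an assumption, since the post only says "a few days".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DEPOSIT_PENCE = 1000               # the £10 deposit from the post
REFUND_AFTER = timedelta(days=3)   # assumption: the post only says "a few days"


@dataclass
class Order:
    ref: str
    state: str = "awaiting_deposit"
    payer: Optional[tuple] = None        # (sort_code, account_number) seen on the deposit
    paid_at: Optional[datetime] = None


class DepositLedger:
    def __init__(self):
        self.orders = {}
        self.seen_payments = set()

    def new_order(self, ref):
        self.orders[ref] = Order(ref)

    def on_payment(self, event, now):
        """Process one incoming-payment notification and return the outcome."""
        if event["payment_id"] in self.seen_payments:
            return "duplicate"           # a redelivered webhook must not count twice
        self.seen_payments.add(event["payment_id"])
        order = self.orders.get(event["reference"].strip().upper())
        if order is None or order.state != "awaiting_deposit":
            return "unmatched"           # money with no open order: one for accounts staff
        if event["amount_pence"] != DEPOSIT_PENCE:
            order.state = "manual_review"
            return "wrong_amount"
        order.payer = (event["sort_code"], event["account_number"])
        order.paid_at = now
        order.state = "deposit_received"
        return "matched"

    def activate(self, ref, dd_sort_code, dd_account_number):
        """Go live only if the Direct Debit is on the account that paid the deposit."""
        order = self.orders[ref]
        if order.state != "deposit_received":
            return False
        if order.payer != (dd_sort_code, dd_account_number):
            order.state = "manual_review"
            return False
        order.state = "active"
        return True

    def refunds_due(self, now):
        """Deposits on orders that never went through, old enough to send back."""
        due = []
        for order in self.orders.values():
            if order.state == "deposit_received" and now - order.paid_at >= REFUND_AFTER:
                order.state = "refund_due"
                due.append((order.ref, order.payer, DEPOSIT_PENCE))
        return due


def demo():
    """Run constructed events through the ledger; all values are made up."""
    t0 = datetime(2020, 5, 20, 2, 30, tzinfo=timezone.utc)   # a middle-of-the-night order
    ledger = DepositLedger()
    for ref in ("ORD1001", "ORD1002", "ORD1003"):
        ledger.new_order(ref)
    pay = {"payment_id": "p-1", "reference": " ord1001", "amount_pence": 1000,
           "sort_code": "00-00-01", "account_number": "00000001"}
    out = {"first": ledger.on_payment(pay, t0),
           "redelivered": ledger.on_payment(pay, t0),
           "activated": ledger.activate("ORD1001", "00-00-01", "00000001")}
    ledger.on_payment(dict(pay, payment_id="p-2", reference="ORD1002"), t0)
    out["dd_on_other_account"] = ledger.activate("ORD1002", "00-00-01", "00000009")
    ledger.on_payment(dict(pay, payment_id="p-3", reference="ORD1003"), t0)
    out["refunds_day_1"] = ledger.refunds_due(t0 + timedelta(days=1))
    out["refunds_day_3"] = [r[0] for r in ledger.refunds_due(t0 + timedelta(days=3))]
    out["stray"] = ledger.on_payment(dict(pay, payment_id="p-4", reference="NOPE"), t0)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The Direct Debit is only accepted on the account the deposit came from, which is the match between deposit and bank details that the post relies on.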

If someone does not want to pay a deposit, that is fine, but it means accounts staff checking the order during office hours, and adds a small delay. So it is a choice people can make if they want, either way.

I am really pleased that Monzo have meant this is now possible. It is a shame the major existing banks did not think it worthwhile providing this level of control and information to their customers really. Well done Monzo!

P.S. Sales pitch - if you are a business and need this type of integration, we know people that can help you (some A&A customers we work with).

2020-05-16

Holiday refund

Like many, in those heady care-free days of 2019, I booked a holiday, and now it is not happening.

If you are stuck without a refund for your cancelled holiday, do keep reading for some of the options I explain below.

The amount does not really matter - for anyone booking a major holiday, whether a few hundred pounds, thousands, or tens of thousands, it will be a lot to them. That is how we all work. There is a BBC article about a school holiday firm not refunding people - it seems to be happening a lot. In my case, having had debt in my life in the past, I try to make a rule of not spending money I don't have. Sadly, this holiday was for my family (those that can sensibly go on a cruise) and co-ordinating a cruise they all were happy to go on, with dates they could all go, for 7 people, was not easy. So when I managed it I snapped it up, extending my mortgage to pay for it. If I had any inkling about 2020 I would not have done that, obviously. So, in short, like everyone else stuck with an intransigent holiday firm right now, this is a lot of money to me.

When the "lockdown" started we had no idea how long it would last. The cruise was planned for June, and my grandson is so looking forward to it - I even made him a countdown clock he has by his bed with days, hours, minutes, seconds to the cruise on it. We sort of hoped it would still be on, but understandably we were concerned at going on a cruise due to the close quarters of so many people.

NCL had cancelled some cruises, but not ours. Then they launched a Peace of Mind scheme. This allows you to cancel up to 48 hours before sailing for a credit of what you paid against a future cruise by 2022. This is a great deal compared to their normal cancellation policy/terms. I can see a lot of people going for this, especially with the perceived dangers of being on a cruise.

But this was, itself, a bit cunning. It means that lots of people leave their money with NCL, voluntarily, rather than getting a refund. Well played NCL.

I did consider it, but sadly it makes no sense for me. The effort of organising 7 people and a date and the right cabin was hard enough - I have been trying for years. The chance of that cabin coming up at all is slim, and it being on a suitable date to a suitable destination is pretty much zero. The time limit means that even if I found other suitable cruises, we would end up wasting some of the money. So no, I decided to wait. That said, I was getting concerned in case NCL waited until the last minute to cancel.

Finally, on 24th April, they cancelled the cruise. This was, in many ways a relief. Given the financial uncertainty facing us all, I would rather put the money back on my mortgage than spend it on a cruise. Also, I was uncertain a cruise was a good idea at all at the moment. So, yes, phew, I could get my refund.

However, the wording of the NCL notice cancelling the cruise was odd. It said they would give me a "refund" by way of a cruise credit and 25% bonus, and that if I wanted the "lesser refund" of just what I paid, I could fill in a form (not yet available) and wait 90 days. Well, no, the terms are crystal clear and have no ambiguity at all - they have to refund me within 14 days, simple as that. Obviously I could choose to agree alternatives, but if not, it is refund. In light of the wording I contacted them, on Twitter, and Facebook (and once I found the email address) by email.

I got a ticket reply saying they would answer in 48 hours. But nothing, not for 5 days, and then only confirming their idea of a cruise credit or refund in 90 days.

A few days later my NCL account page showed a cruise credit, but even with a 25% bonus it was around half of what I had paid, and expired next March. That is not a good deal!

This got silly with various exchanges, with them continuing to refuse to acknowledge their own contract terms.


Then they posted that "Terms and conditions are subject to change". I was fuming! Nothing in their contract allows them to change terms like this.

Obviously a change to the contract like this would not normally be legal. Even if their terms allowed such changes that would probably fall foul of consumer protection legislation. The Competition and Markets Authority are also looking in to this. This makes it clear that refunds should always be a clear option and paid in a timely manner.

They backed down a bit, saying the terms at the time I booked do apply, but still refusing to acknowledge that they have to refund me in 14 days. They really went in to "head in sand mode"...

Am I being reasonable? Are they?

One thing to get out of the way is the question of whether I am being unreasonable. After all, these are somewhat unprecedented times.

If you have ever been on a cruise (not just NCL) you will know how petty they can be - even an "all inclusive" cruise, sold using those exact words, will find you able to drink as much whisky or wine as you like, but paying $5 for a bottle of water or a coffee. It is unbelievable, and takes a lot of getting used to.

All I am asking is that they do what they agreed, nothing more, and this is what they agreed in the case of "circumstances beyond our control" such as "epidemic". This was not something they did not foresee in their contract. Given how petty they are I feel entirely justified in simply asking that they do what they agreed, nothing more, nothing special. And I fully endorse that they are offering a range of alternatives for those that want them, including bonus credits and discount holidays. Well done.

But one has to think of the bigger picture. If everyone expected them to do what they agreed (something we used to call "normal" for contracts), they would go bust, wouldn't they? Well maybe, but they are offering attractive alternatives, and if many take those, they have it covered, one would hope.

One argument is that holiday companies are having to wait for refunds from their suppliers, and hence unreasonable to expect them to pay up as per their terms. This is not a good argument, as it basically means a short term cash flow issue for a business, which is exactly what a loan is for. The government are even backing business loans for just this sort of reason. It is not fair to expect consumers to lend money, interest free, without any choice in the matter. In my case it is literally costing me interest!

So, basically: if they had asked to borrow my money; if there was clear protection in case they go bust; and if they were paying competitive interest on the loan; then maybe I would consider it reasonable. Otherwise, no, sorry, even in these circumstances (especially in these circumstances) I do not think they are being reasonable.

What are my options

There are some options, and this is perhaps where this blog post will be helpful to others in the same situation.

Waiting / taking up their offer

One option is to accept what they say, agree new terms waiting 90 days for a refund, or accepting the cruise credit. As I say, a cruise credit is unlikely to be something I could use in the time limit, but my main concern is whether they go bust, and if they do, it is unlikely I will ever see my money from them. So no thanks.

Dispute/chargeback

This is a useful one if you pay by card, as the card schemes all have a dispute/chargeback process. Basically it allows you to dispute a charge and if agreed, to get the money back.

The only issue is that it can take a couple of months, it seems. I also get the feeling it is reliant on the card company getting the money back, so if the company goes bust before the dispute is resolved, it may not work.

When I got the message about terms changing, even though several days to go before the 14 days were up, I took that as them saying they would not honour the contract, so I put in a dispute on Amex - why not?

Holiday Insurance

Holiday insurance may be an option. It has possible issues, and this is one for the lawyers to comment on I am sure. I bet every insurance company has a team of people making sure they know exactly where they stand.

One possible issue I have heard, and cannot be sure of, is what happens if I pay for someone else to go on holiday. Does my insurance cover that, after all, if they don't get the holiday I have not lost out. Does their insurance? After all, they have not lost money. In my case this was a holiday for 7 people - would I only get my share back from my holiday insurance?

I also don't know what happens if you accept a cruise credit instead - you have not lost out then, so does insurance cover it. If they later go bust, it is the credit, not a holiday that you have lost. I have no idea if that is covered.

I also hear that some insurers no longer cover COVID-19 issues for holidays booked after a certain date (mine was well before).

It remained an option for me if all else fails. 

Consumer credit act

This is a biggie - if you pay by credit card you have extra protection, as the card company end up jointly liable with the supplier for providing the goods and services. Liable for the whole lot even if you only pay part (e.g. a deposit) on a credit card. And this liability is on the card company even if the supplier goes bust. So long term this is a massive consumer protection for you.

Obviously it could take time, which is no help if you need the money now, and sadly it does have an upper limit, which won't be an issue for most people.

What I don't know is whether accepting a cruise credit would remove this option - one for the lawyers to comment on.

County court

This is always an option when someone breaks a contract, and the Money Claim Online web site makes it quite easy. It costs a bit, but that is added to the claim.
  • In a perfect case, you issue a claim and the defendant coughs up. This happens a lot when the defendant is simply in the wrong, and they know it, like NCL do.
  • In a slightly less perfect case you issue a claim and they ignore it. Two weeks later you get judgement by default (one click on the web site) which takes a day or so. At that point you can pay for bailiffs to go round and collect money or goods. NCL have a Southampton office, or maybe the bailiffs could find an NCL ship in a UK port :-)
  • Sadly if they do put in a defence, no matter how daft, it goes to a hearing, which takes time. It probably takes a lot more time in "lockdown" as well.
Given my options, and the time the Amex dispute could take, this was a real consideration. I even sent a formal "notice before action" after I had waited 7 days to allow me this option (you have to do that before you take someone to court giving them time to pay up instead).

Statutory demand

One option I had forgotten, and was suggested on Twitter, was a Statutory demand.

The principle is simple, any company that cannot pay its debts as they become due has to be wound up. If you are owed more than £750 you can serve a Statutory Demand for the money. They get a few weeks to pay, and if not, then you have to go to court and get a winding up order, forcing the company in to liquidation.

This is tricky, if they don't pay you wind them up (which costs money) and may not see any money. The idea is that no company ignores a Statutory Demand, and would rather pay what, for them, is a relatively small sum than be forced in to liquidation.

One issue is that NCL (Bahamas) Ltd is a UK establishment of a foreign company. Given a UK office, I may be wrong, but I am reasonably sure I could take them to court and even send bailiffs - I have no idea if it is possible to actually wind up such a thing.

So I decided to basically rule this out, especially as I have never done one before.

What happened

Amex are stars! What can I say!

I put in the dispute on the web site - it is simple - find the transaction, answer a couple of questions and put in a one line description. I did that.

The next day, I got around to making up a PDF with screen shots of the terms, and discussions to prove I had tried to resolve it and that the cruise was cancelled, etc. This is to upload on to the dispute.

But I could not find the dispute, it was not there. I checked "closed" disputes, and there it was. I was about to get cross at them rejecting my dispute, but clicked on it to see :-


Wow, just wow, this was in under 24 hours. I had not even loaded my "evidence" yet. What can I say. A couple of days later it shows on my Amex app. A quick message to Amex, and the credit is being sent to my bank.

I really have to thank Amex for making that such a quick and easy option. I am really impressed with their customer service. This was causing a lot of stress for me, and is such a weight off my mind now.

Two weeks later, NCL still show the cruise credits and no indication of the chargeback, they even called me trying to get me to book more cruises with my cruise credits, and they really did not understand the whole concept of being in breach of contract. Crazy. It may be some time before we remotely consider a cruise, let alone with NCL.

2020-05-06

Cycle lane logic?

There are a number of separated cycle path / footpaths on the estate where I live, and I use these a lot, both walking and cycling. As a cyclist I always notice the people walking on the wrong side :-)

However, I wondered if there was any logic to the way the sides are chosen. So I decided, on my walk this morning, to take a few pictures and see if there was indeed any logic to it.

I am not sure there is.

The first one is off the main road outside the estate, so at that end there is no preference for which side would be better as a cycle lane. However, at the other end (2nd image) one side goes on to the footpath and the other on to the road. It makes sense that the side that goes on to the footpath is the footpath, and so it is, very logical.


The next one is not so obvious. On one end, one side goes on to the footpath straight on, and the other at right angles. However, on the other end (2nd picture) one side has no footpath, so makes sense to be the cycle lane, as shown. Not that daft.


The next one is much more obvious. As you see on the approach (1st picture) the foot path continues in to the cycle path and serves several houses, so pretty much has to be the footpath side. The other end is just on to the road, so no preference. Good choice.


This final one does annoy me when cycling. At one end (1st picture) it is just on to the road, but at the other end (2nd picture) the left side has no path, it goes on to the road, yet they have chosen to make the cycle path the other side, with a give way. OK, they would have had to put the pole the other side, but that is the sign saying which side is which.


So maybe there is no logic at all and it is just random, who knows.

2020-05-02

JSON all the things

I have a feeling that industry is moving away from XML and towards JSON...

Just a feeling, but even HMRC, who used to use XML for VAT and do for RTI, have moved to JSON for MTD (VAT).

Fundamentally XML is too complicated - especially with name spaces. The options in XSD (which is the common way to define what is valid in an XML file) are also a bit of a mess - defining the order of the XML objects even, which is a pain if you ever work with any XML. JSON does not expect values in an object to be in any order (just in an array).

JSON is simpler in many ways, but there are differences. The type of a simple value can be more than just text (as you have in XML), it can be null, boolean, number, or text. Javascript tends to just convert between things seamlessly in most cases. It does get to be fun in arrays where each value can be a different type, even an object or array itself.

JSON also makes it a lot easier to create and process using languages like Javascript, obviously.

As it happens, at A&A, we have been working on new APIs for our control systems (more on that another day), and these are all JSON based too. But this week I have started on some work on the accounts system.

I now have JSON for documents, i.e. invoices. We currently allow customers to access invoices in XML, PDF, Plain text, and HTML, and as of now also JSON. You can ask for a JSON attachment to be automatically included in your invoice emails if you wish - digitally signed, obviously.

Whilst we have loads of work behind the scenes improving the way the accounts work, this JSON interface should be pretty stable now.

2020-04-23

Be reasonable

Update: New rules 13th May change the examples that are reasonable.

This is a blog about a little bit of the way laws are drafted. I am not an expert on legal drafting, and not a lawyer - however, laws are meant to be understood - as a member of the public I should be able to work out if something I am about to do is legal or not, even if that means I need a bit of help to understand the way laws are written. I'd be delighted in any feedback from those that are experts.

I'm picking, topically, on section 6 of The Health Protection (Coronavirus, Restrictions) (England) Regulations 2020 as amended. In particular, it basically says, in 6(1) that you need a reasonable excuse to leave home.

So that gives us a test - is my excuse a reasonable excuse or not. If that is all it said, it would be somewhat open to interpretation, and my view could be very different to yours. This is an issue where one party is a policeman and disagrees on what is and is not reasonable.

Of course, I would hope, being public health legislation, not public order, that any excuse that does not pose a public health risk should be considered reasonable. It is a shame there is not a paragraph clarifying the basis of a reasonableness test. Surely taking your household for a drive to a secluded spot for a picnic should be reasonable, clearly, as not a health risk as you do not interact with anyone. Even more reasonable if you ensure well serviced car, enough fuel, and driving carefully. Sadly this is not so simple, and we know the police are quite clear on that not being reasonable, so we need clues. We need to know how to apply this reasonableness test.

6(2) of the regulations helps, it defines reasonable as including... and a list of things. The use of the word "including" here is very important as it means it is a non-exhaustive list. It means something may be reasonable but not on the list. Sadly it gives no real idea how to tell if things not listed are or are not reasonable. So, for example, I would consider feeding a horse reasonable, but that probably comes under 6(2)(h) as a legal obligation under animal welfare laws.

This is where a computer programmer and a lawyer would diverge somewhat. To a computer programmer the rules in 6(2) are simple tests - if you pass any then you are reasonable. If not then there is an implicit final "generally reasonable" test, but the wording of the tests in 6(2) would not have any bearing on that "generally reasonable" test.

However, the wording does matter. The items in 6(2) are not simply positive things. They do not say "this is reasonable" and "that is reasonable", no, they say "this is reasonable except in this case", and "that is reasonable, if another thing applies".

This is quite clever in a way as it uses examples to couch the boundaries of the test, to say what goes in and what goes out - where the line is drawn.

So, for example, 6(2)(ga) "to visit a burial ground or garden of remembrance, to pay respects to a member of the person’s household, a family member or friend;" says visiting a burial ground is reasonable, but only in some cases. It has caveats, and they matter. If it was just that visiting a burial ground was reasonable the clause would not go on to say "member of the person’s household, a family member or friend" at all, so this means that visiting someone you don't know is not in fact reasonable.

So even though 6(2) is a non exhaustive list, using "includes", every restriction or caveat in the clauses in 6(2) effectively defines the edge - the line beyond which something is not reasonable, for those things that are listed.

Looking at 6(2)(b) "to take exercise either alone or with other members of their household;" the caveat "either alone or with other members of their household" matters, and so exercise with someone else is not reasonable. As I say, as a computer programmer it would be different - exercise with someone else would simply fail 6(2)(b) but a "generally reasonable" test would not consider why it failed 6(2)(b), or that 6(2) has a test relating to exercise in it with caveats. However in English, those caveats start to matter as we list "exercise" and they say where the line is drawn. Exercise itself is not something not listed, and so possibly also included, because 6(2)(b) does cover exercise.

Looking at 6(2)(f) "to travel for the purposes of work or to provide voluntary or charitable services, where it is not reasonably possible for that person to work, or to provide those services, from the place where they are living;" seems to clearly relate to doing work (or volunteering, etc) but it has a caveat of not being possible to do it from where you are living. Again, the clause covers working, so you would not consider it reasonable to go out to work when you can do it at home - even if that is not a public health issue.

Of course, the use of "includes" does allow for something completely different to be reasonable and not be in the list. Ideally something that is obvious to all that it is clearly reasonable. But anything that is in the list with deliberate constraints clearly defines the boundary and implies directly what is beyond that boundary and hence not reasonable.
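The two readings contrasted above, side by side, as an added example that is not part of the regulations or the original post. The clause encodings, the situation fields and the fallback "no health risk" test are all assumptions made for illustration; the regulations define no fallback test.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Clause:
    ref: str                          # clause number in the regulations
    topic: str                        # the activity the clause is about
    caveat: Callable[[dict], bool]    # the conditions attached to it


# Three of the clauses quoted in the post, reduced to their caveats (simplified).
CLAUSES = [
    Clause("6(2)(b)", "exercise",
           lambda s: s["company"] in ("alone", "household")),
    Clause("6(2)(f)", "work",
           lambda s: not s["possible_from_home"]),
    Clause("6(2)(ga)", "burial ground",
           lambda s: s["deceased"] in ("household", "family", "friend")),
]


def no_health_risk(s):
    """Assumed fallback test: the post hopes for one, the regulations give none."""
    return not s["contact_outside_household"]


def programmer_reading(s, fallback=no_health_risk):
    """Listed clauses are independent tests; failing one says nothing further."""
    for c in CLAUSES:
        if c.topic == s["topic"] and c.caveat(s):
            return True, c.ref
    return fallback(s), "general test"


def drafting_reading(s, fallback=no_health_risk):
    """A clause that covers the activity also draws the line for that activity."""
    covering = [c for c in CLAUSES if c.topic == s["topic"]]
    for c in covering:
        if c.caveat(s):
            return True, c.ref
    if covering:
        return False, "outside the caveats of " + ", ".join(c.ref for c in covering)
    return fallback(s), "general test"


# Constructed situations, none of which involves contact outside the household
# except the last.
SITUATIONS = {
    "run alone": {"topic": "exercise", "company": "alone",
                  "contact_outside_household": False},
    "run with a friend, kept apart": {"topic": "exercise", "company": "friend",
                                      "contact_outside_household": False},
    "office work that could be done at home": {"topic": "work",
                                               "possible_from_home": True,
                                               "contact_outside_household": False},
    "visit the grave of a stranger": {"topic": "burial ground",
                                      "deceased": "stranger",
                                      "contact_outside_household": False},
    "household picnic in a secluded spot": {"topic": "picnic",
                                            "contact_outside_household": False},
    "house party": {"topic": "party", "contact_outside_household": True},
}


def compare():
    """Map each situation to (programmer says reasonable, drafting says reasonable)."""
    return {name: (programmer_reading(s)[0], drafting_reading(s)[0])
            for name, s in SITUATIONS.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name}: programmer={verdicts[0]} drafting={verdicts[1]}")
```

The readings disagree only where a listed clause covers the activity and its caveat fails; for anything not listed at all, both fall through to the same general test.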

Sadly, 6(2)(f) also has the caveat "to travel", which directly implies that outside of that caveat, working away from home at all is not a reasonable excuse.

Sadly, on that last point, as 6(1) now needs an excuse to simply be outside, it suggests doing work that is not travelling for work, outside your home, is no longer reasonable.

Oddly even 6(2)(k) in the case of a minister of religion or worship leader, to go to their place of worship; is a problem as such a minister can go to their place of worship, but then no longer has a reasonable excuse to be there, or even to travel back home!

Some clauses just muddy the water, like 6(2)(l) to move house where reasonably necessary; effectively defining reasonable excuse as a thing that you need to do because it is reasonably necessary! That is not helpful...

P.S. Stay home!

2020-04-22

Going to work?

Update: Fixed on 13th May

Drafting legislation is obviously a complex issue, and needs a lot of work.

As we have seen, the regulations for COVID-19 are badly drafted, with many things people consider "loopholes". The original legislation was, after all, done in a rush.

Thankfully the civil servants have had several weeks now to carefully draft some amendments to fix some of the issues, so these should be really good now, obviously.

Some issues:-
  • Previously you could leave home for one reason but then did not have to have a reason for being "outside". I.e. you could leave for exercise and then decide to go and have a picnic. As long as not a gathering of more than 2 people not from the same household in a public place, that was legal, even if the police said it was not and fined people.
  • Previously if you have a party at your home with lots of friends, it was clearly a gathering, but not in a public place, so you (at home) were not breaking the law. Any of your friends that left where they live with reasonable excuse and then decided to come to your party would also not be breaking the law. Even so, police would break up parties and fine people.
  • Previously if you left home for exercise, went to the park, you could sit on the bench for a while, even have lunch. What mattered is why you left home.
The changes at 11am today address some of these, and are listed here.

They fixed interesting things like in paragraph (1)(b), for “over the age of 18” substitute “aged 18 or over”; and in sub-paragraph (i)(iii), for “Department of Work” substitute “Department for Work”.

But one of the changes is this :-

(4) In regulation 6—
(a)in paragraph (1), after “leave” insert “or be outside of”;


This means that it now reads :-

6.—(1) During the emergency period, no person may leave or be outside of the place where they are living without reasonable excuse.
This covers a lot of previous loopholes. Now you no longer just need an excuse to leave where you live, but to be outside (yes, your garden is still counted as inside your home for this). So the picnic is no longer valid, and neither is the house party (not because a gathering, but because the people there have no reasonable excuse for being outside their own home). Sadly it may also mean the rest during a long walk is a problem. I am actually a tad surprised that "returning home" is not in itself a reasonable excuse.

However, what concerns me is that they did not update the actual list of reasonable excuses having now changed the context.

Notably the reasonable excuse: (f) to travel for the purposes of work or to provide voluntary or charitable services, where it is not reasonably possible for that person to work, or to provide those services, from the place where they are living;

Now, previously, it was OK to leave home to "travel for the purposes of work" (if you could not do that work at home), and, having left home with reasonable excuse, you could, well, do the work!

Yes, the list is not exhaustive, but given how the police seem happy to fine people when they were covered by the list it is tricky doing anything not on the explicit list. Arguably the specificity of the use of the word "travelling" for work in the list highlights anything other than travelling as not being "reasonable". A simple fix would be to remove the "to travel" part, so "for purposes of work" (where you can't do it from home) would be covered, including any travelling.

But the excuses don't list actually "doing work", or "being at your office", or anything that is not actually "travelling". And this reasonable excuse has to cover not just leaving your home, but being outside your home.

So now it seems they have plugged the loophole allowing a picnic, but made supermarket workers illegal sat at their tills. Indeed, if you are an MP sat in parliament right now, which of the reasonable excuses do you have for not being at home?

Really? This is the competence level of our current parliament?

2020-04-19

BGP

Border Gateway Protocol is a thing that happens very much behind the scenes in the Internet and not something anyone outside the industry should have to know anything about. So this post is going to try and really dumb down some of the technical issues.

Firstly I'll try and explain what BGP is, and a couple of the challenges that have come up over the years. Some were an urgent issue that made us all realise a risk that was not known before. The others are more of a gradual change in best practice that needs doing, in my view.

Extra dumbed down

  • For the Internet to work - there has to be a "road map" so that your Internet provider can direct traffic.
  • Roads change, and so there is a way to update this road map with new instructions (that's BGP).
  • There can be errors in these instructions, and bad people can give wrong instructions.
  • This is all something that is being worked on. It is complicated.
Thanks to Simon Crowe #FBPE (@UHDDreamer) for some inspiration on the above.

What is BGP

First off, BGP is the way internet providers manage routing of internet packets. It involves, normally, an ISP communicating with another ISP over some link to say what they can route for them.

It is not fundamentally complicated, and I recall one occasion talking to someone working for a major peering point about us plugging in to them. We (AAISP) use FireBrick routers, and I had personally written the ethernet drivers, IP, TCP, and BGP protocols from scratch for our equipment. We plugged it in and it worked as expected. The idea that we were not using CISCO, or Juniper, or some other common vendor, was a shock at first, but bear in mind that not only are these all well defined and published standard protocols, they are designed to allow a degree of tolerance to errors.

Our code worked as designed and to the standard, and in some ways was way faster than some vendors. I was pretty proud of the design.

For anyone to be able to take part in BGP you need to agree with another ISP, over something called "peering" which is ISP to ISP, or "transit" which is where an ISP gets "the Internet" from some larger company. In both cases, and especially the latter, there are filters on what you can "announce" to the world via BGP.

As a system, this should work. I cannot "announce" someone else's routes to transit - they won't let me. I cannot "pretend" to be some part of Facebook's network, for example, and hijack their traffic. If everyone that allows a connection to the BGP network had such filters all would be well, and mostly it is.

The issue is that some parts of the world are not as robust, and so rogue routes can be announced. It can be (and often is) a mistake, or it can be malicious. Hijacking someone's routes can be a way to break security (getting new certificates for https), or just causing disruption to their network and traffic. It is a concern for the industry as a whole.

Just to explain, unlike your broadband router which has only one route to the internet, your ISP has many peers and transit and routes to send data. That is why BGP is needed in the first place.

Path overload issue

One incident that happened was where someone made a simple typo on a configuration (more details here). A setting which they thought was a number to quote was in fact how many times to quote it. This created a message in the routing which was unexpectedly long and caused some special edge case in the code for longer data.

The problem was a bug in some makes of router which meant that it could not cope, and broke routing. It created invalid data that was sent on.

Now, I hate to say this, but my memory is sketchy on this, but the solution was to not forward invalid data. We realised this and ensured FireBricks would not do so (a config setting with a default not to, called "ignore-bad-optional-partial") even though the specification said we should. We had new code within days to ensure FireBricks could not be part of the problem - even before the RFC (standard) on this was created.

Sometimes the industry has to act quickly as even though the cause of the issue was a mistake, it could be exploited as an attack.

TCP RST issue

Another issue that became apparent was the way the BGP links between ISPs are set up. They use a normal TCP connection. Now TCP works on IP and IP has a "TTL" or "hop count" which stops IP packets going too far. A convention in BGP (not part of the spec for BGP or TCP) was to set up the TCP session to "peer" links with a one hop TTL. This means the TCP connection cannot go more than one hop to the directly connected router. This makes sense as the peer is directly connected on a link one hop away.

The problem that came up was that someone could inject a TCP packet called a RST, with a faked source address, sent on the Internet, which when it arrives closes the TCP connection for the BGP session itself. This drops all routing, and causes disruption. Repeatedly done it can take down a link, or set of links, completely and cause a lot of problems.

The first fix was a way to digitally sign the TCP packets. We, at FireBrick, created this feature to allow it to work for BGP, and a few of AAISP's peers required signed BGP sessions. This works using a password at a low level and so ignoring the rogue RST packet.

It turns out there is a way simpler way to fix the issues called "TTL security". Instead of using a hop count of 1, use a hop count of (maximum) 255, but make sure the peer checks it is 255. The reason this works is a packet from anywhere else on the Internet will see this hop count go below 255 as it drops at each "hop" on the way.

Again, FireBrick implemented TTL security, not just setting the required hop count, but checking it based on number of hops allowed/expected (usually no intermediate hops).
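The difference between the old one-hop convention and TTL security can be seen with a small model of the hop count. This is an added example, not FireBrick code: the function names are made up for illustration, and it only models the TTL field, not TCP itself.

```python
MAX_TTL = 255  # largest value the 8-bit IP TTL field can hold


def ttl_on_arrival(sent_ttl, routers_crossed):
    """TTL seen by the receiver, or None if a router dropped the packet.

    Every router that forwards a packet takes one off the TTL and discards
    the packet if that leaves zero.
    """
    ttl = sent_ttl
    for _ in range(routers_crossed):
        ttl -= 1
        if ttl <= 0:
            return None
    return ttl


def old_convention_accepts(arrival_ttl):
    """TTL 1 on what we send, but no check at all on what we receive."""
    return arrival_ttl is not None


def ttl_security_accepts(arrival_ttl, intermediate_hops=0):
    """Accept only packets that cannot have crossed more routers than expected."""
    return arrival_ttl is not None and arrival_ttl >= MAX_TTL - intermediate_hops


def compare(max_routers=5):
    """For a sender N routers away using the highest TTL it can set (255),
    return (N, arrival TTL, old convention accepts, TTL security accepts)."""
    rows = []
    for n in range(max_routers + 1):
        ttl = ttl_on_arrival(MAX_TTL, n)
        rows.append((n, ttl, old_convention_accepts(ttl), ttl_security_accepts(ttl)))
    return rows


if __name__ == "__main__":
    for row in compare():
        print("routers=%d arrival_ttl=%s old=%s ttl_security=%s" % row)
```

Only the row for the directly connected peer (no routers crossed) passes the TTL security check; setting `intermediate_hops` above zero is the "number of hops allowed/expected" case for peers that are not directly connected.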

Using RPKI

There are still issues with BGP, even with all of these steps.

The main one is that someone can "inject" a route in to the system that is not genuine. They can do so alongside the genuine route, or inject a more specific route. This hijacks all of the traffic.

As I said before, where transit providers check their customer routes, this cannot happen. But some countries are a bit more lax.

The "fix" is double edged - it involves a way to certify that a route is correct, specifically that it is to the right "autonomous system". But the downside is that puts someone in control of certifying the route is correct. Who has that power?

This was a controversial issue in that, for example, the whole of Europe is controlled by RIPE. So if a Dutch court demands RIPE remove a route, they would have to. This puts huge power in the Dutch courts. The same applies in the US and every other registry where a local court could command a change. To be clear, actual routing is handled by the ISPs, but the issue comes when they all work on one authority as to what is valid. I am not sure that has now been fixed in RPKI, but happy to be corrected on this point.

The other issue is that certification can lead to mistakes, causing routes not to work based on some technicality.

Not everyone is checking these certificates, and even then the system will not be bullet proof if the origin AS is spoofed (I think). So any errors will cause partial failures. These are massively difficult to diagnose. What does an ISP do when just some of the Internet cannot see some of its network? In most cases the networks not routing will have no contract or direct relationship with the ISP in question. That is hard to diagnose and fix.
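How a router checking RPKI classifies a route can be shown with the origin validation rules from RFC 6811. This is an added example, not from the original post or any router's code: the signed records (ROAs), prefixes and AS numbers are constructed from documentation ranges, and `validate` and `accepted` are illustrative names.

```python
import ipaddress
from collections import namedtuple

# A ROA says: this AS may originate this prefix, down to this prefix length.
ROA = namedtuple("ROA", "prefix max_length asn")

# Constructed sample data (documentation prefixes and AS numbers).
ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64500),
]


def validate(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for an announced route."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        if route.version != roa.prefix.version or not route.subnet_of(roa.prefix):
            continue  # this ROA says nothing about the route
        covered = True
        if route.prefixlen <= roa.max_length and origin_asn == roa.asn:
            return "valid"
    # Covered by a ROA but matching none of them: wrong origin or too specific.
    return "invalid" if covered else "not-found"


def accepted(announcements, roas=ROAS):
    """Filter as in the usual policy: drop 'invalid', keep everything else."""
    return [a for a in announcements if validate(a[0], a[1], roas) != "invalid"]


# Constructed announcements: (prefix, origin AS, what the case shows).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500, "genuine route"),
    ("192.0.2.0/25", 64511, "more specific route from another AS"),
    ("192.0.2.0/24", 64511, "same prefix, wrong origin AS"),
    ("192.0.2.128/25", 64500, "right AS, but longer than its own ROA allows"),
    ("203.0.113.0/24", 64510, "nobody has signed this prefix"),
    ("2001:db8:1::/48", 64500, "within the signed maximum length"),
]

if __name__ == "__main__":
    for prefix, asn, note in ANNOUNCEMENTS:
        print("%-18s AS%-6d %-9s %s" % (prefix, asn, validate(prefix, asn), note))
```

The fourth case is the "technicality" kind of mistake: the holder's own announcement is dropped because their ROA does not allow the longer prefix. The check only ever sees the origin AS a route claims, so a route carrying the signed origin AS in its path is "valid" whoever actually announced it.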

In the long term, this is generally good. Even with the risk of a court attack, the industry can work around if needed. That is a last resort, and measures to avoid rogue routes are a good idea.

If the major transit providers start filtering routes checking RPKI then that alone will solve the problem of rogue routes - but if they were all filtering what they receive anyway from customers, that would avoid the issue without RPKI. So is it worth it?

But as I say, this is all behind the scenes policy and technical issues for ISPs and transit providers. It will be sorted by ISPs and industry as a whole around the world. We are all working to improve the security and reliability of the Internet.

Who should do what and when?

[new section after original post] I have been learning more on the whole RPKI thing. Overall it is a good idea as it blocks some types of attack. It is not perfect, it does not block all types of attack, and is, itself, prone to new types of attack via courts and also new mistakes, but it helps. It helps a lot with some types of mistakes, which have been a cause of issues as you can see above. It is best practice, which is important. So that is why we (AAISP) are doing it.

There seem to be three steps that make this work.
  1. Everyone should be signing their routes - i.e. ensuring they have signed route details saying which routes via which AS, so they can be checked by the Internet as a whole. AAISP have signed routes for some time and are currently working on ensuring some hosted routes for customers are also signed. This is the first step, else RPKI could not work at all - you cannot check routes if you have nothing against which to check them.
  2. The big players, the transit providers, need to filter based on RPKI. This, with step 1, basically stops all route injection attacks in their tracks, and problem solved.
  3. Smaller edge ISPs should also filter routes. This is mainly to catch the peering sessions and pick up mistakes. If transit are filtering, this is a mopping up exercise - an attack or mistake could impact a small group of peering ISPs maybe, not the Internet as a whole. Such ISPs probably already filter peering to some extent anyway, but RPKI is a good start for making this better and more automated.
So if you felt things in the industry were not moving fast enough, you could make a site and allow tweets saying people have "unsafe" Internet. But if you did that, should you say that the edge ISP has unsafe internet or maybe work out which transit they are using and say that transit provider is unsafe? Maybe if the edge ISP is not signing routes, highlight that. But really, who should you "shame"? The edge ISPs filtering is a good idea, but the last steps involved for completeness - the signing and the transit filters, they are what matter here. Personally, don't try shaming people, talk to them!

But to be clear, AAISP were doing 1, we are now nagging transit re 2, and we are working on 3. The last stage is complex as it means development and testing in our core routers - not something you do during a pandemic.

It is interesting that, even with recent publicity, we have one customer concerned that we will be deploying RPKI filtering - feeling it will break things and even accusing us of breach of contract. This kind of shows it is not a simple matter to deploy quickly.

There is also an excellent post by Andrew Aston on the issue of shaming ISPs: here.