2018-05-29

Winding down

I am in this odd phase of a holiday all booked which is only 9 days, 18 hours, 0 minutes, and 26 seconds away. Oh, do I have a countdown app on my phone? Maybe... I'm sort of putting off work I should do until after the holiday now.

Got a message from one of my cohorts today...


"Cagney's" is one of the restaurants on the ship. It seems I am not the only one "winding down".

I am packed as much as I can be, which is also unusual for me. OK yes, maybe the packing is getting a bit OCD here. Being weeks away I have labelled every cable and attached velcro cable ties to each, and put in labelled plastic boxes, and well, it is almost like I am bored or something!

If I was a normal employee, this would be a couple of weeks of very low productivity for my employer. The irony is that I will get work done whilst on holiday too.

I also have a list of things still to pack, and keep adding to it - latest being my hat, which will be needed assuming it is sunny. I even listed passport, just in case I am so tied up being careful to pack what is on the list and I forget some of the basics. Yes insulin and needles are on the list too!

Is there a word for "fear of forgetting something". I bet there is.

Even so, I expect to do the new FireBrick release before I go. The latest alpha has been tested a lot and is very stable, and the last bits are just about ready. Lots of work on the true random number generator in the FB2900, and the entropy from other sources for key generation. It has taken a bit longer than expected but it is important to get it all right. The ACME stuff is very cool and easy to use now.

2018-05-25

Analogue phones, 1876 to 2025, RIP

Analogue phones have been around a long time, but BT plc have finally announced that in the UK the analogue phone will be gone by 2025.

I have been saying this for a while, traditional landlines are on the way out. People use mobiles for calls, if they call at all as people tend to "message" and "text" and "FaceTime" a lot more these days, or so it seems to me.

But the end is in sight - BT plc t/a Openreach will stop selling analogue phone service, and even ISDN phone services, in only 5 years' time (2023) and stop actual services 2 years later in 2025.

For actual phone calls the alternatives are mobile and VoIP. For businesses, services like webRTC to call from your browser. I have been using VoIP for a long time now, in fact I am not sure how long, but over a decade at least.

This will be a challenge to some industries where analogue lines are still used for alarm monitoring systems, lifts, and just as a backup.

It will also be interesting to see how OFCOM cope as voice telephony becomes simply an "over the top" service just like web pages, email, or things like FaceTime, which are out of their remit. It will also be interesting if this move is followed by the death of the "phone number" as a thing.

A&A have been selling broadband using the analogue copper pair simply as a carrier for the broadband for a long time. We don't do "landline" phone service. So for us, for these existing services, we simply migrate them to the data only variants rather than a "phone service with no calls" as we have now.

The bigger challenge is the existing broadband customers that have a phone line from someone else and broadband with us. They will need to realise that they have to change at some point in the next 7 years. Thankfully we already offer a means to migrate to a broadband only service and (where a BT number) port the number to VoIP which we can even point to a mobile SIM if needed. Even with our small customer base that represents an average of several lines per day that need moving in order to be finished in only 7 years!

But for now, no change. We need to wait for BT to have these new SOTAP and SOGEA services rolled out, which is likely later this year.

We live in interesting times...

2018-05-23

Pick a card, any card... @monzo a winner

I have blogged a few times on issues with banks, and indeed, only yesterday, had the fun with Barclays wanting me to text a short code after they authorised a card payment.

So I thought it time to give a bit of a review of a couple of cards for personal use, Monzo and Starling, and how my views have changed slightly.

For my non techie friends and relatives - download the Monzo app on your smart phone and follow the instructions to get one now... Just do it!

Summary

I prefer Monzo now, they are a proper bank now, and less hassle. I am recommending Monzo to my friends.

Both Monzo and Starling accounts have a number of key features:-
  • Instant set up using a smart phone - you need photo of ID and short video clip and your details, and sorted.
  • Both have "account switch" systems to move DDs and payments from another bank, but you don't need to close your existing bank account - nothing stops you having more than one bank!
  • The account does all the usual things like direct debits, faster payments, and so on. You can have your salary paid in to them. They are proper bank accounts.
  • Both offer overdrafts.
  • Both do Apple pay.
  • Both do live updates of spending on the phone app.
  • Both allow third parties to send money using a debit card! i.e. charge someone's debit card to put money in to your account. That is cool, you can send someone a link to pay you money!
  • Both allow API integration with your own systems so you can see transaction details live on your own computer system if you are geeky enough to want that. It is cool for geeks, honest.
  • Both allow you to disable and re-enable the card as you wish.
  • Both allow separate spending pots / savings pots to partition off your money.
There is not a lot to decide between them, but I have listed some of the key differences I have noted below and why I prefer Monzo now.

I feel they are especially good for anyone living on a budget and wanting to carefully manage their money.

Monzo

I got a Monzo card when it was in beta (my son got one in alpha), and was a pre-payment Mastercard with quite a nice phone app. Back then there was a waiting list even. I used in UK and US and worked well.

It has moved on massively since then. It is a proper bank, and they have neat features like warning you of a Direct Debit the day before, and you have to love the "ka-ching" sound when using the card. They now have Apple pay as well.

Some key advantages to Monzo:-
  • The app clearly shows the limits on usage, e.g. daily card usage amounts and so on.
  • They have a warning of DD payments the day before.
  • They show declined card transactions and the reason why declined, very useful if there is some fraud, or you simply mistyped the expiry date!
  • The API (and app) has way more detail including sender bank sort code and account number and showing the proper reference on payments and Direct Debits.
  • The "ka-ching" sound effect when you spend money
  • Really simple means to send payments between Monzo card holders you know, or near you, and the reference allows lots of text and even emojis, and reaction emojis as well making easy to acknowledge a payment with a smiley face.
  • That really bright orange!

Starling

I got a Starling card later than Monzo, and one of the key things that impressed me was the instant set up. At the time Monzo had a waiting list which I am assuming they do not now. Also, not only did I have a working bank account in minutes, with sort code and account number, it was on Apple pay instantly even before I had the card. Next day it popped up offering an overdraft (though I don't use one). The day after the card arrived and it was in very cool packaging!

Whilst Apple pay is a bit gimmicky, I do like it, and use it, so I started using Starling for my day to day spending instead of Monzo. I also asked them about spending limits on the card as the app does not show it and they said there was no limit. With that I decided Starling was the card for me and pretty much stopped using Monzo at all. Indeed, a card that would just work for any amount I had on it, that was going to be my main bank account now. Finally a card that would do what I wanted, or so I thought.

I ran in to a few snags and basically they were not interested in fixing at all. One was that there were no details of sender sort code and account on payments, and another is the Direct Debits do not show the actual payment reference so you cannot relate to a specific DD notice for an individual invoice. Whilst both are minor issues, my concern was their reluctance to do anything or consider either an issue.

Then, recently, I found that they misled me over the spending limit on the card and actually it is £10,000. They also said that fast payments were £10,000 in 24 hours too, so having moved money to Starling to pay something more than £10,000 (only option was a single transaction for full amount as was on a web site) I could not move all the money back to a different account. It then turns out that this was also mis-information and that the £10,000 fast payment limit is per transaction! To this day I don't know if the £10,000 card limit is per transaction or per day...

To my surprise, even days after alerting them to these issues and misinformation a friend contacted me to ask about Starling limits as they too had multiple contradictory statements from Starling about limits, and they wanted to buy a £16,000 car but did not want embarrassment by having the card declined. They too were considering new banks like Starling because of the hassle of traditional banks and their over zealous and often misdirected "fraud protection" systems, and the appalling way you are treated once they are triggered. So it seems Starling have not learned. This is a real shame. Mistakes are one thing, not learning is another.

Now Monzo have Apple pay, I have basically stopped using Starling. Monzo have limits but they say what they are in the app, no ambiguity!

Their only possible saving grace is that Starling do business accounts now (in limited cases), and if that has a sane API (with sender sort code and account as well as full reference) that may be useful.

To be fair, some other features...
  • Pay interest on credit balances, which is nice.
  • Do some stuff with € it seems.
  • It seems foreign cash withdrawals may be better.

Amex

Clearly neither Monzo nor Starling will help with any larger transactions. Monzo is great for day to day spending, but if and when I want to spend more, I cannot trust them to work because of usage limits. Also, I am wary of Barclays or Lloyds or other banks because of the hassle and attitude the second you trip their fraud systems. To be honest the attitude is perhaps the worst part.

So, it seems, the best way forward is an Amex card. They have a reputation for not dicking people about. I hope it is well founded. Early days (1st month) but we will see. So far only hassle is pizza hut don't seem to take Amex. Otherwise no problems at all. I'll blog more on this if/when I really put them to the test but that may be some time. It is almost sad that I am deliberately putting everything I do through Amex to make sure they build up my credit rather than using Monzo.

The good news is they do have an app and it has real time alerts. It is a bit odd, in fact, as the alerts flag up in the Apple Wallet in real time, and the Amex app lags behind by minutes. But the end result is I can see spending in real time just the same as Monzo or Starling, which is nice. It also means any fraud can be sorted really quickly.


I hope that has been useful - I appreciate an Amex card is not for everyone - I have a wide range of readers and friends and I know some have used Amex Platinum for years (and have more money than sense, some of them), but some have almost no income and struggle, so it is a tad hard making a blog post that works for that range of people - maybe I have succeeded this time. I know that, thinking back to when I was really broke, a Monzo card would have been perfect.

New toy (Mag card reader/writer)

Much like barcodes are a bit of a hobby, magnetic cards have been for a long time. I made my first mag card reader using a Sony walkman cassette head mounted on a block of wood, over 30 years ago...

Back then magnetic stripes were the main way bank cards worked, even for cash machines, long before we had chips in cards. Oddly, they are still quite common in the US but I understand chip and PIN is catching on. They are also used for some door entry systems.

Well, on a whim, I got one of these :-



Of course, really, most people have no need for a card reader, and even less use for a card writer.

Now, in my case, we sort of do. We have a nice card printing machine, which will also encode mag stripes on cards. The driver code is written by me (as had no linux drivers). We sell printed cards, including encoding mag stripes on cards for customers. We used to have a card reader and it seems to be missing, hence my buying a new one. It is useful for checking things if needed. But I thought I'd order one that writes, why not? I got an MSR Pro USB reader/writer. Seems easy to use, and very flexible.

To be honest, unless you have a mag card based control system of some sort, a door entry system, or maybe handling mag cards is part of the business (like us), you probably have no "legitimate" use for a reader or writer.

Of course there are probably fun uses for this, and also not so legal uses, especially if there are places that only use the mag stripe in some way for bank cards. These are few and far between, but I noted when in the US they not only used the mag stripe but also printed the "name" from it on the receipt.

I am not sure I have the nerve to do it, but I could, for example, recode a card so that instead of track 1 containing ^KENNARD/ADRIAN^ it could contain ^SERVICE/INCLUDED^ so that in the US it prints that on the receipt just to confuse them. Would that be "legal"? I have no idea (and even less so for US law). The card remains the issuers property but this is not "damaging" or even defacing their property, and it can be undone by re-writing the original coding. It is not done in order to defraud anyone (even in US, tips are supposedly optional). So might even be legal. Of course there may be specific laws covering this (there is a law on changing ESN in mobile phones, would you believe!). That said, I am not sure I'd want to get caught doing it...

The more dodgy thing to do, is to recode the other details, copy someone's card mag stripe to another card. Now, these days, with chips being used rather than mag stripes, it is not going to work. If done to defraud someone it would be very illegal.

So whilst this is a fun toy, it is really only any use for things like checking we have correctly coded cards, and debugging the code that drives the card printing machine. So I would not suggest you rush out and buy one...

P.S. First thing was packet dumps from my machine whilst running the card reader s/w to double check it was not sending every card I scanned to China.

2018-05-22

Holiday tech

I am off on a cruise next month. I am still amazed my mates and I manage to rustle up what it costs, but it makes for a fun holiday each year.

But I am taking tech, I do that, and so do my mates. We all have work to do.

This year I plan to take the proper desktop Mac I use. Because I can, and the suite has a nice useful table for it. So I have a flight case for it!

But there is more - I expect to do some work - there are "sea days" on this cruise. So FireBricks, ethernet, fibre, and all sorts, just to be able to work on this stuff. So I expect to take some "tech" with me...



Of course I also want to take pictures and videos, so even more tech.

That said, I do plan to have some time relaxing, honest.

2018-05-21

If you wanna be the best, if you wanna beat the rest, medication's what you need

OK sorry, that slogan was from some old TV show and was "dedication" not "medication", but so easy to change in your head.

Amlodipine is the latest they have me on for blood pressure. I changed from Indapamide to this, and it is, err, interesting.

First off, the Indapamide made me very "on-edge" but I could get work done, but was out of breath all the time.

Now on Amlodipine it is different. The first thing was going off the Indapamide meant I was hypo (low blood sugar) and had to quite drastically lower my insulin. Hypo is pretty easy to spot and to fix, if you have snacks.

Then put on Amlodipine I was hyperglycaemic, which is harder to spot. You feel more tired, which is easy to dismiss. But you also find infections, spots, acne, boils, and all sorts within days. Not at all nice. High blood sugar can be a real pain, and take a while to recover. Though, low blood sugar can be dangerous in very short timescales too. It is harder to die from high blood sugar, generally, but not nice.

What is key is any change of any medication, even if unrelated to diabetes, do the blood sugar tests like mad, even if only for a few days! Other unrelated medication like these drugs for blood pressure can have a massive impact!

Amlodipine has massively pushed up blood sugar and I am on almost twice the daily insulin now. That alone is strange.

Routine is everything - change anything from routine and it all goes to shit. I had this at the weekend, with being late for my usual breakfast. OK breakfast is a costa coffee and sausage roll, but normally at 8:30. My body does not understand weekends. On Sunday, my blood sugar went from high 7 to low 4 in 20 minutes and by 9:30 I was shaking. Going on holiday, along with a few time zone changes, is going to be, err "fun". I'll cope. There is 24 hour pizza on the ship!

As long as I stick to routine now, I think I have it sussed, finally. Much higher insulin, but breakfast, some light lunch, a proper dinner (with Gliclazide) and a few drinks... The daily routine works and keeps me on balance. It amazes me sleep for 8 hours+ works to be honest as during the day that would not, so clearly my body learns a routine and adapts.

It was so much easier when my body regulated this crap entirely by itself! One day we'll have stem cell or artificial replacement pancreas implants, but for now, I inherited this crap from my mum. Not her fault, obviously, and she has had a way harder time than I have. But that's life.

2018-05-19

Apple used to be good at this!

Once again I am moaning about Apple!



My issue is on-going watching of a TV series... A simple task which incidentally Netflix has well sussed.

Once upon a time it took several clicks to get from the main menu in to the TV shows and select the show, but at least at that point it knew which episode you were watching and where you had left off within the episode.

Then, wonder of wonders, the "TV" menu in the Apple appeared, and at power on it would be basically one-click to continue watching what you had been watching, in the right show and the right point in the show. This was finally almost as slick as Netflix.

Now, as you will see in the video, they are being extra special.

It remembers where you were, what series, what episode, and where in that episode. It shows on the main page when you turn it on, offering you "Up next" as "Continue" watching that episode. One click to play it.

But then it goes horribly wrong for no apparent reason. It says you need to install Netflix! If you cancel that you see the series of shows, and the episode you are on selected ready to play. If you select, then again, you have to install Netflix.

Why?

If you go up several levels of menu, in to TV shows, pick purchased items, and all items, and scroll to find the show you were watching, you eventually find it is there but is offering to show episode 1. So you then have to find the episode you were watching if you can remember, and play.

It plays, with no Netflix needed, and carries on from where you stopped (within that episode)...

I just don't get it! It makes no sense. It seems to only be some series, but it baffles me how they release such broken code with such serious bugs in it. Seriously, Apple used to be good at user interface - it was their thing.

2018-05-16

GDPR

I am not planning to say a lot here at this stage, but I suspect people would be rather surprised if I did not comment a little on GDPR. I remind you all I am not a lawyer. I'll try to cover the basics...

Is this a big change?

You would be forgiven for thinking it is. To be honest, I think for the most part the basic principles have not changed a lot, and if you were "doing it right" before, you are probably "doing it right" now. There are changes, yes, but it seems to me that the biggest change is around "accountability". Under GDPR you are expected to have a lot more processes in place, and be able to show that. Before, if you did things right you may have more easily got away without all of the paperwork to prove that was the case, but GDPR puts a lot of onus on the paperwork and accountability... GDPR also has big fines which is what is actually making people jump!

"Consent" has changed...

As a basis for processing personal data the use of "consent" has changed, in rather odd ways. For a start it has to be "freely given" so cannot be in exchange for some service, which is interesting. But also it has to be revocable. Some of the rules on proving you got consent (i.e. not default pre-ticked boxes) have changed a bit too. And of course the accountability to show you actually got consent is clearer now.

The upshot of this, and paraphrasing the advice from our lawyer, is that anyone relying on "consent" as the basis for processing, is crazy.

I know I am seen as speaking for A&A here on my blog in spite of my caveats on the matter, so to be clear, A&A do not use "consent" as the basis for processing. It is far too difficult, and fragile a basis for doing anything really. Why would we - you can withdraw it at any time...

Extra rights

Not that many to be honest, you had loads of rights before, but maybe a few more now. One thing is that subject access requests are to be free. This is likely to be a pain for many companies.

Once again, with an A&A hat on, pretty much everything we have on you is available on the web pages now (accounts or control pages), and indeed, I expect some level of "full SAR" to be in there soon anyway, depending on if anyone starts asking for lots of data. I'd rather people do not go mad on 25th asking for data, to be honest, as basically we are not the bad guys here hoarding loads of personal data on people, and never have been. A lot of replies will be referencing the data you can access anyway. That is not to say we won't welcome suggestions and feedback on this all.

Privacy at the core of the business

This is where A&A are a bit different, and I had a long chat with our company lawyer on this the other day. Obviously we have been working on this for months, but he was impressed how we do take privacy seriously at every level as a matter of course really. It has made his job a bit easier as basically we are not changing what we do, but doing the paperwork to document what we do and so on. Not only is the company simply not in the "business" of selling / processing personal data in the first place, but we have myself and key staff on the case every day challenging everything we do, or consider doing, from a privacy standpoint.

Some changes at A&A

To be honest, the whole process has meant we are looking more closely at some aspects of what we do, and so some things like the way we identify customers that call/irc/email/etc may be tightened up a bit. We need the right compromises of helpful and secure. We did a lot of this last year with controls over levels of security on accounts and two factor authentication so as to give our customers a choice of the level of security (or paranoia) they felt was needed for their data. That was all done before we even really considered GDPR, just how we work and how we can be better at privacy!

But obviously we welcome feedback, if you feel we are too strict or not strict enough on verifying you as a customer, please do tell us. The whole process here is a lot about learning the right balance to ensure people have the right level of privacy and convenience.

OK, the real reason to read this - those annoying emails to re-confirm consent!

We have all had them, heck they are filling the inbox for us all - asking to reconfirm "consent" before 25th May.

I don't know what to say to be honest. I do not think a single one of these emails is from someone that I actually gave consent to in the first place!!!

We've had them sent to mailerdaemon@somedomain at the office, clearly not an email address anyone used or consented to marketing (or any other) emails to.

The only light at the end of the tunnel is that, if we are lucky, all of these muppets delete us from their mailing lists for fear of fines related to GDPR.

But, really, none of them should have us on the mailing list anyway under existing privacy and data protection laws, FFS! If only the ICO had enforced the laws we had, this would have not been an issue, IMHO.

If you have a lawful basis to have someone's details and send them email, GDPR does not really take that away, and so you do not need these stupid emails asking to re-consent.

Anyone considering sending such emails over the next week or so - talk to someone that understands GDPR properly, i.e. @neil_neilzone

2018-05-14

(mis) targeted adverts

OK I get that there is a lot of tracking.

I get that if I search on the Internet for green jelly babies, I'll start seeing adverts for people selling green jelly babies.

What I do not get is how people actually pay advertisers to bombard me with adverts for the very thing I have just purchased by the very company from which I have just purchased it.

That has to be the daftest thing possible?

Arrrrg!

Will GDPR help, like fuck it will...

P.S. I am assuming that posting this (with names) on my blog (for all the world to see) is morally no different to clicking "like" on it (for all the world to see)? Is it? Is it legally wrong?

2018-05-13

Looking forward to a holiday

It looks like the holiday is on - another cruise, after much hassle with banks (quelle surprise).

Once again working with my friends on this so we can get a nice cabin on an NCL ship. It is 9 days around Norway and Scotland next month.

I am once again really looking forward to this, and I hope it will be relaxing. It will be a lot of drinking and playing cards!

Holidays are funny things. To be honest, the biggest benefit of a holiday in many ways is that people know I am on holiday and do not hassle me. I could take a holiday at home (and I know people that do that) with much the same effect except in my case I know people would hassle me anyway as they would know I am not on a "proper" holiday. Maybe I need to "fake" a cruise one year!

This is a bit different because it is the same. I.e. it is a holiday I have done almost exactly the same once before, with the same people, on the same ship to mostly the same places. Later in the year so weather should be better for the hot tub.

It is always rather odd doing that - you "know the ropes" and so do not spend half the holiday learning what you need to know. A normal holiday can involve a lot of that, and when you are doing something like a cruise you learn a lot of the cock-ups and special cases and incomprehensible rules they have which spoil the holiday. You also learn the things you wish you had brought with you. A second time we should not fall foul of any of them.

We did this once in Rhodes, a second holiday a month later than the first, and it was really quite different. The hat I lost the first time was recovered from the restaurant owner that thought he could keep it :-) But the second time of any holiday is always very different in so many ways, and a different experience in itself.

Once again sailing from UK (Southampton) which is so much nicer than flying somewhere first. I cannot stress this enough. One thing I am doing is taking my Mac with me, the cabin has the space, rather than a laptop. This is one more heavy bit of luggage, but all that means is the taking from car, walking like 10m to the luggage drop off, and done. They take to the cabin (I have a nice flight case for it on order). Taking an extra, heavy, flight case on an actual flight would be a lot of hassle. A cruise is the holiday, unlike a flight which is getting to the holiday, so starting in the UK a short drive away really is just so much less stressful, and the same coming back. Flying home is one of the worst parts of so many holidays.

Whilst NCL are a pain, and have lots of issues, the actual holiday is not bad, and they have cabins that start from a few hundred pounds for a nice trip. So I am hoping a second instance of the same holiday will work well and be relaxing. We can but hope.

I have also had fun with making FireBricks cope with the challenges of high latency (satellite) links, which I think we have sussed, but I don't rule out more work on that from the cabin. Last time it was DNS timeouts.

I hope to do loads of videos and pictures once again. Not sure I'll do the daily blog, but we'll see.

2018-05-12

Real banks are shit, but "challenger" banks are more shit, maybe?

[I've added some constructive comments at the end of the blog now]

I have had a lot of issues with Barclays over the years, especially where card payments are declined for no good reason (and where they allow fraudulent ones that are so obvious to anyone that it is fraud, against Barclays, it is unbelievable).

So I am very wary of using Barclays for anything, and hence have Monzo and Starling accounts. Both are great at letting you know what happens in real time on mobile apps and recommended to most of my friends. For most people both work well, but I have to say I would now recommend Monzo.

But, it seems, neither can do the job of a "proper" bank, in my view.

I am booking a cruise with my (rich) friends. As I have blogged before we take turns for holidays, and between us we are doing another cruise. The total comes to more than £10k between us. I'll no doubt post pictures and videos at the time (next month). I know that is a lot of money.

So, paying over £10k on my Barclays card - risky - it could bounce, decline, fail, go wrong in so many ways, and I am wary. As I say, it is a lot of money. To be honest the most likely is they allow the cruise and then block my card without telling me and make my life difficult when I want to buy a coffee.

But I have my shiny new Starling Bank card, and I asked them, back in December, if there are any spending limits using the card. I was advised of top up, and ATM usage limits and told that otherwise there was no limit. I asked at the time as we were sorting a rather expensive car for my son, and wanted to ensure it worked. Sadly Tesla don't take debit cards (WTF?) so was not the issue. Seems it would have been if they did!

I have spent the last 6 months thinking my Starling card had no spending limit, so I decided the safest tactic for this cruise was move the money to Starling, and then pay on card. They declined it! UNLIKE Monzo they do not log or show they declined it on the app. I had to ask on the chat thing. They declined as they have a £10k limit. It seems that previously they LIED TO ME about the limits, or lack thereof.

Now I find they can do nothing to fix this, and I cannot even send the money BACK to my Barclays account to try paying with the Barclays debit card as sending money out has the same limit! Before you ask, yes, I tried to resolve this with them before making a blog post and putting on twitter - had they resolved it, e.g. "I'll temporarily allow a higher level, try now", then I would have been impressed and not cross at all.

This is starting to be show stopping for use of Starling, and I will go back to Monzo for some stuff and Barclays for other. It really seems that these "challenger" banks are just playing around and not "proper" banks at all. Shame.

Anyway, the money, carefully collected together, is held to ransom almost, in my Starling account, and I do not want to lose the cruise booking over this. So I decide, that is OK, I can borrow from my mortgage reserve for a few days. I am not above using my mortgage reserve for a holiday, that is what these things are for. What do I find? Well, Barclays have broken the mortgage contract (IMHO) and reduced my reserve with no notice to only £1k available. What the hell? If we manage to get this cruise sorted it will be a miracle. So I'm threatening to sue Barclays now over that...

Seriously, do no "proper" banks exist?

P.S. I could not send the money back to another account (well not all of it) as they stated there was a £10k “in any 24 hours” limit. However, experimenting, you can simply send more than one payment in a row. So yet more misinformation.


What would help is:-
  • Clearly stating actual limits in the app like Monzo do,
  • Ensuring staff understand and can explain them correctly.
  • Allowing customers to change them to suit their spending, i.e. £10k is way too high for a lot of people who would be happier with a much lower limit
  • Allow time limited pre-advice of large payment via app with face/finger security, and password, and PIN or whatever.
  • Please have the app show when a card is declined, and the reason, like Monzo do!
  • Maybe even a link/button to "enable this transaction if you would like to try again in next hour" restricting to exact amount and merchant to exceed a limit...

2018-05-11

Change of mindset

I have worked on embedded coding for a long time.

I worked on mobile phones, and before that 6502 and Z80 and (I forget exactly) other stuff. I have written code for home made gadgets made from wire wrapped 6502 boards I put together myself and designed myself. I have written code for ticket machines for tote betting on race courses! I designed the Walthamstow dog track jackpot bet thing from several decades ago and made the big display board they had work with it. Those were the days - coding was challenging but much easier to grasp every aspect, to understand how the logic gates worked to make the processor tick at every level. Life was simpler in so many ways :-)

Nearly 20 years ago we (FireBrick) did something amazing with an H8 micro controller, making IP packets flow using an Ethernet controller. It was 10Mb/s Ethernet, and needed to be read byte by byte in and out of the processor using code, but it worked, and we actually coded TCP. We made a usable firewall product!

That was huge. You would never get TCP on a BBC Micro. Well, technically, I bet I could, but really really limited. If nothing else the memory was an issue, as a BBC micro had 32K of RAM if you were lucky. That is not a lot of TCP packets!

Of course something like a PIC 16C84 was more fun in many ways and it had what, tens of bytes of memory, I forget... (OK, I checked, it is 36 bytes of memory). No, that is not enough to generate a TCP/IP(v4) header even! I liked those PICs...

So my view on embedded devices extended to talking TCP and hence the things that could do, like http as a web control interface. My mindset moved on...

But times move on.

We have finally had TLS and https on FireBricks for a while now. Until now, I really did not feel talking TLS was an embedded controller thing. But we have the code. We have the algorithms for the negotiation and encryption, and the code for the TLS and well, it is a thing, even on a small ARM controller. We're even looking at some of the hardware crypto processors now.

So now I have to have the mindset that a small embedded controller has no real excuse not to talk proper encrypted https and similar protocols.

For a lot of my life that would be madness. It is hard to get my head around some days!

I look forward to the next 20 years!

2018-05-10

It feels wrong somehow

I just paid for a copy of Word. I have never done that before in my life! I don't think I have paid for any Microsoft office product (i.e. I have never had to as not using one). It was actually a copy of Word for my Mac at around £100.

Why would I do this?

Well, short answer, BT.

They provide bills in RTF (Rich Text Format) only. No idea why not in PDF. We have tried to get them to see sense. They don't have to stop providing in RTF for those that want but just add that extra link on the portal for PDF, pretty please.

If you google you will find loads and loads and loads of ways to open RTF or convert RTF to PDF or PS, or LaTeX or text or whatever. Apparently TextEditor on Mac will open RTF, as will LibreOffice. So will unrtf on linux, but no, the magic RTFs that BT make are not handled by any of them. I even tried Wordpad on a windows VM! No joy. It seems to be XML (not ZIPPED) and says it is a Word document, but nothing can open it. Very frustrating.

So, an actual copy of Word - it was risky - if that did not open, what then? More shouting at BT? Refusing to pay until they fix it?

One time we had a VAT inspection, and VAT office threatened to disallow a lot of VAT if we could not produce the bill on paper or some readable format, which proved very hard. I think, at the time, they used an older RTF that would open, but was hundreds of pages long, so VAT inspector literally had to wait around half an hour for the document to open to see the front page with VAT details. That was very nearly very costly for us.

Their portal does not say how much the bill is (I think it used to, hence having paid the above bill) so we need to open it somehow, and usually someone in BT will load the RTF in to Word and save as PDF and email us, but I am guessing they are on holiday, and it is kind of handy to know how much we owe. Why are they so backward!

Now, my paid for copy of Word did work, though it would not export as a PDF (generates an error)! Thankfully, being a Mac, I just say "print" and select PDF and bingo, sorted.

Such a faff. It is not so much the £100, it is paying Microsoft. That just seems so wrong somehow.

Buzz off

I am not a fan of wasps or hornets, though I am pretty sure I have never actually been stung.

So picture the scene, I am sat in the bath this morning, (maybe don't picture the scene), and suddenly there is this loud buzzing and banging and crashing around in the bathroom around me!

I got a glimpse of what appears to be a huge wasp of some sort - that thing is about 2cm long! It was literally knocking stuff over crashing in to things.

My bath is actually a shower/bath and steam thing with sides, and a top and sliding doors that close completely - obviously to keep water and steam in. The doors were closed very quickly, and it does a job at keeping a wasp out, thankfully.

I ended up spending ages waiting for the damn thing to go away, or rather just go quiet, as it did, which was worrying.

Fortunately the water does not go cold very quickly when the doors are closed. Eventually I did get out, and it was walking on the floor very slowly. I think I can thank my air conditioning for making the bedroom and bathroom 20 for that. It was expelled out of the window - actually, my wife did that (thank you, dear).

I have no idea what it is! Some (on twitter) suggested a European hornet, some suggested Asian hornet, and someone said it may just be a normal wasp but a queen. None of those are at all appealing in any way.

So now the air vent in the ceiling is sealed with tape until I can find a fine mesh to put in it or something. If I'm found suffocated in the morning because every tiny gap to the outside has been sealed up, you'll know why.

2018-05-09

Did https kill my blog

Seriously, hits are down like 50%, and I wonder if it is https?

I hope not. Maybe I should test it. Surely that is not the cause.

2018-05-07

The problem with SNI (and domain fronting) - Heisenberg's SNI?

HTTPS/TLS means that a browser or app or client can access a website or other resource over an encrypted link.

Now, the way this usually works is things like https://aa.net.uk/ where the browser makes a connection and as part of that connection it says it wants aa.net.uk so the server knows to serve the certificate and key for aa.net.uk.

The problem is that the name of the service (SNI) is in the clear and so some censorship systems can spot this and block it.

Now, we have some generic hosting environments. Cloud services. The nice thing is they have loads of IP addresses for all sorts, so hard to block.

Domain fronting fools this by sending a different SNI (asking for a specific certificate, in the clear) that is "OK" and then talking to a server that is not the same as the SNI.

This fools censorship systems.

Some cloud services are blocking "domain fronting" like this (why?).

OK this is hard to explain... We could do SNI after DH logic, making it so the service you want is encrypted. But as that is before you authenticate (as you cannot authenticate yet as that depends on SNI) it could be "man in the middle" but if it is then the next step of authenticating will fail.

It is like Heisenberg - you can either see what "domain name" is being requested, or you allow the connection, one or the other.

So the logic is simplified - you have two choices :-
  • You can detect what someone is accessing (see the SNI)
  • You can allow a connection to work
Basically no way to detect it and allow it to work. It is one or the other, only!

Does TLSv1.3 do this, I have not checked. If not then maybe TLSv1.4 will.

Clearly this is possible, and necessary, ASAP. It seems a real shame to me that the SNI was ever "in the clear".
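
As an added illustration (not code from this blog or from FireBrick), the Go sketch below shows what a passive observer reads from the very start of a connection: it drives a real crypto/tls client over an in-memory pipe and pulls the server name out of the unencrypted ClientHello. The function names are made up for the example; the second host is an IP literal, for which Go's client sends no SNI at all.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
)

// captureClientHello runs a real crypto/tls client over an in-memory pipe and returns its first bytes.
func captureClientHello(serverName string) ([]byte, error) {
	cli, obs := net.Pipe()
	defer obs.Close() // aborts the handshake; only the first flight matters here
	go tls.Client(cli, &tls.Config{ServerName: serverName}).Handshake()
	buf := make([]byte, 5+0xffff) // room for the largest possible record
	n, err := obs.Read(buf)       // net.Pipe is unbuffered: one Read takes the client's whole Write
	return buf[:n], err
}

// take pops n bytes off *b; on short input it returns nil and empties *b so later reads fail too.
func take(b *[]byte, n int) []byte {
	if n > len(*b) {
		*b = nil
		return nil
	}
	out := (*b)[:n]
	*b = (*b)[n:]
	return out
}

// vec pops a vector prefixed by a w-byte big-endian length (nil if the input is short).
func vec(b *[]byte, w int) []byte {
	n := 0
	for _, x := range take(b, w) {
		n = n<<8 | int(x)
	}
	return take(b, n)
}

// sniFromRecord returns the host_name in a ClientHello record's server_name extension, "" if none.
func sniFromRecord(rec []byte) (string, error) {
	hdr := take(&rec, 3) // content type, record version
	hs := vec(&rec, 2)   // record payload
	msg := take(&hs, 1)  // handshake type
	ch := vec(&hs, 3)    // ClientHello body
	take(&ch, 2+32)      // legacy_version, random
	vec(&ch, 1)          // session_id
	vec(&ch, 2)          // cipher_suites
	vec(&ch, 1)          // compression_methods
	exts := vec(&ch, 2)
	if exts == nil || hdr[0] != 0x16 || msg[0] != 0x01 { // 0x16 handshake, 0x01 ClientHello
		return "", errors.New("not a complete ClientHello with extensions")
	}
	for len(exts) > 0 {
		typ, data := take(&exts, 2), vec(&exts, 2)
		if data == nil || typ[0] != 0 || typ[1] != 0 { // extension type 0 = server_name
			continue
		}
		names := vec(&data, 2) // ServerNameList
		kind, name := take(&names, 1), vec(&names, 2)
		if name != nil && kind[0] == 0 { // name_type 0 = host_name
			return string(name), nil
		}
	}
	return "", nil
}

func main() {
	for _, host := range []string{"aa.net.uk", "10.0.0.1"} {
		rec, _ := captureClientHello(host)
		sni, err := sniFromRecord(rec)
		fmt.Printf("client asked for %q, observer reads SNI %q (err: %v)\n", host, sni, err)
	}
}
```

Go's client offers TLS 1.3 by default, so the ClientHello parsed here is one that offers TLS 1.3.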

Discounts and surcharges

One of the things that apparently confuses people, it seems, is that whenever you see a discount you have to see the flip side, that the un-discounted amount is much like a surcharge.

For example, I just saw this on facebook (with someone making the same point).

Yes, it says "free delivery" but a discount of 10% for collection.

I.e. the pricing clearly allows them to sell (food I think) for the discount price, so the extra 11% on top of that is a surcharge for deliveries.

That is very much not "free delivery", is it!

The trick is to always look at the other side of things.

Let's look at BT!

Now, BT have finally launched the rather odd lower price line rental for people with no broadband. It is described here. It is quite a lot cheaper than normal, £7/month off.

But let's look at this the other way around. What it is, in fact, can be seen as a £7/month surcharge if you get broadband. Even with another supplier than BT for the broadband.

How the hell has OFCOM allowed this basically anti-competitive behaviour - how are they allowed to link their price to competing providers' independent services? Well, OFCOM actually encouraged and/or mandated this crazy scheme.

Interesting, broadband via your mobile does not impact the line rental. But on face value, broadband via cable, wifi, or other means would impact the price. It just says "Broadband with another supplier" is not allowed (but says mobile is OK). They actually say broadband via Virgin means you DO NOT get the discount. So this is nothing to do with the line being shared access to the copper or anything like that, it is simply a surcharge for taking a broadband service!

I am surprised it is even legal for this sort of linking of price to independent services from other providers. I cannot help feeling it should not be legal. It would be like us giving a discount on broadband if you use Daz washing powder.

However...

I have not found the formal contract terms - it used to be easy, so if someone finds them, let me know. But that web page is very clear about you having broadband - so presumably if your spouse, parent, child, friend, etc, has broadband installed at your house then the discount still applies (or rather the surcharge does not apply)?

Maybe two neighbours can install broadband for each other, and just use the wifi through the wall :-)

Ideally it means checking the exact terms to be sure.

P.S. Just to clarify, the discounted price is £11.99 from BT. A&A do a "line for broadband use" for £10 (no calls allowed) which obviously applies with having the broadband (only available with broadband).

2018-05-05

Network appliances and https

One of the challenges we have is how we have a network appliance like the FireBrick and https from the start...

We have a really good system for setting up the FireBrick with a proper hostname on the internet and https using ACME and Let's Encrypt, but we have to take a step back here...

This is a problem for everything from WiFi APs, switches, routers, firewalls, and indeed any network device: how to get started. It is an issue that is going to be really hard to solve.

Most such devices need some sort of initial set up, and the way to do that is a web page. So how does that work?

http

The simplest is just http, so you may, for example, connect a FireBrick to a laptop and access http://10.0.0.1/ to talk to it. That works, but is insecure http.

Now, http works, and is a simple protocol and works when connected directly to the FireBrick via cable with no security issues. But it is something browsers are increasingly saying is BAD BAD BAD in red letters!


So not good. What would be better is a way to do https, somehow...

https

Using https is way better, it stops the browser getting upset. The problem is that there is no way to get a certificate for https://10.0.0.1/ for obvious reasons.

So what do people do - and to be honest, I am interested in feedback here.

What I have seen is devices that provide a certificate for their domain, some-ap.com. It will not match 10.0.0.1, but you can override on the browser to carry on. Oddly I see many that go for a non standard port as well like 8443 instead of 443 - why is that?

Nothing you do can actually guarantee the security, but you want the warnings to be minimal.

FireBrick

What we are planning to do is make a simple self signed cert to match the request, i.e. one for 10.0.0.1 if that is what you used. It means a warning, as you would expect, but you can then access the FireBrick via https, and avoid passive snooping. That is a step more than just using http.

The future?

We do need something!

Maybe some flag in the self signed cert? Maybe something that means browsers are less fussy if the connected device is local subnet, TTL 1 TCP working, and the cert confirms the MAC address, or something. I think even that could use spoofed MAC to divert a switch, but harder to do.

What we need is some way to say to a browser, yes, warn this is not that secure, but don't go all alarm bells ringing because clearly it is locally directly connected somehow (e.g. TTL 1, MAC in cert). So that embedded s/w in network appliances have some way to allow that initial and direct config to work via https. Maybe we need CAs that are MAC OUI level somehow?

I can't think of a clean way to do this to be honest. It has to have warnings, but can there be a standard way to do this that minimises the scary warnings somehow?

Something to ponder.

P.S. Interesting, some browsers send the IP as the SNI, e.g. 10.0.0.1, but some send no SNI if an IP address. All adds to the fun. Latest FireBrick alpha has the self signing code for testing now.
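
A sketch of the self-signed-to-match idea described above, as an added Go example (not FireBrick's code): pick the name from the SNI or, when the client sent none, from the local IP the connection arrived on, and issue a certificate for it. The function names, the P-256 key and the three-month lifetime are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// requestedName is the name to certify: the SNI if sent, else the local IP the client connected to.
func requestedName(sni string, local net.Addr) string {
	if tcp, ok := local.(*net.TCPAddr); ok && sni == "" {
		return tcp.IP.String()
	}
	return sni // may be "" when neither is known
}

// selfSigned builds a self-signed server certificate for name (a hostname or an IP literal).
func selfSigned(name string) (*tls.Certificate, error) {
	if name == "" {
		return nil, fmt.Errorf("no SNI and no local IP to certify")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),  // tolerate a slightly slow client clock
		NotAfter:     time.Now().AddDate(0, 3, 0), // lifetime is an arbitrary choice here
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{name},
	}
	if ip := net.ParseIP(name); ip != nil { // an IP is matched only against an iPAddress SAN
		tmpl.DNSNames, tmpl.IPAddresses = nil, []net.IP{ip}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// getCertificate is a tls.Config.GetCertificate hook issuing for whatever this client asked for.
func getCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
	return selfSigned(requestedName(h.ServerName, h.Conn.LocalAddr()))
}

// clientView: does the name match, and does an empty root pool (standing in for a browser CA store) trust it?
func clientView(leaf *x509.Certificate, host string) (nameOK, trusted bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool()})
	return leaf.VerifyHostname(host) == nil, err == nil
}

func main() {
	c, err := selfSigned(requestedName("", &net.TCPAddr{IP: net.IPv4(10, 0, 0, 1), Port: 443}))
	if err != nil {
		panic(err)
	}
	fmt.Println(clientView(c.Leaf, "10.0.0.1")) // name matches, chain untrusted
}
```

A real device would cache one certificate per name rather than minting a new key on every handshake.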

2018-05-04

Junk calls, what can we do in A&A

Understandably after I was cross about a junk call some people say "you work for a telco".

So, first off, I do, but I don't expect special treatment. Anything we can do for me, we should be able to do for any of our customers. OFCOM have some brain dead plans on CLI which will fix nothing in this area, so I will not even bother to link to them.

I have been pondering what A&A can do?

Well, one simple step is have anonymous call reject (ACR) on the normal (01/02) numbers which has a message "This number has been changed to" and quote a number with an unusual prefix, like 033 or 055 or 056. These are not expensive to call, but I bet junk callers will just move on to the next mark and not dial an alternative number.

But what else can we do?

At present, we do not see the underlying CLI for most callers where the CLI is withheld. As a telco that is something we are "allowed" to see. What we cannot do is pass it on to any of our customers. We have several carriers, and it is complicated. We can definitely have access to withheld CLI from one, but that depends on a factor outside our direct control at the moment, and we are working on it. We may be able to get from another carrier. In an ideal world, all the incoming calls would provide a CLI even when withheld. Obviously we need to audit our systems to be 100% sure we do suppress such CLI from our end users as well, though I am pretty sure we have that sorted.

If there is some police investigation we do have details of the way calls are routed in and out for long enough to allow some tracing of calls back through connected carriers if needed. In that respect we don't need to see withheld CLI. The police could investigate. But I assume most people would not want to involve police time on such nuisance if they can avoid it.

So, let's assume we get the withheld CLI in due course, what can we do?

Well, we have been working on ways we can provide customers with easy ways to block things. Not just blocking specific caller CLIs but ideally blocking withheld CLIs. We need some way to dial a code, or click on a CDR record, to say "block this caller" even when the end user cannot see the number being blocked. We can only really add that extra step fully when we have withheld CLIs.

But even where we have a block, I wonder what else to do - the simple answer is a message "This call is blocked", or an ACR level "This number does not accept calls where CLI is withheld, redial without withholding your CLI, usually by prefixing the call with 1470".

But do we want to offer users more choice, like "Fuck off and die in the pits of hell" as a message? Would such a message be a breach of some legislation on offensive communications? What if the communication is from a machine?

One idea was an ACR of "This number does not accept calls where CLI is withheld, redial without withholding your CLI, usually by prefixing the call with 1470, or hold to be connected if you agree to pay £5/minute to the recipient for handling this call"...

Now this would be a fun one, you'd want that on the call recording, obviously, but whilst we would not have a way to make the call expensive, the junk caller hanging on the line and being connected could be deemed to have entered in to a contract there. No need to rely on PECR or ICO or anything else, if they are a junk caller then they have agreed to pay for the call.

I can't work out a wording of "if you are a junk caller" that I can be confident would be legally enforceable. Maybe "if your call is in breach of the privacy and electronic communications regulations" on the end of that message would suffice. Then a hospital calling from withheld would be able to hold and talk without fear of a bill.

Would it put them off? Who knows! Would it make for a fun county court claim, maybe, just maybe...

Anyway, some time, A&A will no doubt have some more options for our voice customers. Watch this space.

How can we have effective laws against cold callers?

So, today, once again, we get a call (no CLI) claiming to be from "Boiler Cover UK".

The guy kept phoning, would not take no, or "fuck off", for an answer, denied he was selling something (clearly he is selling boiler cover, and indeed said so on some calls), denied breaking any regulations or laws (well, PECR for one!), and I had to threaten to call the police before he stopped calling. Though, they have called before and I bet we get more next month.

It just pisses me off in the extreme.

I'm tempted to involve the police, as it has got to the stage of criminal harassment now. But it seems a lot of work for the police, and they are pretty stretched on more serious matters really, so not really reasonable.

Sadly the PECR is basically useless, as I found from personal experience, as the only recourse you can take yourself is to sue for damages and judges are not always prepared to accept "wasting your time" as damages in any way. Yes, in theory, the ICO can fine people, but we know from experience that even when presented with tens of thousands of call recordings, each of which is a breach, they won't do anything!

We need the law to have a civil cost of like £50 for such calls minimum. That way I can sue! If everyone called by these bastards sued for £50 they would soon stop, indeed, if only a small percentage sued, they would stop.

We probably should have some extra protection such that no contract is valid if created on receipt of one of these unlawful calls. That way I could take the call, sign up for what they are selling, pay by card (so as to establish the money trail). Have the bank claw back the payment because contract unlawful, and sue for damages now we know who is actually taking the money.

That way normal people would actually see every unsolicited cold call as a means to MAKE MONEY off these scumbags, as at least some compensation for the hassle caused.

I almost wonder if the actual individual callers should be made personally liable. After all, normally, working for some criminal does not absolve you of personally committing a crime, so surely working for someone that commits acts that are unlawful under regulations like the PECR should not absolve you personally from liability resulting from that.

If people knew that working in a call centre making outgoing marketing calls risked fines and civil costs personally, they would have nobody to make the damn calls.

OK, is this post a tad ranty? Yes, I am pissed off in the extreme with this arsehole. Sorry.