2021-08-29

Solar System goes live

As I have said, I have been working on a number of boards as part of a project that provides access control and alarm functions in a modular way: https://github.com/revk/SolarSystem

I have test systems on my bench, and I now have a small system at home. It is all working well and has helped me iron out some of the bugs.

But this week is the first proper system with 28 live WiFi nodes, meshed, and linked to the back-end cloud control. Scary stuff. It has bell boxes, keypads, PIRs, reed switches on doors, fire alarm inputs, even a panic button in a disabled toilet. Importantly it has a lot of doors. The design is pretty robust, and the whole project is all open source.

My case is packed, and boxes of tools and parts are all ready. It was a lot of work making all the modules. A lot of time with a steady hand with tweezers. I even have half a dozen spares, just in case.

So the night before I head off to start the install, I have imposter syndrome kicking in. How did I think I could possibly design and make a complete access control and alarm system from scratch (PCBs and s/w)? Well, seriously, I need to give myself a kick - I have been doing this shit long enough to know this is bullshit. It will be fine.

Assuming all is well (and I know there will be teething problems, bugs, and features, all of which will need addressing), my next big challenge is whether I can progress this in to a proper product to sell. At the very least, to make the modules (as pictured above) something we can legally sell.

In the mean time, other hackspaces that are interested, do get in touch, and I can help you set up such a system.

2021-08-28

NHS covid pass

I decided to check how I get an NHS COVID19 pass / QR code.

Update: Thanks to all that pointed out the couple of subtle clues on how to get an NHS login, which I missed initially.

I googled, and it seems you can ask for a letter or get it digitally, cool. But you need an "NHS login".

Well, I don't know what an NHS login is, but there is this helpful site, https://help.login.nhs.uk which tells you all about it. Nice.

This looks comprehensive. But I don't have an "NHS login", so let's try the "How to set up [an] NHS login"... https://help.login.nhs.uk/setupnhslogin/


OK, we have "What is NHS login" and "What you need to set up an NHS login" (yes, an "an" this time). There are other pages with more information on how to prove who you are, etc. There is the "Where can you use NHS login". OK, good.

Update: For those saying "just use the NHS app", I'm in Wales now, and it does not work!

Update: Oooh, it says clicking the button lets you create a login there, missed that the first time, but the the actual login page does not say that.

But call me thick, and maybe I am being blind here, but where is the "Register for an NHS login" or "Create an NHS login" link or "how to" on that? I looked around and cannot find it. It does not seem to actually tell you "How to set up NHS login" at all, missing that one crucial step of how you start the process!

I kept looking and I found the NHS COVID pass page, https://covid-status.service.nhsx.nhs.uk which has a login link.

Nothing about registering or creating an NHS login on there either. What am I missing.

Well, on a whim, I clicked on the "Continue with NHS login" link, even though I don't have one. Is continuing with NHS login when I don't have one "hacking"? A breach of The Computer Misuse Act 1990 maybe? You then get a login page...

Well, I don't have an "NHS login". What I did not spot initially was the "If you do not have an NHS login" bit. This seems to be the first clue that maybe I can make one if I enter my email address anyway. Why is this hidden away behind a "Continue with NHS login" link?

So now I get the option to "Set up a new NHS login". This is what I had been looking for all along. How the hell is this not on the the help site, or, well, anywhere before you actually try and "login"?

Update: One page for COVID19 Pass does say "You will need an NHS login to use these services. You'll be asked to create one if you do not have an NHS login already" but the page you then go to does not say that, just "continue with NHS login".

Anyway, I continued to create an NHS login. You go on through a few info pages, and create a password, and then this error...

Well, that is helpful. Giving that the previous page was password selection, and I used the browsers password manager to make a "secure" password, I naturally assume it is as password issue. So I try entering a password manually. I tried several passwords, simpler and simpler, and no joy. It simply would not work.

Then, on a whim, I tried a different email address. Just to be clear, that first page does do some validation on email addresses, e.g. ...

So I really had no reason to expect that it was unhappy with my valid email address. But indeed, using a different email address, it actually allowed me to proceed beyond the password set up. I have emailed them asking that they correct my email address, obviously.

When it came to mobile checking, I decided to use an 07 number, rather than trying 01 number, as clearly it is a stupid web site.

The domestic (48 hour!) QR code does not need any more than name, DOB, NHS number. The other longer pass needs ID image and a video and I'm waiting for that to be confirmed now. However, having seen someone else's, I note that the document says this...

OK, so it has an expiry, but how exactly does that expiry "protect you data privacy". The barcode does not fade after 30 days. The "data" is still in the expired barcode, and can still be read. So how exactly does the expiry protection anything - how does it do any more than cause inconvenience for the user?

Indeed, I am told if you request a COVID letter, there is no expiry - so do they not care about your data privacy when sending a letter, or was that just a lie? Having an expiry actually makes "data privacy" worse - if you printed the QR code, you will have to dispose of that securely somehow every time it expires. Why not just be honest?

And finally... The Welsh site https://gov.wales/nhs-covid-pass-prove-your-vaccination-status says :-

But the "domestic" QR code it gives you says ...

So how do I get a QR code valid in Wales?

2021-08-05

Review how emergency services handle location data from the public.

I found an interesting web site which does rather highlight some of the issues with what 3 words, w3w.me.ss. Well worth a look.

Sign the petition!

Whilst it is a fun application, a novelty, I personally do not feel it has any place being promoted by emergency services. And this post is my honestly held personal opinion, as always.

If they want to "handle" w3w addresses from the public, that may make some sense, as it is popular. If the app if given to them free of charge (as seems to be the case), and if they take any w3w address with some caution, checking the location by other means if possible, then yes, fine.

But reports on social media (including from people I personally know) suggest that w3w is not just "promoted" by emergency services but actively preferred to the extent that call handles will refuse to take simple o/s grid references and insist on a w3w address. For one recent case, the police force in question confirmed that they should have taken an o/s grid reference. But in practice this seems not to be the case.

What seems worse is stories of people being talked through downloading the app on an emergency call. This is quite incomprehensible. Even if you want a w3w address for some reason, it is far quicker to send someone to the w3w web page (what3words.com) which shows your location. The only possible reason to download the app is so the user has the app on their phone. It is a purely marketing activity, as someone is more likely to use w3w if they have the app. Do we really want emergency services actively engaged in time consuming marketing activity for third party closed commercial apps, during an emergency call?

As I say, much of this is anecdotal, but social media is full of this, as highlighted by w3w.me.ss.

What is especially odd is that w3w's own terms and conditions are not consistent with use in an emergency. They expect you to read, understand, and agree many thousands of words before use, and expect you to check the terms before every use. This is not sensible for the caller, and the emergency call handling staff, to do in an emergency situation where time is critical. Also, the terms prohibit use where it could lead to someone dying, which is often the case in an emergency. Given these clear terms, it makes no sense emergency services would even be considering w3w usage, let alone promoting it. It is almost as if they did no checks at all on how it works or even just reading the terms.

There are ways to get location from callers, not just (long standing, open standard) alternatives like o/s grid references or even simple latitude/longitude, but means that don't involve any reading out, like SARLOC or AML. These should be available to emergency services. Even if there is need for a caller to give a different location, knowing where the caller is puts that in context and helps eliminate errors, whatever format is used.

So, in order to try and address this, I have made a petition. It calls for "Review how emergency services handle location data from the public." which I think is fair.

Sign here! And do share the link to get some traction, if you agree this needs reviewing. Of course, if you feel strongly enough, it is also worth contacting your MP over this.