* Posts by Lee D

4232 publicly visible posts • joined 14 Feb 2013

UK.gov to tech industry: Hands up who can help cut teachers' admin

Lee D Silver badge

Re: It really doesn't need the Tech Industry to help with this

Never got the justification for not having schools being 9-5, Mon-Fri, same number of weeks as the average working Joe.

Sure, make the last couple of hours nothing more than "supervised play" for the younger kids, but it gives the kids a work ethic, gives teachers predictable hours, everyone works year-round, kids can take holidays whenever and have plenty of extra time to catch back up, most parents don't have to have special arrangements to look after their kids.

The rest of your stuff has problems with it. But I never got the school year thing at all.

Probably the best thing - class your pupils by ability, not age. If you fail to progress, you used to go back and resit a year. There's no reason you can't put that in - many countries have that operating still.

P.S. if you don't assess teachers somehow, you will just generate a culture of whackball "fun" teachers who are incredibly popular but teach absolute nonsense. I know. I could name you some now, I'm related to at least one of them.

Lee D Silver badge

I work IT in schools (always have, primary to further education, state and private, 20 years experience):

Yes, almost every classroom has an interactive whiteboard, projector, PC (of some kind), sound system, etc. The cost isn't huge. About £5000 per classroom, at best? A whole school upgrade would generally be done every 4 years, on average (or 25% a year, etc.)

Now they are old-hat and being replaced with giant touchscreens. Same cost, but no separate wiring (no power + VGA/HDMI into the ceiling, no speaker cabling at all, etc.).

Laptops to the kids is still not common, but I work in a school with 1:1 iPads (i.e. an iPad or Chromebook each) - it is however a private boarding school, but it's not unusual for a state secondary (or Academy) to have such too.

I'd estimate in a school with 1000 kids you'd likely have AT LEAST 50k-100k of IT investment a year. Not including staffing/outsourcing. In-house servers, maybe, hundreds of PCs, dozens of whiteboard/touchscreens, all kinds of nice back-end storage, switching, routing, leased-lines, the works. Just for your average secondary.

Such costs are lost in the noise of any building work. Literally, error-margin afterthoughts - even with cabling costs. The IT department (as in actual techies) may well be funded to the same tune as, say, a maths department, or ICT (i.e. teaching computing) department.

Portacabins are used for a reason - planning permission is hard to come by and expensive. Temporary portacabins are cheap and don't require planning. You often can't expand school sites as you can't justify buying land or building on "school playing fields" (which have special rules in land use). That portacabin is a trick to put more pupils into a school and save you lots of money as a taxpayer. One portacabin likely costs enough to fund an IT department, by the way.

A school building project for, say, 5 permanent classrooms, might cost you upwards of a million pounds to implement. There are strict rules on making profit (even as a private school!), how much you must set aside for emergencies, what financial agreements you can get yourself into. Hence 5 classrooms - so 150 extra kids in a state school, less than 10% growth on your average state - will cost you orders of magnitude more than anything the IT costs for the whole site. It would take you 5-10 years to get the planning permission. In that time, your intake may well have increased by way more than 10%, especially if near a city. The staffing going up 10% will swamp the building costs, which would swamp the IT costs, which are likely cheaper than the "temporary" portacabin solution on its own.

And any decent school IT Manager manages their budget, tests, trials and prototypes like any IT department of a large corporation with 100+ staff would (current staffing ratios in some schools can approach 1 staff : 4 pupils if you include all the estates, maintenance, IT, HR, admin, social care, etc. staff).

P.S. The tech is HEAVY. Name another IT place where you would expect every user to log off every hour, move to the other side of the school, log on there and get teaching in less than a couple of minutes? For 1000+ users? With mobile devices, site-wide wifi, etc. Registration is electronic, medical records, assessment (including national exams), the kids and staff have VLE access (basically work-from-home remote-desktops), VPN, almost all marking, commenting, evidence, target tracking, etc. is done on school IT systems, everything from a text home because Johnny was five minutes late and is he playing truant, to site-wide CCTV, access control, remote servers and remote secondary data locations, IP telephony, etc.

The schools of old aren't comparable. The tech is necessary and integrated to everything you do. Even receiving new pupils into your database is an electronic transfer from the local authorities. And yet all the IT costs less than that portacabin, which is really a cheap-out trick because of planning laws.

And, state or private, primary or secondary, the situation is pretty much the same, only the scale of pupil numbers differs, not the ratio of tech.

My pupils and staff created 1 million Google Docs documents in the last 2 years. It cost us £0 to do that (Google Apps is free for schools). Now imagine the supporting systems to facilitate that. Microsoft licensing is my biggest single item expense, and that's charged per Full Time Teaching Employee Equivalent (i.e. if I have only 40 FTE staff, I pay for only 40 copies of Office, Windows, RDP licences, etc.).

Don't blindly knock IT in schools, because it's probably the best value IT you'll ever see and heavily used and integrated into the business. Question what use is being made of it in lessons, sure, but the IT in lessons is almost irrelevant to the overall cost of even a couple of teachers.

Top Euro court: No, you can't steal images from other websites (too bad a school had to be sued to confirm this little fact)

Lee D Silver badge

Indeed:

From Reg's own T&Cs:

"8.2 You retain all your ownership, copyright and other interests and rights in your comments but by posting any comments on our Website you grant us a non-exclusive irrevocable and royalty free worldwide licence to use, modify, alter, edit copy, reproduce, display, make compilations of and distribute such comments throughout our Website."

Literally, The Register has to make us agree to give them the right to copy our comments, or they wouldn't be able to show them to anyone else!

This text is as much subject to copyright as any work of art or fiction, whether or not I surround it with little funny symbols and warnings. All that's happened is that I've granted The Reg (and only The Reg) a right to use it. If you copied my comment to your Facebook, you broke copyright law. A technicality, maybe, but you MIGHT be able to argue "fair use" (but that's another issue entirely and works on the basis that because everything is copyright by default, fair use law carves out a tiny minor exception to allow people to take the piss out of what I say without getting sued).

Lee D Silver badge

"What if you can't find the copyright holder? Are you supposed to just not use an image in case there is a copyright?"

What if you can't find the owner of the handbag in the shopping center? Are you supposed to just not take the cash inside and spend it, in case someone happens to own it?

If you don't have permission, you don't have permission.

If you can't *GET* permission, then you still don't have permission.

If you can't find the person, even when trying, or even know who the person is to get permission, then you DEFINITELY, CATEGORICALLY, don't have permission.

And "orphaned works" laws exist, similar to how sometimes the police will let you keep lost property if you hand it in and nobody claims it. But it's not as simple as just deciding for yourself whether or not you tried hard enough to find the owner.

In this case, it's a handbag which was found in a "travel agents", who knew who the owner of the handbag was because they'd had it placed there as a promotional item, but nobody bothered to ask them, or him, before taking the handbag for themselves and even then offering the contents of the handbag out to the general public.

(Yes, let's not get into the whole "deprivation required for theft", I'm not claiming it's theft, I'm giving you an analogy, not a legal argument).

The consequences of your interpretation of the law are dangerous. Pink Floyd's Dark Side of the Moon is owned by Pink Floyd and/or their respective artists and agents, whether or not you know who drew the album art, but certainly irrespective of whether you could be bothered to phone up and find out who owned that art, or lyrics, or melody, or sheet music. You can't copy that music, any more than you can copy this guy's image, without their permission. That may be granted on an individual basis ("Hey, guys, can I copy this?"), implicit within a licence (i.e. you bought a licence for public performances or distribution which says you can make copies) or implied based on ordinary copyright law (i.e. just because you have a CD or a radio doesn't mean you can record it and put it on the Internet).

The law really isn't that difficult to comprehend, nor the reasons for its existence, no matter how slightly inconvenient it may be to just ask "Hey, guys, can I do this?", and has been in place for hundreds of years.

I can no more just assume that I can start handing out copies of the latest Terry Pratchett novel to people on street corners than I can pinch an image off Google Search and use it to do whatever I like.

Lee D Silver badge

Re: Hyperlinking OK though

Hyperlinks can be traced, tracked, pursued and shut down by the person hosting.

But "Insert Hyperlinked Image" is not the same as "show the URL of a hyperlink". The court doesn't clarify what it means there, probably deliberately.

However, there are a number of websites where when you hyperlink, if it detects an invalid "referrer" field in the URL request, it substitutes the image with a placeholder image telling you where to license from.

Hyperlinks are very different. It's a signpost. Hey, look, you can find that image over there -->

Not "This image, that I copied verbatim into my presentation, and didn't credit anyone for".
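The referrer trick described in the post above, as an added example that is not code from the original thread or from any site mentioned in it (the HTTP header is spelt "Referer"). The host names and the placeholder path are made up for illustration. Two caveats a practitioner wants: the header is set by the client, so a scraper can simply send your own site's name and this stops casual embedding rather than deliberate copying; and a request with no Referer at all has to be served normally by default, because browsers omit or strip the header (direct navigation, bookmarks, Referrer-Policy, privacy extensions) and blocking it breaks legitimate visitors.

```python
"""Referer-based hot-link protection, modelled as pure functions.

Added example; the hosts, paths and requests below are constructed.
"""
from urllib.parse import urlsplit

# Hypothetical placeholder image telling the viewer where to license the original.
PLACEHOLDER = "/static/licence-this-image.png"


def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if absent/unparseable."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer)
    except ValueError:          # e.g. malformed IPv6 literal "http://[::1"
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def host_allowed(host, allowed_hosts):
    """True if host is an allowed host or a subdomain of one.

    The comparison is on label boundaries ("." + allowed), so
    "evil-example.com" does not pass for an allow-list of "example.com".
    """
    for allowed in allowed_hosts:
        allowed = allowed.lower()
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


def choose_image(requested_path, referer, allowed_hosts, allow_blank_referer=True):
    """Decide which file to serve for an image request; returns (path, reason).

    A Referer naming a foreign site gets the placeholder.  No Referer is served
    normally unless the operator explicitly opts in to blocking it.
    """
    host = referer_host(referer)
    if host is None:
        if allow_blank_referer:
            return requested_path, "no-referer"
        return PLACEHOLDER, "no-referer-blocked"
    if host_allowed(host, allowed_hosts):
        return requested_path, "own-site"
    return PLACEHOLDER, "hotlink"


# Constructed requests: (path, Referer header as received) -> expected decision.
CONSTRUCTED_REQUESTS = [
    ("/images/photo.jpg", "https://www.example.com/gallery"),      # own page
    ("/images/photo.jpg", "https://blog.other.example/post"),      # embedded elsewhere
    ("/images/photo.jpg", None),                                   # bookmark / stripped header
    ("/images/photo.jpg", "https://evil-example.com/"),            # look-alike domain
    ("/images/photo.jpg", "https://www.example.com/"),             # spoofed by a scraper: passes
]


def run_demo(allowed_hosts=("example.com",)):
    """Apply the policy to the constructed requests and return the reasons in order."""
    return [choose_image(p, r, allowed_hosts)[1] for p, r in CONSTRUCTED_REQUESTS]


if __name__ == "__main__":
    for (path, ref), reason in zip(CONSTRUCTED_REQUESTS, run_demo()):
        print(f"{ref!s:40} -> {reason}")
```

Wiring this into a real server means reading the header from the request object; in nginx the same policy is the valid_referers directive. The last constructed request is the point of the caveat: a forged Referer is indistinguishable from a genuine one.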

Lee D Silver badge

Copyright is automatic. If you don't know whether or not you have the "right to copy" (copyright) then you don't have it.

It takes seconds for someone to crop off a copyright notice on an image and repost it, and you would be taking that to mean that the author allows and justifies that use by default and you can be held blameless for that? That's sadly not a sensible solution. Sure the guy who removed the notice is "in the wrong" but that doesn't mean that everyone who then touches that cropped image is blameless and able to use that image in perpetuity, for any purpose, for free. Try that argument with any stock library image and see how far it gets you in court, whether or not you knew it was a licensed image.

It's like saying "Nobody had nailed this wallet down, so I thought I'd just help myself to everything inside".

Like software, or books, or music, or anything else: if you do not have an explicit licence saying you are free to copy it, distribute it, use it, etc. then you aren't. That can be as simple as "Hey guys, this is freeware" up to a full EULA. But if it says nothing next to that download of "Photoshop CS FULL VERSION.torrent", it doesn't mean you're licensed to use it.

Copyright is really easy. Unless you've been given it explicitly, you don't have it. Even if you're holding the original photo in your hand, you can't necessarily take a photo of it and use that as your desktop wallpaper.

Of course you can "get away" with it for decades, there have been commercial games with stolen assets inside them. That doesn't mean that the law doesn't apply, just that it missed a particular instance. I'll give you a hint: XQuest 2 from the DOS days contains a sound file of Homer Simpson saying "Doh" when you hit a particular object. I guarantee you that it's not properly licensed. But nobody has noticed. If, however, that game was re-released today and became the Angry Birds at the top of Google Play, do you really think that Matt Groening's lawyers would just ignore it?

P.S. I create games, and every single byte is licensed and accounted for - my code, library code, audio, visual and other assets, I can trace the history of every one back to a download location and licence file and/or saved emails from the author granting permission. It takes seconds to do, and saves you an awful lot of hassle.

Hell, I licensed the avatar that I use on forums, because I came to use it everywhere as a tiny GIF many years ago and then found the origin and realised that you *cannot* download it anywhere else. So I paid a pittance for a personal, non-commercial licence.

IPv6: It's only NAT-ural that network nerds are dragging their feet...

Lee D Silver badge

Re: Mobile devices / 4G networks

I believe both 4G and DOCSIS have IPv6 support as a strict requirement.

So they do have IPv6 (in fact, Google says 25% of their searches come from IPv6 IPs, most of them mobile carriers), and your phone and network have to support it. But maybe they aren't using it "by default".

However, in the same vein, though DOCSIS specifies IPv6 as a requirement, Virgin Media still don't offer IPv6 to their customers.

Lee D Silver badge

Why are you using IP addresses in that manner?

I know precisely two IP addresses (and one mask) for my entire site.

One internal (gateway and DNS). One external. Everything else is listed in the DNS and/or literally doesn't matter so long as it's in the DHCP ranges (never make security access decisions based solely on membership of a subnet, it's trivially easy to discover the subnet and deploy a device with an unused address in that range).

Why would any outside entity need to know the IP of an internal machine that doesn't already have access to the internal DNS server?

Why would any internal entity need to know the IP of anything internal? They just query DNS.

I literally keep a spreadsheet for a single range of statics, that I manage - and I couldn't tell you what any one of them related to without checking the spreadsheet. But for sure "ping servername" will give you the IP and check it's up in one move.

The problem here is places referring to IPs, not that the format of IPs may be changing.

Honestly, if worst came to the worst and DNS died and DHCP died, I could just give any machine any address in the subnet and it would work, or deploy literally any DHCP server over that subnet and have it work. I could run that from my mobile phone today (provided I remembered to put it into the switch management as an allowed DHCP server).

Stop referring to IPs and suddenly IPv6 makes no difference to your working practice at all. What machine? OFFICEPC-0054. What gateway? The .1 of the range (or .254 or whatever you want to use). What server? SERVER1.domain.com. What UNC path? Hang them all off "storage.domain.com" using DFS or something.

That people build systems where ANYTHING other than the gateway and primary DNS (and maybe secondary DNS) is on a fixed and well-known IP-address really worries me. Everything from IP migration to server replacement, to what happens if the DHCP lease file disappears tomorrow, all kinds of issues resolved by just referring to things by name.

I literally couldn't tell you the IP of a printer, a network switch, a telephone (or even the telephony SIP master box), a PC, a server or anything off the top of my head. It literally doesn't matter. Much more important that they are on the right VLAN (e.g. telephony, printing, CCTV, access control, etc.) and know how to talk to other machines (e.g. default gateway) than anything else. I mean, there's a list somewhere for anything important, but for sure it wouldn't make an ounce of difference if I just picked any IP except gateway and DNS and just changed it to anything else because "I'd forgotten what that VM used to use". Everything would still authenticate where necessary, pick up settings allocated to it, be accessible to other machines, etc.

Lee D Silver badge

*cough*

Rights groups challenge UK cops over refusal to hand over info on IMSI catchers

Lee D Silver badge

You really need to change your network then. Are we talking top half or bottom half?

Also live "just inside the M25", and can go anywhere in the North part of London and always get 4G, indoors, outdoors, miles from the nearest town, or otherwise.

Hell, it's only giffgaff, which is an O2 backend I believe. But also a 4G Three SIM in a Huawei box that is my entire Internet connection (no landline, etc.). And I have taken that box everywhere too.

Amazon meets the incredible SHRINKING UK taxman

Lee D Silver badge

Re: Just say No to Amazon

If what they do is perfectly legal, it's NOT Amazon we need to blame. Any corporation in their position is doing the same, whether they are in the news or not, and you'd never know or make a fuss or call for a boycott.

The stupidity is that this is legal to do and it wouldn't take much at all to tax everything they do "fairly" (i.e. how we think they should be taxed, not how the legal numbers fall).

No corporation of any significant size is *EVER* going to pay more tax than they are legally required to. It's just that simple. So, if governments are complaining about a company not paying enough tax, it means THEY HAVEN'T BEEN TAXED PROPERLY. Otherwise they'd be before a court.

Literally, the solution to this last time was to change the laws of taxation so they couldn't escape VAT by using Guernsey (remember when all the Amazon DVDs came from there?), so Starbucks can't claim to be making no money because their US arm charges 100% of their profit to license their logo and name, etc.

If legal taxation isn't capturing enough revenue, it's the taxation that's at fault, not the taxpayer (which Amazon are!).

First low-frequency fast radio burst to grace our skies detected at last

Lee D Silver badge

Re: Uh, am I the only one

And to only last 2ms and never be repeated over decades, it's the universe's most inefficient radar.

These things are literally blips, probably caused by the little "spikes" that you see poking out of any non-spherical object (because it's spinning ridiculously fast), literally a beam shooting out, at random, powerful enough to reach across the cosmos (but not back in any vaguely sensible time!).

You know when you have those "two spheres meeting" graphics that look like an hourglass (because of gravity) and around the middle you have a beam at right angles just shooting out? It's that kind of thing. Something spinning stupendously fast, with a tiny narrow beam coming out of it, which only ever skirts us once by sheer chance and could spin for a billion years without actually pointing our exact way again (the angular arc required to hit Earth from that distance is incredibly tiny).

This is why they are rare, fleeting, impossible to predict, rarely repeat, and yet intense enough to notice when you go looking for them in the data.

Apple takes an axe to its App Affiliate Program

Lee D Silver badge

Re: yes, I have hundreds of Apple devices

Clarification:

I work for schools, and have for 20 years, with Mac suites, hundreds of individual pupil/staff iPads, staff iPhones, etc.

We've revoked all those devices / decisions because of the way Apple handle our business (support, complaints, legal obligations - GDPR, complaints process, acknowledging recorded-delivery letters sent to their head offices, all sorts). They have literally ZERO interest in supporting hundreds of thousands of pounds worth of Apple devices.

And though the above poster's "easy replacement" may be nice for him, you're paying through the nose for that service on the product price, with no advantage over other types of devices. Literally, for the price of a suite of Macs and appropriate service, I can get two or more suites of PCs with the same. And when they fail, I can generally fix them for minimal cost even outside of the support contract.

I've also got any number of tales of people who take their stuff back to the Apple store only to not have them be as helpful because "they didn't pay for Apple Care" (even to the point that Apple tried to wheedle their way out of providing statutory EU warranty cover if people hadn't paid for Apple Care).

If you think I'm just throwing arguments out there without them being based on real-life events, you're mistaken. Hey... find me an Apple GDPR-compliance statement that I could use in a court of law to prove I only gave my data to GDPR-compliant organisations. You won't find one, like you wouldn't find DPA-compliance statements (which Google, Microsoft, etc. all do). Sure, you see a lot on there - news stories, "GDPR" download-your-data etc. functionality, "promises" to fulfill it, "as part of our GDPR work" but what you can't get is "Are you GDPR-compliant?" in writing. Until April, their data protection statements literally carried wording to the effect "We could store your data anywhere, at any time, as necessary". That's NEVER been legal under DPA.

(There's a reason they can't do GDPR too - iCloud is nothing more than MS Azure and Amazon instances spread all over the globe, and there are Reg articles about just that).

Your golden-boy, wonder-child device is from a company that you should never do business with because despite being "the biggest" they can't do things like reply to serious legal concerns, provide a GDPR compliance statement, or provide a modicum of support to huge customers.

Lee D Silver badge

Never do business with Apple. They honestly don't care about you, from tiniest old granny through to hugest corporation.

Not just in a "heartless businessman" way, they will just screw you over when they see fit as they have "no need" for you as they demonstrate here.

It's one of the many reasons I don't deal with them any more (yes, I have hundreds of Apple devices, no, I've never once got a satisfactory answer from Apple, and most of the time they just have nobody capable of dealing with my queries at all).

As far as they are concerned, they toss a product at you and they're done. That's it.

I honestly find nothing redeeming in their designer "design" (i.e. looks pretty, works badly in practice), their product range, their services, their customer service, their business handling, their internal processes (e.g. taxation, staffing, etc.) or anything else. It's always been the same.

Literally, my policy as an IT guy for personal support (and lately, business, because they have no idea how to do business so lost us as a customer): Apple? You're on your own, mate, sorry. Take it back to your Apple geniuses who you're paying to fix all that stuff.

It's like asking my mechanic dad to repair a Tesla.

CableLabs sends its time lords to help small-cell mobile nets

Lee D Silver badge

Why does it need such tight timing? I mean, frequencies, yes, but why inter-base-station timing like that?

Surely any connected device (e.g. a dumb GSM chip) nowadays is operating in the nanosecond ranges, and there are handshakes and regular updates to the clients... so the clients aren't going to get out of sync with the base-station. And base-stations are presumably operating entirely independently and on different frequencies and handshaking to one another.

So why does one base station have to be so perfectly synchronised to the next within the microsecond ranges for what is basically a large wireless network on reserved frequencies? We don't have that for any other wireless technology that uses all the same tricks and phase-shifting and all sorts as anything that 5G will do.

"The R&D team's distinguished technologist for wireless Jennifer Andreoli-Fang said the rise of microcells poses problems for the of GPS as a synchronisation standard: .... ***and the devices are often deployed indoors where they can't see the satellites.***"

So if they're not seeing the satellites at the moment, what does 5G need them to see satellites for, and why in fact does 5G say that seeing the satellites perfectly isn't even sufficient? I'm confused. I can't imagine any signalling scenario on this kind of level where you need perfect timing synchronisation between two stations which couldn't work it out on their own as part of the signalling handshaking process and maintain it all the while they are in contact and re-handshake if recovering from a fault.

And, hell, surely 5G should just be nothing but protocols-over-IP by now? Haven't we learned yet?

I feel a plead... a plead for speed: FastMail naps amid network blunder

Lee D Silver badge

Re: nice outage

You don't need to run your own mail server (though I have done for decades, it's not that hard and pretty low maintenance once it's up).

Buy a domain with email forwarding.

Use that domain for emails.

Forward them to... whoever... Google if you like. And then when they annoy you, switch the forwarding.

Literally a few quid a year, a domain of your own, someone handles all the mail stuff, you can switch at any time, and configuration is "sign in and put your mail forwarding destination address in this box".

Hey, presto, problem solved. Even if the domain hosts give you gip, just transfer the domain out to the other million-and-one companies that have this.

I do that. But I just push the DNS for the domain to my mail server, which checks the basics (postfix + postgrey + spf checks, there are a thousand one-page tutorials on setting it up - no need for AV on mail unless you're an idiot, or you're forwarding to a private mailbox, and if you forward to something like GMail they'll check it for you anyway), and then forwards the mail to both a GMail account and an internal account that I can get via IMAP (so even if I realise Google stopped working last week... I just pick up all the missed email from that secondary account).

Honestly, it was an hour or so to rent a VPS (I actually have a dedi from Kimsufi now, ridiculously cheap), set up Postfix, and then a couple of days of casual testing (i.e. send myself an email at my different domains from work, home, friends, etc. and check they arrive as intended). That was 10 years ago last time I did that, and the config has moved through four machines (on different hosts) and never needed more than tiny tweaks (i.e. I blacklist certain emails that escaped into the wild using a Postfix virtual alias to REJECT *just* that email@mydomain.com while still forwarding anything else @mydomain.com).

I reckon you could own a domain and forward to any webmail you like (and keep that target email secret) for the price of a UK domain - what... a tenner a year? Or less.

You could run a VPS for the same price. I've seen them being £1 a month or less, and email forwarding doesn't take any resources at all.

Cache of the Titans: Let's take a closer look at Google's own two-factor security keys

Lee D Silver badge

It's also very nice.

Can I log into my Windows network with it without paying a huge per-user, per-year license?

Generally the answer is no.

2FA for web services and other things is easily done via everything from Google's own TOTP authenticator, to email, to SMS. Sure there are ways to intercept the latter but then you have bigger problems anyway.

The problem is securing access to machines just as much as access to online services, however.

2FA devices won't really take off until I have one device that logs me in at work, authenticates all my browsing, works with my bank, and does it automatically and for a seriously minimal price (and comes with a switch on it that does all the same for home). There's literally nothing stopping that happening.

(P.S. multiOTP is one project I deployed recently and has a free credential provider that can intercept normal and RDP Windows logins... but it's TOTP, HOTP, etc. and not device-dependent. Guess what... the commercial version with the device part and licensing for it costs silly money again. But if we have an open-source credential provider for Windows, there doesn't seem to be much reason to distinguish software from hardware authentication, and the irony is if you're paying money for hardware keys, you have to pay even more for the software licensing.)
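The TOTP/HOTP mechanics behind the authenticator apps and the multiOTP credential provider mentioned in the post above, as an added example that is not code from the original post, from multiOTP or from Google: RFC 4226 HOTP, RFC 6238 TOTP, the otpauth provisioning URI an authenticator app scans, and a server-side verifier with a one-step clock-skew window and replay protection. The secret is the RFC test key, so the codes can be checked against the published vectors; how per-user state (secret and last accepted step) is stored is assumed to be handled elsewhere.

```python
"""HOTP (RFC 4226), TOTP (RFC 6238) and a skew-tolerant, replay-resistant verifier.

Added example; the secret below is the RFC 4226/6238 test key, not a real credential.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

RFC_TEST_SECRET = b"12345678901234567890"   # 20-byte ASCII key from the RFC test vectors


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp, step=30, digits=6, digestmod=hashlib.sha1, t0=0):
    """TOTP: HOTP with counter = floor((T - T0) / step)."""
    return hotp(secret, (int(timestamp) - t0) // step, digits, digestmod)


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """Key URI an authenticator app enrols from (usually shown as a QR code)."""
    b32 = base64.b32encode(secret).decode("ascii")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server side of TOTP for one user.

    window=1 accepts the previous and next step as well as the current one, which
    covers ordinary clock drift.  last_accepted_counter stops a captured code from
    being used twice: a code is only valid for a step later than the last one
    accepted.  In a deployment both fields are persisted per user.
    """

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_counter = -1

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue                                   # replay of an already-used step
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):       # constant-time comparison
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(RFC_TEST_SECRET, "lee@example.org", "ExampleSchool"))
    for t in (59, 1111111109, 1111111111, 1234567890):
        print(t, totp(RFC_TEST_SECRET, t, digits=8))      # matches the RFC 6238 SHA1 table
    v = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 1111111111)
    print("first use:", v.verify(code, now=1111111111), "replay:", v.verify(code, now=1111111111))
```

The same hotp() function serves a hardware token: a counter-based (HOTP) token just needs the server to track its counter and resynchronise within a look-ahead window, so there is nothing in the algorithm that ties it to either software or hardware, which is the point the post makes.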

Sitting pretty in IPv4 land? Look, you're gonna have to talk to IPv6 at some stage

Lee D Silver badge

Re: NAT

Reverse proxies also allow access to IPv6 websites when you have no internal IPv6 whatsoever. Kind of the point of a proxy, in fact.

Lee D Silver badge

As always, it's not the technicality it's the hypocrisy.

You can't write articles that have the following quotes and keep a straight face while you're claiming that you don't need IPv6 as a priority:

---

"That this has finally happened, though, means we're being told more loudly than ever that we no longer have an excuse."

"As the world moves to IPv6, you need to support it for your internet-facing devices. Expect people using your extranet portal to insist on IPv6. Expect people with whom you establish IP tunnels over the internet to demand it too. So, you could take the unilateral decision to stick with just IPv4 on your internet-facing setup, but as the world changes it'll leave you behind."

"You therefore need to start supporting IPv6, even if your heart still belongs to IPv4."

"You still need to support IPv6 to some extent, even if you're not deliberately using it."

"but externally you have to support both IPv4 and IPv6 if you're to ensure that everyone can get at, say, your website."

"Let's imagine you have a web server, because you probably do. In our brave new world, you need to make it available to people via both IPv4 and IPv6 – because like it or not, there will soon be people out there who only do IPv6 and you increasingly need to support them."

---

Why should I tolerate an article from a group of people who write telling me what I *should* / *must* / *ought to* do, every month, for years, without fail, when a) I've already done that, b) they haven't even done it themselves!

Lee D Silver badge

*COUGH*

dig AAAA theregister.co.uk

....

Still nothing. Coming on to 8 years of me saying this now. It only took 6 years to get SSL'd, though.

And the bit about running dual-stack on everything is a nonsense. What you run internally makes absolutely no difference at all. Sort out your edge first, so you can talk modern protocols OUT. The inside bit literally doesn't matter as you'll never run out of addresses or see any IPv6 advantage on an internal network, unless you literally have 16,777,216 devices inside your network (the limit of the 10.0 ranges).

To my knowledge, there's not a single piece of software that *demands* IPv6 internally all the way to the net. However, it won't be long before websites *demand* that you access them over IPv6. So all you need is your edge/gateway/router/proxy to support IPv6 and translate / proxy accordingly (gosh, if only there was a technology that could perform Network Address Translation.... oh, no, sorry, some fools condemned all that because "IPv6 would fix it all"... all that stuff that's not actually broke...)

Think tank calls for post-Brexit national ID cards: The kids have phones so what's the difference?

Lee D Silver badge

Re: No Excuses!

I don't want ID cards.

Not because I don't want to be identified.

Because they should not be linking databases of who I rent from, where I work, what countries I go to, what local council account I use, etc.

It's unnecessary feature-creep. IDing me is fine. Absolutely. I'm required to ID myself already in all the reasonable circumstances necessary.

What's NOT right is having legal permission to join all those databases together, as the Manchester ID card trials found out. That information is there is people need to know it. Law enforcement. Anti-terrorism. But it's not automatic.

But with previous ID card trials and this suggestion, it's about linking them all together. So the local council bin-collection company knows that you went on holiday, etc. That's where it gets dumb and unnecessary and even the vaguest of links helps abuse from the very lowest independent criminal up to the highest echelons of society (hey, look, we now have a database of every voter, where they live, what they voted for, and we can target the sloppy recycling bin habits of all the opposition voters). Not saying it would happen, not for decades, but it can't happen while you don't join the databases.

You have to assume that one day we'll get a Trump/Hitler hybrid who will be able to access such information legally and use it for nefarious purposes. Currently, passport and driving licences aren't linked. Two separate offices, two separate renewals, you can't use your driving licence photo on your passport or vice-versa. When you start lumping them all into "one online account", the potential for misuse, compromise and errors in linking (i.e. you can't prove that you're NOT the paedophile that got accidentally linked to your record, because all your ID is linked) increases enormously.

Gimme an ID card.

Make it compulsory-carry.

No problem at all.

But keep it SEPARATE. And don't require people like landlords, mobile phone providers, etc. to link into that database as it's only ever going to go wrong and you'll get things like landlords checking you have no speeding convictions (I have none, I don't really care about specific circumstances, but the general principle) before renting to you.

Dixons Carphone: Yeah, so, about that hack we said hit 1.2m records? Multiply that by 8.3

Lee D Silver badge

That's basically how any Android-Pay like scheme works.

My HSBC card got "another number" when entered into Android Pay, which is hidden even from me but used whenever there's a bonk-transaction.

In theory, that code could change at will. But if you're relying on "super secret numbers" rather than "the user knows what's being done" then you have security back-to-front.

Most EU banks text you immediately for every transaction. Except for the UK arms. Who only ever do it - if you're lucky - for transactions over, say, £500 or £1000.

Early experiment in mass email ends with mad dash across office to unplug mail gateway

Lee D Silver badge

Indeed... my comment is that Exchange in particular just doesn't have that by default.

Hell, it doesn't have a lot of things by default.

Lee D Silver badge

Re: Net send

A long time ago there was no such thing as permissions. As kids we used to do this all the time. The only obstacle was not running winpopup on the destination machine (which meant the message did nothing). But if you wanted to "opt in", just run winpopup and net send would show you your incoming messages.

By default, net send was unprivileged, broadcast-wide, and anyone running winpopup would see the messages. The solution by most places was "turn off winpopup".

Lee D Silver badge

I have to say, it bothers me that email isn't still "send in batches 15 minutes after you pressed Send." The number of users who just press send without thinking... Don't even get me started on "Exchange can just revoke that email, can't it?" Not once it's left our boundaries, pal, and then it's purely an honour arrangement as to whether it actually does anything at the remote end.

And why does it need third-party software to manage a release queue? (I want "papercut for email"... email to the queue, if it's tiny and not dodgy, off it goes, otherwise the user is flagged and has to release via a secondary method to actually send it). I never worked out why Windows server doesn't just buy Papercut and put it in the OS, then steal the idea for email too.

I've never done an accidental send-to-all, even dealing with mass-mailing, but there have been a few close ones that were caught by the "No, look, let's be sensible and email a couple of internal people first and check it works as we hope".
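The "send in batches 15 minutes after you pressed Send" idea plus a release step for risky mail, written out as an added example (not code from the post, not Papercut, and not anything Exchange ships). It assumes a hypothetical policy: every message waits a delay during which the sender can recall it, and messages with many recipients, or large messages to external domains, are additionally held until someone releases them. The domain, thresholds and message contents are constructed.

```python
"""Outbound mail hold queue: delay-then-send, with a release step for risky mail."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Message:
    msg_id: str
    sender: str
    recipients: List[str]
    size_bytes: int


@dataclass
class QueueEntry:
    message: Message
    submitted_at: int
    held_reason: Optional[str] = None   # None: only delayed; otherwise needs release
    released: bool = False
    recalled: bool = False


class HoldQueue:
    """All mail waits `delay` seconds (the sender may recall it meanwhile).
    Mail that trips a policy rule is also held until a second step releases it.
    Thresholds and the internal domain are hypothetical parameters."""

    def __init__(self, internal_domain: str, delay: int = 900,
                 max_auto_recipients: int = 20, max_auto_size: int = 5_000_000):
        self.internal_domain = internal_domain.lower()
        self.delay = delay
        self.max_auto_recipients = max_auto_recipients
        self.max_auto_size = max_auto_size
        self.entries: Dict[str, QueueEntry] = {}
        self.sent: List[str] = []

    def _policy_reason(self, msg: Message) -> Optional[str]:
        """Why a message must be released by hand, or None if it may go automatically."""
        external = [r for r in msg.recipients
                    if not r.lower().endswith("@" + self.internal_domain)]
        if len(msg.recipients) > self.max_auto_recipients:
            return f"{len(msg.recipients)} recipients exceeds {self.max_auto_recipients}"
        if external and msg.size_bytes > self.max_auto_size:
            return f"{msg.size_bytes} bytes to external recipients"
        return None

    def submit(self, msg: Message, now: int) -> str:
        """Accept a message from the sender; returns 'queued' or 'held'."""
        reason = self._policy_reason(msg)
        self.entries[msg.msg_id] = QueueEntry(msg, now, reason)
        return "held" if reason else "queued"

    def recall(self, msg_id: str) -> bool:
        """Sender withdraws a message that has not yet left the queue."""
        entry = self.entries.get(msg_id)
        if entry is None:
            return False          # already delivered (or never existed): too late
        entry.recalled = True
        return True

    def release(self, msg_id: str) -> bool:
        """Second-step approval for a held message (e.g. after an out-of-band check)."""
        entry = self.entries.get(msg_id)
        if entry is None or entry.held_reason is None:
            return False
        entry.released = True
        return True

    def flush(self, now: int) -> List[str]:
        """Deliver everything whose delay has elapsed and that is neither held nor recalled."""
        delivered = []
        for msg_id, entry in list(self.entries.items()):
            if entry.recalled:
                del self.entries[msg_id]
                continue
            if now - entry.submitted_at < self.delay:
                continue
            if entry.held_reason and not entry.released:
                continue
            delivered.append(msg_id)
            self.sent.append(msg_id)
            del self.entries[msg_id]
        return delivered
```

Time is passed in explicitly (`now`) rather than read from the clock so the behaviour is deterministic and testable; in a real gateway `flush` would run from a scheduler and `release` would sit behind a separate, authenticated interface so that the release path is not the same click that sent the mail.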

FBI boss: We went to the Moon, so why can't we have crypto backdoors? – and more this week

Lee D Silver badge

Re: Eggs out of pancakes

The analogy is really simple.

He wants a single skeleton key that opens every door in the land.

Would you *give* someone a master key to your house? Would you give the police a copy of your keys? Whether or not they "only" use them when authorised to do so, and though you could justify it as "it saves police time as they'll be able to get into places when they have a search warrant without needing the owner's co-operation", it's a really, really bad idea. Because such a key's existence totally compromises everyone's security (as it will also open all the big City banks, etc.), access to that key can't be controlled if so many organisations require it, and the criminals only need see that key once to open EVERYONE'S home.

It's a really, really, really dumb idea.

Now... there might well be a way to implement it. There are a number of encryption schemes built around combinations of access keys, where you only need to hold a certain number of them to open the encryption while ordinary users still have encryption/decryption keys as normal and can't open others' messages. But their very existence is a huge chasm of potential compromise.

And exactly those people who you NEED to decrypt their communications won't ever use such a system for anything they don't want the FBI etc. to know. It's just that simple. It's like giving everyone a safe that the government can always open and then expecting criminals to put all their ill-gotten gains and bank vault plans into it. It's ridiculous.

Organisations need to accept that encryption is a double-edged sword, and a feature that you can't uninvent - you would be much better off putting all your resources into old fashioned policing and spying than trying to ensure that the criminals haven't used an encryption that's impossible to break. After all - at some point they have to decrypt those things, and that's your avenue, not mass surveillance and breaking into every machine on the planet and filtering out everyone's Facebook posts.

Literally, the signal-to-noise of what they want plummets the second that you capture ordinary people in the loop, so they're not helping anyone. This was always my argument against the "acres of datacentres" tripe. Maybe they do have those. But, guess what? All that does is make it even harder to spot what you were after compared to just tailing the guy you're interested in and putting a bug on his computer. At great expense.

Encryption is like "deception". It's a natural part of life now. And you can't just demand that criminals "never deceive you" or that you should be given the ability to always tell when they are being deceptive. We are all carrying devices that can run open code that provides military-grade encryption written by people who have nothing to do with the US government, capable of encrypting hundreds of megabytes of data a second without even flinching, to the point that the encryption is irreversible within the age of the universe with current technology. Give it up. Sure, you USED to be able to not have to deal with that. Now you can't.

If the PGP / Zimmermann suit had prevailed, you might have had some control. But any mathematician with a numerical recipes book, any decent coder, anybody with a copy of Maple or Matlab or similar can give you a maths puzzle that you can never reasonably solve without having to do more than include a library or run a function. And every member of the public has a device in their pocket that's encrypting hundreds of connections an hour.

There is no backdoor that you can reasonably use.

Ecuador's Prez talking to UK about Assange's six-year London Embassy stay – reports

Lee D Silver badge

Re: So much hostility

Please note - the public uproar over everything they discovered has been minimal.

Disgusting as it is, people don't care and thus tolerate such things. Guantanamo is STILL OPEN how many years later, and our "closest ally" is holding people without trial in a foreign country still, despite two presidential terms of promising to close the place (which doesn't fix the problem, merely stops it propagating).

Pretty much, nobody cares about anything he released - Snowden, Manning or Assange. But it got them into jail or exile for talking about it, despite Wikileaks calling itself "anonymous", "secure", "protecting its sources", etc.

Tech Shutdown Blows: IT chaos cost Brit bank TSB almost £200m

Lee D Silver badge

It doesn't say that those people KNEW they'd made a new account...

Shock Land Rover Discovery: Sellers could meddle with connected cars if not unbound

Lee D Silver badge

Re: Same applies to other vendors...

It won't be long before there's a SORN-like online process for transfer of ownership. The V5C should be an online document in this day and age, and there's no reason you can't have it tie into a Government Gateway account or similar like driving licences/passports do.

Proof of ownership is then no different to the hire-car-codes for licensing. You generate a code, give that to the organisation asking for proof of ownership, they don't get all your details but have a proof that it MUST be you it's registered to.

There's already electronic querying of finance status, write-off, insurance status, MOT status, driving licences, etc. Online car registration is just the next logical step. In fact, you can already do it: https://www.gov.uk/sold-bought-vehicle but it's the bit about proving it that needs to be added.

Their incentive? With electronic registration, no more "no logbook" / "logbook's in the post" kind of sales, hoping that the seller sent it off in time, etc. - you just do it there and then with your smartphones, from the literal second of ownership. Which means they get the right person when you go through a camera with a brand new car.

Sysadmin trained his offshore replacements, sat back, watched ex-employer's world burn

Lee D Silver badge

Re: Retired

I left a workplace under some very hostile conditions after they shock-audited me, hated that I passed with flying colours, yet failed to implement even a single detail from the audit reports that fell against them (one of which was literally "decide who should be on this IT committee" - six months later, they hadn't been arsed to even come up with a list of random names).

My systems are always documented. But documentation is NOT there to teach a random idiot how to do my job. It's there to guide an equivalent professional through the peculiarities and quirks of the system.

They got my documentation. Obviously. There's no way I would refuse that. But they wanted handover. By this point, I was well-prepared and they'd made the mistake of allowing me to accumulate so many holiday days, rolled-over holidays that I missed, days in lieu etc. that they covered my notice period perfectly. So the answer was, basically, no.

And they expected me to hand over an IT system to a guy whose only previous career was managing a BMX track. I kid you not. He was supplied with the documentation, as per their request (because nobody else understood it either!), there was a one-day "handover" (which consisted of my saying to BMX-guy: "You're going to disable all my access, remove my cards, change all the critical passwords, and then sign-off that I've done so and have no further access to the system") and then I walked.

Within a month all the senior team had left. Most of the staff had changed. Everything from the website to the access control was re-done (presumably because they just didn't know how to do anything, and I was friends with the access control guys so they still used to gossip about what was going on there after I'd left). They must have spent £50k+ replacing systems they didn't understand, or couldn't work (because they were slightly technical and had things like CLIs, and not just click-and-drag things that cost a bomb to do a worse job).

But I know that I had a book of information, that anyone with the slightest IT knowledge could have just rolled open and got everything they needed in seconds, and none of that would have been necessary. And I handed it over. And they were too dumb to realise that they'd lost more money replacing me with BMX guy that they also have to pay than if they'd just kept me on and made even a token gesture towards compliance with their own (£10k!) audit.

It's a really expensive way to lose an employee of many years. And five people sued them for unfair dismissal that year. And they were investigated by government departments because of multiple whistleblowers.

Lee D Silver badge

Re: One move and we shoot

As someone pointed out above:

Being asked to train your replacements isn't compatible with "being made redundant". You're redundant if the role substantially changes or no longer exists. Not if they just decided they'd like someone else to do it. That you're being asked to document or train people in how to do your entire job probably means your role isn't redundant.

No different to saying "Hey, John, get out, I found a kid who can do your job for £10 less". Sure, you can do that. But you can't just do it blindly and unquestioningly and without attracting a LOT of unwanted attention on your HR processes.

"Insubordination" doesn't cover "I object, and I've voiced my objections, and I believe others around me will voice theirs, and by the way general feeling in this company is against these plans".

HR are not the sole determination of what's right and wrong, no matter what they might think.

Lee D Silver badge

Re: Logic bombs are unprofessional

Sorry, but that you were using your own personal licence to run business functions reflects worse on you, but reflects badly on them whether or not they throw you out.

My first question would be: Who audited licences, was it included in the licence list, and why did nobody notice that the company hadn't paid for it?

And, no, I wouldn't have let you "uninstall" it, either. I'd have just disconnected and/or wiped the machine. If you don't understand why, you've probably never had to sack someone.

HPE supercomputer is still crunching numbers in space after 340 days

Lee D Silver badge

Re: "SSDs fail at an alarming rate in space"

Nonsense.

Hard drives, even with the best SMART monitoring in the world, fail unpredictably a large portion of the time. Any large hard drive survey will show you that.

And sometimes they fail so quickly even WITH SMART monitoring that you don't stand a chance of being able to do anything about it.

Reporting bad-sectors may be a symptom of imminent failure, but only so far as coughing up your lungs is a symptom of death. There are many other ways to die without doing that.

Lee D Silver badge

Re: "SSDs fail at an alarming rate in space"

Counterpoint:

Since replacing most desktops' WD Blues with the cheapest-shite Crucial 128GB SSDs, I've not had a single drive failure over 200+ machines in over 2 years, compared to several a year.

If you compare versus Seagate, including server-grade SAS drives, I literally got a failure a week on those after 6 months in deployment.

Your (or my) anecdotal evidence means nothing compared to someone like that cloud-storage firm who publish annual failure numbers across millions of drives.

I can name 4 private individuals whose hard drives crashed unrecoverably in the last year. I can't name one SSD anyway - in fact I've never seen an SSD fail, and I have a Samsung 850 EVO in my laptop for... 4 years?

P.S. All the SSDs I use do not experience any special treatment. I don't change a single software option (they were seen as a sacrificial in-production test where easy replacements - the original hard drives - were to hand any time I need them), no special write-caching, no disabling of swap, nothing... just a straight clone of the existing (sometimes years-old) image of Windows.

I'm not saying they're infallible. But in real-world, heavy user use, and worst-case configurations, where I expect them to fail... not one has so far.

2FA? We've heard of it: White hats weirded out by lack of account security in enterprise

Lee D Silver badge

Re: SMB

How would you get there without a) a RADIUS-authorised network port / computer, b) running network health reporting where Windows has to certify that it's online and clean and policy-compliant, c) your users would then have to log in via 2FA, d) only such users would be on that VLAN, able to talk to that server, etc.?

SMB is largely an exposed protocol. You don't 2FA that, you can't, not securely at all. You secure access TO the network that would allow you to see it. It's like asking whether WSUS requires 2FA... it shouldn't be exposed to people who aren't already authenticated properly.

P.S. multiOTP is a RADIUS server. Configured right your machines could use it for network access and you'd be stuck on an unprivileged VLAN without it.

But in reality for most setups, the 2FA here is "you're physically connected to the internal network and/or you've logged in over the VPN". Not "does SMB support OTP?".

Lee D Silver badge

Seeing as I just did this at my place, yes cost does come up. 2FA on Windows login is - indeed - stupendously expensive.

We rolled out multiOTP on all RDP remote desktops (with the multiOTP "credential provider" in Windows). Takes a bit of fiddling but free and compatible with Google Authenticator. There's LDAP integration and a Hyper-V test image if you want to give it a whirl, or it can run on any Windows server. Works for RDP on standalone machines (if you want to use it at home), not just terminal servers (with central querying and offline caching).

By default it only applies it to RDP logins on the machines you install it on. But it can also block ordinary logins and demand TOTP keys just the same, so test with RDP and if it works like you want, roll it out for all desktop logins. And it can also function as a RADIUS server which gives you a lot more scope for usage.

Wordpress we have deployed a 2FA login for.

I'm slowly working down to Exchange OWA and basic-website-wrapping (it's possible but it's a faff involving reverse proxies and splash screens). If anyone knows a good free solution for either, that doesn't involve that Microsoft Forefront thing, or emailed tokens (pointless for securing webmail!) then let me know!

At the moment looking at Apache wrapped in a module that pushes unknown users to a form, which can be used to query multiOTP but it's a bit of a hack.

Google Chrome: HTTPS or bust. Insecure HTTP D-Day is tomorrow, folks

Lee D Silver badge

Re: stuck on HTTP

Any website without TLS can have its content modified on the fly by any entity in the path of the request/response.

Thus any website could have malicious javascript (coin miners, etc.) inserted into it, which the website or visitor wouldn't be able to detect, and the ISP could change adverts to their own, add tracking code (actual real-life cases, impacting your security and privacy, as well as the funding stream of the websites you visit, etc. etc. etc.), and all kinds of other issues - even something in your router (as per recent firmware problems with some routers allowing compromise by "redirecting" your web traffic).

HTTPS is a good thing. Just not sure about "by default". Technically, it's insecure. Yep. Absolutely 100% correct, so there's no problem highlighting that. The problem will come when it becomes difficult to say "Yes, I bloody know that's an insecure website for the billionth time, shut up already".

Lee D Silver badge

Re: It's funny to see that now...

"to a point where some countries and companies MITM every connection,"

They can only do that if you have physical access to the machines at either end, that's kind of the point of encryption. Commercial MITM requires you to trust a certificate that you would not encounter in the wild and would not be trusted by default in your browser.

Governments may be different but, pretty much, they can demand you just send them the data, they don't have to decrypt it - but to decrypt it requires the end-point's co-operation. You can't sniff a connection to Facebook from a Chinese PC without Facebook or the browser manufacturer being complicit - and you can't "break" it by using other certs without cert-pinning going ape and warning the user.

However, that said, working in a school I have a *legal requirement* to monitor every web access. Thus I have no option but to MITM every connection with an internal cert, and denying anything that doesn't present or tries to bypass that cert.

Unfortunately, it's just not as simple as "just work out what pages the user is looking at that they shouldn't" any more.

And that's just a UK school. Imagine what some of the big companies that deal with industrial espionage, military projects, etc. have to do to comply with what they need to.

As Corning unveils its latest Gorilla Glass, we ask: What happened to sapphire mobe screens?

Lee D Silver badge

Re: You are already getting what you want

An aftermarket case on a fragile object is in no way comparable to an object designed not to be fragile.

That's like saying "Hey, just wrap your car in bubble wrap because we forgot to bother with the bumpers".

Lee D Silver badge

Recess the screen. All this "fragile screen on top" nonsense has to stop. Even the Gameboy recessed the actual vulnerable screen and then put a clear-glass fake screen over the top. You look at every big-name portable device of long-ago... the Psions and so on. The screens are all recessed and bevelled. There's a reason for that... it makes more sense than this nonsense.

I would gladly pay more for a screen that's literally a flat-square piece of glass (thus cheap and easy to replace) recessed inside a plastic shell with rounded corners. As it is, I end up buying plastic cases that replicate just that scenario with the ridiculous "edge-to-edge" screens where the slightest impact destroys the screen and the surround can literally never be allowed to warp (I have 270+ iPads in front of me... all of the ones that are damaged, the aluminium casing has been whacked in shattering the glass and making it nigh-on impossible to repair... a simple rubber edge between would have saved them all except the ones that people literally trod on).

Windows Server 2019 tweaked to stop it getting clock-blocked

Lee D Silver badge

Re: 1 second

Think also of OTP tokens and things like that.

Don't account for leap seconds and in a couple of years time you are 30+ seconds out which means that no TOTP system (like Google Authenticator, banking apps, etc.) will generate the right codes if they are using different clocks that do (e.g. in a smartphone).

Leap seconds aren't that hard, and assuming everything from "I'll just count the seconds and divide by 365" is as blinkered as these kinds of omissions. If you're designing a major operating system designed to do everything from trade stocks to secure servers to integrate on a mass scale, date and time is very important to get right and there are enough gotchas that you already have to design around it, rather than bodge it in later.

UNIX started off on the right idea ("Store the number of microseconds that have elapsed since midnight 1/1/1970" and then account for all changes in the way that you DISPLAY them, taking into account things like leap-seconds, time-zones, historical changes, etc. (i.e. convert to day, month, year, hour, etc.), not the way that you handle the number itself, which has little relation to real-time, but you can just increment it once a microsecond and have something else handle the logic of what that second was actually called - e.g. 01:59:59 or 01:59:60 or 02:00:00 etc. - when necessary).

Trouble is that it means keeping an accurate historical and future list of every change (and mistake?) made in those interpretations, for every timezone on the planet, etc. That's why you always just pull in date and time conversion functions and the "tz" packages, and NEVER try to fudge your own even if you think you know everything.
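The TOTP point in this post and in the earlier multiOTP / Google Authenticator post, worked through as an added example (not code from either post, and not multiOTP's implementation): RFC 4226 HOTP and RFC 6238 TOTP over HMAC-SHA1, a validator that accepts one step either side to absorb small clock skew, and a check that shows a 30-second clock error already pushes the token into the neighbouring step while a 60-second error fails even with that tolerance. The secret is the RFC test-vector secret; the timestamp used for the skew demonstration and the `skew_outcome` helper are constructed for this example.

```python
"""TOTP (RFC 6238) generation and verification, with a clock-skew window."""
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret; used here only as a known test vector.
RFC_SECRET = b"12345678901234567890"


def decode_base32_secret(text: str) -> bytes:
    """Decode a Google Authenticator style base32 secret (tolerates spaces and missing '=')."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch.
    Both sides must agree on the clock; a drift of one step changes the counter."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and up to `window` steps either side.
    Uses a constant-time comparison; skew beyond the window is rejected."""
    for delta in range(-window, window + 1):
        candidate = totp(secret, unix_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def skew_outcome(secret: bytes, device_time: int, server_skew: int, window: int = 1) -> bool:
    """Hypothetical helper: does a code generated on a correctly-set device at
    device_time verify on a server whose clock is server_skew seconds off?"""
    code = totp(secret, device_time)
    return verify_totp(secret, code, device_time + server_skew, window=window)


if __name__ == "__main__":
    t = 1111111100  # constructed timestamp: 20 s into a 30 s step
    print("device code:", totp(RFC_SECRET, t))
    for skew in (0, 30, 60):
        print(f"server clock {skew:+d}s, window=1 ->", skew_outcome(RFC_SECRET, t, skew))
```

The window is the only thing standing between a slightly wrong server clock and every user's code being rejected; a server that has drifted by more than one step (here, 60 seconds) fails for everyone at once, which is why NTP on the validator matters more than any setting in the authenticator app.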

British Airways' latest Total Inability To Support Upwardness of Planes* caused by Amadeus system outage

Lee D Silver badge

Re: Why???

You'd also think that a place as big as Heathrow would be able to have a secondary air traffic unit on the other side of the airfield that could be used if, say, a fire alarm went off in one of them.

Fork it! Google fined €4.34bn over Android, has 90 days to behave

Lee D Silver badge

Re: You can't fork Android

And probably always will be.

I don't think this case will change that, no different to expecting Steam to open up their source code.

What they are arguing is that you can't FORCE people to use Google Play in order to use Android.

Lee D Silver badge

"the requirement to preinstall Google Search and Chrome"

- Yep, no need to force this on people. However, can we please learn that you need to be able to REMOVE THE JUNK THAT THEY PREINSTALL. Whoever "they" are. This will mean a lot of "Samsung Internet Browsers" being installed, fine, activated by default, fine, but it will also mean that they'll make it a pain in the butt (or even impossible) to remove them and JUST have Chrome even if that's what the user wants.

"payments to phone makers to make Google Search the default"

- Not sure how this hurts, as such, as surely other people could pay those makers to be the default? So long as it's changeable? Is this any different to Apple being paid to direct people to Google? That could hurt if that went to court based on this case.

"and restrictions on creating "forks" of Android."

- Yep, no need for this, they just can't call it an Android phone etc.

Samsung’s new phone-as-desktop is slick, fast and ready for splash-down ... somewhere

Lee D Silver badge

Re: ...however!

Mini projectors are cheap.

Lee D Silver badge

Developers?

And Dex isn't just about Android, is it?

https://www.theregister.co.uk/2017/11/10/linux_on_galaxy_video_demo/

Ubuntu and Eclipse. That could be perfect for a developer, web designer, etc. on the move as well as one who needs to test their results on mobile.

And the price is reasonable, much more than I would expect to be honest, but I can't afford the Samsung phone to go with it, so maybe that's why.

But I think I'd quite happily consider running Ubuntu off my phone as an emergency/portable desktop, if I was a salesman, developer, IT contractor, etc. Much more so than an iPad. Hell, I'd do it and just keep the Dex bit on me for the "just-in-case" of needing a laptop and not having one, or a presentation (plug phone into Dex into HDMI projector). You can also get a mini-projector for peanuts nowadays. You could have a full Linux desktop setup on an airplane seat with things that you can slip into your pocket.

It seems to me to have a lot of uses, it's just a shame that the phones to do it are so expensive (and even my old S4 Mini / S5 Mini could probably be a serviceable desktop with the right OS).

Microsoft to pay new bounties for identity services holes

Lee D Silver badge

I don't think there's much of anything like Banyan Vines left in AD, Samba would have found it by now if there was, I should imagine. Whether in inter-compatibility testing, or legacy protocols that they try to support, or anything else.

And given that Samba can be a full AD domain controller, I reckon they'd have stumbled across / recommended against any such code.

Hell, to be honest, SMBv1 and v2 are already dead BECAUSE they're so insecure. That's how those worms of a few years ago propagated and even that was seen as "Why the hell does the NHS have that option enabled any more anyway?"

The crowd roars and Ruckus joins in with 802.11ax kit

Lee D Silver badge

Which is like not sending a response packet to a DoS.

They've still used up the airwaves, fought with existing clients, and spoken over them to request anything. Sure, you're not propagating that situation but without protocol changes there's no way to say "shut up and don't ask again" or isolate such requests from the parts that actual data-transferring clients are using.

Additionally, what you're doing then is ignoring random "who's there" probes, which is going to affect auto-join of all kinds (remember - the clients are dumb and may just be trying to connect to favoured network while connected to an unfavoured one, which they can't because you ignore their probes).

At best this is a minor tweak, that will impact legacy clients (maybe in protocol-breaking ways?) and not actually help all that much (e.g. if you have even 11Mbps clients, the probes are an incredibly TINY fraction of the data that they would transmit just to stay online once connected, and mostly passive - SSIDs are broadcast quite openly and clients pick up, they don't really transmit until you join - this is how the WEP-cracking tools of old worked, they could determine the SSID and WEP key without broadcasting a single byte of data over the airwaves. It's the "thousands of clients" bit that's the problem, and ignoring a portion of them still doesn't make it any better - they're old so they're likely to re-transmit more often to get an answer!).

This is hype at best. If you are so congested that you can't fit in a client scanning for SSIDs it might want to join, then you don't stand a chance of transmitting any kind of useful data to any connected client anyway.

10,000 clients sensing networks at even 11Mbps (i.e. taking up the most chunk of spectrum, while also taking the greatest portion of their allocated data to do so) is literally lost in the noise.

The problem comes not from the responses given, but the sheer "waiting time" for the airwaves to be clear before it's safe to broadcast any kind of request at all, and that's determined by the protocol of the client, not the AP.

Lee D Silver badge

That's all very nice but surely it requires everyone to be using 802.11ax on the client end too. As always, you still have to deal with legacy clients in legacy fashions, and as most things dial down to legacy connections when they get weak signal or bad responses, 99% of "heavy traffic" management is surely just dealing with the DoS from legacy clients.

And surely here one of the flaws is using the same channel for data as we do for client-querying. All those thousands of devices saying "What are you offering?" constantly shouldn't be interfering with a client that's already joined the network and is passing data, surely?

You wanna be an alpha... tester of The Register's redesign? Step this way

Lee D Silver badge

You've got time to pee about like that, but:

- No IPv6 still.

- You still can't link my old posts under previous usernames (but same id!) to the badge/stats

- I can't search through my own (or another user's) comments to find a particular thing I posted.