Posts by Lee D

Re: Obligatory "Office 365" Joke

To be honest, I'm only running a tiny little place here (a prep school) but:

Better than 1 day of downtime a year in the last few years (in fact, I'd say about 48 hours total over those years over 4-5 incidents).

Now I'm not running any number of seriously major services, but I have websites, databases, 100's of people accessing information 24/7, remote desktops, in-house desktops, hundreds of mobile devices, email, etc. etc. etc.

The day of downtime is usually only "the power is going off" (notification from the electricity board) and it's usually a Saturday (so not at all critical).

Achieving decent uptime isn't difficult. GUARANTEEING it is incredibly difficult. I couldn't, at any point, have GUARANTEED we'd be up the next day to any serious extent. The leased lines aren't THAT reliable. The servers might well fall over. I could easily fudge the network config and take things down. Microsoft could de-activate all my servers. There's a range of things outside my reasonable control as just an IT department.

But *achieving* better rates than that isn't difficult. Does that give me place to trash-talk MS? In jest, sure. In all seriousness, no, we're in entirely different businesses with entirely different requirements.

What irks me, though, is companies complaining about 365 Exchange downtime when they don't have any other kind of backup. Is it not possible to have a local Exchange server work in collaboration with the 365 Exchange to ensure you're up even when it's down? Or to failover your MX to the secondary mail for your domain? I thought this was the first lesson in "enterprise IT", no?

Use 365/Azure, by all means. But there's nothing stopping you having backups, alternatives, failovers, secondaries etc. to keep yourself running.

Complaining that your single points of failure are down is really a show that you didn't specify the system well enough to start.

Re: GUI good

Please enable a particular feature for all users within a particular OU that are not contained in their own group and who don't have a mailbox, or find all things created after a certain date that don't begin with the word "OLD".

By the same token, random selection - like manually picking out "those people who are going to work in that building we just built", which involves moving people/computers into OU that didn't exist before - is MUCH easier done on a GUI than a CLI.

Though possible with both, it very much depends how well the interface was written and whether or not it was created with such specifics in mind.

GUI's are good for lots.

CLI's are good for lots.

Choosing one over the other as a global default is usually a mistake and always results in loss of flexibility even if - technically - one could sit there and press buttons / select boxes manually to achieve the same.

Re: How?

Because licensing costs.

I agree it's probably not the same level of performance. Trust me, I'm no Microsoft fan.

But with virtualised architecture nowadays, there's almost nothing in the way of Microsoft OS staying up long enough to allow you to do this on the same hardware. We're not talking "I put Linux on a PC", we're talking dozens of hypervisors in separate datacentres running hundreds of virtual machines. HyperV - and the High Availability clustering tools in Server 2012/2016 - are more than capable of keeping them all up, moving them around, spinning up new instances and isolating runaway processes inside them.

You want to know how you know that? Office 365. Windows Azure. Just about all the web services running on Microsoft OS.

Please stop parroting the arguments against 80's/90's Windows installs. It makes us look out of date and stupid.

Now... why does CERN and the top supercomputer not run it? Because you can't code it to optimise to get 100% out of it. You can literally alter the OS on Unix/Linux if you so desire. That's why they do it - to get every inch out of machines that are constantly at full load. Customisability. Doing things not envisioned by Microsoft with the OS. Pruning every last unwanted line of code out of it. And not paying per-core for MILLIONS of cores. That's why.

Could you do it on MS? Quite likely. It'll take a performance hit but there's no real reason you couldn't. The problem is more that it's not designed for that. There's things like HPC Server and compute-cluster versions of Windows. They don't make those just to keep them in a box at MS. People use them. And pay for them. They've been in the Top100 supercomputer lists. It's perfectly feasible and viable.

So please, stop that nonsense. Yes, if it were me, there would not be a single copy of Windows running anywhere. But to say it's not capable of the above, where Top100 has requirements LUDICROUSLY above even things like "running a national government database", is a nonsense. It's more than adequate, easy to source, easy to maintain, easy to manage etc. to do the latter task. Otherwise people who make those big-end clusters and racks full of servers would never even support it, let alone actual build, sell and use it.

To be honest, for a HMRC IT system, you could set it up today and get yourself as many 9's as you wanted, so long as you paid the price on hardware and infrastructure, not even so much the software.

"You can opt-out" is not the same, legally speaking, as "You have opted-in".

I didn't opt-in. Therefore you don't have permission.

And once GPDR comes in, it's even more explicit about this to reflect current case-law in this area.

The question really is:

At what point would Argos consider it "goodwill" to honour it, rather than have to go to court to argue the definition of reasonable if someone were to make a fuss?

I'm guessing a couple of hundred quid for a "one-off gesture of goodwill" is cheaper than admission of fault, or a court case

Re: Why change anything?

Because not only does such an instance "corrupt" the jury's opinion, it could make it difficult to find future jurors who are blissfully unaware or unaffected by previous dissemination of information (e.g. those in the jury for a retrail will have heard about the rumours that got the previous guy done for contempt when he told everyone about them).

It's about eliminating the need for charges because people don't do it, and seeing how prevalent it is and whether it *does* affect anyone / any case, rather than saying it must immediately be clamped down on more harshly than it already is.

In courts, you are a robot. You hear evidence. You are sometimes asked to DISREGARD statements. Then you have to judge as if you'd never heard them. Some people can do this (i.e. I see people's salaries all the time because I manage several IT finance / HR systems, but I cannot ever act upon that information even if I could do so privately), others can't. If people are going to be on a jury, they are deliberately (in the UK at least) random members of the public and thus from a wide range of education and vocational backgrounds, and it's not up to them to think for themselves about the case. It's not "do you think he actually did it", as some people think. It's "has the prosecution put forward a case that proves he did it beyond reasonable doubt, based solely on the evidence you've heard in this room and been told to consider". They are very different interpretations and it's hard to make juries understand that.

Removing any kind of temptation to subvert that (by punishing even the most flippant of abuses harshly) is the only way to make people say "Well, I SUPPOSE I have to find him innocent based on this evidence, even though I *know* he did it, because otherwise I'll get into trouble".

As it is, I believe that juries have their phones handed in, are isolated on long cases etc.

Re: TBH

Nope.

Colouration is fine.

The cretin is the person who didn't splash TEST SYSTEM over every dialog box and window title to ensure that no matter what colour was chosen it couldn't be confused with the live system.

I'd even put in a big scary warning when you load it up or close it down.

The user isn't at fault, as such, but not rebooting your computer because "it takes a long time "means the IT team are rubbish or the user is paranoid (reboots on my systems are on the order of 20-30 seconds and I don't do anything particularly special, and only a handful are actually SSD).

If you have colouration options, those also NEED TO BE TESTED don't forget.

But there's no reason not to have big annoying warnings everywhere to discourage you from using the testing version for anything serious.

I don't think you want to be parachuting out of a low-altitude quadcopter that's still in motion.

That's not even a Bond stunt, that's just suicide.

They need their own data to be processed in a legally-compliant country more than either.

As such their data is gone. They can still process our data if we want to let them. We can't process their data, though, without negotiating an exception, which means they can't bring their businesses over.

Every EU-owned company just got told to cut off the UK arm of their business, effectively, if they process EU data.

That's the software. That's the boring bit.

Re: Wasps

Emergency calls are another matter entirely. If *ANYTHING* technologically gets in their way, Apple have not just failed but broken the law too, most likely.

More likely: Someone broke my nose last night and now I can't call my parents. Put on your makeup and it doesn't recognise you any more. Train it to the makeup face and it doesn't recognise the un-made-up one. Change your hairstyle and it won't let you in, etc. etc. Drag queens are really going to have a hard time, or start carrying two iPhones...

Though it should have a passcode, we've basically gone back to the lock screen being as secure as a passcode. Maybe slight convenience added, but if that's at the cost of ANY security whatsoever, then it's downhill.

Then it should TAKE NO ACTION.

Until it's something capable of reasoned thought such that it could explain it's reasoning in a court of law (i.e. decades away from happening).

In your thought-experiment example, the machine has no concept of whether the 5 people who die if it does nothing are terrorists chasing the one innocent person who would die if it pulled the lever.

Whichever way around you put the lever (i.e. to squish or not squish either party/parties in the absence of further command), it cannot make that decision in a reasonable manner without contextual understanding of the implications.

Until it's capable of that reasoning, and it's proven in a court to be that capable, the MACHINE should not be left in any position where inaction will cause more harm than ANY SPECIFIC ACTION. This is why industrial controls are "fail-safe", etc.

Even then, it's a horribly contrived situation with no right answer (i.e. even a human would struggle depending on a very, very, quick split-second decision and getting the right answer, e.g squishing the cop chasing the group of muggers instead of the muggers because it's "less people dead" and a court would recognise that and hold them pretty blameless).

It's either responsible for all its own actions (in which case it gets brought before a court as an independent entity and has to find its own representation, etc. and the manufacturer won't defend it or take responsibility for it) or it's not (in which case it's a machine made by a company which gave it poor defaults and put it into a situation where it was required to think when it wasn't capable of that).

Re: Can't wait

"No one said Apple were bad at business. It's making decent tech they suck at."

Beat me to it, and is exactly my prime complaint.

However, they do suck at business too. As someone who's just ditched £250k of Apple equipment in a school as they have NO education support department, really don't care, even about written complaints of the simplest order, and refuse to confirm ANYTHING (even their name) in writing whatsoever. I was literally REFUSED details of their complaints procedure by their head of written complaints. They have no interest in future business or their customers whatsoever.

Literally, Apple sell product. That's all they do. They - and their customers - have no care for if that product is any good, or what happens after you buy their product.

A company that can make the HIGHEST PROFIT MARGIN in the industry is not one you want to do business with as a consumer. It means that most of your money is spent, not on the product or services, but on bullion sitting in a bank. Your *value* for money is pitiful with an Apple product.

They are also only the third-best-selling phone company (Samsung and Huawei now, believe it or not), worse for tablets, and have absolutely pitiful penetration in their other markets.

Nobody says they can't sell. But what they sell is snake-oil and "design" (which in this case means "looks pretty" and has NOTHING to do with actual design, i.e. ease of use, innovation, fitness for purpose etc.). Their phones are just slabs of screen, that's it. That's not "design".

Apple are a "designer brand", not a technology manufacturer. You buy because it's Apple and has the Apple logo, and receive a bog-standard product at ENORMOUS markup to show off to your friends. It's consumerism of the worst kind.

I have no objection to people buying them. I just make it clear that I have absolutely no interest in it. When it doesn't work? Yeah, take it back to the people you bought it from. They made enough on it that they can afford to replace it 20 times over for free, so I have no interest in struggling to save your photos off it, or getting you a replacement screen, or whatever. You haven't bought a computer, so don't bring it to me to fix.

And when you can't work out why all your storage is gone, or you can't install an app, or iCloud is sucking up all your data, or it gets stuck in an iTunes login loop (as happened back in Feb/Mar rendering every iPad useless for the day) remind me again how "intuitive" it is.

As far as I'm concerned, that extra money you pay Apple is a lifetime service contract with them, because I have no interest in those devices, can generally do nothing for you, and have no interest in trying any more given Apple's attitude to their users and anyone trying to help them.

Re: It is easier to automate the damn highway

We had one. It's called the train network.

Automated vehicles already operate all over parts of London (Docklands Light Railway for instance).

What we need is a massive shakeup where we basically convert roads to railways (not literally, but the same kind of idea of join the network and leave and little opportunity to go wrong while you're on it) and give people automated cars (the word 'cars' works for both scenarios) that *can* use them or not.

Massive infrastructure project, yes, but really it would put car companies out of business because nobody's car would be any different to the one next to it. Can't see it happening for political reasons, nothing to do with the infrastructure. Hell, how many billions were spent drilling a hole for HS2? You could probably repave a lane of every motorway for that price.

Re: And this is why people we have spam.

Because if everyone complained about every spam, nobody - spammers or complainers - would ever get anything done.

Also, how do you complain? Forward the text? Who to? Though there are some places that will take them (like 7726), they are not the same on each network and there is no definitive "ICO" on where you can report text spam (because they would INUNDATED IN SECONDS). And reporting to that number does NOTHING. I once got the same text weeks apart from the same number, reported as spam, no action or response.

Also, forwarding the text doesn't forward where you received it from (making it practically useless in my opinion), or whether that number was even genuine.

And, literally, nothing happens. I've reported dozens of obvious spam (i.e. my phone number just doesn't exist out there, but somehow people get it and text it with spam) and nothing happens, no response, all the companies/ombusdman involved say "Don't bother sending it to us", practically.

To be honest, 4.5% complaining seems HIGH. I imagine the rest just deleted the text. Which is fine if it's one text. But what if it's 20 from different companies? And if it's 20, how long does it take to complain about those 20?

Sorry, but although I am a champion complainer when I think I can get action on something, text spam just isn't worth my time.

Re: "El Reg on Firefox on Debian"

Shut up.

Last time they messed with it is when we got all the new-layout junk with the huge side-adverts.

Re: @Lee D Fait accompli, mate

This was precisely my intention - age of civilisation / life, not distance.

Distance is only a factor on communications, but even 100 light years is a significant barrier to communication. Would you have much to talk about with a 1900's generation if their reply won't be received until 2100? Not really.

But the tiny overlap - of the space age, compared to the entirety of life from amoeba to space age - is incredibly tiny and unlikely, especially so if you add constraints like the Drake equation (which is what people assumed I was talking about) and communication distances.

For 99.999999999% (probably more, I can't be bothered to count the 9's) of life's existence on Earth, we have been unreceptive to space-based communications. Let's not even get into "how long would life actually take to form on those planets, and would it ever be obliterated by changes in circumstance, e.g. orbit, etc.?" Just an infinitesimal amount of time for which they would be communicating at our level - i.e. between being able to communicate, and us being of any interest whatsoever to them - means it is extraordinarily unlikely that even without all the physical barriers (which may dissipate under new technologies) that we'd be around simultaneously to communicate with each other at all.

I remember being on the receiving end of a complaint from a customer that their website that I managed for them was "gone". After much digging, the FTP site was completely empty. Given that only I had the access codes, it was quite strange as I hadn't touched that customer's site in months.

They were paying 123-Reg for FTP hosting, I set it up for them and they just paid it each year, so it wasn't really much to do with me, and I had backups so recovering it wasn't a big deal. But then I obviously told the customer what happened, and they complained to 123-Reg.

I got a really stroppy call from them soon after saying that I was lying, etc. etc. etc. So after much discussion, and getting through to the only guy who actually had techy access, I got to the bottom of the problem: They couldn't tell me who logged into FTP. When. From where. What was done. What backup those files were on. No way to restore from their backups. Nothing whatsoever.

So they could not disprove my "You just trashed the storage for the account, didn't you?" assertion. And they had to concede. Especially given as they had NO WAY to even say "Ah, but you logged in just before the files were reported missing" or whatever.

Shortly after, they lost all the custom anyway, but I couldn't fathom how a major web-host hosting business FTP servers at the prices they charge could not maintain the most basic of access logs.

Re: @ LeeD

Because most of these compromises are not deep-level technical staff. They are front-users with smartphones taking screenshots or just saving everything they can see and then selling it off to make up for their minimum wage when they move from company to company every week.

But then... let's go through this.

Does your application admin need access to the live production database? No.

Does you network tech? No. Especially not if even the usual users don't.

Does your DBA? Possibly

Does you Sysadmin? Probably not. Maybe it's possible to compromise the database but he doesn't need access to the data inside database itself.

In fact, the only places where the data will appear are DB admins and live web-interfaces.

Centralise those. Make them accountable. Audit their access. And then if the ENTIRE db is compromised, you know who to go to.

Everyone else? They won't be able to compromise your entire database, only portions, and will similarly leave a very plain audit trail which can be tracked - by the portions of compromise if nothing else.

It's not about stopping the possibility entirely. It's about taking reasonable measures. And if your database keeps going wandering, and is this important and contains these kinds of details, reasonable measures are the above because you don't NEED that kind of access. It could even involve things like "watermarked data" entries where little red herring data is inserted into each user's account when they request large data (even as simple as altered capitalisation, changed spacing etc.) so that any leaks stand a good chance of pointing a finger at a particular dump by a particular user in a court of law. It's how things like map-theft is caught - by slightly misplacing a few entities that doesn't affect the usage of the map but means that you can tell if someone else just copied your map data/map directly rather than happened to collect the same information.

That nobody implements such measures, that customer support are able to give me all kinds of details about myself immediately, and that nobody is every publicly fined/caught for being the source of the leak suggest that nobody in those kinds of businesses takes data security seriously in the first place.

When there are no consequences, of course data thefts like this will happen.

Put in logs, measures, difficulties, audits,c ontrols and consequences and they'll greatly reduce, if not stop altogether.

You think WhatsApp For Business is going to work out cheaper than 3.5p per message?

If people cared about the cost, they'd just use email notifications anyway.

Re: Nominet

"Buy your personalised name.ford.self-driving domain today! Only 70 squilion dollars a year!"

Re: Obession with (free) Wi-Fi

"I wish you could add a flag to a WiFi connection to say 'connect to this, but don't allow any traffic out until the VPN is up'"

You can.

You install a proper software firewall.

You set it to treat all Wifi networks except your home as "untrusted".

Then you allow VPN out on untrusted networks.

Granted, Windows Firewall can probably do it but I haven't used that since it was implemented. Back in the day I used to use ZoneAlarm to do this, nowadays, it's more likely Comodo Internet Suite (like hell am I going to pay for a firewall).

That this ISN'T bog-standard to anyone working in IT is the real problem. I don't even care if the Wifi is encrypted - I KNOW that the VPN is encrypted, that the endpoint can only ever be my chosen endpoint, and that no compromised machines on that encrypted network can hurt me.

That people DO NOT install a software firewall on their laptop really worries me. The Wifi card is basically "plugged in" to whatever you connect to by default and you have NO hardware defence against that. I'm waiting for the day someone makes a Wifi card with built in hardware firewall on it.