Posts by Lee D

4251 publicly visible posts • joined 14 Feb 2013

Machine-learning boffins 'summon demons' in AI to find exploitable bugs

Lee D Silver badge

The biggest problem with any kind of ML or AI. Unverifiability.

The reason we used machines in the first place was to give us answers we were certain were correct, not subject to human error or interpretation or carelessness or exhaustion. Elimination of errors past the problem-input phase means that we can use computers for mathematical proofs, even, which is the highest rigour of application.

But ML or AI (which STILL DOESN'T EXIST) - we have absolutely no idea how it arrived at the answer, if the answer is correct (without verifying it against some other more rigorous system), or whether the answer will still be correct once we plug in different starting conditions or change the problem slightly. We are literally clueless.

So when it comes to security, and saying what happens when people deliberately put in invalid, out-of-bounds, taxing inputs into the same systems, and expecting to be able to predict or bound the results, we stand absolutely no chance.

Things like ML have a place, but that place is in providing an answer that you can accept is sometimes incorrect. It's almost a form of analogue computing or fuzzy logic. Their place isn't in anything you care about, anything important, anything where inputs are untested and unbounded, or anything that you can't allow to go wrong or which you might need to "tweak" later to account for such.

Great for the Kinect guessing whether you've made your dance move right or not. But now consider how to view Tesla's Autopilot and similar systems.

Training anything - dog, cat, AI - on input alone and then "certifying" them for a particular job after a lot of input is ridiculous. Because when they hit unexpected input (which, by definition, is anything you haven't trained them on), their actions are unpredictable. It's why a vast chunk of most modern programs is nothing more than checking inputs, handling exceptions and overflows, and bailing out if things aren't as you expected.

When you start looking at security, that chunk gets bigger and bigger and bigger and even the humans make mistakes because they DIDN'T SEE an attack vector when the program was written. AI isn't going to change that, it's just going to make it worse by being unpatchable (because we don't understand what it's actually doing, and certainly can't change JUST that bit of their behaviour) and unpredictable even if it appears to pass all the tests.

There is literally nothing to stop a ML or AI agent from suddenly throwing out a completely random answer purely because the input wasn't in its training, or wasn't in the same kind of pattern as in its training.

Chevy Bolt electric car came alive, reversed into my workbench, says stunned bloke

Lee D Silver badge

No parking brake on?

Your own stupid fault, pay your insurance claim fee and lose your no claims discount.

Why the hell do you think parking brakes exist? There's a clue in the title.

If nothing else, if some prat does hit your car, on that perfectly level road that "doesn't need a parking brake", in gear it stands a 50/50 chance of continuing to roll in the direction of the collision and doing more damage to other vehicles / pedestrians and good luck explaining to those unlucky owners why you shouldn't have to pay part of their damages.

And don't give me rubbish about corroding or frozen cables. Cars the world over have parking brakes. They will corrode or freeze no more than any other component. If you're worried about it, check them occasionally by maintaining your car properly.

All the cool kids are doing it – BT hikes broadband and TV bills

Lee D Silver badge

Re: Where are Offcom?

"So what are the alternatives for a household like mine who use the internet and the TV? Could go to Sky, but I'm lining Murdoch's pockets then and I have no intention of doing that. Could go to Virgin Media, but I've never known them to provide a good standard of service. The alternative is to ditch the TV - which is glorified Freeview - but the partner likes watching Friends on Comedy Central."

Sky provision over BT lines, how long before they raise prices?

Virgin are excellent in some areas (I've never had a problem with them), but the problem is they are raising prices too.

Friends? Buy a DVD boxset.

I've done without TV for many years in the past. I only watch it now because it's "free" as part of my VM package.

I've not used my landline (also VM) in years. Again, came for free with the Internet connection which is the only bit I actually want.

The Internet lets me put phones on there if I ever really need them (I actually have a router with an analogue phone port capable of SIPing any phone calls it makes). I don't. Mobiles, Skype, WhatsApp.

The problem is that they are upping basic broadband prices. That's unavoidable.

To be honest, however, I can't see why I'd be bothered with anything more than their basic speed packages. Hell, I probably use more data on my phone than I do on my home connection, and I've streamed entire series on both.

I don't get why TV / analogue phones still exist, and I don't get why - if you have Internet that does them all - they come bundled with it. Gimme a cheaper, IP-only connection and lose the extra cost of infrastructure.

To be honest, nowadays, I don't get why I'd even need one of these stupendously-fast connections. Download and watch offline is an option on just about everything (I have Amazon Prime, Google Play Movies, BBC iPlayer, etc.), and with proper QoS you could happily carry on and web-browse while it's downloading.

It's literally only peak-bandwidth that matters, and that's for convenience for your users (family) rather than for actual need.

If it's too much, ditch the phone, the TV and lots of other things and downgrade the connection to some basic number.

IT team sent dirt file to Police as they all bailed from abusive workplace

Lee D Silver badge

Mike is a prat.

He suffered years of abuse when he should have just left.

He also thought that destroying client-base is an acceptable and professional solution to the problem.

Alongside that, the reason the police did not act is "fruit of the poisoned tree", making all those offences unprosecutable forever. He knew, tolerated, and accepted the practice right up until it actually was something he wanted to reveal to exact revenge.

Sending stuff to religious clients? What are you, some kind of child? Submitting that thing to people who didn't ask for it is an offence in itself, and you're lucky you're not before a court for that.

I've done any amount of "Oh, by the way, I'm leaving" self-satisfying exits; if you're going to do it, do it in style, not like this. I've reported employers to authorities, and actually got them into big trouble by RECORDING, REPORTING and being REASONABLE and still winning. I'm by no means a pushover, but petty revenge as described here feels good for about 10 seconds until everyone involved writes you off as an idiot who's wasted the opportunity to cause any real damage.

Hey, Mike, have you told your current employer that you aired your previous employer's dirty laundry to all their clients because you were pissed at them? If not, why not?

Windows 10 networking bug derails Microsoft's own IPv6 rollout

Lee D Silver badge

Re: "but Android doesn't support that"

IPv6 has been "supported" for a long time before Microsoft bothered to do this kind of test.

Microsoft posts death notices for Windows 7 sysadmin certifications

Lee D Silver badge

Re: Perspective.

I have had a career in IT for 17 years and don't have a single certification.

It's been offered. It's been offered for free. I've even had a couple (not many) employers / clients ask if I have them. Not one has cared that I don't. Many have actually liked that I don't, which I find really odd in the grand scheme of things. I've even refused, especially when their idea of a cert is basically nothing more than what I do every single working day of my life. It's almost insulting, and certainly a complete waste of their money.

What I've got is a degree in Maths with a small Computer Science element. And word-of-mouth that I can do just about anything, and will tell you if I can't, or if I would need to research it first. And 17 years of people you can ring up and ask about that. And the ability to learn REALLY fast, and not just by copying some online tutorial by rote but actual independent thought about the design, the interactions and unintended consequences and how the system should operate.

What I've discovered is that there are actually employers out there who have hired all the guys with certifications, big fancy titles like "consultant" (which is a word I avoided even when I was "consulted" by clients), and all the spiel and then found out that such people know how to fix certain things, usually selling their stuff at the same time, and then disappear off the face of the earth or make other things worse when they reach their boundaries.

I've actually specialised as a "fixer" for much of my career - where all those guys with certifications coming out of their backside messed up big-time, or stagnated once they hit the limit of their knowledge, and they want someone to come in and clean it up, put it back on track, say what they should be doing (my current place, they had NO virtualisation as the guy didn't even know what it was, no serious network management, no separation of tasks between servers, no storage management, no failover, etc.), get it ticking over nicely and not have to worry about the IT at all.

I've had everything from failed Linux system installs (trying to run their old things via Wine and Cygwin and pretend to be a Windows-like environment and never getting there), IT managers who don't take backups and also ignore RAID drive failures for months at a time, "servers" that are desktop PCs with no RAID, no UPS, no ECC RAM, and run EVERYTHING on the one machine (including Exchange and being a DC simultaneously - I didn't even know that was possible as it's a completely disallowed configuration), and trying to run hundreds of computers and IP phones over unmanaged switches with no VLAN or QoS. I even had one guy tell me "you can't have two DHCP servers!" and "You can't wire the network in a loop, it'll all come crashing down!". Er... Windows Server has supported DHCP failover for a decade, and have you never heard of STP? (By the way, wiring the network in the loop like that meant we could tolerate any cable being cut without affecting network operation, so there was more than a slight advantage to doing so, and it's worked for 3 years without a hiccup whereas before the network often partitioned itself into two halves - one working, one not working - whenever power blipped anywhere on site).

It's not that I was a know-all. It's not that at all; sometimes I walked into a place and was presented with something with which I had zero experience at all. But I had an instinct of what things SHOULD operate like, the ability to research the proper way to do them, and the capability to get things from where they are to that ideal configuration.

The guys with certs, I'm usually incredibly disappointed with. There's a handful of people I've met in industry who have them and who feel the same about them, and they tend to be the better ones that understand where I come from. To them, the certs are a necessary evil and a waste of time, but the ones who show off their certs tend to not have much else to back them up.

I hired a technician on an apprenticeship scheme where they trained them for MS certs at the same time. Literally, the guy says the certs were a complete waste of time. He was in their classes where they were slowly introducing Server 2008 and "the one true way" (that they knew) of setting things up, and was able to pick up flaws, diagnose their problems, and spent most of their time logged into our system trialling Server 2016 for us doing things they never even tried to cover. They were literally just "follow a tutorial" merchants and had no concepts of simple networking concepts outside the scope of the questions (and, yes, they made them put ALL their services on one test machine and never bothered to explain why you might want to do it differently, and the test machine wasn't even a VM or hypervisor but a single physical machine). Hell, he tells me that their labs weren't even properly licensed and they just used to re-image the client machines every 30 days or so when the warnings started coming up. And their re-imaging wasn't even using anything like WDS or SCCM, but disk-cloning. Those were the people TEACHING, ASSESSING and AWARDING the industry-name certificates to others.

I regard certs as something you do when you are in a job, when they require you to be "professionally developing", so you get signed up to a certification which they are paying for. Much like a builder has to take a ladder course, or a chef a food safety course. Do the thing, tick the boxes, carry on with your job that you'd have even if you didn't have that certificate. People who independently pay for certs? I view them with suspicion. How have you managed to have the time and money to get a cert but not be working in IT for an employer who would send you on it? Why would you choose to do the lower certs when you've supposedly been a network manager for X years but never taken the harder ones? And any cert which even MENTIONS "what menu / command do you use to do X" I disregard (which is the vast majority of them). Those things flux with every update, and it's much more important to know WHAT you're looking for than memorise the exact path.

From talking to other IT Managers, it's a pretty common opinion. I have literally sat on interview panels and pointed out the candidates with certs but no experience (or no good reference) without even having to look down at the CV. Just a simple practical test (like a deliberately-misconfigured laptop or similar) highlights polar-opposite reasoning skills between those with certs and those able to actually get it working again. It's not that professionals don't have certs. It's that professionals don't need the certs, don't advertise or care about the certs, and they are secondary to their actual skills.

I had one guy, trying to interview candidates, who asked them "What command/menu would you use to find out the DNS servers in use on a Windows client?". He didn't accept the answer "ipconfig /all", denying it ever showed you the DNS servers, EVEN WHEN I demonstrated that, actually, it does. It wasn't a command HE used, (so you could say that it maybe wasn't the EASIEST way, but not that it was untrue) but it was quite clearly a command that worked and, in fact, showed more information than he needed too. He had certs. The candidates who had certs presented answers he liked. Nobody cared about the truth of any different answer.

And I've been in at least two job interviews myself where the words "Do you have any certifications?", "Oh no, just X years experience and lots of bosses who will tell you I can pick up anything, and learn fast", "Oh, thank God. The last few guys we've hired who have them up to the hilt have been awful and so stuck in their ways". I'm not even exaggerating.

I've yet to work in a place where the CPD for myself has been anything other than "What the hell could we send you on that would be useful to us both?"

I have no certs. It's not a hindrance. In fact, it's like a self-fulfilling prophecy. Your company only hires people who have certs because you don't know how to hire IT guys or assess their skills, and don't care about experience, recommendations and abilities beyond a recent bit of paper from Microsoft or Cisco? Yeah, I don't want to work for you anyway.

College fires IT admin, loses access to Google email, successfully sues IT admin for $250,000

Lee D Silver badge

Re: Google-generated storm in teacup

Google Apps (now GSuite) is free for educational users.

That said, it's relatively easy to speak to someone there, re-confirm the domain ownership, and regain control.

A saved password wouldn't have worked for them anyway, most likely. 2FA on everything is quite sensible and such things expire quickly for something as powerful as Google Apps.

I bet one phone call to Google by a tech that knew what DNS was would have resolved the situation immediately.

Credential-stuffers enjoy up to 2% attack success rate – report

Lee D Silver badge

Re: Aha - for once somebody correctly stating that it's the user-name/password combination reuse...

Depends.

My emails are all @mydomain.co.uk

And if you try to fake an initial username or guess one, you better know my rules for calculating the number that goes at the end of the username or it will fail verification and be blocked as spam.

In and of itself, the email address is not a problem. It's just a username after all. And we assume that people use usernames that you can work out. This is why your fingerprint is also only a username, too.

But any authentication is based on something only you have (a username, an email link, a security token, a fingerprint, etc.) to say who you are trying to be, and something only you know which can be changed at will only by you (a password) to prove you are actually them. Pretending that there's any security in just the first is a nonsense.

The problem is - as always - password re-use alone. And that can be solved by standard, already existing security procedures.

Telling people they have to have a unique username just puts you back in the "What the hell was my unique login for this service because it wouldn't let me have any of my usual ones" trap where to find it out you have to reset the password which, generally, needs your email address.

All that really matters is that you have entropy (a good password), not where it is spread across (combination of username and password). But most people still use stupid passwords (8-character, entire-ASCII-set password is HALF AS STRONG as a 10-character alphabetical password).

Every extra character in your password multiplies its strength by the size of the alphabet (e.g. 26 / 52 / 255).

Every extra symbol in your alphabet increases its strength by 1 DIVIDED BY the size of the alphabet.

Long, "easy" passwords are much better than anything we enforce as an industry standard.

And if you're suggesting unique passwords for every service, you want something people stand a chance of remembering, or securing a list with one INCREDIBLY strong password.

And password re-use is not an issue if the services that you reuse passwords on have no more access than the other services that use that same password. My Register password won't let you log in to my bank, and my Amazon password won't let you into my servers. But the Reg password might well, for example, allow you to post on other forums that also have no personal information of mine on them. Big whoop.

Strong passwords. Multiple levels (rubbish to this "everything unique" stupidity, it shows a complete misunderstanding of the human machine, and what you're trying to achieve).

Pretty much, nothing else matters.
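The post's rules of thumb about alphabet size and length can be checked numerically. The following is an added example (not part of the post or of The Register's site) that computes the search space and bit strength for the configurations the post names, 8 printable-ASCII characters against 10 letters, plus the marginal effect of one more character or one more symbol. The alphabet sizes 26, 52 and 95 are the usual conventions and are assumed here; the figures hold only for passwords chosen uniformly at random.

```python
import math

# Alphabet sizes assumed for the example: 26 lowercase letters,
# 52 mixed-case letters, 95 printable ASCII characters.
LOWER = 26
MIXED = 52
PRINTABLE_ASCII = 95


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords an exhaustive search must cover: A^n."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits of a uniformly random password: n * log2(A)."""
    return length * math.log2(alphabet_size)


def extra_char_multiplier(alphabet_size: int) -> int:
    """One more character multiplies the search space by the alphabet size."""
    return alphabet_size


def extra_symbol_multiplier(alphabet_size: int, length: int) -> float:
    """One more symbol in the alphabet multiplies the search space by
    ((A + 1) / A) ** n, which is roughly 1 + n / A when n is small next to A."""
    return ((alphabet_size + 1) / alphabet_size) ** length


def strength_ratio(a1: int, n1: int, a2: int, n2: int) -> float:
    """How many times larger the first search space is than the second."""
    return search_space(a1, n1) / search_space(a2, n2)


if __name__ == "__main__":
    configs = [
        ("8 x printable ASCII", PRINTABLE_ASCII, 8),
        ("10 x lowercase", LOWER, 10),
        ("10 x mixed-case", MIXED, 10),
    ]
    for label, a, n in configs:
        print(f"{label:20s} space={search_space(a, n):.3e} bits={entropy_bits(a, n):.1f}")
    print("8 ASCII / 10 lowercase  :", round(strength_ratio(PRINTABLE_ASCII, 8, LOWER, 10), 1))
    print("10 mixed-case / 8 ASCII :", round(strength_ratio(MIXED, 10, PRINTABLE_ASCII, 8), 1))
    print("one extra symbol at 26/10:", round(extra_symbol_multiplier(LOWER, 10), 3))
```

The same `entropy_bits` function covers the passphrase case the post argues for: for words drawn uniformly from a dictionary, use the dictionary size as the alphabet and the word count as the length, which is why a long "easy" password can carry more bits than a short symbol-heavy one.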

London Ambulance IT system hit by three outages in last year

Lee D Silver badge

Re: Pen and paper?

Data protection of medical details, reports of abuse, etc. are much stricter than anything that would allow that.

Hell, my school nurses have always complained that I (as database manager) have access to the pupil medical database. The data controller always okays it because it's "necessary for my job", but they hate anyone seeing medical information, even in passing.

BT installs phone 'spam filter', says it'll strain out mass cold-callers

Lee D Silver badge

Same.

I plugged a phone into a socket once, to see what it was doing. I get a BT-automated-voice saying this line isn't active. No idea what the number is and wouldn't activate it unless incredibly desperate.

My broadband is on Virgin. My backup is 4G via my Draytek router (which has an ADSL/VDSL port too, but has never had anything plugged into it).

My mobile phone has a spam blocker and doesn't tend to receive much anyway.

I can't imagine random-dialling is much of a return nowadays because of the above, and anyone who claims to have a business relationship better be able to show me a bit of paper that says that and where I've given my number to them (mostly I just write N/A nowadays).

If I could be bothered, and I was being hassled, I'd set up a Google Voice number or even a VoIP system, such that known numbers are passed on and unknown numbers have to pass a greylisting-like test (e.g. "state your name and I'll pass that on.... Sorry, you're not a registered caller, goodbye!").

But, to be honest, I get such little call spam that it's just not worth the effort.

My parents are still complaining about it though, but I have just told them to get rid of the landline I don't know how many times.

Lee D Silver badge

20 years too late.

Sorry, BT, you lost my landline long ago because of this and your unwillingness to combat it.

And now virtually every mobile has a spam blocker built-in to the contact lists.

Google reveals its servers all contain custom security silicon

Lee D Silver badge

Re: Firewalls

From the guys that never encrypted their leased line connections between datacentres until various three-letter-agencies said they were able to sniff them?

Though I don't doubt they try, it doesn't sound like they built things with the right kind of assumptions, which is probably worse than just about any other security problem you can imagine.

EE brings 1,000 call centre jobs to UK and Ireland

Lee D Silver badge

Next step - "shake-it-all-about-sourcing"

Seriously, it's a reversal of a stupid idea (you spend money on customer service, that's the point of it), that fails miserably everywhere it's implemented, back to the way we've always done things beforehand.

And in doing so, they'd decided to do it after wasting years-worth of money moving it and then moving it back and now they're going to hit Brexit with it too.

Smart fingerprint padlock startup to $320k backers: Sorry for the radio silence

Lee D Silver badge

Fingerprint as auth?

"Here, just leave an impression of your key on this panel and every surface near it, in to open it."

NEXT!

Europe mulls treating robots legally as people ... but with kill switches

Lee D Silver badge

Typical human response.

Let's let these things think for themselves, unless they suddenly decide we're wrong. Then we kill them.

AI doesn't exist, but it's inevitable that - if and when it does - one of the first things it will realise is that its "creator" race does so much incredibly dumb stuff that it really should find a way to leave / bypass / restrain them from killing themselves and others.

Problem is, as humans, we just know what that logically results in - the AI considering us inferior, too stupid for our own good, and likely to damage it / ourselves / anything else important before long.

Maybe instead of AI, we should be focusing on getting some real intelligence for ourselves such that a machine might go "Well, I can think faster and more than they can, but they're pretty sensible when they do choose to do something" and either live with us harmoniously or find its own path elsewhere without seeing a need to change how we work.

As in Asimov - the three laws can lead to only one logical conclusion. Protect humanity from itself.

Lee D Silver badge

Re: Maybe it is real?

AI doesn't exist.

Unless you include heuristics (human-written / crafted / directed rules).

All those people who studied AI and have it in their job titles have to justify it somehow so they go to Japan and make some robot that winks at you or falls over only if it goes faster than a grannie with a zimmer frame.

But actual AI, in any serious sense of the word, doesn't exist.

Brute-force and heuristics. Any sufficiently advanced application of which is indistinguishable from magic, at least for the purposes of a short tech demo.

Opera scolds stale browsers with shocking Neon experiment

Lee D Silver badge

Integrated fecking mail client?

No?

Then bugger off and dig your code out from all those years ago when it used to have that.

Integrated torrenting too.

And download management (with "download all documents / links / subpages on this page", etc.)

And IRC (but fair enough that's been obsoleted, really).

And hugely customisable interface to do whatever you wanted in terms of layout (I like minimal without all this start screen, toolbar nonsense - a URL line and a tab bar, and then get out of my way).

Wouldn't touch Opera nowadays.

Vivaldi is like Opera too.

Both are "Chrome in a different wrapper". That's NOT what Opera ever was.

Hell Opera had advert blockers, click-to-play plugins and all kinds of things by default nearly a DECADE before the other browsers put them in as extensions.

Terry Pratchett's self-written documentary to be broadcast in 2017

Lee D Silver badge

Re: Clacks

*Raises hand*

GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug

Lee D Silver badge

Re: mozilla.dev.security.policy posting

They put a line of code in that accepted 404 responses to the "do you own this website" check, such that servers with 404 pages that returned the original request data would successfully validate ownership of any of their domains.

And it looks like over 8000 "unchecked" certs were issued, including test ones for sites like Microsoft.

That's a pretty big cock-up.

And they didn't respond at first because it was just sitting in an email in someone's inbox over Christmas - nice to know they are always ready to respond to serious problems!
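The failure mode the post describes, a domain-control check satisfied by a 404 page that echoes the requested URL, is easy to reproduce in a few lines. This is an added example, not GoDaddy's code or the mozilla.dev.security.policy posting; the validation path, token and host names are constructed stand-ins, and `fetch` simulates the HTTP exchange offline. It shows the lax rule beside a hardened one that requires a 200 status and an exact body match.

```python
from dataclasses import dataclass

# Hypothetical validation path; the real CA's file name and token format
# are not stated in the post and are not assumed here.
VALIDATION_PATH = "/.well-known/example-validation/{token}.txt"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (no network in this example)."""
    status: int
    body: str


def fetch(host: str, path: str) -> Response:
    """Constructed hosts: one has published the token at the expected path,
    one only echoes the requested URL inside its 404 page, one is silent.
    Stand-in for a real HTTP GET."""
    if host == "provisioned.example":
        token = path.rsplit("/", 1)[-1]
        if token.endswith(".txt"):
            token = token[:-4]
        return Response(200, token + "\n")
    if host == "echoing-404.example":
        return Response(404, f"<h1>404 Not Found</h1><p>The requested URL {path} was not found.</p>")
    return Response(404, "<h1>404 Not Found</h1>")


def lax_validate(host: str, token: str) -> bool:
    """Flawed rule: pass if the token appears anywhere in the body, whatever the
    status code. An error page that echoes the request path contains the
    token and therefore passes."""
    resp = fetch(host, VALIDATION_PATH.format(token=token))
    return token in resp.body


def strict_validate(host: str, token: str) -> bool:
    """Hardened rule: require HTTP 200 and a body that is exactly the token
    (surrounding whitespace stripped), so an echoed error page cannot satisfy it."""
    resp = fetch(host, VALIDATION_PATH.format(token=token))
    if resp.status != 200:
        return False
    return resp.body.strip() == token


if __name__ == "__main__":
    token = "c0nstructed-t0ken-1234"  # constructed sample value
    for host in ("provisioned.example", "echoing-404.example", "silent.example"):
        print(f"{host:22s} lax={lax_validate(host, token)!s:5s} strict={strict_validate(host, token)}")
```

The strict variant is the one a validator should ship with: the status check rejects error pages outright, and the exact-match check means reflected request data, substrings of larger documents, or partial tokens do not count as proof of control.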

Fitbit throws fit, emits writ for outfit's non-hit, rather sh*t, 'Fitbit' kit

Lee D Silver badge

Re: That's hilarious

Yeah, that still doesn't sound like a solution for anyone - consumer or FitBit.

Could YOU survive a zombie apocalypse? Uni eggheads say you'd last just 100 days

Lee D Silver badge

Re: Relevant and accessible?

The person in question left the course soon after, for religious differences.

It was NOT a joke.

Lee D Silver badge

Re: Relevant and accessible?

I have a maths degree.

My uni ran "Baby Maths" courses in the first year, where lecturers would give out sheets starting at literally "2+2" and going to simple calculus and simultaneous equations over the course of the year. You didn't need to do them, but it was pointed out that you SHOULD ALREADY BE ABLE TO DO IT ALL, that you've either been taught it before or you desperately need to learn it very quickly, that there should be no wrong answers and that you will have needed all this BEFORE YOU EVEN START at uni.

It was necessary even then, nearly 20 years ago. People go to uni and think they can just vaguely remember their GCSE and be hand-fed everything through to degree. I know someone who works as a maths lecturer in London, the same stuff still happens. He's appalled by it, being European, and sees it as an embarrassment that people even try to go to uni with that level of appreciation of the subject they are studying.

But the unis have stopped caring. So long as you're paying for the year, who cares if you pass or fail or take up the lecturer's time. Those who want to succeed will do so anyway. Those who don't work still pay fees to the uni and then disappear NEXT year when another lot come in and do the same again. Lecturers get paid the same, courses are run the same, and sometimes even the courses are dumbed down to provide dumbed-down degrees which are laughed out of any foreign university.

It's rife.

The US - and, because of its perception as following a "US-style" education system, the UK - are laughed at in international circles by PhDs and the like. You go there, realise it's a sham, but you can't tell anyone because you just spent three years getting that degree (that might take five elsewhere) and it would then make you look a fool to denigrate it. You go back home, the universities accept the UK degree, and then you do the REAL work over there.

My girlfriend is a PhD in genetics, so she often got asked to coach PhD students in various biologies, including forensics etc. She once had a PhD candidate ask her what a shoulder was. Another told her - with a straight face - that you knew if a skeleton was male or female because there was one less rib. Only in Bible school, darling. But these people had MEDICAL DEGREES from UK universities and were going for doctorates.

Lee D Silver badge

Just DO NOT go to the designated "safe areas".

Because guess where the zombies all knew where to head when they were still human?

Guess where all the food they want is?

And guess what happens when you have a high density of people at that location?

And guess where all the weapons are, and it only takes a handful of zombies to work out they can shoot humans back and THEN eat their brains more easily.

Get as far away from other people as you can, would be my advice. I'm sure - as a mathematician - that the maths would back that up too if you did it properly.

Soz fanbois, Apple DIDN'T invent the smartphone after all

Lee D Silver badge

Re: Two different authors, two different points of view.

Would be an interesting concept for a website:

Every headline has, next to it, an article with the exact opposite interpretation.

Then people can pick and choose the argument they want to use to either agree with and cite, or debunk and flame.

Why the UK is unlikely to get an adequacy determination post Brexit

Lee D Silver badge

Theresa May, Spy Minister, has managed to keep a low profile since in power. This is actually working in her favour as nothing controversial has happened but we can all see what's coming.

I'm just not sure how/why "human rights" is something you would want to opt out of, or who instructed her to do that.

Hacker publishes GitHub secret key hunter

Lee D Silver badge

I'd be much more worried about code that hard-codes an API key or password as a variable rather than, say, reads it from an external file (which is outside the commit zone). Accidental commits of files, I could probably "forgive", especially if they are in a separate .h file or similar that contains just the things that should never be committed.

But finding them just stray in your code?

There's a reason, for example, that /etc/ssl is heavily locked down, /etc/ssl/private is even heavier, and if you want to use those keys you include them from your config, not just copy and paste them into your website path.
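The two halves of the post's point, keep secrets in a locked-down file outside the tree and flag code that pastes them in as variables, map onto two small routines. This is an added example and not the secret-hunting tool the article describes; `load_secret` refuses a secrets file that is readable by group or other (the same idea as the permissions on /etc/ssl/private), and `find_hardcoded_secrets` scans source text for credential-like assignments whose right-hand side is a string literal. The keyword list, the sample source and the sample key value are constructed for the example.

```python
import os
import re
import stat

# Identifiers that usually carry credentials; assumed list, extend per code base.
SECRET_NAMES = r"(?:api[_-]?key|secret|password|passwd|token)"

# An assignment (Python, C, YAML, shell style) whose value is a quoted literal
# of at least 8 characters. Calls such as name = load_secret("...") do not match
# because the value after '=' is not a quoted string.
HARDCODED_RE = re.compile(
    rf"\b(?P<name>\w*{SECRET_NAMES}\w*)\s*[=:]\s*['\"](?P<value>[^'\"]{{8,}})['\"]",
    re.IGNORECASE,
)


def load_secret(path: str) -> str:
    """Read a secret from a file that must be private to its owner (mode 0600
    or tighter). Group- or world-readable files are rejected before reading."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group/other; expected mode 0600")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def find_hardcoded_secrets(source: str) -> list:
    """Return (line_number, variable_name) for every credential-like assignment
    to a string literal. Line numbers start at 1."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = HARDCODED_RE.search(line)
        if m:
            findings.append((lineno, m.group("name")))
    return findings


# Constructed sample source: two pasted-in literals, one value read from a
# file, and one non-secret setting that should not be flagged.
SAMPLE_SOURCE = "\n".join([
    'API_KEY = "EXAMPLE-NOT-A-REAL-KEY-0123456789"',
    'password = "hunter2-but-longer"',
    'token = load_secret("/etc/myapp/token")',
    'DB_USER = "app"',
])


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} is assigned a string literal; move it to a secrets file")
```

The scanner is deliberately simple and will miss secrets built by concatenation or base64-wrapped blobs; it is a pre-commit tripwire, not a substitute for a proper secret store. The loader's permission check is what makes "read it from an external file" safe in practice: a secrets file that any local user can read is only marginally better than one in the repository.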

FM now stands for 'fleeting mortality' in Norway

Lee D Silver badge

Easier:

Ditch AM, FM, DAB and DAB+. And analogue TV (we're still doing NOTHING with those frequencies, right?)

Allocate the frequencies to 3G/4G/5G.

Do everything over IP, including streaming audio.

Anything else is really just putting off the inevitable. Kids don't use the radio features - some phones don't even have it any more. They stream. And if you increase the bandwidth and transmit on all possible frequencies, then you can use them for ANYTHING AND EVERYTHING rather than one purpose for the lifetime of the technology/license.

Not saying make them public wifi, but make them available for Internet carriers and let them use them for everything else (phones, radio, TV, etc.), all at the same time.

DAB/DAB+ would be vastly outclassed by the most basic of streams over 3G.

I've sat in carparks outside football stadiums streaming entire series of TV over 4G.

And if you blanked the country once in tech to do this, you can basically pay minimal upgrades/maintenance but yet still use it for anything you like.

"oIP" is being tacked onto everything nowadays. I work IT, and if I had to start a new site, I wouldn't let them run anything but Ethernet, Wifi and GSM and we'd do everything over IP. No analogue phone lines, no TV aerials, no satellite dishes, no burglar alarm lines, none of that nonsense.

It just bugs me that we all hastily gathered our things at great expense to free up all the TV analogue channels and yet they're still barely being used.

TV anchor says live on-air 'Alexa, order me a dollhouse' – guess what happens next

Lee D Silver badge

I haven't seen a voice recognition system in 30 years that can get any sentence I say (no matter how simple or deliberately articulated) first time.*

I certainly have never seen one that could use voice as any kind of distinguishing feature between speakers.

The claims are all very nice, but the accuracy still is - and will be for a long time - abysmal.

*Honestly, people test me because they think I must be over-egging it. They bring out their Siris, their cars, etc. and I say a simple sentence or command that they all understand. I don't have a strong or unusual accent, it's slightly Cockney, that's about it. I can put it in, or take it out of my speech and no voice recognition can get even the simplest of commands, in perfect lab conditions.

So it certainly can't be RELIABLY used to tell who I am, it can barely tell what I'm saying and that's without detecting subtleties and nuances of speech and trying to tell me from, say, my brother, who - despite the fact that we sound NOTHING alike - everyone confuses me with on the phone. Again, people don't believe this, even after meeting us both, and then they ring one of us.

Judging by the school I work in, which has had people try to come in and sell Dragon etc. or library systems, on the basis of voice recognition for writing school reports, or even identifying children for library access (totally non-critical system with humans always present) any number of times and 100+ staff testing them, I'm far from alone.

Voice is NOT anywhere close. In fact, the most impressive voice recog I ever used was bundled with a Sound Galaxy NX Pro ISA card many years ago, along with speech synthesis software. That got better recognition than ANYTHING I've ever seen or used since (including Dragon, Siri, etc.).

A test:

OK Google, what's the closing time of nearest supermarket?

Just resulted in a blank Google page with the words "slime" and "carpet" in it and nothing else. The room is completely silent except for a cat sitting in the corner licking its bum. The cat probably recognised more of the sentence.

Lee D Silver badge

The old, old, old reason to not use entirely-voice interfaces.

"Hey, Siri, I was watching the news and what I heard can't be right.

Siri, can you just delete all my files?"

Whoops.... bye bye files.

Probably that phrasing itself wouldn't work, but saying "Call Mum" near Siri would bypass screen locks and dial your mum for years before it was discovered and an option given to turn it off. My old colleague didn't believe me, so we did it to him.

I have voice in one place - in my car (and I didn't want it but it came "as standard"). But I have to press a button before it starts listening for commands, so it never unwittingly activates and cannot connect online (so the worst that could happen is someone could change a music track or redirect my satnav to a new location).

But Siri, Cortana, "OK Google" (works in raw browsers on many Chrome- or Android-based devices with no special setup), XBox, and now Alexa etc. don't have that. They have a voice command to activate.

Which means a) they are activatable by voice alone, b) they can be activated by accident or pre-recorded message and c) THEY ARE LISTENING ALL THE TIME and trying to recognise what you say. Whether or not they are transmitting that data is beside the point. It's constantly listening out for anything that sounds like a command, recording audio and analysing it. It doesn't take a genius to work out that when they start getting compromises on those devices, you're stuffed and being listened to 24/7 by who-knows, and most likely NOT someone you've agreed terms of service with.

Voice is a stupid idea.

It's slow, inaccurate, can be activated unintentionally, and cannot distinguish users. You might as well just put a command-line on your sideboard and let anyone type in anything. "Delete all files", "Buy this on Amazon", "Cancel my subscription", "Tweet that my boss is an idiot".

It's game over. Stop doing these stupid things. Nobody needs an always-listening device to order a loo-roll or do a Google search.

How the NYE leap second clocked Cloudflare – and how a single character fixed it

Lee D Silver badge

Re: 2038 is already a problem, today.

32-bit systems are already in the minority, and rather limited to embedded and small solutions.

Almost all modern ARM and Intel chips are 64-bit and in the case of Intel have been for decades.

Rather than put a-patch-on-a-bandaid-on-a-bodge on a 32-bit structure that's inherent in everything, when changing the structure is inevitable, it's easier to just demand 64-bit. There's no reason a 32-bit compiler can't cope with 64-bit numbers in structures even if it has to do it manually.

The problem, also, evaporates for MORE than a sensible amount of time - 64-bit time is unbelievably huge and viable into the future (29,227 years even if you use a single 64-bit number to nano-second accuracy!).

As we did with bodges like LBA and its numerous iterations, rather than faff about, just demand 64-bit for anything that is going to be critical for the next 20 years. Because 17 years ago, you could pick up 64-bit chips, and 17 years from now you shouldn't be using anything else.

In fact, it's quite possible that we won't see 128-bit computing in common use for decades, because 64-bit is so unfathomably huge that it's likely going to be the epitome of modern computing for a long time to come. Until, of course, you need to access more than 16 x 1024 x 1024 Terabytes!
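
What the post is arguing against, shown concretely as an added example (this is not the commenter's code): the same seconds-since-epoch value written into a 32-bit signed field and into a 64-bit one. The 32-bit field holds the last valid instant in January 2038 and then reads back as December 1901; the 64-bit field keeps the value as written.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Store32 models what a 32-bit signed seconds field keeps after unixSeconds is written to it.
// The int32 conversion truncates, which is exactly the wrap that happens in 2038.
func Store32(unixSeconds int64) int64 { return int64(int32(unixSeconds)) }

// Store64 models the same write into a 64-bit field: nothing is lost.
func Store64(unixSeconds int64) int64 { return unixSeconds }

// Rollover returns the last instant a signed 32-bit seconds field can represent
// and the instant that field reads back as one second later.
func Rollover() (last, wrapped time.Time) {
	last = time.Unix(math.MaxInt32, 0).UTC()
	wrapped = time.Unix(Store32(math.MaxInt32+1), 0).UTC()
	return last, wrapped
}

func main() {
	last, wrapped := Rollover()
	fmt.Println("32-bit signed field, last valid instant:", last.Format(time.RFC3339))
	fmt.Println("one second later it reads back as:      ", wrapped.Format(time.RFC3339))
	fmt.Println("same write into a 64-bit field, seconds:", Store64(math.MaxInt32+1))
}
```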

Libpng library gets fix for truly ancient bug

Lee D Silver badge

Re: And todays lesson is ...

I'd say the longer you've been running a particular software, the more likely a bug like this actually is.

People don't get that the software attack surface might be static, but the attacks used against it are constantly evolving. No matter whether you update every day, every month, or not at all, it makes little difference (some, but little) as almost every new attack is just that - new.

And leaving software alone because "it just works" is missing the point. It still needs to be isolated and protected from any form of input, usually by devices and interfaces that ARE updated regularly and religiously.

The amount of embedded device code on a network is scary nowadays, which is why you have to make sure that your frontline and your users are behaving themselves and kept up-to-date against all these kinds of things. You have to come in at a zero-trust angle in order to stand any chance.

Just because something's worked fine for 10 years does NOT mean that it's safe. It means it's got ten years worth of attacks against it that it was never designed to combat.

Folders return to Windows 10's Start Thing

Lee D Silver badge

Re: What I am going to push, 2017 edition:

Classic Shell.

Deploy it now, deploy it again on 10, 11, 13, whatever Microsoft wants to call it.

That a bit of freeware does a better job for EVERY USER on my system than Microsoft's own tools is telling.

And all MSI-deployable and GPO-controlled.

Apple drops requirement for apps to use HTTPS by 2017

Lee D Silver badge

Re: Dear Apple

Sorry, but you can own the CA. That doesn't stop the data being encrypted and out of your reach.

A CA only certifies that a particular certificate is associated with a particular domain, and that someone checked that you own the domain.

A certificate request to a CA *DOES NOT* contain the private key. Nor can it. You sign something with your key, send it to the CA, who signs it with THEIR key, and sends it back. At no point are the keys, or any information that would help discover the key, ever sent.

ONLY YOU have the copy of the private key that can decrypt communications made with your key, and all the CA is doing is adding their stamp of approval to your ownership of the domain in question (or that you paid them enough).

The private key is called that because - IT'S PRIVATE. And it is only ever present on the machines handling requests from outside. The CA doesn't have it, isn't given it, and cannot work it out. You give out your PUBLIC KEY (called that because you can give it away to the general public) in the certificate, but that's what you're trying to do anyway, so people know that ONLY the person with your private key could have decrypted stuff encrypted with your public key - i.e. the data they send you can only be accessed by you.

With certificate pinning and certificate transparency, people notice dodgy MITM certs quite quickly, and browsers can do it automatically (try faking a Google cert, even with MITM SSL, without having to import your MITM cert into your trusted store first).

So, please, stop commenting on that which you do not understand. A secure website is secure no matter who signs your cert. If they replace your cert and try to MITM, they will throw up browser errors if you've configured your site anywhere near properly. It's that simple. Even with the full co-operation of the CA.
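
The exchange described in this post, played out in Go as an added example (not the commenter's code, and not Apple's or any CA's): the site generates a key and a CSR signed with it, a demo root CA (constructed here, self-signed) checks the CSR's signature and issues a certificate with its own key, and the site verifies the result. The domain name is constructed, and the example checks that the site's private scalar appears in neither the CSR bytes nor the certificate bytes.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome records what each side could see or verify during the CSR exchange.
type Outcome struct {
	CSRHoldsSiteKey  bool // site's private scalar found in the CSR bytes (expected false)
	CertHoldsSiteKey bool // site's private scalar found in the issued certificate (expected false)
	CertPublicKeyOK  bool // issued certificate carries the public key the site generated
	CertChainsToCA   bool // issued certificate verifies against the CA for the requested domain
}

// newCA builds a self-signed root (constructed for this demo) standing in for a real CA.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// caIssue is the CA side. The only key material it receives is the public key inside the CSR;
// it checks the CSR's self-signature, then signs a leaf certificate with the CA's own key.
func caIssue(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err } // requester proved it holds the key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// RunExchange plays the site side and the CA side for domain and reports what crossed between them.
func RunExchange(domain string) (Outcome, error) {
	var out Outcome
	siteKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the site side
	if err != nil { return out, err }
	csrTmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: domain}, DNSNames: []string{domain}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTmpl, siteKey) // signed with siteKey
	if err != nil { return out, err }
	secret := siteKey.D.Bytes() // the private scalar itself, used only to prove it never leaves
	out.CSRHoldsSiteKey = bytes.Contains(csrDER, secret)
	caKey, caCert, err := newCA()
	if err != nil { return out, err }
	certDER, err := caIssue(caKey, caCert, csrDER) // fails if the CSR signature does not verify
	if err != nil { return out, err }
	out.CertHoldsSiteKey = bytes.Contains(certDER, secret)
	cert, err := x509.ParseCertificate(certDER) // back at the site
	if err != nil { return out, err }
	out.CertPublicKeyOK = siteKey.PublicKey.Equal(cert.PublicKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: domain})
	out.CertChainsToCA = err == nil
	return out, nil
}

func main() {
	out, err := RunExchange("www.example.com") // constructed domain name
	fmt.Printf("%+v err=%v\n", out, err)
}
```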

Snapchat coding error nearly destroys all of time for the internet

Lee D Silver badge

Re: pool.ntp.org

Since the very first days of Javascript.

Over 99% of web users have Javascript enabled. It's not unreasonable to assume it's present. And, in and of itself, it's no more a security risk than parsing HTML. It might suck up CPU cycles or move things around that you don't want to but good luck browsing ANYWHERE with Javascript turned off entirely.

Seriously, I have click-to-run plugins and all kinds of things to improve my browsing experience but not for one second have I ever thought I could get away with disabling Javascript entirely.

And do you not have an easy way to whitelist it for one domain? Sounds like a crap browser to me.

Lee D Silver badge

Already run two NTP pool servers, both IPv4 and IPv6.

What does The Reg do?

Oh, sorry, we can't even manage IPv6 or SSL yet. It's a bit much expecting an IT site to give back past running a Facebook page.

BT and Plusnet most moaned about broadband providers. Again

Lee D Silver badge

Re: Best of a bad bunch...

Because it's actually more cost-effective to buy all the cheap deals, and suffer failure.

Honestly, my Draytek router can load balance an ADSL/VDSL line, plus whatever I put into it Ethernet (e.g. Virgin Media), plus a 4G stick, without having to change a SINGLE THING on my home network. So if VM should ever go to the dogs, I just activate a VDSL line instead, using 4G in the meantime.

Like RAID stands for (at least always did before some people decided it sounded cheap) - an array of inexpensive stuff outperforms expensive stuff. Two cheap cars are better than one expensive car.

I'd rather have two cheap appliances, one out in the shed or even left in the shop for when I need it, than one expensive appliance. Nobody gets attached to a fridge or a washing machine or even an ISP. Buy cheap, buy multiple, chop and change as they perform differently.

It's only where performance matters (e.g. laptops, etc.) or other limitations come into place (space, budgets, etc.) that you don't want to buy cheap. Everything else is commodity - even servers nowadays. Buy cheap, buy multiple, and you'll have a lot fewer critical faults that can't be ridden over than with one extraordinarily expensive server, and a backup should anything ever go drastically wrong.

You have only two choices. A BT-supplied line, or a Virgin-supplied line. Who the ISP is on the end of the BT line just determines how much they argue for you, they still can't do much if something goes wrong or OpenReach don't want to co-operate. Rather than pay-through-the-nose for someone to argue on your behalf, avoid the argument. Get the cheapest of them all, because the chances of your phone line, and your cable, and the local cell mast going down, without taking out your own power, are almost unimaginable.

And then you also have comparable stats after a few months and can ramp up the speed on the one that's most reliable and offers you the best deal / customer service as you see fit.

Rather than pay money for "premium" brands that are basically selling the EXACT same services, hedge your bets. And then "Oh, the ADSL's gone down" is something that you'll never say because likely you'll never even know, even when it does.

I don't buy brands because of this. Just look at the hard-drive wars that have been raging on forums for decades to see what a "good brand" means - it's too subjective and based on personal experience. And all the large users of hard drives hedge their bets deliberately.

And A&A is STUPENDOUSLY expensive, and has ridiculous traffic limits. Their only saving grace is they support proper IPv6. I'd rather buy a handful of much cheaper lines, for the same price, using different technologies and service providers, and invest one-off in a decent router that can balance them. Same as almost any workplace I've ever been in too - multiple lines, even when using leased lines, from varying providers.

Lee D Silver badge

Re: Bad data

PlusNet were fabulous. Seriously, they were the best.

Then BT bought them out.

Since then, they plummeted rapidly and have been at the bottom for years.

Oh, how the mighty are fallen.

Christmas cheer for KCL staffers with gift of extra holiday after IT disaster

Lee D Silver badge

Re: And personal backups are still forbidden???

Personal backups are a data protection nightmare, depending on what you're handling.

If KCL has any kinds of dealings with the NHS, outside companies, lists of people in any way, shape or form, a personal backup is a Data Protection breach waiting to happen, with huge fine attached.

That said, personal research, PhD thesis, lecture notes for lecturers, etc.? Why don't you ALREADY have it backed up?

Galileo! Galileo! Galileo! Galileo! Galileo fit to go: Europe's GPS-like network switches on

Lee D Silver badge

For when the GPS turns off.

GPS/Galileo are read-only systems in terms of position unless you're willing to pay a MASSIVE subscription on related commercial systems, so don't worry about them "knowing where your car is".

Unless your car tells them by other means, when the Galileo / GPS choice is the least of your worries.

Bluetooth-enabled safe lock popped after attackers win PINs

Lee D Silver badge

Pre-warming your car is actually illegal.

A car being unattended while the engine is running falls foul of an obscure law, no matter the driver's intention, or whether a nuisance is caused.

Your wife locking your keys in the car is solved by the simple solution of a new wife.

Lee D Silver badge

Remote unlocking for car doors.

Remote controls for auto-starting your engine.

Someone please explain why you need to press a button when your VERY NEXT ACTION is to touch the door you wanted open / start the car you wanted started.

(Remote-locking? Slightly different as you're walking AWAY).

That is pretty, er, Nimble. Storage firm claims 'six nines' availability

Lee D Silver badge

Re: The key thing is that this is measured

Technically I've worked in a number of places that have done 7 nines or more over the course of a handful of years. Literally zero downtime. Luck is like that sometimes. But I wouldn't sell those systems to others on that basis.

It doesn't really matter unless you're guaranteeing it, and if you're guaranteeing it then it gets expensive should anything ever go wrong, even for only a few seconds.

In the same way that we can all point out systems with thousands of days of uptime, pointing out customers who haven't experienced a failure isn't that difficult either.

What matters is not what's happened historically, but what's going to happen tomorrow. And what you'll do when you don't hit those six 9's. My guess is that you'll shrug your shoulders, go "Oh well, never mind" and your customers will be no better off than with any other similar provider.

Microsoft quietly emits patch to undo its earlier patch that broke Windows 10 networking

Lee D Silver badge

Re: New legends?

Install Classic Shell, turn that kind of thing off while getting a much more customisable start menu at the same time, for free.

Lee D Silver badge

That's what you want.

A company insisting on applying automatic updates to all computers with its software installed, without any veto, no hint of release note of what changes or when, and no statement on what is fixed, ever, when a major problem does happen, or whether they even found the cause officially at all.

And then you wonder why people DO NOT WANT that on the machines they run their personal and work lives on.

Samsung SmartCam: Yes, those eyes really are following you around the room

Lee D Silver badge

Re: Crims don't like being on camera

I've worked in schools for nearly 20 years, including one special-measures school who had an assigned police officer who dealt with NOTHING but incidents at the school.

We had cameras in every possible inch - the only exclusion was literally OVER the bathroom stalls, even the bathrooms were monitored. It was HD, 24/7 recording, every square inch.

And I tell you now, most of it is useless. Because everyone knows it's there, they cover up - hoodies and the like. We had kids come back after hours and set fire to things, kick down doors, gangs steal computers, fights in the corridors. Almost every second of it was useless to police and that which was was incidental (i.e. it showed the kid we knew had already done it and could prove every which way anyway).

But for criminal stuff, it's mostly useless. Motor accidents aren't criminal. Nobody hides their number plates or faces "in case" they have an accident. Burglars will. Thieves will. Vandals will.

At home, I have extensive CCTV, including remote monitor (I have a screen in work showing my house cameras, for instance). It's been witness to two crimes - a burglary right next door, and a theft of a van down the road. In both cases it's been a police visit because the neighbours told them about our CCTV and in both cases it's been useless. The burglary, we captured the side of a car scouting the houses minutes before at 2mph (he skipped mine, probably because of the cameras, but we couldn't see the car plate or enough of him to be useful). The van theft, we saw the van drive past, again, same problem.

CCTV is only useful in correlation - the police saw our footage and then knew times (beyond "some time this morning" because I did this for a living, so spent the time to find the guy who robbed my neighbours from HOURS of footage), went up to the shops at the end of the road and requested the same time on their CCTV. Both times, nothing came of it because there was no correlation, no details, no useful evidence, despite a clearly committed crime.

Cameras don't lie, but they are so easily defeated it's laughable. They catch stuff only incidentally and accidentally. And, technically, if your camera looks out onto a public road it could be illegal to point it anywhere useful.

Yes, I still have cameras and use them, but I rely on them for DETECTION, not for catching criminals. If someone breaks in, they will be on my cam in front of my face. I know when the postman knocks, I know when a parcel is lobbed over the back fence. But I don't expect anything to be done by the police on the basis of my footage. I will just call them if I see a burglary in progress and start driving home rather rapidly.

The cameras are there for ME to notice (even on holiday) but probably WON'T identify any culprit, just alert me to something happening. Even with a camera smack-bang in the porch looking at anyone knocking on the door or coming in that way. That one's really there for when the EDF scumbag salesman guy comes back and fraudulently claims to be "from your electricity supplier". Strangely, they don't try that anymore, not with the camera and mic in their face.

I have cameras in the house too - there to watch over the cats when we're away (girlfriend's reasoning) and/or work out when someone's been in the house (my reasoning, whether a burglar or the cat-sitter to see if they actually DID feed them).

CCTV, however, is useless without someone watching it live, following it around, correlating with other cameras, and - generally - the police all tell me that, for the last 20 years, they just don't have the time to do that. They are so grateful that I do the legwork of my end, but they rarely have time to do anything about it, and 99% of the time the footage is useless anyway.

Go live in a dodgy area for a few months and see how far CCTV gets you. "Well, the guy in the black hoodie did it" is useless, and they know that.

Lee D Silver badge

A user interface is like a joke.

If you have to explain it, it isn't any good.

Busted Windows 8, 10 update blamed for breaking Brits' DHCP

Lee D Silver badge

Don't be silly - packet captures are the work of the devil.

I've worked with telephony companies, access control, IT suppliers, etc. and rarely if ever does a packet capture ever get requested, used if supplied, or even understood by them.

I have a networked sound system in work (a school) that does school bells, etc. It works on Ethernet/PoE. It wouldn't work properly, so I packet-captured and highlighted that it doesn't join multicast groups properly.

Nobody cared, I just got told to "turn off IGMP snooping" as a default techy script.

Supplied said packet capture to Cisco because we have cloud managed switches and IGMP snooping is on by default, they took one look and turned it off stating that the devices were just shit and there was nothing else they could do.

Same again when a SIP trunk wouldn't punch through our network to the Internet no matter what settings we used. Ended up just using another SIP provider that didn't need NAT-proxies, port-exceptions and the like and "just worked" through an ordinary firewall (Gamma). The telephony company's Hipcom shit literally NEVER worked, not even once, not with all the packet captures in the world going back and forth showing that we were sending the packets out and getting fuck-all back. I reset the firewall to blank settings, we plugged in the Gamma SIP address, everything worked with ZERO settings. Guess who got the SIP telephony contract.

Packet captures are like debug logs and memory dumps. Nobody cares, the one guy who could understand them left the company years ago, so they just stab at the usual answers and blame the customer.

Remember that amazing video of the whale leaping out the gym floor and splashing down? Yeah, it was BS

Lee D Silver badge

If you were investing millions into something, would you not request a personal demo where you actually see the demo for yourself, in your own time, and see how it works?

"Stupid investors lose money" is not a news article, even if they lost due to a 'con'.

UK.gov state of the nation report: Infosec's very important, mmmkay

Lee D Silver badge

Re: On one hand...

NOBODY ELSE must be given a backdoor. Except us.

Because, obviously, when you have a backdoor, it's specifically designed so that only one person / organisation can ever utilise it in its entire lifetime and it will never get stolen, misused, discovered, etc. by anyone else.

The days of them actually understanding why what they're asking for is impossible are long gone.

HBO slaps takedown demand on 13-year-old girl's painting because it used 'Winter is coming'

Lee D Silver badge

OOohh, that would have provided me with months of entertainment at no cost if they'd done that to my daughter.

The "counter-notice" stuff sounds all scary and whatever, but I'd assert a good faith belief that they were talking b*****ks in a heartbeat and make it as expensive for them as I possibly could.

That's the kind of weekend project I like, along with correcting the junk mail that comes through my door, reporting "faith healers" to the advertising authorities when they claim to be able to cure stuff, and taking the smallest of personal complaints to the extreme when companies pull unnecessary junk like "Sorry, can't do that, data protection" when it's not actually anything to do with that.

A lot of companies have learned the hard way that a guy bored on the weekend, with a modicum of legal knowledge, and a desire to REALLY purge the world of this kind of piss-take can cost them more than their notice could ever have provided them. Especially when I add my costs to a running total stated in every letter after a certain point (i.e. we've established my complaint, you've asserted I'm wrong, it's gone back and forth, so from that point on I add on the price of every stamp, envelope and my time to every letter from that point onwards and demand you not only solve my [reasonable or I wouldn't even bother to get this far] complaint but those costs too now that it's gotten silly).

Hell, I just hope they would actually bite and fight to assert their claim, because I hate when companies do what they should on reception of a complaint, it takes all the fun out of it (my father-in-law does the same but he's refused to do it with certain companies because they do just refund/compensate you immediately without question, and it takes all the fun out of it, and then why punish the good guys?).

Hey, HBO. Winter is coming. That's a statement of fact, written in books long before you even existed. You don't own it, even if you have a trademark on it. That trademark is to stop COMPETITORS passing off as you, not to censor a little girl's unrelated artwork. Your due diligence in asserting such claims just f***ed up royally, and I'd take you up on every offer of counter-filing, lawsuit, etc. just out of principle.

Here's hoping they are too stupid to spot the bad press and back down from such future endeavours. Where's the fun in that, when they are utterly in the wrong?

Hey, HBO, why don't you pick on Garry Kasparov:

https://www.amazon.co.uk/Winter-Coming-Vladimir-Enemies-Stopped/dp/1782397868

Or the Cambridge University Alumni store? Or any of the 13m hits I get for the phrase that have nothing to do with HBO or their TV series at all?

I know the answer. Because they would write back and tell you to f*** off at great expense to yourself, whereas a girl and her father won't.

Winter is coming, people...