Posts by Andrew Dancy

16 posts • joined 9 Apr 2009

Peers to HMRC: Digital tax reforms 3 days after Brexit? Hold your horses, how 'bout 3 years...

Andrew Dancy

Re: Gap in the market?

Sadly not, although that does give a wonderful mental vision!

I meant more Alec Guinness...

Andrew Dancy

Gap in the market?

I'm seriously considering knocking up a simple app to do this, especially now it looks like they've backtracked and only require you to enter the nine box numbers from the VAT return. Although there are lots of spreadsheet bridges there seems to be a gap in the market for a simple standalone app for people who keep their records separately (spreadsheet, old-school desktop accounting software, etc) and don't mind just typing nine numbers into boxes once every three months and pressing a button.

As mentioned the main obstacle seems to be getting approved by HMRC to actually be able to access the API. That and coming up with a suitably snazzy name. I'm tempted by something like Hector - bonus points if anyone can remember him, and the word sums up HMRC's approach to MTD quite appropriately!

Brit boffins build 'quantum compass'... say goodbye to those old GPS gizmos, possibly

Andrew Dancy

eLORAN?

I recall reading a few months ago there had been a UK Gov report into the vulnerabilities of GPS (it's not just navigation - GPS timing signals are used for all sorts of scary things like synchronising electrical grid frequencies and regulating frequency slicing on the mobile phone networks). The conclusion was that jamming or solar events leading to a loss of GPS would have potentially catastrophic effects on modern life.

They suggested a number of solutions, one of which was eLORAN. Basically an update of the old LORAN navigation network used until the mid 90s, it would provide both location and timing (whilst many other GPS alternatives only do one or the other) whilst being virtually impossible to jam due to the much lower frequencies used. Unfortunately a trial a few years ago was kiboshed when other European countries turned off their transmitters (rumour has it there was pressure from the Commission not to support tech which could rival Galileo), so there's currently only one transmitter running (enough to support timing but not location, which needs multiple transmitters).

Setting up a chain of eLORAN transmitters would have the same utility as a British GPS system and would be considerably cheaper!

Enterprise smartphone buyers still pretty dopey about updates

Andrew Dancy

We've just gone through Cyber Essentials Plus and the assessor did check that all company mobiles were running the latest patched version of the OS (in our case iOS). He used a combination of reporting from our MDM system plus spot-checking a few devices at random.

I can thoroughly recommend CE and CE+ as it's not too onerous and for once it seems to actually focus on real-world risks (e.g. checking that your perimeter firewall actually blocks malicious URLs, your AV stops dodgy attachments, your users don't run as admin and you can't run downloaded exe files without a warning).

The one that caused us some problems (and it's actually a good one) was although we'd patched systems up to date, there are some Microsoft patches that only actually apply if you make a registry change. Thus we failed as the scanning software correctly reported that some of the patches weren't live. The solution there was to push the relevant registry key via Group Policy.

Bank of England to set new standards for when IT goes bad

Andrew Dancy

Re: BoE IT systems

Until a few years ago they actually had several thousand direct customers as staff and pensioners had accounts with the Old Lady. No credit card, but a rather fancy cheque book with sort code 10-00-01. And back in the good old days they had ridiculously cheap loans and mortgages. Mind you, no chance of an overdraft facility - if you went a penny overdrawn you'd get a polite but formal letter telling you not to do it again.

They also used to have a number of commercial accounts for Government departments such as HMRC

All scrapped by Mervyn King as part of his drive to turn the bank into a giant economics thinktank and get rid of everyone actually interested in banking. This after a certain Scottish chancellor shafted Eddie, the previous governor, by removing all the regulatory bits and handing it to the idiots in the FSA.

Oculus Rift whiffed, VR fanbois miffed

Andrew Dancy

Re: Enforced updates?

+1 - we always timestamp as part of our code signing process as otherwise you get exactly this issue - when your cert expires anything signed with it won't know that the cert was valid at the point it was signed.

The only problem you sometimes get is that the main timestamping servers run by all the big CAs are notoriously flakey and completely unsupported - if they break then you just have to find another one. Not helped by the fact that Authenticode signing uses a different method of timestamping from pure RFC3161 and not all timestamp servers support both formats.

What we really need is someone to offer cheap signing certs and provide a decent reliable timestamping server. Unfortunately LetsEncrypt have said they don't want to go into that area as they would be the obvious choice...

Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication

Andrew Dancy

Yes. They have various backup options including SMS to your phone, scratch codes, etc, but they definitely do bog standard TOTP as I have it on my Google account right now.

Andrew Dancy

There's a surprising amount of misinformation and misunderstanding about Google's 2FA here. Probably not helped by the fact 2FA can mean lots of different things to different people and vendors use the term for all sorts of things.

However proper 2FA means RFC6238, popularly known as Time-Based One Time Protocol (or TOTP for short). This is a standard devised by the Initiative for Open Authentication (OATH - not to be confused with OAuth!) and because it's an open standard there are loads of implementations of it. Google Authenticator and Microsoft Authenticator are the obvious ones, but even things like Symantec VIP (used for PayPal 2FA) are actually a tweaked version of TOTP and can be kludged to let you use a standard TOTP app instead of having to buy a PayPal dongle.

The key thing about TOTP is that it's entirely offline - no need for SMS or an internet connection. You simply put a seed value into your authentication app (usually by means of a QR code) and away you go. Some apps don't let you back up the seed, so the simple answer there is to either save the QR code image file in a safe place, or print it out and stick it in a fireproof safe/leave a copy with your lawyer/insert paranoid method here.

There are also quite a lot of server side implementations of TOTP now, and it's really easy to implement in code as well - there are libraries for all the major programming languages. So really, if you have a website which needs authentication, there's no excuse not to support it.

The latest standard that's emerging is FIDO (also known as U2F) but I personally don't like this one as it requires a physical key/dongle.

Source: I wrote a Windows TOTP server application a few years ago that my company still uses to provide mandatory 2FA for our corporate VPN.

Former Mozilla dev joins chorus roasting antivirus, says 'It's poison!'

Andrew Dancy

Re: Don't tar all AV with the same brush

Fair point, but it's all about making life difficult for the attacker and protecting against 99% of threats. Let's face it - we'll never get 100% perfection but in most cases we don't need that.

Andrew Dancy

Don't tar all AV with the same brush

I tend to agree with O'Callahan to some extent - when it comes to traditional AV. That's increasingly redundant as it won't easily detect new threats until updated, can be exploited, is often bloated, etc.

However in the last few years there have been some interesting next-gen AV products appearing which do seem to still have a place in our battery of security measures. Products like Webroot and Cylance (I'm sure there are others but these are the two I've heard of) which don't just do the traditional scanning of files but also monitor system behaviour. For example if a process suddenly starts writing to lots of different files one after the other, they'll alert to say this might be ransomware encrypting all your files. From that point they'll also log rollback data so that when you say "oh s**t it is ransomware!" they can undo all the changes made by that process, block it and automatically fire a report off to the mothership for analysis.

As has been said above it's all about layers - AV is one part of a solution amongst software restriction policies, firewalls, user education and a large pointy stick.

'Oi! El Reg! Stop pretending Microsoft has a BSOD monopoly!'

Andrew Dancy

A tech variant of trainspotting?

I'd hazard a guess the pic was East Croydon station as they were using the old display system there up until quite recently. If memory serves me it only got ripped out when they filled in the old foot tunnel and put the new bridge in - about 2013 I think.

Tim Cook: EU lied about Apple taxes. Watch out Ireland, this is a coup!

Andrew Dancy

Re: Just dumb

I'm pretty sure you'll find Romania is 16% as they have a flat tax - corporation tax, income tax, tax on self employment, etc are all the same rate - 16%. Nice and simple and virtually impossible to avoid.

C For Hell: Data centre meltdown for irate customers as C4L GOES TITSUP

Andrew Dancy

Re: @AC

Agreed - didn't mean to say it was their fault as it does look like a Juniper issue from what has been said so far. I was just commenting on the ironic timing. I've always taken the view that everyone in the IT industry is going to have problems some day, it's how they deal with them that matters and so far (to an outsider) their communication has been reasonable.

Virgin Media broadband goes titsup for 3 hours

Andrew Dancy

We had a National Ethernet line out for about 90 minutes in the end. What was frustrating was that we couldn't get through to Virgin and nor could our hosting provider (who supposedly have direct access to senior Virgin technical contacts). We ended up getting our info from a combination of the UKNOT mailing list and the Andrews & Arnold IRC chatroom.

We eventually found out from other sources that a router overheated in their Poplar POP. They failed over to a standby router, but after about 30 minutes that one went bang as well apparently.

The Linx issue was separate, as mentioned previously.

Still, to be fair to them (and believe me that's difficult!), it's the first outage of the Ethernet service we've had since it went live about 9 months ago...

BBC website now unbroked

Andrew Dancy

Siemens?

The BBC website hosting isn't done by Siemens now is it? According to Lord Gnome's wonderful organ they have been doing a less than stellar job with the rest of the BBC tech infrastructure recently...

BT's great hole of Ilford still causing grief

Andrew Dancy

Pics of the damage

Apparently pics of the damage can be seen here: http://www.flickr.com/photos/23919135@N00
