Thoughts on Infosec, 2014 – first day

I usually post a show report about Infosec somewhere, and for various painful reasons, this year it has to go here. And this year I’m at a bit of a loss.

Normally there’s a theme to the show; the latest buzzword and several companies doing the same thing. I wasn’t able to spend as long as normal there today, thanks to the RMT, but I think it’s probably “Cloud Security” this year. As with “cloud” anything, this is a pretty nebulous term.

Needless to say, the first day of the show lacked the buzz, with a smaller than usual number of visitors who, haggard from disrupted journeys, mooched around the booths.

I was a bit surprised to see very little on the “heartbleed bug”, although there were a couple of instances. Either the marketing people didn’t understand it, or had uncharacteristically been put in their places.

One stand that’s always interesting is Bit9, a company after my own heart with alternatives to simple virus scanning. They went on a spending spree earlier in the year and have purchased and integrated Carbon Black. This is technology to allow their customers to monitor exactly what’s happening on all their (Windows) computers; which applications launch with others, what initiates a network connection and so on. It’s all very impressive; a GUI allows you to drill down and see exactly what’s happening in excruciating detail. What worries me is the volume of data it’s likely to generate if it’s being used for IDS. There will be so much it’ll be hard to see the wood for the trees. When I questioned this I was told that software would analyse the “big data”, which is a good theory. It’s one to watch.

Plenty of stands were offering the usual firewalls. Or is that integrated solutions to unified threat management? Nothing has jumped out yet.

At the end of the day there was a very sensible keynote address by Google’s Dr Peter Dickman that was definitely worth a listen. All solid stuff, but from Google’s perspective as an operator of some serious data centre hardware. He pointed out that Google’s own company is run on its cloud services, so they’re going to take care of everyone’s data as they would their own. Apparently they also have an alligator on guard duty at one of their facilities.

I was a bit saddened to see a notice saying that next year’s show will now be in early June and Olympia. I’ve got fond memories of Earls Court going back more than thirty years to the Personal Computer World show. And Earls Court just has better media facilities!

 

Direct Response monitored alarms fail to show

Not to an alarm call out, but they had an appointment at 9am today to talk about their monitoring service. At 9:30 they called to say they weren’t coming with the excuse that they’d tried to call to confirm the appointment but couldn’t get through. Except they confirmed it yesterday afternoon and there’s someone on the hot-line number they claim to have used since 6am today.

Okay, they double booked slots and got caught with their pants down and this is the best they could come up with, but a company trying to sell an ARC service, not showing for an appointment has to be the biggest no-no going. LOL!

They’re actually possibly worth talking to, because they use the rather interesting Risco panels. Risco is an Israeli company, and they’re upping the game by integrating CCTV and IDS in one system with PIR detectors that will take a snapshot of what triggered them and send it to the ARC. The lady on the phone said they just wanted to demonstrate this, and I couldn’t resist even though we’re happy with the British-made Texecom kit (although we use Risco beam sensors already).

However, this is the same Direct Response that got hauled before the OFT and clobbered in 2009 for telling porky pies about their monitored alarms getting a priority response from the police. The caller also claimed the alarms were made in Iran (“or somewhere like that”). And they’re still using the same old sales tactics (“We are calling as part of an awareness campaign, and four people in your area will be selected at random for a free alarm worth £999”, without mentioning the £400 installation fee up front and claiming a £5/week monitoring fee – I’ll be pleasantly surprised if this bit is true).

The appointment’s been re-made for 9am on Monday. Let’s see. In fairness, I did warn the first and second callers that they hadn’t called a normal householder. All they gotta do is Google me.

Chauvet Obey 40 blacks out when you change fixture

I needed to test some DMX controlled lighting fixtures recently, and after looking around I decided to get a Chauvet Obey 40 controller. It’s not the cheapest, but it won’t break the bank, and it supports more channels than the entry level models – and does scenes and sequences (chases).

The design looks fairly straightforward. If you simply want to use it to control light fixtures manually you need only press the button for the fixture in question on the left and then use the faders corresponding to the channels you want to adjust until you get just the right shade of puce. You can toggle multiple fixtures on and off, and control them in batches. So far so good.

Having got this set up, I was horrified to discover that when you de-select a fixture the Obey 40 turns it off! This means you can’t go through adjusting all your lights in turn. Apparently the unit was designed to work in programmed mode, where you set up scenes and sequences of scenes and cycle through them. It can do that, okay. If that’s all you want.

After tearing my hair out for several hours I discovered, by accident, that if you press the Auto/Del button to toggle the “Auto Trigger” light on the LED display to “on”, the desk works the way you might hope – select the fixture(s) you want, adjust it and then select another fixture. This is, apparently, the “Auto Bank Playback” mode, which suggests it may not work so well if you have things programmed in a bank but this hardly seems to matter for manual control. Just make sure it’s sequencing through an empty bank.

This appears to be an undocumented feature, and was news to the helpful people at Chauvet in Nottingham. I get the feeling this was something that irritated them about the design, too.

So – if you’re stuck in the same position, trying to get manual control, the non-intuitive answer is to turn it in to “auto” mode. My unit was manufactured in April 2013; this may not apply to other units, which may have different firmware.

Additional: If you don’t mind the “programming” light blinking away like mad, you can also control it manually in programming mode – just don’t bother saving the scene.

Mark Shuttleworth’s Ubuntu Edge Dream

Mark Shuttleworth’s software company, Canonical Ltd, is trying to raise $32M to build the first 40,000 units of a smart-phone type device that can run Ubuntu Linux. I predict he’ll raise the money, and make the handsets. But the idea will tank anyway. Here’s why.

The concept of a ‘phone capable of running a desktop OS is easy to understand. When you want to use the desktop Ubuntu side you plug it in to a real monitor and keyboard – say one at home and one in the office. When you’re on the move it will run Android Linux (for Android is simply Linux with an Android graphical shell). You carry your environment with you, and carry on working wherever you are, assuming you have a monitor and keyboard available. If you run the Ubuntu graphical environment on the move, using the handset’s touch-screen it’s going to be pretty painful.

People investing about £600 will get a ‘phone, if they’re ever made. Is this an investment, or a pre-ordering deal? I think it’s up to you whether you invest enough to get a ‘phone, or buy even more equity as an investment in the future of the device, but I suspect a lot of people will simply be after the latest gadget. Whether £600 is too much for the Penguinistas, remains to be seen.

I think they stand a good chance of raising the money because they’re selling a dream that’s been around in various forms since the dawn of personal computing. One of the early incarnations would be the Apple IIc, which looked a bit like a portable typewriter when cut free from its monitor. With it you could carry your computer back from the office, but it didn’t catch on. Then came the Tandon Data Pac, a hard disk cartridge. With a cartridge slot in PCs at the locations you needed to work, you could carry the important part of your environment with you. In those days, Microsoft didn’t do anything to prevent hard disk transplants, so this was a realistic idea. But it didn’t catch on. Whether there are 40,000 people in the world who still have this dream is a good question.

Now we have laptop/notebook/netbook PCs, which are easy enough to carry in a briefcase if you get the right kind. I have always had the right kind, starting with the Cambridge Z88, moving on to the Sony Vaio and currently the Lenovo S10-3. At around 1Kg, they’re truly portable but although the Lenovo is modern, it was only on the market for a year or two as the 10″ screen format isn’t well received by the masses. They demand big and fast, and they aren’t really worried about the battery life as long as they look cool. People often ask me “where can I get one of those”, and I tell them. (Currently only Asus and Acer are producing a highly portable laptop/netbook). The snag is that when they get one they then “must” run Office 365, or some similar bloatware that a small CPU can’t handle fast.

If you don’t need battery life and the ability to work on the move, but simply want to carry your PC to and from the office, there are small form factor machines also from ASUS and Acer. If you want really small there’s the Fit-PC2 which can actually fit in a pocket. I must admit, I bought one because I thought it was a neat design. These are all Intel based and can run unmodified Windows, and yet they haven’t really caught on either. The Ubuntu Edge will not run Windows; it runs Linux. This means it won’t run Microsoft Office, ever. My experience has shown this is a big problem for a lot of people. There’s nothing wrong with OpenOffice; it’ll work with Microsoft Office files and vice versa. It’s free, whereas Microsoft Office costs a small fortune. Yet in nearly every case, people who I’ve set up with OpenOffice for cost reasons have hankered after the Microsoft version, and most have gone out and bought it (or otherwise acquired it) within a year.

The CPU for the Ubuntu Edge has yet to be announced, but based on size, battery life and heat dissipation it’s very unlikely to be Intel, or even Intel compatible. The only thing that will fit will be RISC, and given the binary nature of Linux distributions it’ll be the second-best choice of ARM. Or will its users be expected to compile everything from source? No. It’ll be an ARM and the models that are capable of running Linux with a GUI at nearly the right speed will still rip through the battery at an alarming rate.

The final nail in its coffin will be the way people currently commute with their computing environment. This comes down to a cheap and cheerful thumb drive, if you can find a ubiquitous Windose PC at both ends, or on-line applications such as Google Docs if you’re really serious about it; all your data and applications on every web browser, and impossible to lose at that. If you can find a keyboard and monitor at both ends, you’re probably going to find a web browser anyway so why bother carrying your stuff on a mobile ‘phone instead? It’s a solution to a problem that has been a “difficult sell” for 30 years, and which has now been solved by the Internet. Okay, this allows you to use an Android ‘phone between PCs, but you could just get an Android ‘phone to plug that gap in your life.

CPC charging for free delivery! Well, not quite…

CPC Farnell is great. Most of the time. They’re a well established supplier of electronic bits and pieces (components) and they’ve recently branched out in to various other items of hardware. The prices are good, the service is spot on, and they’re based in England with sensible people at the end of the ‘phone. Their catalogue and web site is best suited to professional purchasers who know what they want and can see behind the manufacturer’s marketing descriptions, but that’s just fine. They’re box shifters, but they’re very good box shifters.

Last week they had a “special offer” for free delivery, even for small orders. I needed some cables forgotten from an earlier main order, so took advantage of the offer, only to discover on the paperwork that I was nonetheless charged! Being a good company to deal with in the past, I gave them a call. Apparently some genius there made the “free delivery” offer, but the web site software knew nothing about it and has been telling everyone they’ve been hit with a handling charge ever since. I suspect their operators are getting a bit hacked off with the complaints, although they’re still professional and courteous and friendly.

So if you’re reading this, and are wondering about whether you’ve been stitched up, relax. They haven’t gone mad; their on-line ordering system is just a bit trailing-edge. I’m still happy to recommend them as a supplier. And as far as I know, they pay all their UK taxes.

 

Lighttpd in a FreeBSD Jail (and short review)

Lighttpd is an irritatingly-named http daemon that claims to be light, compared to Apache. Okay, the authors probably have a point although this puppy seems to like dragging perl in to everything and there’s nothing minuscule about that.

I thought it might be worth a look, as Apache is a bit creaky. Its configuration is certainly a lot simpler than httpd.conf, although strangely, you tend to end up editing the same number of lines. But is it lighter? Basically, yes. If you want the figures it’s currently running (on AMD64) a size of 16M compared to Apache httpd instances of 196M.

But we’re not comparing like for like here, as Lighttpd doesn’t have PHP; only CGI. If you’re worried about that being slow, there’s FastCGI, which basically keeps instances of the CGI program running and Lighttpd hands tasks off to an instance when they crop up. Apache can do this (there’s the inevitable mod), but most people seem happy using the built-in PHP these days so I don’t think FastCGI is very popular. It’s a pity, as I’ve always felt CGI is under-rated and I’m very comfortable passing off to programs written in ‘C’ without there being any noticeable performance issues. Using CGI to run a perl script and all that entails is horrendous, of course. But FastCGI should level the playing field and allow instances of perl or any other script language of your dreams to remain on standby in much the same way PHP currently remains on standby in Apache. That doesn’t make perl or PHP good, but it levels their use with PHP on Apache, giving you the choice. And you can also choose high-performance ‘C’.

This is all encouraging, but I haven’t scrapped Apache just yet. One simple problem, with no obvious solution, is the lack of support for the .htaccess file much loved by the web developers and their content management systems. Another worry for me is security. Apache might be big and confusing, but it’s been out there a long time and has a good track record (lately). If it has holes, there are a lot of people looking for them.

Lighttpd doesn’t have a security pedigree. I’m not saying it’s got problems; it’s just that it hasn’t been thrashed in the same way as Apache and I get the feeling that the development team is much smaller. Sometimes this helps, as it’s cleaner code, but it’s statistically less likely to have members adept at spotting security flaws too. I’m a bit concerned about the FastCGI servers all running on the same level, for example.

Fortunately you can mitigate a lot of security worries by running in a jail on FreeBSD (it will also chroot on Linux, giving some degree of protection). It was fairly straightforward to compile from the ports collection, but it does have quite a few dependencies. Loads of dependencies, in fact. I saw it drag m4 in for some reason! Also the installation script didn’t work for me but it’s easy enough to tweak manually (find the directory with the script and run make in it to get most of the job done). The other thing you have to remember is that it will store local configurations in /usr/local on BSD, instead of the base system directories.

To get it running you’ll need to edit /usr/local/etc/lighttpd/lighttpd.conf, and if you’re running in a jail be sure to configure the IP addresses to bind to correctly. Don’t be fooled: There’s a line at the bottom that sets the IP address and port but you must find the entry server.bind in the middle of the file and set that to the address you’ve configured for the jail to have passed through. This double-entry is a real pooh trap, especially as it tries to bind to the loopback interface and barfs with a mysterious message. Other than that, it just works – and when it’s in the jail it will happily co-exist with Apache.
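A pre-flight check for the double entry described above, as an added example rather than anything from the Lighttpd project or the original post. It assumes the line at the bottom of the file is a `$SERVER["socket"]` block; 192.0.2.10 is a placeholder for the jail's address and the function names are made up for the example.

```shell
#!/bin/sh
# Added example: list every address an uncommented lighttpd.conf line binds to
# and flag any that is not the jail's address.

# bind_addrs CONF -> prints one "directive address" pair per line
bind_addrs() {
    # Strip comments first so a commented-out server.bind is not counted.
    sed -e 's/#.*$//' "$1" | awk '
        # server.bind = "192.0.2.10"
        /^[ \t]*server\.bind[ \t]*=/ {
            if (match($0, /"[^"]*"/))
                print "server.bind", substr($0, RSTART + 1, RLENGTH - 2)
        }
        # $SERVER["socket"] == "192.0.2.10:80" { }   (assumed form of the bottom line)
        /^[ \t]*\$SERVER\["socket"\][ \t]*==/ {
            v = $0
            sub(/^[^=]*==[ \t]*"/, "", v)   # drop everything up to the opening quote
            sub(/".*$/, "", v)              # drop the closing quote and the rest
            sub(/:[0-9]+$/, "", v)          # drop the :port suffix
            print "socket", v
        }'
}

# audit_bind CONF JAIL_IP
# returns 0 if every bind address equals JAIL_IP, 1 on a mismatch,
# 2 if the file sets no bind address at all.
audit_bind() {
    conf=$1 jail_ip=$2 bad=0 seen=0
    while read -r directive addr; do
        [ -n "$directive" ] || continue
        seen=1
        if [ "$addr" != "$jail_ip" ]; then
            echo "MISMATCH: $directive is $addr, jail address is $jail_ip"
            bad=1
        fi
    done <<EOF
$(bind_addrs "$conf")
EOF
    if [ "$seen" -eq 0 ]; then
        echo "no bind address set in $conf"
        return 2
    fi
    return "$bad"
}

# Constructed sample: the bottom line has been edited to the jail address,
# but server.bind in the middle of the file still points at loopback.
write_sample() {
    cat > "$1" <<'EOF'
server.port = 80
# server.bind = "192.0.2.10"
server.bind = "127.0.0.1"
server.document-root = "/usr/local/www/data"
$SERVER["socket"] == "192.0.2.10:80" { }
EOF
}

demo_conf=$(mktemp)
write_sample "$demo_conf"
audit_bind "$demo_conf" 192.0.2.10 || echo "fix the lines above before starting lighttpd in the jail"
rm -f "$demo_conf"
```
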

I’ve got it running experimentally on a production server now, and I’ve also cross-compiled to ARM and it runs on Raspberry Pi (still on FreeBSD), but it was more fun doing that with Apache.

When I get time I’ll do a full comparison with Hiawatha.

iPhone 5 – I don’t want one

As I write this, Tim Cook is demonstrating the iPhone 5. So far it looks just as bad as the iPhone 4S, but 20% lighter and thinner. Oh yes, it has a new Apple A6 CPU this time around, which is apparently faster and less power-hungry, but it still eats batteries at an alarming rate. Apple claims the battery will last 8 hours in 3G or WiFi mode. The Apple A series processors are, of course, ARM cores to Apple’s specification manufactured by Samsung. I haven’t heard anything about that changing.

As smart phones go, the iPhone is a pretty poor offering. Here’s why:

Apple’s iOS is a right mess. It’s built on left-overs from the NeXT, it’s a pain to develop in (who needs another Object-based version of C when we’ve had C++ for ages?) and the system libraries are awkward, to say the least. I wouldn’t say Android is brilliant, but it’s got an excuse. This is supposed to be a premium product, yet the software engineering has lost the plot.

You can’t change the battery. This is shameful. Batteries have a limited life, and by fixing the battery in, Apple is limiting the life of the ‘phone, so you’ll need to buy another one each year. You can’t even carry a spare battery with you to help out when it goes flat.

You can’t upgrade the memory. The basic model is 16Gb, with 32Gb costing $100 more and the 64Gb $100 more than that. Flash memory is cheap and plentiful, and Apple is trying it on. Buy a Smartphone with a memory card slot.

The iPhone 4S was a terrible ‘phone. The sound quality was awful. You could always tell when someone was using one. It remains to be seen whether the iPhone 5 is any better, but given Apple could release such a terrible ‘phone last time, why should anyone give them a second chance?

This is definitely another item for the fanbois; those with an interest in conspicuous consumption. Anyone else needing a Smartphone should look elsewhere.

 

Western Digital Red Series review

I’ve got a SATA drive throwing bad sectors – not good. It’s a WD Caviar Green, and it’s about a year old. But I’ve hammered it, and it was cheap. An IDE drive throwing bad sectors is never good – once the problem is visible it’s on the way out. I doubt WD would replace it under warranty as it’s not on a Windows box and I therefore can’t download and run their diagnostic, but we’ll see about that.

And anyway, Western Digital launched the ideal replacement two weeks ago – the Red series. Unlike the Green, it’s actually designed to run 24/7 – cool and reliable. They’re pitching it squarely at the NAS market, for RAID systems with five or less drives, they say. Perfect, then. And a good market offering given that last month’s IDC low-end storage forecast predicted an 80% growth in the small/home office NAS market over the next five years.

The Red series launches with 1Tb, 2Tb and 3Tb versions, with 1Tb on each platter.

I checked the specifications with scan.co.uk – 2ms access times too! Lovely! Hang on, that’s too damn good. I suspect someone at Scan has gone through the specification sheet to add the access time to their database and found the only thing on the list measured in milliseconds. Actually it can withstand a 2ms shock! WD doesn’t mention the access times, or the spin-speed come to that (about 5400 given the hum).

Well, having now checked one of these beasts out, the access times are obviously something they’d want to keep quiet about. In comparison with the Caviar Green, which is supposed to be a low-impact desktop drive, it’s about the same on writes and about 30% slower on reads. However, once it’s in position it is about 30% faster streaming. This would be handy for an application where single files were being read, but not so brilliant if you’re jumping about the disk at the behest of multiple users – which is the intended market for this thing. Real-world performance remains to be seen, but I don’t think it’s going to be as quick as a Caviar Green, and they’re slow enough.

So why would anyone want one of these?

Compared to the Caviar Green, the Red is rated for 24/7 use. Compared to the Black series, or anyone else’s nearline drives, its performance is terrible, but it is cheaper and much cooler with a lower power consumption.

If you want performance at this price point the Seagate Barracuda drives are cheaper and a lot faster, but Seagate don’t rate them for continuous use. The Hitachi Deskstar, on the other hand, is rated for 24/7 operation even though it’s a desktop drive and it outperforms the WD Red by quite a margin too. But hang on – WD recently acquired Hitachi’s HD operation so that’s a WD drive too. So for performance go for the Barracuda and for best performance running 24/7 go for the Deskstar.

The WD Red is basically a low-performance near-line drive except that it’s not actually rated as being as reliable as the real near-line drives. But it is claimed to be more reliable than the Green series, and they do run just as cool and just as quiet (subjectively). Is it worth the 35% price premium over the Green? Well, actually, sitting here with a failing Green, the Red with the three-year warranty is looking attractive for my data warehousing application. This isn’t NAS, it’s specialised, and I need low-power (cool) reliable drives to stream large files on and off. They could be just the job for that.

As an afterthought, comparing them with the Black, they also lack the vibration sensors to protect them in a data centre environment or a box chock full of other drives. The idea of putting them in a rack server as a low-power alternative looks less attractive than it did.

Using ISO CD Images with Windows – Burn.Now problems

When CD-R drives first turned up you needed special software to write anything – originally produced by Adaptec but they were soon overtaken by Nero, with NTI and Ulead having lower cost options. Now, when you get a PC it will usually come with one of the above bundled, and Microsoft has added the functionality to Windows since XP (for CD, if not DVD). This is not good news for the independent producers, but Microsoft’s offering doesn’t quite cut the mustard, so most people will want something better.

My new Lenovo PC came bundled with Corel Burn.Now. Corel recently bought the struggling Ulead, and this is fundamentally the same product as Ulead burn.now. Unfortunately Burn.Now is also pretty feeble – it just can’t do the basics.

To duplicate a CD you need to copy all the data on it. Pretty obvious really. If you’re not copying drive-to-drive it makes sense to copy the data to a .ISO image on your hard disk. You can then transfer it to another machine, back it up or whatever; and write it to a new blank disk later. Burn.Now will create a CD from an ISO image, but if you ask it to copy a disk it uses its own weird and whacky .ixb format. Some versions of Burn.Now gave you the choice, but not the new Corel. It’s .ixb or nothing. This matters, because whilst everyone can write .ISO files, only Burn.Now can write from .IXB format.

Burn.Now is crippled. What about Microsoft’s current built-in options? You can actually write an ISO image using Windows 7 – just right-click on the file and select “Burn disc image”. Unfortunately there is no way to create such a file with Windows. To do this you need to add Alex Feinman’s excellent ISO Recorder, which basically does the opposite: Right-click on the CD drive and select Create Image from CD/DVD.

Unfortunately ISO Recorder doesn’t read all disks – it won’t handle Red Book for a start. This is a bit of a limitation – was its author, Mr Feinman, concerned about music piracy? Given Windows Media Player can clone everything on an Audio CD without difficulty, his conscientious efforts won’t make a lot of difference.

So – Windows is its usual painful self. If you just want to simply create an image of a CD or DVD with no bells and whistles, go to UNIX where it’s been “built in” since the 1980’s (when CD-ROMs first appeared). Just use the original “dd” command:

# dd if=/dev/acd0 of=my-file-name.iso bs=2048

An ISO file is simply a straight copy of the data on the disk, so this will create one for you. You can write it back using:

# burncd -f /dev/acd0 data my-file-name.iso fixate
Or
# cdrecord dev=1,2,3 my-file-name.iso

Burncd is built in to FreeBSD (and Linux, IIRC), but only works with atapi drives. In the example it assumes the CD recorder is on /dev/acd0 (actually the default).

Cdrecord works with non atapi drives too, but has to be built from ports on FreeBSD and for other platforms it’s available here – along with lots of other good stuff. The example assumes the device is 1,2,3 – which is unlikely! Run cdrecord -scanbus to locate the parameters for your drive.

Once you have your ISO file, of course, you could use Windows to write it. The choice depends on whether you have strongly held views on whether Windows is a worthy desktop operating system. Corel Burn.Now is, however, a long way from being a worthy CD/DVD writing utility.

Warning about “fulfilled by Amazon”

Beware – ordering something “fulfilled by Amazon” is no guarantee they’ll look after you. I ordered something with a driver CD – due to bad packaging (from Amazon) it turned up with a mangled CD, although the item was pretty robust and looks okay. Well – ordered through Amazon so they’ll sort it out…

Well no. Get this:

Me: Item arrived in poor quality packaging from Amazon (direct). Badly squashed – product box was 2″ high, Amazon outer only 1″ high. CD with driver software in same box as product visibly damaged and unreadable. Can’t tell if product itself is okay but appears unbroken.

Amazon Rep: Hello, my name is *****. I’ll be happy to help you today.

Me: Hi. I think I might have messed up with the UI. This relates to “<piece of hardware>”

Me:  Order # **************

Amazon Rep: I am sorry for the condition in which your order arrived.

Me: It’s hopeless packaging. It was squashed and the CD bent around the scanner – wrecked!

Amazon Rep: Thanks, Frank.

Amazon Rep: May I know the name of the item that arrived in a damaged condition?

Me: Sure – as above. Specifically “<piece of hardware>”

Me: I ordered this direct from Amazon because I thought it might be better supported than the others available. Do you have the software available for download?

Me: There’s a bar-code on the box, but no hint of the manufacturer or a web site where I might find the software

Amazon Rep: I see that you have placed order for this scanner with the seller ‘M&S’ and it is ‘Fulfilled by Amazon’.

Me: Marks and Spencer?

Me: ’twas definitely in Amazon packaging.

Amazon Rep: Yes, the order is fulfilled by Amazon.

Me: Did the steamroller go over it before or after you posted it?

Amazon Rep: This item was labeled ‘Fulfilled by Amazon’. Items labeled ‘Fulfilled by Amazon’ are sent to you directly from an Amazon.co.uk Fulfillment Centre.

Me: Thanks – I know – that’s why I chose to get it from you as your delivery is generally hassle-free. But this doesn’t help with the mangled CD. Fortunately the scanner itself is made of ABS and designed for grease monkeys to drop it so it looks like it survived. But it’s just a brick without the CD.

Amazon Rep: Unfortunately, we are unable to create a replacement order for the items that are fulfilled by Amazon.

Amazon Rep: Could you please return the item for a full refund?

Me: No. I just want the software. If you’d like to pick it up subject to the distance selling regulations 2000 you’re welcome to do so – and I’ll warn everyone else about this crazy policy – but the software would be preferable for all concerned.

Amazon Rep: Could you source the software CD from your local store?

Me: Alas not, it’s not got any makers name on it, or that of the manufacturer. It’d make more sense to download it but there’s no clue as to who made it.

Amazon Rep: If you can source it from your local store, I can issue a partial refund.

Amazon Rep: If you wish to receive a full refund, you’re welcome to return it for a full refund.

Me: Distance selling regulations – you have to collect it if you want to go the refund route. Are you based in the USA? This is a European sale.

Amazon Rep: We will waive the return shipping charges, Frank.

Me: No, sorry, you won’t waive any shipping charges as you’re not allowed to make any. According to the Distance Selling Regulations you are required to send someone around to collect it at your expense. All I need to do is hand it over. But I’d much rather have the software.

Me: Please can you just tell me who produced (or sells) this thing, I’ll go to the web site and download it.

Amazon Rep: The manufacturer of this scanner is ‘SainSpeed ‘.

Me: Okay – thanks I’ll check the SainSpeed web site.

Me: they don’t have one :-(

Amazon Rep: I am sorry to hear about this, Frank.

Me: I’m flabbergasted. I thought Amazon was a safe place to buy things!

Amazon Rep: This is not a common occurrence, Frank.

Amazon Rep: We value this kind of customer feedback, as it helps us to provide the best possible service. I will forward your comments to the relevant department here.

Me: Okay. Is there any way you can get me a disk? if not, can you swap out the complete package?

Amazon Rep: Unfortunately, our system will not allow us to create a replacement order for the seller items, Frank.

Amazon Rep: If you prefer, you can return the item for a full refund, Frank.

Me: If you want to pass this on to the seller (if you reckon it’s not you) then please point me at them. Visa reckons it’s you (this is also governed by the Consumer Credit Act).

Amazon Rep: I understand your concern, Frank.

Amazon Rep: I am sorry for the inconvenience caused.

Amazon Rep: You have placed this order with the seller ‘M&S’ and it is ‘Fulfilled by Amazon’.

Me: So what am I supposed to do? Wait for you to collect this one and order another one?

Amazon Rep: In this case, I request you to return the item for a full refund.

Amazon Rep: Could you post it?

Me: Okay – you’ve got the address. Come and collect it. Meanwhile I’ll get Visa to recharge the value to my account. Your contract was with Visa. Visa will pay you when the contract is fulfilled. I won’t pay Visa until their contract with me is fulfilled. Okay?

Me: So when do you want to pick it up?

Amazon Rep: In order to resolve this issue, we need to talk to you via phone. I will be happy to connect a call for you.

Amazon Rep: May I know your contact number?

<later>

Me: I’m on the ‘phone to one of your friends!

Me: Thanks for your help.

Amazon Rep: You’re welcome.

Amazon Rep: Thank you for chatting with Amazon.co.uk. We hope to see you again soon. Have a Great Day!

 

So, buying something from Amazon isn’t any guarantee they’ll sort out any problems – even if their packaging is the problem. The subsequent telephone call went down the same route. I insisted on getting the software, not messing about with posting it back to them. Eventually they gave me the ‘phone number for this mysterious supplier: 0845-609-0200. I wouldn’t normally list a ‘phone number here, but a quick check revealed that it was the widely published customer service number for Marks and Spencer! I was skeptical, and queried this and asked where the number came from but they insisted that it really was the Marks and Spencer selling through Amazon. (The nature of the device – a diagnostic interface – is highly suspicious).

I’ll call Marks and Spencer tomorrow. It could be interesting. Amazon isn’t off the hook by a long way.