Dodgy “bulk email” operators

I’m forever receiving emails from “bulk email” companies that claim to be “opt-in” but are using addresses that are culled from elsewhere. The elsewhere basically means they’re not real email addresses and could not possibly have been the subject of an opt-in.

After replying to these with an unsubscribe request (on the assumption that they might be legitimate, but have accidentally purchased a dodgy list) I thought I’d list them here if the emails don’t stop.

If your name is on this list and you think you’re innocent and can prove it, it will, of course, be removed. If the mail header shows it’s coming from your server and you’ve ignored unsubscribe requests you can explain why. Your protestations will be published along with the other evidence, and Internet users can decide your innocence or guilt.

05th June 2012 Tech Users Centre, Inc. 60 Cannon St. London
05th June 2012 mynewsdesk.com
05th June 2012 Simply Media Network, LTD., 48 Charlotte St, London (aka Comunicado Limited 6/43 Bedford St)
03rd June 2012 panopticsi.com
02nd June 2012 Marketing Empire UK (websitedesigncity.co.uk)
01st June 2012 quickmailing.co.uk (Smilepod, 23 Rose Street, Covent Garden)
01st June 2012 Comunicado Limited 6/43 Bedford St
01st June 2012 domainmail (on behalf of Insured Health)
31st May 2012 National Training Resources Limited
31st May 2012 backbonemarketing.co.uk, backboneconnect.co.uk PO Box 4380 Tamworth.
31st May 2012 Comunicado Limited 6/43 Bedford
29th May 2012 Nuance Communications
25th May 2012 Comunicado Ltd, 6/43 Bedford Street
24th May 2012 Oxeta
24th May 2012 www.datadeals.co.uk
24th May 2012 Comunicado Limited
22nd May 2012 Accountingoffice.co.uk, 199 New Road, Skewen
16th May 2012 Consulmax (emaila-company.co.uk)
16th May 2012 domainmail (webdoctor.org)
11th April 2012 Easymailit.com

Panicky public gets scammer’s charter for cookie law

Are you worried about websites you visit using cookies? If so, you’re completely wrong; probably swept up in a tide of hysteria whipped up by concerned but technically ignorant campaigners. The Internet is full of such people, and the EU politicians have been pandering to them because politicians are a technically illiterate bunch too.

A cookie is a note that is stored by your web browser to recall some information you’ve entered in to a web site. For example, it might contain (effectively) a list of things you’ve added to your shopping cart while browsing, or the login name you entered. Web sites need them to interact, otherwise they can’t track who you are from one page to another. (Well there are alternatives, but they’re cumbersome).

So what’s the big deal? Why is there a law coming in to force requiring you to give informed consent before using a web site that needs cookies? Complete pig-ignorance and hysteria from the politicians, that’s why.

There is actually a privacy issue with cookies – some advertisers that embed parts of their website in another can update their cookies on your machine to follow you from one web site to another. This is a bit sneaky, but the practice doesn’t require cookies specifically, although they do make it a lot easier. These are known as tracking cookies. However, this practice is not what the new law is about.

So, pretty much every small business with a web site created more than 12 months ago (when this was announced) or written by a “web developer” that probably didn’t even realise how their CMS used cookies, is illegal as from today. Probably including this one (which uses WordPress). Nonetheless, head of the ICO’s project on cookies, Dave Evans, is still “planning to use formal undertakings or enforcement notices to make sites take action”.

What’s actually going to happen is that scamming “web developers” will be contacting everyone  offering to fix their illegal web sites for an exorbitant fee.

The ICO has realised the stupidity of its initial position and now allows “implied consent” – in other words if you continue to use a web site that uses cookies you will be considered to have consented to it. Again, this is a nonsense as the only possible problem cookies are tracking cookies, and these come from sources other than the web site you’re apparently looking at – e.g. from embedded adverts.

So – if you want to continue reading articles on this blog you must be educated enough to know what a cookie is and not mind about them. As an extra level of informed consent you must presumably agree that Dave Evans of the ICO and his whole department is an outrageous waste of taxpayers’ money. (In fairness to Dave Evans, he’s defending a daft EU law because that’s his job – it’s the system and not him, but he’s also paid to take the flack).

Claire Perry’s porn prohibition set to make politicians look foolish

The government is going to protect us from pornography on the Internet. Our children will at last be safe from depravity and corruption. Hurray! Claire Perry MP (Conservative) has accused Internet service providers of being complicit in exposing children to pornography and wants something done about it. Specifically she wants ISPs to filter the filth, unless a subscriber specifically wants to receive it. David Cameron has now jumped on her bandwagon, clearly without first checking to see which way it’s heading or whether the wheels are properly attached.

This isn’t going to be popular with the consumers and producers of Internet-delivered pornography, but that’s their problem. What worries me are the technical issues, and the consequences of trying to implement any form of censorship.

Let me make this clear: IT WON’T WORK. There is no technical solution available that can prevent porn from being transmitted over the Internet, and there never will be. It’s simply not possible for a computerised filter to tell the difference between porn and everything else, and it will become much harder if you give people a reason to avoid detection. About the best you can do is block known porn websites, and if the site promoters cooperate (i.e. keep them on fixed addresses) then you’re going to get a reasonable level of protection. And porn publishers, at present, are likely to cooperate. They’ve no interest in minors viewing their wares, because minors don’t have the credit cards to pay for it. And besides, it’s a multi-million pound industry which includes many serious people with children of their own and similar concerns to the rest of us.

However, as soon as you start blocking these sites at ISP level, porn publishers will have to change tactics, as they’ll want to evade such draconian filtering. Legitimate producers will suffer; the vacuum will be filled by others underground, joining the leagues of the cyber-criminals, operating from agile addresses on servers operating outside jurisdictions that care. Claire Perry’s bright idea won’t work. It’s not better than nothing; it’s worse.

The porn operators would disguise their sites to avoid the filter, and in order that customers might find them, spam everyone using every means possible as they did in the late 1990’s. Right now you need to go looking to find it – a simple Google search away. If Perry gets her way it’ll be delivered to everyone’s Inbox, Facebook page, Skype and every other instant messaging technology you can think of. It’ll be encrypted and impossible to filter. It’ll be indiscriminate; kids will receive it too. If such a law was enforced, all encrypted content would have to be blocked as there is no way of telling what it is. This means farewell to Skype, secure connections to your bank, private email, working from home on a VPN… Okay, it’s not realistic as well as being unenforceable.

The Internet dealt with issues similar to this twenty years ago, before the politicians were involved, but if the technicalities aren’t for you (as they aren’t for Perry and Cameron), there are plenty of other parallels. Society’s attempts to ban bad things that some people still want always seem to make things worse. I need hardly mention prostitution, drugs and alcohol, but I will. Making drugs illegal when so many people want to use them has simply improved the margins for the suppliers. Where there’s money to be made, people will find ways to smuggle drugs; and if the whole business is illegal then it’s certainly going to be completely unregulated. And it’s not a lack of resources and commitment. If we can’t stop people supplying drugs to inmates of high security prisons we stand no chance of banning drugs anywhere else.

Similarly, it’s folly to attempt to ban pornography transmission on the Internet. There is no way to do this technically, and any attempt that simply makes it more difficult will give the criminals a huge advantage over the legitimate publishers, making regulation impossible.

The government is allowing crazy headlines out about this consultation and what they’re going to do. No doubt they’ll be consulting with child psychologists, women’s rights campaigns, children’s charities and a few suits from big business ISPs. Why don’t they consult the right people first – computer scientists. Ask the most important question:  “Is it possible?” Committees can spend as much time as they like navel-gazing on the moral and policy issues, but that’s not going to change anything if it can’t be implemented. It’s just going to make them look stupid.

 

What is all this Zune comment spam about?

People running popular blogs are often targeted by comment spammers – this blog gets hit with at least 10,000 a year (and very useful for botnet research) – most of it is semi-literate drivel containing a link to some site being “promoted”. Idiots pay other idiots to do this because they believe it will increase their Google ranking. It doesn’t, but a fool and his money are soon parted and the comment spammers, although wasting everyone’s time, are at least receiving payment from the idiots of the second part.

But there’s a weird class of comment spam that’s been going for years which contains lucid, but repeated, “reviews” about something called a “Zune”. It turns out that this is a Microsoft MP3 player available in the USA. The spams contain a load of links, and I assume that the spammers are using proper English (well, American English) in an attempt to get around automated spam filters that can spot the broken language of the third-world spam gangs easily enough. But they do seem to concentrate on the Zune media player rather than other topics. Blocking them is easy: just block any comment with the word “Zune” in, as it doesn’t appear in normal English. Unless, of course, your blog is about media players available in the USA.

This really does beg the question: why are these spammers sticking to one subject with a readily identified filter signature? I’ve often wondered if they’re being paid by a Microsoft rival to ensure that the word “Zune” appears in every spam filter on the planet, thus ensuring that no “social media” exposure exists for the product. Or is this just a paranoid conspiracy theory?

An analysis of the sources shows that nearly all of this stuff is coming from dubious server hosting companies. A dubious hosting company is one that doesn’t know/care what its customers are doing, as evidenced by continued abuse and lack of response to complaints. There’s one in Melbourne (Telstra!) responsible for quite a bit of it, and very many in South Korea plus a smattering in Europe, all of which are “one-time” so presumably they’re taking complaints seriously even if they’re not vetting beforehand. It’s hard to be sure about the Koreans – there are a lot but there’s evidence they might be skipping from one hosting company to the other. Unusually for this kind of abuse there are very few in China and Eastern Europe, and only the odd DSL source. These people don’t seem to be making much use of botnets.

So, one wonders, what’s their game? Could it be they’re buying hosting space and appearing to behave themselves by posting reasonable-looking but irrelevant comments? Well any competent server operators could detect comment posting easily enough, but in the “cheap” end of the market they won’t have the time or even the minimal knowledge to do this.

I did wonder if they were using VPN endpoints for this, but as there’s no reverse-lookup in the vast majority of cases it’s unlikely to be any legitimate server.

Can’t get PuTTY and FreeBSD with OpenSSH to do a Certificate Login – Myths

Following yesterday’s post about issues getting “Server Refused Our Key” errors when trying to use PuTTY to log in to FreeBSD with a certificate, I thought I’d just lay to rest a few myths I’ve seen on various web sites where people have tried to explain how to do this. It’s easy to see how these myths develop – I’ve laboured for years under the misapprehension that I needed to do something or other when it was just a coincidence it had started working the first time the idea came to me. So here goes with a few of the myths. If you’re not getting this to work, it’s not for one of these reasons:

Myth: You need to specify 0600 permissions for the authorized_keys file (or the .ssh directory)

Simply not true. It may be a good idea to stop others from reading your keys, although they are “public” keys and won’t let anyone else in anyway (unless they have a suitable cracking tool and a lot of processing power – and I mean a lot). Only your private key needs to be a secret. The only stipulation is that they must only be writeable by the user – 0644 is okay, 0664 or 0666 isn’t.

But as I mentioned yesterday, you MUST ensure that your home directory is also not world-writable! You mustn’t have 0777 permissions! 0755 is okay, as is 0711. I’ve not seen this documented anywhere, but it’s true for FreeBSD 7.0 to 9.0.

Myth: OpenSSH requires the authorized_keys file to be owned by the user trying to log in

Again no – it simply doesn’t. It has to be readable to that user (not just root) – this may be because it’s world readable or group readable for the user in question. It might as well be owned by root:wheel as long as its Other read bit is set.

Myth: If you’re using SSH2, you need a file called authorized_keys2

This might be true on some installations, but not current ones! I’ve no reason to believe that this file would even be considered, never mind required. The file used is defined in the /etc/ssh/sshd_config, and on current versions of FreeBSD (7.0-9.0) it’s definitely authorized_keys

Myth: You must generate the keys using the OpenSSH keygen utility on FreeBSD – puttygen doesn’t work

Well, there’s a bit of truth in this, but not much. Put simply, the format is different, but this only extends as far as the header and comment.

OpenSSH keys look like this:

ssh-rsa AAAAB3NzaC1y… very long line … sXi+fF noone@example.com

PuTTYGen Keys look like this:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "noone@example.com"
AAAAB3NzaC1y … long line, possibly with breaks … sXi+fF
---- END SSH2 PUBLIC KEY ----

You can convert one to the other using any text editor of your choice, as long as it handles long lines properly (like vi).

I can see there could be all sorts of fun and games if you simply cut/pasted these and ended up with extra line breaks, spaces or truncation – but the key data and its encoding is exactly the same, and that’s the bit that makes it work or not.

If you generate your key using OpenSSH tools you will need to load it into PuTTY Gen and write a Private .ppk key on your Windoze box. Or not. It’s just a text file and you could put the appropriate wrapper on it, but you might as well just use PuTTY Gen.
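
The conversion described above, as an added example that is not part of the original post: a POSIX shell function, here given the hypothetical name putty_pub_to_openssh, that rewrites a PuTTYgen “SSH2 PUBLIC KEY” block as one authorized_keys line and rejects the extra characters and truncation that a careless cut/paste introduces. It assumes an RSA key, and the sample key body is constructed and shortened, so it will not authenticate anything.

```sh
#!/bin/sh
# Added example: turn a PuTTYgen "SSH2 PUBLIC KEY" block (stdin) into the
# single-line form that goes in ~/.ssh/authorized_keys (stdout).
# Exit status is 0 on success and 2 if the pasted block looks damaged.
putty_pub_to_openssh() {
    # The base64 of every RSA public key starts with this prefix, because the
    # key blob begins with the length-prefixed algorithm name "ssh-rsa".
    awk -v RSA_PREFIX="AAAAB3NzaC1yc2E" '
        { sub(/\r$/, "") }                    # tolerate Windows line endings
        /^---- BEGIN SSH2 PUBLIC KEY ----/ { inside = 1; next }
        /^---- END SSH2 PUBLIC KEY ----/   { inside = 0; ended = 1; next }
        !inside { next }                      # ignore anything outside the wrapper
        /^[A-Za-z0-9-]+: / {                  # header line such as Comment: "..."
            if ($0 ~ /^Comment: /) {
                comment = substr($0, 10)
                gsub(/^"|"$/, "", comment)    # drop the surrounding quotes
            }
            next
        }
        { gsub(/[ \t]/, ""); data = data $0 } # join the wrapped key lines
        END {
            err = ""
            if (!ended)
                err = "missing BEGIN/END wrapper"
            else if (data == "")
                err = "no key data between the wrapper lines"
            else if (data !~ "^[A-Za-z0-9+/]+=?=?$")
                err = "character outside the base64 alphabet"
            else if (length(data) % 4 != 0)
                err = "length is not a multiple of 4 (truncated?)"
            else if (index(data, RSA_PREFIX) != 1)
                err = "key data does not start with the ssh-rsa header"
            if (err != "") { print "rejected: " err > "/dev/stderr"; exit 2 }
            print "ssh-rsa " data (comment == "" ? "" : " " comment)
        }'
}

# Constructed sample: a shortened, unusable key body split over two lines.
printf '%s\n' \
    '---- BEGIN SSH2 PUBLIC KEY ----' \
    'Comment: "noone@example.com"' \
    'AAAAB3NzaC1y' \
    'c2EAAAADAQAB' \
    '---- END SSH2 PUBLIC KEY ----' | putty_pub_to_openssh
```

OpenSSH can do the same conversion itself with ssh-keygen -i -f followed by the file name.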

Myth: You need to edit /etc/ssh/sshd_config to enable certificate login

No you don’t. The default values as shipped work just fine. Because the file consists of commented out lines of parameters with their default values, I suspect some people have been confused about whether the ‘#’ needed to be removed before the parameter came in to effect. It doesn’t – you only need to remove the comment if you want to change the default value. If you do remove the comment, but don’t edit the value, it’ll make no difference to anything.

What’s Real

In my experience, problems are almost always down to either directory permissions (see above) or errors transcribing public keys from one machine to another – and chaos and confusion caused by the abovementioned myths!

 

PuTTY, FreeBSD and SSH certificate logins

I’ve just gone crazy trying to figure out why PuTTY kept getting a “Server Refused Our Key” error when I tried to log in to a host using a certificate for the first time. Looking around the web, there are a lot of interesting theories about how to generate the certificates, and out of desperation I tried them all – nothing worked. So, for what it’s worth, here’s what does.

Generate your certificate on FreeBSD using the OpenSSH utility:

ssh-keygen -t rsa

With the default options this will create a couple of files in the .ssh directory within your home directory, and by default they’ll be called “id_rsa” and “id_rsa.pub”. In other words, if your user ID is fred the files will be in /usr/home/fred/.ssh/ with the above names. One’s private, the other is public.

You need to add the public key to the list of authorised keys in the .ssh directory:

cat id_rsa.pub >> ~/.ssh/authorized_keys

(The name authorized_keys with the American spelling is set in /etc/ssh/sshd_config)

Next you need to get the private key back to the machine running PuTTY. It’s just text – you can cut/paste it into a text editor and save it. For PuTTY to use it, however, it needs to be converted in to PuTTY’s own format, which you do using the PuTTY Key Generator, puttygen.exe. Run this, click on the Load button and read in your text file, then use the Save Private button to write the .ppk file somewhere safe. You may wish to set a passphrase on it if there’s any chance someone else can get hold of it!

You may now get rid of the id_rsa.* files on the FreeBSD host, although you might want to add the public key to more than one user on more than one host – it’s a “public” key so there’s no harm in using it all over the place.

It is possible to use PuttyGen to make the keys and copy them to the FreeBSD host instead. A lot of people seem to have had trouble with this in the past (myself included), and it’s probably easier not to, especially if you’re going to use the keys in OpenSSH format for other purposes on the FreeBSD host anyway.

You’ll see a lot about setting the files in .ssh in some very restricted ways – basically all you need to do is ensure that they’re only writable by you. You can make your .ssh directory only readable by you if you wish but it won’t stop it from working. Also, the default /etc/ssh/sshd_config file is fine, and you don’t need to uncomment anything (in spite of what you might read). The default settings are all good, and all commented out, as it says on the top of the file. (Not quite true now – see 2024 update below)

Now, here’s the trick! What will cause a problem, as I eventually figured out, is if your home directory is writable by others. Don’t ask me how or why this should be true, but I tried this after I’d tried eliminating everything else on comparing working and non-working boxes. I know this for sure with FreeBSD 8.1 – ensure your home directory is drwxr-xr-x (or possibly less).

The final stage is to set up a session profile in PuTTY. This isn’t a tutorial for PuTTY, so I’ll be brief. In the options category open to Connection/Data and set the auto-login username you wish to use (if you haven’t already). Then under Connection/SSH/Auth select the private (.ppk) file you want to use. Remember, you can use this file with as many hosts and user accounts as you’ve added the public key to the .ssh/authorized_keys file. Save the session, and that’s it done. If it doesn’t do it for you, take a look in /var/log/auth.log.
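
The home-directory trap described above (and in the myths post) can be checked before reaching for auth.log. This is an added example, not part of the original post: a POSIX shell function, here given the hypothetical name check_pubkey_perms, that applies the test sshd makes when its StrictModes option is on (the default), namely that the home directory, .ssh and authorized_keys are owned by the user or root and are not writable by group or others. The demo tree at the end is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example: audit the three paths sshd inspects before it will trust a
# user's authorized_keys file. Function names and messages are illustrative.

# Print the path if its group-write or other-write bit is set.
loose_write() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Numeric owner of a path, taken from the third field of "ls -ldn".
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# check_pubkey_perms HOME_DIR [UID]
# Returns 0 when nothing here would make sshd ignore the key, 1 otherwise.
check_pubkey_perms() {
    home=$1
    uid=${2:-$(id -u)}
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; bad=1; continue
        fi
        if [ -n "$(loose_write "$p")" ]; then
            echo "WRITABLE $p (group or other write bit set)"; bad=1
        fi
        o=$(owner_uid "$p")
        if [ "$o" != "$uid" ] && [ "$o" != "0" ]; then
            echo "OWNER    $p (uid $o, expected $uid or 0)"; bad=1
        fi
    done
    [ "$bad" -eq 0 ] && echo "OK       $home"
    return "$bad"
}

# Constructed demo tree (not a real account): passes with 0755/0700/0644,
# then fails once the home directory is made 0777 as in the post.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 755 "$demo"
chmod 700 "$demo/.ssh"
chmod 644 "$demo/.ssh/authorized_keys"
check_pubkey_perms "$demo"
chmod 777 "$demo"
check_pubkey_perms "$demo" || true
rm -rf "$demo"
```

Run it as root with the account’s home directory and numeric UID as arguments to check another user.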

Update 2024:
And finally, twelve years later, there’s a problem. Newer versions of SSH will barf at RSA keys. You’ll get a “The server refused our key” message and something like this in auth.log…

 sshd[1539]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth] 

Don’t worry – there’s a quick fix. In /etc/ssh/sshd_config add the following line somewhere that makes sense.

PubkeyAcceptedAlgorithms +ssh-rsa

You might want to use something other than RSA keys going forward, but this is an update to a 2012 article – watch out for a new one.

Government’s red-herring email law

The government (UK) launched a red herring at the Internet today, and the news media has lapped it up. “We’re bringing in a new law to allow security services to monitor email and other Internet traffic.” This is actually referring to the fact of the communication; not its content.

The TV news has subsequently been filled with earnest spokespersons from civil liberties groups decrying the worst Big Bother laws since New Labour got the boot – anything to get their silly mugs in front of a camera. Great news drama – the Conservatives moving over to the dark side.

Wake up people! What they’re proposing is just not possible. Blair already tried it in a fanfare of announcements and publicity, but anyone who knows anything about how email and the Internet function can tell you that it’s not even technically possible on so many levels.

1) Email does not necessarily use an ISP’s mail server or web mail service. Home users probably do; any company or organisation will most likely use their own. If anyone wanted to avoid snooping, they would too.

2) Users of commercial mail services are anonymous if they want to be. With a few minutes’ effort it’s possible to hide your IP address, or use an untraceable random one, and there’s no other trail leading back to an individual. The international criminals being targeted will know the tricks, for sure.

3) The security services already have the powers to do this, and do use them.

4) If the ISP is outside the UK, then what?

When the Blair government announced something similar I had to write to the government department concerned asking for the details. I heard about it from the general news. Apparently I, as an ISP, needed to keep records for a year – but records of what, exactly? They didn’t contact me to warn me it was happening; they can’t as there is no register of ISPs. There’s no definition of what counts as an ISP either. And needless to say, the government department concerned didn’t write back with the details.

So why is the current government making this announcement about an announcement now? Could they be wanting to change the news agenda? As usual they can rely on the media types to completely miss the fact it’s nonsense. Eventually the BBC got Andrew Mars on to comment, but I suspect his interview snippet was severely edited to suit their agenda.

Warning about “fulfilled by Amazon”

Beware – ordering something “fulfilled by Amazon” is no guarantee they’ll look after you. I ordered something with a driver CD – due to bad packaging (from Amazon) it turned up with a mangled CD, although the item was pretty robust and looks okay. Well – ordered through Amazon so they’ll sort it out…

Well no. Get this:

Me: Item arrived in poor quality packaging from Amazon (direct). Badly squashed – product box was 2″ high, Amazon outer only 1″ high. CD with driver software in same box as product visibly damaged and unreadable. Can’t tell if product itself is okay but appears unbroken.

Amazon Rep: Hello, my name is *****. I’ll be happy to help you today.

Me: Hi. I think I might have messed up with the UI. This relates to “<piece of hardware>”

Me:  Order # **************

Amazon Rep: I am sorry for the condition in which your order arrived.

Me: It’s hopeless packaging. It was squashed and the CD bent around the scanner – wrecked!

Amazon Rep: Thanks, Frank.

Amazon Rep: May I know the name of the item that arrived in a damaged condition?

Me: Sure – as above. Specifically “<piece of hardware>”

Me: I ordered this direct from Amazon because I thought it might be better supported than the others available. Do you have the software available for download?

Me: There’s a bar-code on the box, but no hint of the manufacturer or a web site where I might find the software

Amazon Rep: I see that you have placed order for this scanner with the seller ‘M&S’ and it is ‘Fulfilled by Amazon’.

Me: Marks and Spencer?

Me: ’twas definitely in Amazon packaging.

Amazon Rep: Yes, the order is fulfilled by Amazon.

Me: Did the steamroller go over it before or after you posted it?

Amazon Rep: This item was labeled ‘Fulfilled by Amazon’. Items labeled ‘Fulfilled by Amazon’ are sent to you directly from an Amazon.co.uk Fulfillment Centre.

Me: Thanks – I know – that’s why I chose to get it from you as your delivery is generally hassle-free. But this doesn’t help with the mangled CD. Fortunately the scanner itself is made of ABS and designed for grease monkeys to drop it so it looks like it survived. But it’s just a brick without the CD.

Amazon Rep: Unfortunately, we are unable to create a replacement order for the items that are fulfilled by Amazon.

Amazon Rep: Could you please return the item for a full refund?

Me: No. I just want the software. If you’d like to pick it up subject to the distance selling regulations 2000 you’re welcome to do so – and I’ll warn everyone else about this crazy policy – but the software would be preferable for all concerned.

Amazon Rep: Could you source the software CD from your local store?

Me: Alas not, it’s not got any maker’s name on it, or that of the manufacturer. It’d make more sense to download it but there’s no clue as to who made it.

Amazon Rep: If you can source it from your local store, I can issue a partial refund.

Amazon Rep: If you wish to receive a full refund, you’re welcome to return it for a full refund.

Me: Distance selling regulations – you have to collect it if you want to go the refund route. Are you based in the USA? This is a European sale.

Amazon Rep: We will waive the return shipping charges, Frank.

Me: No, sorry, you won’t waive any shipping charges as you’re not allowed to make any. According to the Distance Selling Regulations you are required to send someone around to collect it at your expense. All I need to do is hand it over. But I’d much rather have the software.

Me: Please can you just tell me who produced (or sells) this thing, I’ll go to the web site and download it.

Amazon Rep: The manufacturer of this scanner is ‘SainSpeed ‘.

Me: Okay – thanks I’ll check the SainSpeed web site.

Me: they don’t have one :-(

Amazon Rep: I am sorry to hear about this, Frank.

Me: I’m flabbergasted. I thought Amazon was a safe place to buy things!

Amazon Rep: This is not a common occurrence, Frank.

Amazon Rep: We value this kind of customer feedback, as it helps us to provide the best possible service. I will forward your comments to the relevant department here.

Me: Okay. Is there any way you can get me a disk? if not, can you swap out the complete package?

Amazon Rep: Unfortunately, our system will not allow us to create a replacement order for the seller items, Frank.

Amazon Rep: If you prefer, you can return the item for a full refund, Frank.

Me: If you want to pass this on to the seller (if you reckon it’s not you) then please point me at them. Visa reckons it’s you (this is also governed by the Consumer Credit Act).

Amazon Rep: I understand your concern, Frank.

Amazon Rep: I am sorry for the inconvenience caused.

Amazon Rep: You have placed this order with the seller ‘M&S’ and it is ‘Fulfilled by Amazon’.

Me: So what am I supposed to do? Wait for you to collect this one and order another one?

Amazon Rep: In this case, I request you to return the item for a full refund.

Amazon Rep: Could you post it?

Me: Okay – you’ve got the address. Come and collect it. Meanwhile I’ll get Visa to recharge the value to my account. Your contract was with Visa. Visa will pay you when the contract is fulfilled. I won’t pay Visa until their contract with me is fulfilled. Okay?

Me: So when do you want to pick it up?

Amazon Rep: In order to resolve this issue, we need to talk to you via phone. I will be happy to connect a call for you.

Amazon Rep: May I know your contact number?

<later>

Me: I’m on the ‘phone to one of your friends!

Me: Thanks for your help.

Amazon Rep: You’re welcome.

Amazon Rep: Thank you for chatting with Amazon.co.uk. We hope to see you again soon. Have a Great Day!

 

So, buying something from Amazon isn’t any guarantee they’ll sort out any problems – even if their packaging is the problem. The subsequent telephone call went down the same route. I insisted on getting the software, not messing about with posting it back to them. Eventually they gave me the ‘phone number for this mysterious supplier: 0845-609-0200. I wouldn’t normally list a ‘phone number here, but a quick check revealed that it was the widely published customer service number for Marks and Spencer! I was skeptical, and queried this and asked where the number came from but they insisted that it really was the Marks and Spencer selling through Amazon. (The nature of the device – a diagnostic interface – is highly suspicious).

I’ll call Marks and Spencer tomorrow. It could be interesting. Amazon isn’t off the hook by a long way.

The PAT man cometh

I’ve had bad experience with PAT testing companies in the past – a service of dubious merit often run on disingenuous lines because people believe something terrible will happen if they don’t have a bi-annual test (or annual if they can be persuaded there’s some law or other stating they need to). Still, if it makes the punters happy why should I deprive portable appliance testing companies of a living?

But, PAT testers can damage kit. They don’t do it often but once is too much, and their automated boxes and tick sheets are banned hereabouts – replaced with a proper inspection and assessment of all aspects of electrical and mechanical safety, not just earth leakage.

Unfortunately one site we look after had a visit from a PAT tester in December. Then, this month they had a power cut, and all their PCs went blank in spite of maintained UPS units, which had all been serviced in November. My heart sank when I saw the green label of a PAT tester on our UPS units – had they blown up all the inverters or what?

The batteries tested okay, both in the units and on the bench when I opened one to check. Then the penny dropped: The idiots had plugged the PCs in to any old socket on the back of the unit. Some of the sockets are surge-protected, some are maintained (battery backed). They’d just reconnected the cables by starting at the bottom and working up, so it was pure chance as to whether the PCs were on a maintained socket or not – in fact most weren’t.

Do I blame these “fully trained” PAT testing operatives? Well no – they haven’t got much concept of what they’re actually doing and the training consists of plugging something in, pressing a button, and checking to see whether the red or green light comes up. (Some may be competent electrical engineers, but it’s certainly not a requirement). But please keep them away from me and my equipment.

FBI VoIP system conference call intercepted by Anonymous?

Major embarrassment today as Anonymous intercepts a conference call between several European and American law enforcement agencies, according to something I’ve just seen on the BBC. It’s on YouTube right now if you want to hear it for yourself.

It got my attention – someone breaking into a VoIP system would. But on further investigation it’s pretty obvious to me that it wasn’t an intercept at all. The clues are in the intercepted email  and the start of the recording – Anonymous read an email circular inviting people to the conference call, where the access number and password were given.

This makes the authorities concerned seem even more incompetent than if they’d had their VoIP service compromised.