CPC charging for free delivery! Well, not quite…

CPC Farnell is great. Most of the time. They’re a well established supplier of electronic bits and pieces (components) and they’ve recently branched out in to various other items of hardware. The prices are good, the service is spot on, and they’re based in England with sensible people at the end of the ‘phone. Their catalogue and web site is best suited to professional purchasers who know what they want and can see behind the manufacturer’s marketing descriptions, but that’s just fine. They’re box shifters, but they’re very good box shifters.

Last week they had a “special offer” for free delivery, even for small orders. I needed some cables forgotten from an earlier main order, so took advantage of the offer, only to discover on the paperwork that I was nonetheless charged! Being a good company to deal with in the past, I gave them a call. Apparently some genius there made the “free delivery” offer, but the web site software knew nothing about it and has been telling everyone they’ve been hit with a handling charge ever since. I suspect their operators are getting a bit hacked off with the complaints, although they’re still professional and courteous and friendly.

So if you’re reading this, and are wondering about whether you’ve been stitched up, relax. They haven’t gone mad; their on-line ordering system is just a bit trailing-edge. I’m still happy to recommend them as a supplier. And as far as I know, they pay all their UK taxes.

 

Edward Miliband in confusion over tax

Edward Miliband had just announced he’s going to restore the 10p rate of Income Tax if anyone is stupid enough to vote for him. Interesting. He’s going to pay for it with a divisively-named “Mansion Tax” on properties worth more than £2M. This may be appealing for the numerically challenged, but does it makes sense? What are the figures  The BBC is reporting this kind of stuff without bothering to work it out.

First off, how many houses are worth more than £2M? No one really knows, but according to the Land Registry, 1,620 houses worth £2M+ were sold in 2012. Let’s say they change hands every ten years on average, so there are about 16,000. I don’t know if this is the correct figure, but hacks reporting the story aren’t even asking the this question.

How much did it cost when Gordon Brown scrapped the 10p rate of income tax?  Apparently it raised £3.5B. I’ve seen 7Bn bandied about, but £3.5Bn was the figure Alistair Darling was working with (according to reports in the Guardian at the time). So that works out at £218K tax a year per £2M house in the country. That’s more than 10% of the value of the asset. It’s not that difficult for someone in London to end up living in a £2M house but to otherwise be of limited wealth; it’s their house not their income. They certainly won’t be earning the kind of money to pay such a huge levy – they could very well be pensioners, albeit likely to have a relatively good private pension. But not that good!

So the arithmetic doesn’t work; is anything else thought through?

In Bradford today, Miliband said: “We would put right a mistake made by Gordon Brown and the last Labour government.”

Funny that. In 2008 he said of abolishing  the 10p rate, “When you make a big set of changes in the tax system, some people do lose out. That is a matter of regret. Of course it is. But overall these changes make the tax system fairer.”

So having a 10p rate of tax is unfair? Taxing an asset value is certainly unfair.  Today he’s proposed to do both.

And that’s before you start looking at the practicalities – who knows the value of a property? A lot of it is already owned by overseas companies in order to avoid disproportionate taxation anyway.

 

Lighttpd in a FreeBSD Jail (and short review)

Lighttpd is an irritatingly-named http daemon that claims to be light, compared to Apache. Okay, the authors probably have a point although this puppy seems to like dragging perl in to everything and there’s nothing minuscule about that.

I thought it might be worth a look, as Apache is a bit creaky. It’s configuration is certainly a lot simpler than httpd.conf,although strangely, you tend to end up editing the same number of lines. But is it lighter? Basically, yes. If you want the figures it’s currently running (on AMD64) a size of 16M compared to Apache httpd instances of 196M.

But we’re not comparing like for like here, as Lighttpd doesn’t have PHP; only CGI. If you’re worried about that being slow, there’s FastCGI, which basically keeps instances of the CGI program running and Lightttpd hands tasks off to an instance when they crop up. Apache can do this (there’s the inevitable mod), but most people seem happy using the built-in PHP these days so I don’t think FastCGI is very popular. It’s a pity, as I’ve always felt CGI is under-rated and I’m very comfortable passing off to programs written in ‘C’ without there being an noticeable performance issues. Using CGI to run a perl script and all that entails is horrendous, of course. But FastCGI should level the playing field and allow instances of perl or any other script language of your dreams to remain on standby in much the same way PHP currently remains on standby in Apache. That doesn’t make perl or PHP good, but it levels their use with PHP on Apache, giving you the choice. And you can also choose  high-performance ‘C’.

This is all encouraging, but  I haven’t scrapped Apache just yet. One simple problem, with no obvious solution, is the lack of support for the .htaccess file much loved by the web developers and their content management systems. Another worry for me is security. Apache might be big and confusing, but it’s been out there a long time and has a good track record (lately). If it has holes, there are a lot of people looking for them.

Lighttpd doesn’t have a security pedigree. I’m not saying it’s got problems; it’s just that it hasn’t been thrashed in the same way as Apache and I get the feeling that the development team is much smaller. Sometimes this helps, as it’s cleaner code, but it’s statistically less likely to have members adept at spotting security flaws too. I’m a bit concerned about the FastCGI servers all running on the same level, for example.

Fortunately you can mitigate a lot of security worries by running in a jail on FreeBSD (it will also chroot on Linux, giving some degree of protection). It was fairly straightforward to compile from the ports collection, but it does have quite a few dependencies. Loads of dependencies, in fact. I saw it drag m4 in for some reason! Also the installation script didn’t work for me but it’s easy enough to tweak manually (find the directory with the script and run make in it to get most of the job done). The other thing you have to remember is that it will store local configurations in /usr/local on BSD, instead of the base system directories.

To get it running you’ll need to edit  /usr/local/etc/lighttpd/lighttpd.conf, and if you’re running in a jail be sure to configure the IP addresses to bind to correctly. Don’t be fooled: There’s a line at the bottom that sets the IP address and port but you must find the entry server.bind in the middle of the file and set that to the address you’ve configured for the jail to have passed through. This double-entry a real pooh trap, especially as it tries to bind to the loopback interface and barfs with a mysterious message. Other than that, it just works – and when it’s in the jail it will happily co-exist with Apache.

I’ve got it running experimentally on a production server now, and I’ve also cross-compiled to ARM and it runs on Raspberry Pi (still on FreeBSD), but it was more fun doing that with Apache.

When I get time I’ll do a full comparison with Hiawatha.

Using ISO CD Images with Windows

When CD-R drives first turned up you needed special software to write anything – originally produced by Adaptec but soon overtaken by Nero, with NTI and Ulead having lower cost options. Now, when you get a PC it will usually come with one of the above bundled to do the job, and Microsoft has added the functionally to Windows since XP (for CD, if not DVD). Not good news for the independent producers, but Microsoft’s offering doesn’t quite make it so you do need something else.
My new Lenovo PC cable bundled with Corel Burn.Now. Corel recently bought the struggling Ulead, and this is fundamentally the same product. Unfortunately Burn.Now just doesn’t cut it – it can’t do the basics.
To duplicate a CD you need to copy all the data on it. Pretty obvious really! If you’re not copying drive-to-drive it makes sense to copy the data to a .ISO image on your hard disk. You can then transfer it to another machine, back it up or whatever, and write it to a new blank disk later. Burn.Now will create a CD from an ISO image, but if you ask it to copy a disk it uses its own weird and whacky .ixb format. Some versions of Burn.Now gave you the choice, but not with the new Corel one. This matters, because whilst everyone can write .ISO files, only Burn.Now can use .IXB.
So Burn.Now is no use. What about Microsoft’s current built-in options? You can actually write an ISO image using Windows 7 – just right-click on the file and select “Burn disc image”. Unfortunately there is no way to actually create such a file with Windows. To do this you need add Alex Feinman’s excellent ISO Recorder, which basically does the opposite: Right-click on the CD drive and select Create Image from CD/DVD.
I’ve yet to find an easy way of creating an ISO image using files and Lenovo’s Corel Burn.Now, but you can at least create a disk and then copy the ISO image off for archive and later duplication.
Unfortunately ISO Recorder doesn’t read all disks – it won’t handle Red Book for a start. This is a bit of a limitation – was Mr Feinman concerned about music piracy? Given Windows Media Player can clone everything on an Audio CD without difficult it won’t make a lot of difference.
So – Windows is its usual painful self. If you just want to simply create an image of a CD or DVD with no bells and whistles, go to UNIX where it’s been “built in” since the 1980’s (when CD-ROMs first appeared). Just use the original “dd” command:

dd if=/dev/acd0 of=my-file-name.iso bs=2048
An ISO file is simply a straight copy of the data on the disk, so this will create one for you. You can write it back using:

# burncd -f /dev/acd0 data my-file-name.iso fixate
Or
# cdrecord dev=1,2,3 my-file-name.iso

Burncd is built in to FreeBSD (and Linux, IIRC), but only works with atapi drives. In the example it assumes the CD recorder is on /dev/acd0 (actually the default).
Cdrecord works with non atapi drives to, but has to be built from ports on FreeBSD and for other platforms it’s available here http://cdrecord.berlios.de/old/private/cdrecord.html – along with lots of other good stuff. The example assumes the device is 1,2,3 – which is unlikely! Run cdrecord -scanbus to locate the parameters for your drive.

Horseburgers

A large minority of the UK population isn’t going to be at all surprised to hear horse DNA has been found in processed meat products – they’re already vegetarian/vegan or at a minimum, they choose organic meat products. The remainder either don’t know, or don’t want know. Either way, with the information on how animals are farmed widely available, I haven’t got a lot of sympathy with their current predicament.

But if you’re going to eat processed meat products, what’s so bad about horse? I’ve just been listening to an American campaigner on the radio warning that people go around the US buying old nags at auction and shipping them to Europe for food – horses that were probably pets (or from his soap-box, a race horse) and treated with drugs you wouldn’t give a farm animal such as phenylbutazone. He was particularly keen on mentioning this. Look it up – it’s an anti-inflammatory drug also given to people with arthritis and similar problems. It has side effects, including some rare but serious ones. Okay, so you wouldn’t want to dose anyone without good reason, but to get a dose from eating horse meat you’d have to literally eat the whole horse. And that would be one dose. I’m sure he was really motivated by the “horses are pets and we shouldn’t eat pets” attitude, but the BBC didn’t question his motivation at all.

So am I saying it’s okay to eat horses with phenylbutazone in their system? Well I wouldn’t eat it, but I wouldn’t eat any farmed meat, which is chocked full of legally introduced medication and kept, killed and processed in decidedly worrying conditions. Horses with shots of bute are no different to me. Think about it – if you don’t even know what species the meat is, you certainly can’t say much about where it came from. Actually finding a bit of horse in a beefburger sample changes nothing – it’s always been dodgy.

One thing you can probably say for certain is that New Labour and news media will be whipping up a bit of hysteria about this. They did it with the BSE crisis in the 1990s – remember that? Thousands will die due to eating disease contaminated meat? Of course it didn’t happen. They did it again when in power, in an over-reaction to Foot and Mouth, presumably to prevent the Conservative opposition playing the same trick on them. This is going to run and run (it’s bound to turn up everywhere following the inevitable further tests that are doubtless being considered right now).

If what’s in your meat worries you, become vegan (dairy products and eggs aren’t clean either). Otherwise, be aware that the meat processing business is pretty grim with this kind of thing going on behind the scenes all the time – and live with it. Can we have some real news now?

Nominet finally goes to court

Nominet Logo

If you’ve never heard of Nominet, you should have. It’s the organisation that manages most of the domain names ending in .uk. It was set up in 1996 as a company when the previous arrangements (known as the Naming Committee) became overwhelmed. The Naming Committee granted the use of domain names to their rightful owners for no charge, but only their rightful owners. Nominet charged, and was more relaxed about who it sold things to – being too picky meant less income, and it needed income to cope with the increased demand for Internet services.

The snag with this new arrangement was that it allowed speculators to register as many domain names as they wished, with a view to charging end users money to use something they’d pre-registered. This is known as cyber-squatting, although people in this business prefer to call themselves “domainers”.

Nominet was created for the benefit of Internet users in the UK, not cyber-squatters. Unfortunately, cyber-squatters register more domain names than anyone else (as they would), and started to get an undue influence based on their size. Cyber-squatters make various claims about how they’re important for a “vibrant market” in domain names, but there’s no benefit to society in such a market. You could say they’re trading in something that should be free to legitimate users. Some would go as far as to call them parasites. If any cyber-squatters or domainers wish to explain exactly why the label is unfair, please enlighten me.

Anyway, the Nominet board isn’t stupid and has, in recent years, done a lot to skew things in favour of UK Internet users. Not enough as far as I’m concerned, but they’re trying to look after the majority. The cyber-squatters don’t like this, and have started personal attacks on Nominet’s CEO, Lesley Cowley in an attempt to get rid of her with a view to installing someone more of their liking. What’s really upset them was a consultation to allow people to register names directly under .uk, without a .co.uk or .org.uk. For example, Tesco could have been tesco.uk, as is often the case in other countries. Legitimate UK ownership would have been verified, like in the old days, but they would also have cost more. Cyber-squatters hated the idea, because their current stock-pile of .co.uk names would have been somewhat devalued! They had to defeat Nominet in order to preserve their “investment”. The rest of us would have quite like to see the speculators clobbered, although I’ve never had the feeling that was Nominet’s intention.

Nominet has finally had enough, and late this afternoon launched a High Court action against Graeme Wingate and his company That Internet Ltd, citing “[unacceptable] harassment and victimisation of our staff”. What this is really about is whether Nominet is run for the benefit of everyone, or the cyber-squatters.

 

Vauxhall Helicopter Crash

I wouldn’t normally want to pre judge the reasons for an Air Accident but I’m getting a bit fed up with the twaddle appearing on the BBC and radio about the incident today where a helicopter appears to have hit a crane. Listening to Kate Hoey, MP for Vauxhall, making political points over it on the BBC just now is too much. Checking the NOTAMs for London, the following is in force between 07 Jan 2013 17:00 GMT and 15 Mar 2013 23:59 GMT.

HIGH RISE JIB CRANE (LIT AT NIGHT) OPR WI 1NM 5129N 00007W, HGT 
770FT AMSL (VAUXHALL, CENTRAL LONDON), OPS CTC 020 7820 ####
12-10-0429/AS 2.

A NOTAM, or notice to Airman, is issued to all pilots and they’re required to check them against their flight plan in case there’s anything important they need to know about. In my day it was done on paper – now it’s on-line and really easy to check. This is basically saying there’s a crane erected that’s 770′ high at this location in Vauxhall. It’s lit at night (but not during the day). Keep at least a mile away.

It was clearly foggy, so the pilot should have given it a wide berth. On the face of it, it appears he didn’t. Eyewitnesses don’t report anything unusual about the helicopter.

Helicopters are supposed to be flying in to London over the Thames in order to provide a “safe” landing area in the event of trouble. (That’s safe to the people on the ground, at least). It appears to have been broadly in the right place. Ms Hoey is being populist, but then again, that’s her job.

 

Update 13:30

News reports now say that the helicopter had diverted; this might explain why the pilot wasn’t aware of the crane it the original route went nowhere near it, although flight plans should have diversion plans and NOTAMs for diversions should also be checked.

Much is now being made of people who said the lighting wasn’t good enough. Lighting in daylight isn’t normal (or useful) anyway, and neither is it any good in fog (day or night).

However, having seen aerial shots (they’re all up there with helicopters) the crane doesn’t appear to be at the location specified in the NOTAM. That could turn out to be a story, but I’m not on the ground to check it.

The NOTAM (reproduced above) doesn’t actually give an accurate Lat and Long – it actually puts the crane next to the Kennington Oval. Normally NOTAMs in central London are a lot more precise – a couple more digits of accuracy. This is starting to look like a story, and you saw it here first.

 

Red October or Red Herring

Kaspersky Labs has announced that someone had been conducting a hitherto unknown campaign wide-scale international espionage, dubbed Red October, for many years. Except it that I don’t think it has.

The story broke quietly on Friday in the Washington Post and has been repeated over some Internet news sites and blogs, almost verbatim, yesterday and today. Although keen for breaking news (especially where international intrigue is concerned), one should really take a step back and match the claims with the substance.

You can find the report here, although not the the Kaspersky site. It’s not the subject of any press release I’ve seen. No one could be contacted at Kaspersky for comment. Hmm. Specialist IT security sites, like Steve Gold’s IT Security Pro, aren’t treating this as a top story either. The only reason I’m hitting the keyboard is that people keep drawing it to my attention.

The report (assuming it isn’t a hoax) does contain a good analysis of what appears to be a new-ish botnet, although one that’s not very widespread (we’re not talking about Flame V2 here). Kaspersky has a lot of smart cookies working for them, and they do some very valuable research, but reading the posts on the subject you’d think they’d uncovered the next Watergate or similar. Perhaps they have, but all I’m seeing details so far  is of another botnet.

If their analysis is correct, the perpetrators do seem to be targeting government and diplomatic sites in particular, but this isn’t actually novel. They’ve identified targets in most of the developed world, with the interesting exception of England and China. As the code appears to be of Russian origin, and not particularly well obfuscated, it’s also noteworthy that the majority of the attacks have been launched against Russian targets.

So, as it stands, this looks like a competent investigations of a botnet. Well done Kaspersky. Now lets get some sleep.

 

New Java exploit in the wild

Today AlienVault reported yet another vulnerability in Java, similar to CVE-2012-4681. Their head of Labs Jaime Blasco got hold of it and has been playing with it on a fully patched Java installation, and according to them, it works. If you fancy trying  it yourself, here are the details.

With Java embedded in to most web browsers (and if you don’t know about yours, it’s probably is), this is serious stuff. All you need do is go to a web page with some nasty embedded Java on it (by following a link in an email) and your machine is vulnerable to takeover. If you want to check whether Java is enabled on your browser, click here and check the version. If it returns “”No working Java was detected on your system…” then you’re okay. Right now, the only good Java is a dead one.

When Java first appeared as a cross-platform application language, much play was made of it being “sandboxed”, so a Java application was insulated from other applications and the host operating system. It didn’t take long for features to be added to allow it to manipulate files on the local system, providing obvious ways to break out. Security consists of guessing the ways this may occur and blocking them. This is a recipe for disaster unless the code is very taught. Opening the gates and then screening is the opposite of secure system design.

I realised something was wrong when a Sun evangelist tried to sell me on the idea of embedded Java – “We’ve reduced the footprint to 4Mb”. This was back in 1998, and 4Mb of ROM  on an embedded system was a hell of a lot. And it’s not just the size – 4Mb of code for doing what should be pretty straightforward stuff rang alarm bells. I don’t know about embedded Java, but the current JVM running on PCs is now talking in Gb. It’s hugely inefficient, which is a price you might choose to pay, but from a security point of view there’s no way you’re going to have that much code without all sorts of nasty stuff lurking away forgotten. Which explains why it keeps on coming out to bite us.

The only way to avoid your PC (or Macintosh or Linux box) being compromised is to disable the JVM until Oracle issue a patch for it.

 

Bitlocker, PGP and TrueCrypt encryption broken (sort-of)

ElcomSoft has released a utility called Forensic Disk Decryptor that can get the data off encrypted hard drives without knowing the password. According to their web site it:

  • Decrypts information stored in three most popular crypto containers
  • Mounts encrypted BitLocker, PGP and TrueCrypt volumes

Amazing!

In complete decryption mode, Elcomsoft Forensic Disk Decryptor will automatically decrypt the entire content of the encrypted container, providing investigators with full, unrestricted access to absolutely all information stored on encrypted volumes.

Wow!

Elcomsoft Disk Decryptor PackageReading the technical details further, it’s not quite so amazing – they haven’t found a back-door to these encryption algorithms. Instead they’re examining the machine’s core (memory/RAM in user-land parlance) and pinching the key when they find it. This does, unfortunately, require that the machine in question is already running and decryption to be taking place ‘cos its user has already entered the password. This isn’t has hopeless as it sounds as there may be a core-dump (hibernation file) kicking around on an unencrypted hard disk, and indeed this is a known technique (one of very few) for getting data off these drives. Other methods are  scaring your suspect with a slap on the wrist if they don’t cough up the password, or running a trojan on the suspect’s PC (questionable legality).

According to ElcomSoft’s CEO, Vladimir Katalov, “Our customers asked us for a tool like this for a long, long time. We’re finally releasing a product that’s able to access encrypted volumes produced by all three popular crypto containers.”

ElcomSoft is a company that certainly knows what it’s doing, and this tool appears to automate a process that’s a PITA to do manually, but Mr. Katalov’s miraculous claims for the product shouldn’t unduly worry the user’s of this technology. It’s probably a good tool but it can’t do anything that wasn’t possible before.