Normal Bloke’s Identity Stolen

A colleague of mine recently received an email from his bank (genuine for once) thanking him for updating his card password.

Which he felt was strange because he hadn’t.

He called his bank and the automated line told him his balance was over GBP2,000. He then got through to a human who said it was under GBP200. The alarm was raised when the extra charges appeared to be on his card paying some financial institution my colleague had never heard of.

Anyway, the plot thickens.

A few days later this colleague of mine starts to realise how little postal mail he’s had. Not just him, the rest of the household too. So he spots the postman in the street and enquires.

“Yeah, well you were in the post office the other day getting it stopped, weren’t you?”

“No I wasn’t.”

“Oh shit,” the postman said as he got out his mobile and dialled the office to raise the alarm.

Apparently someone had just turned up to the local branch and ordered a hold on the mail to his address. The post office quite rightly has informed the police.

Amazingly, the next day my colleague gets some post. But it’s a little strange, because it’s some newsletter from the local church and, well, they don’t send out stuff to him. Conclusion? His identity has been stolen and the fraudster is collecting any new bank cards, replacing the genuine mail with fakes.

Now the next part of this is somewhat more personal. A week or two ago I booked tickets online to see the new Batman film but I couldn’t remember my Visa card password. So I clicked the forgotten password and was prompted for my date of birth and card expiry date, easy enough to remember/find out. Then I needed to set a new password.

And that was it. No security checks. No email to confirm the action by clicking the link within, no phone call to confirm intent, nothing.

Hardly any wonder people are now complaining that this lackluster security measure is being forced upon them.
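The reset described above changes the password on date of birth and expiry date alone. As an added example (not the card scheme's code; the class, field names and 15-minute lifetime are assumptions), here is a sketch of the missing step, where those details only queue the change and a single-use token sent to the address on file applies it:

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed policy: confirmation link valid for 15 minutes


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ResetService:
    """Hypothetical card-password reset with out-of-band confirmation."""

    def __init__(self):
        self.accounts = {}  # card_id -> {"dob", "expiry", "salt", "pw"}
        self.pending = {}   # sha256(token) -> (card_id, salt, pw_hash, expires_at)
        self.outbox = []    # stands in for e-mail to the address on file

    def request_reset(self, card_id, dob, expiry, new_password, now=None):
        """Date of birth and expiry only queue the change; they never apply it."""
        now = time.time() if now is None else now
        acct = self.accounts.get(card_id)
        if acct is None or (dob, expiry) != (acct["dob"], acct["expiry"]):
            return False
        token = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (card_id, salt, hash_password(new_password, salt),
                             now + TOKEN_TTL)
        self.outbox.append((card_id, token))  # only the mailbox owner sees this
        return True

    def confirm(self, token, now=None):
        """Apply the queued change once, if the emailed token is known and fresh."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # pop makes the token single-use
        if entry is None or now > entry[3]:
            return False
        card_id, salt, pw_hash, _ = entry
        self.accounts[card_id].update(salt=salt, pw=pw_hash)
        return True

    def check_password(self, card_id, password):
        acct = self.accounts[card_id]
        return hmac.compare_digest(acct["pw"], hash_password(password, acct["salt"]))
```

Until `confirm` succeeds the old password stays in force, so someone who knows only the date of birth and expiry date gets nothing but an e-mail sent to the real cardholder.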


Karcher K294MD Pressure Washer

Decided the car really needs a clean. As does my girlfriend’s. The good old bucket and sponge may be cheap and cheerful but fun it is not.

And so after reviewing various resources about pressure washers, went to Argos and brought home a Karcher K294M Delux unit, feeling £99.99 poorer as a result.

I assembled the machine yesterday afternoon and discovered two screws that not only required a star type driver bit but also an extension, as they fit deep within the plastic mould.

One further problem. The British weather wasn’t “Sunny with occasional showers” it was in fact “heavy cloud with frequent showers” and as a result I couldn’t test the bloody thing. I returned to it this afternoon to fit the screws properly only to find one had gone walkies. Still I at least managed to power it on and use the variable power lance. Seems to work OK.

One problem I did spot was that our outside tap, despite it being connected to the mains supply, only gave me almost eight litres per minute. This model requires eight litres per minute so hopefully the motor won’t burn out prematurely, but the K380 model I was considering turns out to need ten litres per minute. Make sure you time how long it takes to fill a ten litre bucket with water FROM THE HOSE as a sensible test before you buy one of these things!

And the cars STILL need washing…

The car in front is a Nissan

No, it is not a Toyota, despite what their marketing materials may claim.

I made an observation late that week. I am often driving along single carriageway roads to and from work. The UK’s road speed limit for such out of town roads is usually 60mph. Often, I am in a queue of vehicles traveling at less than this speed. Why am I “held up”?

It seems common that the car in front of everyone, with only the open road ahead of itself, is a Nissan Micra. What is it about their drivers I wonder? I refuse to believe Nissan manufacture their cars with an automatic “drive slower than conditions allow” computer on board. I wonder whether they are statistically less likely to be involved in a road traffic crash of some nature?

If you own a Nissan Micra, do me a favour. Please examine your rear view mirror at an increased frequency and note that when you have more than three vehicles apparently sitting under your bumper, you should take a look at increasing speed to nearer the limit (where conditions allow, sensibly). Thanks!

Spying on your neighbour

Can this really be legal?

Today I heard of the case where someone had planted a small microphone in their side of a hedge, wired to speakers inside their house, for the purposes of listening to everything their neighbours say in their back garden.

Obviously, upon discovering the listening device, the neighbours being bugged called in the police who allegedly stated that the size of the microphone was so small they were powerless to stop it. I understand the bugged are now forced to avoid their back garden when conversing.

I am led to believe that the apparent bugging is one weapon designed to make the neighbour’s life hell and force them to move out. The source who tells me this says the bug owner has successfully forced one householder out of their house and into the old people’s retirement home across the road.

I have no idea why this person or these people are doing what they are alleged to have done. I am told they want to clear out the locals they personally dislike. I suspect there is a great deal more to this.

But the principle remains that a person should be able to enjoy conversing on their own land without fear of being permanently bugged. Surely such an instance falls foul of our (UK) privacy, harassment or even telecommunications laws?

UK ENUM Conference

So I attended a conference today held in London to learn about and develop commercial ideas concerning ENUM.

ENUM allows businesses and individuals to publish their telephone number (fixed or mobile) within DNS records so that VoIP clients and providers may look them up and provide a more direct connection to number owners.

The initial goal is reasonably simple, and has to be to gain traction. Imagine the NHS has 500 telephone numbers that it operates as 0800 freephone numbers to allow customers (patients) to contact various local departments. The cost of each minute of every call is borne by the NHS so ultimately by the British taxpayer. Now the NHS also has VoIP connectivity and decides to advertise their 0800 numbers through DNS using ENUM. Subsequently, every time someone using VoIP decides to call any of those 0800 numbers their VoIP provider will find the 0800 number in the ENUM DNS listings for the NHS and will connect the caller to the medical department using VoIP alone – at no cost to either party (usually).

Clearly with this approach there is scope for financial savings. That said, there remains considerable work needed to achieve even this small goal, let alone the potential options further down the road.

In case you were wondering, ENUM is an international standard being implemented by individual countries separately through their respective Governments. The UK Government, through regulator OFCOM, has assigned the design, implementation and ongoing administration of the project to UKEC who, in turn, have contracted much of the work to Nominet. Nominet administer and maintain the .uk gTLD – when you buy any domain ending .uk it is ultimately sold by Nominet although almost always through a reseller (“registrar”) like GoDaddy.

So we now have a basic goal with example and a non-profit company to drive it forward. Part of the reason Nominet were awarded the contract was their intentions to market the ENUM provisioning as a resellable product. And here’s where the majority of blank faces emerged. The audience consisted of any parties interested in becoming ENUM registrars, effectively reselling the service of adding your telephone number to the DNS system. To be more accurate, the audience actually consisted mainly of people in the telecoms and ISP industry wanting to know what ENUM was and whether there was any commercial potential for them or whether it might actually screw them out of their revenue.

The message from Nominet was very clear on one matter. The end is in sight for minute revenues. This means your current fixed line telephony bill of 10p per minute connected to someone with a different geographic area code will be reduced to nothing. Your mobile network tariffs will no longer give you minutes in your bundle as calls to your mates will be free. Don’t ask for a timescale on this although the impatient amongst you could always hook up with VoIP today and extend your reach to your mobile phone provided you can install a VoIP client and connect via WiFi.

To be honest, the Marketing Director of Nominet introduced the commercialisation of ENUM as a set of current ideas rather than anything more concrete. He was, literally, waiting for suggestions from the audience. The common thread was that registration of the number would likely end up free, with registrars making their profits from value-added services. It was suggested one way would be to operate publicly accessible directories of businesses with their advertising online and a simple click to call mechanic.

There are two current matters in my mind that restrict uptake and promotion by business (registrars).

  1. You can list more than just a VoIP endpoint with your telephone number, but what else is currently undefined and may be regulated for privacy reasons. This does have potential for more far reaching consequences.
  2. You still cannot obtain a telephone number for life, or extend it. The numbers you can register have to come from a Communications Provider (CP) like BT. If you move providers you cannot take your number, you’ll have to register your replacement number instead. And because the ENUM system converts a number into DNS (02071234567 becomes – the software will do this for you!) you should be able to extend this yourself by adding additional digits and sending these through to your local phone system just like an automatically dialed extension.
  3. Each registration must go through a verification agency to ensure the registrant really does own the telephone number being registered, so there will be an additional cost (read: Higher bar to entry).

No doubt business models will emerge from this but for now ENUM remains in the cot after birth, ready for the world to sit up and really take notice and exploit its full potential.
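The number-to-DNS conversion and lookup described in this post, as an added example that is not Nominet's or any registrar's code: it follows the public ENUM standard (RFC 6116), and the NAPTR records and example.org addresses are constructed for illustration.

```python
import re

ENUM_APEX = "e164.arpa"  # apex of the ENUM tree (RFC 6116)


def uk_to_e164(national):
    """Turn a UK national number such as 02071234567 into +442071234567."""
    digits = re.sub(r"[\s()-]", "", national)
    if not re.fullmatch(r"0\d{9,10}", digits):
        raise ValueError("expected a UK national number starting with 0")
    return "+44" + digits[1:]


def enum_domain(e164):
    """Reverse the digits, separate them with dots, append the apex."""
    if not re.fullmatch(r"\+\d{1,15}", e164):
        raise ValueError("expected an E.164 number such as +442071234567")
    return ".".join(reversed(e164[1:])) + "." + ENUM_APEX


def resolve(e164, naptr_records, service="E2U+sip"):
    """Apply the best matching NAPTR rule to the number and return a URI.

    Each record is (order, preference, flags, service, regexp); the lowest
    order, then lowest preference, wins. Returns None when nothing matches.
    """
    wanted = [r for r in naptr_records
              if r[2].lower() == "u" and r[3].lower() == service.lower()]
    for _order, _pref, _flags, _service, regexp in sorted(wanted):
        # The regexp field is <delim>pattern<delim>replacement<delim>flags.
        # Simplification: assumes the delimiter is not escaped inside a part.
        _, pattern, replacement, opts = regexp.split(regexp[0])
        match = re.search(pattern, e164, re.I if "i" in opts else 0)
        if match:
            return match.expand(replacement)
    return None


# Constructed records, as a zone might publish them for the number above.
SAMPLE_NAPTR = [
    (100, 20, "u", "E2U+email:mailto", "!^.*$!mailto:info@example.org!"),
    (200, 10, "u", "E2U+sip", "!^.*$!sip:switchboard@example.org!"),
    (100, 10, "u", "E2U+sip", r"!^\+44([0-9]+)$!sip:\1@pbx.example.org!"),
]
```

Whatever is published this way is readable by anyone who can query DNS, which is why the first point in the list above (what may be listed beside the VoIP endpoint) is a privacy question.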

Asterisk and Amazon EC2

Given the clear advantages of cloud computing and the industry momentum (slowly) toward VoIP and complementary technologies (think XMPP) I thought it might prove an interesting exercise to install Asterisk on an Amazon EC2 instance.

My preferred operating system is Debian GNU/Linux. Instances are available with Debian (various versions) pre-installed. Theoretically it should be only a few steps to get Asterisk running.

Here’s where reality kicks in. Hard. Asterisk has certain features like conferencing that are attractive and in some cases necessary to have. These features require accurate timing as normally provided by hardware except in this case where we actually have a virtual hardware machine with no telephony equipment connected. To provide a timing substitute Zaptel provide the ztdummy kernel driver.

Which means compiling Zaptel against your currently installed Linux kernel. This cannot be done under Debian. The version of the compiler (gcc) is different to that which compiled the kernel. To compile with the correct, older, gcc, you’ll need to boot the OS Amazon used to compile the kernel.

Over to Fedora Core 4 we head. Now, I managed to compile, install and actually run ztdummy on the Amazon developer image, however by this time I’d really had enough. Suffice it to say I was in no mood to start transferring kernel module files across to my Debian instance to pursue the matter.

There are a couple of people who have written up instructions on getting Asterisk to work on EC2. Neither, I believe, installs the ztdummy kernel module. So they are essentially crippled one way or another.

Amazon: If you are listening, let us sysadmins do what we do best. Let us build our O/S including our own Linux kernel! So much time has been wasted due to this restriction!

Amazon Cloud Computing Alternatives

So there have been plenty of web sites and services affected by today’s big Amazon S3 outage. Smugmug, Twitter, and JungleDisk amongst the casualties to various degrees. Developers have been venting their frustration at seeing their applications fail because of something they relied on.

So what are the alternatives?

Any CTO will tell you that moving parts are your IT department’s weakest link in reliability terms. If you build a company on a single server will you have more, or less, moving parts than building it on a large computing farm as Amazon provides? Such an absolute measurement is of course a waste of time as that one server of course could die at any moment making you wish you’d relied on the cloud. Yet the cloud may also experience downtime.

Amazon does however have the advantage that it hides its redundancy from you. If you were to try to match it, you’d likely end up with RAID, and hot standby servers. Trust me, you don’t want to rely on that scenario without spending time and money testing your backup solutions.

So cloud computing might have occasional outages but at least there are engineers on hand 24×7 to fix them on your behalf. All part of the service, Sir. With your own equipment, you are on-call 24×7 shared with your colleagues. Assuming you have some.

Ultimately money can only buy you the best commercially available solutions. Amazon are not the only cloud computing service providers but as they happen to have financial muscle and experience on their side I would go so far as to say they will likely be the best overall. Your mileage may vary, naturally.

Remember, Amazon use commodity hardware under the assumption that bits of their network will fail at random. They have constructed software to operate on top of this in a distributed manner to detect failures and try (as best as their programmers can code) to mitigate against issues as they arise. I am sure that once analysed the software will be updated to minimise disruption caused by today’s failure as well as similar ones.

But seriously, even Amazon can only go so far. The human brain can only think up so many scenarios and code so many mitigation rules on. Oh, and testing all these situations can also be a real challenge.

It is still a damned sight better than relying on your own company to build a similar system in-house.