* Posts by Andrew Dancy

32 publicly visible posts • joined 9 Apr 2009

Software devs targeted as British tax authority makes fraud allegations

Andrew Dancy

Re: Clearing up some misconceptions

That's covered - there are rules that cap the amount that you can claim for R&D done by another company, and there are also rules around 'connected parties'.

Also, a couple of years ago they came up with a clever way to further reduce misuse - when you claim for R&D you can either take a deduction on corporation tax payable or surrender the relief for a cash credit. If you choose the latter the cash is now capped at 3x your total PAYE/NI bill for the year. Don't employ any staff and thus don't pay much tax? Fine, you'll only be able to claim a very small cash credit, so all you'll be able to do is carry forward the loss. Don't make a profit for three years? You then lose the carried forward losses.

Andrew Dancy

Clearing up some misconceptions

A number of commentards above have said that R&D was a scheme to benefit the big boys. That's not actually true as we're talking specifically here about the SME R&D scheme. Yes the definition of SME is quite wide (turnover of up to £100m) but big companies use a different scheme called RDEC which has quite different rules.

I've done the R&D claim myself for a tech business I co-founded and we've been claiming for years. The first year we claimed, HMRC assigned our tax affairs to a specialist office in Portsmouth that primarily handled pharmaceutical companies (as historically most R&D claims have been in this sector). They asked a few questions about the project, how we'd calculated our costs, then that was it. Subsequent years the claim was waved through. This is probably because every year I prepare a couple of pages based on HMRC's manual at https://www.gov.uk/hmrc-internal-manuals/corporate-intangibles-research-and-development-manual/cird80000 explaining what the project is, who was working on it, and breaking down the costs we claimed under the relevant categories of expenditure.

I note that from April 2023 onwards it'll be mandatory for companies making a new R&D claim to do exactly what we've been doing voluntarily for years.

I'm not surprised HMRC are cracking down on claims - as others have mentioned fraud is rife, particularly in the tech sector. I attended a webinar a few years back where a few of the more ethical claims companies (ones that only charge a few percent and don't make up their claims) were open about the fact a number of large claims companies blatantly encourage their clients to fiddle the figures (which was costing them business when they refused to do likewise).

Pirate, cause that's what most of the dodgy claims companies are!

Victims of IT scandal in UK postal service will get fresh compensation

Andrew Dancy

Re: Lawyers

The Solicitors Regulation Authority (who are the body who actually regulate solicitors - the Law Society are more like a trade body or union) are investigating, but their work is likely to be kept completely under the radar until they are ready to refer cases to the Solicitors Disciplinary Tribunal.

Moreover if there are potential criminal charges then that will delay things as the SRA will have to let any criminal case go first.

Andrew Dancy

Re: Bollocks

Most of the Private Eye articles were actually written by, or with the support of, Nick Wallis. Incidentally, his website at https://www.postofficescandal.uk/ should be required reading and I'd urge people to buy his book as well (sales from the book go to a charity that supports the affected sub-postmasters).

Karl Flinders at Computer Weekly has also been on the case since the early days and deserves a lot of credit. Also, although this will probably pain people to read, the Daily Mail have been very strong on the campaign for many years (they actually have a surprisingly strong track record for old-fashioned campaigning journalism, even if it's often drowned out by the crazy).

Andrew Dancy

Re: "has promised to pay £900 per claimant as part of reasonable legal fees to prepare their claim"

However in this case most of the work has already been done, as this is for sub-postmasters who were part of the original Group Litigation Order. Also, most of them are already working with a particular firm who have been doing a lot of pro-bono work on this already, so that £900 multiplied by a reasonable number of sub-postmasters will actually go a long way.

In case people are wondering the legal fees that were swallowed up by the original settlement didn't in the main go to the lawyers. The majority went to the litigation funder (essentially a lender who will lend money for big lawsuits in return for a chunk of the resulting settlement/award - it's an expensive business as if you lose the funder is on the hook for the costs on both sides).

BadgerDAO DeFi defunded as hackers apparently nab millions in crypto tokens

Andrew Dancy

Aaah! A snake!

I can't believe no-one has commented on the sub-heading for the article when you see it on the main news page. I've just wasted several minutes reliving my youth as a result! https://www.youtube.com/watch?v=EIyixC9NsLI

Pressure builds on Nominet as members demand to know leadership's contingency plans for when they’re fired

Andrew Dancy

Re: Can we apply pressure to the big 10?

I'm sure I have seen somewhere that a number of the big 10 (I believe it's several of the foreign owned ones) have long-standing policies to abstain from all votes on the basis it would be inappropriate to get involved in the running of foreign infrastructure.

Palantir and UK policy: Public health, public IT, and – say it with me – open public contracts

Andrew Dancy

Re: Start blaming the government for the spread of Covid-19.

Look, I'm one to give the Government a kicking as much as the next man, but only when it's deserved. There are some pernicious false facts doing the rounds which everyone repeats as gospel - I'd expect better of El Reg readers. Please, please don't just repeat so called facts without actually checking first.

The actual cost of Test and Trace (it's not called Track and Trace, that's a deliberate mis-naming by people who peddle the misleading information to remove the Test bit) is £4bn. The £22bn was what has been allocated for the entire Covid response, not just Test and Trace, and only a portion of it has actually been spent.

Of the £4bn almost all has been spent on the Test element of Test and Trace - for example setting up the labs that process the PCR swabs in all four home countries cost about £1.6bn. Then there's each test - there have been about 90m tests and it's estimated each test costs about £10-20 in total.

And don't get me started about the lies people peddle about the NHS app...

NHS COVID-19 contact tracing app is leaving some unable to access government self-isolation grants

Andrew Dancy

No idea what the other apps are doing, but as you say it may be down to fewer opportunities for exposure.

And yes, good spot - either 'less sensitive' or 'more specific' - take your pick!

Andrew Dancy

The problem is that the wrapper app *can't* suppress those notifications.

In short, the NHSX devs found that the official Google/Apple API is too sensitive and triggers based on very basic criteria. They found a way to be able to fine-tune the criteria so that it only actually triggers self isolation in the app if their more sensitive criteria are triggered (side note, they are trying to get Google/Apple to either back-port their improved algorithm into a future version of the API or get them to provide more raw data with the API on bluetooth signal strength so the algorithm can be further refined and tweaked by the various national apps).

However due to the way the API alerting is implemented it's not possible for the wrapper app to catch and suppress the original alert, only to then follow it with their own which is based on their more accurate analysis of what little information the API makes available to the wrapper app.

As for why the report button isn't available this is a consequence of the privacy model - Google/Apple only approve national apps to use the API if the app itself has no way of collecting information on an individual. Since pressing a button to claim the grant would inevitably require being able to identify the end user (as otherwise how do you pay them the grant) the devs had to pull that feature at the last minute or risk GApple rejecting the app.

Brit MP demands answers from Fujitsu about Horizon IT system after Post Office staff jailed over accounting errors

Andrew Dancy

Re: Background listening

Unfortunately there was one in 2013 as a direct result, and at least one more is known to be very likely to be linked to this scandal.

Andrew Dancy

Investigative journalism at its best

This whole sorry saga does show the importance of good, solid, long-term investigative journalism. In this case there are a number of people who have doggedly pursued the truth over many years. The real heroes in this are Computer Weekly and Nick Wallis. Computer Weekly first picked up the story in 2004 and have run with it ever since then. The then-editor Tony Collins was also instrumental in exposing other disasters relating to software, including the Mull of Kintyre crash.

Nick Wallis picked up the baton in 2010 and has steadfastly pursued the story ever since. He's the source of most of the BBC articles, he's the co-author along with Richard Brookes of all the Private Eye coverage, and his regular blogging all throughout the legal process is absolutely compelling reading (https://www.postofficetrial.com/) . He's also the presenter of the Radio 4 series that's just ended and will also be presenting a Panorama about the scandal in a couple of weeks.

In the mainstream press although it will pain many to hear, the Daily Mail have been solid in pursuing and keeping this story in the public eye for a number of years now and actually have a pretty good track record in campaigning/investigative journalism.

Defending critical national infrastructure... hmm. Does Zoom count as critical now?

Andrew Dancy

Re: Does Zoom count as critical now?

Zoom made a breaking change in their backend (I believe it's to do with an encryption change) which meant they had to force-upgrade everyone to Zoom 5. There was a one month window after Zoom 5 first launched, but the backend was cut over on May 30th at which point anyone on older Zoom would no longer be able to connect. Sounds like for some reason your tablet was still trying to download an old Zoom client.

Australian contact-tracing app sent no data to contact-tracers for at least ten days after hurried launch

Andrew Dancy

Some facts

I'm not impressed with Kieran's article and it's causing a lot of confusion and concern (as many other sites are just copy/pasting the information without checking). I know I'll get downvoted for this but here are some facts to clear up a lot of the wilful misinformation doing the rounds.

1. No, the app was not developed by Cambridge Analytica or Dominic Cummings or Marc Warner or anyone like that. People who jumped on that bandwagon misunderstood a different NHS contract. The app has been developed by Pivotal (part of VMware) along with NHSX's in-house team.

2. No, you don't need the app running in the foreground. The iOS app uses some clever techniques to allow it to run just enough in the background to be able to continue functioning. The Android app has some nifty code to allow it to parse the iOS bluetooth beacon format to maintain cross-app compatibility.

3. The app does not track your location. The Android app only asks for location services because for some insane reason Google decided that Bluetooth permission is tied to Location (i.e. you have to ask for the latter in order to get the former). The iOS app does not ask for location permissions and the Android app does not actually use location data.

4. The app appears to be well written and uses good security practice (strong crypto, certificate pinning, UK hosted API endpoints, etc). There have been some false tweets about the crypto not being secure but that's based on a misunderstanding of how the APK was decompiled.

Disclaimer - I'm not involved in any way with the app; I'm a director of a company which spent a lot of time yesterday pulling the app apart to see how it actually ticks.

Tribunal halts all Information Commissioner's Office cases because UK data watchdog can't print or organise PDFs

Andrew Dancy

Same in the county courts

We've got a similar issue - we'd love to send PDF bundles to the County Court but most courts still insist on printed bundles. To be fair the Judiciary would also love PDF bundles (they all have laptops and iPads now) - the sticking point appears to be the court clerks (who are the gatekeepers). We're trialling a system which is already used in a lot of the crown courts and some of the higher appeal courts - it lets you ingest documents and then automatically indexes them, adds the appropriate cross-references between documents, etc. Then all parties can either just use a link to access the bundle directly in an interactive dataroom, or if you need to go old-school the bundle can be exported as a PDF (with automatic internal hyperlinks) or printed out for the terminally old-fashioned.

We're actually hoping to be able to use Covid-19 to force this issue; there was a change to the Civil Procedure Rules rushed out a few days ago which shows the Court Service is moving in the right direction but it's a chicken-and-egg situation - no-one wants to be the first to use an electronic bundling system as until there is a successful precedent there is a risk that you could get censured by the Court for not having provided the documents in an approved form.

PS. One positive effect of Covid is that HMCTS have generously agreed that the email size limit for court service mailboxes will be lifted from 10MB to 25MB (except Judges who are already allowed to send/receive emails up to 150MB).

Iran tried to hack hundreds of politicians, journalists email accounts last month, warns Microsoft

Andrew Dancy

Re: And in other news...

To be fair, it's just an implementation of TOTP (so you can use any TOTP app such as Google Authenticator, you don't have to use the Microsoft one). It still means the seed values are known by Microsoft so it's probably not perfect for tinfoil hat types, but it's certainly better than SMS based authentication which is trivial for a major player to compromise.

Peers to HMRC: Digital tax reforms 3 days after Brexit? Hold your horses, how 'bout 3 years...

Andrew Dancy

Re: Gap in the market?

Sadly not, although that does give a wonderful mental vision!

I meant more Alec Guinness...

Andrew Dancy

Gap in the market?

I'm seriously considering knocking up a simple app to do this, especially now it looks like they've backtracked and only require you to enter the nine box numbers from the VAT return. Although there are lots of spreadsheet bridges there seems to be a gap in the market for a simple standalone app for people who keep their records separately (spreadsheet, old-school desktop accounting software, etc) and don't mind just typing nine numbers into boxes once every three months and pressing a button.

As mentioned the main obstacle seems to be getting approved by HMRC to actually be able to access the API. That and coming up with a suitably snazzy name. I'm tempted by something like Hector - bonus points if anyone can remember him, and the word sums up HMRC's approach to MTD quite appropriately!

Brit boffins build 'quantum compass'... say goodbye to those old GPS gizmos, possibly

Andrew Dancy


I recall reading a few months ago there had been a UK Gov report into the vulnerabilities of GPS (it's not just navigation - GPS timing signals are used for all sorts of scary things like synchronising electrical grid frequencies and regulating frequency slicing on the mobile phone networks). The conclusion was that jamming or solar events leading to a loss of GPS would have potentially catastrophic effects on modern life.

They suggested a number of solutions, one of which was eLORAN. Basically an update of the old LORAN navigation network used until the mid 90s, it would provide both location and timing (whilst many other GPS alternatives only do one or the other) whilst being virtually impossible to jam due to the much lower frequencies used. Unfortunately a trial a few years ago was kiboshed when other European countries turned off their transmitters (rumour has it there was pressure from the Commission not to support tech which could rival Galileo), so there's currently only one transmitter running (enough to support timing but not location, which needs multiple transmitters).

Setting up a chain of eLORAN transmitters would have the same utility as a British GPS system and would be considerably cheaper!

Enterprise smartphone buyers still pretty dopey about updates

Andrew Dancy

We've just gone through Cyber Essentials Plus and the assessor did check that all company mobiles were running the latest patched version of the OS (in our case iOS). He used a combination of reporting from our MDM system plus spot-checking a few devices at random.

I can thoroughly recommend CE and CE+ as it's not too onerous and for once it seems to actually focus on real-world risks (e.g. checking that your perimeter firewall actually blocks malicious URLs, your AV stops dodgy attachments, your users don't run as admin and you can't run downloaded exe files without a warning).

The one that caused us some problems (and it's actually a good one) was although we'd patched systems up to date, there are some Microsoft patches that only actually apply if you make a registry change. Thus we failed as the scanning software correctly reported that some of the patches weren't live. The solution there was to push the relevant registry key via Group Policy.

Bank of England to set new standards for when IT goes bad

Andrew Dancy

Re: BoE IT systems

Until a few years ago they actually had several thousand direct customers as staff and pensioners had accounts with the Old Lady. No credit card, but a rather fancy cheque book with sort code 10-00-01. And back in the good old days they had ridiculously cheap loans and mortgages. Mind you, no chance of an overdraft facility - if you went a penny overdrawn you'd get a polite but formal letter telling you not to do it again.

They also used to have a number of commercial accounts for Government departments such as HMRC.

All scrapped by Mervyn King as part of his drive to turn the bank into a giant economics thinktank and get rid of everyone actually interested in banking. This after a certain Scottish chancellor shafted Eddie, the previous governor, by removing all the regulatory bits and handing it to the idiots in the FSA.

Oculus Rift whiffed, VR fanbois miffed

Andrew Dancy

Re: Enforced updates?

+1 - we always timestamp as part of our code signing process as otherwise you get exactly this issue - when your cert expires anything signed with it won't know that the cert was valid at the point it was signed.

The only problem you sometimes get is that the main timestamping servers run by all the big CAs are notoriously flaky and completely unsupported - if they break then you just have to find another one. Not helped by the fact that Authenticode signing uses a different method of timestamping from pure RFC 3161 and not all timestamp servers support both formats.

What we really need is someone to offer cheap signing certs and provide a decent reliable timestamping server. Unfortunately Let's Encrypt have said they don't want to go into that area as they would be the obvious choice...
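To make the point in the comment above concrete (a signature made with a now-expired certificate is only still trustworthy if a timestamp proves the certificate was valid when the signature was made), here is an added example that is not code from the original post or from any signing tool. It is a model of the verification policy only: an HMAC under a key the verifier also holds stands in for an RSA/ECDSA signature so that it runs on the Python standard library, the `Cert`, `Signature` and `TimestampToken` types and all key and date values are constructed for the example, and the RFC 3161 versus Authenticode wire formats are deliberately ignored. What it shows is the one rule that matters: judge the signing certificate at the timestamped time, not at verification time.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Model only: HMAC stands in for a public-key signature, so the "key" on a
# Cert is shared between signer and verifier. The validity-window logic is
# the point of the example, not the primitive.
H = hashlib.sha256


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime
    key: bytes  # stands in for the certificate's public key

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


@dataclass(frozen=True)
class Signature:
    cert: Cert
    digest: bytes  # hash of the signed artefact
    mac: bytes


@dataclass(frozen=True)
class TimestampToken:
    """Countersignature by a time-stamping authority (RFC 3161 style): it binds
    a hash of the signature to the time the TSA saw it."""
    tsa_cert: Cert
    signature_hash: bytes
    gen_time: datetime
    mac: bytes


def _tsa_payload(signature_hash: bytes, gen_time: datetime) -> bytes:
    return signature_hash + gen_time.isoformat().encode()


def sign(cert: Cert, artefact: bytes, now: datetime) -> Signature:
    if not cert.valid_at(now):
        raise ValueError("signing certificate not valid now")
    digest = H(artefact).digest()
    return Signature(cert, digest, hmac.new(cert.key, digest, H).digest())


def timestamp(tsa_cert: Cert, sig: Signature, now: datetime) -> TimestampToken:
    """What the TSA returns: it never sees the artefact, only a hash of the signature."""
    sig_hash = H(sig.mac).digest()
    mac = hmac.new(tsa_cert.key, _tsa_payload(sig_hash, now), H).digest()
    return TimestampToken(tsa_cert, sig_hash, now, mac)


def verify(artefact: bytes, sig: Signature, now: datetime,
           token: Optional[TimestampToken] = None) -> Tuple[bool, str]:
    """Judge the signing certificate at the time the signature was made:
    'now' if there is no proof of that time, the TSA's time if there is a token."""
    if H(artefact).digest() != sig.digest:
        return False, "artefact does not match signature"
    if not hmac.compare_digest(hmac.new(sig.cert.key, sig.digest, H).digest(), sig.mac):
        return False, "signature invalid"
    signing_time = now
    if token is not None:
        expected = hmac.new(token.tsa_cert.key,
                            _tsa_payload(token.signature_hash, token.gen_time), H).digest()
        if not hmac.compare_digest(expected, token.mac):
            return False, "timestamp token invalid"
        if token.signature_hash != H(sig.mac).digest():
            return False, "timestamp token is for a different signature"
        if not token.tsa_cert.valid_at(token.gen_time):
            return False, "TSA certificate not valid at timestamp time"
        signing_time = token.gen_time
    if not sig.cert.valid_at(signing_time):
        return False, f"signing certificate not valid at {signing_time.date()}"
    return True, "ok"


def demo() -> dict:
    """Sign in mid-2019 with a cert that expires at the end of 2019, then verify
    in 2021 with and without a timestamp. All names, keys and dates are constructed."""
    utc = timezone.utc
    signer = Cert("CN=Example Software Ltd", datetime(2019, 1, 1, tzinfo=utc),
                  datetime(2019, 12, 31, tzinfo=utc), b"signer-key-constructed")
    tsa = Cert("CN=Example TSA", datetime(2015, 1, 1, tzinfo=utc),
               datetime(2030, 1, 1, tzinfo=utc), b"tsa-key-constructed")
    artefact = b"MZ\x90\x00 installer bytes (constructed)"
    signed_at = datetime(2019, 6, 1, tzinfo=utc)
    sig = sign(signer, artefact, signed_at)
    token = timestamp(tsa, sig, signed_at)
    later = datetime(2021, 3, 1, tzinfo=utc)
    other_token = timestamp(tsa, sign(signer, b"other artefact", signed_at), signed_at)
    return {
        "at_signing_time": verify(artefact, sig, signed_at)[0],
        "later_no_timestamp": verify(artefact, sig, later),
        "later_with_timestamp": verify(artefact, sig, later, token),
        "tampered": verify(artefact + b"\x00", sig, later, token)[0],
        "token_for_other_signature": verify(artefact, sig, later, other_token)[0],
    }
```

Run `demo()` and the two interesting entries are `later_no_timestamp`, which fails because the verifier can only assume the signature was made "now", and `later_with_timestamp`, which passes because the token moves the validity check back to June 2019. The same model also shows why the TSA's own certificate has to outlive the signer's by a long margin: its validity is checked at `gen_time` too.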

Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication

Andrew Dancy

Yes. They have various backup options including SMS to your phone, scratch codes, etc, but they definitely do bog standard TOTP as I have it on my google account right now.

Andrew Dancy

There's a surprising amount of misinformation and misunderstanding about Google's 2FA here. Probably not helped by the fact 2FA can mean lots of different things to different people and vendors use the term for all sorts of things.

However proper 2FA means RFC 6238, popularly known as Time-Based One Time Protocol (or TOTP for short). This is a standard devised by the Initiative for Open Authentication (OATH - not to be confused with OAuth!) and because it's an open standard there are loads of implementations of it. Google Authenticator and Microsoft Authenticator are the obvious ones, but even something like Symantec VIP (used for PayPal 2FA) is actually a tweaked version of TOTP and can be kludged to let you use a standard TOTP app instead of having to buy a PayPal dongle.

The key thing about TOTP is that it's entirely offline - no need for SMS or an internet connection. You simply put a seed value into your authentication app (usually by means of a QR code) and away you go. Some apps don't let you back up the seed, so the simple answer there is to either save the QR code image file in a safe place, or print it out and stick it in a fireproof safe/leave a copy with your lawyer/insert paranoid method here.

There are also quite a lot of server side implementations of TOTP now, and it's really easy to implement in code as well - there are libraries for all the major programming languages. So really, if you have a website which needs authentication, there's no excuse not to support it.

The latest standard that's emerging is FIDO (also known as U2F) but I personally don't like this one as it requires a physical key/dongle.

Source: I wrote a Windows TOTP server application a few years ago that my company still uses to provide mandatory 2FA for our corporate VPN.

Former Mozilla dev joins chorus roasting antivirus, says 'It's poison!'

Andrew Dancy

Re: Don't tar all AV with the same brush

Fair point, but it's all about making life difficult for the attacker and protecting against 99% of threats. Let's face it - we'll never get 100% perfection but in most cases we don't need that.

Andrew Dancy

Don't tar all AV with the same brush

I tend to agree with O'Callahan to some extent - when it comes to traditional AV. That's increasingly redundant as it won't easily detect new threats until updated, can be exploited, is often bloated, etc.

However in the last few years there have been some interesting next-gen AV products appearing which do seem to still have a place in our battery of security measures. Products like Webroot and Cylance (I'm sure there are others but these are the two I've heard of) which don't just do the traditional scanning of files but also monitor system behaviour. For example if a process suddenly starts writing to lots of different files one after the other, they'll alert to say this might be ransomware encrypting all your files. From that point they'll also log rollback data so that when you say "oh s**t it is ransomware!" they can undo all the changes made by that process, block it and automatically fire a report off to the mothership for analysis.

As has been said above it's all about layers - AV is one part of a solution amongst software restriction policies, firewalls, user education and a large pointy stick.

'Oi! El Reg! Stop pretending Microsoft has a BSOD monopoly!'

Andrew Dancy

A tech variant of trainspotting?

I'd hazard a guess the pic was East Croydon station as they were using the old display system there up until quite recently. If memory serves me it only got ripped out when they filled in the old foot tunnel and put the new bridge in - about 2013 I think.

Tim Cook: EU lied about Apple taxes. Watch out Ireland, this is a coup!

Andrew Dancy

Re: Just dumb

I'm pretty sure you'll find Romania is 16% as they have a flat tax - corporation tax, income tax, tax on self employment, etc are all the same rate - 16%. Nice and simple and virtually impossible to avoid.

C For Hell: Data centre meltdown for irate customers as C4L GOES TITSUP

Andrew Dancy

Re: @AC

Agreed - didn't mean to say it was their fault as it does look like a Juniper issue from what has been said so far. I was just commenting on the ironic timing. I've always taken the view that everyone in the IT industry is going to have problems some day, it's how they deal with them that matters and so far (to an outsider) their communication has been reasonable.

Virgin Media broadband goes titsup for 3 hours

Andrew Dancy

We had a National Ethernet line out for about 90 minutes in the end. What was frustrating was that we couldn't get through to Virgin and nor could our hosting provider (who supposedly have direct access to senior Virgin technical contacts). We ended up getting our info from a combination of the UKNOT mailing list and the Andrews & Arnold IRC chatroom.

We eventually found out from other sources that a router overheated in their Poplar POP. They failed over to a standby router, but after about 30 minutes that one went bang as well apparently.

The Linx issue was separate, as mentioned previously.

Still, to be fair to them (and believe me that's difficult!), it's the first outage of the Ethernet service we've had since it went live about 9 months ago...

BBC website now unbroked

Andrew Dancy


The BBC website hosting isn't done by Siemens now is it? According to Lord Gnome's wonderful organ they have been doing a less than stellar job with the rest of the BBC tech infrastructure recently...

BT's great hole of Ilford still causing grief

Andrew Dancy

Pics of the damage

Apparently pics of the damage can be seen here: http://www.flickr.com/photos/23919135@N00