Posts by Andrew Dancy

Re: Clearing up some misconceptions

That's covered - there are rules that cap the amount that you can claim for R&D done by another company, and there are also rules around 'connected parties'.

Also, a couple of years ago they came up with a clever way to further reduce misuse - when you claim for R&D you can either take a deduction on corporation tax payable or surrender the relief for a cash credit. If you choose the latter the cash is now capped at 3x your total PAYE/NI bill for the year. Don't employ any staff and thus don't pay much tax? Fine, you'll only be able to claim a very small cash credit, so all you'll be able to do is carry forward the loss. Don't make a profit for three years? You then lose the carried forward losses.

Re: Lawyers

The Solicitors Regulation Authority (who are the body who actually regulate solicitors - the Law Society are more like a trade body or union) are investigating, but their work is likely to be kept completely under the radar until they are ready to refer cases to the Solicitors Disciplinary Tribunal.

Moreover if there are potential criminal charges then that will delay things as the SRA will have to let any criminal case go first.

Re: Can we apply pressure to the big 10?

I'm sure I have seen somewhere that a number of the big 10 (I believe it's several of the foreign owned ones) have long-standing policies to abstain from all votes on the basis it would be inappropriate to get involved in the running of foreign infrastructure.

Re: Start blaming the governemnt for the spread of Covid-19.

Look, I'm one to give the Government a kicking as much as the next man, but only when it's deserved. There are some pernicious false facts doing the rounds which everyone repeats as gospel - I'd expect better of El Reg readers. Please, please don't just repeat so called facts without actually checking first.

The actual cost of Test and Trace (it's not called Track and Trace, that's a deliberate mis-naming by people who peddle the misleading information to remove the Test bit) is £4bn . The £22bn was what has been allocated for the entire Covid response, not just Test and Trace, and only a portion of it has actually been spent.

Of the £4bn almost all has been spent on the Test element of Test and Trace - for example setting up the labs that process the PCR swabs in all four home countries cost about £1.6bn. Then there's each test - there have been about 90m tests and it's estimated each test costs about £10-20 in total.

And don't get me started about the lies people peddle about the NHS app...

No idea what the other apps are doing, but as you say it may be down to less opportunities for exposure.

And yes, good spot - either 'less sensitive' or 'more specific' - take your pick!

Re: Background listening

Unfortunately there was one in 2013 as a direct result, and at least one more is known to be very likely to be linked to this scandal.

Re: Does Zoom count as critical now?

Zoom made a breaking change in their backend (I believe it's to do with an encryption change) which meant they had to force-upgrade everyone to Zoom 5. There was a one month window after Zoom 5 first launched, but the backend was cut over on May 30th at which point anyone on older Zoom would no longer be able to connect. Sounds like for some reason your tablet was still trying to download an old Zoom client.

Some facts

I'm not impressed with Kieran's article and it's causing a lot of confusion and concern (as many other sites are just copy/pasting the information without checking). I know I'll get downvoted for this but here's some facts to clear up a lot of the wilfull mis-information doing the rounds.

1. No, the app was not developed by Cambridge Analytica or Dominic Cummings or Marc Warner or anyone like that. People who jumped on that bandwagon mis-understood a different NHS contract. The app has been developed by Pivotal (part of VMWare) along with NHSX's in-house team.

2. No you don't need the app running in the foreground. The iOS app uses some clever techniques to allow it to run just enough in the background to be able to continue functioning. The Android app has some nifty code to allow it to parse the iOS bluetooth beacon format to maintain cross-app compatibility

3. The app does not track your location. The Android app only asks for location services because for some insane reason Google decided that Bluetooth permission is tied to Location (e.g you have to ask for the latter in order to get the former). The iOS app does not ask for location permissions and the Android app does not actually use location data.

4. The app appears to be well written and uses good security practice (strong crypto, certificate pinning, UK hosted API endpoints, etc). There have been some false tweets about the crypto not being secure but that's based on a mis-understanding of how APK was decompiled.

Disclaimer - I'm not involved in any way with the app, I'm director of a company which spent a lot of time yesterday pulling the app apart to see how it actually ticks.

Re: And in other news...

To be fair, it's just an implementation of TOTP (so you can use any TOTP app such as Google Authenticator, you don't have to use the Microsoft one. It still means the seed values are known by Microsoft so it's probably not perfect for tinfoil hat types, but it's certainly better than SMS based authentication which is trivial for a major player to compromise.

Re: Gap in the market?

Sadly not, although that does give a wonderful mental vision!

I meant more Alec Guinness...

We've just gone through Cyber Essentials Plus and the assessor did check that all company mobiles were running the latest patched version of the OS (in our case iOS). He used a combination of reporting from our MDM system plus spot-checking a few devices at random.

I can thoroughly recommend CE and CE+ as it's not too onerous and for once it seems to actually focus on real-world risks (e.g checking that your perimeter firewall actually blocks malicious URLs, your AV stops dodgy attachments, your users don't run as admin and you can't run downloaded exe files without a warning).

The one that caused us some problems (and it's actually a good one) was although we'd patched systems up to date, there are some Microsoft patches that only actually apply if you make a registry change. Thus we failed as the scanning software correctly reported that some of the patches weren't live. The solution there was to push the relevant registry key via Group Policy.

Re: BoE IT systems

Until a few years ago they actually had several thousand direct customers as staff and pensioners had accounts with the Old Lady. No credit card, but a rather fancy cheque book with sort code 10-00-01 . And back in the good old days they had ridiculously cheap loans and mortgages. Mind you no chance of an overdraft facility - if you went a penny overdrawn you'd get a polite but formal letter telling you not to do it again.

They also used to have a number of commercial accounts for Government departments such as HMRC

All scrapped by Mervyn King as part of his drive to turn the bank into a giant economics thinktank and get rid of everyone actually interested in banking. This after a certain Scottish chancellor shafted Eddie, the previous governer, by removing all the regulatory bits and handing it to the idiots in the FSA.

Re: Enforced updates?

+1 - we always timestamp as part of our code signing process as otherwise you get exactly this issue - when your cert expires anything signed with it won't know that the cert was valid at the point it was signed.

The only problem you sometimes get is that the main timestamping servers run by all the big CAs are notoriously flakey and completely unsupported - if they break then you just have to find another one. Not helped by the fact that Authenticode signing uses a different method of timestamping from pure RFC3161 and not all timestamp servers support both formats.

What we really need is someone to offer cheap signing certs and provide a decent reliable timestamping server. Unfortunately LetsEncrypt have said they don't want to go into that area as they would be the obvious choice...

Yes. They have various backup options including SMS to your phone, scratch codes, etc, but they definitely do bog standard TOTP as I have it on my google account right now.

Re: Don't tar all AV with the same brush

Fair point, but it's all about making life difficult for the attacker and protecting against 99% of threats. Let's face it - we'll never get 100% perfection but in most cases we don't need that.

A tech variant of trainspotting?

I'd hazard a guess the pic was East Croydon station as they were using the old display system there up until quite recently. If memory serves me it only got ripped out when they filled in the old foot tunnel and put the new bridge in - about 2013 I think.

Re: Just dumb

I'm pretty sure you'll find Romania is 16% as they have a flat tax - corporation tax, income tax, tax on self employment, etc are all the same rate - 16%. Nice and simple and virtually impossible to avoid.

Re: @AC

Agreed - didn't mean to say it was their fault as it does look like a Juniper issue from what has been said so far. I was just commenting on the ironic timing. I've always taken the view that everyone in the IT industry is going to have problems some day, it's how they deal with them that matters and so far (to an outsider) their communication has been reasonable.