* Posts by flibble

36 publicly visible posts • joined 28 May 2010

On the 12th day of the Rackspace email disaster, it did not give to me …

flibble

Re: Right.

"Unless the ransomware was installed much earlier and waiting for the command signal."

That doesn't really matter? The backups will still contain the data. Might mean you have to do a partial restore (to avoid restoring the ransomware), but there wouldn't be any data loss.

Rackspace rocked by ‘security incident’ that has taken out hosted Exchange services

flibble

Re: It's all down

As an update (for one of my contracts I have a mail account that was hosted on Rackspace, indirectly via another managed service provider) our service provider managed to complete the transition of the domain over to O365 yesterday and sent us all new login details and we're now receiving new emails fine.

We're expecting that everything sent between sometime Thursday and the DNS updating sometime on Sunday has been lost, in most cases unrecoverably - in some cases the sender will have got an 'undelivered message' report.

I was using a local mail client (MacOS Mail) so it had all my older messages locally and I was able to copy them all to a local mailbox before deleting the old account (a necessary step, as MacOS Mail only allows you to have one exchange connection for each account) and then setting up a new account using the new login details.

My colleagues that were using OWA (Outlook Webmail, basically) have no access at all to emails prior to the outage. It's not clear if we'll ever get access to those old emails, but if we do my best guess is it'll be weeks away.

We've no idea if any data was accessed by the attackers.

flibble

Re: It's all down

Surely the correct answer is “we got one of our other teams to spin up a bunch of SMTP relays to queue the mail so nothing will be lost”?

flibble

It's all down

"Some of Rackspace’s hosted Microsoft Exchange services have been taken down by what the company has described as a “security incident”."

As I understand, all hosted Microsoft Exchange services have been taken down for all customers.

Only some customers are directly affected by the "security" incident; i.e. only some customers will suffer data loss or stolen data.

Most disappointing was the poor communication from Rackspace - it was about 24 hours from the first outage to the time they admitted they'd taken servers down themselves, and all that time all they said was they were "investigating".

This is my favourite part of the question/answers:

"Will I receive mail in Hosted Exchange sent to me during the time the service has been shut down?

Possibly"

Atlassian comes clean on what data-deleting script behind outage actually did

flibble

Re: Yeah, their DR window wasn't accurately or clearly communicated to their customers

"What if it wiped the lot?"

They have an automated DR recovery for full recovery, so that would have gone much better. The problem here was the need to restore only some of the data, which they didn't have any automation for.

Compsci student walks off with $50,000 after bug bounty report blows gaping hole in Shopify software repos

flibble

Really a large flaw in github

I think anyone that has authorised external services to access GitHub one way or another has run into this issue if they're paying attention. I've had to create secondary GitHub accounts (with more limited permissions) multiple times to be able to generate tokens with sufficiently limited privileges (or at least not massively overreaching permissions), and having that many extra GitHub accounts hanging around creates other potential problems.

It's something GitHub really need to address. There are a lot of tokens out there, it's pure luck that there haven't been more incidents.

BT providing free meals to coax its healthy customer support staff back into office as calls rocket amid pandemic

flibble

Re: WFH

It's nuts. Either they're wilfully ignoring government guidance due to egotistical / incompetent management, or people really can't work from home due to incompetent management that haven't heard of things like business resilience planning.

As you note, it's particularly ironic given BT advertise themselves as experts on deploying remote working.

Whatever the reason, you can pretty much guarantee at least one of the call centres is going to be a new epicentre for COVID-19 infections and put extra unnecessary pressure on the NHS - thanks BT!

IBM veep partly blamed Sopra Steria for collapse of £155m Co-Op Insurance Agile project

flibble

Re: Poor user documentation?

It probably depends how good the bug reports are.

If it was a good bug report, it makes very clear what the alleged defect is, then someone aware of the specification (assuming such a thing existed in this 'agile' project) could close the defect off fairly easily.

About 80% of the defects I see from customers are "Printing doesn't work in release 4. We checked release 3 and it doesn't work there either." - even though I know release 3 went through a full test where **the same tester** verified printing was working. Defects like that tend to take a ridiculous amount of back and forth to eventually discover that the defect is "printing doesn't work when the printer driver isn't installed" or something equally ridiculous. And then release 5 goes into test and a "Printing doesn't work in release 5" defect gets raised... welcome to my personal hell.

Auf wiedersehen, pet: UK Deutsche Bank contractors plan to leave rather than take 25% pay cut for IR35 – report

flibble

"We can be let go at a moment's notice."

So can employees (albeit with notice pay, but many contractors have notice periods in their contracts too - though some contractors no longer include them in contracts due to concerns about IR35).

"We can be held financially liable for mistakes or bad work."

So can employees. It's very rare that either are actually sued, and the majority of contractors are insured against the risk so there's no actual risk.

"Market conditions can change, benching us for months at a time."

This happens to employees too.

"If we are sick, we get nothing."

Statutory sick pay is £94.25 per week - or annually less than £5K. It's better than nothing, but nowhere near enough to live on. Both employees and contractors are generally advised to insure against getting sick. (Some employers do pay full pay to employees off sick, though usually only for a strictly limited period of a few weeks a year.)

"Clients can decide not to pay us."

Happens to employees too. In both the contractor and the employee case it rarely happens.

"Clients can go bust, leaving us unpaid."

Happens to employees too. (They can usually reclaim some money from the Insolvency Service, though anyone on over £28K will not get the payments capped as if they only earned £28K.)

"Agents can decide not to pay us."

"Agents can go bust, leaving us unpaid."

I'll give you those two. They're relatively rare though, and not all contractors work through agencies.

flibble

Re: I currently collect £24k VAT

You compared £51k of tax going to the Treasury in the contractor situation to £23,755.34 in the permie, whereas the correct comparison is £27,000 vs £23,755.34 due to the treasury paying the £24K in VAT back to the client.

There's then the harder question of whether that comparison is valid at all, given I believe it's compared an employee on £60K with a contractor billing £120K+VAT. The tax take from the employee is 40% of income (£23,755.34 divided by £60,000) whereas for the contractor it is 22.5%. Many people would say that means the contractor is paying less tax.

UK contractors planning 'mass exodus' ahead of IR35 tax clampdown – survey

flibble

Re: Anonymous Contractor

Yes, essentially you're going on the lines I meant. I don't think there's many contractors on £200 per day so it's probably more realistic to compare a higher figure, and (on reflection) it's likely best to compare similar take home pay/benefit. 220 days is probably slightly on the low side too as that's more "days off" than an average permie takes I believe - but your figure is justifiable if (say) the contractor is doing training on their own time (something the genuine contractors often do, but the people that are really 'disguised employees' tend to do less in my opinion).

It's really hard to come up with hard figures due to all the variables. As I mentioned in another post, the contractor calculator is quite biased towards being pessimistic for the contractor case due to the narrative they want to put across - once you add in the flexibility of the outside-IR35 contractor (i.e. ability to defer earnings to later tax years if they want, closing company & taking profits at the 10% entrepreneurs rate, using lower tax rates of other family members, more flexibility over pension payments, deferred payment of tax, reclaiming travel expenses to their "temporary" place of work, etc) it can easily skew towards the contractor - depending on the generosity of the employee's benefits and how much the person values those benefits.

flibble

" It really doesn't make sense to tax someone as an employee when they don't get the benefits of full employment."

Can you explain why this is please? Our tax system is mostly trying to be based on tax paid being related to how much you earn, not the details of the contract between you and the company paying you. Surely what benefits you are / aren't getting are something you negotiate when agreeing on the T&Cs and the rate? Should employees earning the same pay different rates of tax depending on whether they've negotiated 30 or 60 days of paid holiday a year?

flibble

Re: re: contractors are not prepared to be unfairly treated

" To say contractors get paid double a permie is nonsense"

It's not necessarily nonsense, it just turns out it applies to some situations and not others. I've found it's a reasonable rule of thumb (and it's generally comparing gross salary to gross day rate), though it can fall over if the employee benefits are generous and are things you want (I suspect many contractors choose not to get private medical cover). Sounds like the permie position works well for you - congrats!

flibble

Re: Anonymous Contractor

"We, contractors, pay more than 3.3% in effective tax” than permies (https://www.contractorcalculator.co.uk/comparing_taxes_contractors_versus_employees.aspx) More when you also include VAT."

Why would you include VAT given it's paid by the client? (and in most cases then claimed back by the client, it's a zero sum game).

As for the 3.3% - sure, that does appear to be accurate in the very specific situation that contractorcalculator outlines, which to some extent is biased by the narrative they want to create. In reality, the majority of us know the outside-IR35 contractors (particularly the higher paid ones) do better in most situations - e.g. pension contributions made direct from a company avoid NI that the employee can't (unless their employer operates a salary sacrifice scheme, which many don't and even if they do is less flexible), reclaiming travel to "temporary workplaces", the PSCs that pay dividends to family members other than the fee earner, deferring income, extracting profits by closing company & claiming entrepreneurs relief, and so on.

flibble

Re: Anonymous Contractor

"I made the jump to contracting and I pay 5 times as much tax as I did as a permie and jumped from paying 25% of my income as pay to 32%.

Under which metric would you say I'm paying less tax?"

Under the metric where your situation is compared to a permie with the same take home pay (or the same gross earnings) - including adding in any benefits like pension. That is after all the ethos of our tax system - the amount of tax paid is intended to be proportional to what you earn.

I presume someone will now respond saying "ah, but the permie gets holidays". That's right, but why should whether the person gets paid holidays or not affect how much tax they pay? And that "paid holiday" is taxed, it's not like it's a tax free benefit.

In my opinion the tax system is just far too complex; it'd be better to go back to a significantly simpler system - e.g. entirely dump all the nonsense of employee NI and roll it into income tax.

GlaxoSmithKline ditches IR35 contractors: Go PAYE or go home

flibble

I’m unsure if you meant the above literally, but if you did, the actual guidance seems to disagree - the default position if a contract is found inside IR35 is that the company receiving the service will make some tax deductions but otherwise pay the payment to the contractor’s own company as before:

https://www.gov.uk/guidance/april-2020-changes-to-off-payroll-working-for-intermediaries#your-responsibilities-from-6-april-2020

In many ways the end effect is the same as if the service company did not exist though, and admittedly in the case of a contractor only having inside IR35 contracts then it doesn’t make sense to have/use a PSC in most cases.

It’s important to remember though that there are few if any inherent reasons why a person who does not receive holiday pay should pay less tax than an employee who does. The lower costs for the employer by not paying holiday pay etc should be catered for in the pay the former person negotiates, giving them extra income to compensate for the lack of benefits.

Dropbox would rather write code twice than try to make C++ work on both iOS and Android

flibble

The qualifiers in the original sentence are I believe important; it's not that Swift generates more efficient, compact code than C++, it's that it's far easier to do so in Swift and that Swift has far fewer ways for junior to mid-level devs to shoot themselves in the foot. Swift I believe also has a much richer set of standard libraries than C++, which removes lots of need for pulling in third party code - e.g. Swift has a built in for handling URLs, I'm pretty sure C++ still doesn't.

If you're writing high frequency trading code, C++ is definitely where it's at. If you're writing run of the mill mobile apps, you'll get far more done with fewer bugs using Swift. Automatic reference counting is a massive improvement over manual memory management - less code and fewer bugs, and wins over GC on performance, peaks, efficiency, etc.

Even on mobile, there are cases where C++ makes sense. It's all about using the right tool for the right job. The original article from Dropbox makes a number of very good points.

(Aside: I'm unsure if by 'compact' the OP meant 'small compiled binary' or 'without unnecessary boiler plate in the source code'.)

World's favourite open-source PDF interpreter needs patching (again)

flibble

Re: I ain't afraid of no ghosts

Which one exactly are you suggesting people use that's preferable?

e.g. the gnu fork doesn't seem to have changed since 2014, so I would presume is exploitable using the majority of the last 5 years of bugs found: http://git.savannah.gnu.org/cgit/ghostscript.git/commit/

Upgraders rejoice! The 2018 Mac Mini heralds a return to memory slots!

flibble

That's a SATA SSD though, and a 7 year old one at that.

Macs use PCIe connected SSDs these days, as do most other laptops. A 480GB Corsair MP510 has 3480MB/s read, 2000MB/s write, and at £118 (according to Scan) is less than a third of the price of the 512GB *upgrade* for the Mac mini (which will set you back £360).

I'd be quite happy with a Mac mini that used a standard PCIe flash card. It's not clear why Apple feel the need to solder the flash storage to the motherboard on desktop PCs.

When something's weird in your ImageMagick upload, who ya gonna call? Ghostbusters!

flibble

Re: This cannot be good

I don't know if it's the case or not, but your post makes it sound like you're running ghostscript on essentially untrusted input and that you're giving it significantly more permissions than it needs to perform the conversion (ie. it has permissions to access other data on your system).

ghostscript may have bugs in its implementation, but if the above is true then in my opinion you have an issue in your architecture. Isolating the conversion into a service that has no more permissions than necessary would make a lot of sense to me - i.e. the 'screambox' anonymous coward suggests in the next post.

That said, my understanding is these exploits apply to postscript interpretation, so if you are correctly invoking ghostscript's PDF engine then these bugs may not affect you.

GDPRmageddon: They think it's all over! Protip, it has only just begun

flibble

HSBC not wanting to comply with GDPR

I've already made my first GDPR data portability request, to HSBC - requesting nothing more than all the readily available transaction data from my current account. The GDPR requires them to supply this in a 'structured, commonly used and machine readable format' - I suggested csv.

They've replied saying I have to either send the request via snail mail to their DPO or make the request whilst physically in a branch - whilst the ICO is quite clear you can make your request in any fashion (including via social media!), and other than verifying your identity a company must accept requests made in pretty much any fashion. (I made my request via secure messaging after logging into HSBC's online banking portal including 2FA, so my identity is in no way in doubt.)

I've replied pointing out that their attempt to delay my request is contrary to the law, and eagerly await their next delaying tactic.

All I want is my transactions in a way I can put them into Excel so I can search/filter them, as that makes it simpler to complete my tax return. If the banks hadn't insisted on almost completely crippling midata then I'd have been able to get this data without a battle. There's so many different ways that banks could have easily made customers' data accessible that they just have themselves to blame if they receive many GDPR related fines over the coming months.

BT plots to slash pension benefits for 32,000 staff

flibble

Re: "making sure they remain affordable to the company"

"Ahhhh, screw the workers then"

Well yes and no - what do you think happens if the scheme becomes unaffordable to the company? I'm pretty certain it means that the workers get screwed, just in a different and less expected way - ie. mass redundancies, or the company ultimately going bust and the pensions ending up in the Pension Protection Fund.

It's a difficult balancing act. Have BT management got it right? No idea, there doesn't seem to be anywhere near enough data published to make a judgement on that, but I'm pretty certain they're right to consider whether the scheme is affordable to the company in the medium-long term, and I hope they and the unions have a proper balanced discussion about how to ensure that.

flibble

Well, here's the thing - you're welcome to make that offer to pay a fraction of what BT is asking, and they are at liberty to decline it and cancel your service.

Employees of BT have that same choice - if what BT are offering in terms of pay and benefits doesn't properly reflect your value, you have the right to find an employer that does correctly value you. (It's also important to note that all the benefits already accumulated, and those accumulated up until any changes come in, are not going to be changed - as I understand it, this is about how future benefits are earned.)

If BT are undervaluing their staff, then this may come as quite a shock to them if a significant percentage ups and leaves....!

flibble

Woah, BT still had an open defined benefits pension scheme?

Frankly I'm astonished that BT still has such a scheme that (apparently?) was/is still open to new joiners?

These must be as rare as hen's teeth these days - certainly I've never worked at a company that has one, and there's absolutely no way my current company could even come close to affording to set up such a scheme.

I'm sure it won't be a popular opinion, but with ever increasing life expectancies keeping such a scheme open (on the same terms/benefits/payments as historically) would have essentially been a huge pay rise for the staff and some very quick back of the envelope calculations pretty strongly indicate that BT has no choice but to change things if they want to remain competitive. They've already effectively admitted that they need to build out a full fibre network and retire their copper network - and that puts them in direct competition with new comers like cityfibre, hyperloop and so on that are building full fibre networks and have none of the historical baggage or regulatory constraints that BT has.

From the union's statement, it's unclear if they actually recognise the reality of the situation and are prepared to make compromises to ensure the long term survival of BT.

Payroll glitch at DXC leaves former staff in employment limbo

flibble

Payments in lieu of notice would (I would think) be deemed payable on the day employment ended, and hence taxable then. The tax treatment of PILONs is even more complicated as they can sometimes be tax free.

If you instead remain employed for your notice period, the pay would (as you say) be taxed in the new tax year, and it would extend the period you were employed by the company, and legally you generally couldn't start a job with a new employer till the end of the notice period (unless you arrange with them to leave earlier, in which case they may well argue they don't need to pay the rest of your notice pay).

Employers generally do the former as they'd rather just end the employment relationship asap.

flibble

Redundancy pay (up to £30K) is tax free; the article seems to be referring to amounts that were taxable but were taxed at a potentially incorrect rate - ie. other amounts like notice pay, pay for holidays accrued but not taken, and so on. If your employer is well organised and the amounts are due before your leaving date these are often/usually taxed on a normal tax code rather than an emergency one.

flibble

I don't remember that being mentioned in the article - are there more details somewhere?

I think this is where it gets complicated, and goes slightly beyond what I've experienced (as a business owner that has to deal with all this paperwork from the other side).

It's not that unusual for a P45 to be issued in a different tax year to the leaving date; it's the leaving date that's important rather than the issue date. (Issue date is at the lower right of Part 1A, the leaving date is in box 4.)

Is there any discrepancy between when the pay was *due* and when it was paid? It sounds like (given the leaving date was March 31 according to the elreg article) the payments may have been due then, so should (probably) be taxed when they were due, ie. the previous tax year, regardless of when they were actually received by the ex-employee.

In theory some of this should be less of a problem now than historically, as RTI means information is sent to HMRC in real time. In practice I'm not sure it's actually playing out like that.

flibble

So whilst this sounds like a disorganised clusterf*ck, based on my understanding the P45 situation and tax situation sound correct. It's perfectly legal to issue a P45 before all redundancy payments are made, and any payments made after the P45 is issued must be taxed on the emergency tax code (0T). The employer MUST NOT issue more than one P45, and the timing the P45 should be issued with depends on when the employment legally ends (which again, may well be before all payments are made).

The employee can reclaim any overpaid tax (due to the 0T code) from HMRC.

I'd suggest the affected people get advice from ACAS.

UK.gov departments accused of blanket approach to IR35

flibble

Re: Stop taking the p***

If the permie salary is exactly the same as the contractor would take home for the same work, then you're better off taking the permie role! IT contractors usually attract a higher rate of pay than permies, for various reasons.

The key point however is that none of the items you mention (holiday pay, sick pay, pensions) are funded from taxation (sick pay used to be state funded, but for many years now it's been a cost to the employer in almost all cases).

The state pension is different of course, and most IT contractors will be entitled to a full state pension due to the quirky way National Insurance works.

(For completeness, there are a couple of minor quirks, eg. paternity pay, though the amount the state pays is trivial compared to an IT contractors rate so it's essentially inconsequential.)

The question then becomes: why should a contractor pay less tax than a permie, for the same take home pay, when the contractor is actually getting essentially the same benefits from the state as the employee does?

The generally trotted out answer is because the contractor is taking more risk; but that's why they charge more than permies.

I've been on all three sides of this (ie. an employer, an employee and an IT contractor); my main conclusion is the income tax system in this country needs to be massively simplified. National Insurance is now basically nothing more than a tool used by politicians to keep people in ignorance of the real tax rate they're paying.

Ofcom wants automatic compensation for the people when ISPs fail

flibble

Ofcom really seem to have missed the mark on this one.

The ISPs are at the mercy of either BT Wholesale or OpenReach, and there is nothing in this proposal that will force those two companies (both of whom have a pretty solid monopoly) to change their behaviour or actually allow the ISPs to negotiate fair contracts.

Yes, there's the occasional case where the ISP themselves make a mess of things, but compared to the mess OpenReach make it's incomparable (not to mention the amount OpenReach/Wholesale charge for fixing faults that should not even be chargeable).

The best laugh is the £30 compensation for missed appointments. Even if you're just on the living wage, a day's holiday essentially has a cash cost to you of over £60, and an actual value of far more. Conversely, if BT OpenReach turn up and you've popped out, they charge you/the ISP (IIRC) £130+VAT. That kind of asymmetry is a sure sign of an abusive and unfair monopoly.

(Yes, I've responded to the consultation to say this. I'd implore everyone else to do so too.)

D-Link sucks so much at Internet of Suckage security – US watchdog

flibble

Re: WTF

"Complaint is not on CVEs. Complaint is regarding misrepresentation"

The complaint does (essentially) cover CVEs /as well as/ misrepresentation.

To quote 'Count 1' from the actual court filing (linked from the article):

"In numerous instances, Defendants have failed to take reasonable steps to secure the software for their routers and IP cameras, which Defendants offered to consumers, respectively, for the purpose of protecting their local networks and accessing sensitive personal information."

Google's Grumpy code makes Python Go

flibble

Re: Yes, its you.

"Is using pthreads REALLY so hard?"

From my experience of reviewing code other people have written that uses pthreads over the last 18 or so years: Yes.

pthreads has the building blocks there, but they're error prone, poorly thought out, and use concepts that are too low level to be directly useful.

An example: condition variables. Almost everyone that uses them wants a process-scope semaphore (unix semaphores are an optional part of POSIX iirc, and certainly NOT part of pthreads). Almost everyone that uses them gets the implementation details wrong, by either handling the related locking wrong, or not correctly dealing with false wakeups, or not holding the lock whilst signaling, etc, etc.

pthread_detach is another example of a tool that's often wielded but ends in tears half the time.

The sad fact is, the majority of software developers out there can't use pthreads correctly. When that many get it wrong, the problem is IMHO not the developers.
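As an added example (not code from the original comment, nor from Google's Grumpy project), here is the condition-variable pattern the post above says people get wrong, done the way it has to be: a counting semaphore built on a pthread mutex and condition variable, re-checking the predicate in a `while` loop so spurious ("false") wakeups and competing waiters are handled, changing state and signalling only while the mutex is held, and joining the workers rather than detaching them. The `csem_*` names, the worker, and the demo parameters are this example's own.

```c
/* Counting semaphore on top of pthread_mutex_t + pthread_cond_t.
 * Example code written for this page; names (csem_*) are hypothetical. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    pthread_mutex_t lock;
    pthread_cond_t  nonzero;   /* signalled when count goes 0 -> 1 or more */
    unsigned        count;
} csem_t;

int csem_init(csem_t *s, unsigned initial) {
    if (pthread_mutex_init(&s->lock, NULL) != 0) return -1;
    if (pthread_cond_init(&s->nonzero, NULL) != 0) {
        pthread_mutex_destroy(&s->lock);
        return -1;
    }
    s->count = initial;
    return 0;
}

void csem_destroy(csem_t *s) {
    pthread_cond_destroy(&s->nonzero);
    pthread_mutex_destroy(&s->lock);
}

/* Decrement, blocking until count > 0. */
void csem_wait(csem_t *s) {
    pthread_mutex_lock(&s->lock);
    /* 'while', not 'if': pthread_cond_wait may return spuriously, and another
     * waiter may have consumed the count between the signal and our wakeup,
     * so the predicate must be re-checked every time we come back holding the lock. */
    while (s->count == 0)
        pthread_cond_wait(&s->nonzero, &s->lock);
    s->count--;
    pthread_mutex_unlock(&s->lock);
}

/* Increment and wake one waiter. The state change and the signal both happen
 * under the mutex, so a waiter cannot observe count == 0, be preempted, and
 * then block after the signal has already been sent (a lost wakeup). */
void csem_post(csem_t *s) {
    pthread_mutex_lock(&s->lock);
    s->count++;
    pthread_cond_signal(&s->nonzero);
    pthread_mutex_unlock(&s->lock);
}

/* Demo worker: consume n units from the shared semaphore. */
struct worker_arg { csem_t *sem; int n; int consumed; };

static void *worker(void *p) {
    struct worker_arg *a = p;
    for (int i = 0; i < a->n; i++) {
        csem_wait(a->sem);
        a->consumed++;
    }
    return NULL;
}

/* Start 'workers' consumers, post workers*per_worker units, join, and return
 * the total consumed (equals workers*per_worker when nothing is lost).
 * Workers are joined, not detached: that gives a defined lifetime for their
 * argument structs and a point at which their results can be read safely. */
int csem_demo(int workers, int per_worker) {
    csem_t sem;
    if (workers < 0 || per_worker < 0 || csem_init(&sem, 0) != 0) return -1;
    pthread_t *tids = calloc((size_t)workers, sizeof *tids);
    struct worker_arg *args = calloc((size_t)workers, sizeof *args);
    if (!tids || !args) { free(tids); free(args); csem_destroy(&sem); return -1; }

    for (int i = 0; i < workers; i++) {
        args[i].sem = &sem;
        args[i].n = per_worker;
        if (pthread_create(&tids[i], NULL, worker, &args[i]) != 0)
            abort();  /* demo only: thread creation failure treated as fatal */
    }
    for (int i = 0; i < workers * per_worker; i++)
        csem_post(&sem);

    int total = 0;
    for (int i = 0; i < workers; i++) {
        pthread_join(tids[i], NULL);
        total += args[i].consumed;
    }
    free(tids);
    free(args);
    csem_destroy(&sem);
    return total;
}

int main(void) {
    printf("consumed %d units\n", csem_demo(4, 1000));
    return 0;
}
```

Build with `cc -pthread` on older toolchains; on glibc 2.34 and later pthreads is part of libc. The only behavioural difference from the "almost right" versions seen in review is the `while` around `pthread_cond_wait` and the signal being issued before the unlock; remove either and the code will pass most runs and deadlock on the rest.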

In its current state, Ubiquiti's EdgeSwitch won't have much of an edge on anyone

flibble

Firmware/reliability issues put me off ubiquiti kit

This seems to be a bit of a theme with the ubiquiti kit; decent hardware (for the money) but overall difficulty getting things actually working properly. It's disappointing to hear these issues spread out to the switches too.

I have a single unifi WAP and it appears to work great - significantly more reliable than the built in wifi on the Vigor which it replaced. I've been hugely put off deploying anything further though as it seems unifi have persistent issues with firmware, where things frequently only work in beta firmware, but often the beta breaks other things.

Roaming seems to be a particular issue that unifi simply haven't been able to get working reliably; there's a ton of complaints out there including this sequence:

http://www.revk.uk/2016/08/iphone-unifi-dhcp-issue.html

http://www.revk.uk/2016/08/maybe-it-was-unifi-after-all.html

http://www.revk.uk/2016/09/unifiapple-getting-worse.html

If someone with the experience & connections of revk can't get roaming working reliably in a pretty simple domestic environment, what chance do the rest of us stand?

I'm still looking out for a reasonably priced range of WAPs that work reliably and actually roam properly (suggestions welcome).

Nuisance caller fined a quarter of a million pounds by the ICO

flibble

According to the statement of affairs on companies house, the company also owes £75K in VAT to HMRC, approx 8K in PAYE and various other amounts including apparently business rates - and has absolutely no assets.

It smells like there's an awful lot more to this story. The law allows directors to be held personally liable for company debts - without more details it's hard to see if those fully apply, but it would seem the small number of cases where the ICO or HMRC actually try to hold the directors personally liable is not a sufficient deterrent to prevent behaviour like that seen here.

Doc develops RSI-reducing rolling mouse

flibble
Unhappy

Doesn't seem to ship to the UK

If there's a UK shipping option on their website I can't see it - I get sent to amazon.com, which refuses to ship the mouse to a UK address.

iPad queues worldwide

flibble

queues in Glasgow? er no...

Not sure when that Glasgow photo was taken, but at 9:30AM there was no queue and you'd be in and out with an iPad in 5 minutes. There were a few bemused looking photographers at the store entrance though.