* Posts by NeverMindTheBullocks

45 publicly visible posts • joined 10 Dec 2010

Facebook, WhatsApp, Instagram deplatform themselves: Services down globally


Re: Scuttlebutt in the tech community on twitter is that it's a BGP issue.

Starting to get corroboration of this in the media.



Re: Scuttlebutt in the tech community on twitter is that it's a BGP issue.

Every single FB tracking cookie or other service on the internet simultaneously trying to phone home and getting no answer, so trying again, and again, and again....


Scuttlebutt in the tech community on twitter is that it's a BGP issue.

Allegedly they stopped advertising their BGP routes for reasons unknown atm. They can't get in remotely to fix it because they can't route to the network.

Add to this the security system that controls access to the building needed depends on their LDAP servers, which are inaccessible, so they have also locked themselves out physically.

Internal Comms are down because the corporate comms solution is FB Messenger and WhatsApp so no-one can talk to anyone else easily to come up with a solution.

This could take a while.

BOFH: On a sunny day like this one, the concrete dries so much more quickly


Re: Informal poll on whether you've ever had to do something like this

No so much Resurrection as Resuscitation.

In the dim and distant past I did a stint as a support bod at a large London investment bank.

As part of their BC/DR processes we were scheduled to come in over a weekend to carry out a controlled power down of the data center under simulated outage conditions. Building power isolated, Switch to generator power, fail over to the remote DC somewhere in Hertfordshire, onto battery backup (they had an entire sub-basement full of lead acid battery's on heavy duty racking) and then gracefully power everything down before bringing building power back online, recovering the DC and re-connecting to the remote DC to resync everything.

All went well with the shut down, UPS took the load as the building power was cut. Generators came on line and ran for an hour before being shut down again and leaving the building on battery power while we ran through the shutdown routine for the DC.

The problem came when we started powering the kit back up. Most of the servers came back just fine

but the rows of cabinets containing a couple of hundred IBM PS/2's performing non-essential (i.e. not trading floor related) tasks remained ominously quiet. Turned out the last time they were shut down was 3 years previously during the last test, and 90% of them had failed to boot due to stiction. Cue myself and 2 other support staff armed with rubber mallets from the FM stores working our way up and down the aisles, pulling servers from the cabinets, opening the cases, whacking the drives a couple of times and replacing them back in the racks to see if they would boot. We got them all back eventually but it was a lot more overtime than had been planned for.

UK industry calls for delay of IR35 off-payroll tax rules to private sector


Meanwhile we find out that as part of the roll out of the changes in the Public Sector the Civil Service Head of People (Not a creepy title at all) was suggesting to Public Sector managers in a letter to departments that they should consider shopping contractors who left the Public Sector as a result of the changes, to HMRC.

Copy of the Letter here - NHS Wales Website.


Relevant paragraph on page 6.

"Hiring managers must discuss the contractor’s intention to stay with them. Permanent conversion or longer-term extensions to contracts beyond April may be attractive to some, offering role security. Hiring managers must also make it clear that by remaining in the public sector and having their tax affairs managed through payroll makes them compliant with the off-payroll rules. If it appears they are choosing to go and work in the private sector to simply maintain ‘outside of IR35 status’ you could consider informing HMRC, who may take action to investigate the contractor’s tax affairs further. "

Money laundering and crypto-coin legislation could hurt open-source ecosystem – activists


Re: Ahh, old timers

The currency markets aren't the problem here.

In order to use Cryptocurrency to actually buy or sell things you have to have bought them with fiat currency at some point, unless you are in the fortunate position to have mined them yourself, but that puts you in the extreme minority.

In the real world fiat currency, from an individual point of view, is very, very stable - Venezualan hyper inflation etc being edge cases. If you buy something for £X today then you should be able to buy the same thing for £X tomorrow, sales, discounts etc not withstanding. Real world prices are largely unaffected by the currency markets, and when they are the effects are minimal, a few percentage points either way at most and most of the time these fluctuations are absorbed by manufacturers and vendors in order to retain customers.

If you buy cryptocurrency for £X today and then buy the same amount tomorrow, X is going to have a markedly different value and you will get a different quantity of cryptocurrency for your fiat currency. This means that the effective price you pay for a thing with Cryptocurrency will vary dramatically based on the fiat value of the cryptocurrency at the time you acquired it. This matters because in order to realize the value of your cryptocurrency you either have to convert it into tangible assets or back into fiat currency directly.

If you buy £5000 of Bitcoins today and tomorrow you use that to buy Gold then there is a good chance you will get less gold for your Bitcoins than you would if you had just bought it with £5000 in fiat. Of course there is also a chance that you will get more than £5000 of gold, but that's the gamble with cryptocurrency, it's all speculation driven by a very volatile market that is open to manipulation by individuals or groups of individuals with the ability to execute very large transactions.

Until the real world value of Cryptocoins against assets becomes protected from the speculative value and achieves real stability they will remain an investment tool rather than a day to day currency.

UK taxman told to chill out 'cos loan charge is whacking tax dodgers and whoopsies alike



Maybe try reading the report. In particular the selection of witness statements here. Inclusing a Locum social worker and jobbing IT freelancers. We are not talking about high net worth individuals or celebrities.


You have also completely misunderstood the legislation. These were employment agencies signing up workers and paying them through these schemes, not the workers own companies, assuring them that HMRC are aware of them and that they had been approved by legal experts.

HMRC have been aware of these schemes for over a decade and they had been declared under the HMRC DOTAS process. HMRC chose not to do anything about them. They are now not chasing the scheme providers, but the individuals who were signed up to them, many of them unaware of the arrangements or accepting the claims of the scheme providers.

This is no different to the Govt. deciding to raise income tax by a penny, backdating it 10 years and then demanding that everyone pay the extra tax, despite the fact that thay had paid everything they were supposed to at the time and charging interest and penalties on top. With no means of appeal.

Windrush immigration papers scandal is a big fat GDPR fail for UK.gov


Not Vital Interests.

"As for actual data processing, Article 6 provides for the lawful processing of data where "processing is necessary in order to protect the vital interests of the data subject or of another natural person"."

On a technical note re. the article Article 6, Para(1(c)) does set out the use of Vital Interests however this needs to be read in conjunction with the relevant recital, in this case Recital 46.



This clarifies that Vital Interests should only be used where no other Legitimate Basis can be relied on and processing " is necessary to protect an interest which is essential for the life of the data subject or that of another natural person" such as "humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters."

The intent for Vital Interests is that it should only be used in life saving situations where no other form of consent or other basis is available. In this case that would be difficult to prove.

Article 5(e) is the applicable reference here as you point out.


"Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; "

It also includes archiving in the public interest, scientific, historical or statistical research.

Since the purposes for which is was collected was to prove legitimate and lawful arrival in the UK for the data subjects an their dependants then keeping records for 75 Years or longer would be perfectly reasonable.

GCHQ's infosec crew plans to 'scale up' Web Check to improve uk.gov site security


Re: National Cyber Security Centre Is One You Might NOT Want Messing Around With Your 'Jewels'

What makes you think they are not "messing" anyway?

If you are on the web and are of even a passing interest to the security services then this has been done to you already, they just haven't told you what they found. In this case they will tell you, and how to fix it, but only if you are a Public Sector body.

The service is essentially the same as you would get if you paid a professional testing company to do an external scan of your services, it's just been automated a bit and made available to Public Sector organisations for free. Along the lines of the Qualys SSLLabs service but with extra advice and guidance on how to fix whats found.

If you're looking for an excuse to break out the tinfoil headgear, this isn't it.

FYI: There's a cop tool called GrayKey that force unlocks iPhones. Let's hope it doesn't fall into the wrong hands!


Re: Woah! Some much tin foil, so many hats.....


It's not your phone that anyone would be interested in.

What about journalists working in repressive regimes, human rights activists trying to prosecute those in authority, whistleblowers in authoritarian governments.

Any of these and more could have their lives and work compromised by those in authority who want to shut them up by getting "evidence" from their phones.

I doubt the company selling these devices will be particularly fussy about who they sell them to. You may not have much to worry about but many many others will as a result of this.

Most IT contractors want employment benefits if clobbered with IR35


Re: Sick Pay?

Re: Sick Pay

What we are talking about here is not Statutory Sick Pay that you get when signed of sick longer term but getting paid for the odd days here and there that you ring in sick for.

A permie off for a couple of days with the flu or a dodgy belly will still get paid. A contractor doing the same won't be. No workee, no payee.


Re: Contractor rights

No, Corporation Tax is on profits, not turnover.

So take out:



Pension contributions


That leaves taxable profits on which 20% is paid.

What's left after that is profit available to the business for reinvestment or disbursal as dividends to shareholders.

Dividends attract a minimum 7.5% tax for receipts over £5000 at the basic rate, rising to 32.5% at the higher rate.

The dividend tax allowance was abolished 2 years ago so corp0ration tax paid can no longer be counted against income tax. In effect it gets taxed twice.


Don't forget carrying insurance to back up that responsibility.


Income Tax? Check

Dividend Tax? Check

Employees NI? Check

Employers NI? Check

Corporation Tax? Check

VAT? Check

So the suits swanned off to GDPR events leaving you at the coalface? It's really more IT's problem


Re: B2B vs B2C

Where did you get that information from? If you didn't collect it directly from the individuals then you are not the data controller and you don't need to worry about consent. That's down to the Customer who provided it to you. In that scenario you are the Data Processor. You sill need to be complaint but the rules are slightly different.

Even if you are the controller you don't automatically need consent, that's just one of the possible criteria for the Lawful Basis for processing. You do need to work with those customers at a business level to ensure that they pass on the appropriate privacy notices to their employees that explain why you are holding their data an what you intend to do with it. You also need to be able to respond to SAR's from them and delete data under RtbF.

The first thing you should be doing is getting the Lawyers to give you a view on your status as Controller or Processor for the different data sets you hold (assuming you know what they are). Everything else follow from that.

BAE accused of flogging mass-spying toolkits to assh*le autocrats


And this weeks "No Shit Sherlock" award goes to...

Seriously, anyone who thinks this stuff isn't happening is kidding themselves. BAE, and the rest of the defense industry, will sell to anyone they can as long as it's legal*

*For varying interpretations of the term.

First working Apple Mac ransomware infects Transmission BitTorrent app downloads


Re: So now official websites have files with viruses, uh?

Whats going on is that Transmission was specifically targeted by the scammers in the knowledge that it is widely used around the world. Exactly how they managed it remains to be seen, but fundamentally they set out to break into the distribution of Transmission and upload a malware infected version signed with an revoked but otherwise legitimate looking developer certificate.

You can put the tinfoil hat away. There is no great conspiracy here. Just a particularly cunning exploit of a popular application by scammers looking to make money.

You're a cybercrime kingpin. You need a new evil lackey. How much do you tell them?


I think the hackers have got at the article

Considering the atrocious grammar in bits of it.

Spending Review: GDS gets £450m, Cabinet Office budget slashed


I submit my VAT, Corporation Tax, NI and Income tax online. I also pay it all online via my Bank. What exactly is this going to deliver other than adding a couple of extra layers to the websites to make it slower to get to the bits I actually want to use?

BitLocker popper uses Windows authentication to attack itself


Would hibernation defeat the boot password?

We have Bitlocker with a boot password here, however many users simply hibernate their laptops instead of shutting them down as the startup process is so slow.

Would this work if a stolen device had been put into hibernation, even with a boot password?

Former parking ticket bloke turns out to be cybersecurity genius


"An ex parking fine processor, eh?

Didn't realise the best cybersecurity gurus were utter bastards. Time will tell if things turn out."

You've not read BOfH then?

Cops use terror powers to lift BBC man's laptop after ISIS interview


Re: "Yes, go on kiddies, mod me down"

Not so much Ad Hominem as On The Nail judging by the ratio of Down votes to Up votes on the original and your response.

Coat for Sir?

Potent OWA backdoor scores 11,000 corporate creds from single biz


Re: OWA used by smartphones

Yes it is. However, as others have commented, the real issue here is not that the OWA service was used to gain access to domain credentials, but how the offending DLL was installed on the server in the first place, and how the server config was manpulated to load the malicous DLL in place of the legitimate one. That was the cause of the breach, everythng else was the effect.

Are you a Tory-voting IT contractor? Congrats! Osborne is hiking your taxes


No they don't.

In the Public Sector there are rules that say if you are in a contract for more than 6 months, paying more than £200 per day then you have to provide evidence to the client that your Tax and NI payments are compliant with IR35, either inside or outside.

If you work in the same general location (whether in the Public or Private sectors) for more than 2 years then you can no-longer claim travel and subsistance costs. Location is very broad, so 12 months with one London Client followed by 18 Months with another London Client would be caught by this rule (30 months in one location). If the commute doesnt fundamentally change (Next Client is in Leeds for example) then the rule applies.

Other than that there are no restrictions on how long you can contract with the same client, nor is length of engagement an indicator of your status under IR35.

Cause of Parliamentary downtime on Microsoft Office 364½ revealed



There is such a service in place.

FCO Services ( the services division of the Foreign Office) provides and supports a formally Accredited application services platform that includes Office 265, delivered via the PSN and Internet specifically for use with material that may need delivering to out of the way places and embassies in countries that may be somewhat less than respectful of our National Security. Or simply for handling more sensitive material at home.

My life under Estonia's digital government


Re: the previous posts - ANPR

No, a vehicle of interest is one that has been reported stolen has previously been associated with criminal activity, or is connected to a known or wanted individual. There is no link between the ANPR database and the DVLA systems for tracking registration, MOT etc. If a vehicle is stopped these can be manually checked or they can be checked if a vehicle is reported for other reasons.


Re: the previous posts - ANPR

You might want to have a read of this then.


"How it works

As a vehicle passes an ANPR camera, its registration number is read and instantly checked against database records of vehicles of interest. Police officers can intercept and stop a vehicle, check it for evidence and, where necessary, make arrests. A record for all vehicles passing by a camera is stored, including those for vehicles that are not known to be of interest at the time of the read that may in appropriate circumstances be accessed for investigative purposes. The use of ANPR in this way has proved to be important in the detection of many offences, including locating stolen vehicles, tackling uninsured vehicle use and solving cases of terrorism, major and organised crime. It also allows officers’ attention to be drawn to offending vehicles whilst allowing law abiding drivers to go about their business unhindered."


Re: the previous posts

The 2007 attacks on Estonia were in 2007. That's 8 years ago now, and since then there has been no similar incidents affacting that country. Lessons were learned from those attacks, not just in Estonia but accross NATO. Estonia now hosts the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). In the last 8 years Estonia's digital society has survived and prospered, it has not resulted in the loss of services or other disruption.

ANPR in the UK only provides information on vehicles that are already flagged as being "of interest" to the Police. If they stop a vehicle that is not already on the system they have to request a specific check be carried out before they can take action. This means multiple calls to DVLA, Insurance Companies and others. The Estonian System is real time, see the number plate, check the records, take action.

Estonia didnt start with a clean slate, they started from the same position as most other European governments, including the UK. What they did was deliver what UK politicians have been promising and failing on for years. To take the disparate government systems and integrate them in such a way that data exchange becomes a practical and realistic proposition. There was no rip and prelace process, they used middleware technology and services to allow them to communicate in a meaningful way as well as delivering brand new services such as the e-ID system. It worked becasue they had clear principles from the outset and they stuck to them.

All of this is possible, what it takes is political vision and the will to follow it through. Having a proper understanding of delivering public IT systems and being able to properly run procurement and contracts would help as well. Sadly successive UK governments seem to be unable to do any of these things.

SME IT contracts? That's the last thing Whitehall wants – report


Expect to see the Cabinet Office FLEX contract with Fujitsu extended as well. It's bad enough actually getting them to do anything now, let alone when they are told to start handover.

Mummy, what's the point of Evgeny Morozov's tedious columns?



... what was the point of this article?

£100 MILLION poured down drain on failed UK.gov IT projects - in just ONE YEAR


It's not about the technology

It's about the contracts and procurement processes.

Govt. procurement is simply not up to scratch when going up against the big suppliers. Their commercial and contracts people are far more experienced and far better at negotiating contracts that the civil servants are. This is why you end up paying for decommissioned sites because no-one thought to put in a clause to the contract that meant you didn't have to pay for stuff you didn't use any more.

It's the same across the board. Look at the excesses of MoD spending caused by badly drafted contracts. Or spending on NHS supply contracts rather than IT.

3D printed guns: This time it's for real! Oh, wait – no, still crap


Don't see the problem

Anyone dumb enough to try and use one of these is more likely to kill themselves than anyone else, thus removing themselves from the gene pool. Job Done.

DVLA website GOES TITSUP on day paper car tax discs retire


Missing the point

Those pointing out how smart they were about renewing early etc are missing the point. The old system worked very well and had done so for number of years. Even if you left it to the last minute it was one of the few Gvt. services that could be relied on to work when you needed it.

Whatever the fucktards at GDS did, they broke what was previously a perfectly good service.

'Stop dissing Google or quit': OK, I quit, says Code Club co-founder



"...and GDS, a state IT contractor largely staffed by web designers."

Oh come on, that's being most unfair to web designers.

Roll up, roll up for the Reg Readers' Ball


Do I actually have to talk to anyone...

or can I just drink the free beer?

Windows XP market share GROWS AGAIN, outstrips Win 8.1 surge


Re: end customers haven't pulled their heads out of their arses

Except they aren't.

Rule one only applies when your customer can go elsewhere. Like it or not, there are no practical alternatives for enterprise class operations who want to maintain continuity for their desktop environments. Despite all the discussion about porting to Linux or use of VM's or compatibility modes etc, in practical terms these are as much if not more work to implement in the current timescales than going down the MS upgrade path.

Realistically, if you wanted to get of the Windows merry-go-round you should have started planning the jump 5 years ago when MS extended the end of life to 2014. You'd be about ready by now if you had.

As far as MS are concerned in this, Rule One can go screw itself.

You can whinge all you like about whether MS is right or not to do this, it doesn't change the fact that they are doing it. They told the world they were going to do it, gave the world an extra FOUR YEARS to deal with it and now everyone is getting all upset that they are actually doing what they said they were going to do 12 years ago.

The numbers of XP desktops out there, still in daily production use indicates that the IT world has had it's head up it's collective arse the whole time.

Whinging about it and claiming the customer is always right is just the verbal equivalent of ramming it that bit further up there, when push comes to shove you're still going to end up eating shit.


Re: That has got to be embarrassing for Microsoft

This isn't embarrassing for MS at all.

They announced end of life of XP in 2002. 12 Years ago. They refreshed the date in 2008, 6 years ago. The only people this is embarrassing for are the ones who have sat on their hands for over a decade and done nothing to plan for the change.

2002 - Windows XP EOL announced as 2010

2008 - Windows XP EOL extended to 2014

2009 - Windows 7 released

2011 - Windows 8 released.

2014 - Windows XP EOL.

So EOL on XP was announced 7 years before Windows 7 was released and Win8 hadn't even been announced. Windows 7 has been available for 5 years and Windows 8 (for all it's issues) has been available for 3 years.

So again, how exactly is it embarrassing for MS that end customers haven't pulled their heads out of their arses and done something about it in spite of having 12 years to plan for it?

Dell charges £16 TO INSTALL FIREFOX on PCs – Mozilla is miffed


Doesn't even take 10 minutes

It's an automated build process, you did the work for them by ticking the box.

So: Just how do you stop mobile users becoming leaky lusers?


It's not about techniology, it's about risk.

The "problem" comes down to one of risk management. What is the risk to the assets involved versus what access to those assets is worth to the organisation and what it would cost them should they be compromised.

Once you have an understanding of the risks and costs you can start to look at mitigating those risks and the cost of mitigation versus value of the assets and the benefit of allowing mobile access.

In technology terms the solutions are already out there, the question is; do they provide a sufficient reduction in risk to justify the expenditure against the business benefit?

Henge Docks Docking Station


Nice idea but lacking one thing

If I plug my MacBook into one of these I can't use the screen, only my desktop monitor. FIne if you only ever use one display, but not so great for those of us who run the MacBook acreena nd a seperate monitor as well.

Anonymous, LulzSec go legit with PayPal boycott


It's not him

It's her.

Mercedes is a girls name.


If it is....

Then they are going to have their work cut out. According to the Anonymous IRC twitter feed they have over 20k accounts closed so far.

EU may re-ignite carbon trading following hack attack


Re: How crooks make money from this.

This isn't a case of opportunist hackers this is serious organised crime getting involved.

It works because anyone can apply for a carbon trading account subject to some basic, but it seems easily faked, background checks.

The mechanism is that they will compromise a legitimate trading account and transfer the carbon certificates to one or more compromised accounts or companies in another countries. Most have been in the former eastern block countries. They end up in a dummy which is then used to sell the certificates on the open spot market and the resulting cash siphoned off.

Because the only identification on the certificates is the serial number, and the only way to check ownership is to go back to the original issuing body and follow the trail of trades associated with those certificates traders assume that ownership is proof of legitimacy. Once the certificates have been stolen the thieves disappear with the cash. The whole issue is compounded by the fact that in a number of jurisdictions there is no requirement for the purchaser to return goods when they are shown to have been stolen.

By the time the whole mess is sorted out, ownership proved and the trades traced the perpetrators are long gone.

Carbon trading registry suspends ops following hack attack


Rightly or wrongly

the carbon trading market is a reality. What is also a reality is the laughable levels of security in place around what is a multi-million Euro market.

Account security it limited to a pre-generated user ID and passwords on a 90 day expiry. No tokens, no additional verification of identity, just a simple account that lets you trade millions of carbon certificates. Apart from a rather perfunctory plea not to answer phishing emails there is no further advice on the registry website on securing the accounts or managing access.

For something this valuable ( Holcim Romania lost something in the region of 20M Euro ) you'd think they could put in some decent security or at least offer advice to their account holders.

PARIS concocts commemorative cocktail


Easy to do without the sugar and icecream.

Same glass but fill with crushed ice first.

Brown or Green booze in first ( Tia Maria, Kahlua / Midori, Creme de Menth)



Black Vodka

The Ice makes it easier to layer up the drinks and adds some texture to the whole thing.

Slice of Lemon for the sun and a straw. Then drink. Carefully.