* Posts by PVecchi

41 posts • joined 27 Jan 2014

European recommendations following Schrems II Privacy Shield ruling cast doubt on cloud encryption practices


Re: What about Office Suites?

If it's used only by your organisation to process non personal data then it's OK.

If you use it to process and transfer personal data of clients or third parties that have not signed an informed consent then your DPO is doing it wrong.

Please note that the "informed" part of the informed consent is also important. Your DPO cannot assume that the user and the data subjects may be fully aware of the implications of what they are signing.

If you ask "Is it OK for you to use Microsoft Teams?", that's not informed consent.

The data subjects, that includes also any other identifiable person you may mention in your conversations even if they are not employees, haven't been informed that by allowing their data to be processed in clear by Microsoft their are OK to waive their fundamental right to privacy. Today they may say OK for a badly performing chat platform, tomorrow they may be asked to do the same for other platforms.

While each one of us could make an informed decision in regards to the information we want to share on LinkedIn, Facebook, Twitter, The Register, etc. and evaluate carefully what we want to say, we may not realise how much more we give away during an informal chat on Teams while we are using it and when we think we are not.


What about Office Suites?

I guess most still wonder if they can/should use Office365, G Suite and similar to process EU citizens personal data.

The short answer is: No, you are violating data subjects fundamental right to Privacy (art. 7 and 8) as stated by the EUCJ.

You could do it if you obtain informed consent from the users, as their personal data will be often shared in Azure AD, and the people you are writing about/contacting by email/adding to your CRM/etc...(data subjects) stating clearly that their personal data will be transferred to a data importer (Microsoft/Google/etc) which, regardless if the contract is signed with a EU subsidiary and stored in EU, cannot ensure an adequate and equivalent level of protection and by doing so it will violate their right to privacy (and contribute to support the expansion of surveillance capitalism business models but that's another issue).

Some more info: https://joinup.ec.europa.eu/collection/joinup/news/privacy-shield-invalidation

These transfers fall under the Use Case 6 of the EDPB recommendations as the text you are writing in Word or the emails you are sending out are all processed in clear so at present you are not able to use those tools without violating people's privacy and naturally that will make your organisation also non GDPR/DPA compliant.

EDPB's recommendations can be found here: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf

Meet the open sorcerers who have vowed to make Facebook history


What has IMAP got to do with Facebook?

Dear Andrew,

I know that being a journalist is hard especially because lots of research should be done before writing stuff.

IMAP played a good role in email servers and client for many years but we see that is anyway being replaced by Open Source implementation of MAPI and on the client side with ActiveSync as they are more efficient.

I have no idea what relation there may be between a Facebook replacement and IMAP. Maybe Laguna has a new secret extension of IMAP in the making?

While we wait to know more the rest of the world is using XMPP for chat using clients or implement distributed platform using ActivityPub or similar protocol to sync instances.

Facebook alternatives are out there, Diaspora being one of them, and the fact that billions of users aren't using them is due to the fact that people got used to instant gratification, some call it convenience, given by the fact that they can sign up and give away their private data straight away without having the time or will to consider the implications.

I'm all for an exam, lasting at least half an hour, where users have to read all the T&C of Public Cloud services, answer a questionnaire, digitally sign a waiver stating that their data can (will) be used for any profit making activity the Corporation can think of and only then allow access.

The same should naturally be applied to all sites that use Google Analytics and related services.

I bet after a while users and companies will find that is a lot more convenient to install their own chat or email server. The additional bonus is that we'll have more people that know what to do in IT instead of outsourcing everything to the so called "Cloud".

GCHQ unit claims it has 'objectively' made the UK a less desirable target to cybercrims


Re: Another outsourcing agency?

Which is a copy paste of the guidance published by, the now rebranded, CESG:



Can we safely assume that NCSC, up to now, has been just a rebranding and outsourcing agency?

I can't see any evidence to the contrary.


Another outsourcing agency?

I read their report and I'm surprised to see they had to fix, or asked third parties to fix, obvious issues and implement basic policies that should have been in place a long time ago.

Not sure if they tried to simplify the message to make the report readable to all but I've got the impression that a junior technician could have spotted and fixed all the issues they described.

Implementing SPF & DMARC doesn't seem a great achievement but I suppose now their emails will finally go through basic spam filters. Not sure how many phishing attempted will be avoided as in most modern email platform no SPF means no emails.

Web Check could actually be a good service as it helps telling sysadmin do update servers and write better web apps.

The only useful thing NCSC have done, because it had the leverage to do it, is to issue take down notices for the few fraud sites hosted in UK.

Apart from that I don't see the usefulness of NCSC. They may be linked to GCHQ but they haven't impressed me with their strategy or their technical capabilities up to now.

They outsourced all their infrastructure, they haven't even installed a threat management platform but they are renting it from BT (the same one I'm running. it doesn't take a genius to setup) so they have only a partial view of the threats,

I'm pretty sure GDS could have been as good in coming up with those action point and resolutions without the need of creating another outsourcing agency.

NHS: Thanks for the free work, Linux nerds, now face our trademark cops


Re: Nice idea but...

I guess you are right.

You are a techie specialised on Microsoft stuff so why would you have to learn something else.

The NHS will renew the contract with Microsoft so hundred of millions will be spent in licencing and updates, some of the stuff won't work as there is no driver & MS isn't going to develop a new one for you but at least you will be able to say is not your fault.

That upgrade process will take several years and hundred of millions must be spent on new hardware and training personnel which is not use to the new version of Windows and the software that will run on it.

In a few years time nobody will want to even look at changing things as stuff more or less works.

We'll get near the renewal time, new proposals to break the lock-in will flow in, a team will decide to lead by example, NHS will say "that sounds like a great idea, show me a prototype and give it a name I can use to promote it as if it were an NHS project", working platform sorted and tested but used just to get a small discount from Microsoft.

Rinse and repeat.

The same happens in many other organisation. You know it and we know it but some try to do the right thing instead of the most convenient one.


Re: "no smart card support"

Not sure if you noticed but someone didn't just "google it", someone actually did something about it:


Just saying.


It's not as simple as that.

There have been discussion, changes and expectations of support from the management.

As I wrote in my comment below they could have fixed it very easily but probably it required too much thinking effort.

NHoS is not a competitor or doing anything similar to what the NHS is doing so we could go to court and maybe win but it is not the approach we prefer and we don't want to waste NHS' money in legal battles as patients need them most.


Re: So familiar

We are not all Linux geeks.

Some are fantastic techies that must be confined in writing good code others are out there presenting that code as a package and a SKU for maintenance and support usable by the public sector procurement.

That unfortunately allows procurement to present a competitive offer to the usual suppliers to get discounts so it doesn't work all the time as $vendor will just drop the price to keep the lock-in going.

The issue is that HW, SW, security, support, maintenance, electricity, cross application lock-in, etc... are seeing as different costs by different departments.

If they simply put together the costs over 3/5 years it would be easy to see that their costs will be cut at least in half with Open Source and Linux.


NHoS means NHoS is not NHS

NHoS is not a product or a service that could benefit from similarity in the name or the logo or that could create confusion on the market that could lead to damage to the goodwill and reputation of the NHS.

To the contrary.

Some of the member of the NHoS core team have worked or are working in the NHS or related projects and got together with the intent of providing a free and Open Source solution that can (and does) satisfy the needs of its users while removing the licensing costs and increase security.

The idea was there even before the WannaCry ransomware wrecked havoc in some NHS Trusts but that incident pushed the team to start doing something about it and so they did without asking pretending anything from anybody.

NHoS is a valuable asset available for free to the NHS for the NHS for the benefit of all the employees and subsequently for all the patients that are being treated by the NHS as it's the start of a project that could have saved hundreds of millions in licensing fees which could have been reinvested in providing actual care.

We accept that Mr Stephen Winfield is just doing his job so the issue is with the management at the NHS which is aware of the project, they are probably aware that could change the status quo and bring huge benefits to the NHS but decided not to grant NHoS the use of a name and a logo, which could have only help in promoting the project internally, stating clearly the limits of its use.

It could have been as simple as that.

Think about it when someone complains the NHS has no money, few hundred millions saved in licensing could be a drop in the ocean, some say, (like many other ignored drops) but could also help in saving lives.

Paolo Vecchi

CIO (Chief Italian Officer) of the now disbanded NHoS

UK Data Protection Bill lands: Oh dear, security researchers – where's your exemption?


Re: Logging the lot

If it was for boosting the economy it may be, kind of, OK but as that's not in the original GDPR it smells fishy.

Some say... that the usual lobbyists promoted a feature that may be available on their Cloud platform very soon... naturally at a premium.

I wouldn't be surprised.


Logging the lot

Chapter 60 says:

A controller (or, where personal data is processed on behalf of the controller by a processor, the processor) must keep logs for at least the following processing operations in automated processing systems—

(a) collection;

(b) alteration;

(c) consultation;

(d) disclosure (including transfers);

(e) combination;

(f) erasure;


IANAL but as there is no definition of what an APS is and the retention period so I may be led to think that we'll have to log also access to each email or contact page in a CRM as they all contain PII.

If that's the case then many applications in use aren't compliant and those that are will generate so many logs that would make it impractical for many SMEs to comply.

I've checked the Explanatory notes and it doesn't define the logging requirements any better.

Any additional PoV?

Former UK.gov IT man and Python king's guide to neural networks


Re: Well...

Well... his advice was so good that they had to make up a "Cloud first" policy to stop an Open Source first policy. I guess other parts of the Government received pressures as a successful Open Source policy could have killed someone's' monopoly on the public sector and the nation.

He wrote also a nice set of recommendations that since he left hasn't been updated just in case civil servants discovered better ways to do things:


Relevant official page linking to that document cannot be found any more.


Re: Well...

I can confirm Tariq IS a very decent chap and it's a real shame that gov.uk hasn't understood that as we need guys (& gals) like him around.

Microsoft drops Office 365 for biz. Now it's just Microsoft 365. Word


As we all expected

Microsoft 365 Business... integrates Office 365 Business Premium with tailored security and management features from Windows 10 and Enterprise Mobility + Security....

... priced at US $20 per user, per month.


Ubuntu 'weaponised' to cure NHS of its addiction to Microsoft Windows


And probably he hasn't read that most of the issues and costs Munich is having are related to maintaining legacy Windows systems that they cannot migrate neither to another version of Windows or upgraded to Linux as the vendor is not around any more.

In the meantime WannaCry happened and LiMux techies have been seen going around smiling all the time.


PCoIP and Citrix can do the job but as things progressed there are other technologies (yes OK vendors) that are way more efficient in delivering Linux and Windows virtualised desktop from the same infrastructure. I agree anyway that, especially during the transition period, is probably better to provide a NHSBuntu virtual desktop than replace the OS on the device (quite likely with BIOS/chipsets tailored to work only with Windows).


Re: NHSbuntu and users with disabilities?

Haven't personally tested any accessibility features but as NHSBuntu carries on all the accessibility features built into Ubuntu I believe pretty much everything is covered.

More info here: https://wiki.ubuntu.com/Accessibility/Links


Re: Smartcard recognition, really?

"The issue is with SmartCard authentication for specific roles which you can only do with Windows OS clients due the software provided by NHS Digital."

I found myself in quite a few situations where the provider/vendor said their application/smart card reader works only with Windows, which turned into "I see you made it work perfectly but we don't support it" to then announcing that their tech team made a huge effort and now they support Linux as well. All in matter of days/weeks.

I would not be surprised if within days there is a client working perfectly with NHS Digital software.


Re: Not a *buntu fan, but more power to 'em!

It could be an idea to look at NHSevuan for those allergic to systemd or NHSMint if they really want a Windows 7 look and feel without the pain ;-)

IT system lets biz opt out loads of EU patents from Unified Patent Court at once


Re: It'd be nice...

You answered yourself ;-)

If you were a patent lawyer would you recommend to apply for a patent in 1 location or you would prefer to charge your customer to apply in many countries?

Then if you were a large patents holder you would want to drag the little ones in every court around Europe so that they run out of cash before they can prove they actually have patent rights.

One European court could make things better if all patent requests will be treated equally with no fast track for some large Corporations.

Data-center-building-block upstart Nimboxx 'missing in action'


Maybe is not all over?

It is a very sad story & one that reminds me why I choose to limit the risks of working with US VC backed companies.

The reasons for this sudden closure are unknown to me yet but the way the Hong Kong based investors acted is totally out of order.

Whatever happened I guess they had a few dollars left to send out a communication and deal with an orderly shut down. Nope, they went for the power plug.

Very sorry for the Nimboxx HCI side but even more for the VERDE VDI team with which I worked for years.

Rumors say that something is happening, hopefully the VERDE team will be rescued & maybe the the whole of Nimboxx will be revived.

The last post: Building your own mail server, part 1


Not just emails

It is true that if you only want a mail server at home then it's not worth it and you are better off with a VPS but is that the only use you'll make of that server?

If you plan to have a home server then use it as a firewall, a media server, a file server, etc... while you use it also as a local relay server which fetches and send emails using your VPS where you are pointing your primary MX record. Like that it makes sense and you get the best of both platforms.


Re: Fixed IP?

It's easier to configure things if you have a static IP but is not a must.

You can search for dynamic DNS on your preferred search engine and you'll find a few that are free or others that cost anyway very little.

The other option is to buy a domain from a hosting provider which generally provides a basic mail server for a tenner a year and "fetchmail" you emails from there with your local server.


Knowing what you are doing

Setting up an email server in Linux is generally quite easy, for those that have the skills, but then we've got to take in consideration that not everyone know how to deal correctly with firewall rules, filtering, certificates, etc...

An easier route would be to use Webmin and the fantastic Authentic theme (https://github.com/qooob/authentic-theme) to reduce the risk of misconfiguring something and open your server to attack.

For those that want an even easier life a product like Collax with 5 users and Zarafa Community could provide a free but business grade all-in-one platform that provides MS Exchange like features ready to be used in about 15 minutes without having to learn a single command (http://www.collax.com/en/products/collax-business-server/overview/).

It's good to "decentralise" the Internet but make sure your servers are configured properly and don't become spam bots or nodes for the next DDoS attack.

Three things you need to break down those company silos


Re: Interesting logic about Open Source

I totally got the point and I agree that having to deal with different tools in an organisation can be difficult and costly. Moreover if it happened a few years ago Open Office wasn't anyway, in my opinion, good enough to satisfy the requirements of most businesses without considerable investments.

Nowadays I wouldn't hesitate to recommend LibreOffice in organisations of all sizes as Microsoft Office doesn't make sense for about 98% of the users.

The interesting thing that I see happening is that some organisations listen to some consulting companies saying that they've got to go digital/cloud/etc so they start ripping off ties with legacy systems that relied on MS Exchange/Outlook(?) & MS Office libraries to go fully "digital".

Naturally those are the same organisation that refuse to move to other Open Source solutions as it would be too costly to rip off Microsoft from their systems. The only positive side of this is that, once the board realises the CIO has been a total incompetent & Cloud is not the nice fluffy thing they've been lead to believe, the hard work would have been already done & Enterprise grade Open Source solutions can be implemented with no issues at all.


Interesting logic about Open Source

It would be great to understand how many people were in that department and for how long they spent "about a person-day per week" asking "How do I...".

I bet that didn't happen when they moved from MS Office 97 to 2010/2013 and had to convert lots of documents as there are incompatible formats also within MS families of products.

So instead of praising and supporting a department that understood Open Source can bring benefits to the organisation the recommendation has been to go back paying the equivalent of "about a person-day per week" worth of licenses/support/EA/etc..

Don't know when that happened but considering that the UK Government has chosen ODF as the official file format and that LibreOffice can work with "legacy" formats, like those used by Microsoft, very well then today's best recommendation would be to promote its use across the whole company.

Scale Computing: Not for enterprise, but that's all part of the plan


Re: KVM keeps getting better all the time

"And it is nowhere nearly feature complete"? Could you elaborate on that?

Not sure which features are supposed to be missing & which use case are suppose to satisfy.

KSM is very good but then it depends on your type of workloads and if the reduced memory usage compensates the added CPU overhead.


Re: Awwww hell ....

For HA we've been using DRBD+Pacemaker+etc for quite a long time & it works beautifully.

Now we switched to a HCI vendor with which you can start with 2 nodes so it takes care of the HA as well.

To move VMs we use StarWind V2V converter or a simple Clonezilla which does a server/slave migration from VMWare to a KVM infrastructure very easily.


A well targeted product for a very large market

This side of the pond about 95% of the market is made of SMEs which the EU defines by having between 50 to 250 employees but in some countries they include also microbusinesses with 10.

It often seems like people that write IT articles are affected by a sort of Top Gear Syndrome. It's a lot of fun to talk about Lamborghini but, as you rightly said, the vast majority of SMEs need a Ford Mondeo or a Toyota for their company car fleet.

I see resellers flogging VMWare+SAN kit to SMEs that don't needed it for a lot more than a Scale kit so it should be about time that businesses realise that they are being ripped off by people interested in their quarterly targets more than satisfying customer requirements.

For once that there is a vendor (well, I know of another one) that is on the market to satisfy the real requirements of SMBs we should be praising them and say thank you.


Re: Alternatives

"Gippa", like many other professionals specialised in datacentre infrastructures, uses Ganeti as he's an highly skilled engineer especially around OpenStack but when you try to use it to create standardised, efficient and scalable appliances for the SMB market then there are better options available.

Then of course you can roll your own HCI but most SMBs appreciate the fact that they can use Scale which can provide great services at a price tag that can be a lot lower than VMWare based stuff and it's easier to manage.

Don't panic as Server 2003 rushes towards end of life


I would go for Zarafa but I'm surely biased as I've been using it (and selling it) for many years replacing very happily SBS, Exchange and now even Office365 and GoogleApps.

If you are looking for a full AD replacement try also Univention.

Nutanix looking for a way to burst VMware's bubble


Re: Open HCI coming out of stealth

Well, that's a proper home lab :-)

Anyway you probably will be partially impressed if you test NodeWeaver as you are already using the excellent Scale Computing HC1000.

There are a just a few noticeable difference: NodeWeaver NW-110, which is aligned with the HC1000, includes 512Gb of SSD cache, starts doing its job nicely also with 2 nodes and 3 nodes cost just a bit more than a single HC1000. The rest of the features seem to be roughly the same. We are working mainly on the EU market so we haven't seen Scale Computing much yet but we are winning a lot against Nutanix and naturally VMWare.


Re: Open HCI coming out of stealth

The only thing that is still in beta of Nodeweaver is marketing but we are working on it. NodeWeaver, after a few years of development, testing and having been in production also in mission critical environments is a product that's ready for prime time. So prepare 2 or 3 servers in your home lab to start testing it ;-)


Open HCI coming out of stealth


Not sure if you were referring to us but we are, with NodeWeaver, one of those Open HCI coming out of stealth.

We haven't done much media noise yet but the presentation of the product at a recent "Cloud" event in the UK generated a lot of interest (and sales).

Nutanix, Scale Computing and Co are incredibly good products which are aiming to the Enterprise market where hundreds of nodes are the norm but what about the 95% of the European market which is made of SMEs?

Does every company in the UK need to spend £100K+ to setup an efficient hyper-converged/hybrid cloud infrastructure? Maybe not. Maybe a lot of businesses would like to start with a couple of nodes investing very little and then scale-out by adding appliances or converting existing VMWare servers into HC nodes as it takes 5 minutes.

Then does the hypervisor really matter? We've chosen KVM as we think is a lot more efficient than others but that doesn't stop you migrating existing VMWare, Xen, Hyper-V workloads with no or little modifications. If the "Cloud style" management of the infrastructure is so easy and you can easily integrate to other management suites through API why the customer should pretend to use VMWare as hypervisor?

Sorry about the self promoting rant but we think that there is a market out there that needs to know they can afford Enterprise class products that provide the same features found in Nutanix or EVO:RAIL and that those products can be in most cases more cost effective than any Cloud service.


Disclamer: if you haven't noticed I'm personally involved in the promotion of NodeWeaver and many other Open Source & Linux based product so the views expressed are certainly conditioned by it.

Microsoft vs the long arm of US law: Straight outta Dublin


Re: Ah yes, those pesky international treaties....

"so you force the data carrier to allow access to everything going back and forth through the fiber-optics?" Sorry but that has been happening for quite a while.

While GCHQ/NSA shouldn't spy on everyone in their own countries they are allowed to "monitor" communication that are coming in and out of their borders. For pure coincidence most of Cloud services people use are hosted in the US so GCHQ is happy as they can tap into that and NSA & Co are happy as they have the data they want about "aliens" at home.

Then it happens that NSA & Co help the US economy to the detriment of ours (apart from the fact that using US Cloud we don't use local nerds) they are known to perform a good amount of industrial espionage. Nice guys, isn't it?

Big Brother

Office365 secured by MoD?

Just remembered that I received an email from an Office365 user where one of the hops was RIPE says that network is reserved to MoD & that specific address is named to the "Defence Interoperable Network Services Authority".

Can anyone tell me if that's a glitch/misconfiguration or if the DINSA is just offering services to Microsoft to make our Internet experience more "secure"?


"What can a UK customer do?"

Very nice article by a professional I respect but he ends it leaving apparently no hopes to the reader.

It's true that GCHQ is exchanging favours with the NSA as they find it difficult and time consuming as well to follow the procedures set by UK laws but that at least it's a local issue.

The point is that there are alternatives coming up all the time as finally UK and EU providers (not owned by a US Corp) are catching up.

Even Linux servers installed on-site are becoming easy to manage, provide most of the services you get from Office365 and cost even less. On-site services have the added benefit of helping creating a "distributed" Internet so that at least our friends in GCHQ will have to do some work instead of easily getting our data from US Cloud services or from transit nodes that connect us to the rest of the world.

EU ministers respond sleepily to Viv Reding's 'Snowden wake-up call' on data protection


Re: Spooks and lobbyists will neuter this

Copy/Paste machine ready to go. Will they at least make the effort of changing a bit the text provided by the usual US Corp?

Now that also the UK Parliament is up and running with Office365 laws will be approved even faster as lobbyists from around the world will be able to "help" MPs editing their amendments in real time without the risk of leaving copies of the original documents around.

It's quite ironic to read and then respond to privacy related articles while seeing 4 banners dedicated to Microsoft Cloud around it.

Microsoft closing in on Apache's web server crown


Microsoft IIS is the perfect solution for non active sites

I suppose that Simon Sharwood wanted to play an early April Fool joke. He surely has checked the data and seen that somebody just dumped millions of inactive sites on IIS just because they had unused servers available.

Looking at the real data Apache is running more than 50% of the active servers worldwide.

Mail Migration


Is it another migration out of MS Exchange?

It's just that we see many that finally understand that there are other solutions that can do the same job, require a lot less HW and cost a lot less.

Anyway I think we need a bit more info to give you an idea about complexities and amount of time required.

For me moving users away from MS Exchange is quite simple as we have a migration tool that just grabs users and their datastore from one system and moves them to the other but you've got to keep in consideration the transfer rates you can get to calculate how long it's going to take.

Do you plan to move them all in one go?

Are the servers on the same network?

What read and write transfer rates do you get from the 2 servers?

Size of the current database?

Are the attachments store within the database or on file system? Are they already deduplicated?

If they are still in the evaluation phase then I recommend to add to the list Zarafa Groupware, you get MS Exchange features but as I said above it's lighter, cost effective and it's also Open Source if you plan to do some integrations.


Biting the hand that feeds IT © 1998–2021