Tech support call

Earlier today, I fielded a tech support call from a relative. They’d been forced to sign up to one of my least favourite things, a “customer portal” which is clearly a better and more secure way of fetching documents than having them e-mailed.

“I signed up but now it won’t accept my e-mail address and password!”

Watching them via TeamViewer, it became apparent that the relative was doing that classic “civilian” thing of Googling for “CompanyName login” rather than remembering or using a bookmark for the portal’s login page.

And what was the top hit on Google for this particular company’s name with “login” after it?

The WordPress login page for the back end of their website. Branded similarly, it looked close enough to the actual portal login page to confuse.

Car insurance

Occasionally, when having a few pints with my team after work, we talk about all the things we’ll build when we’ve made our fortune and are just doing software development for fun. A decent network file system, a good e-mail client (yes, I have read the book about the years spent developing Chandler), holiday and HR tracking that doesn’t totally suck, …

I think it’s time to start dreaming about branching out and reforming other industries, though. Last week, I got an e-mail saying my car insurance was due to renew. It quoted me fifty quid more than last time, which seemed like a suitable slap in the face for another accident-free year.

So I spent twenty minutes of my life typing details into the two big price comparison websites, plus the one big independent insurer who won’t participate in them, and eventually found it cheaper somewhere else. So I purchased it.

I then phoned my existing insurer to cancel (because their website is completely broken and won’t let me log in) and got offered a matching price.

Gaaaaaaaaaaaah.

I told them as politely as I could manage to jog on. Having wasted all that time shopping around, I’m stuffed if I’m going to play their game.

We desperately need an insurer with the balls to offer people their best price in the automated renewal. Yes, I don’t doubt that there is a nice profit to be made from the nine out of ten people who lack the time or energy to argue with an automatic renewal for a slightly higher price, but surely there’s an alternative profit to be pursued from customer loyalty?

I’ll let you know when I raise some venture capital and found the above.

SFP for the Mikrotik

My Mikrotik router continues to Just Work. Unfortunately, it has five ethernet ports and I have six things I want to connect to it. So to get that one extra port, I’ve had an old 24-port switch (which I had lying around) sitting in the cupboard, sucking up power and generating heat for the sake of tying three ports together.

No longer!

SFP module providing a sixth ethernet port

As you can see in the picture, I’ve taken advantage of the Mikrotik’s SFP slot to insert a module which provides one more copper ethernet port. SFP is more normally used to provide fibre interfaces, but you can use it for normal gigabit ethernet too.

I first tried this some years ago, procuring the cheapest copper ethernet SFP module I could find (I think it was made by Cisco). Unfortunately this particular standard isn’t very, and it didn’t work. So I eventually gave in and bought one made by Mikrotik themselves. This plugged straight in and provides 1Gbps to my NAS. So the 24 port switch is finally retired and things are a bit less toasty in the cupboard.

Advanced Installer

If you need to produce a Windows installer for your software, my advice would be to forget the ancient NSIS, bypass the disappointment of WiX (yes, it’s free, but it requires a lot more work for the same results in my opinion), prise open your corporate wallet and spring for Advanced Installer.

The pricing is somewhat robust, especially if you want the editions which will do things like IIS setup, but the reason they can charge that much is that it Just Works. Typically, an installer is something you’ll spend a couple of weeks setting up and integrating with your continuous integration, and then you won’t touch it from one year to the next after that.

This being the case, having a comprehensive UI for modifying it is much much better than faffing about writing “code” or XML which you’ve forgotten all the details for by the time you next touch it. To be clear, though, Advanced Installer does produce plain-text files which you can check in to version control and then feed to its command-line mode to build yourself an MSI or an EXE.

Security needs to be easy for mortals

Narrator: It isn’t.

Two short stories from a long weekend…

The success story

Microsoft are a bit stingy (in my opinion) by not including Bitlocker (the option to encrypt your disks) in home versions of Windows 10. It’s 2020, and this stuff should be on by default for everyone. Privacy matters.

Having said that, I sprung £40 for a nice reader offer in PC Pro, upgraded my new personal laptop to Windows 10 Pro, and found it had encrypted the drive for me – no need to turn it on specially. Nice! This encouraged a spot of optimism which lasted until…

The less successful story

I finally got round to buying a second Yubikey this weekend – with a second one set up (and kept in a very different place to the first), it should be possible to start relying on this and no other method of two factor authentication. A “security key” like this is much nicer than TOTP codes from your phone, not least because you don’t have to scroll through 40 of them (and you can’t be socially engineered into disclosing it over the phone or by e-mail).

I got it working, but it was quite a battle. LastPass is happy to let you register multiple Yubikeys, but it won’t start prompting you to use one on your phone (via NFC) unless you disable other 2FA methods first. Their UI and documentation are not great at explaining this.

For extra “fun” I then loaded up my air-gapped computer for working with my PGP master key (also known as an old Raspberry Pi – old enough not to have WiFi). In gnupg, writing private keys to a “card” such as a Yubikey is a destructive option which removes them from your keyring on disk. Fortunately the tutorial I used in the first place anticipated this, so I had a back-up of my secret key. However, it turns out that re-importing this doesn’t “un-stub” all the keys you wrote to the card. You have to completely wipe it from the keyring and import it again.

Then you run into some misbehaviour with pin/password prompts and have to Google for a config setting to fix that.

Then you discover newer Yubikeys require a longer “admin PIN” than your older one.

Then you discover the default tutorial on Yubico’s website doesn’t anticipate you having sub-keys for all three of encrypt, sign and authenticate, thus your first attempt wrote the wrong keys to the Yubikey.

Finally, you think it’s over, and you discover that GPG doesn’t really cater for the idea of multiple “cards” having the same keys on them, so you need to hack up a script to delete its knowledge of which card serial number has what secret keys on it, and run this either on a schedule or when a USB device is inserted.
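Both of the GnuPG annoyances above (a re-imported backup not “un-stubbing” the card keys, and gpg remembering only one card serial number per key) come down to the same thing: gpg-agent keeps a small stub file per key-grip that says “this key lives on card number X”. The script below is an added example, not from the post or from Yubico or GnuPG, of the sort of clean-up script the paragraph mentions. It assumes GnuPG 2.1 or later, that stubs live in `$GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key` as `shadowed-private-key` S-expressions (which is how gpg-agent writes them), and that you pass your own key ID; the sample listing is constructed, not real key material.

```shell
#!/bin/sh
# Added example (not from the post): forget which card holds a key's
# secret subkeys, so that either a second Yubikey carrying the same subkeys
# can be learned, or a backed-up secret key can be re-imported for real.
#
# Assumptions: GnuPG 2.1+ with gpg-agent; card stubs stored as
# $GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key containing "shadowed-private-key".
set -eu

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
STUB_DIR="$GNUPGHOME/private-keys-v1.d"

# Constructed sample of `gpg -K --with-keygrip` output (fake keygrips), used
# only to exercise the parser below.
SAMPLE_LISTING='sec   rsa4096 2020-01-01 [C]
      Keygrip = 0123456789ABCDEF0123456789ABCDEF01234567
ssb>  rsa4096 2020-01-01 [S]
      Keygrip = 89ABCDEF0123456789ABCDEF0123456789ABCDEF
ssb>  rsa4096 2020-01-01 [E]
      Keygrip = FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Read `gpg -K --with-keygrip` output on stdin, print one 40-hex keygrip per line.
extract_keygrips() {
    sed -n 's/^[[:space:]]*Keygrip = \([0-9A-F]\{40\}\)[[:space:]]*$/\1/p'
}

# True only for a card stub, never for a real on-disk private key,
# so we cannot accidentally delete the only copy of a secret key.
is_card_stub() {
    [ -f "$1" ] && grep -q 'shadowed-private-key' "$1"
}

# Delete every card stub belonging to key $1 (key ID or fingerprint).
remove_card_stubs() {
    gpg -K --with-keygrip "$1" | extract_keygrips | while read -r grip; do
        stub="$STUB_DIR/$grip.key"
        if is_card_stub "$stub"; then
            echo "removing card stub $stub"
            rm -f "$stub"
        fi
    done
}

# Twin-card case: drop the stubs, then let gpg write new ones pointing at
# whichever Yubikey is plugged in right now.
relearn_card() {
    remove_card_stubs "$1"
    gpg --card-status >/dev/null
}

# Backup case: drop the stubs first, otherwise the import leaves them in place
# and the secret key still looks as if it lives only on the card.
reimport_backup() {
    remove_card_stubs "$1"
    gpg --import "$2"
}

# Only touch the keyring when invoked explicitly, e.g. from a cron job or a
# udev rule firing on USB insertion:
#   sh relearn-card.sh relearn 0xYOURKEYID
#   sh relearn-card.sh reimport 0xYOURKEYID /path/to/secret-key-backup.asc
case "${1:-}" in
    relearn)  relearn_card "${2:?key id required}" ;;
    reimport) reimport_backup "${2:?key id required}" "${3:?backup file required}" ;;
esac
```

The `is_card_stub` check is the important safety net: the stub directory also holds real private keys for anything you have not moved to a card, and those files do not contain `shadowed-private-key`, so the script leaves them alone.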

I got there in the end, but given what a battle it was, I suspect the other people in the world with a twin-security-key setup like this are a select minority indeed. I really hope someone is making this stuff dead simple so it can be sold into the corporate world – then maybe one day home users will expect and demand it, and it will just work. Should give us all more time to harvest bacon from the passing flying pigs.

I haven’t even got to discovering how many of the small group of sites which support U2F allow you to have multiple devices registered, but no doubt most of them limit you to one…

A new slice of Pi

Until last week, if you’d asked me what the longest-lasting computer I’d owned was, I would have said the laptop I had at university (lasted six years). It turns out I was wrong. It’s this:

Original Raspberry Pi Model B

This has been my always-on home “server” since about 2012, and it’s been pretty solid. It must have eaten an SD card or two, but that’s par for the course.

I finally pensioned it off because the CPU isn’t up to running rdiff-backup (one doesn’t think of such things as CPU-intensive, but to a computer which is roughly equivalent to a Pentium II, it certainly is). So it’s finally been replaced by a Pi 4 – let’s see if that lasts to a full decade, though the difference in running temperature is pretty significant.

Building a “WhatsApp phone” for someone else

If you have a less-technical relative and you’d like to sort out video chat capabilities for them, then this is for you.

You will need:

  • A spare smartphone. It doesn’t have to be a powerhouse – in my case, I dug a five-year-old Nexus 4 out of my desk; you can get good-enough Android phones for this purpose for £100-ish these days, or even a bit less.
  • The target friend or relative’s mobile phone number and WiFi details (network name and password)

Un-retired for one last score: my smartphone-before-before-last

Step 1 is to factory reset the phone and configure it up. I tend to just make a new Google account in cases like this, on behalf of my target user (assuming you’re setting up an old Android device – you’re on your own with old iPhones). Naturally, that Google account should be set to forward all e-mails to the target user’s real e-mail address, and make sure you lock it down with two factor auth.

Step 2, install WhatsApp. When prompted for a phone number, give it the target user’s mobile phone number. You’ll now need them to tell you the six digit code it will text to them. Once you have this you can activate WhatsApp on their mobile number. Add the contacts you want them to be able to speak to (presumably including yourself!) and do a bit of testing (be clear that you’re messaging on behalf of the target and will be shipping the device to them shortly).

Once you’ve activated WhatsApp with the code, they can use it on this phone forever, and they don’t need to move their SIM card in if they don’t want to. In my case the user already has an old Nokia that only needs charging once a fortnight, and they’re happy to stick with that for calls and SMS.

Step 3, secure the phone. Put an unlock PIN on it which you can tell the target user on the phone (or otherwise out of band), and tell the phone to encrypt itself (you had to do that explicitly in older versions of Android – remember?).

Step 4, optionally, install any other apps you might be glad for the target user to have (e.g.: Microsoft Teams, Signal Messenger, …)

Step 5 is optional, but preferred. If the target user won’t be putting a SIM card in the device, then it will need to be joined to their WiFi network. To save talking them through this over the phone (and, indeed, talking them through finding out what their WiFi details are), you need to:

  • Find out their WiFi details. In my case, I had a Windows laptop in front of me which had been connected to their WiFi in the past. To fish out the credentials, run 'netsh wlan show profiles' from the command prompt, followed by 'netsh wlan show profile name="Their Network Name" key=clear' to print out the network password
  • Now you need to configure the phone with these details. I’m not sure if there is a way to add a network to Android without connecting to it – I went for the maximum reassurance option of connecting to it.
    • But wait, the target user and their network are 150 miles away – how did I do that, I hear you ask? Well, I temporarily updated the guest WiFi network on my own router to have the same network name and password as the target. Messy, but gives the greatest reassurance that this will work out of the box when I ship the phone.
      • Actually, if you really want all the gory details, I added an extra guest network to my Mikrotik router with the target details – but many routers won’t support that option.

Step 6, get the phone to the target user. I’ve arranged for mine to be picked up by a courier and overnighted to the target user. Assuming the courier doesn’t lose it, I’ll update this post and confirm if it all worked.

David, what video conferencing service should I use?

Oddly enough, that’s a question I’ve been asked a few times in the past few weeks.

There are many choices for this kind of thing. Zoom has a few privacy concerns attached (even if the Prime Minister doesn’t accidentally tweet your meeting ID). Microsoft Teams is pretty decent if you happen to know someone with an account via work (and an employer who doesn’t mind it being used for non-work stuff). HouseParty sucks up battery life like it’s going out of fashion.

My answer, at least for various church things, has been Jitsi Meet – it appears to Just Work and is really simple, since all people have to do is follow the link to the meeting you set up (and enter the password if you set one). It also provides a UK phone number for users to dial in if they don’t have a computer with a camera on it.

Synology DS218j

Or, “why I’m not giving Dropbox money, and you might not want to either”.

Particularly since going paperless, I’ve been pondering where to store my digital files. The days of keeping everything on a PC under the desk in the corner are long over – I have multiple different devices including my smartphone, and I want at least some subset of my working files on all of them. Then there’s backup, sharing selectively with others, encryption, …

I’ve used Dropbox for quite a few years now – it has widespread adoption and various voluntary groups I’m part of use it as a handy way to share files. One might not be thrilled by placing data in the hands of a US mega-corporation, but at least it gives some hope of central management, rather than e-mailing stuff around which is doomed to remain on people’s machines long after they have no further need for it.

However, understandably, Dropbox want people to move from their free tier to paying them money. And if you’re on the free tier, every folder which other people share with you counts towards your quota – not just the quota of the person sharing it.

Before giving in and paying them their pound of flesh, though, I did some maths on the back of an envelope:

Even factoring in the cost of buying the hardware, and the electricity to run it, hosting some Network Attached Storage (NAS) at home looks like an option worth exploring – as long as the kit lasts more than five years, it should be cheaper than Dropbox. And there’s something to be said for having private and personal data hosted at home on hardware under my control.

Look out for part 2 of this series, in which I’ll explain why I went for the Synology and my initial findings from setting it up.

Virtual Coffee Breaks

Note to my biographer and any future historians researching my life: this post was written on the night Prime Minister Boris Johnson announced a UK-wide lockdown to limit the spread of COVID-19. At the time, I was holed up in my flat in Oxfordshire and working from home.

I’ve been running these for a week now. They work, and they’re very helpful to those like me who live alone.

Times and joining details: dnorth.net/vcb