Author Archives: David North

Virtual Coffee Breaks

Note to my biographer and any future historians researching my life: this post was written on the night Prime Minister Boris Johnson announced a UK-wide lockdown to limit the spread of COVID-19. At the time, I was holed up in my flat in Oxfordshire and working from home.

I’ve been running these for a week now. They work, and they’re very helpful to those like me who live alone.

Times and joining details: dnorth.net/vcb

How much bandwidth do I need?

With everyone in the UK who possibly can working from home, now seems like a good time to share what wisdom I can on bandwidth. You might well be looking at your home internet and wondering if it’s up to snuff, after the first couple of days working from home – did your video/audio conferences break up? Did screen sharing work?

As it happens, I use an ISP who provide me some handy graphs, so here’s the past 24 hours on my VDSL / Fibre To the Cabinet link at home:


What can we deduce from this (apart from “David watches too much TV”)? The first thing to note is that the graph uses a logarithmic scale – 1mbps (megabit per second) is the same distance from zero as 10mbps is from 1, and as 100mbps is from 10.

The black line near the top denotes the maximum theoretical speed of my line, which is close to 80mbps – about the best you can do on this type of service. But do I need it? Or could I be managing quite well with the 11mbps ADSL I used to have?

The green line denotes data I’m downloading, and the red denotes data I’m uploading (i.e. sending somewhere else as opposed to fetching).

Well, here are some notes – the plural of anecdote is not data, but these might be of use to you:

  • Non-work stuff (Netflix and Amazon) peaks at more (17mbps) than work stuff, which never exceeded 10mbps
  • As you might expect, video and audio conferencing requires meaningful upload bandwidth as well as download – the MS Teams calls I was on from 0930 to 1045 and 1530 to 1630 used an equal(ish) amount in both directions. This kinda makes sense as I was sending video and audio outbound as well as receiving it.
  • Audio-only conferences, even with screen sharing, are less bandwidth-hungry – see for example 1330 to 1450. Presumably there would have been more outbound bandwidth if I’d been the one sharing my screen, rather than viewing someone else’s.
  • As well as having a lower average and peak throughput in each direction, the work stuff clocked up a total of less than 2GB sent and 4GB received. Contrast that with 14GB downloaded on Tuesday (when I was at work all day) by Netflix alone.

Bottom line, if your broadband can cope with streaming video without interruptions and stuttering, it can probably cope very well with a normal working day. The only time my FTTC service is actually coming into its own is streaming 4k video – everything else, especially the business applications, is extremely well optimized to use as little bandwidth as possible.

However, it’s worth noting that my ADSL had just under 1mbps of upstream capacity (the A stands for asymmetric) – so some of those audio/video conferences would have really struggled there. Having 20mbps upstream on FTTC makes a big difference for that sort of application.

I must admit the results were something of a surprise to me – the 18-way MS Teams call peaking at 5mbps in particular – but if you think that every 5mbps at the user end adds up to that much needed at Microsoft’s end, you can see why they’re keen to keep it efficient.

Of course, it helps to have an ISP which works hard to avoid any congestion at their end, giving your traffic the clearest possible path to the wider internet. Thanks to AAISP – not the cheapest, but the best – I can be confident that the handful of audio/video issues today were “the other end” and not me – the graph shows a complete lack of packet loss and a nice low latency throughout.

Best of luck working from home…

Feature parity, the easy way

This one goes back a few years, but still has something to teach us all…

Back when I was church treasurer, the desktop software we used was fine, but clunky. I grafted multi-user capabilities onto the single-user package by checking the software into SVN and launching it from a script which grabbed a lock before updating and launching. Then at the end, it would commit with a progress bar.

This all seemed a bit hateful (and yet is still in use and working well, nine years later), so I looked around for something modern. The ideal solution would be web-based, so it could be used by multiple people from different systems, and not tied to a single OS (i.e. Windows).

Paxton Charities Accounting is “the other one” in this niche market, and we tried moving to it. Their website notes that both their desktop software and their “online” version have exactly the same features, with seamless migration between them – no small achievement, and one I was professionally curious about…

It only became apparent to me once we’d signed up for it how they achieve this – and the stench of genius almost made my eyes water.

Their “online version” is the desktop software, but you launch it over remote desktop from a Windows server at their end!

I’m still torn over whether this is very clever or very nasty – it certainly killed my hopes of being able to use this stuff on Linux* or mobile clients, though in the end it was the rather clunky 1990s feel to the software, a significant step backwards from what we already had, that made us decide not to go with Paxton. The robust quarterly costs were noticeable too (presumably quite a lot of it going to Microsoft for the terminal server per-client licensing).

*Yes, there are remote desktop clients for Linux, but I never found one which coped with the SSL used by this particular application.

Staying ahead of the Curve

This one is mostly thanks to Paul Ockenden’s PC Pro column. The magazine has survived the changing IT landscape well and a subscription is good value for money, IMO.

As mentioned a couple of months back, one annoyance about my new smart watch is Samsung Pay, which Monzo do not support. Given their client base, and given also that such “legacy” banks as Nationwide and the Co-Op (neither famed for their IT) have managed to support it, a conspiracy theorist would wonder if Monzo are deliberately taking a stand against fragmentation of payment services. But it’s probably a good old-fashioned lack of developers.

Either way, an “aggregator card” like Curve – which supports Samsung Pay et al – is a neat way round this. It simply “forwards” transactions to the underlying card, which can be any MasterCard or Visa (switch between them in the Curve app). As well as fixing lack of support for Samsung Pay on Monzo, this could also be useful to anyone with a “work” credit/purchasing card, since none of the banks seem in any hurry to add even basic Google Pay support to these.

Naturally, having another layer involved in the transaction should make you a bit nervous in cases of large purchases or anything where a refund might need to be requested – especially since your finance team at work might not be too keen on finding out you’re using a third party card “in front” of your company issue one.

However, the solution to this seems simple – use Curve for the small(er) stuff when out and about, e.g. travel and subsistence. It’s things like paying for the tube which are so much easier with phone/watch than digging the right card out of your pocket – and for the big ticket items, you’re probably sitting at your desk with plenty of time to fish out the actual card and use it directly.

Downsides? Well, the items appearing on the underlying card statement are all prefixed with “CRV*” – you do still get the original merchant details after that, but it makes it a bit harder to follow and makes a slight hash of logos and stats on Monzo.

Also, activating the Curve card on Google Pay and Samsung Pay requires confirmation text messages, which failed to arrive for me until I phoned Curve and they fixed something at their end.

All that sorted though, I should finally be able to use Google Pay when travelling for work, and use my watch to pay via Monzo in places which don’t support American Express.

Grandstream HT801

Everyone wall mounts their electronics with sticky back velcro, right?

In a final postscript to my new internet … now that my landline number is on VoIP, it diverts straight to my mobile. But that leaves me with a couple of analogue handsets which no longer do anything.

(Actually, they play an amusing message saying “this is a broadband-only line, please don’t disconnect it”).

For myself, I’d probably bin them and leave it at that, but there are a couple of reasons to want to keep them working on VoIP – first, most “old fashioned” phone handsets are much easier to hold next to your face for an hour than a smartphone which gets annoyingly warm and is quite heavy.

Secondly, when relatives stay with me (the same relatives who still use landlines to call me), they expect the old phone handsets to work.

I had a Zoom 5801 in my electronics box (goes all the way back to 2011), but although I got it working against the A&A VoIP service for incoming calls, outgoing calls got a busy tone. In the end I got fed up of poking its hateful configuration interface, threw it away, and ordered a Grandstream HT801 from Amazon.

So, have things got better in ten years? Well, sort of. On the downside, the Grandstream needs rebooting after some settings changes and takes forever to come back; on the upside, after a certain amount of prodding, I have it working both ways and it even supports IPv6! I’ve got it set to IPv6 only, which means no NAT to get in the way of VoIP traffic, and it works well.

I have it connected to the analogue phone extension ring in my flat, and it manages to ring line-powered handsets as well as a cordless phone. The AAISP support site links to the UK/BT settings; it’s a boring amount of copy/paste to fill them in, but once done, it has the right ring and dial tones, and even manages to display the caller ID.

Of course, as you can see in the picture, they clearly should have printed “Grandstream” on it the other way up to make it wall mount with the ports on the bottom.

P.S.: The automatic firmware update URL is for an IPv4 only hostname. I changed to s3.dualstack.eu-west-1.amazonaws.com/gs-firmware – no idea whether it will work yet, but seems better than a setting which I know won’t!

P.P.S.: There is no encryption on AAISP’s VoIP service at the time of writing, so you don’t want to use it away from trusted networks – VPN up first. Last time I asked I got told that calls on the PSTN aren’t encrypted anyway, which is true as far as it goes but not the leg of the call I’m most worried about. May be time to ask again. To be fair, they are not alone in this decision – most other VoIP providers are the same.

Update, mid-March – first incoming call Just Worked. Quality exactly the same as before, but of course the other party was still on a copper landline.

A&A update

DSL Gear

The day finally arrived. The broadband switch went through around 7AM, so I spent five minutes reconfiguring the router once I got up, and it’s all working perfectly.

The port of my landline number to VoIP was a little less smooth – it spent most of Friday “in limbo” with calls neither ringing the handsets at home nor landing on VoIP – but by 6pm all was well.

So far the whole service Just Works including the IPv6. Result!

There’s one more post to follow on what I’m doing to keep my old landline handsets working.

Innotech Get It Right™

During last week’s heating issues, I needed to send someone a link to download the Windows software for our heating controller. I grabbed the link I made a note of nine years ago and tested it quickly before sending:

[[email protected]:~]$ wget https://innotech.com/DownloadFiles/Software/icomm_v130_rel19.exe (02/02 19:25)
--2020-02-02 19:25:41-- https://innotech.com/DownloadFiles/Software/icomm_v130_rel19.exe
Resolving innotech.com (innotech.com)… 2606:4700:3037::6812:28dc, 2606:4700:3031::6812:29dc, 104.18.40.220, …
Connecting to innotech.com (innotech.com)|2606:4700:3037::6812:28dc|:443… connected.
HTTP request sent, awaiting response… 200 OK

Two things about this please me greatly:

  • Cool URIs don’t change. I had no doubt that the software would still be available; it’s used for a range of devices some of which are still for sale. But that the same link from 2011 still works is impressive.
  • The download happened over IPv6! Naturally, this isn’t because a random HVAC supplier has rolled it out explicitly for their website; they’re using CloudFlare. And why not? Takes care of the SSL, caches those downloads closer to global customers and thus saves bandwidth, keeps you up to date without you having to lift a finger. CloudFlare’s control panel doesn’t let you turn IPv6 off if you’re on their basic package – it rightly explains that there is no good reason to do so.

That htpasswd file of yours has got to go

If you’re my sort of nerd (which I suspect many of my readers are), this story or something like it will probably have happened to you.

Flashback: the summer of 2009. I’m setting up a private website, access for which needs to be restricted to a handful of friends. So I do the obvious thing:

htpasswd -c /srv/auth/my-site.htpasswd david

The htpasswd tool allows you to maintain a simple file of usernames and password hashes, then you just hook it up to your Apache (other web servers are available) with a few lines of config, like this:

<Location /private/>
    AuthType Basic
    AuthName "Top secret"
    AuthUserFile /srv/auth/my-site.htpasswd
    Require valid-user
</Location>

And now, when you visit the location, your browser pops up the usual dialog box:

The ’90s called, they want this dialog box back

Maybe, like me, you rounded it off by providing a simple scripted interface for users to reset their passwords if they forgot them.

And there the matter rested, in my case for over a decade. However, logging in to the aforementioned site yesterday, I realised there are several things wrong with all this (seen with the benefit of, ahem, 2020 hindsight):

  • Most password managers can’t fill in the dialog box most browsers use for HTTP basic authentication, so you have to copy/paste (or worse, use a well known password and never change it)
  • Why does a dinky little private site I run which we all use twice a year need its own password database? Yet another thing to remember, or risk people re-using a password on. Is it using an up to date, properly salted password hashing mechanism? I don’t even know.
  • This doesn’t allow for two-factor authentication, which I view as practically mandatory for internet-facing systems these days.

Like me, you’ve probably had a vague intention to retire your various examples of this setup for years, but have been put off from doing so because it’s not clear what else can be done without adding a huge pile of complexity. Perhaps I can help you with that…

By using the mod_auth_openidc Apache module, you can swap basic auth for “sign in with Google” in about ten minutes.

Their site explains how. Don’t be put off by the references to the now-defunct Google+; the underlying APIs still exist and work. I did have to work out a couple of extra tweaks:

OIDCRemoteUserClaim email
OIDCScope "openid email"

It’s not the nicest Apache module I’ve ever worked with, as it will segfault the process if you get its configuration wrong (e.g. leaving out the above). It also needs extra config if you’re running behind a proxy and the user-facing port number is different to the back end. But still, it’s packaged for Debian and once you have it working, it stays that way.

Finally, if you don’t have a Google Apps domain with all your users in it, and instead just want to restrict people to signing in with a whitelist of allowed Google/GMail accounts, you simply do this:

Require user [email protected] [email protected]

Result. Naturally, as well as meaning one fewer account for your users to worry about (realistically, they all had Google accounts already), this means that password reset, second factors, etc. etc. are all now Google’s problem, not yours.
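Putting the pieces together, here is the complete swap as an added example (it is not the configuration from the original post): the basic-auth block from earlier kept commented out as the “before”, and the mod_auth_openidc block that replaces it. The client ID, client secret, crypto passphrase, hostname, redirect path and the two allowed addresses are placeholders; the metadata URL is Google’s published OpenID Connect discovery endpoint.

```apacheconf
# Added example, not the original post's configuration. Placeholders:
# the client ID/secret come from an OAuth client created in the Google
# Cloud console, and the redirect URI must be registered there exactly
# as it appears below (Google insists on https except for localhost).

# --- Before: HTTP basic auth against a local htpasswd file ----------
#<Location /private/>
#    AuthType Basic
#    AuthName "Top secret"
#    AuthUserFile /srv/auth/my-site.htpasswd
#    Require valid-user
#</Location>

# --- After: "sign in with Google" via mod_auth_openidc --------------
# Server-wide (or per virtual host) settings.
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID     000000000000-placeholder.apps.googleusercontent.com
OIDCClientSecret REPLACE-WITH-CLIENT-SECRET

# Must be a URL inside a protected Location that serves no real content;
# the module intercepts it to complete the login.
OIDCRedirectURI  https://www.example.com/private/redirect_uri

# Random string used to encrypt the session cookie. Keep it out of git.
OIDCCryptoPassphrase REPLACE-WITH-LONG-RANDOM-STRING

# The two tweaks from the post: ask Google for the email claim and
# expose it as REMOTE_USER so that "Require user" can match on it.
OIDCScope "openid email"
OIDCRemoteUserClaim email

<Location /private/>
    AuthType openid-connect
    # Allow-list of Google accounts by address (placeholder addresses).
    Require user alice@example.com bob@gmail.com
</Location>
```

Before reloading, run `apachectl configtest` (`apache2ctl` on Debian): a missing or mistyped directive is much cheaper to find there than as a segfaulting worker. If everyone who needs access is in a single Google Workspace domain, `Require claim hd:example.com` restricts by domain instead of listing addresses. One caveat on matching by address: the `email` claim is only as trustworthy as Google’s accompanying `email_verified` flag, which is always true for @gmail.com addresses but not necessarily for Google accounts registered against an arbitrary external address. Extra settings needed behind a reverse proxy are version-dependent and not shown here.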

Go get rid of your basic auth; the rest of the internet thanks you in advance.

Train strain

The good news is, this post is not just me ranting into the void … I have written to my MP about some of the ideas at the end.

I’ve been missing my 26-30 Railcard badly. Combined with booking as far in advance as possible (12 weeks) and split ticketing, it was possible to get the cost of travelling first class between Oxford and Cheshire down to a just-about-bearable level. But with that nice fat discount no longer available to me because of advancing age, I’ve been back to standard. And I hate it. Take last Sunday’s journey, for instance:

  • I had to print off my (many many split) tickets from the machine in Oxford; there still seems to be no paperless ticketing on this route.
  • As usual, the train was a mere four carriages (three normal and one first). This really feels like taking the p**s on a Friday night, but even a train before 10AM on a Sunday was pretty busy – the food trolley just about made it through, but one more standard carriage would have made a big difference.
  • The rolling stock is getting a bit tatty, and the amount of space allowed in the standard seats wasn’t very generous to begin with. You can just about use a laptop at a funny angle, but it gets tricky if you want to fit your overpriced cup of tea on the little fold-down table as well…
  • There was a rail replacement bus for the last two stops, adding the best part of an hour to the process. (Thought experiment: would I have been refunded the extra for that leg if I’d paid for first class?)
  • The bus had better legroom, comfier seats and much less of a crowd than the train!

And as usual, we’ve had an annual price rise without the service getting any better. The XC Trains Limited accounts for 2019 aren’t available yet, obviously, but the dividend the shareholders enjoyed in 2018 looks suitably chunky.

Positive suggestions for going forward, then…

  • The government should legislate to put an end to the split ticketing nonsense. Force advance fares from A to Z to be capped at the same price that can currently be achieved by booking in smaller legs. This will be fairer to consumers and put a stop to the environmental impact and delays caused by people like me having to print six or more bits of cardboard for a single journey.
  • Print-your-own or barcode-on-smartphone tickets should be an option on all routes. If the companies won’t buy the equipment, make them pay the postage to send out the paper tickets in advance.
  • More carriages, more carriages, more carriages.
  • Consider reducing the number of seats and increasing the leg room and table space.
  • Rail replacement buses which take longer than the train they replace should count as a delay and thus come with the associated compensation to passengers.

Some of this is not easily done overnight, but the first two are easy and way overdue.

Trouble in the basement

Heating controls

Last Saturday at St Columba’s was a fun one. As any fule kno, the last Saturday in January is the traditional occasion to have a Burns Night Supper, where haggis is enjoyed and the life of Robert Burns celebrated. I was expecting to slice up the world’s supply of swede, and do my master-of-ceremonies bit.

What I wasn’t expecting was to discover a heating fault. As I’ve covered previously, I’m one of the people who knows how this system works, having been on the committee which oversaw it being procured and installed in 2011 (and re-programmed the logic so it actually worked as we wanted it to).

I should admit before going further that I didn’t manage to work it all out on my own – I had some help from another amateur who knows more electronics than me, and we’ve since had the professionals in.

There were a number of things wrong, the first of them being that the mechanical on/off button on the boiler broke so it was stuck in the off position! Yay for duct tape…I felt a bit better about having been stupid enough to turn it off when British Gas’s engineer admitted it was a common fault on this particular boiler. The boiler also defaults to a target water temperature of 20 degrees when reset which is … displeasing.

The second, annoyingly, was a failed pump. It doesn’t matter how well your boiler is working, if you have no pump to push the hot water round the heating circuit, you’re out of luck.

Fortunately, when we put all this in, we took the recommended option of dual redundant pumps! The controller switches between them once a week to ensure they wear out evenly, and after nine years of hard service, one of them broke. The good news, as you can just about see in the picture above, is that there’s a hardware switch to force it to stick with one pump or the other. So now we’re just waiting for a repair/replacement on the failed one, but all is working in the meantime. This sort of thing is exactly why you want a “hot spare” in critical systems.