The Food Delivery War (Deliveroo, Just-Eat, UberEats) Comparison and Analysis


There is no doubt in my mind that being able to order food online and have it arrive at your home or business half an hour later is a wonderful thing, but not all services get it right, and some get things badly wrong. We collectively decided in our office that we'd use each service daily for 1 month and review the performance and shortcomings of each on this blog. This isn't a conventional tech-related article, but we think it's something of interest. We'll go through each service provider in the order we tested them and provide an insight into the strengths and weaknesses of each service; finally we'll summarise the three and give our views. If you find this article useful and interesting then please rate it.


Deliveroo

Now Deliveroo is probably the best known provider in the market, and I do like the branding even if it's a little juvenile, but how about the actual service?

Deliveroo has a phone app and a website, both of which work fine. You are required to supply your email address and phone number (which can be a landline, which is great). The entire registration journey was simple to follow and easy to do.

The selection of outlets available via Deliveroo is reasonable (we're in the city centre here) and the general layout and operation of the website is good. 

Placing an order is a simple matter of selecting the restaurant, selecting food by adding it to a basket and then checking it out. Some restaurants allow changes to food items such as adding or removing sauces, toppings and so on, but some don't, and that's more the restaurant's fault than Deliveroo's.

Once the order is placed, you're taken to a map showing the outlet and your home/office, which updates every few seconds. There can be a significant delay between the ordering and the assignment of a rider, the rider arriving at the restaurant and any changes on the map. This is because delivery agents (riders) can pick and choose which delivery they will take, meaning the restaurants further out can be waiting literally HOURS for someone to transport your food. Regardless, Deliveroo keeps you informed of the process so you know when someone has taken the job and when the food is actually collected, after which the map will update showing the location of the agent (rider), and this is really helpful in judging arrival time.

The competence of the delivery agents is extremely variable, with some unable to read street signs and house numbers whilst others are able to quickly arrive at the correct premises. In our test period we found that around 80% of agents found the property quickly and easily (it is very obvious and clearly marked), with the other 20% ranging from wandering around, going to the wrong premises and even just dumping the food and running after marking it delivered. There is no way on Deliveroo to rate the agent (rider) or even the restaurant, so Deliveroo has no way to track performance and penalise those who fail miserably, and this I think is an area that needs urgent improvement.

In the event that the agent just cut and ran, or delivered the wrong order, Deliveroo were quick to respond and just refunded our order, which was great for us, but I'm not sure if that information is fed back into the network to penalise the rider or outlet for their respective cockup.


UberEats

A latecomer to the food delivery business, UberEats seeks to capitalise on its taxi business by using that same resource to deliver food, and why not. The UberEats website rejects our email address as 'invalid' even though it's not, of course, and further demands a mobile phone number before it will proceed. We used an iPad Pro with a SIM card as the mobile number, and had to register a Gmail account to get past the invalid email nonsense. Poor design and coding aside, we eventually managed to get registered; a text message was sent to our iPad with a code to verify and we're up and running.

The ordering process is very similar to Deliveroo, with a matrix of restaurants to select, food items to select and then the old basket add before checkout. One thing you do notice with UberEats is the multiple entries for the same restaurant at different locations. For McDonalds as an example we have 6 different listings for 6 different locations, and we have to choose which one we want. That makes no sense. Surely we should have one listing and UberEats decides which outlet to order from based on distance?

After we've checked out we're presented with a similar screen to Deliveroo's, showing the outlet and delivery agent, and again this map updates periodically. As with Deliveroo, UberEats suffers the same long delays on some deliveries simply because they don't have enough resource and allow delivery agents to pick and choose what they collect and deliver, but unlike Deliveroo, UberEats doesn't keep you informed of the process and you're just left watching the map with the expected delivery time shifting further into the future with each update. In one instance we were waiting just over 2 hours for a delivery and there's no way to cancel it and no indication as to the holdup. This can be frustrating, especially when your dinner break is an hour between 12:00 and 13:00.

When considering delivery agents and their competence, UberEats was slightly better than Deliveroo, with approximately 90% of agents finding the location and delivering the food quickly and easily. The remaining 10% just drove into the street and tried to call the mobile number that we'd been forced to use during registration; this is, as I said before, a SIM card in an iPad Pro so it's not going to ring no matter how many times you call it. Some agents eventually prised themselves out of their cars and came to the gate, whereas others just marked the food as delivered and drove off. UberEats DOES have a system to rate the delivery agent AND the restaurant, and that's awesome, but you don't get to choose who delivers the next order. When ordering you're shown the rating of the delivery agent, but whether it's 50% or 99% is pot luck and you don't get a say in it. The rating is however quite accurate, and those with a low rating were indeed the ones who didn't show up or delivered our food elsewhere.

When there was a cockup, UberEats was nearly impossible to reach, with us eventually having to leave a message via their website, but they did eventually get back to us and credit the account for the errors. The website is also under development, with links like FAQs taking you to a 404 Not Found page.

One point to note here: UberEats has absolutely no facility to change the mobile number you used when you signed up. We would have loved to change that to the office landline so we'd be able to receive calls, but we can't, and we're stuck with a number from an iPad Pro.


Just-Eat

Just-Eat has been around for a while now and tends to offer restaurants that are further out of town and not available on the other two, which is nice. Just-Eat, unlike Deliveroo and UberEats, is not limited to city centre restaurants, and for that we're grateful.

The sign-up process was painless and, unlike UberEats, it accepted our email address and allowed us to enter a landline. The range of restaurants was reasonable and accessing them was also ok. The ordering process is a little more clunky than the other two, but it's certainly doable once you get used to having to 'Add' a subtraction to an order. The checkout process was fine, but that's where it stops. We've got no order tracking and we're left in the dark as to the status of our order. That's not to say that they didn't show up; in most cases they did, but you certainly feel the loss of the real-time tracking provided by the other two. The reason for this loss of tracking is that each restaurant uses its own people to make the delivery, so Just-Eat is simply the order taker, not the deliverer.

Delivery times were rarely what was quoted, with an hour being the norm, but Just-Eat does allow you to enter a delivery 'note' into which we could enter "Press door phone and side entrance", which was a neat feature and meant that some delivery agents actually came direct to us without going to reception first. Just-Eat has a rating system allowing us to rate both the food and delivery time but not the delivery agent, and it's not immediately obvious how to get to this screen.

Just-Eat does allow you to have more than one address, which we found especially useful so we could use the same account for both office and home, whereas the other two needed a separate account for each, which was awkward to use and couldn't be used with their apps.

Just-Eat provides online chat and a number to call when it all goes wrong, and they were fairly quick to respond and issued a refund where needed.

Notwithstanding the delivery times and lack of tracking, we felt Just-Eat did ok and we'd certainly use them again.


Price Variance

In order to correctly study the price differences between services we found a restaurant that is on all three services, and we ordered the exact same items on each. Here's how they compare:

Service     Food Cost   Delivery Charge   Total
Deliveroo   £21.00      £3.15             £24.65
UberEats    £19.35      £2.50             £21.85
Just-Eat    £21.00      £2.50             £23.50


On a single order you're looking at a saving of £2.80 (or 11%) when selecting UberEats over Deliveroo, but over a year of ordering, assuming you're spending £50 a week on deliveries over 48 weeks, you would save £264. It's worth noting at this point that Deliveroo offers a monthly payment plan of £11.49 which then gives free delivery on all orders (delivered by Deliveroo). If you're a regular buyer then this may work out in your favour, but we didn't take this option and it's not included in the table above. Neither UberEats nor Just-Eat offers such a programme.


Summary and Thoughts

Some studies we've read suggest that 70% of restaurant business will be via delivery. There's no guarantee, but the services above are going to be the ones leveraging that change. Is it all good news? Well, not for the local pizza, Chinese or Indian takeaways who traditionally dominated the home delivery market with their own drivers, now relegated to the sidelines by the big three, and we're hearing of restaurant owners who are being pressured into paying the big three to deliver their food over and above the delivery fee that we're paying. But for us as consumers it can only be good.

None of these services allow ordering from more than one restaurant at a time. In a city centre environment like our office we often found some people wanted food A and others food B, but we could only order one. This wouldn't seem to be an impossible issue to solve and would give one provider a lead over the others, but there's no sign of it yet.

We also found the 'delay' before anything was delivered to be annoying but understandable. A suggestion here would be to have a realistic delivery time based on capacity and an option to cancel the order if it's too far in the future.

We sincerely hope you find this article of use and would appreciate your comments and ratings. 


The curious case of Traffic Exchanges


Traffic Exchanges are not a new phenomenon but have in fact been around for at least 10 years if not longer, but they do come and go, each rarely surviving more than a few years. The concept is a simple one: you browse someone else's website and they'll view yours. At this point we break these down into two groups, auto and manual. With a manual traffic exchange each user selects sites to view, usually for a selected time, and earns points for this. Those points are then spent with other users viewing your site(s). In auto, a browser (either a program, plug-in, extension or just JavaScript) cycles through websites automatically, usually for fewer points per view. Some of the more advanced exchanges allow specific geo-targeting, referrer control, and even an attempt at search engine -> site simulation with varying degrees of reliability. In most cases you can of course pay for points, which are then consumed by users. None of the research and testing done for this article involved paying for anything.

The aim of all this is threefold. Firstly, website traffic from human visitors can be an opportunity to convert into sales, providing what you're selling is something of interest, but with auto-surf there is absolutely zero chance of this.

Secondly, some advertising networks pay per view rather than the more normal per click or conversion. These networks, whilst generally immune to fraud, can be fooled by traffic exchanges, generating negligible income for site owners.

Thirdly, search engine positioning as well as ordering of ad banners on networks is driven by complex algorithms, some of which may (or may not) be influenced by the increased presence of visitors to a site. In reality I can find almost zero data to support this belief, but the persistence of such traffic exchanges would tend to suggest there must be something to it. Many of the sites listed below use different terminology for the actual 'points', such as minutes, tokens or credits, but for the purpose of this article I shall just call them points as the principle is much the same.

During the research I've searched for, located, signed up to and tested as many traffic exchanges as I could find, and will list them here together with my observations, which I hope will be helpful.

Traffic Exchange Websites

RankBoostup.com

A bright and clearly produced site from Australia that looks maintained. This site is purely a traffic exchange and it does it very well. Auto-surf is done with a browser plug-in, and there's one for both Firefox and Chrome. Whilst it doesn't show every visit, it does show the number of visits per day, and with that we can match it to visitors fairly accurately. This site offers a few more options for a recurring fee of $10, allowing limits to be set as well as geo-targeting, referrer spoofing and several others. For an extra $10 you can buy 12k points. If you're just starting out then this one is a fairly easy one to get going with and won't cost the earth.

FollowLike.net

A fairly recent entry to the market, Followlike.net provides some features not often seen, such as OK.ru, Vimeo, Reverbnation, ask.fm, VK, Mix, Diigo, Pocket, Folkd, Reddit and 9Gag, to name a few. I've tested a few of these and found them to work, and it provides accurate tracking of your accumulated points. The auto-surf works, although it views sites in a pop-up window which you then can't easily mute in most browsers. Firefox has a plug-in that auto-mutes all new windows, so that was an easy fix. Interestingly this site is hosted in the UK on Webfusion. If you're looking to have a shot then this one is definitely worth checking out, with recurring plans starting at approximately $5 for 5k points.

Hitleap.com

Very clean and modern layout and simple, easy to understand operation from Hong Kong. Auto-surf is by an application, and this works well in Windows (a Linux version is also available). You can have up to three websites listed. Geo-targeting and bounce reduction are available at a cost starting at approximately $15 per month, which includes 10k points. Certainly worth a try if this is something you want to explore.

otohits.net

Another good example of how to do it, from France: clearly laid out, and with manual approval of sites it's a safe bet that it's regularly maintained. Even on the free account you can have referrer spoofing, user-agent overriding, click simulation, scrolling simulation and geo-targeting, and in our tests it works exactly as advertised. Auto-surfing is again via an application, and this works well. There isn't a recurring fee, but points can be purchased for as little as 2 euro (about $3) for 1.5m points. OtoHits also offers an API for integrating your applications, but I haven't explored this option.

10khits.com

Nice clean design from the USA. In testing this site works as described and has fairly accurate tracking of visits, and for a recurring fee of $29 you can have geo-targeting and referrer spoofing as well as 200k points, 45 websites and more. Auto-surfing is done via an application (Windows) that you can set and forget. Certainly a serious competitor in this marketplace.

AddMeFast.com

This exchange has been around for a good number of years and offers far more than just traffic exchange; in fact the traffic exchange is quite poor, but it's still worth listing, especially if you want human Facebook, Twitter, YouTube, Pinterest or SoundCloud likes and follows. The actual tracking of where your points are going is non-existent, but tracking visits to a site that has zero normal visitors does indicate that it is working as advertised. There are paid plans starting at £199 per WEEK, but these apparently give unlimited points, although I'm not sure how that actually works.

LinkCollider

Another long-lived exchange which offers much of the same, but includes Blogger posts and some others. This site has some non-functionality and unreliability that would suggest it's no longer actively maintained, such as StumbleUpon posts, and I think most people know that StumbleUpon became Mix quite some time ago. The auto-surf is also broken and only surfs a few sites before stopping, and even if you set no-referrer it still uses linkcollider.com as the referrer in the web requests. Apart from this it's certainly worth a look, with recurring monthly plans starting at £20 for 5k points.

Manyhit.com

Manyhit.com, hosted in the USA, is unlike other players in that it suggests you could actually earn real $ by surfing sites, but in testing this wasn't the case. No matter how many sites I surfed, the 'account' still showed $0. Judging by the "This banner URL is incorrect" everywhere, this site may well no longer be maintained, but it is listed for completeness.

Somiibo

Whilst this site from the USA promises much, its complexity and reliability issues with its 'auto-surf' software move it down the list. Because of the issues I wasn't able to successfully test this site and I can't say if it's maintained or not. They have a recurring monthly package at $14.95 and I'm sure for that you'd find things would work as expected, but for this article I was only testing the free account.

9hits.com

I've included this one because I really like the site design; it's the best I've seen so far and it seems to have some sweet features such as macros. Unfortunately the only way to auto-surf is with their application, and the Windows version requires Flash, which I'm simply not prepared to inflict on my PC. Recurring monthly premiums are only $6 for 100k points, which is very reasonable, but again I couldn't test due to Flash. I suspect this one is worth keeping an eye on.

YouLikeHits.com

Another site that's been around for a while and only supports manual web surfing. Points can be purchased at a rate of $10 for 3k without any recurring charges. After adding a site and accumulating some points there were trackable visitors, so this one works as advertised. This site also offers completing surveys as a way to accumulate points, but I didn't try any of those.

The Dangers

So, you've got a PC somewhere running an auto-surf, or even a browser on your PC running in the background viewing sites, but you don't know what those sites are going to be. They could be malware-infested sites, bitcoin-mining sites, denial of service sites, sites that attempt to deposit files on your PC or even sites with illegal pornography, and it's all traceable back to YOU. (See our blog article on Tracking.) Whichever way you throw it, you're trusting these sites to monitor and vet all the links within them, which they simply don't do. In the test we ran there were a few instances of porn and a few more of malware, but nothing we couldn't handle because we were monitoring it.

Social Media Purchasing

As you will no doubt find, the majority of these sites also provide an option to 'purchase', using your points, social media metrics such as followers, likes, etc. This is not a great idea, because whilst search engines do use your total followers as a positive metric, they are more focused on the quality of your social media proponents. If you consider that the rep or footprint of a social media profile is based on that entity's posts, likes, dislikes and follows, then your rep is based on the rep of those who post about you, follow you and like you. For a normal real-person social media account that's great, and these accounts have reputation and normal activity, but the ones you're buying on these sites will have thousands (or more) of likes, follows and shares that are clearly fake, unrealistic and ignored by Google, so don't waste your time and money.

Backlink Purchasing

It is no secret that quality backlinks can greatly enhance your site's appearance in search engines, but likewise poor quality backlinks can greatly damage your appearance in search engines. Your site will rank far higher with just one good quality backlink than with 1000 poor quality ones, but how can you judge quality? Simple: anything you BUY on sites like the above is POOR no matter what they tell you, and these will damage your ranking. The only way to obtain QUALITY backlinks is with effort and perseverance. As a point of interest, it has been a long-standing weapon in SEO that competitors can be knocked off their spots by spamming their sites with thousands of poor quality backlinks, so please don't spam yourself out of search engine existence.

Summary

I am not sure of the actual benefit from traffic exchange and there's no guarantee that it's not going to hurt your rankings rather than improve them, but website ranking, especially in Google, is something that takes months to affect, and during this article's research the timeframe was about a week. I can see some benefit assuming the users browsing your sites have the Alexa Toolbar or similar plug-ins (which send all the domains you visit back to a server somewhere, which personally I think is a ridiculous idea), and these would be influenced by the increased traffic. As for having any effect on search engine ranking, I cannot see how unless the surfers first went to the search engine page, entered some keywords, paged through until they found your site and then clicked it, all of which is quite complex and unpredictable.

In order to track the effectiveness of these traffic exchanges, I used a different URL with each and then dumped the log files and compared them to the reported figures. All the ones I could test came out with about the right number of hits, give or take, but be aware that tracking social media likes/follows is far more complex. Just considering Facebook, FB likes would require these sites to have linked your FB account and had access granted to an app on your FB account in order to accurately register likes and follows, which none of them seem to do. Google, Twitter and LinkedIn all have a similar method for tracking.
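The log check described above, as an added example that is not part of the original post: each exchange gets its own tracking path, the web server's combined-format access log is parsed, logged hits are compared with what each exchange's dashboard claimed, and the referrer column is inspected for the kind of leak noted under LinkCollider. The log lines, tracking paths and "reported" figures are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (not real traffic). Each exchange was given its own
# tracking path under /tx/ so its visits can be told apart in the log.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2019:10:01:02 +0000] "GET /tx/rankboostup HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/65.0"
203.0.113.11 - - [12/Mar/2019:10:01:09 +0000] "GET /tx/rankboostup HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/72.0"
198.51.100.7 - - [12/Mar/2019:10:02:15 +0000] "GET /tx/linkcollider HTTP/1.1" 200 512 "https://linkcollider.com/surf" "Mozilla/5.0 (Windows NT 6.1) Chrome/71.0"
198.51.100.7 - - [12/Mar/2019:10:02:45 +0000] "GET /tx/linkcollider HTTP/1.1" 200 512 "https://linkcollider.com/surf" "Mozilla/5.0 (Windows NT 6.1) Chrome/71.0"
203.0.113.12 - - [12/Mar/2019:10:03:01 +0000] "GET /tx/rankboostup HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
192.0.2.44 - - [12/Mar/2019:10:03:30 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/65.0"
203.0.113.13 - - [12/Mar/2019:10:04:10 +0000] "GET /tx/otohits HTTP/1.1" 200 512 "https://www.bing.com/search?q=example" "Mozilla/5.0 (Windows NT 10.0) Edge/18.0"
"""

# Visit counts the exchange dashboards claimed for the same period (constructed).
REPORTED = {"rankboostup": 3, "linkcollider": 5, "otohits": 1}
TRACKING_PREFIX = "/tx/"


def parse_log(text):
    """Yield a dict per line that matches the combined format; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarise(text, prefix=TRACKING_PREFIX):
    """Per exchange: successful hits on its tracking path, distinct client IPs, and referrer counts."""
    hits = Counter()
    referrers = defaultdict(Counter)
    unique_ips = defaultdict(set)
    for rec in parse_log(text):
        if not rec["path"].startswith(prefix) or rec["status"] != "200":
            continue
        exchange = rec["path"][len(prefix):].split("?", 1)[0]
        hits[exchange] += 1
        referrers[exchange][rec["referer"]] += 1
        unique_ips[exchange].add(rec["ip"])
    return {
        ex: {"hits": hits[ex], "unique_ips": len(unique_ips[ex]), "referrers": dict(referrers[ex])}
        for ex in hits
    }


def compare(summary, reported):
    """Claimed vs logged hits per exchange; a positive over_reported_by means the dashboard claimed more than arrived."""
    rows = {}
    for ex, claimed in reported.items():
        logged = summary.get(ex, {}).get("hits", 0)
        rows[ex] = {"claimed": claimed, "logged": logged, "over_reported_by": claimed - logged}
    return rows


def leaks_exchange_referrer(summary, exchange):
    """True if any visit attributed to this exchange still carried the exchange's own name in the Referer header."""
    refs = summary.get(exchange, {}).get("referrers", {})
    return any(exchange in r.lower() for r in refs)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for ex, row in compare(s, REPORTED).items():
        print(f"{ex:14} claimed={row['claimed']} logged={row['logged']} over_reported_by={row['over_reported_by']}")
    print("linkcollider referrer leaked:", leaks_exchange_referrer(s, "linkcollider"))
```

Pointing the script at a real dump means reading the file into `summarise` instead of `SAMPLE_LOG`; the same per-IP and referrer breakdown also makes it obvious when all of an exchange's "visitors" are one repeating client.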

I'm going to leave it running for a few more weeks with a couple of these sites and see what, if anything, happens to ranking or placement, and I'll update the article with the results.

I'd be very interested to hear if anyone has another take on this; please leave a comment.


Copyright

© 2019 GEN


Spring Clean your Personal Computer


Modern operating systems like Windows and MacOS generate vast volumes of needless data during normal operation, by design. For almost as long as these operating systems have existed there have been tools to clear down the needless data and optimise files, tables and configuration to speed up operation. One of the first of these tools was "Norton Utilities", created by Peter Norton in 1982 for MS-DOS (later sold to Symantec in 1990). In the intervening 35 years operating systems have become ever more advanced and demanding, and the number of competing tools has increased. We, as a solution provider, have used most of these tools over the years, but recently we've focused on a powerful and lightweight tool from MacPaw.

MacPaw, a Ukrainian company, has been producing "CleanMyMac" for many years and is now very much the market leader in this space. Recently MacPaw entered the Windows market with "CleanMyPC", and with their proven track record we adopted this product as our core offering for Windows users. This article is going to review both products and highlight the key features of each.

CleanMyMac

For as long as we've been using Apple products, CleanMyMac has been a prerequisite, and it brings a comprehensive toolbox to the platform. The most significant feature is its junk removal, which can free up a significant volume of space on each run by removing cache files, system logs, broken preferences, unused universal binaries, unused language files and localisations, deleted mail attachments, iTunes junk, browser cache and history and of course your trash bins. This whole process is automated, and after a few minutes of processing a figure for the reclaimed storage is given. Running it on this very workstation whilst writing this article, CleanMyMac found 1.7GB of junk to be removed.

The uninstaller is one feature that is still missing from MacOS even today. Some apps, once installed, are complex and awkward to uninstall, and most require a return to console commands to remove everything. CleanMyMac allows complete removal of applications including preferences and local data. CleanMyMac can even uninstall multiple applications at once, which is really handy.

MacOS has a number of tools only available from the command line, such as flushing DNS, rebuilding the launch database (Launchpad), repairing permissions etc., and CleanMyMac brings these to an easy to use menu.

Privacy is something that is becoming more important now that the nefarious practices of some websites are becoming public knowledge. CleanMyMac gives a simple click-and-do approach to clearing this data and ensuring privacy. CleanMyMac also includes a secure file deletion tool which promises to eradicate all traces of a selected file or files.

Extensions are pluggable add-ons for MacOS browsers and applications such as Finder and Launchpad. CleanMyMac lists all these add-ons and allows you to simply point and click to enable and disable them. Especially useful is removing Launch Agents, which load automatically when you log in and can be really annoying.

CleanMyPC

With the same clean and modern interface, CleanMyPC brings the same toolset to Windows and focuses on the key issues that still affect Windows PCs daily. The "Cleanup" feature clears cache files, logs and of course trash. Running it on a PC in the office a moment ago we freed up 1.5GB of space automatically.

The Windows Registry is the store for all settings for Windows and most applications. The Registry is a database and suffers from fragmentation as well as junk. CleanMyPC swiftly cleans the junk and optimises the Registry files to speed up access and keep it relevant.

Windows does have an uninstaller, but you can only uninstall one application at a time and there are often issues with uninstallation. CleanMyPC brings the same multi-application uninstaller with added clean-up.

Windows extensions are again plug-ins and add-ons for browsers and Windows Explorer, and these can again become damaged and require repair or removal.

Autorun is the Windows equivalent of Launch Agents on MacOS: a list of applications that will automatically be started when your PC boots up and/or you log in. CleanMyPC gives you a simple click-to-enable/disable list to easily manage these.

Privacy is again a concern, maybe more so for Windows users, and CleanMyPC not only gives you a list of data to be cleaned but also suggests the data's "safety" or risk. CleanMyPC also brings with it the same secure erase functionality, ensuring any trace of the selected files is removed and rendered unrecoverable.

The NEW Version of CleanMyMac

CleanMyMac X takes the product to a whole new level with CPU and memory monitoring, malware protection and performance tracking, all of which just add to an already awesome toolset.

Overall

Both tools offer a wide range of really useful services and perform flawlessly. This is not free software and there's a price, but it's very reasonable, it's FREE to try, and on a cost/reward basis it is well worth the money. If you're looking for more than 5 copies then please contact us for a corporate licence.


Copyright

© (c) 2019 GEN. E&OE


Royal TS/TSX - The perfect tool for connecting to everything


There are some tools that you work with so often that they become invaluable. Anyone who spends their days connecting to different systems and servers will know that the tools generally available are system specific: Windows desktop = Microsoft RDP client, Linux box = native SSH or Telnet, FTP server = FileZilla, Cute or WinSCP, and the list goes on. Each tool has its own quirks and issues, but we learn to live with them in order to get the job done.

A few years ago now I was looking for a better SSH client, because in my job when I have many SSH windows open it's easy to lose track of which is which, and I downloaded the first beta of Royal TSX (for Mac). It was a work in progress, but I loved it. Now I can have my SSH clients in tabs instead of separate xterm windows, and I can name the tabs so it's clear to see. I can even automate the login by scripting, so I no longer have to waste time looking up passwords and leaving sessions open way longer than needed just because I have to look up passwords. Royal TSX, even in its early stages, was a well thought out tool that instantly made its way to my quick launch bar.

The first beta could connect to SSH, Telnet and RDP and I quickly found time to add all my regular connections and never looked back. 

Now that was a good few years ago, and today Royal TS for Windows and Royal TSX for Mac are well polished and comprehensive toolsets with connectivity options to just about everything you could ever want:

Telnet, SSH: With full control over credentials, session, scripting, emulation and much more. 

You can clearly see the tabs showing connections to multiple servers with varying connection types.

File transfer, whether FTP, SFTP or SCP, can be a bind to manage, but no longer: simple drag-and-drop file transfer. But there's more, much more...

RDP: for connecting to Windows workstations and servers.

TeamViewer: For anyone that still uses it. 

VNC: for your GUI-based connections to Windows, Mac, Linux, IP KVMs and more.

File Transfer: over FTP, SFTP, SCP and more, with simple drag-and-drop functionality.

VMWare: List instances, control on and off, connect to the console and more.

Hyper-V: Instance control, data and connections. 

Serial: yes, even hardware serial over USB is a click away for those serial console moments that blindside you on an idle Tuesday afternoon.

An all-in-one tool, one screen, one set of configs! The organisation of connections allows you to create folders and move connections into folders, so finding that connection is logical. I have folders for each customer, then a folder for each site within the customer folder, which really helps. Royal TS/TSX stores all your connections and configuration in a 'phonebook' file which can easily be migrated or even synced between workstations. I, for example, sync between my main desktop, laptop and mobile phone (yes, there is a mobile/tablet companion product!).

But that's not all; how about Windows Events? We all hate those, and monitoring can be a pain, especially with multiple servers over multiple domains. Royal TSX cuts through all the nonsense with direct connections to Windows Events.

Windows Services? No problem. Windows Processes are a click away, simple as anything, and of course PowerShell is also a click away.

If you're not already looking for where to download this tool then I'd be surprised. Did I mention it's FREE for up to 10 connections, and after that the full product is only €35 or $46 for an individual licence, which is seriously undervalued in my opinion? If I add up the thousands of hours I've saved over the years then the true worth of this product would be five figures plus. 

When I first started using TSX it would spend a good part of the day on my screen, and co-workers, visitors and even customers would ask, "What are you using to do that?" The product literally sells itself through its smart, clean look and feature set. 

The developer, Royal Applications, is an Austrian company with a tight focus on its core product line. The product is actively developed, and updates with new features and connection types arrive regularly. Support is outstanding, with quick responses and assistance, and there's comprehensive documentation available too.

It's important to note that Royal Applications is not paying for or influencing this review in any way. I genuinely love the product, use it every single day and paid willingly for my licences. I strongly recommend anyone not already using it to give it a try, for FREE remember. 

You will find their product at www.RoyalApplications.com, and a quick link to their download page would be https://royalapplications.com/ts

 

If you found this review useful and I managed to save you hours a day then drop us a comment... 

Copyright

© 2018 GEN, E&OE


SocialMedia, Google, Bing, Yahoo, Amazon, ISP's, Government Tracking and Personal Data Leakage

After our post 'In defence of social media', which itself was a response to the disproportionate news coverage of Facebook specifically, there have been many responses generally accepting that it should have been common sense that nothing is 'free', but that there was a clear misunderstanding of how people are tracked online and what exactly is collected and by whom. This isn't unreasonable, because the whole tracking and collection industry is shady and insidious, and just for clarity, I was correct when I said GDPR will make absolutely no difference. So, how about we look at a few specific examples of data capture from some big players in the market...


Let's start with Facebook, purely because it was the subject of recent news stories. 

Facebook of course collects everything you feed into it; this includes your name, address, date of birth (if anyone actually uses their real date of birth), phone numbers, email addresses and so on. This data forms the root record (the record to which everything else is attached). 

To the root record we then add everything you view, everything you like or dislike, everything you post (Images, Text, Links), every message you send and receive and every ad that is displayed or clicked. 

Associations are also added, that is your "Friends", and the interactions between you and your "Friends" are also logged; common interests or appearances in common photographs are also recorded. 

If you use the Facebook app on your mobile device then your location (unless you deliberately disable it) is recorded and stored. 

If you are unfortunate enough to have used your Facebook 'login' to log in to third-party websites then a record of that site, when you use it and for how long is also included. 

Facebook was reportedly paying people to give up their privacy by installing an application that sucks up huge amounts of sensitive data, and explicitly sidestepping Apple's Enterprise Developer program rules. This has now been brought to a shuddering halt by Apple, so thanks Apple. More information on this one HERE.

As you can see, Facebook stores pretty much everything you do and that's their business model, you get to waste hours of your life that you'll never get back and Facebook sells the data they collect from this activity. There's nothing wrong with this business model, it works and has been around for decades. 

Pinterest, Instagram (which is now part of Facebook), Tumblr and so on

These sites, which are generally 'image' sites, record everything you add to the profile, and to that they add everyone you follow and every image you view (and for how long); further, some of these scan the images uploaded, recognise faces and then form internal relationships between the images and users. There's nothing wrong with this business model either, of course, except perhaps the fact that the moment you upload your image it's no longer your image, but that still doesn't stop people using these services. 

Twitter

Now Twitter has been around for a few years and is basically a 'feed' service where you follow topics and people and receive updates from them. It's a simple model yet an effective one. Twitter records your posts, reads, follows and followers. It also records every link you follow from posts. Twitter inserts 'ads' into your feed, which is annoying but not a show stopper, and these are of course paid for by the advertisers. The rest of Twitter's revenue comes from selling your data to third parties, which is again a good, sustainable business model. In the early days Twitter was wide open to abuse, where 'fake' accounts were created in celebrities' names, causing unsuspecting followers to be duped and further directed to 'donation' or 'malware' sites, but Twitter put a stop (mostly) to this by 'verifying' some celebrities to remove any confusion. Twitter also allows the embedding of links, audio and now video into the feed, which is great but brings with it a new set of challenges around protecting users, and also provides additional tracking metrics. 

 

Google

Google is a huge company with many 'services', most of which are 'free' to use. Let's look at probably the most common service, the "search" engine. There's no denying that Google.com is a great search engine, and if you're looking for something a little obscure then it's your go-to engine, but let's look at what's captured. 

When you search on Google, the search term is recorded along with the results, which results you click on, and the time taken for that click. This simply makes associations of interest against your Google profile (if you created one, or a unique identifier if you didn't). This in itself isn't really bad, and you would expect them to capture this information, surely? This information (search history) is further used to focus future searches, so the more you use it the more likely you are to get more applicable results, but this is the official line, and don't ever believe that Google is the only search engine; it's not. Because of the way Google adds sites to its index, sites with large budgets and resources always find their way to the top results even if they aren't applicable at all. Moreover, Google adjusts the results of political, social, personal or controversial searches to add its bias to the results you see, and many would argue that this 'bias', which most don't even realise is there, is wrong on many levels. Some other search engines, such as DuckDuckGo, often produce more evenly weighted results without adding their bias, which some may prefer. 

Getting back to Google the company, we need to talk about Google Analytics, which is yet another 'free' service allowing website owners to get insights into visitors. This is actually really useful, but for it to work Google needs to be able to connect YOU as a person to that site, which it does easily. This gives Google not only your search queries, results and clicks but now also most websites you visit, when you visit them, for how long and what you do on those sites. Now we're starting to collect some seriously valuable data, and this is of course the business model again: you get lots of free services and Google makes money from advertisers and the data. Google allegedly purchased shopper data from MasterCard, which again, when augmented with your online profile, just adds a wealth of additional behaviour data. 

Other Services (Gmail, Google Docs, Groups, Google+, Google Drive, and so on)

Google offers a bunch of other 'free' services, all of which are quite useful, but each brings yet more data to the profile they are maintaining on your behalf. Every email you send and receive via Gmail is scanned, stored and linked. Every document you add to Google Docs is scanned, stored and added; any file you store on Google Drive is scanned, stored and added. Are you seeing a pattern here? Nothing you do on any Google service is private. How about Google Maps? A very useful tool if you want to find somewhere, but yet again everything you look at is recorded and added to your profile. If you have an Android phone then your location data is also added to your profile, along with your messages, apps installed, app usage, contacts and so on. Google Home is a voice assistant and speaker for your home, but again anything you ask it is stored and added to your profile data. 

YouTube (now owned by Google) again stores the videos you watch, the channels you watch, the comments you make and so on. 

Android, the phone operating system developed by Google as open source, has its own class of information leakage in that every app you install and use is tracked, and unless you specifically disable it (and there's still a debate over whether you can disable it) your location is tracked using your phone's GPS data. Mapping this allows Google to track all the places and shops you visit and for how long. 

Google Chrome is a web browser developed by Google and is again free to download and use. Within this browser there are options to 'store' your credentials and bookmarks in the cloud, and this of course gives Google that data to further add to the profile. We also noticed that Chrome (unlike other browsers) creates several local files storing your search history, browser history and so on, for reasons unknown. The files are unprotected, meaning that we (or any malicious or other software) can easily read them to obtain this information. At the time of writing we also noted weak protection of your stored passwords, but this isn't specific to Chrome, and several other browsers are also easy to crack. 

So Google knows what you search for, what you view and for how long and how often, what you buy, what you look at but don't buy, how often you buy something, what you read, what you post and what posts you read, what pictures and videos you view, how often and from what websites, which is what everyone expected. But wait: Google was recently exposed by the EFF for using methods to bypass Apple's protection and capture users' screens. Read the linked article HERE for more details. 

Bing & Yahoo

Bing is a search engine that is pretty useless in fact, and is even more unfairly weighted towards sites with $$$, and subsequently doesn't have any significant market share (about 7% at time of writing), but that doesn't mean they don't store your searches, links clicked etc., which they do. There's a 'relationship' between Microsoft and Yahoo which goes back several years and brings Yahoo results into the Bing search engine, which is probably a good thing, but this also brings Yahoo's free services such as Yahoo Messenger, Yahoo Groups and so on into your search footprint. Yahoo itself has been bought and sold several times and the actual ownership is hard to pin down, but we do know that the majority is owned by Oath Inc. (part of Verizon) at time of writing. 

Generally speaking the use of Bing and Yahoo is fairly limited these days, with about 4% market share (at time of writing), since Bing's search results are limited and Yahoo's reputation has been shredded by past data breaches. The use of Yahoo Mail brings with it the same issues that Gmail has: your emails and everything in them are scanned and stored. Microsoft's Hotmail is exactly the same, and why shouldn't it be so? It's free after all. Yahoo's GeoCities, which is pretty much dead now, and Yahoo Groups, if anyone still uses them, bring yet more profile cross-linking, with group 'Members' being associated by topic and post, and of course you must have a Yahoo account to participate.

GeoData

Pretty much ANY app on your mobile device, for Android at least, is able to track your location using your device's built-in GPS. For Apple devices it's harder but still perfectly doable. Collecting this GPS data, as you may suspect, would enable the processor of such data to track your movements throughout the day. For modern laptops running Windows there is also a leak of GPS data to installed programs and even web pages under certain circumstances. Apple laptops are by default prevented from leaking GPS data, but this can be overcome, especially in earlier versions of macOS. Your car, if it has satellite navigation, records your start, end and route in its entirety, and the more upmarket vehicles ship that data over the cellular network back to base. If you combine this GPS data with detailed mapping information then you can easily link GPS co-ordinates with places (shops, schools, etc.). 

Internet Service Providers (BT, PlusNet, Virgin and so on)

Some reading this may not be aware that your Internet Service Provider has access to every website you visit. They do this via DNS, which is the system that converts a domain name into an IP address. Unless you specifically override it, your ISP will route your DNS requests to their servers, which then accumulate your website requests against your 'session', which is your current IP address linked to your account. Using SPI (Stateful Packet Inspection) your ISP can also record what you actually do online, such as listening to music, watching video, making phone calls, instant messaging and so on. All this data is accumulated and stored indefinitely and, in this country at least, is made available to law enforcement without a warrant. 
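To make concrete what the paragraph above describes, here is an added Python example (not code from the original article or from GEN) that builds a standard DNS query and then parses it the way any party receiving or relaying the packet, such as the resolver your ISP assigns, can: the hostname sits in the packet in cleartext. The packets are constructed inside the script, and the hostnames are placeholders.

```python
import struct
from typing import Dict, List, Tuple

# Common query types, for readable output (RFC 1035 / RFC 3596 values)
QTYPES = {1: "A", 28: "AAAA", 5: "CNAME", 15: "MX", 16: "TXT"}


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal standard DNS query (RFC 1035 wire format) for `name`.

    Used here only to construct sample packets for the parser below;
    these are not captured packets."""
    # Header: ID, flags (RD=1 only), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero byte, no encryption of any kind
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def _read_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed QNAME starting at `offset`; return (name, next offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers appear in responses, never in a query's question
            raise ValueError("compressed name in question section")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_dns_query(packet: bytes) -> Dict:
    """Return what an on-path observer can read from a DNS query packet."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:  # QR bit set: this is a response, not a query
        raise ValueError("packet is a response, not a query")
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = _read_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": QTYPES.get(qtype, str(qtype)), "class": qclass})
    return {"txid": txid, "questions": questions}


def observed_hostnames(packets: List[bytes]) -> List[str]:
    """Accumulate the hostnames visible across a set of DNS packets, as a
    resolver log would; responses and malformed packets are skipped."""
    seen = set()
    for pkt in packets:
        try:
            for q in parse_dns_query(pkt)["questions"]:
                seen.add(q["name"])
        except ValueError:
            continue
    return sorted(seen)


if __name__ == "__main__":
    # Constructed sample "session": three lookups a browser might make
    sample = [build_dns_query(n, txid=i) for i, n in enumerate(
        ["news.example.net", "bank.example.org", "news.example.net"])]
    print(observed_hostnames(sample))
```

The point for a defender is that the names are readable by whoever receives or relays the packet. Overriding the resolver, as the paragraph suggests, only moves the log to a different party; DNS over TLS or DNS over HTTPS is what removes the cleartext name from the path between you and the resolver.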

Amazon

The Amazon ecosystem is slightly different to the general model as there are no 'free' services: you need an account to be able to buy online, download books, listen to music or watch videos, but that doesn't mean the company won't collect your data, because they do. Everything you search for on Amazon is stored and kept, everything you listen to, read or watch is stored and kept, and all this profile data is used to target search responses and advertisements to your specific interests. Amazon doesn't make any guarantee not to sell your data (that I can find), so it's safe to assume they probably do. Amazon also has 'Alexa', which further augments the profile by storing what you ask and do with the devices, but this in itself isn't bad and can be used to tailor responses based on your past history. 

Local Government & Agencies

You may or may not know that your local council is at liberty to sell your personal data to anyone willing to pay. They call this the electoral roll, but in fact it's just a dump of all the people registered to vote plus council tax payers. When you combine this with data from a company like Cameo you then introduce affluence and net worth; link that with Experian or Equifax and you now have credit worthiness, loans, mortgages, bank accounts, and the list goes on, all free to purchase.

The DVLA is now also selling your details to companies so if you own or are the registered 'keeper' of a vehicle that data is now also up for grabs. 

And of course the census data, which you are legally required to complete, is made available for sale to anyone who wants it, and this is of course why the Government is exempt from GDPR, along with the Police, the Military, and anyone else you may want GDPR to actually apply to. 

Paypal

The payment provider allows easy transactions on many websites and with many vendors. PayPal collects the product, price, location, currency and store, and records this at point of sale. Whilst this information can easily be justified, PayPal is at liberty to sell this data to anyone else, which further complements your online profile with validated purchases. 

VoIP

There are an ever increasing number of "VoIP" providers, most of which are just reselling someone else's service, who are actively pushing Voice over IP to anyone who will listen. There's no doubt that Voice over IP will become the norm in the future, but currently there are significant risks to its uptake. In an earlier article we showed just how easy it is to intercept voice traffic as it passes through the internet, and this of course makes it really easy for anyone, government or otherwise, to capture and record telephone calls. There are unconfirmed rumours that our own government is already capturing our internet traffic for analysis, and of course voice traffic would be part of that. If you're familiar with the abilities of modern voice analytics then you'll know that your conversation can be quickly converted into a transcript and searched and/or archived. If you've taken up VoIP then ask your provider if they are using SRTP (Secure RTP), and you'll be told either No or they will lie to you. As it stands in the UK marketplace we are the ONLY VoIP provider offering voice encryption, but be aware that even our voice encryption is only encrypted up to the point it leaves our service, meaning we can ONLY guarantee voice security between GEN VoIP Customers/Sites. To many this shouldn't be a concern, especially considering how much of your data is already in the wind, but for some this is a serious unmitigated concern. 
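One concrete way to act on the advice above (ask your provider whether they use SRTP) is to look at the SDP offer your phone or PBX exchanges in the SIP INVITE, since that is where the transport profile and the key material are declared. The Python below is an added example, not code from the original article or from GEN's service; the SDP bodies are constructed samples, the addresses are documentation addresses and the key string is a placeholder. It flags any media line that would be sent as plain RTP.

```python
from typing import Dict, List

# Constructed sample SDP bodies (RFC 4566 syntax); not captured from any provider.
# 192.0.2.0/24 is a documentation range and the a=crypto key is a placeholder.
SDP_PLAIN_RTP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
"""

SDP_SRTP_SDES = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOL
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
"""

# Transport profiles that mean the media is SRTP (RFC 3711, RFC 5124, RFC 5764)
SRTP_PROFILES = ("RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF")


def audit_sdp(sdp: str) -> List[Dict]:
    """Return one record per m= line describing whether its media is protected.

    A media section counts as encrypted only if it both declares an SRTP
    profile and carries keying: an SDES a=crypto line (RFC 4568) or a
    DTLS-SRTP a=fingerprint line (RFC 5763). A session-level fingerprint
    (one that appears before the first m= line) applies to every media section."""
    sections: List[Dict] = []
    session_fingerprint = False
    current = None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:
                raise ValueError("malformed m= line: %r" % line)
            current = {"media": fields[0], "port": int(fields[1]), "proto": fields[2],
                       "crypto": False, "fingerprint": False}
            sections.append(current)
        elif line.startswith("a=fingerprint:"):
            if current is None:
                session_fingerprint = True
            else:
                current["fingerprint"] = True
        elif line.startswith("a=crypto:") and current is not None:
            current["crypto"] = True
    for sec in sections:
        keyed = sec["crypto"] or sec["fingerprint"] or session_fingerprint
        sec["encrypted"] = sec["proto"] in SRTP_PROFILES and keyed
    return sections


def unencrypted_media(sdp: str) -> List[str]:
    """Media types (audio, video, ...) that would be sent as plain RTP.

    Rejected media (port 0) is skipped because nothing is sent on it."""
    return [s["media"] for s in audit_sdp(sdp) if s["port"] != 0 and not s["encrypted"]]


if __name__ == "__main__":
    for label, body in (("plain RTP offer", SDP_PLAIN_RTP), ("SRTP offer", SDP_SRTP_SDES)):
        print(label, "-> unencrypted media:", unencrypted_media(body))
```

Two caveats belong with this check. SRTP only protects the media between the two endpoints that negotiated it, which is exactly the limitation the article states about encryption stopping at the edge of the provider's service. And the SIP signalling that carries this SDP needs TLS separately: without it the key in the a=crypto line is itself readable on the path, so the audit should be read together with whether the SIP leg uses TLS.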

The Cloud

There are two distinct flavours of "The Cloud". Private Cloud is business-class internet-based storage and services as provided by a myriad of providers, and for those enterprise-class providers you can be assured that your data, servers, containers and systems are secure and protected. Public Cloud, which is often 'free', is the sort of service provided by Microsoft (OneDrive), Google (Google Drive), Amazon, Dropbox, Apple (iCloud Drive), Datablaze, Box, FlipDrive, HiDrive, iDrive, JumpShare, Hubic, Mega, pCloud, OziBox, Sync, Syncplicity, Yandex.Disk etc., and these services are absolutely NOT SECURE. This is not only because they are frequently compromised but because there is zero accountability, since it's 'free' and provided 'as-is'. NO business should ever use Public Cloud services for storing business-critical data. If it's important to you then use a service that you PAY for and that has a degree of accountability. 

Cross Contamination

Since tracking to your personal profile is done via fragments left on your computer, cookies/sessions left by websites, or even your browser screen size and, in a recent discovery, your sound card, attributing your activity to you is fairly reliable, but there are some cases, especially in companies where internet access is proxied and where only a few users 'login' to accounts, where other people's activity can be falsely attributed to your profile or yours to theirs. I have personally seen this whilst writing this article when I requested all my activity from Google. Digging through it (and remember I never use Google) I found a bunch of searches performed as recently as earlier in the week that were from other users on the network which somehow wound up in MY profile. I have no idea how common this is in the real world. 

Controversy

There are some claims on social media that Google, Facebook and others are always 'listening' using the Microphone in your equipment, but this has largely been disproved by researchers at the time of writing this article. That doesn't mean it categorically does not happen or that it does, simply that the evidence to date suggests not. 

Obfuscation

Services such as VPNs and of course the ever popular Tor Browser are ways to obscure your real identity online, but you'll discover fairly quickly that the services above either don't work at all or are crippled deliberately. Google, for example, returns some made-up message about unusual traffic. As VPNs come and go there will always be a short time before the services get blacklisted, but this will never be a viable solution long term. 

The sale of data and the data market

All of the above can produce fairly detailed and valuable profiles of your online AND offline activity, but when the separate data collections are combined you start to have very complete profiles linked directly to an individual. This is what worries people more than Facebook and Google. Given that your data is bought and sold on a daily basis, some of these companies have a complete record of pretty much everything you do. Let's see what the total footprint of an average teenager today is:

  • Your name, address, race, religion, ethnicity, phone number(s), email addresses, family members, friends, loved ones and associates. 
  • Your bank accounts and balances, credit cards, loans and payment history. 
  • Your vehicle, its make, model and registration, current tax and MOT status, and how much you owe on it, if anything. 
  • All Google/Bing/Yahoo searches, clicks and all sites visited. 
  • Every instant message you've ever sent or received and the content of all of them. 
  • All your photos and the date/time and location they were taken, along with everyone who can be identified in them. 
  • Your location to within 5m at any time of the day, and everywhere you've ever been, for how long, how often and with whom. 
  • What music, sports, products, services and videos you like, dislike, watch, download or buy. 
  • Anything you've ever purchased or sold online, be that clothes, shoes, groceries, electronics, etc. 

I think now you must be starting to understand how the data business works and how you're pretty powerless to stop it without some radical changes to your lifestyle, and even then it's too late for most people. It's important to be aware that these companies have done nothing wrong, nothing illegal or even shady; they are all businesses and their business is your data. I personally like Facebook & Twitter, and Google is a good search engine, but YOU need to make informed decisions on what services you use online and what information you surrender to those services, because changing a few settings on their website will make ABSOLUTELY NO DIFFERENCE.

Apple

Whether you believe it or not, Apple has taken a fairly adversarial approach to data protection, committing to protecting your data not only on your devices but also online, with anti-tracking features in their browser (Safari), but in the scale of things, and despite Apple's best intentions, it's not going to make very much difference in the end. The only way for Apple to make an effective dent in the data collection market would be to block all social media and search engines from users' devices, which they won't do for obvious reasons, and in the real world everyone has to make their own decisions on what they do and don't use. 

 

The near future

There's no doubt that data collection and dissemination is a business model that's here to stay, and you have to look at both sides of the argument. Imagine how much easier it is for our Police to be able to tell exactly who was where and when; imagine how pattern analysis of messages and movements can identify possible crimes before they are committed; or imagine a world where your every move is recorded, analysed and reported. There are always two sides to it. 

Notes: 

Although GEN VoIP Encryption can only secure voice communications between GEN VoIP Customers/Sites, we also offer VoIP encrypted to mobile phones using a local app, so for Company Site <-> Company Mobiles we can guarantee voice security.

 


In defence of Facebook and Social Media


There's a lot of hysteria in the news around Facebook and personal data, and that's fine, it's a slow news week, yet the real truth is that Facebook did nothing wrong. 

Facebook, like all social media, is a business, plain and simple. Their business model is to provide a free service to you, and from that collect information and then sell that information to third parties for the purposes of advertising, marketing, market research, and analysis. A wise man once said in relation to internet services,

"If you don't pay anything for a product, then you Are the product"

and it's true of Facebook just as it is for Twitter, Pinterest, Instagram, Snapchat, WhatsApp and so on. You use the service for free, and the company running the service and spending significant sums to develop and maintain it gets free and unrestricted use of your data. Sounds like a fair deal to me. 

Facebook will tell you it's in the agreement you accept when you set up an account, and it is, but it's also just common sense. So, delete Facebook if you wish, or keep using it in the knowledge that they will collect and sell your data as part of their business. This same framework applies to all social media, the majority of 'free' apps you can download for your phone, and other free services such as Google, Gmail, Yahoo, Bing and so on.

If, for whatever reason you object to any of these business models and do not want your personal data scanned, analysed, sold and so forth then that's your right, but don't whine about it on the very service you're complaining about! 

Outraged

To those still outraged at the idea that Facebook sold their data: Facebook is just one of many that you will undoubtedly use, and they are all doing what Facebook does, so singling out Facebook does indicate a certain online naivety. For anyone who uses 'free' email, did you know every email you send and receive is read and analysed by the company operating the service? Did you know that every time you use Google to search for something they track not only what you search for, but how long you spend looking, what you click on and for how long? Did you know that every picture you've ever uploaded to a photo service such as Tumblr, Pinterest, Instagram and so on is then scanned, faces recognised and cross-linked between users? Did you know that the Chrome browser stores everything you've ever searched for in a file on your PC? 

I could go on and on so get with the programme and understand the model at work here and then make informed choices about what you will and won't participate in. 

Loss of control

One question that has been asked a few times recently is how you withdraw your consent for your data to be used, and the short answer is that, besides some 'settings' that change very little, you cannot. Whilst you can write to some companies and express your wish, they have no obligation to take it into account, and further, since they've already sold your data many times over, the chances of you being able to track down all copies and withdraw them all is zero. If you've used social media, search engines or free email then it's simply too late, but you have an opportunity to educate your children and ensure they make informed choices. 

This article generalises the business model although it is understood that each company may vary their model specifically for their users. There is no complaint or blame here, just education. E&OE. 


The 2017 Toyota Prius PHEV


We recently selected the Toyota Prius PHEV for our 2017-2020 fleet, and after 6 months it's time for a real-world review. The new Prius PHEV comes in two flavours, the Business and the Excel. The former lacks many of the refinements yet has an optional solar roof, whereas the latter is probably the only sensible choice but cannot have the solar roof. 

The Toyota website quotes "Fun to drive" as one of the USPs for the Prius PHEV, and indeed it is much more fun to drive than the regular Prius. In electric-only mode it's fast and sporty, so much so that even in damp conditions it's hard to keep the front wheels stuck to the road. In Hybrid mode it performs pretty much as the regular Prius. The quoted range is 30 miles, and we can achieve that if driven very carefully and without any heating, but in the real world you can expect to get 21-26 miles of range, and in the winter it's more like 18-20. When pushed, the traction control doesn't seem to control anything and you're left with the same understeer issues that you would expect from most front-wheel drives. It would have been nice to have seen a rear motor as in the Estima, for even more go and some four-wheel handling, but sadly not. 

The city drive is really good, very sedate and comfortable, especially in traffic, and you have to believe that this scenario is the real purpose of the PHEV. Motorway driving is good but there is significantly more engine and road noise, which requires an adjustment in expectations; again, it's a city car for sure. You have full control over EV or HV modes, allowing you to mix and match to obtain maximum fuel economy on longer journeys. A good example here would be a 40-mile round trip that involves around 50% at 50mph and the rest slower in the city: select EV for the city driving and HV for the longer, faster runs, and this works great. You can even 'charge' the battery whilst in HV mode should you need it. 

Once the battery is empty you're then back to Hybrid mode, and this seems to regularly achieve 50-55mpg, which is very respectable, but overall performance is severely diminished. One point to note is that Toyota seem to have failed to match the relative throttle position of the EV and HV modes, so when switching back and forth you're required to adjust the throttle, which takes a little getting used to. 

Exterior

The exterior style is unique and truly stunning, and was a large component of our purchasing decision. With its quad LED headlights and its sleek aerodynamic profile this is one of those vehicles that stands out from the rest. The alloy wheels are also fairly unique, although I would have preferred some alternative options to be available. The vehicle is available in only 4 colours and black isn't one of them, which was a shame; again, more options here would certainly not go amiss. The rear boot glass is elegant and expensive but of course lacks a rear wiper because of this, and it could do with one. 

Interior 

The interior, when compared to the previous Prius Plug-in, is a significant upgrade and everything feels a little more upmarket. Comfortable leather seats further enhance the experience and the cabin is quite spacious, even for the larger occupant, all of which enhances the driving experience. There are however a few complaints to consider, such as the dash decor that sweeps to the left from the infotainment system, which is just a crap trap, and with the sweeping dash the windscreen is hard to reach and clean, but these are generally very minor issues. The cup holders are generous and easily accessible, as is the Qi charging tray, but there is a definite lack of somewhere to put your crap, which now tends to occupy one of the cup holders. The storage area between the front seats is OK, but the lid opens sideways and not backwards, making it very awkward for the passenger to access and quite awkward for the driver. The steering wheel is smaller than most, but with the power assist it's more than acceptable. 

The heating however is utterly worthless. I know it's an EV and I also know that EVs have poor heating, but this vehicle seems to excel in poor heating. There is an option to pre-heat from the key fob before a journey, but that just steams up all the windows and defrosts nothing; when you get in the vehicle you then need to use de-mist, which then starts the petrol engine, so what possible benefit that is I'm not sure. At 0°C outside I ran the pre-heat three times and it didn't even clear the frost from the front window, let alone the rear ones. Even on FAST mode, heat set to HI, driver only and in Power mode, the heating still struggles to heat the cabin in moderate exterior temperatures. It's so bad in fact that the back and rear windows permanently steam up, and this means you need the rear de-mist permanently on, which is also underpowered. There are heated seats in the front, but those also seem underpowered and were definitely an afterthought judging by the ridiculous location of the switches (below).

But climate aside, the interior is a pleasant environment in which to spend your day. The infotainment system is covered separately in our Toyota's Touch 2 & Go Review, so I'll skip over that for now and focus on something that caught us by surprise a little: the boot. 

As you can see from the picture, a large part of the boot is taken up by the batteries, leaving a greatly reduced cargo area. We didn't initially see this as a problem, but once you start loading it up with equipment you soon find that the back seats are lost to overflow, so consider this carefully. 

Charging

The vehicle comes with a charger for a normal 13A socket which takes 4 hours to charge. Additionally you can have a hard-wired charger installed at your property that will charge at 16A, which reduces charging time to 2 hours 10 minutes. Unfortunately that's the fastest it will charge, even though most properties are able to supply 40A, which would charge in less than an hour; this makes charging on the go a no-go, unfortunately, but charging at work is still doable. 

You are able to set up charging schedules so that your daily charge is taken at off-peak times on cheaper electricity, and when you turn off the vehicle you have the option to bypass this scheduling and charge immediately if required, which is nice. 

Driving Features

The new Prius PHEV comes with a wide range of driving features which I'll address individually here, but collectively it's a nice package that is rarely seen on a vehicle at this price point.

HUD (Head Up Display)

The Prius has featured a head-up display for many years and generations, but in this model the display is further enhanced and very visible. It's also a colour display, which is great, except that the normal display is in monochrome; I assume a single colour helps it be as clearly visible as it is. The only downer for this feature I can see is that the SATNAV is *not* replicated to this display as it is in most, if not all, other vehicles with a HUD. 

Automatic High/Low Beam Headlights

A well-thought-out system that works in the majority of cases, even if it's a little slow to react sometimes, and it only works above 40 mph, which can be annoying. The system is activated by a switch located near your knee, which is unfortunate, making it a distraction to turn on and off. Overall however it's a good system as long as you understand its limits. 

Radar Cruise Control

Not so well thought out, and the sort of system that seems to work great right up to the point where it quits working as you're approaching the vehicle in front at speed, which it does. Further, when you are trying to engage it, it sometimes just won't engage for some reason and gives no feedback or reason why. It seems to work well in queuing traffic, but again occasionally just quits working for no reason. When it quits working the warning is tame and often missed, leaving you to discover that it's not going to brake for you at the point when you're thinking 'why isn't it braking'. Another annoyance is that it constantly feels the need to display pointless images and messages on the dash, obscuring key information, and you cannot turn that off. On roads with corners (not that we have any of those in the UK) it seems to regularly lose track of the car in front and accelerate, then spot it and brake again, usually in the corner, which can be worrying and is just bad implementation. So overall it works, but you've got to be supervising it at all times and preparing for its failure. 

Road Sign Recognition

It does, but it doesn't. Road sign recognition is probably a good idea and I'm sure it works great in Japan but here it either gets it wrong or misses the signs altogether. Turn it off and move on. 

Collision Protection

Well, this kind of works, and if you're using the radar cruise control then you're going to get a chance to test it from time to time. The only problem is that when it's activated and detects an imminent crash it displays BRAKE in red on the far left of the dash, accompanied by a fairly feeble beep that serves no purpose. For such a function to be effective it should BEEP loudly and flash everything so the driver is immediately aware that they need to take action. 

Lane Departure

This works most of the time although it can become very annoying after a short time especially on country roads where the road markings are not so clear. On the motorway however it seems to work great. There is a button on the steering wheel to switch it on and off which makes managing the feature very easy.

Automatic Parking

Well, this is one of those features that does work if you have the patience to let it, or if you're not able to park yourself. For me it's a gimmick that will never get used except to test it, because I can park and I can do it much quicker and more accurately, but some may find this feature of use. The vehicle does have all-round sonar, so parking by ear is easy to do yourself.

Driver Information

The Prius boasts two 7" displays that form the digital dashboard, and it does have all that the regular Prius has, but it seems severely lacking in driver information for EV mode. It does show the average MPG and average kWh, but for a single journey you cannot get the kWh used or regenerated, nor can you get the kWh remaining. Furthermore, on the infotainment display you can see regenerated power whilst in Hybrid mode, but in EV mode it shows nothing. The 'battery gauge' is confusing and the Toyota manual does a bad job of trying to explain it. 

It's as if the software was tweaked slightly to make it work with the EV but they couldn't be bothered to add the key functionality and data that you or I might want, which detracts from an otherwise good vehicle. To take it further, all this data that's collected cannot be downloaded or exported anywhere, even though there's a USB port, which for a business makes it hard to track per-mile performance metrics. Ideally you would want to download a record of kWh used, kWh regenerated and fuel used, which would give everything needed. I know that Toyota don't expect to sell that many PHEVs, but for the price they could at least dedicate some time to driver information. 

The Economics

There's a lot of talk around the economics of EVs over conventional fuel vehicles, but it's really down to your driving requirements, and some maths has to be done to work out whether it's going to be worth the extra cost, so let's do that now. 

Assuming that we take the purchase cost, grant, servicing, MPG, etc. from the official Toyota website and throw in servicing and tyres, then we get a total cost of ownership over 5 years of £31670 for the Plug-in vs £30470 for the standard Prius, excluding any finance charge (because finance varies significantly, so we're going to assume here that you purchased it outright). 

Next we need to know the driving patterns for the year. Initially we're going to consider 15k miles per year with an average journey of 30 miles, that's around 500 journeys per year. I'm going to take the EV range at 25 miles as a year average, the cost of fuel at £5.50 per gallon and electricity at £0.13/kWh. Given that, we can calculate the fuel and electricity costs for your 500 journeys, which is

£412.50 per year for the Plug-in vs £1586.54 for the regular Prius and that's £2062.50 over 5 years for the plug-in and £7932.7 for the regular Prius. 

That brings the cost of travel for your 5 years to £33732.50 for the Plug-in and £38402.70 for the regular Prius showing a saving over 5 years of £4670.20. 

So, if you're a 15k-a-year driver running an average of 30 miles per journey, then you're going to be a winner with the plug-in. For business however we'd need to consider an average mileage of around 60k and an average journey of 150 miles, so let's do the maths.

£5130.00 per year for the Plug-in and £6346.15 per year for the regular Prius. Again we'll add in the cost of ownership to give a 5-year travel cost of £57320.00 for the plug-in vs £62200.77 for the regular Prius, giving a net saving of £4880.77. 

So, on a scale of economy the Prius Plug-in is a clear winner for both domestic and business travel, with the benefit being significantly greater if you can keep your average journeys to 25 miles or less; of course, be aware that we're using Toyota's values here and these may not be real-world applicable. I'll add these figures into a table below to make it easier to see. 

Vehicle                    Miles/Year   Average Journey   Cost of Ownership   Fuel Costs / Year   Total Cost of Travel / 5 Years
2017 Prius Plugin Excel    60000        150               £31670              £5130.00            £57320.00
2017 Prius Excel           60000        150               £30470              £6346.15            £62200.77

2017 Prius Plugin Excel    15000        30                £31670              £412.50             £33732.50
2017 Prius Excel           15000        30                £30470              £1586.54            £38402.69
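The figures in the table can be reproduced from a small model, shown here as an added example rather than the article's own spreadsheet. The page gives the fuel price, electricity price, EV range and the two ownership costs, but not the fuel economy it assumed; the three values marked ASSUMED below were back-solved from the page's totals (52 mpg for the regular Prius, 55 mpg for the plug-in on petrol, 0.10 kWh per electric mile) and are assumptions, not Toyota figures.

```python
"""Reproduce the 5-year cost-of-travel comparison for the Prius Plug-in
vs the regular Prius from the parameters given in the article.

Added worked example, not the article's own calculation. Each journey is
assumed to start on a full battery: the first EV_RANGE_MILES are electric
and any remainder is driven on petrol.
"""
from dataclasses import dataclass

FUEL_GBP_PER_GALLON = 5.50      # from the article
ELEC_GBP_PER_KWH = 0.13         # from the article
EV_RANGE_MILES = 25             # from the article (year-average EV range)
OWNERSHIP_5Y = {"plugin": 31670.0, "regular": 30470.0}  # from the article

# ASSUMED: not stated in the article, back-solved from its totals
MPG_REGULAR = 52.0
MPG_PLUGIN_PETROL = 55.0
KWH_PER_EV_MILE = 0.10


@dataclass
class Scenario:
    miles_per_year: float
    avg_journey_miles: float

    @property
    def journeys_per_year(self) -> float:
        return self.miles_per_year / self.avg_journey_miles


def _regular_annual(s: Scenario) -> float:
    return s.miles_per_year / MPG_REGULAR * FUEL_GBP_PER_GALLON


def _plugin_annual(s: Scenario) -> float:
    ev_miles = min(s.avg_journey_miles, EV_RANGE_MILES)
    petrol_miles = s.avg_journey_miles - ev_miles
    per_journey = (ev_miles * KWH_PER_EV_MILE * ELEC_GBP_PER_KWH
                   + petrol_miles * FUEL_GBP_PER_GALLON / MPG_PLUGIN_PETROL)
    return per_journey * s.journeys_per_year


def regular_fuel_cost(s: Scenario) -> float:
    """Annual petrol cost for the non-plug-in Prius, in GBP."""
    return round(_regular_annual(s), 2)


def plugin_fuel_cost(s: Scenario) -> float:
    """Annual electricity plus petrol cost for the plug-in, in GBP."""
    return round(_plugin_annual(s), 2)


def five_year_total(s: Scenario, vehicle: str) -> float:
    """Ownership cost plus five years of (unrounded) running cost."""
    annual = _plugin_annual(s) if vehicle == "plugin" else _regular_annual(s)
    return round(OWNERSHIP_5Y[vehicle] + 5 * annual, 2)


def saving(s: Scenario) -> float:
    """How much less the plug-in costs over five years."""
    return round(five_year_total(s, "regular") - five_year_total(s, "plugin"), 2)


if __name__ == "__main__":
    for name, sc in [("domestic", Scenario(15000, 30)), ("business", Scenario(60000, 150))]:
        print(f"{name}: plug-in {five_year_total(sc, 'plugin'):.2f}, "
              f"regular {five_year_total(sc, 'regular'):.2f}, saving {saving(sc):.2f}")
```

The model reproduces the table's £38402.69 for the regular Prius in the domestic scenario; the £38402.70 and £4670.20 quoted in the prose come from rounding the annual figure to £1586.54 before multiplying by five. The same assumptions reproduce both scenarios exactly, which is the check that the back-solved values are consistent with the article.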

Final Thoughts

I personally like the car and I like driving it, especially in electric-only mode, but some may find the greatly reduced cargo area combined with the lack of colours and options too much of a stretch. It is in my opinion a far better option than the Ampera/Volt (which we had before the PHEVs) because it's more fun to drive, more comfortable and more stylish. You will also find some incentives available at your local Toyota dealer which can make the relative premium more manageable. 

There is a wealth of information on the Toyota.co.uk website, but be aware that certain parts of it do not work, like 'My Toyota', which just gives you a blank page when you try to log in. 


Synology Hyperbackup and Certificates

Hyperbackup is a backup system provided by Synology on their DiskStation and RackStation units, and it's a good product, as is the hardware, but like most things in Synology the term "set it and forget it" does not apply, as this customer found out to their detriment. 

The Synology NAS has a web interface, which is in fact very good and well designed; among other things, it allows you to set up an SSL certificate to encrypt web traffic. This can be a self-signed, purchased or Let's Encrypt certificate, and in the latter case the renewal process is automated, which is nice. 

The problem comes when your SSL certificate changes, which it would normally do annually for a purchased cert or every 90 days for Let's Encrypt, at which point everything breaks, including Hyperbackup, and the cause isn't immediately clear. The dialogue above indicates that the destination for your backup is offline; you would of course check the backup server and find it online and running. You would check the firewall settings, probably restart the services, maybe even reboot the server, but nothing is going to make this work again until you go into settings and get as far as the target, at which point you notice...

Yes, seriously: because your certificate renewed, and even though you've specifically not enabled transfer encryption, the backup process grinds to a halt. You are required to press "Trust Server Certificate" to continue, after which the backup will resume until the next certificate change (90 days for Let's Encrypt, a year for purchased). Why? What possible purpose can there be to halting the backup every time a certificate renews, and why is there no way to prevent it? 

As a side note, other things that break are all the iOS applications, Cloud Station Backup, Cloud Station, and probably more. If you are going to use a Let's Encrypt certificate, and I would encourage you to do so, then every 90 days you need to make a note in your diary to go to all the servers and click all the buttons, or stuff will stop working. 

Update 19/09/2018: Just had another new customer today who has had a volume crash and whose Hyperbackup stopped working because of this about 6 months ago, so we're now in the position where he's shipping the unit back to us and we're going to have to attempt volume recovery. PLEASE CHECK YOUR HYPERBACKUP IS RUNNING REGULARLY.

Update 20/01/2019: Synology released an update that effectively FIXES this whole scenario by allowing you to ignore certificate errors/always trust. We're briefing this out to our base and recommend you revisit your Hyperbackup client and make the change. Nice one Synology! 
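The failure mode described above, as an added example that is not Synology's code: the behaviour (backup halts after a renewal until you press "Trust Server Certificate") is what you get from a client that pins the destination's certificate on first use and refuses anything with a different fingerprint. The first function models that check on constructed stand-in certificate bytes; the second answers the question the 19/09/2018 update asks, whether the backup has actually succeeded recently, over constructed log lines in a made-up format (not Synology's log format).

```python
"""Why a renewed certificate stops a pinned backup client, and a staleness
check for the backup itself. Added example, not Synology's code.
"""
import hashlib
from datetime import datetime, timedelta
from typing import Optional

# Constructed stand-ins for the DER bytes of two certificates: the one
# trusted when the destination was first configured and the one the server
# presents after an automated renewal. Real DER bytes would come from
# ssl.get_server_certificate() followed by ssl.PEM_cert_to_DER_cert().
TRUSTED_DER = b"constructed-der-bytes-of-the-original-certificate"
RENEWED_DER = b"constructed-der-bytes-of-the-renewed-certificate"

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def check_destination(pinned_fp: Optional[str], presented_der: bytes) -> str:
    """Trust-on-first-use pin check.

    Returns 'first-use' when nothing is pinned yet, 'ok' when the presented
    certificate matches the pin, and 'certificate-changed' otherwise. The
    last state is what sits behind the misleading "destination offline"
    message: the server is up, but the pin no longer matches, and only an
    explicit re-trust of the new fingerprint clears it.
    """
    presented_fp = fingerprint(presented_der)
    if pinned_fp is None:
        return "first-use"
    if presented_fp == pinned_fp:
        return "ok"
    return "certificate-changed"


# Constructed sample log in a made-up format: timestamp, task, result.
SAMPLE_LOG = """\
2018-03-01 02:00:07 task=Offsite result=success
2018-03-02 02:00:05 task=Offsite result=success
2018-03-03 02:00:09 task=Offsite result=failed reason=destination-offline
2018-03-04 02:00:04 task=Offsite result=failed reason=destination-offline
"""


def last_success(log_text: str, task: str) -> Optional[datetime]:
    """Timestamp of the most recent successful run of `task`, if any."""
    latest = None
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        kv = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        if kv.get("task") == task and kv.get("result") == "success":
            ts = datetime.strptime(f"{fields[0]} {fields[1]}", TIME_FMT)
            if latest is None or ts > latest:
                latest = ts
    return latest


def backup_is_stale(log_text: str, task: str, now: str, max_age_days: int = 2) -> bool:
    """True when `task` has not succeeded within max_age_days before `now`
    (a timestamp string in TIME_FMT). A silently failing job looks exactly
    like a healthy one unless something checks the last success time.
    """
    ts = last_success(log_text, task)
    return ts is None or datetime.strptime(now, TIME_FMT) - ts > timedelta(days=max_age_days)


if __name__ == "__main__":
    pin = fingerprint(TRUSTED_DER)
    print(check_destination(pin, TRUSTED_DER))
    print(check_destination(pin, RENEWED_DER))
    print(backup_is_stale(SAMPLE_LOG, "Offsite", "2018-03-05 09:00:00"))
```

The staleness check is the part worth automating: a failed run that nobody reads is indistinguishable from success, which is how the customer in the update lost six months of backups.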


Whois Information Fraud

A very long time ago, when the internet was young, someone had the great idea that rather than remembering 192.168.111.245 we could use a sensible name that people could remember, like "email"; this was called its hostname, and these were stored in text files. That wasn't good enough, and so the concept was developed into what we now know as the Domain Name System. The Domain Name System (DNS) that we know and use today is basically the same: we have top-level domains such as com, net, org, uk, us, eu, and so on, and under these, registries administer the second-level domains. 

An example would be gen.net.uk. In this case the top-level domain uk is administered by the registry Nominet. If someone wants to view our website (this website), then upon entering it into their browser their computer will ask the top-level name servers who is responsible for uk and be given Nominet. Then Nominet will be asked who is responsible for gen.net and that will be GEN, and finally GEN will be asked what the server address for www is. All this magic happens without any user involvement and takes fractions of a second. 

This article is specifically targeted at the registries. In the example above it was Nominet, but every country has at least one registry, and with the expansion of top-level domains into things like .email, .digital, .academy etc. there are now even more registries that are not country-specific.

When you register a domain name with a registry, they will require you to provide information such as the owner, their address, phone numbers and email address, and the same for the administrative contact, technical contact and billing contact, and this information is publicly available for anyone to access via a service commonly known as WHOIS. You can use our WHOIS tool on the GENSupport website to find out what information is available for any domain. Some registries allow certain information to be hidden for an additional fee, and others don't. Nominet, for example, will not allow information to be hidden even for an additional charge unless the registrant is an individual. Having all this information publicly available when there's absolutely no reason to do so presents fraudsters with a virtually unlimited target base with a perceived credibility greater than the usual daily scam emails. We'll look at one common fraud that regularly hits the HelpDesk here at GEN. 

Whois Information Fraud

Now that sounds quite important, and for companies who don't have their own dedicated IT department, or who haven't outsourced, there's an information vacuum that the fraudsters leverage with such scams. This particular one is quite expensive at $86, but even so I've no doubt that some smaller companies will pay it under fear of losing something they need, without fully understanding the implications. This example is just one of many such scams, all with different wording and layouts but all trying to take your money for something you don't have.

Let's first look at how it got here...

Received: from reliance.gen.net.uk ([127.0.0.1])
	by localhost (reliance.gen.net.uk [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id JRVvXwltlucK for <hostmaster@gen.net.uk>;
	Sat,  9 Sep 2017 22:07:33 +0100 (BST)
Received: from mail.szjdyd.org (j115-58.sjc1.ethr.net [216.224.115.58])
	by reliance.gen.net.uk (Postfix) with ESMTP id 7E93D5F085
	for <hostmaster@gen.net.uk>; Sat,  9 Sep 2017 22:07:29 +0100 (BST)
Received: from ([127.0.0.1]) with MailEnable ESMTPA; Sun, 10 Sep 2017 05:07:26 +0800

So it originated from a host in the USA, namely j115-58.sjc1.ethr.net [216.224.115.58], which is operated by Ethr.Net LLC, and all the information in this scam is taken from the WHOIS information for the domain in question; we know this because of the information in the fraudulent email. The 'Secure Online Payment Link' in this case goes to "bit.ly/2wOlh4L", but that's just a redirector (a website whose only purpose is to direct you to a different site) which sends us to "www.whoisworks.win", where we're presented with a set of options to pay money. What is moderately entertaining is that the WHOIS information for this domain isn't obscured in any way, and we see that the owner of the domain is 

Registrant Name: wu zhiying
Registrant Organization: wu zhiying
Registrant Street: cuixiangjiedao635hao
Registrant Street:
Registrant Street:
Registrant City: zhuhai
Registrant State/Province: Guangdong
Registrant Postal Code: 519000
Registrant Country: CN
Registrant Phone: +86.75638971201
Registrant Phone Ext:
Registrant Fax: +86.75638971201
Registrant Fax Ext:
Registrant Email: whoisbao@126.com

Which could well be made up, but moving on, the payment link from the website, which doesn't even use SSL, just takes us in a loop capturing card details for the fraudsters to sell or use, or both. 

Until someone actually decides that making this information public is a ridiculous idea, the endless scams will continue and we're stuck with workarounds.  
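The origin trace done by hand above can be automated, and that is what the added example below does; it is not code from the article. Each mail server prepends its own Received: header, so the earliest hop is the last header in the block, and walking them bottom-up while skipping loopback and private addresses yields the first external host that handed the message in. The sample input is the header block quoted in the article; the only caveat worth keeping in mind is that every Received: line below the one written by your own server was supplied by the sender and can be forged, so the trustworthy origin is the connecting IP your server recorded (here, the reliance.gen.net.uk hop).

```python
"""Find the originating external host from a message's Received: headers.
Added example, not the article's tooling; the header sample is the one
quoted in the article.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# The Received: headers quoted in the article (continuation lines start
# with whitespace, as in a real message).
SAMPLE_HEADERS = """\
Received: from reliance.gen.net.uk ([127.0.0.1])
    by localhost (reliance.gen.net.uk [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id JRVvXwltlucK for <hostmaster@gen.net.uk>;
    Sat,  9 Sep 2017 22:07:33 +0100 (BST)
Received: from mail.szjdyd.org (j115-58.sjc1.ethr.net [216.224.115.58])
    by reliance.gen.net.uk (Postfix) with ESMTP id 7E93D5F085
    for <hostmaster@gen.net.uk>; Sat,  9 Sep 2017 22:07:29 +0100 (BST)
Received: from ([127.0.0.1]) with MailEnable ESMTPA; Sun, 10 Sep 2017 05:07:26 +0800
"""


def unfold_received(header_text: str) -> List[str]:
    """Join folded continuation lines and return each Received: value."""
    values: List[str] = []
    for line in header_text.splitlines():
        if line[:1].isspace() and values:
            values[-1] += " " + line.strip()
        elif line.lower().startswith("received:"):
            values.append(line.split(":", 1)[1].strip())
    return values


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Pull the HELO name, reverse-DNS name, connecting IP and receiving
    host out of one Received: value. Any field may be absent."""
    helo = re.match(r"from\s+([^\s(]+)", value)
    rdns = re.search(r"\(([A-Za-z0-9.-]+)\s+\[", value)
    ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", value)
    by = re.search(r"\bby\s+(\S+)", value)
    return {
        "helo": helo.group(1) if helo else None,
        "rdns": rdns.group(1) if rdns else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
    }


def hops(header_text: str) -> List[Dict[str, Optional[str]]]:
    """Hops in message order: first element is the most recent hop."""
    return [parse_received(v) for v in unfold_received(header_text)]


def origin(header_text: str) -> Optional[Tuple[str, Optional[str]]]:
    """Earliest hop with a globally routable IP: (ip, rdns-or-helo name)."""
    for hop in reversed(hops(header_text)):
        ip = hop["ip"]
        if not ip:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.is_global:
            return ip, hop["rdns"] or hop["helo"]
    return None


if __name__ == "__main__":
    print(origin(SAMPLE_HEADERS))
```

Run against the article's headers this returns ("216.224.115.58", "j115-58.sjc1.ethr.net"), the same host the article identifies; the MailEnable hop at the bottom is skipped because 127.0.0.1 is not globally routable.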

Whois Privacy Options

Assuming you don't want to publicly broadcast your name, address, phone number and email, then options are limited to a WHOIS privacy service such as the one that we offer, which simply registers the domain using a subset of our details, therefore directing scams to us instead of you. This means that we need to 'administer' the domain by responding to the nonsense sent by registries from time to time, but we don't mind doing this for our customers and charge nothing for the service. Other providers do charge, but it's generally a fairly nominal fee of around $5 per year. 

Know Your Domain & Services

When you have one or more domains then there will be an annual registration charge which will be invoiced directly to you by your registrar. If you registered through GEN, or migrated your domain here then we'll send you an invoice yearly. There are no other annual charges for the registration of your domain name.

If you have services on that domain name, such as a website and email, then the charges for these, which are usually annual, will be invoiced to you directly, so know who hosts your website and provides your email services; if you're ever in doubt then ask them before paying anything that arrives in your inbox unexpectedly, and never pay for something if you're unsure. If you are a current, past or future customer of GEN then the HelpDesk is available 24/7 to answer your questions, so please ask. 

GDPR and the Chaos Factor

Since writing this, many if not all registrars have cashed in on the GDPR (Global Data Profit Regulation) by offering to hide your information from the public WHOIS, usually for a fee ranging from $3 to $10. Whilst this is great, and many have taken up the offering with some registrars even providing it free, this move has increased the value of WHOIS data, which is now being traded online by companies who scraped the WHOIS before it was restricted. This means, in effect, that GDPR and WHOIS privacy are only effective for newly registered domains. Any domain name registered prior to May 2018 has already been scraped and the data is available for sale, so paying an additional fee to hide it is just money down the drain. You are absolutely no more protected now than you were before, and you will still receive fraudulent demands for payment that you need to be aware of, and ignore. 


Toyota's Touch 2 & Go Review

The Touch 2 & Go head unit fitted to new Toyota vehicles promises a great deal: "The TOYOTA TOUCH® 2 multimedia system gives you a world of information and entertainment every time you get behind the wheel. And it's all displayed in high-resolution colour-rich graphics on a simple touch screen." (from the Toyota website), and yet when you actually use it for a week or so you start to feel a little let down. Again from the Toyota website, "All smart. All simple. All for you." seems like a good place to start, and for completeness we'll break this down into the main features. 

Multimedia

Toyota claims "To enjoy the journey even more, you can connect your iPod or MP3 remotely to the Toyota Touch® 2 multimedia system via Bluetooth® or USB and enjoy your favourite playlist in high quality audio with album, artist and track information displayed", but in reality that's not going to happen. Connecting via Bluetooth provides audio, but intermittent album, artist and track information and no ability to select or browse tracks. Connecting via USB does provide this, but then you've got to leave the USB connected to your phone, which you rightly want to reside in the Qi charger instead. The other significant issue with USB is that you cannot browse folders on the device; instead all the media, regardless of folder, is shown. This means you can't, like me, order your music into folders on your USB stick and play media from a folder. DAB is OK, but with only 6 presets it's kind of awkward to operate if you have more than 6 favourite stations. It has a CD player, but as I've not owned a CD for the last decade I can't test that. There's no sign of Apple CarPlay or Android Auto, and 'MirrorLink' is only compatible with phones from the last decade, so practically useless today. There is no support for any form of video to be played from USB storage, so don't waste time trying. 

The audio quality is very subjective. With its 6 speakers, all mid-range and no subwoofer, it does a reasonable job at low to moderate volume levels with even sound coverage. Turn it up too far and you start to lose what clarity it had, but for the price point and in the lower end of the market it's not bad at all. 

Phone

The phone integration is OK and the hands-free is very workable, but there are a few obvious issues when using it. It's not clear or intuitive how to get from the "last called" list to the phone book or back again; it's doable, but needs touch work that shouldn't be required whilst driving. 

When looking at the last called, dialled and missed lists there is no way to navigate without using the touchscreen (unlike every other vehicle, where you can do it from the controls on the steering wheel). This means that again you're distracted whilst trying to hit the right number, which is actually quite hard to do whilst driving. 

Whilst you've got the "last called" list up, you can no longer see the signal strength, which to my mind seems ridiculous when the main use of the 'last called' screen is to redial after getting cut off due to the miserable cell coverage in this county. To add insult to injury, once your call has been cut off and you reach to press the screen to redial, a pop-up rolls down from the top of the screen, obscuring the last called number, to tell you what media you're listening to, just in case you had forgotten! What possible use is that, and how did that ever get past QA?

There is also a significant delay between getting into the car, starting it and driving, and the phone becoming available. It's as if the unit has to sync the entire phonebook from scratch on every start-up, which for me with a sizeable phonebook seems to take forever. There is no search facility, so you have to use the A-C, D-F and so on groups, which is a nightmare when you've got a lot of contacts. The handling of contacts (from an iPhone) is also unusable where your contacts are companies. An example would be the company Fred Bloggs Inc having two contacts; in this case you can find Fred Bloggs Inc but you have no idea which contact it's going to call, meaning you need to pick up your phone and use its contacts to make the call, which defeats the whole purpose really. Since the majority of my contacts are businesses and I'm forced to dial from my phone, I looked for a way to stop it syncing but found none. 

Navigation

Toyota claims "Toyota Touch® 2 with Go features enhanced satellite navigation with clear visuals showing signposts, junctions and lanes with real-time traffic updates alerting you to congestion on your route and suggesting detours" and it does do some of that but for the first 2000 miles I've yet to see anything 'enhanced' about it. It does seem to detect traffic alerts but it simply tells you "Traffic Jam Ahead" and then directs you into the back of it without suggesting any detours. Maybe it will in the future, but so far that's a zero. 

The voice navigation also leaves a lot to be desired, with 'Turn Half Right' being its favourite phrase of the moment. What exactly is a half right? I have no idea and I'm sure you don't either, so looking at the navigation screen, which is only on the centre console touchscreen and not replicated to either the dash (except for an arrow) or the head-up display, is a prerequisite of using this system. It does sometimes show junctions and lanes, but don't rely on it, as it gets this wrong from time to time and you're back to looking at the map to figure it out for yourself. 

The navigation data is significantly out of date, even when updated to the 'spring 2017' data, there are still roads just in my locality that are incorrect and that's unfortunate. Whilst sitting in traffic on a road that doesn't exist in Toyota land, I loaded TomTom GO on my phone and of course the road was found. I wonder why TomTom can get their maps up to date, but Toyota can't? 

There is a definite delay in processing current vehicle position especially noticeable on roundabouts where the 'screen' and your actual position can be a junction or two out meaning you're going to come off at the wrong junction. This is annoying especially when it gets the exit number wrong, which it does periodically. Most modern Navigation systems use GPS and Wheel turns to calculate position but the laggy behaviour of this system would suggest its only using GPS. 

The route planning is fairly poor with only major roads factored into any route. We planned a series of routes and whilst it gives you the Fast, Short and Ecological routes they are invariably all the same. If you take a route which you drive regularly and get it to plan it, then it will only use main roads. If you plan a route between two villages then it will plan the route ok but if you plan a route city to city then you only get main roads and the short route simply doesn't work. 

A most notable absence from the Navigation system in our EV is any way to navigate to your nearest charging point, something that I believe every other EV we've tested has as standard. 

Another 'feature' that I was eager to test was the Speed Camera Alerts which are built into the system. The Toyota Website Claims

"Cyclops is a driver safety app that gives you professionally-verified fixed speed camera alerts combined with real-time updates for mobile cameras from the Cyclops community. Cyclops delivers the most accurate and reliable safety camera databases and smart software - you can enjoy these benefits by using our Cyclops App – specially designed to alert you to currently active mobile camera sites. And all other fixed camera types are automatically updated too! Cyclops has comprehensive coverage of over 90,000 sites across 48 countries and automatic updates ensure that you always have the most accurate information possible."

Which sounds great, but actually finding any information is like pulling teeth out of a donkey. There's nothing on the Toyota website, and a web search eventually renders this Wikipedia link and possibly this company website, which might be the company in question. Regardless, in my daily drive the data seems to be outdated and inaccurate, and whilst it gets the majority of long-term fixed cameras, it was notably silent as I passed two mobile vans. There's an inference that it's updated somehow online, but there's certainly no feedback on the screen to show that. I'm not sure quite how much of my £199 goes to Cyclops because the Toyota website doesn't say, but as GARMIN seems to include it for free I suspect it's not a lot. 

Coyote, on the other hand, is an app that you have to pay £87 a year for, and promises "With Coyote, always be warned safely directly on your embedded screen. You will receive the relevant alert at the relevant moment, to adapt your driving style to road hazards reported by the Coyote community, in real-time." and this does indeed pop up for the majority of fixed speed cameras, but so far not a single mobile one. There is no further information on the Toyota website (any of them), so you're back to searching the web. A best guess would be this company, which seems to have versions in every language except English. The Coyote app is also infuriating because it pops up OVER the navigation screen, meaning that you can no longer see the map, and in cities these days, with speed cameras every 5 metres, this means the navigation is impossible to use and you're left with yet another distraction that you have to deal with instead of watching the road. 

One point to note is that if you have the Coyote app loaded it seems to kill off the Cyclops camera warnings, which would indicate that Toyota believe Coyote is 'better', but again there's nothing on the website to explain the benefits/drawbacks of these two systems, so once again it's left to the end user to guess. 

"To keep you connected and in control wherever you are, you can send your chosen route to your mobile or device." is a claim on their website, and indeed you can send a route to the car from their website. What they don't tell you is that their website is poor and allows just simple from and to input without any navigation functionality. The best way forward I've found here is to go to maps.google.com, plan the route then copy/paste the destination into their website in order to send to the car. It doesn't recognise things like HOME or any of your other favourites so you have to enter the full address in to both and it's not country aware so always specify the country along with the address. 

Apps

Now for the section that I'm sure everyone has been waiting for.. The Toyota Website (as of today) says

"In today’s world of connectivity Toyota Touch® 2 (Go and Go Plus navigation systems) won’t disappoint. With our Toyota online services and applications your car can be a hub like your computer. With the ability to download great apps such as AUPEO! which gives you the chance to personalise your in-car music experience, it learns your music taste and suggests tracks by theme, genre, artist or even mood. And Coyote, the community-based speed camera awareness app, with 3 million drivers already helping one another against every road hazard. The integration of Google Street View™ and Panoramio™ provide imagery of your current location, or a location of your choice, allowing you to start navigating directly from the image, so you’ll never be lost."

So let's break this down. Firstly, Google Street View is there, and it sort of works, although you can't move around it like you can on Google Maps, but at least it's there. There is no sign of "Panoramio", and AUPEO went out of business at the end of 2016, but who cares: "With our Toyota online services and applications your car can be a hub like your computer", so let's get online and start downloading those apps!

Arriving at the toyota.co.uk website, registering, adding your vehicle and steaming over to the e-store, you're invited to "Discover exciting new apps, update your navigation apps, and download the latest software for your Toyota's multimedia system", and it's at this point that your expectations are quite literally crushed into dust.

There are no apps, well, no useful apps anyway. If you take away Coyote, which we've already talked about above, and eStore, which isn't an app anyway, then you're left with 'Glass of water', which to my mind does absolutely nothing useful, and Park&Go, which likewise has no real-world use. This is what Toyota believes constitutes their "great range of apps". There is a 'weather' app that's pre-installed, but seriously, a weather app? Just look out of the WINDOW!

There were also some other pre-installed apps which are not on the e-store, such as Twitter, which simply doesn't work and says "Unable to connect to the server" immediately no matter what you put into it; AUPEO, which went out of business last year; A-ha, which sometimes works; a parking app that only works with some car parks; and a fuel prices app which shows pricing from some fuel stations and the distance to them, but fails to do the obvious mpg -> distance calculation.

 

If your dealer has told you that there are 'more exciting apps coming' then you may want to ask them why there have been no new apps since the system was released, which is now almost two years ago. It's because there are no new apps coming, and no one is developing them. We collectively spent an entire day on the phone trying to find someone in Toyota who knew anything about apps and got nowhere. We tried contacting Harman, who make the unit, and again got absolutely nowhere. We sent numerous emails, left voicemails and even sacrificed a Toyota pen to the great car-manufacturing eternal, but so far not even the courtesy of a reply, and this was weeks ago now.

Just take a moment to consider the list of actually useful apps that Toyota could have developed: an EV charging point map, an AllStar fuel locator, CRM integration (being able to pull Salesforce, vtiger or Sugar contacts into navigation/phone), gauges (showing data from the CAN bus such as charge, engine, power, RPM, etc.), Facebook, YouTube, Vimeo, and the list goes on and on.

If you expected to get 3 years of 'connected' services and map updates for FREE, then you don't; it'll cost you another £199 for that privilege, although the only thing of use here is the map update.

Annoyances

Every system has a few annoyances, but Touch 2 & Go seems to have more than most, and some, maybe most, of these should never have made it past Quality Assurance.

The screen is high gloss, and when the sun is shining on it, especially mid-morning or mid-afternoon, it's impossible to read and you end up trying to shade it with your hand, which is probably the reason that other manufacturers have their screens recessed and heavily polarised.

When you get into the car and start it, if you had the music playing loudly when you shut it off then it will start playing again at the same volume, but you have to wait for the touchscreen to boot before you can turn it off again, which can be annoying or embarrassing depending on who you're with.

Coyote - As we've discussed above, this app takes over the entire screen, blocking your view of the navigation map, which is really annoying, and as a bonus it doesn't do anything when passing mobile speed cameras. Coyote rarely seems to work out of the box, and you wind up having to end it, then restart it, to eventually get it to work. This isn't how it should be.

Internet connectivity for "Connected Services" comes and goes, but there's no indication on the screen at all. When you're in an area with intermittent data, things just stop updating without any indication of it. You would expect an icon or something to show that connectivity has been lost, but no. The only way I've found so far to verify whether 'connected' means connected is by going to the Apps and selecting Weather to see if it can get any data.

The Toyota.co.uk Website

This is by far the worst website I've had the misfortune of using in recent times. The site is slow and its use of Ajax is embarrassingly poor. Even details like the spinning icon shown while it's downloading content aren't clipped properly, and in vehicle details, if you want to see "Audio Information", you have to select something else and then go back to Audio Information to get it to update. Pretty much every option you select presents you with a full-width picture, and the content you're looking for is only visible once you scroll down; and don't even start me on mobile friendliness, as the site navigation doesn't even work properly on an iPad. Something simple like the owner's manual, even after you've logged in, still needs the VIN, which of course everyone can remember. You can get to the owner's manual from My Vehicle, then somewhere towards the bottom of the page, but it's hard to find; in fact everything is hard to find and unintuitive.

If you're looking for detailed or technical information then expect to find it spread piecemeal over several websites, one often contradicting the other and all woefully out of date. If you were impressed with their new "gas-injection heat pump powers the air conditioning" and wanted more information then you're out of luck, because there isn't any. Toyota.co.uk often links to other websites with vastly different formats, and the whole approach seems disparate and messy. Whilst we all understand that Toyota isn't a premium brand as such, there really isn't any excuse for this, and I'm sure it must have an adverse effect on potential and current customers alike. If Toyota would like us to fix this then we'd probably do it for free in exchange for the source code to their head unit, so we could fix that too.

You'll also regularly be greeted with the following, or similar, for unknown reasons; just try again.

iPhone/Android Apps

Unlike the earlier versions of the system, there are no longer any apps available except the 'MyToyota' app, which has no impact on the audio system and requires you to re-enter your password on every use, which just makes you not want to use it.

PHEV Specific complaints

The new Prius PHEV is a fantastic vehicle and fun to drive, but there is a complete lack of EV information on the touchscreen. You can see the 'power' flow, even though it's slow to update, but things you'd consider essential for an EV, such as kWh charged, kWh used, kWh regenerated, kWh/mile and so on, are completely missing, which is a real disappointment, especially as everyone else manages to provide this (even if it's not accurate). Maybe this will come with later software, but I doubt it; essentials like this generally come at launch or don't come at all.

Overall

It's far from the best system we've used, but it's not the worst. If you were wowed by the dealer's promise of over-the-air apps in a vibrant app ecosystem, fantastic navigation, real-time mobile speed camera alerts and 'Premium Audio' then you're going to be hugely disappointed for sure, but if you were spared all that and just expected a vehicle with navigation and the ability to play music then you're going to be in luck.

This entire article is based solely on our opinion after using the Toyota Touch 2 & Go for a few months in real-world situations, and it's not meant to be an exhaustive analysis of the system or its features. We may well do a technically biased article in the future. If you have a specific question then please feel free to post it in the comments, or pop in to your local Toyota dealer and ask them. I'd recommend staying away from blog.toyota.co.uk because the comments are heavily moderated and a 'difficult' question is unlikely to even make it onto the site, let alone be answered. We've posted a few questions and they were all just ignored. There is the enquiries@toyota.co.uk email address, but likewise in our experience awkward questions are ignored and simple ones just get passed on to a dealer so your email can be added to their spam lists.

If you found this useful then please take a moment to rate it below. If you have a question then feel free to post it below and we'll reply.

 

Copyright © 2017 GEN, E&OE.


GoToAssist, problems or end user chaos?

GoToAssist

For many years we have been a customer of GoToAssist from Citrix (now LogMeIn) as a reliable method of providing remote support where it's needed with the minimum of effort. The end-user client can be downloaded from fastsupport.com on Windows and Mac (no Linux support at present), and a simple 9-digit key connects the client to our support team. Because GoToAssist uses HTTP channels for the connection, it can operate through most firewalls and proxies without special considerations, which puts it ahead of other point-to-point remote control tools. You can even remotely support users and servers from an iPad with a well-implemented app. You can get a 30-day trial on the GoToAssist website.

For unattended machines such as servers or regular clients you can set up 'Unattended Support', which will allow you to remotely connect to a machine without the client having to do anything. Over the last few months we've intermittently noticed machines on our 'unattended' list that we don't recognise, but as there are several people who use it regularly I had reasonably assumed it was one of my colleagues.

Today I noticed three new Unattended hosts.

I took the time to ask around who had created these, and to my surprise no one had any idea. Clicking on one of them established a remote session with a machine at a site that we knew nothing about and didn't set up. Moments later the workstation was unlocked and we were given desktop access. We immediately terminated this connection and contacted GoToAssist for support. Despite their support line dropping our calls and their community forum preventing us from posting, they did get back to us quickly and conducted an investigation.

LogMeIn, who took over GoToAssist, identified that some of the workstations we were seeing on our account were in fact linked to our account, and went a step further to identify that the unique code used to identify each account was in fact ours. Further research identified that our copy of the GoToAssist unattended installer had been downloaded from our support site and that same copy had been installed on this client's machine.

Using this installer will silently set up unattended support on the client's machine and link that back to our account. Whilst this download is rarely used by us, and only in circumstances where a browser is unable to work correctly, such as old Windows 2003 servers with IE6, the file had been downloaded 266 times. So let's consider the risks here.

Firstly, having an unattended installer which installs silently and without any user interaction is a good thing: it means that in a worst-case scenario we can use SMB to push the file onto a server and then persuade that file to be executed under the system or administrator context using the task scheduler, the registry, or by replacing a Windows file and forcing a reboot. We can also distribute and auto-install unattended support on a corporate network by using a logon script to pull it from a server and execute it as part of the logon process, and again the user doesn't get a choice. The unattended support installer does create a Start menu item, but there's no 'uninstall' in there, just the program, so clients who have the Control Panel restricted can't subsequently uninstall it without permission.

So how did we get machines on our account from the other side of the world? Well, that's simple: they downloaded the GoToAssist client from our website and installed it. Even more bizarre is that they then proceeded to enter their login credentials into the unattended client using the notification icon. Hold that thought, and instead let's consider that someone less honest were to seed the internet with their installer, and instead of "The GoToAssist client for receiving remote support from us" they linked it from something like "Get GoToAssist remote for FREE" or "30-day free trial of GoToAssist"; then those users would be opening their PC up to whoever, without realising it, and that might not end well. The unattended client does have a notification icon on Windows (nothing on Mac), but using the registry, PowerShell or some VBScript, that can be hidden as part of the install, making it invisible to the end user.

But taking a step back for one moment, the technical scope for abuse is about the same for GoToAssist as it is for any other remote control solution, with the difference being that GoToAssist can pull the plug on any account they suspect is involved in abuse, whereas some of the other products that are point-to-point don't have that safeguard. If you really want to stop GoToAssist, TeamViewer, RAdmin, VNC and the rest then specifically block them at your firewall and the risk is gone. If you want to monitor their use then your firewall or proxy logs are your friend.
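To make the "proxy logs are your friend" point concrete, here is an added example (not GEN's or LogMeIn's code) that scans Squid-format proxy log lines for remote-support tool traffic and reports which internal clients are talking to which service. The watchlist domains other than fastsupport.com, the sample log lines, and all IP addresses in it are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Added example (not GEN's or LogMeIn's code): scan proxy logs for remote-support
tool traffic, so unattended-access clients on the network show up in one report."""
import re
from collections import defaultdict

# Domains to watch. fastsupport.com is the download site named in the post; the
# others are the vendors' public domains as assumed for this example. Extend to taste.
WATCHLIST = {
    "fastsupport.com": "GoToAssist",
    "gotoassist.com": "GoToAssist",
    "teamviewer.com": "TeamViewer",
}

# Squid native access.log fields:
# timestamp elapsed client action/code size method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_of(url):
    """Hostname from a logged URL; CONNECT requests log 'host:port' with no scheme."""
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0]
    if host.count(":") == 1:          # strip a port; leaves bare names and IPv4 alone
        host = host.split(":", 1)[0]
    return host.lower()


def matching_tool(host):
    """Tool name if host is a watchlisted domain or one of its subdomains, else None."""
    for domain, tool in WATCHLIST.items():
        if host == domain or host.endswith("." + domain):
            return tool
    return None


def scan_proxy_log(lines):
    """Return {client_ip: {tool_name: request_count}} for watchlisted hosts.
    Lines that do not parse are skipped rather than aborting the scan."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        tool = matching_tool(host_of(m.group("url")))
        if tool:
            hits[m.group("client")][tool] += 1
    return {client: dict(tools) for client, tools in hits.items()}


# Constructed sample lines in Squid native format; hosts, IPs and sizes are made up.
SAMPLE_LOG = """\
1504000001.123    452 10.1.1.25 TCP_TUNNEL/200 8120 CONNECT fastsupport.com:443 - HIER_DIRECT/192.0.2.10 -
1504000002.456     98 10.1.1.25 TCP_MISS/200 1523 GET http://www.gen.net.uk/ - HIER_DIRECT/192.0.2.20 text/html
1504000003.789   1201 10.1.1.40 TCP_TUNNEL/200 91233 CONNECT app.gotoassist.com:443 - HIER_DIRECT/192.0.2.11 -
1504000004.012    311 10.1.1.40 TCP_TUNNEL/200 7310 CONNECT fastsupport.com:443 - HIER_DIRECT/192.0.2.10 -
this line is not in Squid format and is ignored
"""

if __name__ == "__main__":
    for client, tools in sorted(scan_proxy_log(SAMPLE_LOG.splitlines()).items()):
        print(client, tools)
```

On a real proxy, feed it the access.log (for example `scan_proxy_log(open("/var/log/squid/access.log"))`) and any client that appears without a matching support ticket is worth a look.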

Summary

This has been a voyage of discovery for us, with end users again doing the unexpected and causing chaos and confusion. We've pulled the downloads from our support site now and will look at a more selective method of file distribution going forward. If I were to make a product enhancement suggestion to LogMeIn then it would be to add the IP address, the method of install and whether credentials were stored to the unattended machines window. Having the IP address would let us track down poorly named or unknown clients quickly, and knowing whether it was installed within a GoToAssist session or via a downloaded installer would further clarify the situation. Knowing if credentials were stored would save the time spent establishing a connection, finding they are not stored, disconnecting, looking up the credentials and reconnecting. These are only suggestions and not complaints.

 


Synology Auto-Update


We've been actively promoting Synology RackStations for many years now, and they do provide exceptional performance for our customers, but they also come with a few gotchas that you need to be aware of when running them. If you have managed storage or any of our support or outsourcing services then we'll take care of these units for you, but if not then please read on.

Auto-update is an important part of any patching strategy, and of course Synology provides the same functionality, which can be found in Control Panel / Update & Restore / Update Settings.

Here we have updates set to be applied automatically at 3am when available. This will mean your system is always up to date with the latest patches and fixes.

A second level of protection comes from the Package Centre auto-updates, which can be enabled in Package Centre / Settings / Auto Update and will look something like...

But you can never leave your Synology servers to just update themselves without intervention, as we discovered today when we found that all our customers who have managed storage were showing package updates available (via CMS) but they weren't auto-updating. We investigated this further and found that Synology have made a change that seemingly affects everyone...

When opening the Package Centre from DSM on the server you find this dialogue:

and of course all the packages have stopped auto-updating because of this.

Now we have 300+ Synology servers under management, and so far today we've only managed to do a fraction of them, but over the next few days we'll log in to each of the boxes, tick the box and then let auto-update do its thing. If you are using a Synology NAS then double-check this now and make sure you've got it ticked, then apply any outstanding updates.

 

 


Firewalld on Redhat/CentOS 7 and later

CentOS 7 brings with it a new dynamic firewall interface daemon (firewalld) which allows fairly easy configuration of your firewall without having to learn iptables. The firewalld daemon provides a dynamically managed firewall with support for network "zones" to assign a level of trust to a network and its associated connections and interfaces. In reality firewall-cmd is just a front end for iptables and will indeed create and maintain the iptables rules required by your configuration. In a normal configuration you would expect to have a local and a remote interface, the local being the LAN and the remote either being behind a firewall or NAT'ed. The rules for each would of course be different, and so you can create 'zones' with firewall-cmd for Internal and Public (or whatever you want to call them).

If you're using a graphical interface then you can use the firewall-config tool, but for the rest of us that live in the shell, the command line interface is fairly easy to use.

Let's assume you have two interfaces:

eno16777984 = LAN with a private address such as 10.1.1.10

eno33557248 = Public with a public IP such as 8.4.2.1

Now the magic with firewall-cmd is that once you've defined the zones (Internal and Public, or whatever you want to call them; the option that creates a zone is --new-zone, and it only exists in --permanent mode):

firewall-cmd --permanent --new-zone=Internal
firewall-cmd --permanent --new-zone=Public

You can then assign some services to those zones with:

firewall-cmd --permanent --zone=Internal --add-service=ssh

and that's assuming you're SSHing into the box; you don't want to be locked out. So now let's assign the interfaces to the zones:

firewall-cmd --permanent --zone=Internal --add-interface=eno16777984
firewall-cmd --permanent --zone=Public --add-interface=eno33557248

and finally restart the firewall with:

systemctl restart firewalld

Now you can go ahead and add more services (with --add-service=) or ports (with --add-port=) and set up the rules for your interfaces. If you're curious as to how this is configuring iptables then just issue iptables -L to see the rules. You'll find that for each zone you've got IN and OUT, allow and deny chains, and your rules are allocated to the correct ones.

One big tech tip here: for some reason, especially when you're changing interfaces, IPs and whathaveyou, firewalld can sometimes move interfaces between zones. It's rare, but not realising can be bad news, especially if it moves the dirty interface into the Internal zone. To ensure you're always aware of which zones are on which interfaces, locate your .bashrc file (in your home directory, the one you land in when you log in) and add a line on the end:

firewall-cmd --get-active-zones

You'll get output similar to:

Internal
interfaces: eno16777984
Public
interfaces: eno33557248

every time you log in, so you're always aware if an interface has vanished from its zone.
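Printing the active zones at login relies on you reading them every time; the following added script (not from the original post) parses that same firewall-cmd --get-active-zones output and warns only when an interface is not in the zone you expect. The interface names and zone names match the post above; the expected mapping, and running it from .bashrc as python3 check_zones.py, are assumptions of the example.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): warn at login when firewalld has
moved an interface out of the zone it was assigned to."""
import subprocess

# Expected zone for each interface; names are the ones used in the post.
EXPECTED = {"eno16777984": "Internal", "eno33557248": "Public"}


def parse_active_zones(text):
    """Parse `firewall-cmd --get-active-zones` output into {interface: zone}.

    The output is a zone name on its own line followed by indented
    'interfaces: a b' and/or 'sources: ...' lines for that zone."""
    zones = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interfaces:"):
            for iface in line.split(":", 1)[1].split():
                zones[iface] = current
        elif line.startswith("sources:"):
            continue                    # source-bound zones carry no interfaces
        else:
            current = line              # an unindented line names the zone
    return zones


def zone_mismatches(actual, expected=EXPECTED):
    """List of (interface, expected_zone, actual_zone_or_None) for every
    interface that is missing or sitting in the wrong zone."""
    return [(iface, zone, actual.get(iface))
            for iface, zone in expected.items() if actual.get(iface) != zone]


def main():
    out = subprocess.run(["firewall-cmd", "--get-active-zones"],
                         capture_output=True, text=True, check=True).stdout
    problems = zone_mismatches(parse_active_zones(out))
    for iface, want, got in problems:
        print(f"WARNING: {iface} expected in zone {want}, "
              f"found in {got or 'no active zone'}")
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```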

The full reference can be found on the Red Hat site and there are ample community resources too. If you get stuck and need some help then feel free to post in the GENSupport Forum and someone will help you out.

 


USB Flash - Built in failure


With the slow decline of CDs and the long-lost days of floppy diskettes, USB portable storage has become commonplace. Memory stick, thumb drive and pen drive are common terms for the same thing, a USB mass storage device based on flash memory, and yet many people don't know that the whole technology behind flash storage has a very limited lifespan. This leads me on to the relatively high volume of data recovery requests for USB storage that we have coming through the channel.

Flash memory is generally of two types, NAND and NOR. Both technologies allow permanent storage of data without needing a power supply. NAND requires data to be read and written in blocks called 'pages' and is by far the most common flash memory in use today.

Flash memory, like all memory, stores data as 0s and 1s in a vast array of cells, but the method by which the data is permanently written involves pushing a charge (electrons) through an insulating layer; once through the insulator it's stuck there and will remain until it's pulled back through the insulator, thereby changing the state.

However, this 'pushing' and 'pulling' through the insulator, known as tunnelling, slowly breaks down the insulator until it fails. When an insulator fails this only affects the one cell, but of course just one bit that won't switch will adversely affect the data when read back. Furthermore, certain areas of the flash drive are read and written much more than other areas, and these are the master directory and the file allocation tables, both of which are changed when data is read (changing the last access time) and written (changing the last updated time and changing the allocation of storage in the file allocation table). This means that in many instances the part of the flash drive that fails first is the most important part: the part that tells us what files are stored on the drive and where they are stored.

Cheap vs Expensive

When it comes to flash drives, there is a real physical difference between the budget end of the market and the professional end, because NAND/NOR flash comes in many different flavours depending on its performance and expected lifespan. Often the cheapest flash ICs are designed for storing firmware in embedded devices, where write performance is a non-issue and the expected number of writes is very limited, maybe 10 writes in its entire lifetime, whereas the most expensive flash is designed specifically for high speed and many write cycles, and this is the correct hardware for USB flash drives. If you can buy a 128GB flash drive from SanDisk for £30 and an unbranded one for £5 then the lifespan and performance of your SanDisk drive will be many, many times better than the unbranded one.

I guess I should also point out that some cheap unbranded USB flash drives (or knock-off branded ones) are engineered to falsely report their capacity. This is done by creating a partition on the drive with false data, so the computer you connect it to thinks it's larger than it is, and the only way to be sure is to try and fill it up or to perform a low-level reformat. This sort of storage fraud is often seen on sites like eBay promising 1TB of flash for $10, which is nonsense.
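"Try and fill it up" can be done methodically: write a distinct marker to every block of the claimed capacity, then read them all back. This added example (not from the original post) does that, and includes a constructed test double for a fake drive that aliases addresses beyond its real NAND back onto existing cells, which is what makes a 1TB-for-$10 stick look full-size until you read back. The device path in check_device is a hypothetical placeholder.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): check whether a drive really has
the capacity it reports by writing a unique marker to every block and reading
it back. Fake drives typically alias high addresses onto the real NAND, so early
blocks come back holding later blocks' markers."""
import hashlib

BLOCK_SIZE = 4096


def marker(index, key=b"capacity-check"):
    """Block contents derived from the block index, so an aliased, stuck or
    zeroed block cannot accidentally read back as correct."""
    seed = hashlib.sha256(key + index.to_bytes(8, "big")).digest()
    return (seed * (BLOCK_SIZE // len(seed) + 1))[:BLOCK_SIZE]


def verify_capacity(dev, claimed_bytes, block_size=BLOCK_SIZE):
    """Overwrite every block up to claimed_bytes with its marker, then read back.
    Returns the index of the first block that reads back wrong, or None if the
    whole claimed capacity is real. DESTRUCTIVE: all data on dev is lost.
    dev is any object with seek/write/read/flush (a raw device or a test double)."""
    blocks = claimed_bytes // block_size
    for i in range(blocks):
        dev.seek(i * block_size)
        dev.write(marker(i))
    dev.flush()
    for i in range(blocks):
        dev.seek(i * block_size)
        if dev.read(block_size) != marker(i):
            return i
    return None


class FakeDrive:
    """Constructed test double: advertises `claimed` bytes but only stores `real`
    bytes; addresses beyond `real` wrap onto existing cells. Sizes and I/O are
    assumed block-aligned, which is how verify_capacity uses it."""

    def __init__(self, real, claimed):
        self.real, self.claimed, self.pos = real, claimed, 0
        self.cells = bytearray(real)

    def seek(self, offset):
        self.pos = offset

    def write(self, data):
        start = self.pos % self.real
        self.cells[start:start + len(data)] = data
        self.pos += len(data)

    def read(self, n):
        start = self.pos % self.real
        self.pos += n
        return bytes(self.cells[start:start + n])

    def flush(self):
        pass


def check_device(path, claimed_bytes):
    """Run the check against a real block device, e.g. /dev/sdX on Linux
    (hypothetical path; needs root and wipes the drive)."""
    with open(path, "r+b", buffering=0) as dev:
        return verify_capacity(dev, claimed_bytes)


if __name__ == "__main__":
    honest = FakeDrive(8 * BLOCK_SIZE, 8 * BLOCK_SIZE)
    fake = FakeDrive(8 * BLOCK_SIZE, 16 * BLOCK_SIZE)   # claims double its NAND
    print("honest drive, first bad block:", verify_capacity(honest, honest.claimed))
    print("fake drive, first bad block:", verify_capacity(fake, fake.claimed))
```

Against a real stick the first bad block index times the block size is a rough upper bound on the capacity you actually bought.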

Recovering data from failed flash drives isn't that hard, but it does bring with it some challenges, because the data will have errors in it where specific cells are stuck, or indeed entire pages are stuck and non-responsive, and it's not always possible to identify these areas during the scan: they often read as OK but with incorrect data, or they read as all 0s. After re-assembling the filesystem as best we can, it's over to the client to work through the recovered data and validate it.

The bottom line here is never, ever rely on a USB flash drive for data storage; it's not safe, certainly not guaranteed, and it will fail at some point. Stick with brand names and stay away from the budget end of the market.


Synology CloudStation in the Corporate Environment


If you've invested the time and money in Synology RackStations then you're probably going to want to take advantage of some pretty cool embedded features. One such feature is CloudStation and its associated CloudStation Sync and CloudStation Backup, which collectively allow for realtime-ish local file synchronisation with a server, providing up-to-date files for remote users, a multi-versioned backup for desktops and laptops, and realtime sync between servers across sites. There is however one serious flaw in the plan that you need to be aware of before you roll this out across the business, and that's SSL.

When you set up your RackStation(s) you probably set up SSL and would have used the built-in 'Let's Encrypt' support, which promises a valid certificate renewed every 90 days, or you would have installed a paid certificate, which renews annually in most cases. Having set up your SSL certificate you would of course want your clients to use SSL when connecting to the server so the transfer is a little more secure, but here's where it all goes down the tubes: if you did make the mistake of selecting SSL when you set up the clients then every 90 days (or annually) all the clients are going to silently stop working, and no one is going to notice for a while.

If a user actually opened CloudStation Backup to restore a file then they will be met with:

And should they click on Version Explorer they get the equally helpful...

In fact there is no way out of this without going into Settings, then Connection, re-entering the user/password and applying, and in a corporate environment the end user may well not be privy to the Synology user/password; but even if they were, it's now too late, because CloudStation Backup hasn't been backing up since the last certificate renewal. The ONLY way around this is to turn off SSL, or you'll be back here again before you know it. It's a real shame that you cannot use SSL, as it's a nice feature, but in a corporate environment it's not essential unless you're allowing remote sync.

I have no doubt that Synology will resolve this in due course, but until then keep SSL off to save a bunch of time and effort.


eMail Security and Retention


I was asked a few days ago by one of the partners if we could retrieve an email from a year or more ago, and of course the answer was no, but that left me thinking about the question itself and the wider implications. I think it's pretty much understood that if you choose to host your email at Microsoft, Google, BT and so on then your every email is going to be archived away somewhere for all time and will no doubt be available for anyone with sufficient clearance to review, trawl, analyse and so on, but that's fine as long as you know it's happening. At GEN we offer a secure service which by its very nature is not archived anywhere unless that functionality is specifically ordered by the customer, and that's rarely the case, but we do take backups, so I think it's important to define exactly what we do, and what we don't do, here.

 

Your email is stored in an encrypted format on the physical server media and the key to decrypt this format is different for each mailbox. 

There is a snapshot of the entire server cluster taken hourly on a 96-hour rotation; that is, the oldest snapshot we have is 96 hours old. These snapshots are taken as part of our disaster recovery process, meaning that even if an entire datacentre were destroyed, your email service would resume shortly afterwards at a backup site, which is always in place.

Your mailbox is protected to some degree from brute force attacks by a system which actively monitors such behaviour and blocks attack routes in real time. 

Server free space is defragmented daily as an overnight process. 

Logging of email traffic, including date/time, sender, recipient and size but not contents, exists for 7 days on the anti-spam and anti-virus gateways and for 3 days on the mail servers themselves. We use these logs to satisfy all those tickets people raise complaining that their email isn't reaching someone, or that someone trying to send them an email isn't getting through, and so on.

So, unless you specifically ordered email retention, when you delete an email it's gone from the email server immediately, from our logs 7 days after receipt, and from our snapshots within 96 hours.

Keeping your email secure...

Consider that when you send an email from A to B, the following are involved:

  • Your PC, has to store the message to be able to send it
  • Our server receives the email from you, stores it in your Sent Items (encrypted) and then sends it on to the recipient's server
  • The recipient's server receives the email from us and stores it on disk, maybe in the clear, and then stores it in the recipient's mailbox
  • The recipient's PC retrieves the email and stores it on disk, maybe in the clear

So there are many points of compromise here, and some of the most vulnerable are the sender's and recipient's PCs. To completely remove this risk, use only webmail or an email client that stores your email with strong encryption.

We've already covered our servers, but the recipient's server(s) are a real risk too. If the recipient is using a server which retains everything, and you wouldn't know without checking, then your email is once again going to be stored for all time.

Any way around this? 

To keep your email as secure as reasonably possible between sender and recipient, they:

  • Should be on the same server, which negates the risk of a second server with unknown retention and security, and also negates the risk of a man-in-the-middle attack by anyone compromising your DNS.
  • Should use S/MIME or GPG to provide a second layer of encryption to further protect the email's contents; in the case of S/MIME this will also provide validity guarantees.
  • Should use webmail only, as this will not store a copy of the email on local devices.
  • Can use a secure access service such as GEN SAS to ensure an encrypted tunnel into the GEN infrastructure and on to the mail servers.

But who needs that level of security? Well, anyone who wants their email to be secure, and that might be you, or you might be happy knowing that everything you have ever sent and received is stored and archived somewhere.

I hope this has cleared up any confusion around retention of email data; if you have any more questions then raise them at the HelpDesk.

 

 

 

 

 

 

 


Browser Cache, Transparent Proxies and more


One of the questions that comes up time and time again on the Helpdesk is: what is my cache, where is my cache, and what am I supposed to do with it?

Well, the question itself often arrives on the back of conversations with content providers and developers, often around out-of-date content, so it's worth taking a few minutes to explain what the cache is, where it is and why it is.

A cache, pronounced "cash", is masterfully defined as "A hiding place used especially for storing provisions" or "A place for concealment and safekeeping, as of valuables", and that's not too far from the truth. The cache is indeed a place for storing provisions of the digital kind. You see, the internet isn't anywhere near as fast as you experience it from a browser on your PC, and this is because the internet is just a collection of many different networks all connected together to provide a 'route' from your PC to the server at the end of a browser request. Let's look at this in more detail now:

When you type a URL into your browser, for example http://www.gen.net.uk, and press Enter or Go, the browser uses the operating system of your device to open a connection to www.gen.net.uk on port 80 (port 443 if https://) and requests that page. The actual request sent to the remote server looks like this: "GET / HTTP/1.1", which means get the page at /, the default or index page, using HTTP/1.1, which is just a protocol version. The response from the server will be an HTML page which the browser then displays to you as the client.

Now where does caching fit in here? Well, your browser, when it receives the HTML page, stores it locally in a cache (which is just a hidden folder on your PC), and with it stores the date and time the page was retrieved. Now if you close the browser, open it again and again type in http://www.gen.net.uk then this time something magical happens: the browser realises that it's just been to www.gen.net.uk and just received the page at /, so rather than bother requesting it again it just returns the one it stored a few moments ago. Simple and fast, right?

Well, it gets a little more complex than that, because the server, when returning the page to the browser, can in fact indicate whether or not the browser should cache it, and if it should, it can specify for how long the browser may cache it; and indeed the page at www.gen.net.uk/ at the time of writing does not give any special instructions to your browser around caching.

So, hopefully that's a little clearer: when you type in a URL or follow a link, if your browser's already been there recently then you'll get the cached version rather than the 'live' version, unless the site specifically told the browser not to cache. This really becomes visible if you have your own website and you or your developer has made changes but you just can't see them: it's all in the cache. Clearing the cache is simple enough and can be found in your browser's menus should you require it, and issuing repeated refreshes (CTRL+R on Windows, CMD+R on Apple) will generally also force the browser to reload the live page. 
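To make the "server tells the browser whether and for how long to cache" part concrete, here is an added example (not code from this post) of the freshness decision a browser cache makes from the Cache-Control and Expires headers; the header sets, the retrieval time and the page names are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Split 'max-age=600, no-store' into {'max-age': '600', 'no-store': None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def may_store(headers):
    """A response marked no-store must not be written to the cache at all."""
    return "no-store" not in parse_cache_control(headers.get("Cache-Control", ""))


def is_fresh(headers, fetched_at, now, heuristic=timedelta(0)):
    """Decide whether the copy retrieved at `fetched_at` can be reused at `now`
    without asking the server. Precedence follows RFC 7234: no-store / no-cache
    always force a fresh request, then max-age wins over Expires, and a response
    with no caching instructions at all falls back to a heuristic lifetime
    (zero here, i.e. always re-request, which is the conservative choice)."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return False
    age = now - fetched_at
    if cc.get("max-age") is not None:
        return age < timedelta(seconds=int(cc["max-age"]))
    if "Expires" in headers:
        try:
            return now < parsedate_to_datetime(headers["Expires"])
        except (TypeError, ValueError):
            return False  # an unparseable Expires value counts as already expired
    return age < heuristic


# Constructed responses: a page sending no caching headers (as the text says
# gen.net.uk/ did at the time of writing), one with a ten-minute max-age, one
# that forbids caching, and one with an absolute Expires date.
NO_INSTRUCTIONS = {"Content-Type": "text/html"}
TEN_MINUTES = {"Cache-Control": "max-age=600"}
NEVER_CACHE = {"Cache-Control": "no-store"}
EXPIRES_1230 = {"Expires": "Wed, 01 Mar 2017 12:30:00 GMT"}
FETCHED = datetime(2017, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed retrieval time


def reusable(headers, seconds_later, heuristic_seconds=0):
    """Convenience wrapper: is a copy fetched at FETCHED still usable
    `seconds_later` seconds on, with an optional heuristic lifetime?"""
    return is_fresh(headers, FETCHED, FETCHED + timedelta(seconds=seconds_later),
                    timedelta(seconds=heuristic_seconds))


if __name__ == "__main__":
    for label, hdrs in [("no headers", NO_INSTRUCTIONS), ("max-age=600", TEN_MINUTES),
                        ("no-store", NEVER_CACHE), ("Expires 12:30", EXPIRES_1230)]:
        print(f"{label:12} fresh 5 min later: {reusable(hdrs, 300)}")
```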

Now, as I said before, the internet is nowhere near as fast as you experience it, and this is not only due to your browser's magic cache, it's also due to internet service providers (mostly residential) using systems called 'transparent proxies'. This is another cache between you and the sites you browse, and this cache is not optional and in many cases will not yield to a server's requests not to cache. The transparent proxies intercept your requests as you make them, look to see if they have a copy of that page and, if so, serve it up as if it came from the server itself. Your browser has no idea it's not a live page, and neither do you. By using transparent proxy caching, ISPs (Internet Service Providers), especially residential ones, can significantly reduce the amount of bandwidth they use on their upstream (between them and the server). There are also, in this country at least, significant privacy concerns around transparent proxying, because your ISP not only intercepts your requests but can keep a log of them tracked back to your IP address, and therefore back to you, so it's a bit of a double whammy. There is a third layer of caching known as web accelerators that are sometimes used at the server side to speed up performance by keeping a cache, but this is under the control of the site owners and as such isn't an issue. 

How do you defeat this transparent proxying? 

Well, it's not easy, because the ISP has access to all the traffic you send and receive and can easily intercept not only your web requests but your email too, although if your email is stored at Microsoft (Hotmail, Office 365 etc.), Google (Gmail, etc.), Yahoo, AOL and so on, then it's already compromised many times over and this really isn't going to make any difference. There are, however, tools that can cut through the proxies by establishing a 'tunnel' between your browser and a server in another country and making browser requests from there. I am of course talking about VPNs, the most common of which is the Tor Project (https://www.torproject.org/), but having said that, the Tor Project, based in the USA, is probably not going to fill you with overwhelming confidence in the privacy of your data. Still, it's the best we've got unless you want to spend some real money, in which case you can establish real VPNs to real secure proxies and have true anonymity online. 

I think it's also worth mentioning that browser plugins such as Adblock, Ghostery and Web of Trust, to name a few, and of course Microsoft's own 'safe browsing' nonsense, also hijack every URL you visit and pass that URL back to central servers somewhere, giving them too a full history of your browsing habits, but by themselves they can't tie that data back to you personally. That is, they know that a PC on the internet with a unique ID visits these websites, but without help from your ISP they can't tie that information specifically back to you as a person, unless of course you log in to your Facebook, Google+, Twitter and so on using the same PC, in which case they can now easily tie your browsing habits back to you personally. The only difference is that your ISP has your postal address, and generally people aren't stupid enough to enter that sort of thing into Facebook, Google+ or Twitter. 

So here concludes this little discussion around caching, which has taken a sideways step into privacy and anonymity, but it's all connected of course. 


Copyright

© GENADMIN


We could eliminate SPAM tomorrow if...

We are all familiar with SPAM: it's the huge volume of unsolicited crap that we have to wade through each day just to do our jobs, and yet there's no sign of it going away despite us all having the means to end it. So let's look at why we are all being subjected to the spam, and then we'll look at why we don't end it when we all have the power to do so. 

The reason for SPAM

SPAM has three basic objectives, listed here in order of volume: 

  • Firstly, the majority of SPAM is an attempt to infect your workstation, laptop, tablet etc. with a virus and/or trojan. By doing this the spammers gain (a) the ability to scan your system for card numbers, passwords, and of course email addresses from your email client, (b) the login credentials for your email account, so they can use it to propagate more spam FROM YOU, and (c) a machine they can leverage in DoS attacks. 
  • Secondly, spam will attempt to impersonate an organisation that you might expect an email from and then trick you into giving up your login, password, account and so on by taking you to a fake website. Whilst you may think most people are wary of this type of spam, you would be surprised how many we still get at the helpdesk. 
  • Finally, some spam can actually be trying to sell you something, which is rare these days but does still happen. 

Current SPAM defences

  • The blacklist: A number of worthy organisations like Spamhaus, SpamCop, etc. are dedicated to maintaining lists of domains, hosts and subnets which are used to originate spam. Using these blacklists is an expensive but effective tool to eliminate a good percentage of spam at the first gate. Blacklists, however, are not real-time, and there is always a delay between a spammer launching a mass mailing and the blacklists listing it. 
  • Authentication: Several technologies exist to verify sender domains and hosts, such as SPF & DKIM, and these can serve (where used by the receiving server) to block spoofed spam, which constitutes the vast majority of scams. For example, HMRC, who are under constant attack from scammers, specify in their SPF record two hosts that are allowed to send email for @hmrc.gov.uk, and of course the spammers cannot originate email from those addresses, so SPF wins the day and any email coming from, say, refund@hmrc.gov.uk that doesn't come from the two hosts listed in the SPF record is canned. This all falls down, however, when the receiving server doesn't check, the sending organisation doesn't use it, or the sending organisation has been compromised.
  • DNS: The domain name system is what converts gen.net.uk to 212.140.242.10 and back again, and when you send email to someone @gen.net.uk, DNS gives up the address of the mail server that is designated to receive that email, in this case farpoint.gen.net.uk. RFC1124/1124, which form part of Internet Standard 1, specify clearly that every host on the internet should have forward and reverse DNS, that is gen.net.uk to 212.140.242.10 and 212.140.242.10 to gen.net.uk. So, when a host 'spammer.com' connects from 212.140.242.50 to our mail server, we check (a) that 212.140.242.50 corresponds to 'spammer.com', (b) that 'spammer.com' has a valid MX record, and (c) that the host listed in the MX record actually exists on the internet. This is particularly hard for a spammer to forge, and therefore this check eliminates a percentage of spam, as well as a percentage of legitimate email from companies who don't know how to set up very basic DNS correctly. 
  • Content Filtering: By far the most effective tool at eliminating spam which passes all the above tests is pattern matching. This involves looking for and detecting elements in the body of an email and assigning a score to each detection. An example would be an HTML-only email, which scores 3 points, or external links to pictures, which score 0.2 points each, and so on. The more spammy the email, the more points it will accumulate, and once a threshold is reached the message is flagged as spam. Content filtering can make use of content lists which are maintained by third parties and provide known phrases and content to score. 
  • Bayesian Probability Filtering: A gross simplification of this would be that email which is known to be spam can be 'learned' and that data used to identify 'similar' spam. The area of mathematics is complex and the techniques even more so, but the result is the same, in that spam that looks like spam based on learned data can be flagged as such, usually by giving it a score, such as +10.
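As an added illustration of the Authentication and DNS checks above (example code, not GEN's mail-server configuration), the following evaluates a domain's SPF record for a connecting address and applies the forward/reverse DNS and MX sanity checks, using a constructed in-memory DNS table in place of real lookups; all domains and addresses are placeholders.

```python
import ipaddress

# Constructed in-memory DNS table standing in for real lookups so the example
# runs offline; every name and address here is a documentation placeholder.
DNS = {
    "TXT": {"example.com": ["v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 mx -all"],
            "softfail.example": ["v=spf1 ip4:192.0.2.10 ~all"]},
    "A": {"mail.example.com": ["203.0.113.25"], "host.forger.example": ["192.0.2.50"],
          "mx.spammer.example": []},
    "MX": {"example.com": ["mail.example.com"], "forger.example": ["host.forger.example"],
           "spammer.example": ["mx.spammer.example"]},
    "PTR": {"203.0.113.25": ["mail.example.com"], "192.0.2.50": ["host.forger.example"],
            "198.51.100.7": ["spammer.example"]},
}


def lookup(rtype, name):
    return DNS.get(rtype, {}).get(name, [])


def spf_check(domain, ip):
    """Evaluate the domain's v=spf1 record for a connecting IP. Handles the
    ip4/ip6/a/mx/all mechanisms with the +, -, ~ and ? qualifiers and returns
    pass, fail, softfail, neutral or none (no record), as in RFC 7208."""
    records = [r for r in lookup("TXT", domain) if r.startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    outcome = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in outcome:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup("A", arg or domain)
        elif mech == "mx":
            matched = any(ip in lookup("A", h) for h in lookup("MX", arg or domain))
        elif mech == "all":
            matched = True
        else:
            matched = False  # include/exists/etc. are out of scope here
        if matched:
            return outcome[qualifier]
    return "neutral"


def dns_sanity(ip, claimed_domain):
    """The forward/reverse check from the DNS bullet: the PTR name for the
    connecting IP must resolve back to that IP, the claimed domain must have an
    MX record, and the MX host must actually resolve."""
    fcrdns = any(ip in lookup("A", name) for name in lookup("PTR", ip))
    return fcrdns and any(lookup("A", host) for host in lookup("MX", claimed_domain))


def gate(ip, helo_domain, mail_from_domain):
    """Connection-time decision combining both checks."""
    if not dns_sanity(ip, helo_domain):
        return "reject: DNS"
    result = spf_check(mail_from_domain, ip)
    if result == "fail":
        return "reject: SPF fail"
    if result == "softfail":
        return "accept: tag [SPAM]"  # weak evidence only; hand on to content scoring
    return "accept"
```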

And with these methods we can and do filter around 80% of your spam, but it's never ever going to be 100%, because spammers spend a great deal of their time trying to circumvent these filters, likewise costing us a great deal of money to continually adapt the filters for maximum effect. 

BUT we do have the ability to stop the SPAM completely, 100% total removal of spam, so why don't we? Well, quite simply we cannot, because in this day and age everyone's an expert when of course they aren't. Using the current standards and systems we could easily: 

  • Eliminate the source of SPAM by authenticating the source of all email, using both DNS and SPF. This would mean that email can only be sent if it originates from an authenticated server, and if all the ISPs got together and set up their systems in this manner (most already do) then spammers would ONLY be able to send spam by compromising users' email credentials. That's going to immediately eliminate 67% of SPAM. 
  • Use the tools we all have available to track, trace, and block email origination 'out of zone'. That is, for every email account the email server will ONLY accept email from the sender's company LAN or their country of residence. This kind of geolocation limiting is already built into all the modern mail systems, but it's rarely used. 
  • Use anti-hijack detection to automatically flag accounts that are likely to be compromised by looking for unusual email activity. For example, if a mailbox normally originates 50 emails a day and then suddenly originates 50 emails a minute, then we have the systems to automatically block that behaviour until the mailbox owner contacts us.
  • Use S/MIME certificates, which are free for individuals and only a nominal charge for businesses. These not only provide transparent encryption of business email but also provide authenticity to every recipient, so that when you receive an email from fred@bloggs.com it comes with a 'seal' that confirms the email came from fred at bloggs.com. We've used these for the last decade, but we're pretty much alone in this. 
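The anti-hijack rule in the third point, as an added example rather than GEN's production tooling: a sliding-window count over constructed outbound log lines that flags a mailbox sending far more than its usual rate and blocks it until the owner gets in touch. The log format, mailboxes and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed outbound-mail log, one 'ISO-timestamp sender recipient'
    line per message: alice sends at her usual pace, while fred's mailbox
    suddenly sends 60 messages inside a minute, the pattern the text
    describes for stolen credentials. Addresses are placeholders."""
    base = datetime(2017, 3, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=15 * i)).isoformat()} alice@example.com r{i}@example.org"
             for i in range(8)]
    lines += [f"{(base + timedelta(hours=2, seconds=i)).isoformat()} fred@example.com v{i}@example.net"
              for i in range(60)]
    return lines


def parse(line):
    stamp, sender, recipient = line.split()
    return datetime.fromisoformat(stamp), sender.lower(), recipient


def burst_senders(lines, window=timedelta(minutes=1), limit=20):
    """Return {sender: peak} for each sender whose message count inside any
    sliding window of length `window` exceeds `limit`."""
    stamps_by_sender = defaultdict(list)
    for line in lines:
        stamp, sender, _ = parse(line)
        stamps_by_sender[sender].append(stamp)
    flagged = {}
    for sender, stamps in stamps_by_sender.items():
        stamps.sort()
        start = peak = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[sender] = peak
    return flagged


def apply_policy(lines, **kw):
    """Block outbound mail for flagged mailboxes until the owner contacts the
    helpdesk; everyone else is left untouched."""
    return {sender: f"outbound blocked (peak {peak} msgs/window), owner must contact helpdesk"
            for sender, peak in burst_senders(lines, **kw).items()}


if __name__ == "__main__":
    for sender, action in apply_policy(constructed_log()).items():
        print(sender, action)
```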

So, it doesn't sound that hard, does it? Well, it's not, but unfortunately as an ISP with many customers there are always going to be the few who affect the many, as in many business models. No matter how much you promise your customers a spam-free life, a minority of customers don't want to hear that fredbloggs inc doesn't meet the standards and/or is blacklisted and therefore cannot send them email; they just insist how important it is that fredbloggs inc can email them. This creates a real problem for ISPs who technically want to kill spam as promised to their customer base but are also aware of the real-world cost of dealing with ticket after ticket of 'I can't receive email from xxx', and the time and effort spent identifying that the sender doesn't comply or is blacklisted, then trying to explain that to the customer. 

So our approach, which has been adapted over the years is to offer three levels of protection: 

  1. No Filter - All email is accepted regardless. All Spam and Viruses are delivered untouched. 
  2. Basic Filter - Some filtering is done, but spam is still delivered with [SPAM] in the subject line allowing customers to filter that into a spam folder if required. Some antivirus protection is enabled. 
  3. Max Filter - All the above fully enabled and active both Anti-Spam and Anti-Virus. 

And as we expected, the vast majority of business and corporate customers opt for the Max Filter, with only a very few opting for the other options. The customers who opt for and stay with the Max Filter understand the issues and stand with us in the fight against spam. If a sender winds up blacklisted then they don't tell us, they tell the sender to sort it out. 

So what's the future? Well, unfortunately, as it stands, with some ISPs favouring an easy life rather than deploying the available protections, with players like Microsoft and Google seemingly doing nothing to limit the spam they collectively originate, and with senders, especially in the less advanced countries, not able to configure even the very basic standard requirements, we're going to be up to our armpits in spam for a good while to come. But I do feel that things are changing, as we're already seeing customers migrating to us solely for the benefits of our protection systems, and that means we're doing it right. 

There are a number of articles on blacklists, SPF and DKIM on our FAQ, as well as the Internet Standard 1 RFCs. They are all technically orientated but available for anyone who's interested. 

 


Copyright

© (c) 2017 GEN Partnership, E&OE


Apple Wi-Fi Assist and Mobile Data Charges

Today at the HelpDesk we were dealing with a corporate customer who was experiencing HIGH mobile data charges and wasn't able to pin down the cause. We had a pretty good idea of the cause, and this was confirmed when we took a look at one of the mobile handsets with high usage. In iOS 10 Apple introduced a new 'feature' called Wi-Fi Assist, which is supposed to increase mobile data reliability for customers with poor Wi-Fi, which is great, but the issue is that even if you make sure you only use traffic-intensive apps like YouTube etc. when you're on Wi-Fi, with Wi-Fi Assist enabled the device can and will use mobile data (without telling you) if your Wi-Fi signal becomes weak. That's OK if you have an unlimited data plan, but we all know those don't exist in any form. 

Turning it off is easy if you can find it: go into Settings, then Mobile Data (towards the top), then scroll all the way down to the bottom and there it is. In the example below, Wi-Fi Assist had assisted us to use 478K of mobile data whilst we were on Wi-Fi. Whilst you're in that screen and have turned off Wi-Fi Assist, it's worth having a look through the apps listed to make sure you've allowed/denied mobile data as needed. 


Copyright

© (c) 2016 GEN Partnership, E&OE


Just Don't

I've just returned from a new customer who has experienced a serious data breach and the ensuing blackmail and extortion that follows. We were introduced to this customer by recommendation after they were contacted by an unknown third party asking for money to return their confidential data, and of course supplying proof in the form of attachments. The nature of the client's business is such that the confidential data, if in the wrong hands, would present a significant risk to the business, hence our involvement. So, not wanting to name any particular company, the previous 'supplier' of our new client's IT seemingly had no idea about security and probably wouldn't know a risk assessment if it hit them in the face, and that annoys me, not only because we come across this situation on a very regular basis but because there's really no excuse for putting a company's very existence at risk by simply not understanding the sector in which you operate. In any industry there will always be suppliers who know the industry and those who don't, but in IT the actions of one supplier can very literally mean the end of their customer's business, as potentially in the case that prompted this article. 

Start with this question: what is your data worth to someone else? If you sell washing machine spares, then it's worth money to your competitors and the pain will be felt gradually as you lose customers for unknown reasons, but if you're a solicitor's, a financial organisation or a doctor's, the value of the data goes far beyond its monetary value; there's the exposure, the embarrassment and the compensation that would ensue, along with sanctions from regulators and so on. 

So, I will try my best to educate customers in what is and is not a good idea when considering IT and security. I have a list which isn't exhaustive but certainly covers some of the main issues...

  • If you have an internet connection, NEVER EVER under ANY circumstances connect a cheap Chinese router to your LAN. So if, for example, you have an internet service from BT and they supply you a cheap Huawei router, then never connect that directly to your LAN, just don't. These devices are cheap as chips and have about as much security as a paper bag. They are easily compromised, have absolutely no outbound security and their firewall is laughable, but then they aren't supposed to be connected directly to your LAN; in most cases they are 'residential' quality, and as a business you're expected to understand the risks and mitigate them by either replacing them with a competent router or simply connecting them to a separate security appliance. But trust me on this, just don't connect it to the LAN, ever. 
  • Local services, and more specifically if you have a local (in your business) web server or email server, then under no circumstances allow it to be connected to the internet directly. This is bad on so many levels, many of which are quite technical, but the key point here is that *IF* you allow it to be connected directly to the internet, then you have of course got to allow the internet into your network, as communication is a two-way process. This is the very attack vector (method of the data breach) that was used in the incident that prompted this article. The client's 'IT' supplier set up Microsoft Exchange on a server and then opened ports on the cheap router which was directly connected to the LAN. The server was quickly compromised, and whilst it was used to originate spam, the hackers also vectored out from there to the company's NAS and downloaded the entire thing. How? Well, because the administrative account on the Exchange server was the same account/password as the admin account on the NAS - seriously.
  • Never rely on free or bundled antivirus, and never on 'Windows Defender'; they DO NOT STOP ANYTHING. A good antivirus solution will protect your network and its endpoints to a degree, but it can never be 100% no matter how much you spend. Our AV solution comes out at £2 per month per machine and includes support should you experience a virus event and require it, which is also an important provision. But be aware that an antivirus solution will not protect you from poorly designed, poorly implemented network security. 
  • Never rely on the poorly implemented and weak VPN services built into cheap routers, just don't. PPTP is so weak it should be considered unusable. There are far better solutions for VPN, and having a dedicated VPN appliance, or having it combined with your security appliance, is the best option. Better still is to use a secure access service such as SAS or Juniper SA etc. 
  • Never install applications such as TeamViewer, Radmin, VNC etc.; these applications will create tunnels through your weak firewall to the internet which are persistent (always there), and these can easily lead to additional attack vectors, especially when combined with social engineering techniques. A good firewall will not even let these programs run and will block them by default. If you do need remote access then use a secure VPN method as above. 
  • Wireless, when set up correctly, can be very useful, but when set up poorly presents a significant risk to the business. This is of course because Wi-Fi isn't just in your office, it's outside in the street, next door and on other floors, and cheaper Wi-Fi equipment has flaws that can be exploited to determine the Wi-Fi password and associate with the access point. Even more effective are social engineering techniques to gain a Wi-Fi password, and of course there's always Microsoft's Wi-Fi Sense password sharing endeavour which we talked about before. So stick with high-end Wi-Fi access points, have centralised management and oversight, use WPA2 with TKIP or AES encryption and use MAC-based security as a second level of protection. 
  • Ports or no ports: Almost all businesses have Category 3, 5, 7 or 8 cabling throughout, and these terminate at the wall with RJ45 jacks, and that's great because this is where you plug your computers and phones in, but managing the availability and security of these jack points is a critical concern. Consider this scenario: a business has Cat5 throughout the offices, including reception, canteen, locker room etc. A person pretending to be a potential customer enters the premises and, whilst no one is paying attention, plugs a small device no bigger than a thumb drive into a vacant Cat5 port, then leaves. You might think that'll never happen, but I can tell you that in the IS audits we do for our clients it HAS happened and will continue to happen. The device that is connected is a small battery-powered Wi-Fi access point that doesn't broadcast its SSID (network name). With this the 'visitor' can, from the car park, find a local IP address and then initiate a network scan for services such as email, files and so on. With a little effort and some automated software a selection of attacks can be performed and, if successful, systems and data compromised. The nice person who perpetrated this crime will then upload some software which opens a connection through your firewall to a remote server and waits for instructions. Everything from here onwards can be done from anywhere in the world and there is very little anyone can do to track this down. This is becoming an effective attack vector and awareness is the key. Don't have any ports live that don't need to be, have managed switches, allow lists by MAC and some form of intrusion detection, either in the security appliance or separate. 
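An added example of the 'allow lists by MAC' check for the spare-port scenario, not GEN's own audit tooling: it compares what a managed switch currently sees on each port with an inventory of expected devices and ports that should be shut. The switch dump layout, the inventory and every MAC are constructed placeholders.

```python
# Constructed allow list: switch port -> MAC expected on it; None means the
# port is a vacant wall jack that should be administratively shut.
ALLOW = {
    "Gi1/0/1": "00:11:22:33:44:01",  # reception PC (placeholder MAC)
    "Gi1/0/2": "00:11:22:33:44:02",  # reception phone (placeholder MAC)
    "Gi1/0/3": None,                 # canteen jack, unused
    "Gi1/0/4": None,                 # locker room jack, unused
}

# Constructed dump of what the switch currently sees, one "MAC VLAN PORT"
# entry per line (a simplified layout, not any vendor's exact output).
SWITCH_TABLE = """\
00:11:22:33:44:01  10  Gi1/0/1
00:11:22:33:44:02  10  Gi1/0/2
02:AB:CD:EF:00:01  10  Gi1/0/3
00:11:22:33:44:99  10  Gi1/0/7
"""


def parse_table(text):
    """Return {port: [mac, ...]} from the dump, normalising MACs to lower case."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        mac, _vlan, port = fields
        seen.setdefault(port, []).append(mac.lower())
    return seen


def locally_administered(mac):
    """Bit 1 of the first octet set means the address was not burned in by a
    manufacturer; common on virtual interfaces and randomised adapters."""
    return bool(int(mac[:2], 16) & 0x02)


def audit(seen, allow):
    """Compare the live table with the allow list; returns (port, mac, reason)
    for every device that should not be where it is."""
    findings = []
    for port, macs in seen.items():
        for mac in macs:
            if port not in allow:
                reason = "port not in inventory"
            elif allow[port] is None:
                reason = "device on a port that should be disabled"
            elif mac != allow[port].lower():
                reason = "MAC differs from allow list"
            else:
                continue
            if locally_administered(mac):
                reason += " (locally administered MAC)"
            findings.append((port, mac, reason))
    return findings


if __name__ == "__main__":
    for port, mac, reason in audit(parse_table(SWITCH_TABLE), ALLOW):
        print(f"{port}: {mac} -> {reason}")
```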

The bottom line here is that any IT infrastructure should not in any way directly connect the public internet to your local network and likewise your local network should never directly connect to the public internet. This one is simple.

More challenging is making staff aware of vulnerabilities in your infrastructure and how to detect and deal with them. We've touched on social engineering above, but this is becoming more and more common, and whereas you might be very good at spotting spam or phishing emails, suspect phone calls from 'IT support', or are aware of the possibility of rogue devices and subversion, is everyone in your organisation? In this modern world they need to be, through both training and auditing. No matter how secure your network is, with its expensive firewalls and security appliances, it only takes one member of staff to bring the whole thing crashing down. Staff are and will always be the biggest risk to any organisation, but trust me on the crappy router. 


Copyright

© (c) 2016 GEN
