Toyota's Touch 2 & Go Review


The Touch 2 & Go head units fitted to new Toyota vehicles promise a great deal. "The TOYOTA TOUCH® 2 multimedia system gives you a world of information and entertainment every time you get behind the wheel. And it’s all displayed in high-resolution colour-rich graphics on a simple touch screen." says the Toyota website, and yet when you actually use it for a week or so you start to feel a little let down. Again from the Toyota website, "All smart. All simple. All for you." seems like a good place to start, and for completeness we'll break this down into the main features.

Multimedia

Toyota claims "To enjoy the journey even more, you can connect your iPod or MP3 remotely to the Toyota Touch® 2 multimedia system via Bluetooth® or USB and enjoy your favourite playlist in high quality audio with album, artist and track information displayed" but in reality that's not going to happen. Connecting via Bluetooth provides audio, but intermittent album, artist and track information, and no ability to select or browse tracks. Connecting via USB does provide this, but then you've got to leave the USB connected to your phone, which you rightly want to reside in the Qi charger instead. The other significant issue with USB is that you cannot browse folders on the device; instead all the media, regardless of folder, is shown. This means you can't, like me, order your music into folders on your USB stick and play media from a folder. DAB is ok but with only 6 presets it's kinda awkward to operate if you have more than 6 favourite stations. It has a CD player but as I've not owned a CD for the last decade I can't test that. There's no sign of Apple CarPlay or Android Auto, and 'Mirrorlink' is only compatible with phones from the last decade so practically useless today. There is no support for any form of video to be played from USB storage so don't waste time trying.

The audio quality is very subjective. With its 6 speakers, all mid range and no subwoofer, it does a reasonable job at low to moderate volume levels with even sound coverage. Turn it up too far and you start to lose what clarity it had, but for the price point and in the lower end of the market it's not bad at all.

Phone

The phone integration is ok and the hands free is very workable but there are a few obvious issues when using this. It's not clear or intuitive how to get from the "last called" list to the phone book or back again; it's doable but needs touch work that shouldn't be required whilst driving.

When looking at the last called, dialled and missed lists there is no way to navigate without using the touchscreen (unlike every other vehicle where you can do it from the controls on the steering wheel). This means that again you're distracted whilst trying to hit the right number, which is actually quite hard to do whilst driving.

Whilst you've got the "last called" list up, you can no longer see the signal strength, which to my mind seems ridiculous when the main use of the 'last called' screen is to recall after getting cut off due to the miserable cell coverage in this county. To add insult to injury, once your call has been cut off and you reach to press the screen to redial, a pop up rolls down from the top of the screen, obscuring the last called number, to tell you what media you're listening to just in case you had forgotten! What possible use is that and how did that ever get past QA?

There is also a significant delay between getting into the car, starting it and driving, and the phone becoming available. It's as if the unit has to sync the entire phonebook from scratch on every start up, which for me with a sizeable phonebook seems to take forever. There is no search facility so you have to use the A-C, D-F and so on, which is a nightmare when you've got a lot of contacts. The handling of contacts (from an iPhone) is also unusable where your contacts are for companies. An example would be company Fred Bloggs Inc having two contacts: in this case you can find Fred Bloggs Inc but you have no idea which contact it's going to call, meaning you need to pick up your phone and use its contacts to make the call, which defeats the whole purpose really. Since the majority of my contacts are businesses and I'm forced to dial from my phone, I looked for a way to stop it syncing but found none.

Navigation

Toyota claims "Toyota Touch® 2 with Go features enhanced satellite navigation with clear visuals showing signposts, junctions and lanes with real-time traffic updates alerting you to congestion on your route and suggesting detours" and it does do some of that but for the first 2000 miles I've yet to see anything 'enhanced' about it. It does seem to detect traffic alerts but it simply tells you "Traffic Jam Ahead" and then directs you into the back of it without suggesting any detours. Maybe it will in the future, but so far that's a zero. 

The voice navigation also leaves a lot to be desired with 'Turn Half Right' being its favourite phrase of the moment. What exactly is a half right? I have no idea and I'm sure you don't either, so looking at the Navigation screen, which is only on the centre console touchscreen and not replicated to either the dash (except for an arrow) or the heads-up display, is a prerequisite of using this system. It does sometimes show junctions and lanes, but don't rely on it as it gets this wrong from time to time and you're back to looking at the map to figure it out for yourself.

The navigation data is significantly out of date, even when updated to the 'spring 2017' data, there are still roads just in my locality that are incorrect and that's unfortunate. Whilst sitting in traffic on a road that doesn't exist in Toyota land, I loaded TomTom GO on my phone and of course the road was found. I wonder why TomTom can get their maps up to date, but Toyota can't? 

There is a definite delay in processing current vehicle position, especially noticeable on roundabouts where the 'screen' and your actual position can be a junction or two out, meaning you're going to come off at the wrong junction. This is annoying, especially when it gets the exit number wrong, which it does periodically. Most modern Navigation systems use GPS and wheel turns to calculate position but the laggy behaviour of this system would suggest it's only using GPS.

The route planning is fairly poor with only major roads factored into any route. We planned a series of routes and whilst it gives you the Fast, Short and Ecological routes they are invariably all the same. If you take a route which you drive regularly and get it to plan it, then it will only use main roads. If you plan a route between two villages then it will plan the route ok but if you plan a route city to city then you only get main roads and the short route simply doesn't work. 

A most notable absence from the Navigation system in our EV is any way to navigate to your nearest charging point, something that I believe every other EV we've tested has as standard. 

Another 'feature' that I was eager to test was the Speed Camera Alerts which are built into the system. The Toyota Website Claims

"Cyclops is a driver safety app that gives you professionally-verified fixed speed camera alerts combined with real-time updates for mobile cameras from the Cyclops community. Cyclops delivers the most accurate and reliable safety camera databases and smart software - you can enjoy these benefits by using our Cyclops App – specially designed to alert you to currently active mobile camera sites. And all other fixed camera types are automatically updated too! Cyclopse has comprehensive coverage of over 90,000 sites across 48 countries and automatic updates ensure that you always have the most accurate information possible."

Which sounds great, but actually finding any information is like pulling teeth out of a Donkey. There's nothing on the Toyota website and a web search eventually renders this Wikipedia link and possibly this company website which might be the company in question. Regardless, in my daily drive the data seems to be outdated & inaccurate and whilst it gets the majority of long term fixed cameras it's notably silent as I passed two mobile vans. There's an inference that it's updated somehow online but there's certainly no feedback on the screen to show that. I'm not sure quite how much of my £199 goes to cyclops because the Toyota website doesn't say, but as GARMIN seems to include it for free I suspect it's not a lot.

Coyote on the other hand is an App that you have to pay £87 a year for, and promises "With Coyote, always be warned safely directly on your embedded screen. You will receive the relevant alert at the relevant moment, to adapt your driving style to road hazards reported by the Coyote community, in real-time." and this does indeed pop up for the majority of fixed speed cameras, but so far not a single mobile one. There is no further information on the Toyota website (any of them) so you're back to searching the web. A best guess would be this company which seems to have versions in every language except English. The Coyote app is also infuriating because it pops up OVER the navigation screen, meaning that you can no longer see the map, and in cities these days with speed cameras every 5 meters this means the navigation is impossible to use and you're left with yet another distraction that you have to deal with instead of watching the road.

One point to note is that if you have the coyote app loaded it seems to kill off the cyclops camera warnings, which would indicate that Toyota believe Coyote is 'better', but again there's nothing on the website to explain the benefits/drawbacks of these two systems so once again it's left to the end user to guess.

"To keep you connected and in control wherever you are, you can send your chosen route to your mobile or device." is a claim on their website, and indeed you can send a route to the car from their website. What they don't tell you is that their website is poor and allows just simple from and to input without any navigation functionality. The best way forward I've found here is to go to maps.google.com, plan the route then copy/paste the destination into their website in order to send to the car. It doesn't recognise things like HOME or any of your other favourites so you have to enter the full address in to both and it's not country aware so always specify the country along with the address. 

Apps

Now for the section that I'm sure everyone has been waiting for.. The Toyota Website (as of today) says

"In today’s world of connectivity Toyota Touch® 2 (Go and Go Plus navigation systems) won’t disappoint. With our Toyota online services and applications your car can be a hub like your computer. With the ability to download great apps such as AUPEO! which gives you the chance to personalise your in-car music experience, it learns your music taste and suggests tracks by theme, genre, artist or even mood. And Coyote, the community-based speed camera awareness app, with 3 million drivers already helping one another against every road hazard. The integration of Google Street View™ and Panoramio™ provide imagery of your current location, or a location of your choice, allowing you to start navigating directly from the image, so you’ll never be lost."

So let's break this down. Firstly Google Street view is there, and it sort of works although you can't move around it like you can on google maps, but at least it's there. There is no sign of "Panoramio" and AUPEO went out of business at the end of 2016, but who cares, "With our Toyota online services and applications your car can be a hub like your computer" so let's get on line and start downloading those apps!

Arriving at the toyota.co.uk website, registering, adding your vehicle and steaming over to the e-store, you're invited to "Discover exciting new apps, update your navigation apps, and download the latest software for your Toyota's multimedia system" and it's at this point that your expectations are quite literally crushed into dust.

 

There are no apps, well no useful apps anyway. If you take away Coyote which we've already talked about above, and eStore isn't an app anyway, then you're left with 'Glass of water' which to my mind does absolutely nothing useful, and Park&Go which likewise has no real world use. This is what Toyota believes to constitute their "great range of apps". There is a 'weather' app that's pre-installed but seriously, a weather app? Just look out of the WINDOW!

There were also some other pre-installed apps which are not on the 'e-store', such as Twitter that simply doesn't work and says "Unable to connect to the server" immediately no matter what you put into it, AUPEO that went out of business last year, A-ha that sometimes works, a parking app that only works with some car parks, and a fuel prices app which shows pricing from some fuel stations and the distance to them, but fails to do the obvious mpg -> distance calculation.

 

If your dealer has told you that there are 'more exciting apps coming' then you may want to ask them why there have been no new apps since the system was released, and that's now almost two years ago? It's because there are no new apps coming, and no one is developing them. We collectively spent an entire day on the phone trying to find someone in Toyota who knew anything about apps and got nowhere. We tried contacting Harman who make the unit and again got absolutely nowhere. We sent numerous emails, left voicemails and even sacrificed a Toyota pen to the great car manufacturing eternal but so far not even the courtesy of a reply, and this was weeks ago now.

Just take a moment to consider the list of actually useful apps that Toyota could have developed - EV Charging Point Map, AllStar fuel locator, CRM integration (be able to pull salesforce, vtiger, sugar contacts into navigation/phone), Gauges (show data from the CAN bus such as charge, engine, power, RPM, etc), Facebook, Youtube, Vimeo and the list goes on and on.

If you expected to get 3 years of 'connected' services and map updates for FREE, then you don't and it'll cost you another £199 for that privilege although the only thing of use here is the map update. 

Annoyances

Every system has a few annoyances but Touch 2 & Go seems to have more than most and some, maybe most of these should never have made it past Quality Assurance. 

The screen is high gloss and when the sun is shining on it, especially mid morning/afternoon, it's impossible to read it and you end up trying to shade it with your hand, which is probably the reason that other manufacturers have their screens recessed and heavily polarised.

When you get into the car and start it, if you had the music playing loudly when you shut it off then it will start playing again at the same volume, but you have to wait for the touchscreen to boot before you can shut it off again, which can be annoying or embarrassing depending on who you're with.

Coyote - As we've discussed above, this app takes over the entire screen, blocking your view of the navigation map, which is really annoying, and as a bonus it doesn't do anything when passing mobile speed cameras. Coyote rarely seems to work out of the box and you wind up having to end it, then restart it to eventually get it to work. This isn't how it should be.

Internet Connectivity for "Connected Services" comes and goes but there's no indication on the screen at all. When you're in an area with intermittent data then things just stop updating without any indication of such. You would expect an icon to be shown or something to show that connectivity has been lost, but no. The only way I've found so far to verify if 'connected' means connected is by going to the Apps and selecting Weather to see if it can get any data.

The Toyota.co.uk Website

This is by far the worst website I've had the misfortune of using in recent times. The site is slow and its use of Ajax is embarrassingly poor. Even details like the spinning icon whilst it's downloading content aren't clipped properly, and in vehicle details if you want to see "Audio Information" then you have to select something else and then back to Audio Information to get it to update. Pretty much every option you select presents you with a full width picture and the content you're looking for is only visible once you scroll down, and don't even start me on mobile friendliness as the site navigation doesn't even work properly on an iPad. Something simple like the owner's manual, even after you've logged in, still needs the VIN which of course everyone can remember. You can get to the owner's manual from 'my vehicle', then somewhere towards the bottom of the page, but it's hard to find; in fact everything is hard to find and unintuitive.

If you're looking for detailed or technical information then expect to find it spread piecemeal over several websites, one often contradicting the other and all woefully out of date. If you were impressed with their new "gas-injection heat pump powers the air conditioning" and wanted more information then you're out of luck because there isn't any. Toyota.co.uk often links to other websites with vastly different formats and the whole approach seems disparate and messy. Whilst we all understand that Toyota isn't a Premium brand as such, there really isn't any excuse for this and I'm sure it must have an adverse effect on potential and current customers alike. If Toyota would like us to fix this then we'd probably do it for free in exchange for the source code to their head unit so we could fix that too.

You'll also be greeted with the following or similar regularly for unknown reasons, just try again. 

iPhone/Android Apps

Unlike the earlier versions of the system there are no longer any Apps available except the 'MyToyota' app that has no impact on the audio system and requires you to re-enter your password on every use, which just makes you not want to use it.

PHEV Specific complaints

The new Prius PHEV is a fantastic vehicle and fun to drive but there is a complete lack of EV information on the touchscreen. You can see the 'power' flow even though it's slow to update, but things that you'd consider essential for an EV such as KWh charged, KWh used, KWh regenerated, KWh/Mile and so on are completely missing, which is a real disappointment especially as everyone else manages to provide this (even if it's not accurate). Maybe this will come with later software but I doubt it; essentials like this come with the launch or don't come at all generally.

Overall

It's far from the best system we've used, but it's not the worst. If you were wowed by the dealer's promise of over the air apps in a vibrant app ecosystem, fantastic navigation, realtime mobile speed camera alerts and 'Premium Audio' then you're going to be hugely disappointed for sure, but if you were spared all that and just expected a vehicle with navigation and the ability to play music then you're going to be in luck.

This entire article is based solely on our opinion after using the Toyota Touch 2 & Go for a few months in real world situations and it's not meant to be an exhaustive analysis of the system or its features. We may well do a technically biased article in the future. If you have a specific question then please feel free to post it in the comments, or pop in to your local Toyota dealer and ask them. I'd recommend staying away from blog.toyota.co.uk because the comments are heavily moderated and a 'difficult' question is unlikely to even make it to the site let alone be answered. We've posted a few questions and they were all just ignored. There is the [email address hidden on this page] email address but likewise in our experience awkward questions are ignored and simple ones just get passed on to a dealer so your email can be added to their spam lists.

If you found this useful then please take a moment to rate it below. If you have a question then feel free to post it below and we'll reply.

 

  40754 Hits
  20 Comments

Copyright

© (c) 2017 GEN, E&OE.

Recent Comments
Guest — Greg
Is the speed camera warning anything like Road Angel where it goes off all the time even where there have never been speed cameras?...
Tuesday, 22 August 2017 09:04
Technical Support Team
Nope, just the opposite in fact, it seems to 'go off' rarely and even for some fixed speed cameras that have been there for years...
Tuesday, 22 August 2017 09:08
Guest — Jason J
Can you play videos on the screen from a memory stick?
Friday, 08 September 2017 16:26

GoToAssist, problems or end user chaos?


For many years we have been a customer of GoToAssist from Citrix (now LogMeIn) as a reliable method of providing remote support where it's needed with the minimum of effort. The end user client can be downloaded from fastsupport.com on Windows & Mac (no Linux support at present) and a simple 9 digit key connects the client to our support team. Because GoToAssist uses HTTP channels for the connection, it can operate through most firewalls and proxies without special considerations, which puts it ahead of other point to point remote control tools. You can even remotely support users and servers from an iPad with a well implemented app. You can get a 30 day trial on the GoToAssist website.

For unattended machines such as servers or regular clients you can set up 'Unattended Support', which will allow you to remotely connect to a machine without the client having to do anything. Over the last few months we've intermittently noticed machines on our 'unattended' list that we don't recognise, but as there are several people who use it regularly I had reasonably assumed it was one of my colleagues.

Today I noticed three new Unattended hosts.

I took the time to ask around who had created these and to my surprise no one had any idea. Clicking on one of them established a remote session with a machine at a site that we knew nothing about and didn't set up. Moments later the workstation was unlocked and we were given desktop access. We immediately terminated this connection and contacted GoToAssist for support. Despite their support line dropping our calls and their community forum preventing us from posting, they did get back to us quickly and conducted an investigation.

LogMeIn, who took over GoToAssist, identified that some of the workstations we were seeing on our account were in fact linked to our account, and they went a step further to identify that the unique code used to identify each account was in fact ours. Further research identified that our copy of the GoToAssist unattended installer had been downloaded from our support site and that same copy had been installed on this client's machine.

Using this installer will silently set up unattended support on the client's machine and link that back to our account. Whilst this download is rarely used by us, and only in circumstances where a browser is unable to work correctly such as old Windows 2003 servers with IE6 etc, the file had been downloaded 266 times. So let's consider the risks here.

Firstly, having an unattended installer, which installs silently and without any user interaction is a good thing, it means we can in a worst case scenario use SMB to push the file onto a server and then persuade that file to be executed under the system or administrator context using the task scheduler, registry or by replacing a windows file and forcing a reboot. We can also distribute and auto-install unattended support on a corporate network by using a logon script to pull it from a server and execute it as part of the logon process and again the user doesn't get a choice. The unattended support installer does create a start menu item, but there's no 'uninstall' in there just the program so clients who have the control panel restricted can't subsequently uninstall it without permission. 

So how did we get machines on our account from the other side of the world? Well that's simple, they downloaded the GoToAssist client from our website and installed it. Even more bizarre is that they then proceeded to enter their login credentials into the unattended client using the notification icon. Hold that thought and instead let's consider that someone less honest was to seed the internet with their installer and instead of "The GoToAssist client for receiving remote support from us" they linked it from something like "Get GoToAssist remote for FREE" or "30 day free trial of GoToAssist", then those users would be opening their PC up to whoever without realising it and that might not end well. The unattended client does have a notification icon on Windows (nothing on Mac), but using the registry, PowerShell or some VBScript that can be hidden as part of the install, making it invisible to the end user.

But taking a step back for one moment, the technical scope for abuse is about the same for GoToAssist as it is for any other remote control solution with the difference being that GoToAssist can pull the plug on any account they suspect is involved in abuse whereas some of the other products that are point to point don't have that safeguard. If you really want to stop GoToAssist, Teamviewer, RAdmin, VNC, and the rest then specifically block them at your firewall and the risk is gone. If you want to monitor their use then your firewall or proxy logs are your friend. 
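One way to do the log monitoring described above, as an added example that is not part of the original post: a POSIX shell function that tallies, per client, requests to remote-control tools in a Squid-style proxy log. Apart from fastsupport.com, the watchlist domains, the default ports and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): tally remote-control tool
# traffic per client from a Squid-style proxy access log.

# domain-suffix=tool pairs. fastsupport.com is named on the page; the other
# entries are assumptions to adapt to the tools you care about.
WATCH_DOMAINS='fastsupport.com=GoToAssist gotoassist.com=GoToAssist teamviewer.com=TeamViewer'
# port=tool pairs for direct connections (assumed vendor default ports).
WATCH_PORTS='5900=VNC 4899=Radmin 5938=TeamViewer'

# Constructed sample lines in Squid native layout:
# time elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG='1503392640.101 512 10.1.1.21 TCP_TUNNEL/200 4312 CONNECT www.fastsupport.com:443 - HIER_DIRECT/203.0.113.10 -
1503392655.220 88 10.1.1.21 TCP_MISS/200 9120 GET http://www.fastsupport.com/download - HIER_DIRECT/203.0.113.10 text/html
1503392700.004 301 10.1.1.34 TCP_TUNNEL/200 2210 CONNECT www.teamviewer.com:443 - HIER_DIRECT/203.0.113.20 -
1503392710.950 45 10.1.1.40 TCP_MISS/200 1400 GET http://notfastsupport.com/ - HIER_DIRECT/203.0.113.30 text/html
1503392800.333 20 10.1.1.52 TCP_TUNNEL/200 870 CONNECT 198.51.100.7:5900 - HIER_DIRECT/198.51.100.7 -'

# Reads log lines on stdin, prints "client<TAB>tool<TAB>hits", sorted.
remote_tool_hits() {
  awk -v domains="$WATCH_DOMAINS" -v ports="$WATCH_PORTS" '
    BEGIN {
      nd = split(domains, d, " ")
      for (i = 1; i <= nd; i++) { split(d[i], kv, "="); suffix[i] = kv[1]; dtool[i] = kv[2] }
      np = split(ports, p, " ")
      for (i = 1; i <= np; i++) { split(p[i], kv, "="); ptool[kv[1]] = kv[2] }
    }
    NF < 7 { next }                       # not a complete log line
    {
      client = $3; host = tolower($7); port = ""
      s = index(host, "://"); if (s) host = substr(host, s + 3)     # drop scheme
      s = index(host, "/");   if (s) host = substr(host, 1, s - 1)  # drop path
      if (match(host, /:[0-9]+$/)) {                                # split host:port
        port = substr(host, RSTART + 1); host = substr(host, 1, RSTART - 1)
      }
      tool = ""
      for (i = 1; i <= nd && tool == ""; i++) {
        sfx = suffix[i]
        # exact match, or a match on a dot boundary so that
        # "notfastsupport.com" is not mistaken for "fastsupport.com"
        if (host == sfx) tool = dtool[i]
        else if (length(host) > length(sfx) && substr(host, length(host) - length(sfx)) == "." sfx) tool = dtool[i]
      }
      # fall back to the destination port when no domain matched
      if (tool == "" && (port in ptool)) tool = ptool[port]
      if (tool != "") hits[client "\t" tool]++
    }
    END { for (k in hits) print k "\t" hits[k] }
  ' | sort
}

# Demo on the constructed sample; on a real proxy, feed it the access log instead.
printf '%s\n' "$SAMPLE_LOG" | remote_tool_hits
```

Because GoToAssist rides on HTTP channels, it only shows up through the domain match; the port match catches tools that connect directly.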

Summary

This has been a voyage of discovery for us with end users again doing the unexpected and causing chaos and confusion. We've pulled the downloads from our support site now and will look at a more selective method of file distribution going forward. If I were to make a product enhancement suggestion to LogMeIn then it would be to add the IP Address, the method of install and whether credentials were stored to the unattended machines window. Having the IP Address would let us track down poorly named or unknown clients quickly and knowing that it was installed within a GoToAssist session or via a downloaded installer would further clarify the situation. Knowing if credentials were stored would save time in having to establish a connection, find they are not then disconnect, lookup the credentials and reconnect. These are only suggestions and not complaints. 

 

  7760 Hits
  0 Comments

Synology Auto-Update


We've been actively promoting Synology Rackstations for many years now and they do provide exceptional performance for our customers, but they also come with a few gotchas that you need to be aware of when running them. If you have managed storage or any of our support or outsourcing services then we'll take care of these units for you, but if not then please read on.

Auto-Update is an important part of any strategy and of course Synology provides the same functionality which can be found in Control Panel / Update & Restore / Update Settings

Here we have updates to be applied automatically at 3am when available. This will mean your system will always be up to date with the latest patches and fixes. 

A second level of protection comes from the package centre auto-updates which can be enabled in Package Centre / Settings / Auto Update and will look something like...

But you can never leave your Synology servers to just update themselves without intervention, as we've discovered today when we found that all our customers who have managed storage were showing package updates available (via CMS) but they weren't auto-updating. We investigated this further and found that Synology have made a change that seemingly affects everyone ...

When opening the package centre from DSM on the server you find this dialogue 

and of course all the updates have stopped auto-updating because of this.

Now we have 300+ Synology Servers on management and so far today we've only managed to do a fraction of that, but over the next few days we'll log in to each of the boxes, tick the box and then let auto-update do its thing. If you are using a Synology NAS then double check this now and make sure you've got it ticked, then apply any outstanding updates.

 

 

  6563 Hits
  0 Comments

Firewalld on Redhat/CentOS 7 and later

CentOS 7 brings with it a new dynamic firewall interface daemon (firewalld) which allows for a fairly easy configuration of your firewall without having to learn iptables. The firewalld daemon provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. In reality firewall-cmd is just a front end for iptables and will indeed create and maintain the iptables rules required in your configuration. In a normal configuration you would expect to have a local and remote interface, the local being the LAN and the remote either being behind a firewall or NAT'ed. The rules for each would of course be different and so you can create 'zones' with firewall-cmd for Internal and Public (or whatever you want to call them).

If you're using a graphical interface then you can use the firewall-config tool, but for the rest of us that live in the shell, the command line interface is fairly easy to use.

Let's assume you have two interfaces as

eno16777984 = LAN with a private address such as 10.1.1.10

eno33557248 = Public with a public IP such as 8.4.2.1

Now the magic with firewall-cmd is that once you've defined the zones (Internal and Public or whatever you want to call them)

firewall-cmd --permanent --new-zone=Internal
firewall-cmd --permanent --new-zone=Public

You can then assign some services to those with 

firewall-cmd --permanent --zone=Internal --add-service=ssh

and that's assuming you're SSH'ing into the box, as you don't want to be locked out. So now let's assign the interfaces to the zones.

firewall-cmd --permanent --zone=Internal --add-interface=eno16777984
firewall-cmd --permanent --zone=Public --add-interface=eno33557248

and finally a restart of the firewall with 

systemctl restart firewalld

Now you can go ahead and add more services (with --add-service=) or ports (with --add-port=) and set up the rules for your interfaces. If you're curious as to how this is configuring iptables then just issue iptables -L to see the rules. You'll find for each zone you've got an IN and OUT, Permit and Deny and your rules are allocated to the correct tables.

One big tech tip here: for some reason, especially when you're changing interfaces, IPs and whathaveyou, firewalld can sometimes move interfaces between zones. It's rare, but not realising can be bad news, especially if it moves the dirty interface into the Internal zone. To ensure you're always aware of what zones are on what interfaces, locate your .bashrc file (in your home directory - the one you land in when you log in) and add a line on the end

firewall-cmd --get-active-zones

You'll get output similar to 

Internal
interfaces: eno16777984
Public
interfaces: eno33557248

every time you log in, so you're always aware if an interface has vanished.
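The .bashrc line above relies on you reading the output at every login. As an added example (not part of the original post), the following POSIX shell function compares that output against the assignment you intended and reports only the differences; the `zone_drift` name, the `EXPECTED` mapping format and the sample outputs are constructed here, using the interface and zone names from this page.

```shell
#!/bin/sh
# Added example (not from the original post): compare the live zone
# assignment against the one you intended and report any difference.

# interface=zone pairs, using the interface and zone names from this page.
EXPECTED='eno16777984=Internal eno33557248=Public'

# Constructed samples of `firewall-cmd --get-active-zones` output.
SAMPLE_OK='Internal
  interfaces: eno16777984
Public
  interfaces: eno33557248'
SAMPLE_MOVED='Internal
  interfaces: eno16777984 eno33557248'
SAMPLE_GONE='Internal
  interfaces: eno16777984'

# Reads --get-active-zones output on stdin; $1 is the expected mapping.
# Prints one line per problem and returns non-zero if there is any.
zone_drift() {
  awk -v expected="$1" '
    BEGIN {
      n = split(expected, pairs, " ")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); ifname[i] = kv[1]; want[kv[1]] = kv[2] }
    }
    $1 == "interfaces:" { for (i = 2; i <= NF; i++) actual[$i] = zone; next }
    $1 == "sources:"    { next }           # source bindings are not checked here
    NF                  { zone = $1 }      # any other non-empty line names a zone
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        ifc = ifname[i]
        if (!(ifc in actual)) { print "MISSING " ifc " expected=" want[ifc]; bad = 1 }
        else if (actual[ifc] != want[ifc]) { print "DRIFT " ifc " expected=" want[ifc] " actual=" actual[ifc]; bad = 1 }
      }
      for (ifc in actual)
        if (!(ifc in want)) { print "UNEXPECTED " ifc " actual=" actual[ifc]; bad = 1 }
      exit bad
    }'
}

# Demo on a constructed sample. On a real host, pipe the live output instead:
#   firewall-cmd --get-active-zones | zone_drift "$EXPECTED" || echo "WARNING ..."
printf '%s\n' "$SAMPLE_MOVED" | zone_drift "$EXPECTED" || echo "WARNING: firewalld zone assignment has changed"
```

The same function can run from cron or a monitoring agent, so a moved interface is reported even when nobody logs in.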

The full reference can be found on the RedHat Site and there's ample community resources too. If you get stuck and need some help then feel free to post in the GENSupport Forum and someone will help you out. 

 

  2749 Hits
  0 Comments

USB Flash - Built in failure


With the slow decline in CDs and the long lost days of floppy diskettes, USB portable storage has become commonplace. A memory stick, thumb drive or pen drive are common terms for the same thing, a USB mass storage device based on FLASH, and yet many people don't know that the whole technology behind FLASH storage has a very limited lifespan - this leads me on to the relatively high volume of data recovery requests we have for USB storage coming through the channel.

Flash memory is generally of two types, NAND and NOR. Both technologies allow permanent storage of data without needing a power supply. NAND requires data to be read and written in blocks called 'pages' and is by far the most common FLASH memory in use today.

FLASH memory, like all memory, stores data in 0's and 1's in a vast array of cells, but the method by which the data is permanently written involves pushing a charge (electrons) through an insulated layer. Once through the insulator it's stuck there and will remain until it's pulled back through the insulator, therefore changing the state.

However, this 'pushing' and 'pulling' through the insulator, known as tunnelling, slowly breaks down the insulator until it fails. When an insulator fails this only affects the cell, but of course just one bit that won't switch will adversely affect the data when read back. Furthermore, certain areas of the flash drive are read and written much more than other areas and these are the master directory and the file allocation tables, both of which are changed when data is read (changing last access time) and written (changing last updated time and changing allocation of storage in the file allocation table). This means that in many instances the part of the flash drive that fails first is the most important part - the part that tells us what files are stored on the drive and where they are stored.

Cheap vs Expensive

When it comes to Flash Drives, there is a real physical difference between the budget end of the market and the professional end because NAND/NOR Flash comes in many different flavours depending on its performance and expected lifespan. Often the cheapest FLASH ICs are designed for storing firmware in embedded devices where write performance is a non-issue and the expected number of writes is very limited, maybe 10 writes in its entire lifetime, whereas the most expensive FLASH is designed specifically for high speed and many write cycles, and this is the correct hardware for USB Flash Drives. If you can buy a 128GB Flash drive from SANDISK for £30 and an unbranded one for £5 then the lifespan and performance of your SANDISK drive will be many many times better than the unbranded one.

I guess I should also point out that some cheap unbranded USB Flash drives (or knock-off branded ones) are engineered to falsely report their capacity. This is done by creating a partition on the drive with false data, so the computer you connect it to thinks it's larger than it is, and the only way to be sure is to try and fill it up or to perform a low level reformat. This sort of storage fraud is often seen on sites like eBay promising 1TB of flash for $10, which is nonsense.

Recovering data from failed Flash drives isn't that hard, but it does bring with it some challenges because the data will have errors in it where specific cells are stuck or indeed entire pages are stuck and non-responsive, and it's not always possible to identify these areas during the scan; they often read as ok but with incorrect data, or they read as all 0's. After re-assembling the filesystem as best we can, it's over to the client to work through the recovered data and validate it.

The bottom line here is never ever rely on a USB Flash drive for data storage; it's not safe and certainly not guaranteed, and it will fail at some point. Stick with brand names and stay away from the budget end of the market.


Synology CloudStation in the Corporate Environment


If you've invested the time and money into Synology RackStations then you're probably going to want to take advantage of some pretty cool embedded features. One such feature is CloudStation and its associated CloudStation Sync and CloudStation Backup, which collectively allow for realtime'ish local file synchronisation with a server which provides up to date files for remote users, a multiversioned backup for desktops and laptops and realtime sync between servers across sites. There is however one serious flaw in the plan that you need to be aware of before you go and roll this out across the business, and that's SSL.

When you set up your RackStation(s) you probably set up SSL and would have used the built-in 'LetsEncrypt' support, which promises a valid certificate every 90 days, or you would have installed a paid certificate which renews annually in most cases. Having set up your SSL certificate you would of course want your clients to use SSL when connecting to the server so the transfer is a little more secure, but here's where it all goes down the tubes: if you did make the mistake of selecting SSL when you set up the clients then every 90 days (or annually) all the clients are going to silently stop working and no one is going to notice for a while.

If a user actually opened CloudStation Backup to restore a file then they will be met with

And should they click on Version Explorer they get the equally helpful...

In fact there is no way out of this without going into Settings then Connection and re-entering the User/Password and Applying, and in a corporate environment the end user may well not be privy to the Synology User/Password, but even if they were it's now too late because CloudStation Backup hasn't been backing up since the last certificate renewal. The ONLY way around this is to turn off SSL or you'll be back here again before you know it. It's a real shame that you cannot use SSL as it's a nice feature, but in a corporate environment it's not essential unless you're allowing remote sync.

I have no doubt that Synology will resolve this in due course, but until then keep SSL off to save a bunch of time and effort.


eMail Security and Retention


I was asked a few days ago by one of the Partners if we could retrieve an email from a year or more ago and of course the answer was no, but that left me thinking about the question itself and the wider implications. I think it's pretty much understood that if you choose to host your email at Microsoft, Google, BT, and so on then your every email is going to be archived away somewhere for all time and will no doubt be available for anyone with sufficient clearance to review, trawl, analyse and so on, but that's fine as long as you know it's happening. At GEN we offer a secure service which by its very nature is not archived anywhere unless that functionality is specifically ordered by the customer, and that's rarely the case, but we do take backups so I think it's important to define exactly what we do, and what we don't do here.

Your email is stored in an encrypted format on the physical server media and the key to decrypt this format is different for each mailbox. 

There is a snapshot of the entire server cluster taken hourly on a 96 hour rotation. That is, the oldest snapshot we have is 96 hours. These snapshots are taken as part of our disaster recovery process meaning that even if an entire datacentre was destroyed then your email service would resume shortly afterwards at a backup site which is always in place. 

Your mailbox is protected to some degree from brute force attacks by a system which actively monitors such behaviour and blocks attack routes in real time. 

Server free space is defragmented daily as an overnight process. 

Logging of email traffic including date/time, sender, recipient, size but not its contents exists for 7 days on the anti-spam and anti-virus gateways and for 3 days on the mail servers themselves. We use these logs to satisfy all those tickets that people raise complaining that their email isn't reaching someone or that someone trying to send them an email isn't getting through and so on. 

So, unless you specifically ordered email retention, when you delete an email it's gone from the email server immediately, from our logs 7 days after receipt and from our snapshots within 96 hours.

Keeping your email secure...

If you consider that when you send an email from A to B then the following are involved: 

  • Your PC, which has to store the message to be able to send it
  • Our server, which receives the email from you, stores it in your Sent Items (Encrypted) and then sends it on to the recipient's server
  • The recipient's server, which receives the email from us and stores it on disk, maybe in the clear, and then stores it in the recipient's mailbox
  • The recipient's PC, which retrieves the email and stores it on disk, maybe in the clear

So there are many points of compromise here and some of the most vulnerable are on the sender's and recipient's PCs. To completely remove this risk use only webmail or an email client that stores your email with strong encryption.

We've already covered our servers, but the recipient's server(s) are a real risk too. If the recipient is using a server which does retain everything, and you wouldn't know without checking, then your email is once again going to be stored for all time.

Any way around this?

To keep your email as secure as reasonably possible between sender and recipient:

  • Both should be on the same server, which negates the risk of a second server with unknown retention and security and also negates the risk of a man-in-the-middle attack by anyone compromising your DNS.
  • S/MIME or GPG should be used to provide a second layer of encryption to further protect the email's contents, and in the case of S/MIME this will also provide validity guarantees.
  • Webmail only should be used, as this will not store a copy of the email on local devices.
  • A secure access service such as GEN SAS can be used to ensure an encrypted tunnel into the GEN Infrastructure and onto the Mail Servers.

But who needs that level of security? Well, anyone who wants their email to be secure and that might be you or you might be happy knowing that everything you have ever sent and received is stored and archived somewhere. 

I hope this has cleared up any confusion around retention of email data. If you have any more questions then raise them at the HelpDesk.

Browser Cache, Transparent Proxies and more


One of the questions that comes up time and time again on the Helpdesk is, what is my cache, where is my cache and what am I supposed to do with it? 

Well, the question itself often arrives on the back of conversations with content providers and developers, often around out of date content, so it's worth taking a few minutes to explain what the cache is, where it is and why it is.

A cache, pronounced "Cash", is masterfully defined as "A hiding place used especially for storing provisions." or "A place for concealment and safekeeping, as of valuables." and that's not too far from the truth. The cache is indeed a place for storing provisions of the digital kind. You see the internet isn't anywhere near as fast as you experience it from a browser on your PC, and this is because the internet is just a collection of many different networks all connected together to provide a 'route' from your PC to the server at the end of a browser request. Let's look at this in more detail now:

When you type a url into your browser, for example http://www.gen.net.uk and press enter or go, the browser uses the operating system of your device to open a connection to www.gen.net.uk on port 80 (port 443 if https://) and request that page. The actual request sent to the remote server looks like this "GET / HTTP/1.1" which means get the page at /, the default or index page, and use HTTP 1.1, which is just a specification. The response from the server will be an HTML page which the browser then displays to you as the client.

Now where does caching fit in here? Well, your browser when it receives the HTML page stores it locally in a cache (which is just a hidden folder on your pc) and with that it stores the date and time the page was retrieved. Now if you close the browser, open it again and again type in http://www.gen.net.uk then this time something magical happens: the browser realises that it's just been to www.gen.net.uk and just received the page at /, so rather than bother requesting it again it just returns the one it stored a few moments ago. Simple and fast, right?

Well, it gets a little more complex than that because the server, when returning the page to the browser, can in fact indicate whether or not the browser should cache it, and if it should then it can specify for how long the browser can cache it. Indeed the page at www.gen.net.uk/ at the time of writing does not give any special instructions to your browser around caching.

So, hopefully that's a little clearer: when you type in a url or follow a link, if your browser's already been there recently then you'll get the cached version rather than the 'live' version unless the site specifically told the browser not to cache. This really becomes visible if you have your own website, and you or your developer has made changes but you just can't see them; it's all in the cache. Clearing the cache is simple enough and can be found in your browser's menus should you require it, and issuing repeated refreshes (CTRL+R windows, CMD+R Apple) will also force the browser to reload the live page generally.

Now as I said before the internet is nowhere near as fast as you experience it, and this is not only due to your browser's magic cache, it's also due to internet service providers (mostly residential) using systems called 'transparent proxies'. This is another cache between you and the sites you browse, and this cache is not optional and in many cases will not yield to servers' requests not to cache. The transparent proxies intercept your requests as you make them, look to see if they have a copy of that page and if so serve it up as if it came from the server itself. Your browser has no idea it's not a live page and neither do you. By using transparent proxy caching, ISPs (Internet Service Providers), especially residential, can significantly reduce the amount of bandwidth they use on their upstream (between them and the server). There are also, in this country at least, significant privacy concerns around transparent proxying because your ISP not only intercepts your requests but can keep a log of them tracked back to your IP Address, and therefore back to you, so it's a bit of a double whammy. There is a third layer of caching known as web accelerators that are sometimes used at the server side to speed up performance by keeping a cache, but this is under the control of the site owners and as such isn't an issue.

How do you defeat this transparent proxying?

Well it's not easy because the ISP has access to all the traffic you send and receive and can easily intercept not only your web requests, but your email too, although if your email is stored at Microsoft (hotmail, office 365 etc), google (gmail, etc), Yahoo, AOL and so on, then it's already compromised many times over and this really isn't going to make any difference. There are however tools that can cut through the proxies by establishing a 'tunnel' between your browser and a server in another country and from there making browser requests, and I am of course talking about VPNs, the most common of which is the Tor Project (https://www.torproject.org/). Having said that, the Tor Project, based in the USA, is probably not going to be filling you with overwhelming confidence in the privacy of your data, but it's the best we've got unless you want to spend some real money, in which case you can establish real VPNs to real secure proxies and have true anonymity online.

I think it's also worth mentioning that browser plugins such as Adblock, Ghostery, Web of Trust to name a few, and of course Microsoft's own 'safe browsing' nonsense, also hijack every URL you visit and pass that url back to central servers somewhere, giving them also a full history of your browser habits, but by themselves they can't tie that data back to you personally. That is, they know that a PC on the internet with a unique ID visits these websites, but without help from your ISP they can't tie that information specifically back to you as a person unless of course you login to your Facebook, Google+, twitter and so on using the same PC, in which case they can now easily tie your browsing habits back to you personally. The only difference is that your ISP has your postal address, and generally people aren't stupid enough to enter that sort of thing into Facebook, Google+ or twitter.

So here concludes this little discussion around caching that has taken a sideways step into privacy and anonymity, but it's all connected of course.


Copyright

© GENADMIN


We could eliminate SPAM tomorrow if...


We are all familiar with SPAM; it's the huge volume of unsolicited crap that we have to wade through each day just to do our jobs, and yet there's no sign of it going away despite us all having the means to end it. So let's look at why we are all being subjected to the spam and then we'll look at why we don't end it when we all have the power to do so.

The reason for SPAM

SPAM has three basic objectives, in order of volume:

  • Firstly, the majority of SPAM is an attempt to infect your workstation, laptop, tablet etc with a virus and/or trojan. By doing this the spammers can (a) scan your system for card numbers, passwords, and of course email addresses from your email client, (b) steal the login credentials for your email account so they can use it to propagate more spam FROM YOU, and (c) leverage it for DoS attacks.
  • Secondly, spam will attempt to impersonate an organisation that you might expect an email from and then trick you into giving up your login, password, account and so on by taking you to a fake website. Whilst you may think most people are wary of this type of spam you would be surprised how many we still get at the helpdesk.
  • Finally, some spam can actually be trying to sell you something, which is rare these days but does still happen.

Current SPAM defences

  • The blacklist: A number of worthy organisations like Spamhaus, SpamCop, etc are dedicated to maintaining lists of domains, hosts and subnets which are used to originate spam. Using these blacklists is an expensive but effective tool to eliminate a good percentage of spam at the first gate. Blacklists however are not realtime, and there is always a delay between a spammer launching a mass mailing and the blacklists listing it. 
  • Authentication: Several technologies exist to verify sender domains and hosts, such as SPF & DKIM, and these can serve (where used by the receiving server) to block spoofed spam, which constitutes the vast majority of scams. For example, HMRC, who are under constant attack from scammers, specify in their SPF records two hosts that are allowed to send email for @hmrc.gov.uk, and of course the spammers cannot originate email from those addresses, so SPF wins the day and any email claiming to come from an @hmrc.gov.uk address that doesn't come from the two hosts listed in the SPF record is canned. This however all falls down when the receiving server doesn't check, the sending organisation doesn't use it, or the sending organisation has been compromised.
  • DNS: The domain name system is that which converts gen.net.uk to 212.140.242.10 and back again, and when you send email to someone @gen.net.uk DNS gives up the address of the mail server that is designated to receive that email, in this case farpoint.gen.net.uk. The RFC1124/1124 which form part of Internet Standard 1 specify clearly that every host on the internet should have forward and reverse DNS, that is gen.net.uk to 212.140.242.10 and 212.140.242.10 to gen.net.uk. So, when a host 'spammer.com' connects from 212.140.242.50 to our mail server, we check (a) that 212.140.242.50 corresponds to 'spammer.com', (b) that 'spammer.com' has a valid MX record and (c) that the host listed in the MX record actually exists on the internet. This is particularly hard for a spammer to forge and therefore this check eliminates a percentage of spam as well as a percentage of legitimate email from companies who don't know how to set up very basic DNS correctly.
  • Content Filtering: By far the most effective tool at eliminating spam which passes all the above tests is pattern matching. This involves looking for and detecting elements in the body of an email and assigning a score to each detection. An example would be an HTML only email which scores 3 points, external links to pictures which score 0.2 points each and so on. The more spammy the email the more points it will accumulate and once a threshold is reached the message is flagged as spam. Content filtering can make use of content lists which are maintained by third parties and provide known phrases and content to score.
  • Bayesian Probability Filtering: A gross simplification of this would be that email which is known to be spam can be 'learned' and that data used to identify 'similar' spam. The area of mathematics is complex and the techniques even more so, but the result is the same in that spam that looks like spam based on learned data can be flagged as such, usually by giving it a score, such as +10.

And with these methods we can and do filter around 80% of your spam, but it's never ever going to be 100% because SPAMmers spend a great deal of their time trying to circumvent these filters, likewise costing us a great deal of money to continually adapt the filters for maximum effect.
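As an added example (not GEN's filter or any product's rule set), the point scoring described under Content Filtering can be shown with just the two rules quoted there. The function names, the sample messages and the threshold of 5 points are assumptions.

```shell
# Added example: point scoring with the two rules quoted in the list above.
# score_message, the constructed sample messages and the threshold of 5 are
# assumptions; real filters carry hundreds of rules and handle folded headers.

# score_message [THRESHOLD]: reads one raw email on stdin and prints
# "<score> SPAM" or "<score> OK".
score_message() {
    awk -v threshold="${1:-5}" '
        { line = tolower($0) }
        line ~ /^content-type:[ \t]*text\/html/  { html = 1 }
        line ~ /^content-type:[ \t]*text\/plain/ { plain = 1 }
        {
            # gsub returns the number of matches, i.e. remote images on this line
            imgs += gsub(/<img[^>]*src="https?:\/\//, "", line)
        }
        END {
            score = 0
            if (html && !plain) score += 3   # HTML only: no plain-text part at all
            score += 0.2 * imgs              # 0.2 per externally hosted picture
            printf "%.1f %s\n", score, (score >= threshold ? "SPAM" : "OK")
        }
    '
}

# Constructed message: HTML-only body with 12 remote images.
sample_spam() (
    printf 'From: promo@example.com\nSubject: Limited offer\n'
    printf 'Content-Type: text/html; charset=utf-8\n\n<html><body>\n'
    i=1
    while [ "$i" -le 12 ]; do
        printf '<img src="http://img.example.com/%d.png">\n' "$i"
        i=$((i + 1))
    done
    printf '</body></html>\n'
)

# Constructed message: multipart/alternative with a plain-text part and 2 images.
sample_ham() {
    cat <<'EOF'
From: colleague@example.net
Subject: Minutes from Tuesday
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Minutes attached, logo and chart are linked in the HTML version.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Minutes attached.</p>
<img src="https://www.example.net/logo.png"><img src="https://www.example.net/chart.png">
</body></html>
--b1--
EOF
}
```

Run it as `sample_spam | score_message 5` or pipe a saved message into `score_message`; the same message that is flagged at a threshold of 5 passes at 6, which is why the threshold is the setting customers argue about.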

BUT, we do have the ability to stop the SPAM completely, 100% total removal of spam, so why don't we? Well, quite simply we cannot because in this day and age everyone's an expert when of course they aren't. Using the current standards and systems we could easily:

  • Eliminate the source of SPAM by authenticating the source of all email both by using DNS and SPF. This would mean that email can only be sent if it originates from an authenticated server, and if all the ISPs got together and set up their systems in this manner (most already do) then spammers would ONLY be able to send spam by compromising users' email credentials. That's going to immediately eliminate 67% of SPAM.
  • Use the tools we all have available to track, trace, and block email origination 'out of zone'. That is, for every email account the email server will ONLY accept email from the sender's company LAN, or their country of residence. This kind of geolocation limiting is already built into all the modern mail systems, but it's rarely used.
  • Use anti-hijack detection to automatically flag accounts that are likely to be compromised by looking for unusual email activity. For example, if a mailbox normally originates 50 emails a day and then suddenly originates 50 emails a minute then we have the systems to automatically block that behaviour until the mailbox owner contacts us.
  • The use of S/MIME certification, which is free for individuals and only a nominal charge for businesses, not only provides transparent encryption of business email, but also provides authenticity to every recipient, so that when you receive an email from fred@bloggs.com, it comes with a 'seal' that confirms the email came from fred at bloggs.com. We've used these for the last decade, but we're pretty much alone in this.
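The anti-hijack check in the list above, as an added example and not GEN's own system: it counts messages per sender per minute in a send log and reports the first minute in which a mailbox goes over a limit. The log layout (timestamp, sender, recipient, size), the sample data and the limit of 20 per minute are assumptions.

```shell
# Added example: flag mailboxes whose outbound rate suddenly jumps.
# Assumed (constructed) log layout, one message per line, oldest first:
#   2017-03-01T17:04:05 sender@domain recipient@domain size-in-bytes
# flag_bursts and sample_log are illustrative names.

# flag_bursts LIMIT: reads the log on stdin and prints, per offending sender,
# "sender first-minute-over-limit messages-in-that-minute".
# Counting is per calendar minute, so a burst split across two minutes has to
# exceed LIMIT in at least one of them to be caught.
flag_bursts() {
    awk -v limit="$1" '
        {
            minute = substr($1, 1, 16)              # e.g. 2017-03-01T17:04
            n = ++count[$2 SUBSEP minute]
            if (n > limit && !($2 in flagged))
                flagged[$2] = minute                # the moment to block the mailbox
            if (($2 in flagged) && flagged[$2] == minute)
                peak[$2] = n
        }
        END { for (s in flagged) print s, flagged[s], peak[s] }
    ' | sort
}

# Constructed sample: alice sends three messages across the day,
# bob's account sends 50 inside a single minute.
sample_log() (
    echo "2017-03-01T09:15:02 alice@example.com supplier@example.org 20480"
    echo "2017-03-01T11:40:37 alice@example.com client@example.net 5120"
    i=0
    while [ "$i" -lt 50 ]; do
        printf '2017-03-01T17:04:%02d bob@example.com rcpt%d@example.org 3072\n' "$i" "$i"
        i=$((i + 1))
    done
    echo "2017-03-01T17:30:11 alice@example.com client@example.net 1024"
)
```

`sample_log | flag_bursts 20` names bob's mailbox and the minute the burst started, while alice's normal traffic produces no output.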

So, it doesn't sound that hard does it? Well it's not, but unfortunately as an ISP with many customers there are always going to be the few who affect the many, as in many business models. No matter how much you promise your customers a spam free life, a minority of customers don't want to hear that fredbloggs inc doesn't meet the standards and/or is blacklisted and therefore cannot send them email; they just insist how important it is that fredbloggs inc can email them. This creates a real problem for ISPs who technically want to kill spam as promised to their customer base but are also aware of the real world cost of dealing with ticket after ticket of 'I can't receive email from xxx' and the time and effort spent identifying that the sender doesn't comply or is blacklisted, then trying to explain that to the customer.

So our approach, which has been adapted over the years is to offer three levels of protection: 

  1. No Filter - All email is accepted regardless. All Spam and Viruses are delivered untouched. 
  2. Basic Filter - Some filtering is done, but spam is still delivered with [SPAM] in the subject line allowing customers to filter that into a spam folder if required. Some antivirus protection is enabled. 
  3. Max Filter - All the above fully enabled and active both Anti-Spam and Anti-Virus. 

And as we expected the vast majority of business and corporate customers opt for the Max Filter, with only a very few opting for other options. The customers who opt for and stay with the Max Filter understand the issues and stand with us on the fight against spam. If a sender winds up blacklisted then they don't tell us, they tell the sender to sort it out. 

So what's the future? Well unfortunately as it stands, with some ISPs favouring an easy life rather than deploying the available protections, with players like Microsoft and Google seemingly doing nothing to limit the spam they collectively originate, and with senders especially in the less advanced countries not able to configure even the very basic standard requirements, we're going to be up to our armpits in spam for a good while to come. But I do feel that things are changing, as we're already seeing customers migrating to us solely for the benefits of our protection systems, and that means we're doing it right.

There are a number of articles on Blacklists, SPF, DKIM on our FAQ as well as the Internet Standard 1 RFCs. They are all technically orientated but available for anyone who's interested.

Copyright

© (c) 2017 GEN Partnership, E&OE

Recent comment in this post
Guest — cjm
Agreed, the lack of technical standards enforcement is the very reason we ALL have to suffer the endless onslaught of spam.
Wednesday, 18 January 2017 17:04

Apple Wi-Fi Assist and Mobile Data Charges

Today at the HelpDesk we were dealing with a corporate customer who was experiencing HIGH mobile data charges and wasn't able to pin down the cause. We had a pretty good idea of the cause and this was confirmed when we took a look at one of the mobile handsets with high usage. In iOS 10 Apple introduced a new 'feature' called Wi-Fi Assist which is supposed to increase mobile data reliability for customers with poor wifi, which is great, but the issue is that even if you make sure you only use traffic intensive apps like YouTube etc when you're on wifi, with Wi-Fi Assist enabled the device can and will use mobile data (without telling you) if your wifi signal becomes weak, and that's ok if you have an unlimited data plan but we all know those don't exist in any form.

Turning it off is easy if you can find it: go into Settings, then Mobile Data (towards the top), then scroll all the way down to the bottom and there it is. In the example below, Wi-Fi Assist had assisted us to use 478K of mobile data whilst we were on wifi. Whilst you're in the screen and have turned off Wi-Fi Assist, it's worth having a look through the apps listed to make sure you've allowed/denied mobile data as needed.


Copyright

© (c) 2016 GEN Partnership, E&OE


Just Don't

I've just returned from a new customer who has experienced a serious data breach and the ensuing blackmail and extortion that follows. We were introduced to this customer by recommendation after they were contacted by an unknown third party asking for money to return their confidential data and of course supplying proof in the form of attachments. The nature of the client's business is such that the confidential data, if in the wrong hands, would present a significant risk to the business, hence our involvement. So, not wanting to name any particular company, the previous 'supplier' of our new client's IT seemingly had no idea about security and probably wouldn't know a risk assessment if it hit them in the face, and that annoys me, not only because we come across this situation on a very regular basis but because there's really no excuse for putting a company's very existence at risk by simply not understanding the sector in which you operate. In any industry there will always be suppliers who know the industry and those who don't, but in IT the actions of one supplier can very literally mean the end of their customer's business, as potentially in the case that prompted this article.

Start with this question: what is your data worth to someone else? If you sell washing machine spares, then it's worth money to your competitors and the pain will be felt gradually as you lose customers for unknown reasons, but if you're a solicitors, a financial organisation, a doctors, the value of the data goes far beyond its monetary value; there's the exposure, the embarrassment and the compensation that would ensue along with sanctions from regulators and so on.

So, I will try my best to educate customers in what is and is not a good idea when considering IT and security. I have a list which isn't exhaustive but certainly covers some of the main issues...

  • If you have an internet connection, NEVER EVER under ANY circumstances connect a cheap Chinese router to your LAN. So if for example you have an internet service from BT and they supply you a cheap Huawei router, then never connect that directly to your LAN, just don't. These devices are cheap as chips and have about as much security as a paper bag. They are easily compromised, have absolutely no outbound security and their firewall is laughable, but they aren't supposed to be connected directly to your lan in most cases they are 'residential' quality and as a business your expected to understand the risks and mitigate them by either replacing them with a competent router or simply connect them to a separate security appliance. But trust me on this, just don't connect it to the lan, ever. 
  • Local services, and more specifically if you have a local (in your business) web server, or email server, then under no circumstances allow it to be connected to the internet directly. This is bad on so many levels, many of which are quite technical, but the key point here is that *IF* you allow it to be connected directly to the internet, then you have of course got to allow the internet into your network as communication is a two way process. This is the very attack vector (method of the data breach) that was used in the incident that prompted this article. The clients 'IT' supplied setup Microsoft exchange on a server and then opened ports on the cheap router which was directly connected to the LAN. The server was quickly compromised and whilst it was used to originate spam the hackers also vectored out from there to the company's NAS and downloaded the entire thing, how? well because the administrative account on the exchange server was the same account/password as the admin account on the NAS - seriously.
  • Never rely on free or bundled antivirus, and never on 'Windows Defender'; they DO NOT STOP ANYTHING. A good antivirus solution will protect your network and its endpoints to a degree, but it can never be 100% no matter how much you spend. Our AV solution comes out at £2 per month per machine and includes support should you experience a virus event and require it, which is also an important provision. But be aware that an antivirus solution will not protect you from poorly designed, poorly implemented network security. 
  • Never rely on the poorly implemented and weak VPN services built into cheap routers, just don't. PPTP is so weak it should be considered unusable. There are far better solutions for VPN, and having a dedicated VPN appliance, or having it combined with your security appliance, is the best option. Better still is to use a secure access service such as SAS or Juniper SA etc. 
  • Never install applications such as TeamViewer, Radmin, VNC etc. These applications will create tunnels through your weak firewall to the internet which are persistent (always there), and these can easily lead to additional attack vectors, especially when combined with social engineering techniques. A good firewall will not even let these programs run and will block them by default. If you do need remote access then use a secure VPN method as above. 
  • Wireless, when set up correctly, can be very useful, but when set up poorly presents a significant risk to the business. This is of course because wifi isn't just in your office; it's outside in the street, next door and on other floors, and cheaper wifi equipment has flaws that can be exploited to determine the wifi password and associate with the access point. Even more effective are social engineering techniques to gain a wifi password, and of course there's always Microsoft's Wifi Sense password sharing endeavour which we talked about before. So stick with high end wifi access points, have centralised management and oversight, use WPA2 with TKIP or AES encryption and use MAC-based security as a second level of protection. 
  • Ports or not Ports: almost all businesses have Category 3, 5, 7 or 8 cabling throughout, and these terminate at the wall with RJ45 jacks. That's great because this is where you plug your computers and phones in, but managing the availability and security of these jack points is a critical concern. Consider this scenario: a business has Cat5 throughout the offices including reception, canteen, locker room etc. A person pretending to be a potential customer enters the premises and, whilst no one is paying attention, plugs a small device no bigger than a thumb drive into a vacant Cat5 port, then leaves. You might think that'll never happen, but I can tell you that in the IS audits we do for our clients it HAS happened and will continue to happen. The device that is connected is a small battery powered wifi access point that doesn't broadcast its SSID (network name). With this the 'visitor' can, from the car park, find a local IP address and then initiate a network scan for services such as email, files and so on. With a little effort and some automated software a selection of attacks can be performed and, if successful, systems and data compromised. The nice person who perpetrated this crime will then upload some software which opens a connection through your firewall to a remote server and waits for instructions. Everything from here onwards can be done from anywhere in the world and there is very little anyone can do to track this down. This is becoming an effective attack vector and awareness is the key. Don't have any ports live that don't need to be, have managed switches and allow lists by MAC, and have some form of intrusion detection either in the security appliance or separate. 
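One way to check for the rogue-device scenario in the last point is to compare what a managed switch actually sees on each port with what should be there. This is an added example, not code from the original article; the table format, port names, MAC addresses and finding codes are all assumptions made for the illustration.

```python
"""Audit a managed switch's MAC table against a per-port allow list."""
import re
from collections import defaultdict

# Constructed sample: "port mac" pairs as they might be exported from a
# managed switch. Port names are made up; MACs use a documentation range.
SAMPLE_TABLE = """
Gi1/0/1  00:00:5e:00:53:01    # reception PC
Gi1/0/1  0000.5e00.5302       # reception desk phone
Gi1/0/4  00-00-5E-00-53-10    # accounts laptop, normally on Gi1/0/3
Gi1/0/7  00:00:5e:00:53:a1    # canteen wall jack, should be dead
Gi1/0/7  00:00:5e:00:53:a2
Gi1/0/7  00:00:5e:00:53:a3
"""

# Which MACs are expected on which port (hypothetical inventory).
ALLOW = {
    "Gi1/0/1": {"00:00:5e:00:53:01", "00:00:5e:00:53:02"},
    "Gi1/0/3": {"00:00:5e:00:53:10"},
}
# Jack points that should not be live at all.
UNUSED_PORTS = {"Gi1/0/7", "Gi1/0/8"}


def normalise_mac(raw):
    """Return a MAC as 12 lowercase hex digits, accepting : - . separators."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def parse_mac_table(text):
    """Parse 'port mac' lines into {port: {mac, ...}}; '#' starts a comment."""
    seen = defaultdict(set)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        port, mac = line.split()
        seen[port].add(normalise_mac(mac))
    return seen


def audit(seen, allow, unused_ports):
    """Return a list of (port, code, mac) findings, ordered by port.

    UNUSED_PORT_ACTIVE  something is plugged into a jack that should be dead
    UNKNOWN_MAC         device is not in the inventory at all
    WRONG_PORT          known device on a port it does not belong to
                        (moved, or its address has been cloned)
    MULTIPLE_UNKNOWN    several unknown devices behind one port, which is
                        what an unauthorised access point or switch looks like
    """
    allow = {p: {normalise_mac(m) for m in macs} for p, macs in allow.items()}
    home = {mac: port for port, macs in allow.items() for mac in macs}
    findings = []
    for port in sorted(seen):
        if port in unused_ports:
            findings.append((port, "UNUSED_PORT_ACTIVE", None))
        unexpected = sorted(seen[port] - allow.get(port, set()))
        for mac in unexpected:
            code = "WRONG_PORT" if mac in home else "UNKNOWN_MAC"
            findings.append((port, code, mac))
        if sum(1 for mac in unexpected if mac not in home) > 1:
            findings.append((port, "MULTIPLE_UNKNOWN", None))
    return findings


if __name__ == "__main__":
    for port, code, mac in audit(parse_mac_table(SAMPLE_TABLE), ALLOW, UNUSED_PORTS):
        print(f"{port:8} {code:20} {mac or ''}")
```

MAC addresses can be cloned, so the allow list on its own is not enough; the unused-port and multiple-device findings are the ones that catch a device that copies a known address.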

The bottom line here is that any IT infrastructure should not in any way directly connect the public internet to your local network and likewise your local network should never directly connect to the public internet. This one is simple.

More challenging is making staff aware of vulnerabilities in your infrastructure and how to detect and deal with them. We've touched on social engineering above, but this is becoming more and more common, and whereas you might be very good at spotting spam or phishing emails and suspect phone calls from 'IT support', or are aware of the possibility of rogue devices and subversion, is everyone in your organisation? In this modern world they need to be, through both training and auditing. No matter how secure your network is, with its expensive firewalls and security appliances, it only takes one member of staff to bring the whole thing crashing down - staff are and will always be the biggest risk to any organisation, but trust me on the crappy router. 


Copyright

© (c) 2016 GEN


Data Security of Warranty and End of Life Drives

I'm sure everyone has had to return a failed hard drive or replace drives that are end of life, and this process is well documented in many security policies, but how do you ensure the data is irrecoverable before disposal or return? 

You would be surprised to learn just how much data can be recovered from a seemingly destroyed hard drive, and we are well aware because we spend a great deal of time every month recovering data from hard drives, SSDs, tablets, phones, USB sticks and more with significant success rates. 

So, in order to satisfy this need the group has decided to offer *FREE* non-destructive hard drive data destruction for all our customers. Simply return the drive to us and we will securely erase the data using a device which emits very strong magnetic fields in patterns designed to purge data from magnetic media. If the drive is a warranty return then we will take care of the return to the manufacturer for you too, again at no charge. 

Thank you for taking the time to read this post and have a great week!


Copyright

© (c) 2016 GEN Partnership


Windows 10 and Wifi Sense


Windows 10 has a lot of additional features over previous versions and most are safe enough, but a few stand out as being a little dangerous. Wifi Sense is one of those because it doesn't clearly explain the ramifications of setting it to the end user. Microsoft describe Wifi Sense as "WiFi Sense automatically connects you to WiFi, so that you can get online quickly in more places. It can connect you to open WiFi hotspots it knows about via crowdsourcing, or to WiFi networks your contacts have shared with you by using WiFi Sense."

Sounds great! If you're out and about, your laptop or phone will automatically connect to wifi that has been shared by 'crowdsourcing' without even telling you. So why is that bad? 

Well, it's bad on many levels, and I'm going to try and be as non-technical as possible here so as to benefit as many readers as possible....

  • Firstly, automatically connecting to anything is bad, except for your trusted wifi in your home and/or office. This is because malicious individuals could set up a wifi hotspot, leave it without WEP or WPA (i.e. no password needed) and then wait for unsuspecting people to connect to it, at which point a crafted attack is performed at your device. If passwords are being shared between these hotspots and many Microsoft devices then everyone who passes is at risk. You should always be careful when connecting to wifi, especially from a Windows Phone or computer. 
  • Wifi passwords are there for a reason: to limit access to the wifi network to those who know the password. Wifi Sense, as described by Microsoft, will "Automatically connect you to WiFi networks that your Facebook friends, Outlook.com contacts or Skype contacts have shared with you after you've shared at least one network with your contacts.". So, that means that if, by chance, you have not disabled "Share network with my contacts", which is found in Settings > Network & Internet > WiFi > Manage WiFi settings, then your home and office wifi passwords are shared with all your Facebook friends and contacts. That is bad for so many reasons, but here's a few. Firstly, do you really want everyone on your Facebook friends list having your personal wifi password and being able to connect to your personal wifi network at home, remembering that your personal wifi network at home is treated as your local area network and is trusted? Worse still, do you want your social media contacts and email contacts having the company wifi password to access that at will? I don't think anyone does, but that's what's going to happen unless you disable this feature. 
  • Did you know that Wifi Sense also captures your GPS location as well as your wifi password? How safe is this data that you're sharing? Where is it stored and how is it shared? Consider the potential risk of having that data compromised and revealing the wifi passwords of millions of users worldwide; that alone should be enough to turn this feature off. 

So it's up to you, as users, to make your own decision on how this goes down; all I can do is point out the risks and leave it with you. Microsoft have a FAQ on the subject which I recommend reading for additional information. 

To disable Wifi Sense follow the instructions found HERE. Remember, even if YOU disable it and then let someone you know have access who has NOT disabled it, then there is a possibility of your wifi password being shared, so check with everyone you give access to that they have also disabled Wifi Sense. If you are still worried then you can change your SSID to something followed by _optout as per the Microsoft FAQ, but that seems a little extreme unless you have already shared your wifi password unknowingly with the world, in which case change both the SSID AND the wifi password once you've disabled Wifi Sense. 

You may also want to consider disabling location tracking by following the instructions HERE

 


Copyright

© (c) 2016 E&OE


Today at the Helpdesk - ITV Player

A customer raised a ticket at the HelpDesk today complaining that their ITV Player was no longer working correctly and giving strange messages. We asked for a screenshot and received it minutes later. The screenshot indicated that 'Ad Block Software detected', which piqued our attention, and so we investigated further. 

Now ITV Player is one of the few remaining companies still using Adobe Flash Player to stream movies despite there being much better transports available (like HTML5 etc), and Flash gives us a number of problems here because (a) Shockwave/Flash is blocked by default at the firewall (as it is for all our customers of officeGateway), and (b) none of our workstations have Flash installed as it's a high security risk. Anyhow, after some faffing about we managed to get the Adobe Flash demo page to work and then switched on over to ITV Player. 

After selecting a program to watch, the usual unclean and tatty Flash player window is displayed, and we click the big > in the middle to play. Immediately we're given 5 minutes of adverts to watch before we can do anything else like FF/REW etc. Then after the 5 minutes of ads we're onto the programme's introduction for another 2 minutes, and then finally the show begins. Now at this point we followed the end user's reported behaviour of fast forwarding to the second segment of the show, and doing this means that again we have to watch another 5 minutes of adverts, and then on the last advert....

Perfect, we can reproduce the issue in a freshly installed (today) system of Safari 9.1 on OSX 11 with definitely no ad block software installed. After this rather abrupt message the player is dead and you have to refresh the page, and whilst the option to 'Resume' is offered it does nothing except start from the beginning again, meaning... watch another 5 minutes of adverts, FF, then watch another 5 minutes of adverts and finally get to the segment you need to watch. But on our second try we got something else...

And yet again, Flash player is dead and we've got to reload the page, watch another 5 + 5 = 10 minutes of the same pointless adverts, and then the show plays just fine. We shuffle back and forth several times after this and it seems to play everything just fine; we even left it playing in the background and it got through another two episodes before the 'Ad Block Software detected' message truncated our viewing enjoyment. So, this being Flash, which is so easily reversed, we downloaded the SWF file and took a look at the cause of these spurious and erroneous messages. 

Looking at the code (scripts) within the SWF file, it would appear that the ad block software message is triggered when a HTTP request fails, but that wouldn't necessarily mean it's ad block software, would it? In our short tests today the player has shown itself to be far less than reliable on a fresh install of OSX, and if all it takes is a HTTP error to cause it all to come crashing down then someone really should sort that out. Whilst we were in the code we did notice a significant level of logging and auditing taking place that I'm fairly sure no one knows is happening, but that's another story for another day.

For effective ad blocking with this shockingly poor Flash setup it would be much easier to redirect the SWF request to a crippled SWF (or decompiled/recompiled) with the ads removed. If, on the other hand, someone actually wanted to add in 'Ad blocking' software detection, then doing it within HTML5 would be far simpler: with some client side JS/Java passing a token back to a server somewhere, a reliable solution is to be had. Of course, once you've spent a few £££ on that solution, ad block software vendors will find a way around it by trashing your client side JS, so one has to wonder if the battle is even worth the expense? In ITV's case I strongly suspect their spurious 'Ad Block Software detected' message simply serves as a catalyst for the viewer to hit Google and discover that ad block software does exist and how to download and install it. I suppose it's a little like "thepiratebay", which virtually no one had ever heard of until some muppet decided to sue them, and then suddenly the whole world knew about it and sites like it and, moreover, how to get around all the worthless 'blocks' that ISPs were forced to set up by clueless judges. 

So back to the ticket in question. We couldn't of course fix ITV's failures to provide a stable service, but the whole idea of 'Ad Block Software' gave us another avenue to explore - Ad Block Software! We searched the internet and found several solutions all promising to remove all ads and thought we should give them a try. I'm going to go ahead and call these Program 1, 2 and 3 and not give out the actual names of the software, as I don't want to encourage anyone to install software that's not been fully certified as safe, but if you have the knowledge then Google/Bing is your friend. 

  1. Program 1 is open source, freely available and seems to have a fairly active GitHub repository. Once installed we found it did indeed block some ads but not ITV's. It didn't however increase the incidence of the erroneous "Ad Block Software detected" message, and in fact it seems to occur less often with it installed, but that may be coincidental. So we uninstalled that and moved on to...
  2. Program 2 is closed source but freely available and seems well supported. We installed it without issue and again it did stop some ads from some 'other' websites, but for ITV Player it stopped it working altogether. We found that we could specify various options to make it work again, but we still got ads and the erroneous message still appeared from time to time, but no more than with nothing installed. So uninstall and move on to...
  3. Program 3 is closed source and not free, but we did manage to acquire a temporary licence from the vendor for our testing. This installed without issue and finally our ITV Player was advert free and without any 'Ad Block Software detected' message either. With a little more investigation into the settings it was clear that this plug-in was operating at a much lower level than Program 1 & 2. 

So, in summary, the message is in error and it clearly only serves to annoy potential viewers, but when you look at the whole ITV Player setup, being forced to watch 10 minutes of adverts (that's 40 minutes per hour) is in itself going to alienate customers, especially if they are just the same ads over and over again, which is what we observed. I personally think YouTube has the balance about right (and I'm rarely one to support Google) with its skippable adverts, which means that if I'm not interested then I'm not forced to watch it all, but on the other hand it means that the adverts that do interest me I can watch in full, and I do watch some in full just in case anyone wondered. 

This article is a technical article and the content is solely the opinion of the author and not the company. E&OE. Neither the author nor the company has any interest in ITV, its player or any solution designed to remove advertising and does not recommend you do or do not install any such solution. 

Follow up

So, the same customer contacted us again today via the HelpDesk to tell us that ITV Player was now not working at all and instead was saying "ITV Hub is only available to viewers in the UK" as below:

Whilst it's mildly entertaining that ITV seem to think that Reading, Berkshire is not in the UK, that is in fact the location of our customer. We did check the RIPE whois on the IP subnet used by our customer and it was indeed located in the UK, so this is clearly just another ITV error. We simply advised that they contact ITV as instructed, because the only people who can fix this are ITV. 

 

 


Copyright

© (c) 2016 GEN

Recent comment in this post
Guest — LJM
ITV Player has always been a substandard piece of trash. Requiring logins, requiring ad-blockers to be removed when they aren't e...
Friday, 13 January 2017 14:15

Web Harvesting, List building and how to avoid it

Today at Technical Support

One of our customers raised a ticket at the HelpDesk complaining of telemarketing calls on his managed VoIP telephony system. Some technical analysis later proved that the incoming calls were genuine calls and there was no security issue around the platform. The customer disclosed that his email was also inundated with spam which started around the same time, and this pointed us to a completely different cause. During the next few updates and phone calls the customer disclosed that he'd recently had their website redesigned and paid for some form of 'marketing'. 

Taking a quick look at the website it was clear to see why they were suddenly victims of a spam attack. The website, although very pretty, had their phone number (actually three of their phone numbers) in plain text on their contact form and again on their about page. Additionally, their email address was hard coded into the contact form. 

A quick web search using our favourite search engine of their telephone numbers showed them appearing in 192.com, yell.com, and various other 'indexes' that no one ever uses anymore in one form or another. This was apparently the 'marketing' they had paid for. 

Web Harvesting

It's fairly easy to write a program that will load a web page and save the contents to disk. It's fairly easy to take said contents and search through them for email addresses and telephone numbers. Now, imagine that same program started at Google UK with a search for "engineering" and then just spidered (followed every link), saving the contents and then searching for email addresses and phone numbers. That's exactly what web harvesting is, and spammers use it all the time to compile and sell lists of phone numbers and email addresses to other spammers. 

So how do you prevent your contact information being harvested? 

It's actually as simple as you'd expect. Do not under any circumstances put your email address or telephone number on your website - ever. In days gone by we were able to put the telephone number in an image and obscure it that way, but with modern OCR systems like tesseract even that no longer works.

If you really absolutely must have your telephone number on your website then we can shield it by formatting it in such a way that simple searches won't see it (such as breaking it up into several parts and then having each part in a separate DIV/P), or we can hide it behind a server-side request using a captcha. Both these options serve to confuse potential customers, though, and do they give any benefit? Maybe against programmatic web harvesting, but they won't stop list builders from Asia. 
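A pre-publication check you can run over your own page source shows what a harvester would find and how far the split-across-elements trick gets you. This is an added example, not code from the original article; the sample page, the phone numbers, the email address and the UK-style number pattern are constructed for the illustration.

```python
"""Report contact details exposed in a page you are about to publish."""
import re
from html.parser import HTMLParser

# Constructed sample page reproducing the cases described above: a number in
# plain text, an email address hard coded into the contact form, and a number
# split across several elements.
SAMPLE_PAGE = """
<div id="contact">
  <p>Call us on 01632 960123</p>
  <form action="/send">
    <input type="hidden" name="to" value="sales@example.com">
  </form>
  <p>Or <span>01632</span><span>960</span><span>456</span></p>
  <a href="tel:+441632960789">Phone</a>
</div>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# UK-style numbers: leading 0 or +44, then 9 or 10 more digits, with single
# spaces or hyphens allowed between digits.
PHONE_RE = re.compile(r"(?<!\d)(?:\+44[\s-]?|0)\d(?:[\s-]?\d){8,9}(?!\d)")


class _TextOnly(HTMLParser):
    """Collects only the text a visitor would read, dropping all markup."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def visible_text(html):
    """Return the page text with tags removed and whitespace collapsed."""
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(parser.chunks).split())


def _scan(blob):
    """Return the set of email addresses and normalised phone numbers found."""
    emails = {m.group(0).lower() for m in EMAIL_RE.finditer(blob)}
    phones = {re.sub(r"[\s-]", "", m.group(0)) for m in PHONE_RE.finditer(blob)}
    return emails | phones


def exposed_contacts(html):
    """Map each exposed value to the layers it is visible in.

    "source": found by pattern matching on the raw HTML, including
              attributes such as hidden form fields and tel: links.
    "text":   found only once the markup is stripped, which is where a
              number split across elements reappears.
    """
    result = {}
    for layer, blob in (("source", html), ("text", visible_text(html))):
        for value in _scan(blob):
            result.setdefault(value, set()).add(layer)
    return result


if __name__ == "__main__":
    for value, layers in sorted(exposed_contacts(SAMPLE_PAGE).items()):
        print(f"{value:20} {', '.join(sorted(layers))}")
```

Anything reported should either come off the page or be moved behind the contact form's server-side handler; a value reported only under "text" is one that splitting across elements hid from source matching but not from a tag-stripping pass.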

List Builders from the Far East? 

Yep, qualified lists can be purchased for not a great deal of money from certain companies that do not use programmatic harvesting, but instead have a room full of staff who use search engines, find companies, and then compile lists. An example would be if you wanted a list of dentists in the south east; for a few hundred dollars your custom list can be provided. It's not going to be perfect, but the accuracy is going to be much better than web harvesting because someone has actually done some research. 

Is it legal? Yep it sure is as all the legislation to date only protects individuals and not businesses, and besides even the current legislation is next to worthless given the global nature of the internet. 

Contactless Contact 

Contact forms without contact information? Sounds like trouble to me, but in fact it isn't as a well designed and fast contact form will usually do the trick just fine. If you want that instant response then consider an inline chat system like tawk.to. 

But what about Google Places for Business, or Bing's equivalent? 

In order to have your business listed in either then you need to have a phone number, but it doesn't have to be geographic and it doesn't even have to work. We're listed in both of course but we've listed a non-geographic (08700) number which plays a message to say head on over to the website and that works just fine given that we get almost no traffic from the number over the year. 

 

 


Copyright

© (c) 2016 GEN


How to completely Remove OneDrive from Windows 10

OneDrive comes installed with Windows 10, and whilst some may trust Microsoft with their personal, corporate and confidential data, I'm not one of those. So I want it gone, and that's gone from Windows Explorer, gone from the task bar and just generally not there anymore. 

So firstly, open up a command prompt. This can be done by pressing the Windows Key + R and typing CMD, or by typing CMD into the 'I'm Cortana' box by the start button and selecting cmd/Run Command, or by going to Start / All Apps / Windows System / Command Prompt. You should wind up with a black box and some text in it saying something like "Microsoft Windows [Version 10.0.10586]" and so on. 

Now with any luck it's going to leave you with

C:\WINDOWS\system32>

If not then do one of the following, depending on whether you're running 32bit or 64bit Windows 10. 

32Bit: Type cd \windows\sysWOW64

64Bit: Type cd \windows\system32

Now we are ready to remove OneDrive, and the command is: 

OneDriveSetup.exe /uninstall

Once you've run this, you will probably get one of those suitably annoying UAC confirmations and you should select YES. 

And it's done, it's gone, no more OneDrive. 

NOTE: With a Windows 10 refresh, Microsoft re-install OneDrive without notice, so you will need to remove it once again by following the instructions above or a slightly more complete version available at GENSupport.net


Copyright

© GENADMIN


Windows 10 and Microsoft Ad-ware

If you are unfortunate enough to have upgraded to Windows 10 and found half your stuff doesn't work and there's no way back, then a fresh re-install of Windows 7 is probably the only option. If however you've upgraded and it's all pretty much working, then you may want to get rid of a number of Windows 10 annoyances, and we'll deal with those here. 

Firstly, Windows 10 brings Microsoft advertising directly to your desktop. No one asked for this or wants it, but it's there and luckily it's easy to turn off. 

Go to Start / Settings, then Personalisation, then Start from the bottom left and finally locate and disable "occasionally show suggestions in start". 

Now you're free of that, how about the equally annoying pop-ups that seem to want you to try various Microsoft products and so on? 

Go to Start / Settings, then System, then Notifications & Actions from the left and finally disable "Show me tips about windows". 

Then scroll to the bottom of that window and look for things like "Get Office" and turn that off too. 

And at last, quiet. 

Well for now at least, until Microsoft push out another update, and yet more annoying ads. 


Copyright

© (c) 2016 GEN Partnership


The Tools are back!

When we moved from the old HTML4 GENSupport website we left behind the heavily used 'Diagnostic Tools' section and we promised to rebuild it on the new site. Well, it's taken a few months but we've done it, and the new tools section can be found at the GENSupport website under Tools.

We're going to be adding the rest of the lesser used tools over the coming weeks as we rewrite them on the new platform. 

If anyone has any issues using the new tools then raise a ticket or drop a post in the forum and we'll get right on it. 

 


Copyright

© (c) 2016 GEN


Cheap IP Cameras - Worth it?

As you probably know, GEN supply IP CCTV systems to businesses around the UK and we generally use Samsung or Sony cameras to provide the highest quality picture and stable video. However, we thought it would be worth checking out some cheaper Chinese cameras to see how they compare price/performance wise, and here's what we found: 

Test 1: The Foscam FI9828W

This Wifi (not that anyone would use Wifi) enabled camera comes without POE and audio (although audio can be added separately). It's listed as having 1.3 Megapixel (1280x960p) resolution, H.264 video compression and frame rates of up to 25 fps. On the face of it that sounds ok, but whilst it has a 360 degree pan/tilt it only has a 4 times optical zoom, which is about as much use as Windows 10. We had no real issue connecting it to the system, although we did have issues with frame rates above 15fps on variable bandwidth. Setting it to constant bit rate of 4k solves that issue. The picture quality was, well, poor at best and the colour rendering was pale and unexciting. The pan/tilt speed was acceptable but we found we'd often overshoot and have to come back, which made operating it cumbersome. Setting patrols seemed to work for a short time, but the camera would drift out of sync and the patrol positions would therefore move until a camera reset restored operation. The infrared night vision was extremely poor, suffering from reflections from inside the dome, and we found no way to turn off the IR LEDs but keep it in IR sensitive mode, as you would always expect to be using a separate IR source anyway. 

So in summary, the Foscam FI9828W is ok for domestic use, but nowhere near the mark for commercial use. We ordered two, and one came with duff optics, but despite several phone calls and emails we were unable to get Foscam UK to exchange it despite their promises to the contrary. As a side note we also ordered in an FI9805E which packed up working after about 2 weeks, and once again support was non-existent. 

Test 2: HIKVISION DS-2CD2132-I

This is advertised as a vandal resistant external dome camera with a 4mm lens, and it is all that for sure, but once again night vision suffers really badly from internal reflections from the dome. The configuration was more flexible and we could disable the IR LEDs but keep the sensitivity, which resolved that issue. The picture quality is pretty good, although the compression could have been implemented better. We found a frame rate of 12fps with constant bit rate of 4k produced the best video feed, but again the colours were wishy washy and the camera suffered badly in sunlight and would clearly require additional housing if used in an area where sunlight was an issue. We mounted one vertically and one horizontally and found the vertically mounted camera suffered from rain on the dome, which we mitigated to a reasonable extent with some RAINX.

So in summary, the HIKVISION DS-2CD2132-I makes a good attempt at being a quality camera, but the actual picture quality and lens let it down. It would be fine in a domestic setting but not really in the game for commercial use, especially in low light or fast motion. It has to be said that both HIKVISION cameras worked out of the box and throughout the testing, which took several months, without issue, so we were unable to experience the support channel, which was unfortunate. 

So there you have it, are they really worth the hassle? Well, a typical 3MP Sony IP dome camera is going to cost you around £600, and a HIKVISION 3MP IP dome is going to be around £120, but on a price performance basis the Sony wins hands down with crystal clear video, vibrant colours and excellent low light performance. In a large installation you could save 20K on cameras if you can put up with the issues, but you will soon be eating into that 20K saving with replacement cameras on a regular basis as well as service charges and so on. 

Anyway, if you found this interesting then let us know? If you want us to test a specific camera, let us know? 

 


Copyright

© (c) 2016 GEN

Recent comment in this post
Guest — Bob sanderson
But you do have to factor in the costs of camera failure in the real world and the liability that it creates. In the real world, u...
Monday, 15 February 2016 15:02

The Nomad RoadTrip

 

With mobile devices becoming more indispensable every day there's a growing market for additional battery capacity. Companies like EE have for many years been supplying USB power packs that can be used to charge your mobile devices when away from the office, and we internally use a 12Ah unit to charge multiple devices when off site. 

The Nomad is slightly different to the usual footprint because you can only charge it in the car.

During our test, we struggled to find a cigarette lighter socket in our vehicles that would take the size of the unit, but when we did (in the boot) it fitted very well with no movement and remained firmly connected. The charge indicator is on the top and clearly visible in the vehicles we used. When you compare this to the usual setup where your power pack floats around the vehicle on its charging wire as you drive, this is hugely more practical. 

The device connections are USB-A (the standard USB socket we're all used to) and the new USB-C socket, which is a new standard. The reason for this is unclear, and I suspect many of us would have preferred 2 x USB-A until the USB-C standard becomes more widely used, but it is what it is. The power output is apparently 1.5A per port (so that's 1.5A useable unless you're lucky enough to have a USB-C cable to use). 

When charged, which takes a couple of hours (and we're assuming having all the LEDs illuminated indicates this), pressing the button supplies power to the accessories. It's a real shame that you have to actually do something to make it start supplying connected devices, as in our test we found that we were pre-programmed to just plug it in and go, forgetting to push the button and of course not powering anything. I have no idea why they did that either; surely when you connect it to the car it should power the output automatically? I can't think of a situation where you would plug it in to the car, connect your devices and NOT want it to start supplying them, but it's too late to change it now. 

In our test we used an iPhone 6S+ and it charged it from just below 50% to full in about an hour, which you may not think is particularly fast, but it is comparable with other devices. 

So in summary it's a good idea, but with a relatively small capacity (3000mAh), a relatively high price ($50) and problems finding a socket in your vehicle that will take the size of the unit, it's probably not something that will go mainstream anytime soon. As a side note, for anyone in the UK we did find that it interfered with DAB radio, especially when placed in the boot near the DAB antenna, so that's something to watch out for. 

Please see the Nomad Website Here


Copyright

© GENADMIN
