Synology Auto-Update

synology_logo

We've been actively promoting Synology Rackstations for many years now and they do provide exceptional performance for our customers, but they also come with a few gotcha's that you need to be aware of when running them. If you have managed storage or any of our support or outsourcing services then we'll take care of these units for you, but if not then please read on. 

Auto-Update is an important part of any strategy and of course Synology provides the same functionality which can be found in Control Panel / Update & Restore / Update Settings

Here we have updates to be applied automatically at 3am when available. This will mean your system will always be up to date with the latest patches and fixes. 

A second level of protection comes from the package centre auto-updates which can be enabled in Package Centre / Settings / Auto Update and will look something like...

But you can never leave your Synology servers to just update themselves without intervention as we've discovered today, for example when we found that all our customers who have managed storage were showing package updates available (via CMS) but they weren't auto-updating. We investigated this further and found that Synology have made a change that seemingly effects everyone ... 

When opening the package centre from DSM on the server you find this dialogue 

and of course all the updates have stopped auto-updating because of this.

Now we have 300+ Synology Servers on management and so far today we've only managed to do a fraction of that, but over the next few days we'll login to each of the boxes, tick the box and then let auto-update do its thing. If you are using Synology NAS then double check this now and make sure you've got it ticked, then apply any outstanding updates.  

 

 

Continue reading
  5090 Hits
  0 Comments
Tags:
5090 Hits
0 Comments

Firewalld on Redhat/CentOS 7 and later

CentOS 7 brings with it a new dynamic firewall interface deamon (firewalld) which allows for a fairly easy configuration of your firewall without having to learn iptables. The firewalld daemon provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. In reality firewall-cmd is just a front end for iptables and will indeed create and maintain the iptables rules required in your configuration. In a normal configration you would expect to have a local and remote interface, the local being the LAN and the remote either being behind a firewall or NAT'ed. The rules for each would of course be different and so you can create 'zones' with firewall-cmd for Internal and Public (or whatever you want to call them). 

If your using a graphical interface then you can use the firewall-config tool but for the rest of us that live in the shell, the command line interface is fairly easy to use. 

Let's assume you have two interfaces as

eno16777984 = LAN with a private address such as 10.1.1.10

eno33557248 = Public with a public IP such as 8.4.2.1

Now the magic with firewall-cmd is that once you've defined the zones (Internal and Public or whatever you want to call them)

firewallcmd --permanent --add-zone=Internal
firewallcmd --permanent --add-zone=Public

You can then assign some services to those with 

firewall-cmd --permanent --zone=Internal --add-service=ssh

and that's assuming your SSH'ing into the box, you don't want to be locked out. So now let's assign the interfaces to the zones. 

firewall-cmd --permanent --zone=Internal --add-interface=eno16777984
firewall-cmd --permanent --zone=Public --add-interface=eno33557248

and finally a restart of the firewall with 

systemctl restart firewalld

Now you can go ahead an add more services (with --add-service=) or ports with (--add-port=) and setup the rules for your interfaces. If your curious as to how this is configuring iptables then just issue iptables -L to see the rules. You'll find for each zone you've got an IN and OUT, Permit and Deny and your rules are allocated to the correct tables. 

One big tech tip here, for some reason, especially when your changing interfaces, IP's and the whathaveyou, firewalld can sometimes move interfaces between zones. Its rare, but not realising can be bad news especially if it moves the dirty interface into the Internal zone. To ensure your always aware of what zones are on what interfaces locate your .bashrc file (in your home directory - the one you land in when you login) and add a line on the end 

firewall-cmd --get-active-zones

You'll get output similar to 

Internal
interfaces: eno16777984
Public
interfaces: eno33557248

Every time you login so your always aware if an interface has vanished. 

The full reference can be found on the RedHat Site and there's ample community resources too. If you get stuck and need some help then feel free to post in the GENSupport Forum and someone will help you out. 

 

Continue reading
  1872 Hits
  0 Comments
1872 Hits
0 Comments

USB Flash - Built in failure

s0404080_sc7

With the slow decline in CD's and the long lost days of floppy diskettes, USB portable storage has become common place. A memory stick, thumb drive or pen drive are common terms for the same thing, a USB mass storage device based on FLASH, and yet many people don't know that the whole technology behind FLASH storage has a very limited lifespan - this leads me on to the relatively high volume of data recovery requests we have for USB storage coming through the channel.

Flash memory is generally of two types, NAND and NOR. Both technologies allow permenant storage of data without needing a power supply. NAND requires data to be read and written in blocks called 'pages' and is by far the most common FLASH memory in use today.

FLASH memory like all memory stores data in 0's and 1's in a vast array of cells, but the method by which the data is permanently written involves pushing a charge (electrons) through an insulated layer, once through the insulator its stuck there and will remain until its pulled back through the insulator therefore changing the state.

However, this 'pushing' and 'pulling' through the insulator, known as tunnelling slowly breaks down the insulator until it fails. When an insulator fails this only effects the cell, but of course just one bit that won't switch will adversely effect the data when read back. Furthermore certain areas of the flash drive are read and written much more than other area's and these are the master directory and the File allocation tables, both of which are changed when data is read (changing last access time) and written (changing last updated time and changing allocation of storage in the file allocation table). This means that in many instances the part of the flash drive that fails first is the most important part - the part that tells us what files are stored on the drive and where they are stored.

Cheap vs Expensive

When it comes to Flash Drives, there is a real physical difference between the budget end of the market and the professional end because NAND/NOR Flash comes in many different flavours depending on its performance and expected lifespan. Often the cheapest FLASH IC's are designed for storing firmware in embedded devices where write performance is a non issue and the expected number of writes is very limited, maybe 10 writes in its entire lifetime whereas the most expensive FLASH is designed specifically for high speed  and many write cycles and this is the correct hardware for USB Flash Drives. If you can buy a 128GB Flash drive from SANDISK for £30 and a unbranded one for £5 then the lifespan and performance of your SANDISK drive will be many many times better than the unbranded one.

I guess I should also point out that some cheap unbranded USB Flash drives (or knock off Branded) are engineered to falsely report their capacity. This is done by creating a partition on the drive with false data, so the computer you connect it to thinks its larger than it is and the only way to be sure is to try and fill it up or to perform a low level reformat. This sort of storage fraud is often seen on sites like eBay promising 1TB of flash for $10 which is nonsense.

Recovering data from failed Flash drives isn't that hard, but it does bring with it some challenges because the data will have errors in it where specific cells are stuck or indeed entire pages are stuck and non responsive and its not always possible to identify these area's during the scan, they often read as ok but with incorrect data, or they read as all 0's but after re-assembling the filesystem as best we can its over to the client to work through the recovered data and validate it.

The bottom line here is never ever rely on a USB Flash drive for data storage, its not safe and certainly not guaranteed and it will fail at some point. Stick with brand names and stay away from the budget end of the market.

Continue reading
  3822 Hits
  0 Comments
3822 Hits
0 Comments

Synology CloudStation in the Corporate Environment

Synology CloudStation in the Corporate Environment

If you've invested the time and money into Synology RackStations then your probably going to want to take advantage of some pretty cool embedded features. One such feature is CloudStation and its associated CloudStation Sync and CloudStation Backup, which collectively allow for realtime'ish local file synchronisation with a server which provides up to date files for remote users, a multiversioned backup for desktops and laptops and realtime sync between servers across sites. There is however one serious flaw in the plan that you need to be aware of before you go and roll this out across the business and that's SSL. 

When you setup your RackStation(s) you probably setup SSL and would have used the build in 'LetsEncrypt' support which promises a valid certificate every 90 days or you would have installed a paid certificate which renews annually in most cases. Having setup your SSL certificate you would of course want your clients to use SSL when connecting to the server so the transfer is a little more secure, but here's where it all goes down the tubes; If you did make the mistake of selecting SSL when you setup the clients then every 90 days (or annually) all the clients are going to silently stop working and no one is going to notice for a while. 

If a user actually opened CloudStation Backup to restore a file then they will be met with

And should they click on Version Explorer they get the equally helpful...

In fact there is no way out of this without going into Settings then Connection and re-entering the User/Password and Applying,  and in a corporate environment the end user may well not be privy to the Synology User/Password but even if they were its now too late because the CloudStation Backup hasn't been backing up since the last certificate renewal. The ONLY way around this is to turn off SSL or you'll be back here again before you know it. It's a real shame that you cannot use SSL as it's a nice feature but in a corporate environment its not essential unless your allowing remote sync.  

I have no doubt that Synology will resolve this in due course, but until then keep SSL off to save a bunch of time and effort.

Continue reading
  4230 Hits
  0 Comments
4230 Hits
0 Comments

eMail Security and Retention

internet-security-concept-19461118

I was asked a few days ago by one of the Partners if we could retrieve an email from a year or more ago and of course the answer was no, but that left me thinking about the question itself and the wider implications. I think its pretty much understood that if you choose to host your email at Microsoft, Google, BT, and so on then your every email is going to be archived away somewhere for all time and will no doubt be available for anyone with sufficient clearance to review, trawl, analyse and so on, but that's fine as long as you know its happening. At GEN we offer a secure service which by its very nature is not archived anywhere unless that functionality is specifically ordered by the customer, and that's rarely the case, but we do take backup's so I think its important to define exactly what we do, and what we don't do here. 

 

Your email is stored in an encrypted format on the physical server media and the key to decrypt this format is different for each mailbox. 

There is a snapshot of the entire server cluster taken hourly on a 96 hour rotation. That is, the oldest snapshot we have is 96 hours. These snapshots are taken as part of our disaster recovery process meaning that even if an entire datacentre was destroyed then your email service would resume shortly afterwards at a backup site which is always in place. 

Your mailbox is protected to some degree from brute force attacks by a system which actively monitors such behaviour and blocks attack routes in real time. 

Server free space is defragmented daily as an overnight process. 

Logging of email traffic including date/time, sender, recipient, size but not its contents exists for 7 days on the anti-spam and anti-virus gateways and for 3 days on the mail servers themselves. We use these logs to satisfy all those tickets that people raise complaining that their email isn't reaching someone or that someone trying to send them an email isn't getting through and so on. 

So, unless you specifically ordered email retention then when you delete an email its gone from the email server immediately, from our logs 7 days after receipt and from our snapshots within 96 hours. 

Keeping your email secure...

If you consider that when you send an email from A to B then the following are involved: 

  • Your PC, has to store the message to be able to send it
  • Our server, receives the email from you, stores it in your Sent Items (Encrypted) and then sends it on to the recipients server
  • Recipients server receives the email from us and stores it on disk, maybe in the clear and then stores it in the recipients mailbox. 
  • The recipients PC retrieves the email and stores it on disk, maybe in the clear

So there are many points of compromise here and some of the most vulnerable are on sender and recipients PC's. To completely remove this risk use only webmail or an email client that stores your email with strong encryption. 

We've already covered our servers, but the recipients server(s) are a real risk too. If the recipient is using a server which does retain everything and you wouldn't know without checking then your email is once again going to be stored for all time. 

Any way around this? 

To keep your email as secure as reasonably possible between sender and recipient they

  • Should be on the same server which then negates the risk of a second server with unknown retention and security and also negates the risk of a man-in-the-middle attack by anyone compromising your DNS. 
  • S/MIME or GPG should be used to provider a second layer of encryption to further protect the email's contents and in the case of S/MIME this will also provider validity guarantees. 
  • Webmail only should be used as these will not store a copy of the email on local devices
  • A secure access service such as GEN SAS can be used to ensure an encrypted tunnel into the GEN Infrastructure and onto the Mail Servers. 

But who needs that level of security? Well, anyone who wants their email to be secure and that might be you or you might be happy knowing that everything you have ever sent and received is stored and archived somewhere. 

I hope this has cleared up any confusion around retention of email data, if you have any more questions then raise them at the HelpDesk ok. 

 

 

 

 

 

 

 

Continue reading
  2084 Hits
  0 Comments
2084 Hits
0 Comments

Browser Cache, Transparent Proxies and more

Browser Cache, Transparent Proxies and more

One of the questions that comes up time and time again on the Helpdesk is, what is my cache, where is my cache and what am I supposed to do with it? 

Well, the question itself often arrives on the back of conversations with content providers and developers often around out of date content so its worth taking a few minutes to explain what the cache is, where it is and why it is. 

A cache, pronounced "Cash" is masterfully defined as "A hiding place used especially for storing provisions." or "A place for concealment and safekeeping, as of valuables." and that's not too far from the truth. The cache is indeed a place for storing provisions of the digital kind. You see the internet isn't anywhere near as fast as you experience it from a browser on your PC, and this is because the internet is just a collection of many different networks all connected together to provide a 'route' from your PC to the server at the end of a browser request. Let's look at this in more details now: 

When you type a url into your browser, for example http://www.gen.net.uk and press enter or go, the browser uses the operating system of your device to open a connection to www.gen.net.uk on port 80 (port 443 if https://) and request that page. The actual request sent to the remote server looks like this "GET / HTTP 1.1" which means get the page at / the default or index page and use HTTP 1.1 which is just a specification. The response from the server will be a HTML page which the browser then displays to you as the client. 

Now where does caching fit in here? Well, your browser when it receives the HTML page stores in locally in a cache (which is just a hidden folder on your pc) and with that it stores a date and time the page was retrieved. Now if you close the browser, open it again and again type in http://www.gen.net.uk then this time something magical happens; The browser realises that its just been to www.gen.net.uk and just received the page at / so rather than bother requesting it again it just returns the one it stored a few moments ago. Simple and fast right? 

Well, it get's a little more complex than that because the server when returning the page to the browser can in fact indicate whether or not the browser should cache it, and if it should then it can specify for how long the browser can cache it and indeed the page at www.gen.net.uk/ at the time of writing does not give any special instructions to your browser around caching. 

So, hopefully that's a little clearer, when you type in a url or follow a link if your browsers already been there recently then you'll get the cached version rather than the 'live' version unless the site specifically told the browser not to cache. This really becomes visible if you have your own website, and you or your developer has made changes but you just can't see them, its all in the cache. Clearing the cache is simple enough and can be found in your browsers menu's should you require it and issuing repeated refreshes (CTRL+R windows, CMD+R Apple) will also force the browser to reload the live page generally. 

Now as I said before the internet is no where near as fast as you experience it, and this is not only due to your browsers magic cache, its also due to internet service providers (mostly residential) using systems called 'transparent proxies'. This is another cache between you and the sites you browse and this cache is not optional and in many cases will not yield to servers requests not to cache. The transparent proxies intercept your requests as you make them, look to see if they have a copy of that page and of so serve it up as if it came from the server itself. Your browser has no idea its not a live page and neither do you. By using transparent proxy caching ISP's (Internet Service Providers) especially residential can significantly reduce the amount of bandwidth they use on their upstream (between them and the server). There are also, in this country at least, significant privacy concerns around transparent proxying because your ISP not only intercepts your requests but can keep a log of them tracked back to your IP Address, and therefore back to you so its a bit of a double whammy. There is a third layer of caching known as web accelerators that are sometimes used at the server side to speed up performacne by keeping a cache but this is under the control of the site owners and as such isn't an issue. 

How do you defeat this transparent proxying ? 

Well its not easy because the ISP has access to all the traffic you send and receive and can easily intercept not only your web requests, but your email too, although if your email is stored at Microsoft (hotmail, office 365 etc), google (gmail, etc), Yahoo, AOL and so on, then its already compromised many times over and this really isn't going to make any difference. There are however tools that can cut through the proxies by establishing a 'tunnel' between your browser and a server in another country and from there making browser requests and I am of course talking about VPN's, the most common of which is the Tor Project (https://www.torproject.org/) but having said that, the tor project based in the USA is probably not going to be filling you with overwhelming confidence in the privacy of your data but its the best we've got unless you want to spend some real money in which case you can establish real VPN's to real secure proxies and have true anonymity online. 

I think its also worth mentioning that browser plugins such as Addblock, Ghostry, Web of Trust to name a few and of course Microsoft's own 'safe browsing' nonsense also hijack every URL you visit and pass that url back to central servers somewhere giving them also a full history of your browser habits but by themselves they can't tie that data back to you personally. That is, they know that a PC on the internet with a unique ID visits these websites but without help from your ISP they can't tie that information specifically back to you as a person unless of course you login to your Facebook, Google+, twitter and so on using the same PC in which case they can now easily tie your browsing habits back to you personally the only difference is that your ISP has your postal address and generally people aren't stupid enough to enter that sort of thing into Facebook, google+ or twitter. 

So here concludes this little discussion around caching that has taken a sideways step into privacy and anonymity but its all connected of course. 

Continue reading
  2545 Hits
  0 Comments

Copyright

© GENADMIN

2545 Hits
0 Comments

We could eliminate SPAM tomorrow if...

We could eliminate SPAM tomorrow if...

We are all familiar with SPAM, its the huge volume of unsolicited crap that we have to wade through each day just to do our jobs, and yet there's no sign of it going away despite us all having the means to end it. So let's look at why we are all being subjected to the spam and then we'll look at why we don't end it when we all have the power to do so. 

The reason for SPAM

SPAM has three basic objectives and in order of volume, 

  • Firstly the majority of SPAM is an attempt to infect your workstation, laptop, tablet etc with a virus and/or trojan. By doing this the spammers have (a) the ability to scan your system for card numbers, passwords, and of course email addresses from your email client, (b) steal the login credentials for your email account so they can use it to propagate more spam FROM YOU, and (c) in order to leverage DoS attacks. 
  • Secondly, Spam will attempt to impersonate an organisation that you might expect an email from and then trick you into giving up your login, password, account and so on by taking you to a fake website. Whilst you may think most people are weary of this type of spam you would be surprised how many we still get at the helpdesk. 
  • Finally, Some spam can actually be trying to sell you something, which is rare these days but does still happen. 

Current SPAM defences

  • The blacklist: A number of worthy organisations like Spamhaus, SpamCop, etc are dedicated to maintaining lists of domains, hosts and subnets which are used to originate spam. Using these blacklists is an expensive but effective tool to eliminate a good percentage of spam at the first gate. Blacklists however are not realtime, and there is always a delay between a spammer launching a mass mailing and the blacklists listing it. 
  • Authentication: Several technologies exist to verify sender domains and hosts such as SPF & DKIM and these can serve (where used by the receiving server) to block spoofed spam which constitutes the vast majority of scams. For example, the HMRC who are under constant attack from scammers specify in their SPF records two hosts that are allowed to send email for @hmrc.gov.uk and of course the spammers cannot originate email from those addresses so SPF wins the day and any email coming from, say refund@hmrc.gov.uk that doesn't come from the two hosts listed in the SPF record are canned. This however all falls down when the receiving server doesn't check, the sending organisation doesn't use it, or the sending organisation has been compromised.
  • DNS: The domain name system is that which coverts gen.net.uk to 212.140.242.10 and back again, and when you send email to someone @gen.net.uk DNS gives up the address of the mail server that is designated to receive that email, in this case farpoint.gen.net.uk. The RFC1124/1124 which form part of Internet Standard 1 specify clearly that every host on the internet should have forward and reverse DNS, that is gen.net.uk to 212.140.242.10 and 212.140.242.10 to gen.net.uk. So, when a host 'spammer.com' connects from 212.140.242.50 to our mail server, we (a) check that 212.140.242.50 corresponds to 'spammer.com', that 'spammer.com' has a valid MX record and that the host listed in the MX record actually exists on the internet. This is particularly hard for a spammer to forge and therefore this check eliminates a percentage of spam as well as a percentage of legitimate email from companies who don't know how to setup very basic DNS correctly. 
  • Content Filtering: By far the most effective tool at eliminating spam which passes all the above tests is pattern matching. This involves looking and detecting elements in the body of an email and assigning a score to each detection. An example would be a HTML only email which scores 3 points, external links to pictures which scores 0.2 points each and so on. The more spammy the email the more points it will accumulate and once a threshold is reached the message is flagged as spam. Content filtering can make use of content lists which are maintained by third parties and provide known phrases and content to score. 
  • Bayesian Probability Filtering: A gross simplification of this would be that email which is known to be spam can be 'learned' and that data used to identify 'similar' spam. The area of mathematics is complex and the techniques even more so, but the result is the same in that spam that looks like spam based on learned data can be flagged as such, usually by giving it a score, such as +10

And with these methods we can and do filter around 80% of your spam, but its never ever going to be 100% because SPAMmers spend a great deal of their time trying to circumvent these filters likewise costing us a great deal of money to continually adapt the filters for maximum effect. 

BUT, we do have the ability to stop the SPAM completely, 100% total removal of spam so why don't we? Well, quite simply we cannot because in this day and age everyone's an expert when of course they aren't. Using the current standards, and systems we could easily: 

  • Eliminate the source of SPAM by authenticating the source of all email both by using DNS and SPF. This would mean that email can only be sent if it originates from an authenticated server and if all the ISP's got together an setup their systems in this manner (most already do) then spammers would ONLY be able to send spam by compromising users email credentials. That's going to immediately eliminate 67% of SPAM. 
  • Use the tools we all have available to track, trace, and block email origination 'out of zone'. That is, for every email account the email server will ONLY accept email from the senders company LAN, or their country of residence. This kind of geolocation limiting is already built into all the modern mail systems, but its rarely used. 
  • Use anti-hijack detection to automatically flag accounts that are likely to be compromised by looking for unusual email activity. For example, if a mailbox normally originates 50 email's a day and then suddenly originates 50 emails a minute then we have the systems to automatically block that behaviour until the mailbox owner contact's us.
  • The use of S/MIME certification, which is free for individuals, and only a nominal charge for businesses not only provides transparent encryption of business email, but also provides authenticity to every recipient, so that when you receive an email from fred@bloggs.com, it comes with a 'seal' that confirms the email came from fred at bloggs.com. We've used these for the last decade, but we're pretty much alone in this. 

So, it doesn't sound that hard does it? Well its not, but unfortunately as an ISP with many customers there are always going to be the few who effect the many as in many business models. No matter how much you promise your customers a spam free life, a minority of customers don't want to hear that fredbloggs inc doesn't meet the standards and/or is blacklisted and therefore cannot send them email, they just insist how important it is that fredbloggs inc can email email them. This creates a real problem for ISP's who technically want to kill spam as promised to their customer base but are also aware of the real world cost of dealing with ticket after ticket of 'I can't receive email from xxx' and the time and effort spent identifying the sender doesn't comply or is blacklisted then trying to explain that to the customer.  

So our approach, which has been adapted over the years is to offer three levels of protection: 

  1. No Filter - All email is accepted regardless. All Spam and Viruses are delivered untouched. 
  2. Basic Filter - Some filtering is done, but spam is still delivered with [SPAM] in the subject line allowing customers to filter that into a spam folder if required. Some antivirus protection is enabled. 
  3. Max Filter - All the above fully enabled and active both Anti-Spam and Anti-Virus. 

And as we expected the vast majority of business and corporate customers opt for the Max Filter, with only a very few opting for other options. The customers who opt for and stay with the Max Filter understand the issues and stand with us on the fight against spam. If a sender winds up blacklisted then they don't tell us, they tell the sender to sort it out. 

So what's the future? Well unfortunately as it stands with some ISP's favouring an easy life rather than deploying the available protections, with players like Microsoft and Google seemingly doing nothing to limit the spam they collectively originate, and with senders especially in the less advanced countries not able to configure even the very basic standard requirements we're going to be up to our armpits in spam for a good while to come but I do feel that things are changing as we're already seeing customers migrating to us solely for the benefits of our protection systems and that means we're doing it right. 

There are a number of articles on Blacklists, SFP, DKIM on our FAQ as well as the internet standards 1 RFC's. They are all technically orientated but available for anyone who's interested. 

 

Continue reading
  2597 Hits
  1 Comment

Copyright

© (c) 2017 GEN Partnership, E&OE

Recent comment in this post
Guest — cjm
Agreed, the lack of technical standards enforcement is the very reason we ALL have to suffer the endless onslaught of spam.
Wednesday, 18 January 2017 17:04
2597 Hits
1 Comment

Apple Wi-Fi Assist and Mobile Data Charges

Today at the HelpDesk we were dealing with a corporate customer who was experiencing HIGH mobile data charges and wasn't able to pin down the cause. We had a pretty good idea of the cause and this was confirmed when we took a look at one of the mobile handsets with high usage. In IOS 10 Apple introduced a new 'feature' called Wi-Fi Assist which is supposted to increase mobile data reliability for customers with poor wifi, which is great, but the issue is that even if you make sure you only use traffic intensive App's like YouTube etc when your on wifi, with WiFi Assist enabled the device can and will use mobile data (without telling you) if your wifi signal becomes weak, and that's ok if you have an unlimited data plan but we all know those don't exist in any form. 

Turning it off is easy if you can find it, go into setting, then mobile data (towards the top) then scroll all the way down to the bottom and there is it. in the example below, Wi-Fi Assist had assisted us to use 478K of mobile data whilst we were on Wifi. Whilst your in the screen and have turned off Wi-Fi Assist then its worth having a look through the apps listed to make sure you've allowed/denied mobile data as needed. 

Continue reading
  2161 Hits
  0 Comments

Copyright

© (c) 2016 GEN Partnership, E&OE

2161 Hits
0 Comments

Just Don't

I've just returned from a new customer who has experienced a serious data breach and the ensuing blackmail and extortion that follows. We were introduced to this customer by recommendation after they were contacted by an unknown third party asking for money to return their confidential data and of course supplying proof in the form of attachments. The nature of the clients business is such that the confidential data, if in the wrong hands would present a significant risk to the business hence our involvement. So, not wanting to name any particular company, the previous 'supplier' of our new clients IT seemingly had no idea about security and probably wouldn't know a risk assessment if it hit them in the face and that annoys me, not only because we come across this situation on a very regular basis but because there's really no excuse for putting a companies very existence at risk by simply not understanding the sector in which you operate. In any industry there will always be suppliers who know the industry and those who don't but in IT the actions of one supplier can very literally mean the end of their customers business as potentially in the case that prompted this article. 

Start with this question, what is your data worth to someone else? If you sell washing machine spares, then its worth money to your competitors and the pain will be felt gradually as you loose customers for unknown reasons, but if your a solicitors, a financial organisation, a doctors, the value of the data goes far beyond its monetary value, there's the exposure, the embarrassment and the compensation that would ensue along with sanctions from regulators and so on. 

So, I will try my best to educate customers in what is and is not a good idea when considering IT and security. I have a list which isn't exhaustive but certainly covers some of the main issues...

  • If you have an internet connection, NEVER EVER under ANY circumstances connect a cheap Chinese router to your LAN. So if for example you have an internet service from BT and they supply you a cheap Huawei router, then never connect that directly to your LAN, just don't. These devices are cheap as chips and have about as much security as a paper bag. They are easily compromised, have absolutely no outbound security and their firewall is laughable, but they aren't supposed to be connected directly to your lan in most cases they are 'residential' quality and as a business your expected to understand the risks and mitigate them by either replacing them with a competent router or simply connect them to a separate security appliance. But trust me on this, just don't connect it to the lan, ever. 
  • Local services, and more specifically if you have a local (in your business) web server, or email server, then under no circumstances allow it to be connected to the internet directly. This is bad on so many levels, many of which are quite technical, but the key point here is that *IF* you allow it to be connected directly to the internet, then you have of course got to allow the internet into your network as communication is a two way process. This is the very attack vector (method of the data breach) that was used in the incident that prompted this article. The clients 'IT' supplied setup Microsoft exchange on a server and then opened ports on the cheap router which was directly connected to the LAN. The server was quickly compromised and whilst it was used to originate spam the hackers also vectored out from there to the company's NAS and downloaded the entire thing, how? well because the administrative account on the exchange server was the same account/password as the admin account on the NAS - seriously.
  • Never rely on free or bundled antivirus, and never on 'windows defender', they DO NOT STOP ANYTHING. A good antivirus solution will protect your network and its endpoints to a degree, but it can never be 100% no matter how much you spend. Our AV solution comes out at £2 per month per machine and includes support should you experience a virus event and require it which is also an important provision. But be aware that an antivirus solution will not protect you from poorly designed, poorly implemented network security. 
  • Never rely on the poorly implemented and weak VPN services built into cheap routers, just don't. PPTP is so weak it should be considered unusable. There are far better solutions for VPN and having a dedicated vpn appliance, or having it combined with your security appliance is the best option. Better still is to use a secure access service such as SAS or Juniper SA etc. 
  • Never install applications such as teamviewer, radmin, vnc etc, these applications will create tunnels through your weak firewall to the internet which are persistent (always there) and these can easily lead to additional attack vectors especially when combined with social engineering techniques. A good firewall will not even let these programs run and block them by default. If you do need remote access then use a secure VPN method as above. 
  • Wireless, when setup correctly can be very useful, but when setup poorly presents a significant risk to the business. This is of course because wifi isn't just in your office, its outside in the street, next door, other floors and cheaper wifi equipment has flaws that can be exploited to determine the wifi password and associate with the access point. Even more effective are social engineering techniques to gain a wifi password, and of course there's always Microsoft's wifi sense password sharing endeavour which we talked about before. So stick with high end Wifi access points, have centralised management and oversight, use WPA2 with TKIP or AES encryption and use mac based security as a second level of protection. 
  • Ports or not Ports; Almost all businesses have Category 3, 5, 7 or 8 cabling throughout, and these terminate at the wall with RJ45 jacks and that's great because this is where you plug your computers and phones into, but managing the availability and security of these jack points is a critical concern. Consider this scenario.... a business has cat5 throughout the offices including reception, canteen, locker room etc. A person pretending to be a potential customer enters the premises and whilst no one is paying attention plugs a small device no bigger than a thumb drive into a vacant cat5 port then leaves. You might think that'll never happen but I can tell you in the IS audits we do for our clients it HAS happened and will continue to happen. The device that is connected is a small battery powered wifi access point that doesn't broadcast its SSID (network name). With this the 'visitor' can, from the car park find a local IP address, and then initiate a network scan for services such as email, files and so on. With a little effort and some automated software a selection of attacks can be performed and if successful, systems and data compromised. The nice person who perpetrated this crime will then upload some software which opens a connection through your firewall to a remote server and waits for instructions. Everything from here onwards can be done from anywhere in the world and there is very little anyone can do to track this down. This is becoming an effective attack vector and awareness is the key. Don't have any ports live that don't need to be, have managed switches and allow lists by mac and some form of intrusion detection either in the security appliance or separate. 

The bottom line here is that any IT infrastructure should not in any way directly connect the public internet to your local network and likewise your local network should never directly connect to the public internet. This one is simple.

More challenging is making staff aware of vulnerabilities in your infrastructure and how to detect, and deal with them. We've touched on social engineering above but this is becoming more and more common and whereas you might be very good at spotting spam or fishing email's, suspect phone calls from 'it support', or are aware of the possibility of rogue devices and subversion, is everyone in your organisation?  in this modern world they need to be, through both training and auditing. No matter how secure your network is, with its expensive firewalls and security appliances, it only takes one member of staff to bring the whole thing crashing down - Staff are and will always be the biggest risk to any organisation, but trust me on the crappy router. 

Continue reading
  2219 Hits
  0 Comments

Copyright

© (c) 2016 GEN

2219 Hits
0 Comments

Data Security of Warranty and End of Life Drives

I'm sure everyone has had to return a failed hard drive or replace drives that are end of life and this process is well documented in many security policy, but how do you ensure the data is irrecoverable before disposal or return? 

You would be surprised to learn just how much data can be recovered from a seemingly destroyed hard drive, and we are well aware because we spend a great deal of time every month recovering data from Hard Drives, SSD's, tablets, phones, USB sticks and more with significant success rates. 

So, in order to satisfy this need the group has decided to offer *FREE* non destructive hard drive data destruction for all our customers. Simply return the drive to us and we will securely erase the data using a device which emits very strong magnetic fields in patterns desgined to purge data from magentic media. If the drive is a warranty return then we will take care of the return to the manufacturer for you too, again at no charge. 

Thank you for taking the time to read this post and have a great week!

Continue reading
  1998 Hits
  0 Comments

Copyright

© (c) 2016 GEN Partnership

1998 Hits
0 Comments

Windows 10 and Wifi Sense

Windows 10 and Wifi Sense

Windows 10 has a lot of additional features over previous versions and most are safe enough, but a few stand out as being a little dangerous. Wifi Sense is one of those because it doesn't clearly explain the ramifications of setting it to the end user. Microsoft describe Wifi Sense as "WiFi Sense automatically connects you to WiFi, so that you can get online quickly in more places. It can connect you to open WiFi hotspots it knows about via crowdsourcing, or to WiFi networks your contacts have shared with you by using WiFi Sense."

Sounds great! if your out and about your laptop or phone will automatically connect to wifi that has been shared by 'crowdsourcing' without even telling you. So why is that bad? 

Well its bad on many levels, and I'm going to try and be as non-technical as possible here so as to benefit as many readers as possible....

  • Firstly, automatically connecting to anything is bad except for your trusted wifi in your home and/or office. This is because malicious individuals could setup a wifi hotspot, leave it without WEP or WPA (i.e. no password needed) and then wait for unsuspecting people to connect to it at which point a crafted attack is performed at your device. If passwords are being shared between these hotspots and many microsoft devices then everyone who passes is at risk. You should always be careful when connecting to wifi especially from a Windows Phone or Computer. 
  • Wifi Passwords are there for a reason; to limit access to the wifi network to those who know the password. Wifi Sense, as described by Microsoft will "Automatically connect you to WiFi networks that your Facebook friends, Outlook.com contacts or Skype contacts have shared with you after you've shared at least one network with your contacts.". So, that means that if, by chance you have not disabled "Share network with my contacts" which is found in Settings > Network & Internet > WiFi > Manage WiFi settings, then your home and office wifi passwords are shared with all your facebook friends and contacts. That is bad for so many reasons, but here's a few; Firstly do you really want everyone on your facebook friends list having your personal Wifi Password and being able to connect to your personal Wifi network at home remembering that your personal wifi network at home is treated as your local area network and is trusted? Wose still do you want your social media contacts and email contacts having the company Wifi password to access that at will? I don't think anyone does, but that's what's going to happen unless you disable this feature. 
  • Did you know that Wifi Sense also captures your GPS location as well as your wifi password? How save is this data that your sharing? Where is it stored and how is it shared? Consider the potential risk of having that data compromised and revealing the wifi passwords of millions of users worldwide, that alone should be enough to turn this feature off. 

So its up to you, as users to make your own deicision on how this goes down, all I can do is point out the risks and leave it with you. Microsoft have a FAQ on the subject which I recommend reading for additional information. 

To Disable Wifi Sense follow the instructions found HERE. Remember, even if YOU disable it and then let someone you know have access who has NOT disabled it then there is a possibility of your Wifi Password being shared, so check with everyone who give access to that they have also disabled WifiSense. If you are still worried then you can change your SSID to something followed by _optout as per the Microsoft FAQ but that seems a little extreme unless you have already shared your Wifi Password unknowingly with the world in which case change both the SSID AND WIFI Password once you've disabled WifiSense. 

You may also want to consider disabling location tracking by following the instructions HERE

 

Continue reading
  2710 Hits
  0 Comments

Copyright

© (c) 2016 E&OE

2710 Hits
0 Comments

Today at the Helpdesk - ITV Player

A Customer raised a ticket at the HelpDesk today complaining that their ITV player was no longer working correctly and giving strange messages. We asked for a screenshot and received it minutes later. The screen show indicated that 'Ad Block Software detected' which peaked our attention and so we investigated further. 

Now ITV Player is one of the few remaining companies still using Adobe Flash Player to stream movies despite there being much better transports available (like HTML5 etc) and flash gives us a number of problems here because (a) shockwave/flash is blocked by default at the firewall (as it is for all our customers of officeGateway), and (b) none of our workstations have flash installed as its a high security risk. Anyhow after some faffing about we managed to get the adobe flash demo page to work and then switched on over to ITV player. 

After selecting a program to watch, the usual unclean and tatty flash player window is displayed, and we click the big > in the middle to play. Immediately we're given 5 minutes of adverts to watch before we can do anything else like FF/REW etc. Then after the 5 minutes of ad's we're onto the programmes introduction for another 2 minutes and then finally the show begins. Now at this point we followed the EU's reported behaviour of fast forwarding to the second segment of the show, and doing this means that again we have to watch another 5 minutes of adverts, and then on the last advert....

Perfect, we can reproduce the issue in a freshly installed (today) system of Safari 9.1 on OSX 11 with definitely no ad block software installed. After this rather abrupt message the player is dead and you have to refresh the page and whilst the option to 'Resume' is offered it does nothing except start from the beginning again meaning... watch another 5 minutes of adverts, FF then watch another 5 minutes of adverts and finally get to the segment you need to watch, but on our second try we got something else...

And yet again, flash player is dead and we've got to reload the page, another 5 + 5 = 10 minutes of the same pointless adverts and then the show plays just fine. We shuffle back and fourth several times after this and it seems to play everything just fine, we even left it playing in the background and it got through another two episodes before the 'Ad Block Software detected' message truncated our viewing enjoyment. So, being 'flash' which is so easily reversed we downloaded the SWF file and took a look at the cause of these spurious and erroneous messages. 

Looking at the code(scripts) within the SWF file it would appear that the ad block software message is triggered when a HTTP request fails, but that wouldn't necessarily mean its ad block software would it? In our short tests today the player has shown itself to be far less than reliable on a fresh install of OSX and if all it takes is a HTTP error to cause it all to come crashing down then someone really should sort that out. Whilst we were in the code we did notice a significant level of logging and auditing taking place that I'm fairly sure no one knows is happening but that's another story for another day.

For effective Ad Blocking with this shockingly poor flash setup it would be much easier to redirect the SWF request to a crippled SWF (or decompiled/recompiled) with the ad's removed. If, on the other hand someone actually wanted to add in 'Ad blocking' software detection then doing it within HTML5 would be far simpler with some client side js/java passing a token back to a server somewhere then a reliable solution is to be had. Of course, once you've spent a few £££ on that solution then ad block software vendors will find a way around it by trashing your client side js so one has to wonder if the battle is even worth the expense? In ITV's case I strongly suspect their spurious 'Ad Block Software detected' message simply serves as a catalyst for the viewer to hit google and discover that Ad Block software does exist and how to download and install it. I suppose its a little like "thepiratebay" that virtually no one had ever heard of until some muppet decided to sue them and then suddenly the whole world knew about it and sites like it and moreover how to get around all the worthless 'blocks' that ISP's were forced to setup by clueless judges. 

So back to the ticket in question, we couldn't of course fix ITV's failures to provide a stable service but the whole idea of 'Ad Block Software' gave us another avenue to explore - Ad Block Software! We searched the internet and found several solutions all promising to remove all ad's and thought we should give them a try. I'm going to go ahead and call these Program 1, 2 and 3 and not give out the actual names of the software as I don't want to encourage anyone to install software that's not been fully certified as safe but if you have the knowledge then google/bing is your friend. 

  1. Program 1 is open source, freely available and seems to have a fairly active github repository and once installed we found it did indeed block some ad's but not ITV's. It didn't however increase the incidence of the erroneous "Ad Block Software detected" message and in fact it seems to occur less often with it installed but that may be coincidental. So we uninstalled that and moved on to...
  2. Program 2 is closed source but freely available and seems well supported. We installed it without issue and again it did stop some ad's from some 'other' websites but for ITV player it stopped it working altogether. We found that we could specify various options to make it work again but we still got ad's and the erroneous message still appeared from time to time but no more than with nothing installed. So uninstall and move on to...
  3. Program 3 is closed source and not free but we did managed to acquire a temporary licence from the vendor for our testing, this installed without issue and finally our ITV player was advert free and without any 'Ad Block Software detected' message either. With a little more investigation into the settings it was clear that this plug-in was operating at a much lower level than Program 1 & 2. 

So, in summary, the message is in error and it clearly only serves to annoy potential viewers but when you look at the whole ITV player setup, being forced to watch 10 minutes of adverts, that's 40 minutes per hour is in itself going to alienate customers especially if they are just the same ad's over and over again which is what we observed. I personally think YouTube has the balance about right (and I'm rarely one to support Google) with its skippable adverts which means that if I'm not interested then I'm not forced to watch it all, but on the other hand it means that the adverts that do interest me I can watch in full and I do watch some in full just in case anyone wondered. 

This article is a technical article and the content is solely the opinion of the author and not the company. E&OE. Neither the author nor the company has any interest in ITV, its player or any solution designed to remove advertising and does not recommend you do or do not install any such solution. 

Follow up

So, the same customer contacted us again today via the HelpDesk to tell us that ITV Player was now not working at all and instead was saying "ITV Hub is only available to viewers in the UK" as below:

Whilst its mildly entertaining that ITV seem to think that Reading, Berkshire is not in the UK that is in fact the location of our customer. We did check the RIPE whois on the IP subnet used by our customer and it was indeed located in the UK so this is clearly just another ITV error. We simply advised that they contact itvhubhelp@itv.com as instructed because the only people who can fix this are ITV. 

 

 

Continue reading
  6609 Hits
  1 Comment

Copyright

© (c) 2016 GEN

Recent comment in this post
Guest — LJM
ITV Player has always been a substandard piece of trash. Requiring logins, requiring ad-blockers to be removed when they aren't e... Read More
Friday, 13 January 2017 14:15
6609 Hits
1 Comment

Web Harvesting, List building and how to avoid it

Today at Technical Support

One of our customers raised a ticket at the HelpDesk complaining of telemarketing calls on his managed VoIP telephony system. Some technical analysis later proved that the incoming calls were genuine calls and there was no security issue around the platform. The customer disclosed that his email was also inundated with spam which started around the same time and this points us to a completely different cause. During the next few updates and phone calls the customer disclosed that he'd recently had their website redesigned and paid for some form of 'marketing'. 

Taking a quick look at the website it was clear to see why they were suddenly victims of a spam attack; The website, although very pretty had their phone number (actually three of their phone numbers) in plain text on their contact form and again on their about page. Additionally, their email address was hard coded into the contact form. 

A quick web search using our favourite search engine of their telephone numbers showed them appearing in 192.com, yell.com, and various other 'indexes' that no one ever uses anymore in one form or another. This was apparently the 'marketing' they had paid for. 

Web Harvesting

Its fairly easy to write a program that will load a web page and save the contents to disk. Its fairly easy to take said contents and search through it for email addresses and telephone numbers. Now, imagine that same program started at google uk with a search for "engineering" and then just spidered (followed every link) saving the contents and then searching for email and phone numbers. That's exactly what web harvesting is, and spammers use it all the time to compile and sell lists of phone and email addresses to other spammers. 

So how do you prevent your contact information being harvested? 

Its actually as simple as you'd expect. Do not under any circumstances put your email address or telephone number on your website - ever. In days gone by we were able to put the telephone number in an image and obscure it that way, but with modern OCR systems like tesseract even that no longer works.

If you really absolutely must have your telephone number on your website then we can shield it by formatting it in such a way that simple searches won't see it (such as breaking it up into several parts and then having each part in a separate DIV/P)  or we can hide it behind a server side request using a captcha but both these options serve to confuse potential customers and does it give any benefit? Maybe from programatic web harvesting, but it won't stop list builders from Asia. 

List Builders from the far east? 

Yep, so qualified list's can be purchased for not a great deal of money from certain companies that do not use programatic based harvesting, but instead have a room full of staff who use search engines, find companies, and then compile lists. An example would be if you wanted a list of dentists in the south east then for a few hundred dollars your custom list can be provided. Its not going to be perfect, but the accuracy is going to be much better than web harvesting because someone has actually done some research. 

Is it legal? Yep it sure is as all the legislation to date only protects individuals and not businesses, and besides even the current legislation is next to worthless given the global nature of the internet. 

Contactless Contact 

Contact forms without contact information? Sounds like trouble to me, but in fact it isn't as a well designed and fast contact form will usually do the trick just fine. If you want that instant response then consider an inline chat system like tawk.to. 

But what about Google Places for Business, or Bings equivalent ? 

In order to have your business listed in either then you need to have a phone number, but it doesn't have to be geographic and it doesn't even have to work. We're listed in both of course but we've listed a non-geographic (08700) number which plays a message to say head on over to the website and that works just fine given that we get almost no traffic from the number over the year. 

 

 

Continue reading
  2183 Hits
  0 Comments

Copyright

© (c) 2016 GEN

2183 Hits
0 Comments

How to completely Remove OneDrive from Windows 10

OneDrive comes installed with windows 10, and whilst some may trust Microsoft with their personal, corporate and confidential data, I'm not one of those. So I want it gone and that's gone from windows explorer, gone from the task bar and just generally not there anymore. 

So firstly, open up a command prompt. This can be done by pressing the Windows Key + R and type CMD or by typing CMD into the I'm cortana box by the start button and select cmd/Run Command or by going to Start /All Apps / Windows System / Command Prompt. You should wind up with a black box and some text in it saying something like "Microsoft Windows [Version 10.0.10586]" and so on. 

Now with any luck its going to leave you with

C:\WINDOWS\system32>

If not then do one of the following depending on whether your running 32bit or 64bit windows 10. 

32Bit: Type cd \windows\sysWOW64

64Bit: Type cd \windows\system32

Now, we are ready to remove one drive, and the command is: 

OneDriveSetup.exe /uninstall

Once you've run this, you will probably get one of those suitably annoying UAC confirmation's and you should select YES. 

And its done, its gone, no more OneDrive. 

NOTE: With windows 10 refresh, microsoft re-install onedrive without notice so you will need to remove it once again by following the instructions above or a slightly more complete version available at GENSupport.net

Continue reading
  2678 Hits
  0 Comments

Copyright

© GENADMIN

2678 Hits
0 Comments

Windows 10 and Microsoft Ad-ware

If you are unfortunate enough to have upgraded to windows 10 and found half your stuff doesn't work and there's no way back then a fresh re-install of windows 7 is probably the only option. If however you've upgraded and its all pretty much working then you may want to get rid of a number of windows 10 annoyances and we'll deal with those here. 

Firstly, Windows 10 bring's Microsoft advertising directly to your desktop. No one asked for this or wants it, but its there and luckily its easy to turn off. 

Go to Start / Settings, then Personalisation, then Start from the bottom left and finally locate and disable "occasionally show suggestions in start". 

Now your free of that, how about the equally annoying pop-ups that seems to want you to try various Microsoft products and so on? 

Go to Start / Settings, then System, then Notifications & Actions from the left and finally, disable "Show me tips about windows". 

Then scroll to the bottom of that window and look for things like "Get Office" and turn that off too. 

And at last, quiet. 

Well for now at least, until Microsoft push out another update, and yet more annoying ads. 

Continue reading
  2092 Hits
  0 Comments

Copyright

© (c) 2016 GEN Partnership

2092 Hits
0 Comments

The Tools are back!

The Tools are back!

When we moved from the old HTML4 GENSupport website we left behind the heavily used 'Diagnostic Tools' section and we promised to rebuild it on the new site. Well, its taken a few months but we've done it and the new tools section can be found at the GENSupport website under Tools

We're going to be adding the rest of the lesser used tools over the coming weeks as we rewrite them on the new platform. 

If anyone has any issues using the new tools then raise a ticket or drop a post in the forum and we'll get right on it. 

 

Continue reading
  3477 Hits
  0 Comments

Copyright

© (c) 2016 GEN

3477 Hits
0 Comments

Cheap IP Cameras - Worth it?

Cheap IP Cameras - Worth it?

As you probably know GEN supply IP CCTV systems to businesses around the UK and we generally use Samsung or Sony camera's to provide to highest quality picture and stable video, however, we though it would be worth checking out some cheaper chinese camera's to see how they compare price/performance wise and here's what we found: 

Test 1: The Foscam FI9828W

This Wifi (not that anyone would use Wifi) enabled camera comes without POE and audio (although audio can be added separately). Its listed as having 1.3 Megapixel (1280x960p)  resolution, H.264 video compression and frame rates of up to 25 fps. On the face of it that sounds ok, but whilst it has a 360 degree pan/tilt it only has a 4 times optical zoom which is about as much use as windows 10. We had no real issue connecting it to the system although we did have issues with frame rates above 15fps on variable bandwidth. Setting it to constant bit rate of 4k solves that issue. The picture quality was, well, poor at best and the colour rendering was pale and unexciting. The pan/tilt speed was acceptable but we found we'd ofter overshoot and have to come back which made operating it cumbersome. Setting patrols seemed to work for a short time but the camera would drift out of sync and the patrol positions would therefore move until a camera reset restored operation. The Infrared night vision was extremely poor suffering from reflections from inside the dome and we found no way to turn off the IR LED's but keep it in IR sensitive mode as you would always expect to be using a separate IR source anyway. 

So in summary, the Foscam FI9828W is ok for domestic use, but no where near the mark for commercial use. We ordered two, and one came with duff optics but despite several phone calls, and email's we were unable to get Foscam UK to exchange it despite their promises to the contrary. As a side note we also ordered in FI9805E which packed up working after about 2 weeks and once again support was non-existent. 

Test 2: HIKVISION DS-2CD2132-I

This is advertised as a vandal resistant external dome camera with a 4mm lens, and it is all that for sure, but once again night vision suffers really badly from internal reflections from the dome. The configuration was more flexible and we could disable the IR LED's but keep the sensitivity which resolved that issue. The picture quality is pretty good although the compression could have been implemented better. We found a frame rate of 12fps, with constant bit rate of 4k produced the best video feed but again the colours were wishy washy and the camera suffered badly in sunlight and would clearly require additional housing if used in an area where sunlight was an issue. We mounted one vertically and one horizontally and found the vertically mounted camera suffered from rain on the dome which we mitigated to a reasonable extent with some RAINX.

So in summary, the HIKVISION  DS-2CD2132-I makes a good attempt at being a quality camera, but the actual picture quality and lens lets it down. It would be fine in a domestic setting but not really in the game for commercial use especially in low light or fast motion. It has to be said that both HIKVISION cameras worked out of the box and during the testing which took several months without issue so we were unable to experience the support channel which was unfortunate. 

So there you have it, are they really worth the hassle? Well, a typical 3MP sony IP Dome Camera is going to cost you around £600, and a HIKVISION 3MP IP dome is going to be around £120, but on a price performance basis the Sony wins hands down with crystal clear video, vibrant colours and excellent low light performance. In a large installation you could save 20K on camera's if you can put up with the issues but you will soon be eating into that 20K saving with replacement camera's on a regular basis as well as service charges and so on. 

Anyway, if you found this interesting then let us know? If you want us to test a specific camera, let us know? 

 

Continue reading
  2283 Hits
  1 Comment

Copyright

© (c) 2016 GEN

Recent comment in this post
Guest — Bob sanderson
But you do have to factor in the costs of camera failure in the real world and the liability that it creates. In the real world, u... Read More
Monday, 15 February 2016 15:02
2283 Hits
1 Comment

The Nomad RoadTrip

 

With Mobile devices becoming more indispensable every day there's a growing market for additional battery capacity. Companies like EE have for many years been supplying USB power packs that can be used to charge your mobile devices when away from the office, and we internally use a 12Ah unit to change multiple devices when off site. 

The Nomad is slightly different to the usual footprint because you can only change it in the car

During out test, we struggled to find a cigarette lighter socket in our vehicles that would take the size of the unit but when we did (in the boot) it fitted very well with no movement and remains firmly connected. The charge indicator is on the top and clearly visible in the vehicles we used. When you compare this to the usual setup where your power pack floats around the vehicle on its charging wire as you drive this is hugely more practical. 

The device connections are USB-A (the standard usb socket we're all used to) and the new USB-C socket which is a new standard. The reason for this is unclear, and I suspect many of us would have preferred 2 x USB-A until the USB-C standard becomes more widely used but it is what it is. The power output is apparently 1.5A per port (so that's 1.5A useable unless your lucky enough to have a USB-C cable to use). 

When charged which takes a couple of hours, and we're assuming having all the LED's illuminated indicates this, then pressing the button supplies power to the accessories. Its a real shame that you have to actually do something to make it start supplying connected devices as in our test we found that we were pre-programmed to just plug it in and go forgetting to push the button and of course not powering anything. I have no idea why they did that either, surely when you connect it to the car it should power the output automatically? I can't think of a situation where you would plug it in to the car, connect your devices and NOT want it to start supplying them, but its too late to change it now. 

In our test we used an iPhone 6S+ and it charged it from just below 50% to full in about an hour which you may not think is particularly fast but it is comparable with other devices. 

So in summary its a good idea but with a relatively small capacity (3000mAh), relatively high price $50 and problems finding a socket in your vehicle that will take the size of the unit its probably not something that will go mainstream anytime soon. As a side note, for anyone in the UK we did find that it interfered with DAB radio especially when placed in the boot near the DAB antenna so that's something to watch out for. 

Please see the Nomad Website Here

Continue reading
  2107 Hits
  0 Comments

Copyright

© GENADMIN

2107 Hits
0 Comments

Backup and Restore Strategies

Its that time of year when we like to remind our customers that having a complete and tested backup and restore strategy is a business critical requirement especially when many customers work on a set and forget basis. That is, they set it up, and then forget about it only being vividly reminded when the server catches fire or some other disaster. We've recently had one customer who setup an online backup almost 3 years ago and when they really needed it they found the company had gone bust two years ago which in short means, no backup. Another customer in Q4 last year had an online backup solution which used a local key stored on the backup server to encrypt the backup, which is great until the server blows up and you can't restore the data without the key that's now lost. These are just simple examples of how set and forget which is so often promoted as beneficial is really not in any way a benefit. 

So whatever your backup solution, please take the time at least one a year if not more often to analyse log files and actually 'test' the restore process and make sure it works as expected.

If your using any of GEN's backup solutions then we're more than happy to work with you to actually carry out a full restore onto another system to test the solutions. 

 

Continue reading
  1822 Hits
  0 Comments

Copyright

© (c) 2016 GEN

1822 Hits
0 Comments

Counterfeit HP Consumables

Counterfeit HP Consumables

Hewlett Packard are not by any stretch the only manufacturer to loose revenue to cloned consumables, but they are by far the largest supplier effected by corporate procurement of counterfeit items. GEN as a HP partner will of course only supply HP branded consumables and we're confident that our supply chain is trustworthy, but in December 2015 a large IT distributer was found to have a significant stock of counterfeit HP consumables and had of course supplied those to corporate customers. 

There has always been an argument that counterfeit supplies somehow help to control the price of genuine products but its rarely backed up with any evidence and if you actually analyse the cumulative effect that counterfeit consumables have then the opposite is far more likely the case. The reason for this article is that one of our good customers has recently returned a HP Laserjet printer to us for repair still containing a counterfeit cartridge. The damage to the printer was as a direct result of the failure of that cartridge and as such we are in a difficult position. In all likelihood we'll repair it at our cost under its warranty and then speak to the customer about the risks of counterfeit items, but how many times must we take the loss before we simply have to start charging for the repairs? 

And its not just us that will loose out, of course HP in many cases make zero (or less) profit on the actual hardware but instead rely on revenue from the consumables to fund future development. If the market becomes saturated with counterfeit consumables then, (a)  HP will have no other choice but to charge more for the hardware, (b) HP will not honour its warranty where fake consumables have been used and (c) HP will have its reputation for high quality products tarnished unfairly by printer failures resulting from sub-standard fake consumables, and who looses out in the end? We do. 

Now identifying counterfeit consumables is actually quite hard as they are deliberately manufactured to be 'clones' of the genuine article but the key indicator is the cost. If your suddenly offered consumables (in small quantities) at significant discounts then they are almost certainly fake and/or substandard. 

The only advice we can give is to purchase your consumables from HP Authorised distributors or Partners and that way your assured genuine items. 

HP have their own pages dedicated to counterfeit consumables which I'll link in HERE

Hardware, consumables and duty are the three factors that any business must factor into a price performance calculation when looking for a new hard copy solution and we would always do that for you, but if your a business that has purchased a number of HP printers and are now having issue with the cost of consumables then do talk to us as we can in many cases offer bulk pricing which over time can provide a significant saving. 

Continue reading
  2191 Hits
  0 Comments

Copyright

© GENADMIN

2191 Hits
0 Comments