New Questions

It's been a while since I've had a chance to post anything: I've been really busy with a client and there's been a lot of travel, I've also started a new business ... with a new blog.

From now on those aspects of business focused on research and consumer advice will appear there.

Firewalls, IDS and sticky tape

More Surface Pro blogging....

I had some issues with some of the Windows 8 apps that rely on Xbox Live sign in - Most seemed to take ages to sign in and others refused to sign in at all (SmartGlass in Windows 8!!!). I'd been poking around BitDefender and just couldn't deep enough into the configuration so removed it and went back to ESET.

After fiddling around trying to resolve SmartGlass sign in error 0x3ec with no success, I made some changes to get everything else working...SmartGlass now shows error 0x3ea and I've stopped wasting any more time on it.

[Please note - SSL scanning in original post, but see update comment at end of post]
Long story short - I often enforce an SSL scan (just because a service uses secured transport doesn't mean someone's cocked up something within the delivery), and this was basically what was causing the issue. After adding some certificates as trusted or excluded the whole sign process was fine.

Excluded certificates: login.live.com, storage.live.com
Trusted certificates: none (other than what you already have)

Not happy that some certificates have to be excluded from SSL scanning but a leap of faith needed to get features operational. Don't forget to disable all obsolete versions of SSL (TLS 1.x > only!) if the option exists in your security system.

In addition to that firewall rules need to be added for outbound traffic.

Application: {windows}\system32\WWaHost.exe
Application: {windows}\SysWow64\WWaHost.exe
Protocols: TCP
Ports: HTTP, HTTPS (ports 80 and 443 by default)
Direction: Outbound

The net result is that I have Windows 8 applications working and still isolated by the OS, IDS and SPI features working. There was an issue with a previous version where if your Xbox was wired to the network and you were using wireless for your SmartGlass device the two could not communicate - They needed to be on the same wireless network. I can understand why that might have been done but it renders the features pointless for me (it just doesn't fit the topology we need here at home).

As I've invested too much time already in SmartGlass I just uninstalled and moved on, but the rest of Xbox One, 360, SP3, Windows and WP are operational again.

Update 25-07-2015

I've now disabled SSL scanning in a few security suites due to concerns about privacy and chain management. A number of well thought of systems will not work with SSL scanning enabled (due to the way in which many security suites insert themselves into the chain). The firewall rules mentioned here could still help you but I no longer recommend SSL scanning
As part of my study for things like CEH I'm building a home IDS separate from these software components - these suites are fairly good for most people but anyone who does a lot on their home networks should consider defence-in-depth these days.

Job Board Analysis

I've been working on a blog post relating to the barter of personal information, most of it is unsurprising really but the flagrant disrespect for personal identity seems to be widespread.

An economy of scale where your information is bought and sold is inevitable - whether its your personally identifiable information, the email address you used to sign up to a newsletter or the details you forgot to remove from public access on a social networking site.

This isn't the place for that full post but an offshoot of that research unveiled something that may be of use to others. This year I started using a new sequence of mechanisms designed to trace the flow of information whilst I use the job boards - they're an essential business tool because as a contractor / freelancer it's the easiest way to find clients.

However these sites often require registration and up front disclosure of details - meaning you're essentially putting your details in the hands of a 3rd party. Most of the sites automatically create an account for you the minute you apply for a role, and - despite best efforts from your side - automatically subscribe you to 3rd party offers, newsletters, etc, etc.

Once you've applied for a job you have to log in, uncheck the relevant spam mailer and distribution options and hit the apply button. That, in my view, is unacceptable as it essentially puts you on the spam lists before you get a chance to opt out. Most job sites are guilty of it - most notably JobServe and TechnoJobs.

So you've now applied for a job but at least two organisations have your details - the job website data owners and the recruitment agency. That assumes that your details haven't already gone to a 3rd party for re-use too.

TL;DR

Of the three distinct phishing attempts made in October, they all came from PII which indicates it was skimmed from CwJobs applications or profiles. Had it all come from only one of the accounts I'd make a guess that it had come from compromised data at Harvey Nash but other permutations disproved this.

All three phishing attempts came from CwJobs email addresses which have only been used on that site, which means that either the recruiters or CwJobs - or both - aren't protecting personally identifiable information correctly.

Looking at it objectively it's more likely that the spammers are creating recruiter accounts on these boards and simply harvesting the details, capturing new job seeker update feeds, or acquiring the data more directly. Either way I've stopped using CwJobs altogether.

We cannot guarantee that other jobs boards aren't already compromised but hopefully the dragnet will either help ICO take the case forward or provide incentive to the site owners to review their validation procedures.

I've sent a copy of the blog post to the listed email address of the lawyer named in the spam, as well as the spammers "personal" email address to invite them to respond.

Phishing Explained

You really don't need to read this section if you're already aware, this is more aimed at people who have less experience with the web and email. I'm not writing this to extol any knowledge virtues but because I'm tired of answering the same questions from friends and relatives. Now I can just give them a URL to read.

So...

The aim of phishing is to get you to give up some personal details in order to access your account and get some money - or better, get you to give them money directly and save them the extra leg work. It's not about anything else.

I've got a dead relative in Malaysia and I should contact the Malaysian barrister using his Russian personal email address. Obviously if you want to check the address then having a poke around for the office on street view will show you where they are.

Of course it turns out this particular legal firm actually exists and uses a different gmail account, but that's just paperwork.

Now if by this point you still think this is a potentially viable email with genuine offers you need to re-read the last few paragraphs carefully. Make sure you follow the links in this post (not in your spam / phishing email) and think about it. Any email that asks you for personally identifiable information - Full name, date of birth, mothers maiden name, shoe size, etc... just delete it. If it's a bona fide conversation they'll be sending you a letter or calling you to make contact first. Don't give out any details over email to anyone you don't actually know.

I've included the entire email text in case anyone out there is searching for the same problem, and can get an indexed response based on content.

5 Ghz Wifi & Surface Pro 3

I've noticed a trend with SP3 users over the course of its life so far, and there's been a few issues initially relating to overheating, pens, over-eager power saving and wireless networking.

Whilst I feel fortunate to have missed out on these problems in only buying after the first big batch of firmware and software updates I've still been struggling with the 5Ghz band Wifi issues; that is, until now.

Basically I've had WiFi problems with Windows Phone 8.1 and Surface Pro 3; although not Surface Pro 1 funnily enough. A registry hack enabled visibility of 5Ghz networks on the SP1 but after recent WP8 updates I've not been able to acquire those networks any more. 2.4 Ghz is fine, and if separated from the router by more than one or two solid walls (esp. re-enforced concrete) 5 Ghz is next to useless anyway. I'm not going into details here but you can read about it on StackOverflow if you're interested.

However 5 Ghz is great for the same vicinity plus network storage / high data transfer, which is why I'm interested in getting it working over our home network. After two weeks of frustrated router settings experiments I found the solution whilst browsing with my Saturday morning cup of coffee.

The answer lies here on the Windows 8.1 Forums over at Microsoft. Now whomever UKNOWJP is, they deserve a medal - it only solves the problem on networks where you have privilege to change the router & AP settings but on your own network it's a winner.

There's all sorts of answers on the web about deleting drivers, updating router firmware, messing around with recovery partition driver versions....all valid solutions to other specific problems. However across all the different devices and patch versions I found across the forums this one was unique in that it solved the initial problem.

Just change all 5 Ghz networks channel numbers to below 100 - channel 36 is suggested in this post (you still need to use different channel numbers for different networks on the same frequency).

Don't forget: Reboot the router after you've logged in to the admin area and changed your settings; this prevents any possibility of latent session capture by unwelcome guests.

Now Windows Phone 8.1, Windows 8.1 (SP3 and SP1) all see every single WiFi network our routers provide...but it's not a silver bullet.

Prior to this I hadn't altered the channel number on the 5 Ghz networks so above channel 100 was the default setting. If that's the case we cannot guarantee that all networks of this frequency will enable contemporary Windows devices to connect - this only appears to be a problem with AP's running the 802.11ac protocol afaik.

Overall I think Microsoft need to work on some updates which don't have this channel number requirement - and disclose why this problem exists.

Addendum: I haven't checked this with iPhone yet, my better half has a 4S - that and iPhone 5 weren't 802.11ac capable...Will update when she gets her iPhone 6 to see if these settings are compatible.

VMWare Player Memory Issues

I had a *facepalm* moment with VMWare Player yesterday and solved it today so thought I'd share it - Either that helps someone out or makes someone laugh at my stupidity (either way it's a positive post).

I've recently been getting things deployed to my brand new Surface Pro 3 and by and large it's been painless - almost everything Windows 8'y was done instantly because of the settings sync between my Surface Pro 1 and my various desktop and R&D VMs using the same Microsoft Live ID. It's optional of course but I found that it makes a positive difference¹.

The only installs I've had to do are the standard laptop / desktop installs, e.g. Visual Studio, Achimate, EA, Office, etc... And VMWare Player^2.

None of these were an issue but when trying to spin up a VM I kept getting an error message telling me that there wasn't sufficient memory for the VM guest. I'd already moved VMX across from old Surface or installed new VM's from scratch so it wasn't happening all the time.

I thought that was a bit strange as my Linux guests tend to have 512Mb RAM for sandboxes and up to around 2Gb for intensive operators (such as some research tools on Kali). With 8Gb of RAM on SP3 and a few days researching memory cache in Win8.1 I was pretty confident that this wasn't the real issue.

Which of course it wasn't. Finally found this conversation chain on the VMWare forums.

Well that made a lot of sense. Should have checked UAC issues out first. I changed the application start-up options via context menu properties on %installPahth%\vmplayer.exe to run as administrator ... restart machine and - lo and behold - it seems to kick it into touch.

Hope that saves someone else the time spent on the problem :)

Disclosure Dilemma

Being able to find a flaw in a system isn't going to win you any friends - depending on your intent you may or may not profit from it - but the developers won't appreciate being told they screwed up and a project manager somewhere is quietly weeping over their previously impeccable Gantt chart¹.

One of my clients asked me if they could get one system to "integrate" with another by automatically logging on for the user. Aside from the usual question marks about stored credentials I did point out that unless there's a central authentication model (such as OAuth) it would not be advisable. Nevertheless I completed due diligence. In the process of doing the impact assessement I ended up doing a lightweight mini pentest after finding some interesting behaviour.

In this situation I'd normally contact the vendor and let them know about some areas for improvement and say nothing to anyone else but before I started the client specifically asked me not to contact the vendor of the system for any reason. Politcs aside they're clearly intending to replace the system and do not want to engage the vendor in the process.

Reading the papers yesterday puts the issue list in perspective - none of the issues I found are particulary serious but it does affect an HR system (and therefore real people data).

I could provide the information to the client and let them decide whether or not to disclose to the vendor but the problem here, again, is politics. They could also use it as a bargaining chip to either better the price or cut loose of a contract without giving the vendor a fair chance.

Knowing the client as well as I do they probably wouldn't expand the budget for upgrades so the vendors natural patch path has a chance to resolve some of these issues. To me this isn't an ethical approach because you're putting the power of blame essentially out in the open, which defies the point of responsible disclosure.

At some point the contract I have with the client will end but siding with the client vs. the vendor should have nothing to do with the financial incentives - Only bug bounties are the exception to this ethic.

I spent some time thinking about it and decided to get in touch with the vendor, against my clients wishes. I need not divuldge the detail of the political situation and only the tech detail.

Is that the right thing to do? What would you do?



1: No plan survives first iteration. Ok, ok, ok this could be a burndown chart but it seems most environments say "agile" but make it synonomous with "waterfall". Or Wagile™.

Council Tax: The Saga Continues

So despite being promised a response with 15 working days by Lisa Atkins ... I've received nothing. Perhaps they want to sweep the whole affair under the carpet? No-one likes seeing their ineptitude blogged about.

I may prod them next week after I've finished laughing about the "new" iPhone.

Auto-Archiving IMAP in Outlook

It seems like I'm not alone in initially being surprised that IMAP accounts cannot be archived in Outlook.

After spending some time poking around forums, Q&A sites and product support pages it's as simple as IMAP and archiving are mutually exclusive. I thought I'd put a concept forward for anyone out there who needs both the convenience of externally hosted IMAP functionality as well as the maildrop & delivery capability provided by the POP3 system.

A typical example here for me is wanting to access the same email account across multiple devices, get alerts on incoming messages on those devices, and be able to reply should I need to.

I also want to be able to take an archive of older emails (receipts, legal conversations, audit items, records of business and conversations, etc) and store separately for a given period too.

So in order to get around this I use IMAP almost everywhere but then on one (perhaps two locations) I'll connect via POP3 over Outlook - use whatever email client you wish - and use the auto-archive facilities to create email archive files.

Application and Service Relationship

These files (PST) can then be added to an offsite backup. An IMAP account in Outlook will use an OST file to cache mail items and headers but if its deleted or lost your IMAP account is unaffected.

Archive and Artefact Relationships
 

Council Tax

How I'd imagined Birmingham Council Tax team to appear on Monday mornings

Have you ever had a situation where your council have incorrectly billed you and take an enormous amount of time to get back to  you - never mind resolve the situation?

Have you ever become frustrated with local government civil service ineptitude, broken record response, their lack of productivity and their incredible inefficiency?

Have you ever received threatening letters from the council, perhaps attempting to coerce you into overpaying something with the threat of a court appearance?

Well, I may have a couple of pointers to help you out.

In the first instance, obviously try and get the other party to engage in the issue and make reasonable attempt to move the situation along. For example, I tried phoning the council and was told I couldn't close the account and get a final bill until I provided the next tenants details. As I no way of knowing this and they wouldn't take the management agents details, I was told there was "nothing we can do" by the person on the other end of the phone.

Even though I told him that it simply wasn't my problem and followed it up in an email to confirm, they still tried bill me after I had vacated the property. I even explained that no other city I've lived in has ever tried such a ridiculous trick to save themselves investigating the deeds.

So ... what next?

Firstly, take the name at the bottom of the automated council tax letter you've just been unnecessarily sent - Usually its from someone nominally senior to make the letter more official, threatening court action if you don't comply. In my example it was stamped from Chris Gibbs, the Assistance Director of Revenues and Benefits.

You'll need the domain name they use as well - Do a web search for "[insert city name in here] council tax" and it should be amongst the top results - it'll usually be the same as the council tax website where you live. In my example its "birmingham.gov.uk".

Put that aside and try the usual routes of approach - I tend to avoid spending my own money on hold over the phone with various departments, who only tell me to fill out a form; and email directly. Don't expect rapid responses but it means you're getting everything in writing.

In this case it took a fortnight just to reply to an email.

Now when this inevitably fails - After hearing every excuse under the sun no to add single person occupancy discount, or close the account due to you moving out, etc, start forwarding snarky emails to the semi-important nominee you found on your letter.

Try the following:

• firstname.surname@domain name
• [letter of firstname].surname@domain name
• [letter of firstname]surname@domain name
• firstname_surname@domain name
• ...and so on.

You'll end up with an email with a lot of recipients perhaps - try about five at a time. When one of the addresses does not return a failed recipient error email from the council email server you'll have found the right email address.

In my example it was as simple as chris.gibbs@birmingham.gov.uk - as you can see from the email I eventually got from his PA.

Now and then you may get the occasional attempt at derailment, or just plain mishaps with technology...such as your email vanishing in a puff of smoke. Example here. Apparently between replying to my email acknowledging receipt and then actually getting around to looking at it / forwarding it, the content had vanished. Electronic trickery. Clearly sorcery at work.

Finally, after five months end-to-end, malcontent with the situation and happy to demonstrate the level of ineffectualness to the courts; the council emailed me back. Very forthright and here it is.

I've waited a while to respond and ensured more people had access to the email address - Maybe it might help the council deal with queries faster - It certainly got past the evasive and disinclined lower ranks of the city council for me.

So all it took to add single person occupancy discount to the council tax bill and close the account in order to send me a final bill was my prompting, cajoling, returning legal threats in kind, involving the department deputy head for five months.

It took six minutes to pay in full electronically from my tablet.

Even now Chris' department are attempting to coerce me into paying council tax for a period after I moved out. Guess its time for another email...

Update 2015

After a few months of hearing nothing I got a bit suspicious - I'd created enough attention now that the issue would surely be resolved (only took a year). Unfortunately it had: The council had ignored my proof and raised a claim in the courts without notifying me. By the time I found out about it a collections agency contacted me. I'm not sure how legal that was because I would have been extremely happy to represent myself in the courts - after all, plenty of public evidence.

My advice here would be to email and call every week for an update to check that your council weren't trying to pull a fast one, I didn't and got caught out procedurally.

The net result was that I had to pay for the con-job letting agents portion of the bill as well as my own. I suppose it was more the principal of it than anything else as the money involved was negligible (only around £200) but local government defeated me by knowing how to take advantage of the system in order to absorb their own broken processes.

However, if you fall foul of a similar situation don't forget; don't waste your time with the 9-5 mob at BCC as they'll just have you chasing your own tail. Go straight to Chris Gibbs so you can get a response, and he can be reached at: chris.gibbs@birmingham.gov.uk - best of luck.

Silver bullet? No such thing

With recent activity surrounding OpenSSL / LibreSSL / BoringSSL and the ongoing debate into the feasibility of open source quality control, it may be worth sharing a couple of quick tips to help.

Changing passwords on systems affected by heartbleed isn't going to fix the problem - intruders can still get in and insert themselves in between you and the destination. Once the vendor has resolved the issue with the OpenSSL version in use on their web server or router, its better to ensure a few settings (where available) are enabled in your browser.

I had a look at Chrome, Aviator and IE and they all have these settings, but as I've stopped using other browsers I can't answer for the likes of Firefox or Safari - I'm sure they must have similar options by now.

• In the HTTPS section of settings there will be a check box worded something like "Check for certificate revocation". Ensure this option is enabled / checked as it will ensure that once the vendor has updated OpenSSL they will get new SSL certificates and revoke the previous ones. This option ensures no-one can use the old certificates to impersonate.
• Enable SSL scanning in your security suite - Usually vendors tuck the setting away somewhere in advanced settings, but your protected traffic should also be liable to the same scans as your normal web traffic.
• Ensure that use of obsolete secure layer protocols are rejected - A lot of home & personal security suites should allow you to do this easily and it will be worded something like "Block encrypted communications using obsolete SSL v2 protocol".
• If at all possible, force use of TLS 1.2 - this won't be possible everywhere as not all vendors and services have upgraded. Avoid use of TLS v1.0 if possible. SSL v1 was created by Netscape 1995 so don't expect it to be so helpful 20 years later. TLS v1 dates back to 1999 so be realistic about that too. TLS v1.2 was "defined" in 2008 and v1.3 is currently in draft.
• IE has an option (set to enabled by default I think) called "Warn about cert. address mismatch", make sure this is still checked. It will provide a warning if the certificate was issued a domain other than the one the client-server communication is actually happening on.

Please note: This is just a thin slice of the solutions available of a much wider problem. I hope that going forward that vendors such as browser manufacturers and cloud solutions firms start making these settings default.

I did ask BT if their devices were susceptible to Heartbleed but got no response - I will assume that the answer was "yes" and there's no documentation indicating whether an update has been applied to the closed system. BT tried to tell people that even though their devices were vulnerable it wouldn't matter because the intruder would have to be able to access your network to take advantage of the problem. Omitting that their devices are wifi enabled routers with guest networks for BT FON.

A lot of admins panicked in the days following the Heartbleed reports and updated their systems with the faulty version so it pays to be a bit more careful as the end user. Don't assume there's a warm blanket encasing your journey online and take responsibility for yourself.
 

Simple Backup Follow up: Part 2

Ok so having sifted through roadmap candidates I was left with Carbonite, SpiderOak and Backblaze.

As I mentioned in the first part of this piece I've got some very specific [picky] drivers and requirements for this solution.

Carbonite seemed pretty good overall but the price is an issue. For £34 a year (or thereabouts depending on the forex rate) you get to backup only one device. Even the next package up at around £60 a year is restricted to one device.

However for that you get unlimited space on your single Windows or Mac machine. It's not bad but I'm aiming for something that isn't as restrictive to cover my secondary drivers and requirements. To do that I'd have to take one of the Pro Plans, which start at £162 per year. That covers an unlimited number of devices but is then restricted to 250Gb.

It's an option but I'm discounting it for now as I'm going for something cheaper - perhaps even considering Carbonite alongside Datto for an enterprise-level candidate. My concern there is for non-US customers as they have stateside support only according to their website.

So down to two, both of whom have trials available.

I started with Backblaze as it seemed to cover all aspects. The review from the original cloud storage reviews list stated that Backblaze doesn't have a single-point encryption key to match some of the other products but I think the vendor has added the feature since that review.

All fine - good price: Either £3 per month for an essentially unlimited storage quantity, or £9 for the year. I actually thought I need look no further - and for most people this will probably do what you need it to do with minimum hassle. It's pretty easy to use ... but the problem is that I couldn't use it the same way I could with Mozy Pro and define specific backup sets of files and folders. I need a selective DR option and this would take too much time to configure.

With Backblaze I found it would back up all drives, but then allow me to isolate exceptions to the rule to exclude from future backups / delta chains.

Inverse selection....Choose everything then remove everything you don't want

 If it wasn't for that small issue I would have signed up there and then. If you don't have such restrictive requirements and are looking for something safe and cheap you may want to take a look at the options this vendor provides.

My last option was actually added after further research whilst trialling Backblaze, and does exactly what it says on the tin (what I'd call "a Ronseal job").

Whilst the free 2Gb, unlimited devices, hive capable, secure and fast capabilities seem great;  A word of caution: The two-factor authentication is limited as this is a US-focused product too - you cannot use the two-factor authentication unless you have a Canadian or US mobile number. I can get around the problem as I have infrastructure and phone numbers in the states but anyone solely based in Europe would need to review and balance capability over protection.

The vendors engaging the wider FOSS community with outer shell tools and libraries from their product. There's a description of the encryption and hashing algorithms implemented within the web-gumpff pages if you want to read it in detail. Its impossible to tell exactly how they're managing the information protection aspect of the implementation from the sales page but use of CFB is interesting. Works for me.

The only problem I have with that will be future release of open-source libraries used by their main products. Open-source is great but without organisation-level QA of each delta there's a risk of insecurity - lets hope that changes with the major corporate push on critical open source projects from earlier this year. We'll see where that goes but for now I'm going to shortlist SpiderOak.

I've read a few reviews that state that the UI isn't as intuitive; or that its quite complicated - I think thats probably relative. Its more complicated that Backblaze, but probably about the same as MozyPro. The UI is consistent on the Debian package as well so I'll give it a thumbs up.

I like that SpiderOak has endpoint installers for my favourite OS across Windows, Debian-based and Android...but no Windows Phone. We'll see how that goes for now as its not a critical requirement. [Update: WP doesn't need it due to the direct integration with OneDrive]

Whilst chipping away at this article I've been running SpiderOak for a day or so on a selected backup set. I had some problems with the SSL scanner within one of my security suites initially, but have since resolved that issue.

The final candidate, operational across numerous devices.

I ran some tests on a couple of other devices and virtual machines. Windows Server 2012 R2, Kali, Windows 7, Debian and a Mac all worked perfectly well. Time will tell but for now that's all boxes checked. I didn't get round to checking how well it works on the Nexus 7 but there's nothing of value on there anyway. We don't have any overpriced paperweights in this house [c.f. iPad].

SipderOak doesn't store plain text backups, encrypts before transfer and encrypts the transport so prevents easy acquisition of my device files and data.

TL;DR

Overall this is the viable candidate for me, and in summary (comparing it against my original key drivers) I can sync and schedule backups separately, or link the events together - with a per-machine sync schedule. There's a zero-visibility policy meaning only I can unlock the secured backup sets. I can have 2Gb storage free forever - Although I've now signed up to the annual 100Gb package for £60. Its more than I was paying for Mozy Pro but I get more for my money, better support availability and unlimited device capability (including mobile and virtual). I can pick and choose where to restore specific files from any device in my list.

All the candidates I looked at were good products but this one suited my needs better than the rest. I'd be really interested to hear other opinions.

Simple Backup Follow up: Part 1

Having ditched Mozy Pro after trials and tribulations described in an earlier post, I've started looking at alternatives.

I've had no response from MBW or Mozy regarding my password reset or product code requests so couldn't get any further with the uninstall / reinstall process. Needless to say that I haven't got time to spare dealing with the problem, so am looking at other solutions.

Anyone facing a similar choice of offsite backup solutions may find the results useful, but I found this comparison quite a useful starting point. Personally, I'm always a little suspicious of who paid for advertised reviews and which reviews are genuine; so found this list that contained a wide range of solutions.

From my perspective, the term "cloud" is a sales buzzword for architecture that has been in existence for at least a decade. "Cloud", "cloud hybrid", "private cloud" essentially just means "hosted" - With a combination of outsourced hosting or private / internal hosting infrastructure.

Moving past this, the objective of the exercise is to find an offsite / cloud backup solution for personal use - perhaps even a vendor that provides appropriate personal and enterprise-grade solutions. Obviously this is a very specific set of requirements, and yours will be different.

I'm aiming for the following drivers in order:

1. Ability to synchronise and schedule backups, potentially even machine restores
2. Price
3. Security (I'd like a secured backup that only the key-holder can open)
4. Capacity

Optionally, some secondary drivers would be nice:

1. Capable of backing up specific folders / files from a number of devices or VM's
2. Capable of restoring specific files to a device of my choosing

So where to start? Well Mozy Pro is discounted immediately. Whilst it seems to cover the main drivers it seems to miss out on the secondary drivers. Also my own experience has been tainted by the difficulty in solving a problem originally reported in 2010. If I had problems with Windows 8.1 Enterprise I'm not prepared to wait it out or see what happens with Windows 9 upgrades.

After doing some research I'm going to cut the list down to 2 candidates, although I focused on the following roadmap candidates to begin with:

• Carbonite
• Backblaze
• Datto
• OneDrive (Sky Drive)
• SpiderOak

For me, the whole OneDrive / Google Drive / Dropbox mechanism is great for a specific purpose - storing a bunch of files and folders online (or "in the cloud" if you must), and sharing across devices. We have a large proportion of Microsoft devices in our household, along with an iPhone, a few Linux boxes and some other kit I use in my sandbox.

OneDrive is great for allowing the share of files I've acquired on a PC to a sandbox machine on a different VLAN. Its also perfect for being able to capture, modify sales documents written in MS office on Surface Pro, desktops and Windows Phones.

However I've discounted this type of technology almost straight away because I'm looking for a dedicated backup & disaster recovery option for some very specific file sets. Windows 8/8.1 already takes care of things like apps and settings. I've also discounted them because it would be conceivable that MicroGooHoople^TM could allow access (by subpoena, for example) to those backups - don't forget that everything is based in the US your data is liable to US law.

Obviously that last statement is really within tin-foil hat territory :)

I'm also eliminating Datto as it's clearly an enterprise-grade solution (and has no prices on the website!). EtE encryption, Atom 2.4 Ghz 8 core processors on the backup servers, backup chain recovery, bare metal restores, etc.

In part 2 of this post I'll look at the remaining roadmap candidates:

• Carbonite
• Backblaze
• SpiderOak

 So far I'm also seeing encouraging alternatives for all the MBW features I use and will speak to one of the vendors to take the services outside of the MBW package. Great when its all working but appalling when you need assistance.

Blogger Behind The Times

Just tried to log in to Blogger on Win 8.1 / IE 11 to be greeted by a "Browser not supported" message. Seems that the Googlers are still supporting IE 9, but not IE 11 - Not sure that's compatible with Microsofts own support lifecycle though...?

The only reason I'm curious is that Aviator won't let me add comments to Blogger posts via Google+ - probably either being a bit too paranoid or having conflicting rules dictating the combination of cookies and popups. So you on Aviator you can log in to the Google ecosystem, but when you view your own blog and try to comment.... it does nothing :)

Seems to work just fine in IE though. Happy days.

Simple Backup

I've just returned from a family holiday in Italy to find that my offsite backup for non-essential files still isn't working. I thought I'd leave it after making some system changes and seeing if it resolved itself.

It's pretty simple - All it needs to do is take deltas of selected folders and ensure the latest changes are kept securely offsite. If a PC goes up in flames then I can just restore the important photo albums, etc without much hassle. For more important or critical backups I use other corporate solutions but for the low sensitivity stuff I use MozyPro.

So ever since I restocked a PC with a new SSD and rebuilt with Windows 8 Enterprise I've been having issues - not with the hardware or operating system - but with the backup software. It's not so much that the software is a problem but the support and offered solutions that I have a problem with (or perhaps more that people are being given such terrible advice).

So it started with an innocuous error message "FilesystemError4".... Nicely labelled but with no real indication of what it means in any of the application event items. It does, however, link through to the equally useless expansion of the error category:

So I had a look around, ran some check disks, used SanDisks own disk evaluation tools for the Extreme Pro....no hardware issues at all.

As there was little or no explanation from the application I tried a few searches and quickly discovered this was a reported issue back in 2010 - apparently with no resolution. People were being told to get a replacement hard drive from original vendors, run check disks, restart computers....For some it appears that netsh worked - Mozy actually suggested that people use the legacy version of their software to resolve the issue instead of attempting to diagnose the faults.

So I clicked the Support link on the application settings page and was taken straight to the MyBusinessWorks page....with no hint of a support link. I tried the chat window only to be told by "James" that I had to contact MBW directly by phone on an expensive non-geographic number.....Not impressed at all. I even asked him for a geographic number to use instead but - either through ignorance or belligerence - he told me that there wasn't an alternative and that I could ask a support representative to call me back once I got through to the support desk.

Absolutely unacceptable!!! Say No To 0870 to the rescue - helped me translate 0845 608 0280 into 020 7253 1649: If anyone needs it, this gets you through to the parent company automated switchboard; select option 2 for MBW support. Good thing I'd not called the 0845 number as I hung up after being sat on hold for over ten minutes.

The fact I'm paying for this service makes me so much happier. Its good to see such bright and enthusiastic direct routes to problem resolution.

Bear in mind I've already bought the service (MBW) and the system (MozyPro) but am unable to raise a support ticket with Mozy, EMC or Decho because I have an indirect license. Awesome.

I'm now working my way through error log messages from the text log of the application. So far I've needed to do the following:

1. Create a new user with specific permissions on the PC
2. Assign the new user rights to log on as a service on the PC
3. Assign this new user logon to the Mozy service
4. Enable read value / set value permissions to the HKEY_LOCAL_MACHINE\SOFTWARE\MyBusinessWorks\Online Data Backup\scheduling key

Its now getting further that the initial failure on backup start but it shows how inappropriate the error message is - a registry key read permission error designates a FilesystemError4. It looks like another failure during the actual backup relating to HTTPS chunked stream reads is failing, but then its reverting to the registry permission error. Will update the post when I have more but I think I'll be replacing Mozy Pro with a competitor very soon.

Update (12th August)

I'm going to give Mozy / Decho a 24 window to send the password reset request I made earlier, if that isn't sorted I'll wash my hands of it and go elsewhere. My only questions is why is something so simple so painful?

Final Update (14th August)

Still no word from the vendor. I'll post my reviews of alternatives in a later post this evening.

2014

I've been away from the blog for a long time, but then I've been pretty busy.

I have some new observations to add to the mix - Off on holiday to Italy for a couple of weeks soon and intend to soak up some sun whilst putting pen to paper...assuming there's no WiFi I can crack near the beach :)

MY IDE is Better Than YOUR IDE So Nurr

*sigh*
It never really changes.

Same argument - different playground.
jmonkeycoder.wordpress.com/2013/08/28/eclipse-vs-visual-studio/

Interesting article - Think there's plenty of people out there who appreciate the type of comparison.

Thought I'd pitch in as I use both Java and .NET for different clients: I often use both Eclipse and VS (although rarely at the same organisation!). Thought I'd could give a more balanced perspective. You're a Java & Eclipse person - there's nothing wrong with that; many commenters appear to be VS & .NET-ers though and I think there's more caustic discussion there.

It's great to have a side-by-side comparison but there's a lot of the functionality and features from Visual Studio in addition to your lists. There's a number of features from, say Ultimate edition that perhaps not everyone gets to play with! In particular intellitrace and the performance tools from the analysis side, and the architectural tools integration on the design side.

Don't get me wrong - VS doesn't match up to Archimate in my opinion but its tools integrate well. CodeLens is another good example but there's quite a few more.

There are a number Eclipse plugins that do some of these things but not all (which is probably why Ultimate costs > 12k GBP for a single seat license)...but then Java works a little differently, and the platforms it generally runs on are very different!

After running Eclipse on a pretty fast machine on Kali and VS on W8.1 Enterprise I don't see much difference in IDE performance for massive multi-project applications either. I have noticed performance differences in the root frameworks though.

I've always thought that developers shouldn't really have a preference between either framework but I would say there there's a clear difference in the level of productivity however that's kind of irrelevant...I would never consider using Eclipse for .NET/Mono and I haven't seen anything for Java on the Visual Studio side - lets try and forget all about J++ and J# as soon as we all can :)

For me, Java & Eclipse are extremely useful for specific scenarios and I don't think its fair to discount it as other commenters have, yet you've severely underestimated the capability of the other IDE (even for VS 2012).