Thursday, 31 March 2016

Eye test

I went for my every-two-years eye test today, and it was very thorough. The good news is that my eyes haven't deteriorated over the last two years. So much so, that I don't need new glasses.

I'm getting new mid-range glasses anyway, though, becuase I've had these for a very long time, and the lenses are scratched and fuzzy in the middle, just the place where you don't want them to be scratched. I persuaded them to let me keep the frames (most glasses frames corrode terribly on me, and these don't) and I insisted on glass (plastic is the usual material, but it scratches much worse than glass).

They also did an inside-the-eye scan, which isn't as gruesome as it sounds, they just flash a bright light in each eye. This reveals that my right eye is in tip-top condition, but the left eye (where I had the high pressure, leading to glaucoma) has some deterioration of the optic nerve. The good news is that since it was diagnosed two years ago, it hasn't worsened, and the pressure is now 17, which is excellent. It means that the eye drops are keeping it under control.

My back is also improving rapidly; I'm pretty sure that what I had was something ike cramp in the back muscle.

Wednesday, 30 March 2016

Ooh, my back.

I had planned to go out caching today.

But yesterday, I woke up with a back pain. It feels a bit like cramp, and it twinges badly if I twist, or stand up, or sit down, or pretty much anything that involves back movement. A day out caching sounded like a day of agony, so I've deferred it.

I don't think there's anything seriously wrong, I think I "pulled a muscle" or sprained a rib or something. I'm hoping that a few days of quietude will fix it.

Accident compensation cold call

I had another call today "you were in an accident recently ..."

So I spoke to the caller, Nasir Khan. He said that he was with Lance Amyinsoms (he spelled it out for me). No such company. There's a company called "Lance Masons", but there's probably no connection. Then he said he was with No such web site. But there is a, although I doubt if he was from there either. He did give me his phone number, 020 331 81767 (actually, he gave me two phone numbers, but the first one he gave me turned out to be a fax number).

So we got to talking, and I told him that I had indeed had an accident, I'd fallen over while walking (this is true, I fell over on a walk about a few weeks ago). He seemed interested, so I told him that I had a photograph. He sounded quite keen. "Should I send it to you?" I asked. "Yes," he said, "Email it to".

A domain name.

That gave me a web site to go to, I looked up the registration details, it gives the person who registered is the name "Danish Notta" in London, Gloucestershire. London is not in Gloucestershire. There's a Danish Notta runs One Call BPO, a call center in Pakistan. And theclaimsonline gave a phone number, which had the same UK STD code as the number that Nasir gave me. Their web site also gave me their CRM (claims management regulator) number, 11234.

So I went to the CRM web site and it actually led to a different company called "xxx". So I went to their web site, which was very reminiscent of the I mean, it looks pretty much the same (slightly different logo), including on both sites, recommendations from the same three people who received the same amounts and gave the same words of praise. And the two companies have the same CRM number. OK, maybe nothing bad here, maybe it's one company that trades under two names, but interesting.

I went to the Companies House web site. I couldn't find anything for theclaimsonline, but it was easy to find xxx.

So I looked at the directors. There's two, Gavin yyy and Deborah yyy. Again, nothing to worry about, lots of small companies are run by a husband and wife team. And Gavin yyy is the name given on the whois database for xxx.

I found out lots more about Gavin from Company's House, Linkedin and Facebook (I didn't bother with Twitter) - I doubt if most people realise just how much personal information they put on the internet about themselves for anyone to read. I probably do the same. I've xxxed and yyyed out these details because I believe that xxx and yyy are innocent victims of web site copying,

I looked at the latest published accounts for xxx. The company's net book value fixed assets are £301 as of December 2014; the P&L account shows a loss of £1241. So I don't think xxx is very active.

So I checked out Gavin yyy more thoroughly on Linkedin. There are a few with that name, but the most interesting was Gavin yyy at zzz Solicitors. So I went to their web site. And on that web site, is listed Gavin yyy, he's on the Personal Injury team. On his bio, it says that he has over 25 years of experience (The Gavin yyy I'm looking for is 46, according to the Companies House information).

Looks interesting.

You see, the thing is, according to the solicitor's code of conduct, they aren't allowed to make cold calls to people scraped out of a list (I'm guessing the electoral register?). And I suspect that setting up a separate company to generate leads by cold calling is also frowned on. You might recollect the last time I looked into a situation slightly like this, with Renaissance Solicitors and Whynotclaim Ltd. Speaking of which, I just had another look at their web site, and Mobeen Hussein (director of Whynotclaim, the people who cold-called me), is no longer listed as working there.

So, back to linkedin. I read Gavin's bio, available to anyone who wants to read it. June 2015 to present, zzz Solicitors, head of Fast Track Litigation, and one of his past jobs was with xxx. So it's the same person.

So Gavin is employed (or something, but he isn't listed as a partner or Associate) at zzz, but at the same time, theclaimsonline, who say they have the same CRM as xxx (Gavin's company) is making cold calls. Or most likely theclaimsonline doesn't actually have any relationship to xxx and is just saying that they do, by claiming the same CRM number.

So that's cleared up most of the questions that I had, using publicly available information put onto the internet by Gavin yyy, and the rest was resolved with a call to zzz solicitors, except that he wasn't there, so I used the internet phone books to get his home phone number. He wasn't at home, but his answering machine gave me his mobile number and that of his wife, and I'm really quite surprised at the amount of information I can find out about someone without really trying. So I called his mobile, and he was in his car.

He called me back later, and it looks like I'm right about him being an innocent victim of web site copying. It looks to me that there's slight evidence that "The claims online" web site is more recent than the xxx site. xxx has copyright dates of 2008-2010 and 2008-2014, claimsonline is only 2008-2014. xxx has a "privacy policy" and "terms and conditions", claimsonline doesn't have either of those. And "the claims online Ltd" doesn't get found on the companies House web site.

But Gavin will surely want to know what's being done with the CRM11234, because if "The Claims Online" are using it without his permission, that's naughty.

So I told him. And the rest is up to him.

Tuesday, 29 March 2016

Every cloud

I'm an inveterate optimist - I see the flecks of gold in heaps of dross, and I often find small coins in car parks. And every cloud has a silver lining, if you stare at it for long enough.

I'm seeing a lot more ransomware attacks. Typically, a gullible user has either clicked on an attachment in an email (I'm currently getting about a hundred such malware-bearing emails per day) or has been hit by malvertising. Probably the email is more frequent. Sadly, antivirus software has a 10% success rate in flagging such stuff. It misses nearly all of it. Because if you're about to send out a bunch of malwareiferous emails, you'd test to see if the AV products detected it, change it if it did, and continue to test and change until you had something that would pass the tests. This is called "crypting".

And the thing Gullible User (last name User, first name Gullible, called Gully for short) clicked on, reaches over the internet, downloads the malware, and installs it on Gully's computer. And ransomware is the flavour of the month.

The ransomware encrypts all the data files it can access (which means all the data files that Gully can access, including those on the corporate network) using a dual-key encryption system. Dual key means that one key encrypts, and a completely different key decrypts. So even if you trawl through Gully's computer and find the key that encrypted, that doesn't give you the key to decrypt. And modern crypto systems are strong enough to give serious obstacles to government spooks, so forget about cracking it by brute force.

So how do you get your data back? You pay. Money. Using Bitcoin, which is as untracable as sending money via Western Union or Moneygram. And they send you the decryption key. Maybe. You just have to trust the unscrupulous scroats who ripped you off in the first place and who have only a slight incentive to send you the key now that they have your money. Let's hope they're honest scroats.

The good news is that it's not much money - maybe a few thousand dollars, which is peanuts to a big organisation (but very painful for a tiny business, and if we're talking about grandma's collection of grandchild pictures, poses a heartbreaking barrier).

So what precautions are you taking against being hit by ransomware? Choose one of the below.

1) We're running an excellent antivirus, tests say that it detects 100% of in-the-wild threats, and it's updated daily.

 ... but, sadly, the tests are not correct. Do your own testing. Choose a dozen of the malware-bearing emails that you're getting every day (and deleting unread, I hope) and see if your AV flags them all. It won't. Maybe one or two of them. Ask your AV vendor why not, and they'll say "That's because you're testing on something that only came out an hour ago, you can't expect us to be able to detect that, can you?" Actually, you can, and in my blog I've explained how. And if you're paying money for something that the vendor says cannot possibly do what you're paying for, rename yourself Gully. You can also ask the organisations that publish these 100% tests, how come in the real world the figure is more like 10%?

2) We have backups.

 ... well, that's good. But have you? Some people use "cloud backup", which means that files that change are automatically copied over the internet to a server somewhere in Albuquerque. So the ransomware encrypted your data, the backup system says "Oh, that changed" and copies it to Albuquerque. And if you restore that backup, you've just restored an encrypted file, which doesn't help you. And this happened to someone recently.

Maybe your cloud backup works that way, or maybe it doesn't. If you don't understand how your backup system works, then that's probably the way it works.

Here's how my backup system works. On the 1st to the 10th of each month, files are backed up to one server. On the 11th to the 20th to a second server. And on all other days, to a third. Plus there's various other backups going to and fro, which aren't automated.

I even have servers that are powered off, and hold a copy taken several weeks ago.

So if something has borked all the files on my main server, I have at least a chance of restoring something not too ancient.

3) We're educating our users.

... don't make me laugh. That hasn't worked in the past - why would it work in the future?

38% of busnesses are confident that they could recover from a ransomware attack. There's two problems here; first the obvious problem of the 62% who aren't sure they can recover, but the other problem is that I suspect that a large proportion of the 38% who are confident, are only happy because they haven't really understood the problem. Here's a nine-point list of advice for avoiding ransomware attacks.

Most of those nine points are good ideas, but won't stop ransomware, especially ransomware delivered via email.

So where's the tiny silver lining in the large and unpleasant cloud?

Any organisation that has been hit by ransomware, has been charged several thousand dollars for a lesson in computer security, a lesson that people like me would be willing to teach them for free, but free stuff is subject to floccinaucinihilipilification and usually ignored. But the lesson bought for real money, is likely to be taken to heart.

I did warn you, it's only a tiny speck of silver.

Monday, 28 March 2016

My bike

Millions of readers of my blog have ask to see a picture of my bicycle. Well, one guy did. So as well as pictures, I'm going to explain what's there and how it works.

This is the bike, folded up. Because it's a folding bike, I can keep it in the back of my car (a Landrover Freelander). It also makes it possible for me to get it through metal semicircular kissing gates without having to do a strenuous lift.

You can see from this picture that it's a Haro bike, and the tires I use are Schwalbe Black Jack. I use those because they're Kevlar reinforced, making punctures slightly less likely.
What you can't see, is inside the tires. There's a thick-walled inner tube, adding to the puncture resistance, and between the inner tube and the tire, there's a gel insert, also reducing punctures. Since I adopted this system, I haven't had a single puncture. You can also see that the tread on the tire is quite knobbly. That gets me a better grip on soft ground and mud.

Here's the bike seen from the other side. You can see how the pedal is folded.

The folding pedal makes it easier to get it in and out of the car. And occasionally, folding both the pedals helps me get it across a narrow bridge.

To unfold it, first I attach the handlebars ...

Once, I put the handlebars on the wrong way round. When I applied power to the motor, it ran backwards, of course, and I fell off. I've only ever done that once!

So here's the bike fully unfolded.

Originally, it came with a kickstand near the back wheel. After I used the stand and it had fallen over numerous times, I replaced it with a much better kickstand near the center. I'm still not happy with it, though, so I often (especially on soft ground) lie the bike down while I go deal with the cache. I'm constantly on the lookout for a stand that would make it possible for me to leave the bike on the stand without it falling over. So far, no luck.

So now we look at the front wheel.

That's the motor. It's quite understated; it isn't obvious that this is an electric-assisted bike. You can also see the torque arm, and I'll explain that. The motor wants to turn, the bike forks don't want to turn. the motor axle has flat sides which slide into the bike forks, and that's almost certainly enough to resist the turning force. But if the axle does turn inside the fork, catastrophe will ensue, because the wheel can pull itself outside the fork, and now you have no front wheel. You can imagine the result if you're going along at 20 mph and suddenly the front wheel isn't there! The torque arm transmits the torque from the motor, to the bike frame, without undue reliance on the fit of the axle into the fork.

The motor is rather special; it's a dual speed motor. You can run it either forwards or backwards (the gearing transforms the backward motor rotation, into a forward wheel motion), and one way gives you a gear ratio of twice as much as the other. So low gear gets you up hills, high gear is good for tarmac on the flat. I get about 12 kph in low gear, and that's good over rough ground and grass; I get about 20 kph in high gear, which is good on tarmac when I'm covering a distance that's a lot more than the minimum distance between two caches (1/10 mile).

I can go even faster on downhill stretches, because I replaced the highest gear on the rear derailleur with an 11 tooth sprocket (the normal is 14), and when you're driving a bike via the pedals, the only speed limit is whatever the car speed limit is.  So on a country road with a good downhill, I can get over 40 kph.

Here's the back wheel.

You can see the quick-release lever for the wheel - that's also non-standard. It means I don't have to carry the spanner I'd need to remove the back wheel. I got it when I replaced the gears that had the highest as 14 tooth, with an 11-tooth, which gives me a 30% advantage when going fast.

You can also see the black bracket that supports the rear carrier. That rear carrier is important, because it supports the panniers, which contain the batteries.

The rear carrier is shown below.

The grey tape at the base of the carrier, is to avoid a problem whereby the rubbing of the pannier on the carrier, wears a hole in the pannier. On top of the carrier, you can see the bike controller. The controller is important.

Ancient electric motors had commutators, and carbon lumps (which would wear out and need replacing) conveyed the electricity to the commutator. The commutator was a mechanical way of switching the power so that the motor electromagnet was always attracted to the permanent magnets so as to turn the motor consistently in the same direction.

Modern electronics has abolished this messy solution, and now it's done digitally. There's three sensors inside the motor that lets the controller know the angle of the motor, and the controller then switches the power, using FETs (field effect transistors) so as to continue turning the motor. And the controller can choose whether to turn the motor forward or back. And that's how the dual speed motor works, via two clutches and sun-and-planet gears.

The controller is in the open so that it gets the benefit of air cooling.

Here's the rear carrier seen from the other side.

A close-up of the rear wheel ...

The bike has a two-wheel drive - the motor drives the front, and the pedals drive the rear. A lot of electric bike owners much prefer to have the motor drive the rear wheel, but they aren't geocachers. I'm often going over soft ground, mud, or ground thoroughly chewed up by horses, so a two wheel drive gets me a much better grip. Again in the picture above, you can see the grey tape that I use to stop the carrier rubbing holes in the pannier, and the way that the carrier attaches to the bike frame. That attachment is non-standard - there's a lug near the axle of the bike where the carrier is supposed to attach. There's two problems with that. The first is that the bolt holding it on has a tendency to work loose, the second is that if you try to screw it in really tight, you strip the thread.

You can also see the rear gear changer. You might recollect from a recent post, that the gear changer got broken, and I sorted it out by taking parts from the old broken gear changer, and from another one that was faulty. It's always nice when you can use old parts to repair a break.

A quick view of a pedal that's folded ...

Here's how the carrier attaches to the back of the bike:

That's also a bit of a bodge; there needs to be ample clearance between the carrier and the seat post, otherwise the carrier knocks against the seatpost every time I go over a bit of a bump, which is very frequent on rough ground.

You can also see the blue EC5 plug that leads to the controller, and is there to plug in to the battery pack. The leads from the controller are encased in old inner tube, which I hope will tend to keep the wet out.

And you can see the big spring for the rear suspension. I was going over a rough track once, and there was a "SPROING CLUNK CLUNK" noise. I stopped to see what had gone wrong, and it was that spring, it had broken. Like many things about a bike, it was really cheap to repair; a replacement was £7 for the whole suspension unit.

 The saddle.

I would, of course, prefer a saddle made out of rainbow and stuffed with cloud, but I've not been able to find one on Ebay, so I have to make do with springs and gel. This saddle is really comfortable. I have it a lot lower than most cyclists, because A) I'm stopping and starting a lot, and B) on really rough or soggy ground I help the bike along by hobby-horsing with the feet, and C) I really really hate falling off.

The red things attached to the seat post are red LED rear lights. If I'm still on the bike after dark, then I want any motorists behind me, to be certain to see me. For the front light, I carry a powerful head torch, which I'll show you later.

So now to the control of the bike, which is done, of course, via the handlebars.

The lever on the head post is because the handlebars are detachable for folding up; that lever is for tightening the bolt that holds it together. Another unusual feature is the grey tape at either end. That is there to protect my Freelander, which, although bought second hand (they don't make them any more) was in pristine condition, and I'd like to keep it that way as long as I can. My previous Freelander was somewhat scratched by the handlebar ends from leaning it against the car. Also scrunched by an anonymous person in a car park who didn't apologise or leave contact details. And then there was the time a cow fell in the car.

So let's look at the handlebars more closely.

The main control there is the left handbrake, which controls the rear brake. That's the brake I mostly use for slowing down - the front brake is used when I need to stop more rapidly. You can also see the bell. When I'm coming up behind a pedestrian, I ting the bell to let them know I'm there, because I don't want a situation where, just as I pass them, they suddenly notice me and step to one side, and if that's the wrong side, it could be catastrophic.

There's also the gear changer for the front gears. That would be useful if I need a really low gear, but because I have electric assist, that's rarely needed.

In the middle of the handlebars, you'll see this.

On the left, there's a switch that's connected to the controller, and selects the motor gear; low, high or automatic. Automatic means low gear until I get to about 12 or so kph, then it switches to high hear. I mostly use low gear, but if I'm going some distance on tarmac, I'd use automatic. You really feel it when the gear changes, it's like an afterburner just kicked in.

You can see the controller screen. That shows how far I've travelled, and I've done about 2500 kilometers on this bike. The most useful display there is the battery voltage, because that tells me roughly how much I've used, and how much is left. It starts at 50 volts, and when it gets down to 42 volts it's nearly empty.

Above that screen, you can see a bracket. I put a PDA holder on that bracket, to hold my Fujitsu Loox navigation device, which tells me how far away the cache is, and in which direction, together with an OS map of where I am. The holder isn't there permanently, because it's really fragile, and after I'd broken a few putting the bike in and out of the car, I adopted this solution.

Here's the right side of the handlebars.

On the left of this picture, there's the gear changer, which lets me run from low gear to high, in seven steps. The bike came with a twister gear changer, but I much prefer the kind that clicks between gears. So I replaced the original changer with a clicky one, which also includes a brake lever that controls the front brake, which I don't use much.

The blue collar is to keep the rubber handlebar grip in place. Just under the blue collar, you can see the throttle lever. It's a thumb throttle, and I've become very used to that. The more I push it down (it's on a slight spring) the more power is fed to the motor.

So that's the bike. But there's more. Here's the pannier.

It's quite big. In it, there's the batteries for powering the bike, a tool kit, and more.

It's heavy. Very heavy. It's about 12 kilos, depending on how many batteries I'm carrying. It detaches, though, very easily, so that if I have to lift the bike over an obstacle, I don't also have to lift that heavy bag. If necessary, I can divide the load beween two bags; if I'm doing 60 caches on the trot on a hot summer day, then I'll need a lot of batteries, and a few bottles of water. I can go without food until I get back to the car, but water is needed while I'm out.

Let's look inside it.

Hmm. A bit of a mess. Let's unpack it. First, the batteries.

This is a light, hard plastic box. It's just the right size to contain two of the battery packs that I use, and it will give the batteries some useful protection against the possibility of me coming off the bike (which has happened, a few times). So let's look at the batteries more closely. Notice the S&S International sticky tape!

These are Hobbyking Multistar batteries. Each of those three gives 10 amp-hours at a nominal 14.4 volts (which means 16.8 fully charged, 12.8 when discharged). These give the best power-to-weight performance of any kind of battery. You can get them for £21 each. I put three together in series to give me a start at 50 volts.

The batteries come terminated with a yellow XT90 connector, but I've standardised on EC5 for everything, so I add a cable that has an XT90 at one end, and a blue EC5 at the other. I tried a number of different connectors, and I chose EC5 because they're easier to pull apart than the others I tried, and because of the way I use batteries, I'm all the time connecting or disconnecting.

This turns out to have another useful effect - if the battery pack parts company from the bike (and that's happened to me a few times) then instead of the cables ripping apart, the EC5s disconnect, and it's easy for me to reconnect them.

You can also see the balance wires, those are the thin wires, too thin to carry the substantial current to power the bike. I'll explain about those soon, they're used for recharging.

Also in the pannier, I have these:

The blue and yellow zipped bag, contains geocaching stuff that I don't need often, but which could be useful. For example, spare batteries, multitools, sting relief, plasters, biro, pencil, string, safety pins and other stuff I've needed occasionally. The stuff I need all the time, I keep in my shoulder bag, with very easy access.

You can also see a fairly substantial combination lock. That's in case I need to leave the bike for any length of time - for example, if I need to trek a couple of hundred yards to get a cache, into a muddy field where a bike is a very bad idea. Or if the bike suffers a catastrophic failure that makes it a good idea to abandon it, walk to get the car, and then pick up the bike from where I left it. I did have a bike stolen once (it wasn't electric, so not too big a loss) and that was because the lock I used could be broken with the application of a couple of bricks.

Repair kit.

Ladysolly gave me this bag - it's leopard-skin makeup bag. No actual leopards were involved. It had a price-tag of £130, but she got it free with something, and it's probably worth about £0.50. Less now, it's become a bit grotty.

Inside, I keep my bike repair tools. I have all the spanners I'd need to remove either wheel, a puncture repair kit, a spare inner tube, tire levers, a pump, an adjustable spanner and a 46-way bike multitool that can do anything except get stones out of horses hooves. There's also some electrical stuff (wire, connectors, an adaptor to power the PDA for any battery, fuses) a handy selection of nuts and bolts (which have proved vital in the past) and various other bike-saving bits and bobs.

On my head ...

At this time of year, this is what protects my skull. I only have one head, and I'm very attached to it. I think it's actually a skate-boarding helmet. I also have a conventional bike helmet, which lets in a lot more air; that's for summer. And in the depths of winter, I wear a world war two flying helmet; leather on the outside and sheepskin on the inside. That keeps my ears and cheeks a lot warmer.

On my hands I wear fingerless cycling gloves unless it's very cold, in which case I wear sheepskin gloves (or similar). In really bitter weather, I wear the fingerless gloves *and* mittens, so that when I take off the mittens to sign a log, I don't get instantly frozen hands.

So how do I connect the bike to the batteries? With this. Reading from left to right ...

You can see the three blue EC5 connectors, which let me connect three 16.8 volt batteries in series to give a single 50 volt battery. That three-to-one adaptor feeds into a 30 amp fuse (it's never blown, but a fuse is surely a good idea) which connects to a big circuit breaker switch, and then to the EC5 connector that connects to the bike. While the switch is off, there's still a connection from the batteries to the bike, via a 100 ohm resistor. So with the switch off, I connect up the battery to the bike. Then I switch the switch, but by the time I do the switch, the capacitors in the controller have charged up via the resistor, so there isn't a big spark when I switch on.

The thinner wires connect from the balance leads of the batteries to the small black rectangles, which are alarms. When any cell of the battery falls from the original 4.2 volts down to 3.2 volts, the alarms starts to beep. It's not a good idea to run a LiPo cell below about 3 volts, so it tells me to change the battery.

Here's another thing that I carry in the panniers.

This is one monster head torch, a real night-into-day. There's also a red LED at the back, in case I'm on a road, so that car drivers can see me.

This is how I recharge the batteries.

There are all sorts of battery chargers for LiPo batteries (it's *very important* to use a LiPo charger, not any random voltage source), and most of them are quite expensive. I do have these complex and expensive chargers, but these days, all I use are these very simple chargers that cost about £6 and will change my batteries (or any 2S, 3S or 4S battery) ... but slowly. They will output about 1 amp, so a 10 amp-hour battery will charge in 10 hours. But I don't see that as a problem. If you need to fully charge batteries like this in a short time, get the complex expensive chargers.

Typically, I'll come back from an outing with two of my battery packs at least partly used. My batteries are made from three 4S batteries. So I use six of these little chargers (nine if I used three battery packs). They connect to the balance ports of the batteries, which means that it's very easy to plug in and unplug, and it means that the batteries are fully charged, and balanced, each time.

Important - I disconnect the batteries from the three-to-one series cable before I plug in the chargers. This is to avoid the possibility of a catastrophic short circuit, although when I think about the connectivity, I don't think that's actually necessary. Still, I'm cautious!

I power the chargers from old PC power supplies.

And you can also see a big fan that I use to blow cool air over the chargers. Not vital, but I like things to run cool.

I also have smaller batteries, these are five amp-hours, half the capacity.

Those are the batteries that I used before the Multistar became available, they're only 5 amp-hours, and are a little heavier per watt-hour than the Multistars.

How far will the batteries take you? That's a very difficult question. I would average about 40-50 caches with one set of three batteries, but that's over rough ground, with starting and stopping. On tarmac, you'd get 10-20 miles. The reason why I'm being so vague, is that this is a bicycle. You could go from Lands End to John O'Groats on a bicycle, and the same on an electric bicycle, except that part of the journey would be easier.

So what does this paragon, this queen of bikes cost? You should be able to get a 26 inch wheel folding bike for around £50 from Ebay; £20 if you don't mind a non-folder. The dual speed motor, built into a 26 inch wheel, andincluding the controller and other bits, will be £225 from Panda (less if you haggle). The batteries will be £63 for 10AH, or if you want a huge amount of battery, £126. Six chargers will be £36. From Ebay, a rear carrier £9, panniers £7. Total £325 to £450.

My bike.

Republicans and guns

Many Americans believe that they have an almost sacred right to swagger around carrying a machine gun. However, this right ends on private property; if you don't want a gun carried into your home, you have the right to say so, and to enforce this requirement (while waving a gun to emphasise your view).

The Republican national convention will be held in July 2016 in the "Quicken Loans Arena". Quicken doesn't allow guns.

So, of course, a petition has been created, pointing out this dissonance and asking for it to be rectified, either by Quicken allowing guns for the convention, or by moving the convention to another venue.

It's hilarious. And possibly a fine sample of American irony. Who said that Americans dn't have a sense of humour?

The National Rifle Association is vehemently opposed to "gun free zones", on the grounds that they become a safe space for any insane shooter. The two leading Republican candidates have declared their opposition to gun free zones.

I can just imagine the emotive atmosphere of a political convention, spiced up as gun carriers eye each other warily, ready to spring into action the first time they see an aggressive move.

Something tells me, however, that despite the opposition of Republicans to gun free zones, their convention will not allow people carrying guns to enter, because common sense and self-preservation overrule rhetoric and idealism.

Saturday, 26 March 2016

The first ransomware

I remember the first ransomware.

It was a diskette that arrived in the post, and I was lucky enough to receive one. I remember the sense of anticipation as I read the accompanying documentation, and I thought, "This looks interesting".

So, of course, I installed it. In the virus lab. And it didn't diappoint. It counted the reboots, and after a fixed number (I think it was 100, but Wikipedia says 90) it encrypted all the file names on the hard disk.

It didn't encrypt the files, just the file names. So it was very easy to reverse.

It demanded $189 for fixing the problem. I doubt if anyone actually paid.

The author was Dr. Joseph Popp; he was arrested, charged, was declared mentally unfit to stand trial, and was deported back to the USA. Perhaps they have better nutter data.
I heard a rumour that he wore a paper bag over his head in court, but I can't confirm that.

This was in 1989, 27 years ago. There's nothing new about ransomware.

Friday, 25 March 2016

Blame the victim?

Bernard Hogan-Howe, the Met police commissioner, suggested that banks should stop refunding victims of fraud.

Well, it depends.

If someone comes to your front door and offers to bless you in exchange for £1000 and that this blessing will reward you tenfold, and if you go for it and subsequently decide that this was fraudulent because the hoped-for £10,000 didn't materialise, should your bank refund you?

Of course not.

On the other hand, if you suddenly find that £1000 has been removed from your bank account without your knowledge or consent because someone turned up at the bank pretending to be you, and the bank believed them because they were able to recite your mother's maiden name, then should your bank refund you?

Of course they should.

It depends on whose fault it is. Sometimes it will be the victim, sometimes the bank.

My experience with banks, has made me feel that they really aren't serious about security. How often have I been phoned up by my bank, and then they start asking me my security questions! And they're surprised when I refuse to answer, on the grounds that "how do I know that you're really my bank?"

And, by the way, when I'm asked to set up security questions like this, I don't give my mother's real maiden name, which could probably be discovered by someone interested enough. I make up a name and give that instead; I then record that answer against the organisation that I gave it to. Yes, I write it down! Because that's more secure than using the easily-discoverable real name.

And likewise for any other security questions, "name of first pet, brand of first car, name of first school".

So anyway.

Recently, I tried to pay for fuel at my local garage using my credit card, and I got the PIN wrong. Because I was exhausted after a great day's caching. And then I got it wrong again. And then I checked where I have it written down. Yes, I write down my PIN number, but not as it is, I add (or subtract) a magic number from it and write that down. So that all the written-down PINs aren't the real PIN, and I don't write down my magic number.
Anyway - because of exhaustion, I got it wrong a third time, and that locked the card out. So far, so good. Mildly annoying, but obviously my own fault, and I dealt with it by paying cash.

A little while later, I looked into the question of, how do I reactiviate the card. I thought it would need an in-person visit with some proof of identity required. But no. All I had to do, was put the card into an ATM, choose "PIN services" and it unlocked the card.

Wow. That was easy! Too easy.

But back to Hogan-Howe.

The problem is, computer security is *difficult*. Computers are difficult for many people; computer security is *difficult*. I don't believe that "educating the user" works; it certainly hasn't in the past, so why should it in future? Maybe people should install security software, but the problem there is that, as far as I can tell, there isn't any that's actually useful against the threats of today. Sure, there's plenty of software that deals with the threats of ten years ago. How useful is that?

What there is, is a torrent of emails bearing malware, and if you click on any of them, you're stuffed. What there is, is malvertising, so if you visit even a reputable web site, you can be stuffed. What there is, is javascript that, if you run it, will download something nasty (probably ransomware) to your computer, at which point, you're stuffed.

And with the currently available antivirus software, you're lucky if one out of every ten of these is flagged. You can test this for yourself - take one of the emails that arrived recently, carefully detach the attachment, and show it to Virustotal. Note carefully the very small number of products that flag it. Antivirus products aren't dealing with today's threat.

So should the bank fork out when you accidentally, through no fault of your own, install something on your computer that watches what you do and sends any credit card info, or online banking info (by the way, I do not use online banking, because the banks are so careless about security)? The problem with the bank paying, is that it isn't the bank that pays. It's me. It's everyone who uses the bank system, because the costs of those payouts will be built in to the price of banking.

So is it fair that I pay for the gullibility and/or carelessness of another citizen?

I don't think it's fair. I think that the cost of gullibility, carelessness, ignorance and faith should be borne by the gullible, careless, ignorant and faithful.

Thursday, 24 March 2016

Another gross

Another gross of malware-bearing (maliferous?) emails arrived today. I can't help feeling that the Bad People must believe that they'll harvest a fine crop of victims, otherwise why bother?

I picked one of the emails and ran it through VirusTotal. 8 products flagged it, 48 passed it as clean.

The products that flagged it are:

Avira (no cloud)

But if you're using one of those products, don't pat yourself on the back too hard. 

I tried another one, and 3 flagged it, 53 failed. The ones that flagged it are:      


I haven't tested the other 142 emails, but I would expect that I'd get similarly dismal results.       

What does this malware do? They download something from a remote server, and the thing they download is the payload. So I don't know, but if I had to guess, I'd guess that
a week or so after installation, a screen will pop up telling you that if you want to see
your data again, you'll have to send $1000 in bitcoin to the criminal.

Wow. This is *such* a big problem. But a big problem is just a big opportunity seen from the wrong end. Surely someone soon will make a product that strips out potentially malicious attachments, or the parts of attachments that are potentially malicious? Anyone who did that, could do very well out of it. I mean, it is *so* easy to see that your current AV solution isn't solving the problem that people are actually facing today. Just take a few of the malware-bearing emails that you get today, and see if your current AV flags them.

And do make sure that you have a backup.

Wednesday, 23 March 2016

The assessment of risk

34 people were murdered in Belgium yesterday. That's very bad. Of course it is. But is there anything worse?

In 2013 (the latest year I could get figures) 724 people were killed by road accidents. Belgium is trying to reduce road fatalities; the target is 420 in 2020.Good idea, but not enough.

This isn't comparable - the 34 were murdered, the 724 were unfortunate victims of an accident.

But dead is dead. People's lives are over. Families are bereaved.

Belgium has the second worst per-capita road fatality rate in Western Europe (after Portugal).

So what is to be done? Here's my prediction.

Huge amounts will be spent on security theater at airports and railway stations, but how will this stop a terrorist with a bomb in a suitcase from entering the terminal and blowing it up in the middle of a crowd?

I was driving round the M25 yesterday, and I passed two cars that were so close together, that the only rational possibility was that one was towing the other. Except they weren't. Go on any motorway, and you'll see frequent examples of tail gating, undertaking, lane swerving and other risk-laden activities that mostly don't lead to an accident, but occasionally do. People are very bad at asessing risk, even when their own lives are directly at hazard.

Nothing will be spent on hastening the time when autonomous cars are compulsory. That's going to be the most significant reducer of premature deaths in this century, unless someone comes up with a cure for stupidity.

Malware by the gross

A gross is, of course, a dozen dozen, and for those readers who weren't programmed with their twelve times tables like I was five dozen years ago, that's CXLIV.

I'm now getting a gross of malware spams per day. That's more than spam for Viagra and replica watches combined. It's a deluge of badness.

I don't know what they do, except that they contact a remote server over the internet and install something nasty on the computer, although I'm guessing that it wouldn't work on me as I'm not running Windows. I'm not engaged enough in this to try to find out. I don't think the people who are involved in malware research are either, because I'm not picking up any buzz.

My guess is ransomware.

Ransomware is the new big thing. It's easy to do, you just buy yourself the malware, buy a spamming service, spew it out and wait for the untracable payments in Bitcoin to roll in. And roll in they do - a great many businesses, companies and government organisations are willing to pay £1000 to get their data back. I know this, because 30 years ago, I ran the first no-fix no-fee data recovery service in the world, and we would typically charge £500 for the service, which our customers gladly paid after their hard drive had failed - and all hard drives do fail, it's only a question of when, and do you have a good backup? They didn't.

What I did was a useful and honest service, of course. Ransomware is illegal, but that doesn't stop the Bad People. So what would stop them?

If your computer has been held to ransom, you're probably stuffed. Encryption is sufficiently good these days for it to be unbreakable without the key. You could pay up and hope that the criminals are sufficiently honest to send you the decryption key, but if they don't, you've had it - you might speak to a consultant who knows about these things because it's possible that the ransomware that hit you doesn't use strong encryption. But don't bank on it. And if you do pay up, then you have the shame of knowing that you've just made this crime profitable, thus encouraging more crime.

If you haven't been hit by ransomware yet, then there are precautions you can take. Backup is one obvious idea, but if the backup media is accessible by your computer, then it's also accessible by the ransomware, and that could be encrypted too. Even if the backup is offline, if you don't get told about the attack until the good backups have been overwritten by encrypted files, you're out of luck again.

What you need, is a product that (as far as I know) doesn't currently exist (but if it does, tell me and I'll tell people about it). This would be a product that checked inside emails for enclosed files, and stripped anything that could contain an executable (such as word macros, javascript) out of them before presenting the email to the user. It would also check inside zip and other compressed files, it would sanitise PDF files, xls files and anything else that could be a problem.

This wouldn't solve the whole of the malware problem (there's also malvertising, which is the main reason many people run an ad blocker) but it would deal with the gross of malware that arrived in my inbox in the last 24 hours.

What we don't need (because experience tells me it doesn't work) is to tell users to be careful about anything suspicious. People do not know how to decide if anything is suspicious, nor do they know how to be careful about it. To most people, a computer is just a magic box that operates on incomprehensible rules to give unpredictable results.

And if you think that your antivirus is protecting you, try this simple test. Carefully save one of the obviously malware attachments to a file, and show it to your antivirus. When you discover that the antivirus doesn't flag it, don't panic. Just speak to your AV vendor and ask them "Why?" and among the barrage of excuses you'll hear "Because we don't know how".

Tuesday, 22 March 2016

Malware times sixty

During the course of the last 12 hours, 60 malware-ridden emails have arrived in my inbox.

I didn't check them all, but the one I did check was missed by 45 out of 57 AV products.

It's not surprising that ransomware is becoming such a big problem.

I still don't understand why none of the AV producers has come up with anything to deal with this problem. It's not that it can't be done - I've explained in this blog how to do it.

Maybe the reason it hasn't been done, lies in the fact that AV product testers are still awarding products a "100% medallion" even though it's easy to see that this is undeserved.

"The attack on Methodist Hospital was another form of opportunistic attack that came in via spam email, in messages stating something about invoices and that recipients needed to open an attached (booby-trapped) file."

Well, yes. That's what I get all the time! But it would be so easy to write a product that removed all potentially dangerous content before passing it on to the users.

Little Bedwyn and Great Bedwyn

I went out today to do the Jockey Green circuit.

I planned carefully; there's a road that splits the series into two parts, so I started there, did the southern half, and then cycled back to the car. Then I had lunch, changed battery and did the other half.

I found a problem with the bike; when I went over a bump, the rear carrier would hit the seat post. Once I realised what the knocking noise was, I knew it wasn't a big problem. And at the halfway mark, I got the spanners out and fixed it.

I did a total of 57 caches today with no DNFs, although there was a disabled cache that I didn't really look for much.

The bike ran well, but by the time I finished at about 6pm, my back was aching. That seems to be my limiting factor these days.

Saturday, 19 March 2016

Fake prayers

Benjamin Rogovy must repay $7 million for fake prayers.


He set up a web site and took money from people, in exchange for praying for them. I don't understand where the problem lies.

Anyone could, very easily, become a pastor. As far as I can tell, all you have to do, is make up your own church and nominate yourself as a pastor.

And anyone could, very easily, set up a web site to take people's money. The prayer process could simply be automated - the user could select from a predetermined list of prayers, and the computer would then send those to /dev/null, or to a preferred email address, such as God being omniscient, would be aware of the prayer eben if the email isn't delivered, and since all prayers are answered (though not necessarily in the way the requester hoped), there's a result.

So what's the scam here?

Prosecuting Rogovy for fake prayers is like prosecuting a homeopathic vendor for fake medecines.

Thursday, 17 March 2016

More bike maintenance

The big job today, was to install a rear carrier that could stand up to having 25 pounds of batteries and other stuff at least, and stay sound while being ridden over very rough terrain.

I used one of these. It's very adjustable, and doesn't rely on the bike having any screw-in eyes, it clamps direct to the frame.

It took me ages to install, because I had to try different configurations. I need to avoid fouling the chain while in any of seven gears, and I need it to be rock solid. But eventually, I have it to my satisfaction. The proof of the pudding will, of course, be in the bumpy terrain.

I also deflated the rear tire because the inner tube had crept round again. I shifted the tube by about a centimeter, so that now the valve is at right angles to the rim.

And the rear brake wasn't good enough, so I had a look at thet. The brake shoes were completely worn out, so I replaced thm. I had a look at the front brakes, but they were fine. I do most of my braking on the rear brake, and only use the front brake when the rear brakes need a bit of help.

Finally, I had annother go at truing the rear wheel. It's not completely true, but it's a bit better than it was.

Buggered by the Beeb

You know that a problem is major when it hits dear old Auntie BBC. And malvertising is major.

Malvertising is when something wicked is hidden inside one of the adverts that is thrust at you when you visit a web site. But is this the fault of the BBC? Yes and no.

The internet advertising ecology isn't simple. There's content providers (like the BBC), there's people who want to advertise, and there's middlemen. The content providers just sell advertising space to the middlemen; the advertisers buy advertising space from the middlemen. And the adverts are hosted by the middlemen (or by someone running a server for them).

The problem is, who checks that the adverts aren't malicious software? And the answer is, if anyone is checking, they aren't doing a great job of it.

And maybe that's not their fault - remember how I've been finding that pretty much all antivirus products fail to flag pretty much every instance of malware that enters my inbox? Well, if the middlemen are relying on their favourite antivirus ... that isn't going to help them.

So what is to be done?

I know what I'm doing. I'm running an ad blocker - uBlock Origin. I also have a huge hosts file that killfiles a long lost of ad servers. As a result, I very rarely see an advert. And yes, I do realise that this leads to a loss of revenue by the web sites. But until they find a way to make adverts safe (and that can actually be done *very* easily), I want to keep malware off my computer using the only methods that I have.

Wednesday, 16 March 2016

Lambourn loops

I went out today and did two loops on the bike. In the morning, I did Eastbury Fields plus a few nearby extras. I got back to the car for lunch, then did The Valley of the Racehorse.

I did a total of 58 caches, with no DNFs, except that I did DNF one of them, but then returned to it and found it.

One of the bolts holding the rear carrier to the bike fell out. I'm going to try a different kind of carrier, because this one is a bit too wobbly. I'll also check the front and back brakes; they need tightening, or maybe they need new brake shoes.

Sunday, 13 March 2016

Major bike repair

I examined the bike today. The derailleur was broken into two parts! I think the sequence of events was:

1. I was going over rough ground,
2. I hadn't done up the catch on the pannier that stops it coming off the rack.
3. The pannier came off one of its hooks to the rack.
4. It swung round, and fouled the derailleur mechanism.
5. The derailleur mechanism got into the back wheel.
6. The bike came to an abrupt halt. Fortunately, I didn't fall off.

There's no way the derailleur can be mended. Fortunately, bike parts are astonishingly cheap - a new derailleur mechanism is about £7. I also bought a new chain and master links for it.

Then I remembered. I had a problem once before with the freewheel, and the bike shop replaced the freewheel, and also told me I needed a new chain and derailleur mechanism. I let them do the work, it wasn't too expensive, but I took the old parts  away with me. So I had a working derailleur!

I looked in my box of bits, and sure enough, there it was. The jockey wheels were very loose, so the shop was right to do the replacement, but hey, I have a couple of perfectly good jockey wheels on my broken mech. So I put the jockey wheel from the broken mech onto the old mech, and installed it on the bike.

"Installed it on the bike", such a short and simple phrase, but involving a couple of hours work. This is partly because I've never done this job before, and partly because the bike was missing a threaded hole to secure the mech - I had to improvise a bit.

Now the cable - the disaster that hit the mech, also did bad things to the gear changing cable. That was easy to fix; I just cut off the half-inch that was messed up and rethreaded it.

With that done, I had to adjust the derailleur so that I could get each of the seven gears.
And then I retrued the back wheel, because it wasn't exactly true, and was rubbing against the brakes at one point in its revolution.

And then the rear carrier. I had a problem there; it had been fouling the top gear. So I removed it, and put it back further away from the gears. That seemed to work OK.

The valve on the back wheel was at an acute angle to the rim - it had started at a right angle, but the tube must have slithered round. I deflated it, slithered it back and reinflated.

The pannier needs to be protected from anything sharp nearby, otherwise it just rips. So I taped a plastic shield over the rack where it touches the pannier. And then, because one of the batteries that I'm carrying cant fit inside the metal lunchbox inside the pannier,it has to go on the outside, and there's only the canvas pannier between it any anything that might damage it. So I "armour plated" it with a length of corrugated cardboard, so it has at least some protection.

And now the bike is ready for its next adventure.

Saturday, 12 March 2016


I went out today with SimplyPaul to do the Catwalk series in Essex on bikes. We had a number of disasters.

The first was when we were doing number nine. We couldn't find the micro, but as we were searching, someone walked up - a geocacher. He told us where the micro should be, and it wasn't there. So then he told us where the final was, and we all walked to it. On the way, we went through some very deep mud. I got a boot full of mud, and then I slipped and fell on my arse. But we found the cache.

Then, soon after, my left bike pedal fell off. I put it back on, and it fell off again. The problem was that it wasn't rotating freely. So a few caches later, Paul and I had a discussion about this, and we decided that I couldn't complete this circuit with only one working pedal. So we went back to the car, found a bike shop nearby and I bought a pair of pedals, £7. And then we bought pizza for lunch from Domino's - they have a deal whereby you can get a seven inch pizza for £1. Amazing.

We continued the route (plus a few extras - solved puzzles). The next problem was when my bike fell over while I was getting a cache, and the PDA holder broke. I do have an emergency replacement for it, but it isn't nearly as good.

The third problem came near the end. I haven't checked the exact problem yet, but I think what happened, was that the pannier came adrift from the rack, hit the derailleur, rammed it into the wheel where it got tangled with the spokes. This is going to need major repair work.

And then Paul had a puncture.

When we got back to the car, I was exhausted, and Paul looked pretty done in.

Still, we did 50 caches and only had one DNF, so it was a good day out.

Friday, 11 March 2016

More bike maintenance

I was about to take the bike out to the car, when I noticed an ominous bulge in one of the tires. Whe I prodded it with a finger, I could feel the inner tube. Oh dear. That's not good.

It would continue to work for a while, in my experience, but at some point fairly soon, it would give up being able to contain the inner tube, followed by a loud BANG as the inner tube burst. I don't want that to happen while I'm out on a circuit. Time for a change!

I have the back wheel on a quick-release skewer, so I quick-released it ... and it didn't release. So I wiggled and waggled it, then released the brake so that the wheel could come out, then deflated the tire so I could get it past the brakes, and eventually, I got it out. When I examined the tire, I was right, there was a split in the side. This is caused by the jamming of mud into the back wheel, which then rubs against the mud and erodes the tire.

So, off with the old tire, and on with a new one (I usually have a couple of spares. The inner tube looked fine, so after wiping the inside of the wheel and the inner tube, I put it back together, which was pretty easy, although I did use a couple of tire levers to get it in place.

Putting it back on the bike, wasn't easy. The problem was getting the gear changer into position, because it has a very strong spring, and I have to tension it against the spring, put it in position, and hold it there while I screw in the retaining bolt. Eventually, I got it into position, added the metal rod that guards the gear changer, and tightened everything up. The wheel was rubbing against the brake at one point in its rotation, so I used my spoke spanner to tighten the appropriate spokes to that it didn't rub.

 I noticed that I've put the tire on the wrong way round. That's despite carefully working out which way I should put it on. Oh well, it'll still work, it'll just give me slightly less grip in slippery mud. I'm not going through the hassle of taking the wheel off, turing the tire and putting the wheel back.

Then I adjusted the brake to make it tight enough ... and the brake cable snapped. It's a stranded cable, and the strands tend to break one at a time. This was the last strand snapping.

No problem, I have spare inner cables, so I swapped the cable, readjusted the brake, checked that the gears all still work, and the bike is now ready for action!

Thursday, 10 March 2016

NS&I security

I've just registered with the National Savings and Security web site. Their security is impressive.

It starts off with, you apply for registration. After a few days, you get your initial password through the post, on a tamper-evident seal.

I wrote that down, then got onto their web site. That asked me for my surname (easy) and my NS&I number. I had to refer to previous correspondence for that.

Meanwhile, there's a timer going, it will log me out after 5 minutes. But I can click to reset the timer. This will prevent a situation where someone walks away from the computer without logging out.

I gave the NS&I number, with the spaces as per the letter. It realised that it could ignore the spaces! That is, obviously, very easy to program, but I've been on so many web sites where the programmer thought this was my responsibility, and if I had extra spaces it was my problem.

Then is asked me for a password. 6-8 characters, at least one upper case, at least one lower case, at least one digit, at least one special character. It then wanted two phone numbers in case of need to contact me, and five security questions, of the "name of first pet" variety. I made up five random answers to these questions, so they can't be guessed by someone who knows me well.

Whenever I log on, it shows me a picture that I chose from ten, and a phrase that I gave it. So that when I log in to their site, I know it isn't a spoofed site.

My only criticism of this, was that when I tried to use a 9-character password, it wouldn't allow that. 8 is really short, why not allow people to use longer ones?

It looks to me as if they've really given considerable thought to their security. So I tested it using the Qualys SSL test.

It scored "C", which is pretty poor. For example, they're using weak 128 bit RC4 ciphers.

Wednesday, 9 March 2016

Bike maintenance

I fixed the rear carrier. I doubt if it's a permanent fix, because the way it attaches to the the bike near the wheel hub, isn't very good. So I've attached a few spare bolts to the bike for when it works loose again. And I'll give some thought to an alternative attachment method. Maybe use P clamps.

The rear inner tube had rotated in the tire - this means that instead of being parallel to a radius, it was at an increasing angle. That might not sound like a big deal, but I know (from experience) that when that angle gets sharp enough, it shears off the valve and you get a total blowout. So I deflated the tube, wiggled it so that it was in a better place, then reinflated it.

But to reinflate it, I use a battery-driven car air pump, the same one that I use as an emergency battery in the car. And it was almost flat. The reason is simple, it's too old. These lead-acid batteries only last a couple of years, and it's three years old. So I went on to Ebay and bought a new one for £25. I have needed it a couple of times - once when I stupidly left the headlights on while I had lunch in the car, and that flattened the battery. And once when the engine was overheating while I was stuck in a traffic jam, so I was turning the engine off and restarting it, and that flattened the battery.

Did you know that a diesel engine needs more power to start up than a petrol? It means you need a more heavy-duty battery.

I also adjusted the rear brake; it needed tightening up  a bit. I oiled the chain, then turned my attention to the batteries.

The new batteries I bought from Hobbyking arrived, and they look good. I also got three more chargers; I no longer use the more complicated balance chargers that mainly charge through the main connector, then balance via the balance ports. Instead, these chargers charge via the balance ports. These are much easier to connect and disconnect, because I don't need to use the main connectors. Also, I've had a few of the big chargers fail (and they don't always fail safe). The chargers I'm using now are only 30 watts whereas the big ones are 80 watts. But I use three small chargers for my battery-triples, instead of the one big charger. So they'll charge in several hours, which is fast enough.

The chargers cost about £6 and I run them from old PC power supplies, which cost me nothing.

... later ...

Yes, P clamps were the answer. I had to do quite a lot of cut-and-try so that they wouldn't foul the chain when in high gear, but I think it's OK now. I feel a lot more confident that when I bump along some of the very rough tracks I navigate, the back carrier, supporting  20 to 25 pounds, isn't going to fail.

Tuesday, 8 March 2016

The rest of the new Essex Way

First, I did the remaining 23 caches on the "Essex Way again". Then I went south, and did Rio's Ramble Reborn.

Is this a trend? Old caches are archived, and then brought back to life? Resurrection!

52 caches done today, and one DNF.

Four caches before the end, my rear carrier fell apart, or to be more precise, one of the bolts holding in to the frame came off. So I had to run the bike very gently for a couple of kilometers, but it worked out OK.

Monday, 7 March 2016

Poo sticks

Last week, my poo sticks arrived.

It's a test for bowel cancer; the kit includes six cardboard sticks, which you use to smear a small amount onto each of six places, two per day. It's not nice, but it's easy and it's a way to make an early diagnosis of something that would be a big problem. So I posted it off, and today I got the result.

I'm normal.

I'll get the poo sticks kit again in two years.

The downside of malware

Here's what happens if you become a victim.

Your antivirus will most likely not protect you. Because when I test antiviruses on stuff I get emailed, maybe 5 or 10% is flagged.

Once the ransomware is in, you're screwed. Even if you pay the several hundred pounds, you might not get all your data back, because what are you going to do, sue the criminals? Demand a refund?

Ransomware is a profitable business, and easy to get into, so it's going to grow massively. And anyone can be a victim; they don't target, they scattershot. Because anyone can afford the few hundred pounds they're asking for. Multiply that by a milliion victims (and that's a million so far) and you're stealing a good income.

So what can you do?

As far as I know, there's no product currently on the market to protect you. That's not, I think, because it's not possible to write a product, it's because most people think that existing products are useful, with their claimed and certified 100% effectiveness.

How do I know? Because I get several dozen emails per week including malware, and when I test them using VirusTotal, about 95% of products do not flag the malware. And you can do the same test, and see for yourself. If I were paying for an antivirus, I'd be demanding a refund, on the grounds of "not fit for purpose".

It is possible to write a useful product. I even have a demonstration of this. Sooner or later, someone will write a useful product (it won't be me, I'm having too much fun biking, geocaching and playing Civilization) and will make a ton of money. But until then?

1) Make sure that your Word and Excel don't run macros. And when you load a file into them that asks you to enable macros, DON'T DO IT!

2) Get rid of Adobe Acrobat, there's a flaw in it that people emailing PDFs to you can exploit. Instead, download and install a different PDF reader.

3) If someone includes an attachment in an email, don't open it, don't click on it.

4) If you think that an email came from a friend, you should be aware that to pretend that an email came from someone that it didn't come from, is as easy as it is to put a false return address on an envelope.

5) And I get several emails per week that really did come from the email address of someone I know, but which weern't sent by that person. They were sent by someone who hacked the email address.

6) To guard agains malvertising (malicious adverts), run an ad blocker (I use uBlock) and a javascript blocker (I use Noscript).

7) Flash is vulnerable. I've updated is several times, and each time, a new vulnerability is found, and I have to update it again.

8) Do backups,. That won't necessarily protect you from malware (imagine if your files are encrypted, and you've backed up the encrypted files to your backups) but they will help agains hardware failure.

And cross your fingers if you're relying on antivirus software, because your crossed fingers are more effective than the software.

Sunday, 6 March 2016

Hacking in to my network

It started at 9pm last night. Suddenly, my 2 mb leased line was dead, and all my computers were reporting that they couldn't access the internet. Bad. Very bad. So I called Daisy Communications.

"How long has it been down," they asked. About two minutes, I explained - my monitoring system actually works; theirs doesn't. They checked and found that they couldn't ping my router, so they passed the problem on to Vodafone, who are the people who actually run the network. After a few hours, I decided that this was going to be a long one, so I went to bed.

At 9am the next morning, it was still down. Daisy confirmed that Vodafone were working on it. It was one of their core routers.

That's like Piccadilly Circus and Trafalgar Square. If those are closed down, London becomes one huge traffic jam - nothing can get through. That was good news, though, because it meant that they didn't have just one whiney customer bleating at them, they had a MAJOR problem, and hopefully would throw major resources at it. Wouldn't you think?

So today it was Sunday, and we took the train to London to visit daughter.1 and grandson.1. About ten minutes after I got on the train, I got a call from Daisy. Vodafone have fixed the problem, but Daisy can't contact my router, could you reboot it, "No, I'm on a train." "Oh." "And anyway, I could reboot the router, but not the BT equipment, because that gets power from the phone line, and there's no off switch." "Oh." "And anyway, there's no way the problem could be the router, because it isn't connected to Vodafone''s equipment, it's connected to the BT Box." "Oh. Well, could you reboot the router?" Sigh. "OK."

So here I am on the 11:12 from Chalfont and Latimer to Marylebone, and I want to power cycle my router in Little Chalfont, and I don't have a remote reboot facility for that, because if I need to reboot the router to get onto my network, the problem is that I can't get onto the network to tickle a remote rebooter. But there is one chance. It's a million to one, but it just might work ...

Ruth comes in on Sunday to help with the cleaning. So I phoned home, and she answered. I explained what I wanted her to do, and explained that as nothing was working, there was nothing she could do that would make it worse. We used her mobile; I talked her into the room where the router was, and described the table it was on. Actually, on that table is the firewall and the router, and I couldn't remember which was on top, but that wouldn't matter. She looked at the front of both of then, and saw green lights. I told her to look round the back where the power switches were, and she switched them both off. She checked that the power lights were off. Then I told her to switch them back on, she did, and check that the power lights were on. Thank you Ruth, you are now a sysadmin.

This sounds easy, but remember I'm on a moving train, I'm working from memory to do something I never expected I'd need to do with someone whose job description does not include "sysadmin", and there are tunnels on the line during which there's no telephony.

So then I phoned Daisy to tell them that the power cycle was done, and they confirmed that there was still no contact. Which meant that, as I'd told them, rebooting the router was futile. So they got back to Vodafone and told them that the reboot didn't do the trick, and they need to take further action.

Remember, this is one of their core routers. A lot of people are without internet access while this is down.

I went to lunch with daughter.1 etc, we had a Mother's Day lunch at Pizza Express, and when I got back to her flat, I fired up the Dell laptop that I keep there for just such an occasion.

It wouldn't start, The CMOS battery needs to be replaced, so it had lost its setup info. So I told it the date, guessed a time and told it to reboot, and it did as it was told. Then I tried to contact my network, by trying to access my Secure Server remotely, because that, for obvious reasons, is accessible to the whole world, so they can give the needful info securely, It wouldn't connect. Rats. Nor could I ping it. Double rats.

I was just about the call Daisy and give them an earful, when I thought, hang on, I can't ping it because I've blocked ping to my secure server, as per the PCI DSS recommendation. So I pinged another of my servers, and it worked! Which means that Vodafone have fixed the problem that was stopping the leased line from working, hurrah.

But why can't I access my secure server?

The next thing was to log into the secure server to find out what the problem might be, but I can't, because people outside my network can't log in to the secure server, because security. But I can log in to it from inside the network. Except that right now, I'm not inside.

So I need to log in to a server that's inside my network (and from there I could log in to my secure server). But my firewall doesn't allow people from outside to log in to the inside, because security

Usually, when I go away for a few days holiday, I relax that a bit, so that there's one computer that can be logged in to from the outside, and then from there I can log in to any other computer on the inside. But normally that facility isn't there, because security.


I won't tell you what I did next, because I don't want anyone else to do it. It was pretty clever, I thought, and it let me log in to one of my Raspberry Pies, which is inside the network, and from there I could log in to any of the other computers. I'm in!

So I went to my secure server and checked. A) Apache was running, and B) I could access it from another computer via the https protocol. Which meant that it was actually working, and I could see that it had collected some user data as of 16:30. So why couldn't I access it?

After some thought, I realised why, This Dell is running Fedora linux core 9, which is a five year old version. That's because I tried to install a more recent version and it wouldn't install.

When a browser contacts a secure server, they negotiate an encryption protocol, and between them, they choose the most powerful encryption that they can both handle. Because of vulnerabilities found recently, I had told Apache not to use SSLv1, SSLv2 or TLSv1. But this old version of Firefox doesn't have the most up-to-date protocols, so it wasn't able to talk to the secure server. When I told the server "Yes, you can use TLSv1" everything worked.

And now I'm a happy bunny.

Computer problems are rarely simple.

Saturday, 5 March 2016

New batteries

When I went out yesterday, I ran through both of my 10 AH batteries, and got partway through my "emergency" 5 AH battery. Actually, even if I did totally run out of battery, I still have a working bicycle.

Today, I checked on Hobbyking, and they've got a special on the 10AH batteries that I like. I get 10AH, 14.4 volts for £22 (usually £43). Three of those gives me enough battery for a few hours of biking - of course, it depends on how much power I use. On a good surface (such as tarmac or gravel) that would be a lot less than on a bad surface (soggy mud or soft grass). So, I bought three more batteries to make aup another battery pack, and I also got three more chargers (I use chargers that cost only £6, and can charge up the 4S batteries that I use via the balance port, which makes it very easy for me to set up the recharge.

Friday, 4 March 2016

RTF can be malware

I just discovered that RTF (rich test format) attachments can contain malware. I was emailed an RTF file, I checked it with Virustotal, and two of the 54 products flagged it as malware. That's pretty poor, I agree, but it's what I've come to expect.

We all knew that Doc and Xls files (and similar) can include malicious macros, and that Zip and rar (and similar) files can too. HTML can include javascript that does something you didn't want, and because I'm being sent javascript files, clearly these can include malware. PDF files can exploit a bug in Acrobat to install malware.

I though RTF files were safe. They aren't. They can include macros, just like Word files.

This isn't a new discovery, the experts already knew about it (that article is dated 2001). But I have a problem with "the experts", they warn us about this and they warn us about that, but none of them seem to be warning us that the real threat today is malware arriving via email, and that of 54 products, 95% don't flag the malware that just arrived in my inbox.

Why is this? I mean, I know why they can't flag the malware, that's obvious, it's becuase they didn't even see it before I did. What I don't understand, is the silence about the situation. Maybe one could imagine a conspiracy in which the AV companies don't want to tell the world that they're selling a useless product, but there's a lot of researchers who aren't attached to an AV company who would be delighted to blow the whistle. And it isn't exactly difficult to verify the situation - just take the next dozen obviously malicious emails that are sent to you, and submit the attachments to VirusTotal. Or just scan them with the scanner that you hope is protecting your system.

OK, so antivirus products don't protect against trojan horses sent via email. Maybe the clue is in the word "antivirus", because trojans aren't viruses. And maybe AV products protect very well against viruses. Maybe - I can't verify this. Because I haven't seen a virus in donkey's years. The threat has changed.

25 years ago, the threat was viruses. Remember the panic over Michelangelo, dues to turn nasty on March 6 1992? That was a boot sector virus. Boot sector viruses spread from computer to computer via infected floppy disks. When was the last time you saw a floppy disk? Computers today don't even have floppy disk drives! The virus threat is history. The threat today is trojans. Mostly sent by email, partly transmitted via the web using malicious adverts.

And antivirus products don't help you.