Saturday 23 March 2019

A two-pipe problem

It's been a while since I wrote anything, but something inspired me today. Here is a useful bit of information which may well help other people with a similar problem. I had no luck googling it!

So, what was the problem? Microsoft account login.

I am involved with a community shop. Last week our access to our Microsoft Office 365 & OneDrive suddenly stopped. We couldn't log in to our Microsoft account. We kept getting a message about 'too many failed login attempts'.

Hmmm. Someone trying to hack us? Try changing password. That seems to go okay but still get the message.

This is what we get when trying to login via a browser:

"Something went wrong and we can't sign you in right now. Please try again later. The Microsoft account login server has detected too many repeated authentication attempts. Please wait a moment and try again."

Logging in via the desktop OneDrive app fails, and suggests logging in via the browser!

One suggested fix involved clearing cache etc. Did that, tried 3 different browsers, still no luck. Changed password again. Still the same message.

Was going to seek support in the Microsoft Community support forum. Slight problem - you need to be logged in to ask a question! Phone support is only available on Business accounts.

So time to call in the experts - the wonderful John Behnan of 8020tech in Machynlleth. Bit more head scratching. It's still happening this morning. He then asked if I'd tried connecting from somewhere else (all connection attempts had been on the network in the shop). Hmmm...tried logging in from phone on 4G connection. IT WORKED! This suggests an IP address problem. John digs and finds we're on various blacklists. Re-booted the router and got a new IP address and everything is okay. But it's bad luck for the next person who gets that IP address!

Now why would we have been blacklisted?

Best thought is that someone has connected a malware-infected laptop to our public WiFi network, which proceeded to send out streams of spam via a built-in mailserver. We have now blocked the e-mail ports on the firewall. This is the second time John has seen this in a few months.

All is now back to normal.


So, why does the Microsoft message not give the vaguest hint of the root of the problem? It would have saved me a lot of time.

The moral: if you're setting up a public WiFi network for customers, make sure you block the common mailserver ports on the firewall. Plus make sure that the public network is on a different IP range to your own network, and that devices on the public WiFi are isolated from each other to prevent cross-infection. We're using a Ubiquiti device, which is pretty neat for doing those things.
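As an added illustration of the firewall advice above (this is not part of the original post or the shop's actual setup): the firewall's connection log can show which guest device was behaving like a spam relay. The guest subnet, the port list, the netfilter-style log format and the sample lines are all assumptions constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example, not details from the post:
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")  # public WiFi range
MAIL_PORTS = {25, 465, 587}                          # SMTP, SMTPS, submission
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")   # netfilter LOG fields

# Constructed sample lines in Linux netfilter LOG style (new connections only).
SAMPLE_LOG = """\
Mar 20 10:01:02 gw kernel: IN=br-guest OUT=eth0 SRC=192.168.50.23 DST=203.0.113.10 PROTO=TCP SPT=50001 DPT=25
Mar 20 10:01:02 gw kernel: IN=br-guest OUT=eth0 SRC=192.168.50.23 DST=203.0.113.77 PROTO=TCP SPT=50002 DPT=25
Mar 20 10:01:03 gw kernel: IN=br-guest OUT=eth0 SRC=192.168.50.23 DST=198.51.100.5 PROTO=TCP SPT=50003 DPT=25
Mar 20 10:01:03 gw kernel: IN=br-guest OUT=eth0 SRC=192.168.50.23 DST=198.51.100.90 PROTO=TCP SPT=50004 DPT=25
Mar 20 10:01:04 gw kernel: IN=br-guest OUT=eth0 SRC=192.168.50.23 DST=203.0.113.10 PROTO=TCP SPT=50005 DPT=25
Mar 20 10:02:10 gw kernel: IN=br-guest OUT=eth0 SRC=192.168.50.40 DST=192.0.2.25 PROTO=TCP SPT=41000 DPT=587
Mar 20 10:02:11 gw kernel: IN=br-guest OUT=eth0 SRC=192.168.50.40 DST=192.0.2.80 PROTO=TCP SPT=41001 DPT=443
Mar 20 10:03:00 gw kernel: IN=br-lan OUT=eth0 SRC=192.168.1.10 DST=192.0.2.25 PROTO=TCP SPT=42000 DPT=25
Mar 20 10:03:05 gw kernel: IN=br-guest OUT=eth0 SRC=not-an-ip DST=192.0.2.25 PROTO=TCP SPT=1 DPT=25
"""


def mail_talkers(log_text, min_servers=3):
    """Map each guest IP to the distinct mail servers it contacted.

    Only clients that reached at least `min_servers` different servers are
    returned: a mail app talks to one or two, a spam bot to many.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or not f.get("DPT", "").isdigit():
            continue
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # skip truncated or malformed lines
        if src in GUEST_NET and int(f["DPT"]) in MAIL_PORTS:
            seen[str(src)].add(str(dst))
    return {ip: sorted(d) for ip, d in seen.items() if len(d) >= min_servers}


if __name__ == "__main__":
    for ip, servers in mail_talkers(SAMPLE_LOG).items():
        print(f"{ip} contacted {len(servers)} mail servers: {', '.join(servers)}")
```

A guest device that shows up here is the one to take off the network; once the mail ports are blocked, the same check over dropped-packet logs shows whether anything is still trying.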

In a way it's lucky that we don't have a fixed IP address, as a router re-boot wouldn't have worked.

Another thought, particularly for people using 'the Cloud' - OneDrive in this case. We use OneDrive to share files between staff, and to ensure they are 'safe'. We also use it to store various data file backups off-site. (No use having a backup on a hard drive in the same building if the building burns down!). The same problem could happen with your Dropbox or Google Drive or whatever. What would you do? I suspect one option is not to rely on the 'popular' systems. If you need cloud storage should you use Amazon AWS or similar? Should the really paranoid duplicate their OneDrive files to Dropbox (or to a local USB hard-drive) from time to time? A back-up is only useful if you can access it!

Tuesday 1 September 2015

Halt and give the password!

Passwords are such a pain, aren't they?

Several recent incidents have prompted me to scribble a few thoughts on the subject. Firstly, there was the infamous Ashley Madison hack (not that any of my readers are likely to have joined that rather dubious website). It's not so much the details of who the users are, but the information that's come out about passwords. It seems that the most popular passwords are 'Password' and '1234' - these are not exactly strong passwords. Of course in this case it may mean that the users were just creating throw-away accounts, with fake names etc, so weren't too fussed about security. But other website hacks have shown similar results.

Surely by now people should understand about having strong passwords? Or, even better, using 2-factor authentication when it's available? Some websites now actually show how good a password is when you choose one - some, but not all. It's still no excuse for using the name of your pet pussy-cat instead of p1nk56bananA#! (And don't start me on websites that don't allow special characters like #@£& etc. in passwords!)

But, you say, how do I remember all of my passwords? Should I use the same (strong) password for every website? NOOOOO! And please don't start me on the wisdom of those stupid sites that say 'log in with your Facebook account' - what a brilliant idea! Use the same password for every website - then life will be so much simpler for the hackers. Obviously, you must have a different password for every site.

So, again, how to remember them all? That's where password managers in your browser come in handy - they can securely remember all your passwords - just make sure that you set a master password to stop anyone browsing through them all (and have a nice, strong, unique master password, not 'fluffypaws').

Password managers are great. But unfortunately there are a few idiots out there who disagree. The Welsh Government have recently decided that users of their 'Sell2Wales' tender management website can't use a password manager 'for security reasons' - I assume that they feel that having the password on a post-it note stuck to the computer is more secure. They seem to be under the impression that no-one uses any website other than theirs, and will have no problem remembering a password for a site they perhaps visit once a month. Or perhaps they want people to use their Facebook password?  Why do the taxpayers of Wales have to pay for this sort of 'advice'?

I'd say 'roll on fingerprint ID', but that's even worse. There is a key difference between passwords and biometric ID. User name+password identifies the user of a website as someone authorised to use the website, but doesn't actually identify the person or allow them to be linked to login data from other websites (Facebook please note) and the subsequent data mining. You can use totally different names, dates of birth, address, e-mail etc for every website. Biometric ID is very very different - it identifies you as a unique human being, and allows all sorts of dodgy data analysis. No thanks. For me, I'd like to see a much wider roll-out of 2-factor authentication - security combined with privacy.

Sunday 8 March 2015

To Facebook or not to Facebook, that is the question...

Technoleg Taliesin is involved in all areas of the on-line world. Mainly we develop websites, but it's impossible these days to create an online presence without considering social media.

Often people will glibly tell our customers that they MUST be on Facebook and Twitter and Pinterest and LinkedIn and so on...the list is endless. (And what about MySpace? Remember them?) But, as with any aspect of marketing a business or organisation, you have to sit down and think carefully about what marketing channels are appropriate for you and your message - and your customers.

So, we work with our customers to decide what is right for them. If they organise a lot of activities or events, then a Twitter account makes a lot of sense. For others a Facebook presence could be very helpful. For professionals then perhaps LinkedIn might be useful. Perhaps a blog? or an e-mail newsletter? We help our customers decide what is right for them, and then help them set things up. Horses for courses, as they say.

But the one thing that we must always remember is that all of these activities, no matter how much potential they have, will only be effective if they are done properly. Managing a Facebook account takes a lot of time and effort. Creating interesting posts, responding to comments, sharing etc. all take time. No problem for a large organisation with a marketing department, but perhaps more of an issue for a small business with one or two over-worked staff. And consider what an out-of-date Facebook or Twitter account, with no posts for months, says about the owner. In reality it may be they're too busy to keep up with things - or they could have gone bust!

And to be honest, is Facebook appropriate for every sort of business, even if their customers tend to be regular Facebook users? Is Dai the Death, the Llanbethma undertaker, really likely to get many friends on Facebook? Will everyone be following him on Twitter in case he announces a special Buy-one-get-one-free offer, for seven days only!

And that really explains why a search for Technoleg Taliesin on Facebook or Twitter comes up blank. We think it's probably not very appropriate or practical for a small web development company, and is certainly not worth the effort of setting up and maintaining a page. We have other ways of keeping in touch with our customers, and we prefer to do it on a one-to-one basis.


Saturday 7 March 2015

Techno-fear

It's easy for professionals in any field to get to the stage where they're so comfortable with the technology that they work with that they start to forget that 'normal' people may not be so relaxed about things.

I've been working with computers for many decades, and I hope that I manage to remember that what is second nature to me is a bit more complicated for other people to understand and, more importantly, that other people may be frightened that they're going to break something. And that's a very real problem. Windows, in all its various flavours, can be a nightmare to use. Different programs do similar things differently. What should be a simple process can turn into a nightmare. Click on a few wrong pop-ups and your bank account can mysteriously end up empty.

Perhaps this is why Apple products are so popular - they may cost a fortune but generally they work the way the user expects, because all the software is effectively made by the same company. The same thing with Android phones - people just use them. Okay, they may not understand exactly what they're doing, and how risky it might be, but they don't worry about it.

Windows is different. People worry. At a recent talk that I gave on Internet safety this was a common comment - people were actually frightened of doing something wrong - or even doing something right!

I thought this was something that I was aware of and appreciated, but didn't think I was likely to suffer from myself. WRONG!

My main laptop is now nearly five years old. It works well, but the main disk partition is getting close to full - regularly! The problem was that when the system was new I decided that I really didn't need a primary disk partition of 512GB, so I split it up into several bits, and gave the main C:/ drive a 'mere' 120GB (I can remember putting a new hard drive into a computer some years ago that was 512 MEGA bytes - and cost £250). The rest I used for an extra data drive, and then installed Linux to have a play. Now I needed to extend the C: drive, but Linux was in the way. I decided to delete Linux and add the space to C:. Straightforward process once I'd acquired some souped up partition manager software (the standard Windows 7 stuff is a bit limited). Basically just delete the old Linux partition, reset the boot manager to Windows instead of Grub, and away we go.

I was TERRIFIED! Playing around with partitions and boot managers in the wrong way is one way to trash a computer, and this is a very important computer. Yes I've got backups, yes I've got other computers I can work on in an emergency, but if anything went wrong it would waste an awful lot of time. I knew what I was doing (sort of - I'm a software developer not a computer engineer), but when it came to rebooting to see if the machine would come back to life I was sweating.

Of course I didn't need to worry, it all worked perfectly, but it was a useful reminder of how some people feel every time they approach a keyboard.

Our job is to make things as simple, friendly and foolproof as we can, and to train people properly so they don't panic whenever they use our software.

Monday 2 March 2015

Wales goes digital - at last!

Wales has finally been allowed to take its place in the digital world: the .cymru and .wales domains went live for general use yesterday, March 1st. It's been a long wait.

Trademark holders have been able to register them for some months, and we started hosting our first .cymru and .wales domains late last year when the domains www.ylolfa.cymru and www.ylolfa.wales went live for Welsh publishing company Y Lolfa. For the moment they're just pointing to the main www.ylolfa.com website.

Whilst this is obviously a Jolly Good Thing, I'm a bit irritated with the top level domains chosen: ideally we would have been like other countries and had a single 2 or 3 letter code. What was wrong with having .cym? And why have both .cymru and .wales? .cymru would have been fine by itself, but now everyone will need to buy both, just to make sure no-one else buys the other one.

In some cases this will work well - for bi-lingual websites we can direct the .cymru domain to the Welsh home page, and .wales to the English one. Businesses and organisations can have different domains for .cymru and .wales: siopardfarcdai.cymru and daisaardvarkshop.wales. We've done precisely that for a project that will be launched later this month: Voices from the Factory Floor, for Womens Archive Wales. We'll be using www.lleisiaumenywodffatri.cymru and www.factorywomensvoices.wales

So, it's a very good morning in Wales as we become a fully paid up member of the world of the interwebs.

And of course we'll be offering .cymru and .wales domains to all our customers from now on.

Friday 20 February 2015

Avoiding the Tarantulas

The Internet is wonderful, an ingenious invention that has grown into something utterly indispensable in a little over a couple of decades. But who would have thought it could end up such a hostile and dangerous place!

It was bad enough a decade ago, as viruses attacked our desktops. Now the problem is orders of magnitude worse as we access the Web from a variety of vulnerable devices via unfamiliar wifi access points.

Every day new vulnerabilities are discovered and patched, but it's a war of attrition and the goodies are losing.

I mentioned a while back that we're involved with assisting in our local community shop and cafe through developing their website and helping with social media etc. The group that manages the shop and cafe, Cwmni Cymunedol Cletwr (of which I'm a Director, by the way) has a wider remit than simply running the shop and cafe - it's a community group that exists to improve life in the community in any way we can. For instance, we're organising a litter pick-up session and we recently established a fuel-buying syndicate that arranges bulk purchases of heating oil (at a discount) - the first order saved £280 for locals.

We're now looking at education, and we decided to run a series of talks aimed at helping people to use the Internet more safely. I presented the first one last night.

Obviously using the Internet will never be 100% safe, but we hope that by giving people a series of tips on best practice, the chances of them being bitten by the tarantulas lurking on the web will be minimised, as will the effects of any such venomous bites!

The talks cover the obvious topics such as making sure anti-virus software is installed and up-to-date, tips on what makes a good password, safe use of public wifi and internet cafes, recognising and avoiding phishing attacks and general online privacy. Some of the guidelines were technical - installing AV software, having backups of important data or using a VPN when on public wifi, but much of it was about basic behaviour - watching out for shoulder-surfing etc, who to trust (no-one!), and not publishing too much personal information.

The talk went very well, but I think I may need to turn down the paranoia level next time - I suspect some of the attendees will never go on-line again!

The importance of such education was highlighted when the first e-mail I opened this morning was from one of my neighbours, who is apparently on holiday in Turkey and has had all her money, tickets and passport stolen, and needs a loan!

This sort of education is essential, but it must be presented in an easy-to-understand way so that normal people (non-techies) can put some of the tips into practice, and make their on-line life a wee bit safer.

The slides and notes from the talk are available on the Technoleg Taliesin website.

I would urge any techie to do their bit to help their community by organising similar assistance, either as public talks or simple one-to-one support.

Wednesday 19 February 2014

Language choices

One question which often arises while designing a bi-lingual website is how to show the option to change language. Well, to be honest, I suspect the question doesn't actually get asked - many websites just use national flags, without any thought of the significance of the flag: e.g.




...but that is completely unacceptable!

The flag of the red dragon, Y Ddraig Goch, is the flag of EVERY Welshman and Welshwoman, whatever their language(s) - Welsh speakers, non-Welsh speakers, learners, immigrants or whatever. And the Cross of St George is the flag of England and its inhabitants - not English speakers. English is spoken in many countries, including Wales.

Some sites even use the Union Jack to represent English.

(vistcardigan.com)



(that's the website of Cered, the Ceredigion Language Organisation, who really should know better - but at least they have the name of the language as well)

The Union Jack is the flag of the United Kingdom, which includes Wales (where some people speak Welsh), England (officially English only, but in practice many, many languages), Northern Ireland (English and Gaelic) and Scotland (English and Scots Gaelic). So completely wrong!

I believe that the only option is to use the name of the language, in the language, so 'Cymraeg' and 'English' (and perhaps 'Castellano' in South America and 'Español' in Europe, Български or whatever).

Here's an example of a site we developed for an EU-funded project, that involved people from six countries/regions:


www.futureforest.eu