Saturday, 21 December 2013

E-mail hackers = evil scum

Without doubt, the criminal scum who attempt to rip off normal people through computer fraud will spend all eternity burning in the hell of their belief system. And if they don't believe in an after-life then I'm sure we can devise a hell especially for them.

I'm slightly peeved with these toe-rags as I've just spent several hours helping a friend to recover from an e-mail account hijacking.

Over the last year or so I must have had a dozen e-mails from friends and contacts with the usual sob-story that they're in Nairobi/Istanbul/Cairo/Casablanca or wherever and have been robbed/lost their money and tickets/been arrested and need some financial assistance. Most of them have been yahoo or btinternet accounts. It's a well known problem and seems to be almost inevitable for yahoo mail users, even the careful ones.

This one was unusual as it was a gmail account, which tend to be a lot more secure (or can be).

The hijacker was a bit nastier than usual as well.

The sequence of events:

  1. They managed to log in to the gmail a/c
  2. They changed the password
  3. They set up a 'reply-to' to a yahoo a/c with the same user name that they'd just set up.
  4. They sent out the begging letter to all the contacts in the address book
  5. Then they deleted all the mail in the a/c and emptied the trash - although they left the address book intact
  6. They also managed to get into his Facebook a/c and changed the password on that too.

Friend then gets lot of calls and e-mails telling him he's been hacked, and made the mistake of googling for assistance, and ended up talking to some dodgy company in India who used Teamviewer to control his machine and showed him the terrible things that were there and frightened him somewhat. (They weren't there I hasten to add). He agreed to pay them the £130 they wanted to clean up his machine. Luckily the bank stopped the payment! Total scammers, and presumably the same nice folk who phone little old ladies and claim to be from Microsoft and offer to remove the virus from their computers. What are the Hindus like for punishment in the after-life?

He then reported the issue to Google and got his password changed using the 'security questions' so he had his account back, minus all old e-mail.

He also reported the matter to the police (which will undoubtedly result in a series of worldwide dawn raids and arrests within days, if not hours - well, possibly in some parallel universe)

He also got all his credit cards changed.

Wisely he then asked me for advice and we've spent several hours sorting things out.

For reference, this is what we did.

  • Firstly, check his gmail a/c to see if any other nasty surprises had been left, like filter, forwarding etc. Only obvious thing was that a reply-to address had been set up, and has now been removed.
  • Then contact Google to see if they can recover his deleted mail. There's an excellent summary of how to report problems and get mail recovered at

    https://support.google.com/mail/answer/78353?hl=en
  • We filled out the form and within 10 minutes the mail was all back. Serious "thank you very much" to Google for such fast work. (I suspect they have to do it quite frequently...) 
  • Looking at the mail discovered some messages from Facebook about changes of password and e-mail a/c (to the new dodgy yahoo a/c), so then had to do a forced reset of the FB password and e-mail a/c. Not too stressful, although the option to recognise people in photos was useless!

Meanwhile we're wondering how it had happened in the first place. Checked that AV was up-to-date on friend's main laptop and ran full scan, completely clean. Ran different AV to doublecheck, and about to run Spybot as well. So probably not something as obvious as a keylogger. If they'd done that I think they may have tried high value attacks like bank accounts rather than a standard scam that's unlikely to work, and grabbing FB contact lists.

We chatted about his recent activities. Did he use an internet cafe or a strange computer? Could someone have shoulder-surfed when he logged in in public? And he travels a lot, in some slightly dodgy places (including Nairobi - where he met a nice lady who offered him TWENTY SIX MILLION US DOLLARS). He travels with an old laptop, and remembers using some unsecured public WiFi spots. We decided that was probably it - shoulder-surfing or unsecured WiFi with some nasty goings-on on the server.

That was actually quite encouraging, as he'd been worried that someone had hacked his actual laptop - but it doesn't seem to be that. (The nice lady in India who should go and get an honest job suggested that someone had hi-jacked his IP address - I'm not sure how that would work.)

So, we then looked at how to stop it happening again.

First off, we turned on Google 2-factor authentication. This is a seriously important step, and really everyone with a google a/c should use 2-factor. It's simple - when you try to login from an unfamiliar computer google will prompt you for a second, one-time pass code. It can either send it as an SMS to a previously agreed primary phone, or it can make a voice call to the phone, or you can install an app on a smartphone that generates a code that changes every 60 secs (like the good old SecureID tags that I used for remote dial-up loggin to Eagle Star many years ago). Some other services offer 2-factor, and everyone should use it whenever possible.

Then we looked at the issue of possible hi-jacking of a WiFi session. He's now going off to install VPN software (I suggested Hide My Ass Pro) which will create a secure connection over even an unsecured WiFi network. I've used it, and it works with Windows and Android devices, and I assume a whole lot of others. It has other uses too, but well worth the $60 p.a. (special offer) if it prevents a repeat of something like this.

That seems to be it. I'm not sure how effective it would be to report the dodgy yahoo a/c to yahoo.

We had a look at the gmail account history, to see if we could get an IP address for the soon-to-be-spit-roasted one, but we'd left it too long. Pity. Can one book a drone strike on an IP address anyway, or do they want a grid reference? (That's a question for you, NSA)

A useful lesson (or two) to us all. Mainly a) use two-factor authentication and b) don't use unsecured WiFi

Hopefully this particular scammer/hacker/little shit will shortly have an accident that wipes out all their savings on medical bills, without actually being life-threatening. May they live a long and miserable life of anticipation of the hell-fires that await them when DEATH finally comes to take them.

Thursday, 12 December 2013

Companies in the community

We've been in business for over a decade now, and from the beginning we've been aware that there is more to being a small business in a rural area than screwing every penny possible out of every customer. In the big city you may get away with it, but living and working in a small community really makes it obligatory to contribute to that community in whatever way we can, whether as individuals or as businesses. That may be something as simple as paying for an advert in the village school's calendar, but in our case it goes further: we're always happy to contribute our professional skills to local community groups at reduced costs or even for nothing. From a pragmatic point of view this sort of pro-bono work may help to generate a bit of paid work by spreading the word about the company, and in rural areas reputation is everything: very few small businesses just look in Yellow Pages when they want a web developer - they go by word of mouth recommendations (or at least they do round here). That's one factor of course, but on the whole we do it because we actually want to - we want to get involved with local groups and businesses - they're our neighbours, after all.

One recent project comes to mind: Siop and Caffi Cynfelyn.

Siop Cynfelyn is a community enterprise (Cwmni Cymunedol Cletwr) that has taken over the site of a local petrol station/shop/cafe in the village of Tre'r Ddôl on the A487 that had been empty for several years. In May 2013, after a lot of hard work by a team of volunteers, the café and shop were re-opened to the public. It's grown steadily since then, staffed mainly by a team of dozens of volunteers, and is now in the process of applying for grants so that the group can buy the site and completely redevelop it. Our initial contribution to the project was an offer to develop a website (a freebie of course) to keep locals up-to-date with the project plans. That then evolved into a site aimed at advertising the activities in the shop and café and progress on the project. It was then added to with a private area for managing communication with the volunteers and to maage a general customer mailing list. Although the site was developed with our standard content management tools, we're still doing most of the content editing as well.

Of course in this case our involvement didn't stop there - somehow I'm now on the management committee and I also seem to be doing a couple of shifts a week making excellent lattes for the customers and standing behind the till (a strangely slow piece of advanced computer-based technology. Why does it take 7 seconds to calculate that there is £4.00 change from a £5 note when buying a £1.00 loaf? Very odd - I think there's a little demon in the box writing down the details of each transaction with a quill pen.)

You can see the website at www.cletwr.com


The managers have also been busy, and set up a Facebook account, which helps to spread the word

...and of course, if you're on the A487 between Machynlleth and Aberystwyth at any time, why not pop in for a cuppa and a slice of cake, and a chance to buy some excellent local produce - choose the right time and you might even meet Santa Claus

Saturday, 23 November 2013

Backups? What backups? (fit the second)

In my last post I chatted about the sort of backup approach that I use for my own computers, but what about website backups?

We are responsible for managing dozens of client websites, on a number of different servers. All our server and hosting suppliers provide backup (obviously) but that's mainly to cope with server failures. Most of our sites are developed using content management tools, which means that the site owner could be adding or editing content every day.

So how do we guard against:

1) Client wants to revert to an older version of a page

2) Content is corrupted and not noticed for a few days
3) Hosting provider suddenly shuts down (it's not happened so far, fingers crossed)

We've set up a number of systems to protect against these situations.

The first is fairly straightforward: our CMS stores all previous versions of a page in the database and a client can view all of these and revert to whatever version they want.

The others are slightly more complicated.

We originally set up a system that backed up the latest version of our production sites to storage in our office. The procedure was fairly straightforward: copies of the databases were downloaded each night and kept for a couple of weeks, and a copy of the current state of the static files (pictures, pdfs etc) was also kept. The main drawback was doing this every night over a broadband line - some of those databases were quite large, and were downloaded every day even if nothing had changed. So how could we improve things?

Initially we set up a system using an 'unlimited' (hah!) hosting package which did something similar, but to a hosted server, so that we didn't have to worry about bandwidth and storage. It then turned out that the unlimited package we had bought wasn't quite as unlimited as all that. So on to plan C.

Plan C is our current version and now makes use of 'the Cloud'. We are using an Amazon EC2 server to run the backup processes, which now do a daily backup of all the static files and databases on all our production servers and then stores them in Amazon S3 storage. The costs are pleasingly low. We also make use of the Amazon 'Glacier' storage for older backups. This way we can have a complete snapshot of all our site data which is immediately available (so that we can restore individual files or database records) for every day for the last two weeks, and we have further daily backups for three months which can be recovered in a few hours. (Obviously all the backup files are password protected and aren't directly web accessible).

We've also developed a backup management system that warns us if a backup is overdue for some reason.

So now we can sleep easy in our beds!

The whole process of developing the backup strategy to the position we're now in has taken many weeks of development time. Apart from the obvious advantage of having a reliable backup system, it's also served as a useful opportunity to experiment with the Amazon Cloud services - which are pretty impressive.

But there are times when I wonder if we're very good at "business". We've done all this work to ensure our customers' data is safe, but do we charge them an arm and a leg for the extra security? Do we heck! All part of the Technoleg Taliesin service.

Wednesday, 30 October 2013

Backup? What backup?

You all take regular backups of the critical data on your computers, don't you? And backups of your entire hard drive? But do they work? A wise sage once said "Your backups are only as good as your last restore", and that's probably right.

Over the years I've heard a whole host of horror stories about the subject, some pretty ancient. There was a colleague who visited a local office where there was a problem and who asked for the disk copies - and was given a folder containing photocopies of their data floppy disks! (This was obviously a few years back in the days of 5.25 inch floppies) - fair play to the office staff, no one had explained what was needed. Someone had just installed this amazing new bit of kit, shown them how to use it, and then said "Don't forget to copy the disks every day" - and as far as they were concerned copies were made on the photocopier.

And there was another colleague (same sort of era) who discovered that the backup floppies (real floppy disks this time) were kept safely where everyone could find them - clamped to the side of a filing cabinet with a large magnet!

And some years ago in the Green Party office when the computer died, and someone asked for the backup. No problem, sitting in the filing cabinet, taken the previous afternoon. All was well - luckily - as yesterday was the first backup they had made in six months!

And the office in a large insurance company in the early days of IBM PCs, before networks, where PCs were stand alone, and they had installed a tape cartridge unit and software on the PC for daily backups - which they did. And one day the engineer was looking at something and discovered the cartridge drive door was covered in cobwebs - they'd been backing up onto the same cartridge daily for the previous year - and those cartridges had a recommended lifespan of 20 uses.

Of course we're much more sensible these days - aren't we?

Personally I'm paranoid when it comes to data backups. I look at a long list of scenarios and try and have a setup that can cope with (almost) all of theml:

1) Hard disk crashes
2) File gets overwritten
3) Office burns down
4) Burglar nicks computers from office
5) Computer gets lost
6) Global warming floods Taliesin
7) Meteorite hits Taliesin

As a result, my backup strategy has several strands. I have software on my main computer that automatically runs schedules backups. The entire hard disk is backed up weekly, and my data directories daily. I keep daily backups for several months, and occasional ones before then. The backups are written to a Network Storage Device in another building.

From time to time I mount one of the backup files to check it works - I haven't dared to run a full restore though! But I'm thinking of upgrading the hard drive on my laptop, so that may be an opportunity to try it out...

This setup can cope with (1) - the full disk backup should allow a straightforward restore to a new drive using a restore boot CD.
(2) - the daily data file backups mean I can go back to the state of every individual file, every day for the last couple of months
(3) - the backups are in a different building
(4) - ditto - it's embarassing if your backup is on a bit of kit next to the computer which the burglar also nicks.
(5) - buy a new computer and restore from the full disk image
(6) - hopefully I'll have time to escape clutching critical kit
(7) - if I'm at home at the time, I'm past caring. If I'm not, there is a weakness which I'll be addressing soon. I have a couple of large, cheap USB hard drives, and I'm going to do a monthly manual copy of the entire system and store it at the house of a colleague who lives 20 miles away. We'll meet up monthly and swap copies - I'll be doing the same for him.

Overkill? Maybe, but I don't think so. For a business that relies on data stored in electronic form, the security of that data is absolutely essential. Lose the data and you lose the business.

And what about individuals and their home computers? And websites? I'll discuss those later...




Wednesday, 23 October 2013

The joy of fonts

Amongst the many woes of the professional web developer has been the difficulty of explaining to clients, particularly those who have experience of preparing work for print, that a) web pages are not all the same size, b) web browsers sometimes do things differently and c) you can't use that nice Papyrus font that you've got on your computer (except in images)

The first two are still an issue, and in fact have got messier thanks to the rapid rise of mobile internet and the viewing of websites on some very 'odd' devices.

The third has got a lot better since Google released their webfonts. For those who don't know about them, the google webfonts are a very large collection of fonts that can be safely used on web pages (with a bit of extra coding - which Google provide). The code and fonts work on all modern browsers. No more are we stuck with the same old half-dozen slightly boring (if very readable) fonts.

To be fair, a lot of the available fonts are a bit iffy, but there are a nice selection that can be used for body text as well as wierd headings.

Our first attempt at using them was for a new site for Robin Huw Bowen, the world's leading player of the Welsh Triple Harp. Here we wanted something a bit more 'relaxed' for the menu text, and settled on the delightfully named 'Swanky and Moo Moo'

We also developed some interesting code for use in our Content Management System for when someone really, really needs a specific font. The code allows users to enter headings into the CMS as normal text but the system then generates an image of the text in the fancy font on the fly, and inserts it into the page (with appropriate alt text etc.) Quite handy.

Tuesday, 22 October 2013

SEO - a bit of a black art

Sometimes it's tricky to explain to customers that the hardest part of developing a website is getting a good position on the search engines. Some expect us to wave a magic wand and suddenly their site will be "top in google" - regardless of the search term!

Of course, sometimes it's easy: if the client is an Aardvark breeder in Dolgellau and wants to be number one for searches for 'pet aardvark dolgellau' it's a doddle. For others in a more crowded market it requires a little more skill.

But with some diligent work, and careful understanding of how we develop the site content, and structure, and a few little tricks we have up our sleeve, we can often get some very effective results. For instance, one of our customers is Mark Derby, an incredibly talented mechanic, who runs RS911 Porsche Restoration from a site in the hills near Llanidloes in mid-Wales. But if you Google (or bing) 'porsche restoration' from the UK guess who is no. 1 - www.porsche-restoration.co.uk

Recently I've been working in conjunction with Chris Gibson of mach2media to do some work on the website of a rather lovely Guest House/B & B called Brynarth which is a few miles outside Aberystwyth. In addition to the fact that there are a lot of B&Bs around here, part of the difficulty is that they are NEAR Aberystwyth not IN Aberystwyth, and this now seems to be important for Google, so we've been doing a bit of fine tuning to see what we can manage. It'll take a few days for the changes to take effect and we'll then see how effective they were.

Brynarth is an interesting client. Chris and I first worked together to build a website for them back in 2003. Since then the business has changed hands twice, and each time we have been asked to stay on and redevelop the site for the new owners, which just shows the importance of building up a good relationship with clients. We want to work with our clients in the long term, not just deliver a quick template-based website and then disappear.

Richard Purcell, Osteomyologist

Our latest new site is for Richard Purcell, an Osteomyologist who practices in Aberystwyth and Aberaeron. You can see the full site at www.richardpurcell.co.uk

What is an Osteomyologist you ask. Basically it was developed by chiropractors and osteopaths as a fusion of the best practice of both disciplines, and focuses on the root cause of the condition so that the symptoms abate and reoccurence is prevented where possible. Richard worked as a qualified Chirpractor for many years before switching to Osteomyology.

As someone who has suffered from 'a bad back' for decades, I cannot say too much in praise of the skilled people who have sorted it out for me. I started seeing a chiropractor in Peterborough many years ago, and have used them regularly ever since. I've been an occasional visitor to Richard for the last ten years, and he is excellent. In my case, the chiropractic/osteomyology has been complemented by Alexander Technique training from Gail Barlow (another of our customers!)

The development of the site presented some interesting challenges from a Search Engine Optimisation point of view. Usually a client who is a fishmonger or whatever can be described as that, and people will be searching for a fishmonger or fish seller. This one is a bit different: Osteomyology is a new discipline and few people will be looking for one. What people with bad backs will be looking for is a Chiropractor or Osteopath or similar. But only members of the College Of Chiropractors can call themselves Chiropractors. Richard has a degree in Chiropractic, as well as years of experience and other qualifications, and was a member for many years, but isn't any more, so we can't simply create pages saying 'Chiropractor Aberystwyth' without falling foul of the law. But at the same time we want to ensure that Google etc include the site for searches for Chiropractor. And I think we've managed it...time will tell. Have a look at the site to see what we did.

My First Post

I suppose if I'm going to have a blog I ought to say a little bit about me and about the business (Technoleg Taliesin)

I've been fiddling with computers for a very long time. I wrote my first program (in a language called Algol W) to be run on the St Andrews University IBM 360/44 mainframe back in January 1975, as part of the 1st year Mathematical Methods course. I've never looked back since. I used the University computer until I left, then got a job with Pearl Assurance programming in a language called PL/1 (and later COBOL). I got my own ZX81 in 1981 and evolved from there. I got online using Prestel on my Sinclair Spectrum, then used the CIX bulletin board on dial up using my first IBM compatible PC, and in about 1992 I started fiddling with some new-fangled thing called the Cello 'browser' to access 'websites' on the 'world wide web'.

I developed the first version of my own website (www.taliesin.co.uk - still there) in the late nineties, and at the same time started getting involved with web development at work (Eagle Star/Zurich in Cheltenham by that time). I worked in Java on the motor insurance on-line quote system (one of the first), then doing various jobs on the main websites and other web-based developments.

In 2002 I did a runner and set up Technoleg Taliesin, aiming to specialise in bi-lingual website development and advanced database-driven websites (I've been juggling databases for many years). That was over a decade ago and we're still in business, with a very long list of customers, small and large, throughout Wales (and beyond), so we must be doing something right.

I think some of the most important things I've learned are that IT developers need to be flexible and focus on the purpose of the project. Languages and platforms come and go, (remember WAP phones?) but the basic principles still apply. We need to constantly adapt and be willing to learn about new technologies, but not blindly - the flavour of the month may be just that, so don't jump on every bandwagon.

If we're developing websites (or writing programs) it has to be for a reason - usually to help the customer's business. So we need to forget clever bells and whistles, and keep asking the question: how will this feature help to achieve the aims of the customer?

And that's at the core of what Technoleg Taliesin offers now - the mechanics of building a website are fairly straightforward - what we are offering is the knowledge derived from 30 years in business IT about how we can best use IT to further the customer's business aims.