by Russ Michaels | Jan 7, 2017 | WEBBY STUFF, Tech Stuff
I have recently been setting up MSP Control (formerly WebsitePanel) on my new CFML Developer server. Unfortunately, it doesn’t support MariaDB out of the box and so won’t detect if you have it installed. Fortunately, this is an easy hack.
- Open up your MSPControl database in SSMS, and open the providers table.
- Now find the MySQL providerID that matches your MariaDB install
i.e. MySQL 5.7 for MariaDB 10.1
- Now add a new entry into the SERVICES table, using the providerID you got from the last step and the appropriate serverID for the server you want to add it to. You get he ServerID from the servers table, or just edit the server in the control panel and get it from the URL.
- Now just edit this server in MSP Control, and you should see MySQL listed, just edit and setup as you would MySQL.
- Now you just enable MySQL on your hosting plans.
by Russ Michaels | Aug 8, 2016 | Reviews
A couple of months ago I decided to bite the bullet and get rid of my Windows Phone and switch back to Android, I donated my Nokia Lumia 930 to my son. While I liked Windows Phone, and I do prefer the GUI, there were just too many niggling issues and bugs and those few “must have” apps that either did not exist or the WP version sucked, and this is not going to change due to the tiny user base.
Now my requirements are pretty simple, I do not need a phone to play 4k video or play 3D games which will drain my battery within 2 hours, so spending hundreds on a phone seemed like a pointless waste of money. I did get myself a Galaxy S7 edge, but frankly I found the EDGE quite annoying as I could not pick it up or put it down without touching the edge and causing some action to occur, and frankly it felt so flimsy I was scared of breaking it, so I sent it back as I am not prepared to spend that much on a phone if it annoys me in any way.
I do not understand this whole concept of making phones more powerful with more battery draining features, yet thinner so the battery cannot even last a day if you actually use it for anything other than checking your email. Surely if you want to use your phone to watch a video and play games you need a phone that has a big fat battery in it, I think the phone makers are really missing a trick here. Phones are not primarily phones anymore, that functionality is likely the least important feature for most people, what they really want is a pocket tablet/gaming device.
So I decided to start looking at budget phones, and specifically the Chinese alternatives which seem to be getting more popular. My first choice was a Doogee X6, which despite having good reviews turned out to be a mistake. It felt very cheap and the screen was very unresponsive, either it did not even detect my taps or detected them in the wrong place, I found the device totally unusable and frustrating, so that was returned after a couple of weeks.
My second choice was the Uhans U200, which is an unusual looking phone, but it seemed chunky and solid with a bigger battery than most, a proper mans phone, which was exactly what I was looking for. So far I am glad to say it has delivered everything I had hoped and is absolutely worth the £85 I paid for it and I would not hesitate to buy this phone again. There is also a smaller model called the Uhans U100, which I have bought for my son, and he loves it also.
Despite being a Chinese phone, there are no issues setting it up, it is as easy to setup as any UK phone, and the Uhans packaging is as slick as any top of the range phone.
I have also installed a Windows Phone style launcher, so I still get the benefits of the GUI that I preferred on the Windows Phone but with an Android.
Look and Feel
The Uhans U200 I think is squarely aimed at men, it has a real leather back with a crocodile skin pattern, and I must say I like it, sadly it only comes in black, there are no other colors which is a shame, as I would have quite liked one in actual snake skin style. The other big advantage with the leather is that it is immune to greasy finger prints, which is something that affects just about every phone. As soon as you touch them, they are covered in them. It is chunky too, it has a 5 inch screen and I can hold this phone comfortably without fear of dropping it, and it feels solid, the buttons are easy to use with my big fat man fingers, and with the metal frame I do not feel the need to actually purchase a case to protect it. I carry a man bag so not really an issue for me, otherwise it sits quite happily in my jacket pocket or the leg pocket of my combat trousers.
Performance and Usage
The Uhans U200 has a 5.0 inch screen, 4G Smartphone, Android 5.1 MTK6735 64bit Quad Core 1.0GHz 2GB RAM 16GB ROM, 13.0MP Main Camera OTG
So far I have no complaints with regards performance. The screen is responsive in all applications including games. It has had no issues with running any of the apps I use regularly, playing video etc and the only time it has struggled is when I tried to play some resource intensive 3D games, although it still managed to run them at an acceptable speed to make them playable, but this is not an issue for me as this is not what I use my phone for anyway, but when I do play games, it does the job.
Sadly you do not get fast charging, but hey it is a budget phone, so I am not complaining, and I suspect that in the near future that this will become a standard feature for all phones, budget or not.
The battery easily lasts all day for me, sometimes I have forgot to charge it and it has lasted 2 days, but that is with me barely using it.
Accessories
This is one area where the phone is let down, when I went looking for a case, I found only one, and not a lot else accessory wise. However this is a compromise I find acceptable, being as the phone feels so chunky and solid anyway, I am not feeling the need to buy a case, although I did order the only one available just so that I do have something to put it in when I don’t take my main wallet, and the case does match the style of the phone and it is wallet style case itself, so fits in well with the whole MANLY concept of the phone. Other than this there is actually no other accessories I actually need, so again I have no real complaints.
Camera
After several months using this phone, I can say that the camera is a bit of a let down. As long as you have good lighting then it takes great pictures which I have been happy with, but as soon as lighting is less than adequate then it struggles to get focus, and the flash often seems to go off BEFORE the shutter, which means it does nothing to illuminate the target. The rest of the time the flash seems to add a blue hue to the picture, which is also not great.
Customer Support
This has been the biggest let down of all, support from UHANS is virtually nonexistent. I contacted them about an issue I was having with the SDCARD reporting wrong size, and each reply took several weeks, the last response took them 2 months, so I gave up as they simply did not care and were unhelpful.
I then had cause to contact them about connecting the phone to the PC as this also would not work. They told me that Windows 10 is not supported and I had to install Windows XP or Windows 7 to do this. This is absolutely shocking and incompetent that they are suggesting I install an end of life, no longer supported OS with serious security vulnerabilities. Even Windows 7 is no longer secure to use.
by Russ Michaels | May 3, 2016 | Windows 10, Mobile, Tech Stuff
Windows Phone has received a lot of bad publicity, and the main complaint you see from ignorant reviewers is that there is a lack of apps for windows Phones (WP). While there may be many legitimate reasons to not like WP, lack of apps is not one of them, there are currently over 500,000 apps in the WP store, and there were 300k even when I got my phone, so I would hardly call this a lack of apps. Sure there are some apps you may want that do not exist because most vendors do not bother with WP due to the small user base, but in most cases someone else has created a good alternative and I have found the quality of most WP apps to be high. I have only found a very small handful of apps I wanted which were not available at all or were so bad I could not use them, LastPass and Kayako are 2, both of which I needed and both of which are dire on Windows as the developers have put barely any effort into them and they lack the functionality of their Android counterparts.
The biggest cock up that Microsoft did make was not releasing Windows Phone 10 at the same time as Windows 10, and I think this killed it for them, aside from being too late to the phone party in general. And then they have taken forever to roll out the upgrade to Windows phone 8 users, and many phones will not even keep the upgrade as promised as their phones do not meet minimum memory requirements.
I have a Nokia Lumia 930, running WP 8.1, which I purchased after getting fed up with Android updates making my Galaxy note unusable, killing my battery life etc. It turns out I much preferred Windows Phone, it was faster, more responsive, more reliable, and I simply preferred the more grown up and business like UI. The requirements for WP are also a lot lower and thus the phones are lower spec and cheaper as a result. Certainly there were some areas of functionality lacking, and I got fed up waiting for WP10 to be released for my phone, and so I installed the insider preview instead. Sadly it has been riddled with bugs, with each update seeming to break something new, and then it seems the last update I did must have resulted in the battery being drained super fast, as it was only lasting half a day with no use whatsoever and suddenly became unusable.
At the time I thought it was a problem with the phone/battery itself, so decided to bite the bullet and get an upgrade from O2, and decided to try the much applauded Samsung Galaxy S7 edge (which I will be reviewing). While I like the look of the new Lumia 950 XL, my experience with WP10 insider preview has given me a bad impression that if I bought a new WP10 phone, I would have same issues, and as much as I like Windows Phone, unless Microsoft pulls a rabbit out of the hat, its days are certainly numbers, unless the rumored surface phone saves the day.
Now annoyingly after I got my new Galaxy S7, my son asked if he could have my Lumia 930, so I did a factory reset on it, and installed latest updates, and guess what, the battery is now fine GRRR!!
So I then decided to find out if WP10 was officially available yet, and it was, although this information was not made easily available by Microsoft, you have to install the upgrade adviser first to find out if your phone supports WP10, and then you have to enable the upgrade. So I would imagine that most WP8 users are never going to find this out. You can find upgrade instructions HERE.
So I now have an upgrade that I didn’t really need and I am tempted to just send it back and carry on using my Lumia. But I first decided to see if there was a way to make Android UI more like Windows Phone, so then maybe I could have UI I wanted, but keep the other advantages this phone offered, and it turns out there is a way.
A number of developers have created Windows Phone style launchers for Android that emulate the WP8 or WP10 UI and layout. The best one I have found so far is “Launcher 8 WP style” which has managed to emulate the WP tiles interface so perfectly that you think you have a Windows Phone. The only thing that seems to be lacking is live tiles, as I so far have not seen any of the tiles updating. Most of the others I have tried have not got it right, and just look like cheap knockoffs as they have no got the tiles right. This app also includes themes so you can change the look further.
So if you are a fan of the Windows Phone UI and tiles, but find the Windows Phones lacking and cannot give up your Android phone, give this a try instead.
by Russ Michaels | Jan 19, 2016 | ColdFusion, Lucee, Tech Stuff, WEBBY STUFF
This is a topic I have found myself explaining a lot over the years, not just to customers but to developers as well, and one thing I can say with absolutely certainly from dealing with hundreds of developers of all levels over the years, from newbs to gurus, is that most devs in general do not really understand how things work on the server (they know how to write code and upload it to the server) and most CF devs additionally don’t understand how ColdFusion really works and how/why it differs from other scripting languages like PHP or Perl or ASP.net, so I decided it was time to write a complete blog post on the subject and hopefully to try and enlighten some of those developers a bit more. I have copied this article across from my old blog as it was a popular article with a lot of views. I have removed all references to Railo (since it is now dead) and replaced with Lucee.
Now I have heard many say “I am just a developer, it is my job to write code, not to understand the server stuff”, but i’m afraid I disagree with this and consider it a bit of a cop out, because If you don’t understand how things work on the server to at least some degree, how can you be sure you are writing code that is going to be scalable, reliable and is not going to cause problems? Sure no-one should expect you to know EVERYTHING to the same level as a sysadmin, but you certainly should know the basics that are relevant to your job, especially if you are going to be making any hosting recommendations to your clients, which most devs do.
The first thing to understand, is that ColdFusion and Lucee are not technically application servers (which most people believe them to be), they are simply Java applications (that convert CFML into Java bytecode) that run inside a java servlet container (e.g. Apache tomcat, Jetty, Jboss) which runs as a service/daemon, and all requests for all pages coming into the server go through that same service/daemon. This means that any problems with that service affect ALL CFML (or JSP) websites on the server.
This is also a bad thing for security because it means that all sites on the server run within the security context of the service and so cannot have their own permissions. So any java code in any site can access files in site2, site3 or any other site on the server or in fact any part of the system that the service itself has access to. The only way round this is to use security sandboxes, which is a feature of ColdFusion enterprise and Lucee.
But BEWARE, CF sandboxes can give a false sense of security, they are only applied to CFML code and do not sandbox Java, so if you drop any Java code in your CFML pages (using CreateOnject(java), then you bypass the sandbox completely, so they not stop any vaguely competent coder/hacker. There is no way round this on a shared server, you simply have to take the risk. On a dedicated VPS you can mitigate this by using multiple instances of CF/Tomcat and isolating each site using server side permissions.
Before you say “so hosts shouldn’t allow Java”, this also is not even an option for any host as all moden frameworks and apps need createObject(java), so disabling this function would break almost every modern application, ergo it is a risk that has to be taken, because at the end of the day 99% of clients simply don’t care about the security risks, all they see is that their app doesn’t work and will just go elsewhere.
When we look at other common languages such as PHP, Perl, asp.net etc, these run as an ISAPI or CGI process, so every website on the server spawns its own process to handle the requests. So if there are 20 PHP sites then there are 20 x PHP processes running (think of this like 20 instances of ColdFusion). The process runs within the security context of the website that spawned it, so in the case of Windows it runs under the application pool identity. So this means that as long as you have every website/application pool set to run under a different user account with access only to that website root, and so will php also have only this permissions, so it is more secure and also isolates each site in a separate process.
So if site1 crashes php or ASP, it will have no effect on any other site because they are running php/ASP in a separate process.
Here is a diagram to illustrate.
This is the primary reason why CFML is not suited to shared hosting, no application isolation and no control over security.
Imagine the following (very common) scenario.
abc.com makes a cfhttp request to an external web service at xyz.com to get syndicated content for its pages.
The web service at xyz.com goes down, which means all the pages on abc.com are now going to timeout. On a shared server this will very quickly result in all the ColdFusion max number of simultaneous requests to be consumed, and subsequent requests to then become queued. The result of this is that every other CFML site on the server now becomes slow as well as all their page requests have become queued behind the problematic site, and now are likely to also timeout as a result.
An even worse scenario is where native java requests are concerned, such as database queries as these cannot be killed automatically, not even with FusionReactor. If a page hangs in the middle of a database query because it is waiting for a response back from the db server, then this request will not ever timeout and will hang indefinitely, thus 1 cf thread is now no longer available. If this happens 10 times, now 10 cf threads are gone and no longer available, if your “max number of simultaneous requests” is set to 10, then you now have 0 requests left and your server will stop serving up CFML and all websites will now hang/timeout untill the service is restarted.
If the original problem still exists then restarting CF also will not help, as the issue will simply continue until all the requests are again used up and all sites start to hang. The only solution at this point is to turn off the site causing the problem.
Then we have the security issues that I mentioned. Everyone by now is aware of the CFIDE hack which affected many cf servers. This was only possible because CF runs as service and because that service runs under the SYSTEM account by default, which has full file system access, which allowed the uploaded hack to access every part of the server. If CF worked like a CGI/ISAPI application, the effect of this hack would have been far less.
But my code has proper error trapping and caching and stuff, so this doesn’t affect me right ?
Wrong i’m afraid, on a shared server it doesn’t matter how brilliant your code is, or how well your have performance tested it, or how much error trapping you have, this does not stop the other sites on the server from causing you problems.
You could be lucky on a shared host for months or even years if you are on a server that doesn’t have many sites, or simple sites that are not problematic (at the moment), but It only takes one poorly written app to bring CF to its knees.
It is also important to realize that almost nobody using shared hosting has ever done any kind of load testing or performance testing on their website and in most cases do not even know what this means or how to do it, the result of this is that web site owners have no idea how their site will perform under load nor did the developer who made it. This results in another very common scenario which usually begins with a statement like “Nothing has changed on my site and it has been running fine for years, so it must be your server”.
Again this is totally irrelevant in most cases, sure your site may well have run fine for years with 20-50 visitors per day, but what happens when it suddenly gets 1000 visitors per day as a result of some marketing or media attention, or if it starts getting hit by search engine bots, suddenly this once stable site falls over horribly due to poorly written or legacy code.
But Railo/Lucee is better right ?
Ultimately no i’m afraid, as they run on Java so work the same way as CF so the primary issues mentioned above apply just the same.
Lucee is however an improvement in that the security sandboxing is automatically applied at website context root level (if you set this in your Lucee server admin) and does not require admins to set up sandboxes for each site as with ColdFusion which is a sandboxing nightmare, which makes Lucee better for shared hosting. However the sandboxes like ColdFusion’s only sandbox CFML and can easily be overridden with Java code.
Lucee also has its per site web admin allowing all users to admin their own site, which is again a bit improvement over ColdFusion which has a single Admin which must be administered by the host.
So by using Lucee you don’t have to rely on your host, you can pretty much do everything yourself.
So what’s the solution ?
The only solution is to do some research, educate yourself and use a bit of common sense.
ColdFusion is intended to be an enterprise solution, and thus run on dedicated hosting solutions, it was never intended to be used for shared hosting and is not built to do this. So the simple answer is, use the right tool for the job.
If you just want to run a blog, personal website or simple brochure ware website and you don’t have your own server and only have the budget for shared hosting but do not want to be affected by the above problems, then use a technology more suited to this purpose, one that runs as a CGI/ISAPI process, the most popular of course being PHP or ASP.net . Avoid any Java related choices as these will all suffer from the same issues.
If you love CFML and want to use it for everything you do, then do yourself a favour and get a VPS running Lucee (or ColdFusion if you can afford it).
On your own VPS you then also have the option to use multiple CF instances, so each of your sites runs on a dedicated instance of Tomcat or whatever is your java servlet container of choice, so you can still run multiple sites but avoid the shared hosting scenario and also lock down the security.
I am going to use shared hosting anyway regardless, what do you suggest ?
If you really have no choice (or simply won’t take good advice), then here are some tips on choosing a host.
- Choose a host that specializes in Lucee or ColdFusion and actually knows what they are doing, do not choose a generic host that simply has Lucee/CF installed and classes this as SUPPORTED.
- Test your hosts knowledge, see how much they know about CF/Lucee, ask to speak to a CF specialist.
- Make sure your host is secure
- For ColdFusion they should be using enterprise edition, otherwise no sandboxes, and no security. If they are running standard edition, avoid.
- Ask them if they run a bog standard out of the box CF installation, if yes then it is not locked down and is not secure.
- Ask them if they use FusionReactor or HackMyCF. Preferably go with someone who says yes.
- Ask them if they use security sandboxes, if no then avoid.
- Ask your host how many sites they run on each CF server. Too many = bad
- If you regularly need to set up data sources, mappings or anything that requires access to the CF Admin, you would be better of with Lucee.
- Ask if you can get RDS access, if they say yes then avoid, as this should not be enabled in production
- Check if you can access the cfadmin or adminapi from your site, is yes, change host now as they are not secure.
Unfortunately there are very few noteworthy CF hosts these days, the ones I see most commonly recommended are Viviotech, Hostek, HostMySite (although not so much since they got taken over by hosting.com), Host Partners (my company)
by Russ Michaels | Jan 18, 2016 | Kayako
nb: copied from my old blog
We run Kayako fusion over at Host Partners, and one of the issues I have had is dealing with sub-departments.
e.g.
GROUP1
I do not want customers to be able to to submit tickets to the parent department “GROUP1”, as this is just a a group/label, but fusion provides no way to stop this as it treats everything as a department., and does not allow to simply treat the parent as a group.
I never found any solution to this, so decided to do it myself, hopefully others may find this useful.
In the template editor, find the template named “submitticket_departments”
Find the following line, right after the first <(foreach block
<td width="16" align="left" valign="middle" class="zebraodd">
<input type="radio" name="departmentid" onclick="javascript: ToggleTicketSubDepartments('<{$_item[departmentid]}>');" value="<{$_item[departmentid]}>" id="department_<{$_item[departmentid]}>"<{if $_selectedDepartmentID == $_item[departmentid]}> checked<{/if}> />
and replace it with this
<td width="16" align="left" valign="middle" class="zebraodd">
<input type="radio" name="departmentid" onclick="javascript: ToggleTicketSubDepartments('<{$_item[departmentid]}>');<{if count($_item[subdepartments]) >= 1}>unselect(this);<{/if}>" value="<{$_item[departmentid]}>" id="department_<{$_item[departmentid]}>"<{if $_selectedDepartmentID == $_item[departmentid] && count($_item[subdepartments]) == 0 }> checked<{/if}> />
This will stop any departments that have sub-departments being selected, even if it is set as the default department. If you also want all the departments to be expanded by default find this line, after the second <(foreach block
<tr class="ticketsubdepartments_<{$_item[departmentid]}>" style="<{if $_displayParentDepartmentID != $_item[departmentid]}>display: none;<{/if}>">and change it to
<tr class="ticketsubdepartments_>{$_item[departmentid]}>">
by Russ Michaels | Jan 17, 2016 | Jibber Jabber, Reviews
You may recall from my earlier post “O2 customer service driving me insane” that I have not been having a very good experience with O2 support/customer service of late, and sadly things have not improved and if I had any hair then I would certainly be tearing it out by now, so here is my latest rant on the subject.
.
My last phone from O2 was a Nokia Lumia 930, which while being an overall good phone when it works, I have had ongoing problems with it and O2 and have had it replaced around 5 or 6 times now. Now most of these replacements were O2’s decision to just replace the phone because they could not be bothered to troubleshoot my issues, which on several occasions were to do with signal problems, call quality, sms messages going missing and the likes so replacing the phone actually made no difference at all. Yet they actually had the gall to tell me that they would not replace the phone again due to the number of times it had been replaced already, even though most of the replacements were O2’s choice not mine and were due to their own laziness. I have also since discovered that all the replacements I have received are refurbished not new phones, which probably explains why I have had ongoing problems.
O2 also has the default response to tell me to take my phone to my local O2 store so that they can take a look at it. I have taken my phone to the store twice when advised, and the store staff and the store manager has told me that they cannot fix phones so it is pointless O2 support telling me to take my phone there and they do not know why they keep telling customers to do it. They are not engineers, and the most they can do is a factory reset or just follow the exact same canned response suggestions that O2 support have already given. The only thing the store can really do is just send the phone away to be looked at or repaired, which O2 support can arrange themselves anyway. Even when I tell O2 this, and advised them that the store themselves told me this, they still continue to suggest going to the local O2 store.
So my current issue with my Lumia 930 is that the search button stopped working which is quite annoying as it takes more effort to use cortana as well as search, I have now had 2 phones with this issue, and also a phone where the screen started to grow a corrupted color blob from one side which was getting bigger and bigger. I have wasted a huge amount of time on the phone, on live chat and on twitter with O2 trying to resolve this and getting no where as every person is as clueless and unhelpful as the next, it is like running up a down escalator.
I am certainly thankful for my OneDrive cloud storage and phone sync that is for sure, as have had to factory reset this phone so many times now because O2 required me to do so due to their standard response.
The last suggestion I had from O2 after weeks of back and forth was to book a meeting with an O2 Guru. I do wish I have taken screenshots of my live chat conversations as most of these are monumentally stupid.
This is despite me telling them that the staff in the shop cannot fix phones, and I asked them to confirm if the guru was any different, and they advised me that he would be able to help me fix the phone. Needless to say I did not believe this, and was not going to make 2 hour round trip to take my phone to someone who would just give me the same response as my local store. So I booked an appointment but I also took my phone to a local repair shop and they advised me that it was the digitizer which was faulty and that this was a common issue with refurb phones. So I advised O2 of the issue.
I then got a response from the O2 guru who I had booked the appointment with, and he informed me (as I knew he would) that he would not be able to help me with the problem and the phone needed to be repaired. So I then reply to O2 support and tell them this, and their reply was this.
So
So even though they knew the phone was faulty, and knew what the fault was because I had told them, they had still told me to go to the guru who they knew could not fix such an issue. Not to mention that I had previously been told they would not repair the phone now due to the previous replacements.
During this whole process, just to wind me up a bit more, we were getting lots of unsolicited calls from one of O2’s sales/marketing agents called ADSI, all the other numbers on my account were getting calls several times a day trying to get them to upgrade, no matter how many times they said that they are not the account holder or were not interested, the calls kept coming. O2 were just as helpful with this as well, they just said they did not recognize the number (see tweet above), further tweets did not help they just refused to take responsibility even though this company was calling on behalf of O2 with the details O2 had given them.
By this point I had started to hate my Lumia 930 thanks to O2, so as I had a couple of numbers on the account which were due for an upgrade I decided to just cut my losses and get a new phone instead. Silly me for thinking this would be any easier. I tried many times to call O2 but was constantly stuck in a never-ending queue, same with the online chat. So I sent an email to all the O2 addresses I had in my address book asking for someone to call me back to do an upgrade as I was unable to get hold of them. Did anyone call me back? No of course not, instead I got a rather unexpected letter via email telling me that my (non-existent) complaint had not been upheld. I of course had no idea what complaint they were referring to, and the sender of the letter “Christine Marsland” refused to reply to me. so I had to take it to twitter yet again order to get an explanation, which is when I was told that sending an email asking for a call results in a complaint being logged, WTF ?.
Not only did Christine refuse to reply to me but needless to say that “Terri-Ann” never called me either.
The saga continues.
by Russ Michaels | Dec 21, 2015 | Security
As any I.T. person will know, Linux geeks consider Linux to be the most secure OS on the planet, and many will even claim it is so secure and un-hackable that they do not need any malware protection or such. So it is ironic that a Linux hack has now been discovered which is probably the worst and simplest hack ever discovered, far worse than any hack or vulnerability ever discovered for Windows. If you press the backspace key 28 times on a locked-down Linux machine you want to access, a Grub2 bootloader flaw will allow you to break through password protection and wreck havoc in the system.
Researchers Hector Marco and Ismael Ripoll from the Cybersecurity Group at Universitat Politècnica de València recently discovered the vulnerability within GRUB, the bootloader used by most Linux distros.
As reported by PC World, the bootloader is used to initialize a Linux system at start and uses a password management system to protect boot entries — which not only prevents tampering but also can be used to disable peripheries such as CD-ROMs and USB ports.
Without GRUB password protection, an attacker could also boot a system from a live USB key, switching the operating system in order to access files stored on the machine’s hard drives.
The researchers discovered the flaw within GRUB2, of which versions 1.98 to 2.02 are affected. These versions were released between 2009 and today, which makes the vulnerability a long-standing and serious problem.
In a security advisory, Marco and Ripoli said the bootloader is used by most Linux distributions, resulting in an “incalculable number of affected devices.”
Exploiting the flaw — and checking if you are vulnerable — is simple. When the bootloader asks for a username, simply press the backspace button 28 times. If vulnerable, the machine will reboot or you will encounter a Grub rescue shell.
The shell grants a user a full set of admin privileges — within the rescue function only — to load customised kernels and operating systems, install rootkits, download the full disc or destroy all data on a machine.
The researchers say the fault lies within two functions; the grub_password_get() function and the andgrub_password_get() script which suffer integer overflow problems. Exploiting the flaw causes out of bounds overwrite memory errors. When a user presses backspace, the bootloader is erasing characters which do not exist — damaging its memory enough to trigger an exception in authentication protocols.
Not only does the vulnerability give attackers the chance to steal data and tamper with peripherals and passwords, but Linux entries can be modified to deploy malware.
While there is an emergency patch available on Github for Linux users, the main vendors have been made aware of this security flaw. It is recommended that users update their machines as soon as patches have been deployed, but it is worth noting an attacker needs physical access to the machine to exploit the flaw.
by Russ Michaels | Dec 20, 2015 | Windows 10
Since the release of windows 10, users now have access to a free online support service called “Answer Desk”. In Windows 10 you access this by typing “contact support” at the start menu, which will allow you to launch a native answer desk chat app. This will connect you an answer desk tech who will provide you with free support for Windows and related apps.
While the concept is great, Microsoft’s implementation of it is not so much. Having used the answer desk a few times myself now, I can tell you that the techs are not skilled at all, all they do is search the Microsoft forums and knowledge base for a solutions and copy/paste it to you.
In fact I have on a couple of occasions had the techs connect to my computer, open a browser and start searching the knowledge base right in front of me. In addition they have blatantly lied to me on several occasions.
One thing you need when contacting support is ticket/case reference number in case you need to contact them about the same issue again. While the answer desk are supposed to you provide you with this, they usually don’t, so you end up having to explain your issue over and over again each time you speak to someone new. Even when you call them on the phone, if they create a case, they do not give you the details and will just blindly transfer you to another person without any warning or explanation to the other party, so you will have to explain everything over and over again, each time you get fobbed off and transferred to someone else, or if they cut you off and have to call back, which happens very often.
Once I twigged on this, I started explicitly asking them to give me a reference number, which works when you are on the phone, as long as they do not cut you off before they give it to you, but when using the live chat I have found that they consistently lied to me and would tell me they will email the case details to me, but never do.
One of the Microsoft Assure support techs hard at work.
The other consistently frustrating problem is that they simply do not read anything you tell them properly, if at all. If you tell them that for example that you cannot even login to windows or that it just keeps constantly rebooting, they will then ask you to do something that completely ignores those facts such as tell you to go to a website and download a file or follow some instructions on a web page. In every single instance of contacting the answer desk, I have had to repeat every piece of information to them several times, often within minutes, and they will ask the same questions multiple times. If you send them links to screenshots, they won’t look at them, but they will not tell you this at the time, they will simply ignore the link, and only later when they start asking you the same questions and you say “see the screen shot I sent you earlier”, will you then discover they never looked at it and will then claim they cannot click links. Needless to say this really does drive you insane.
There were several occasions where I was contacting them about a different computer which was having a problem upgrading to Windows 10, and I told them it was not the one I was using to talk to them on, and yet still they asked me to do things on this computer or tried to remote into this un-related computer and investigate an issue which did not exist here. So much time was wasted on this because they would not take notice of what I was telling them.
On my first use of answer desk, they were unable to help, and suggested I should purchase an Assure subscription for £150, which would give me premium support for 5 pc’s. I wen’t along with this on the premise that it would give me access to a better level of support as well as getting my current issue escalated. Sadly this was not to be the case, even with paid support, you still have to go through the answer desk and deal with the same level 1 monkey’s, but if they cannot help then they are supposed to escalate you to level 2 if you ask. Although they do not bother to check if you have paid support, you have to tell them this.
The last issue I contacted the answer desk about was my system keep getting corrupted, no matter how many times I reinstalled windows or replaced the disk. The solution given to me by the tech was to run Windows 10 off a USB memory stick instead of an SSD. I refused this solution, as it is not a viable solution, would of course result in an incredibly slow system and I didn’t have a USB member stick big enough anyway. So because I refused to do this, the tech then refused to help me further unless I did this, refused to escalate me to level 2, even though I had a paid assure support subscription, refused to give me a reference number for the case, and also refused to give me contact details for customer services to complain.
Last week I received an email from Microsoft asking me for feedback on my assure subscription, so I gave them my honest feedback, detailing all the issues I have had, as mentioned above. They then sent me a canned response stating that my feedback had not been accepted and would not be published, obviously because it was negative.
Final summary
If you are not a very computer literate person and not able to solve problems by yourself or use google to find solutions or search the Microsoft KB or forums, then answer desk will most likely help you, as the most common/simple issues that are well documented. For complex issues, you take the risk of getting wrong advice which may make the issues worse, and you may well end up reinstalling windows. You need to be savvy to avoid such issues and know when you are being given bunk advice or down right lied to as there is no fall back and no-one to complain to. If you do know how to troubleshoot, then I would recommend to try and find the solution yourself first, search their KB and forums, use google etc, it will likely be quicker and less painful in the long run.
I would recommend to avoid the online chat, and instead request a call back and speak to someone on the phone, as the live chat techs do tend to have several chats on the go at a time which adds to the frustration, already poor communication and reading skills, slow responses and lack of a case number. Do remember to always ask for a case number when you start a call, and use this whenever you get transferred or call back on same issue.
If you want to speak to 2nd level support techs that actually have a clue, then you will need to pay for support, either per incident, or an assure subscription.
by Russ Michaels | Nov 23, 2015 | Security, Reviews, Windows 10, Windows 8
Like many parents, I have been using Microsoft Family Safety on my kids computers for several years now to keep them safe online by restricting what websites they can view, blocking adult content, restrict what apps they can use etc.
I also used family safety to control my kids screen time, so that they could not spend all day/night on the computer frying their brains and eyesight, or use it after bedtime. By default, we gave all our kids ZERO screen time each day, and then used the handy “Add time” feature to add x number of hours for them each day as long as they had been good and done their homework and chores etc.
The way that Microsoft has implemented screentime is brilliant and is more flexible than any other product I have used and was working great for the most part until earlier this year when Microsoft started makes changes to family safety and the way it worked.
Family safety was sadly never entirely reliable and as such it was only the screen time feature that we really used as the other features had a tendency to just stop working. As the result of these recent changes since Windows 10, they broke every aspect of family safety even more, and there were hundreds of complaints on the Microsoft forums because family safety had mysteriously and without warning stopped working for many parents, putting their children and their computers at risk.
Screen time was no longer working allowing kids to use their computers any time of the day or night or the times were simply being applied incorrectly, allowing access when they should be blocked and vice versa.
Content filtering had stopped working, allowing kids to view any website. I saw several reports on the forums where parents had reported their children had seen some very inappropriate adult content as a result, which is, unfortunately, a very easy thing to happen with a seemingly innocent google search, and I have experienced this myself one time before I had set up parental controls.
App & Games filtering stopped working, allowing kids to install and launch any app or game, regardless of age rating.
I have opened numerous threads on the Microsoft forums, but the so-called “Microsoft Techs” (sic) are about as useful as three colourblind hedgehogs, in a bag. They do not even bother to read the questions, they look at the subject, and just post a canned response based on words in the subject telling you how to set up family safety, and you will not get any other responses from them beyond this. I have even made posts saying “DO NOT SEND ME A LINK TELLING ME HOW TO SETUP FAMILY SAFETY, THIS DOES NOT APPLY. READ THE QUESTION BEFORE REPLYING”. I have put it in bold, caps underline, with arrows pointing to it, but still, they ignore it and still post the same useless canned response.
So I tried completely removing my kids from family safety altogether so as to try and add them again from scratch, this then resulted in my not being able to add them again as family safety said they already existed even though they did not, so now I was completely stuck. So I then resorted to using “Microsoft Answer Desk”, which is also accessible via a new live chat feature that I discovered in Windows 10, just type “Contact Support” in the search box, and voila, you get a live chat app. So I used this to ask for support, and on every occasion, the answer desk tech was completely clueless and was simply quoting me the same crap from their forums. One tech asked to do remote assistance, and then simply proceeded to open a browser on my machine and use that to search the Microsoft KB and forums for an answer (like I haven’t already done that), and just randomly clicked around on my computer for a while before giving up and getting me to contact another completely unrelated dept that could not help either. Another tech was quoting me instructions from the OLD windows live family safety app (pre windows 8) that was completely out of date and not applicable, I had to tell him that it was all controlled from the family safety website these days. I ended up being transferred around to 3 different depts, none of which knew anything about family safety. One tech actually admitted to me that they knew everything was broken, and I simply had to wait until they got around to fixing it. This I find absolutely diabolical that Microsoft would intentionally cause this problem, put kids at risk and not only keep it quiet, but tell their forum techs to just fob everyone off.
Anyway, finally, I got escalated to 2nd level support due to my Assure subscription (paid support) and spoke to some guy called Medha on the 10th October. Medha started a remote support session and pretty much did the same as the previous techs, just randomly moved the mouse around my desktop for a while, opened and closed the start menu a few times, then went to the family safety website, and just tried repeatedly over and over again to re-add my kids to family safety, getting the same error each time, and just looking blankly at the error, highlighting it, randomly clicking about a bit more and then repeating, somehow thinking he would get a different result if he repeated it enough times, he has was as clueless as the rest of them.
So it seems no-one at Microsoft support has any clue how family safety works. Then suddenly my phone rings, it’s Medha, who proceeds to tell me that family safety is not a supported product and so he cannot help me, even though I have paid support, and the only place to get support is on the forums. Hmm funny how this came out of the blue only after he realizes he cannot fix it, after all these hours of speaking to different techs, including Medha himself, why wasn’t I told this right at the start by anyone else? In fact why did he not tell me this at the start of the session instead of spending 30 minutes cluelessly pissing around on my desktop? Strangely he did not have an answer for this.
I told him I had already posted on the forums many times, along with lots of other people, only to get useless canned responses. But he assured me that if I posted again then he would make sure someone replied to me on the forums and solve my problem. I asked him how he could make this random assurance, how would they find my post, he had not taken any details or anything? He could not answer this either and just waffled on saying someone would reply, which of course turned out to be a lie, as I have still not had any responses or help on the forum. Medha also told me he would create a support case and email me the details so that I could respond to him if I did not get any help on the forums, this was also a lie and never happened.
So I would warn all parents at this time, DO NOT TRUST MICROSOFT FAMILY SAFETY. If you do choose to continue using it, then you need to check all your kids computers on a regular basis to make sure it is still working in all areas.
Also be aware, that any content and website filter only works on the Microsoft browser. So if your kids know how to install another browser, such as Google Chrome or Firefox, the filtering will have no effect. So you you will need to use something else for add security.
by Russ Michaels | Oct 18, 2015 | Jibber Jabber, Reviews
Anyone from my generation or older will have heard of Dreamland. At the height of its popularity in the 1960s, when it attracted more than two million thrill-seekers a year, Dreamland boasted a wall of death run by legendary stunt motorcyclist Yvonne Stagg, which was covered in Anderson’s unsettling 1953 documentary film, O Dreamland, with its terrifying animatronic electric chair and Haunted Snail ride.
In its hay day, Dreamland was at the cutting edge of fairground excitement. But by todays fairground standards the rides feel rather lackluster. Rather than competing with the high-tech thrills of Alton Towers and Thorpe Park, it has opted to try and maintain that retro feel with its gentle, sweetly retro vision of seaside fun created by designer Wayne Hemingway. Old rides and paraphernalia have been refurbished and recycled. 17 rides are currently open, which may be enough for a day out forthose with not too high expectations, ranging from the vintage galloper merry-go-round, its handsome, brightly painted steeds performing a stately dance, to the hectic, waltzer-meets-roller coaster swoops of the Crazy Mouse.
I recently took my 2 boys Bret (8) and Austin (11), which cost roughly about £40 for the 3 of us. Had this resulted in a fun day out then I would have said that is a very reasonable price indeed. My thought process was, even though I found the rides old, dull and boring and cannot go on anything that makes me dizzy anyway, my kids would probably be entertained well enough for the day, but sadly this was not to be the case. Despite the fact that the park was fairly quiet and there were barely any queues, my kids got bored and we were done within 2 hours. Sadly the rides are just too old and dull to keep anyone entertained for long, even kids. I think their decision to go for retro style rides was a mistake, and won’t keep people coming back for subsequent visits, overall it really isn’t any more fun than those travelling fun fairs, aside from those 2 rides which were closed anyway.
The 2 rides they really wanted to go on, crazy mouse and the scenic railway were still offline which was the first disappointment, this was then followed by further angst as each ride they tried to go on Bret was told he was not tall enough. This resulted in one very disappointed 8 year old and an 11 year who was forced to go on the rides by himself without his brother, which diminished his enjoyment and stopped him wanting to go on the rides more than once. Had they been able to go on all the rides together then they would likely have gone on them again and again. The remaining rides that they could both go on were generally a bit too retro and dull.
Had we been going to a big theme park, them I would have expected to encounter height restrictions on the big scary rides, but considering the retro 60’s nature of Dreamland I just didn’t expect this to be an issue, and there was no information about these restrictions until you get into the fair itself, and the ticket staff did not bother to mention this either.
The day after I did actually contact Dreamland via their website with feedback and suggested they put these restrictions in plain view outside where you buy the tickets, to avoid such disappointments for other families. Their response was to point out that this information is on their website, which is true, but their emails felt like a typical uncaring canned response and not really adequate in my books, and doesn’t help those who did not think to check the website, certainly grandparents bringing their grandchildren out for the day would likely not even know how to do that.
I had also sent them some feedback RE octopus garden,which is a kids play area and the total lack of security, and the replies I received from customer services were very belligerent and nonchalant and they are in total denial that there is any problem with their security at all. When I said I would video the security problems for them next time I was there and send it over for them to see, they responded by threatening me, so clearly the safety of your kids is of little interest to them.
Now annoyingly after I got my new Galaxy S7, my son asked if he could have my Lumia 930, so I did a factory reset on it, and installed latest updates, and guess what, the battery is now fine GRRR!!
Since the release of windows 10, users now have access to a free online support service called “Answer Desk”. In Windows 10 you access this by typing “contact support” at the start menu, which will allow you to launch a native answer desk chat app. This will connect you an answer desk tech who will provide you with free support for Windows and related apps.
Last week I received an email from Microsoft asking me for feedback on my assure subscription, so I gave them my honest feedback, detailing all the issues I have had, as mentioned above. They then sent me a canned response stating that my feedback had not been accepted and would not be published, obviously because it was negative.
Recent Comments