Hand Over Your Money!

April 18th, 2014

In July I’ll be doing a million steps in a month, which is a challenge I’ve chosen for a few reasons:

  • I want to raise money for the Charity involved (ServeOn)
  • I’ll likely lose a lot of weight in this challenge, which is good
  • It’s a challenge that doesn’t cost much to do, which is good, because I kind of need to recover a bit
  • It’s a challenge that doesn’t need a special location or equipment

The virginimoneygiving site that handles donations and sends them direct to the charity is at:

You can use that page to donate to the Charity I’m supporting, the money will go direct to them.

As the page explains, a million steps isn’t impossible in a month and certainly if you’re a nightly jogger with an active day job that involves moving about then you might be close to this but I’ve added a graph and explanation to give evidence that for me this is really going to be a meaningful challenge – I do 5k steps a day normally, this will need 33k steps every day for a month. I’m likely to be a few kilos lighter at the end of this.

Serve On?


Before Christmas in 2013 I visited a charity in Gloucester to help with the computers after a co worker who had been assisting had asked for help due to him having to go abroad for a year.

I’ve enjoyed helping them out although it does sometimes feel like Ex forces, Firemen, Paramedics all oozing training and confidence and the ‘right stuff’ and then … er… me with years of social skills carefully honed from being hunched over a computer for the past 10 years in a corner.

But I figured I should have a go at the selection event for active members. I know they aren’t keen on giving out the details of what goes on on the selection course, so I’ve not blogged about it until now, as a online article was posted about the weekend.

We got sent the link, and when I saw the link I thought as I clicked on it “I hope I’m not obvious in any of the photos or pulling some stupid facial expression”…


…yeah, the person on the left with their eyes shut who looks like they are shouting “Strength of a teddy bear!” is me. This was about the sixth time we’d pushed that damn tyre up the quarry, including one awful attempt when I suggested we drag it up on its side, which removed the danger of it rolling back but just took massive amounts of energy for hardly any movement (I felt a bit guilty about 2 minutes into the attempt when it became obvious that this was going to be the most painful attempt for everyone).

The full article is at: http://www.thesun.co.uk/sol/homepage/features/5560064/serve-on.html

In general the weekend involved food and sleep depravation, plus lots of physical activities. The instructors were keen to point out that it wasn’t like a military selection – the aim wasn’t to be the fastest, or better than everyone else, but to be a good teammate. The intention is (after training people for over a year) to send people out to the aftermath of an earthquake and dig people out of collapse buildings (which the charity has done many times before, under a different name) which generally involves very little sleep, physical effort and being able to deal with complicated social situations even when you’re tired (I was told in Haiti the earthquake rescue was made harder by the fact that armed gangs owned each area, with locals refusing to go to the nearby hospital as they’d be shot for crossing into another gangs zone – the full story is long and complicated).

I’d like to say I was the perfect teammate, that I was sharp minded and a powerhouse of physical strength but that would be untrue. I spent most of the time knackered and feeling like for some reason I had less strength than the others, I think my drinking patterns were bad for the first day which would cause that to happen but it was probably more than that (maybe I’m just unfit and need to shape up). There were a couple of times I snapped back at teammates during some task which isn’t the right way to handle things, and sometimes I forgot instructions, felt I made mistakes that got the whole team in trouble or even worse was when I got my teammates names wrong. I was so busy critising myself internally however that it hadn’t occurred to me that other people might be having the same problems.

When I came back it took about 5 days to recover. I fixed a lot of my kit, such as by putting a proper drinks system (on 50% off at £10) on the rucksack instead of a bottle shoved inside, and got some safety goggles with prescription inserts (which was only about £40).


So please donate, it’s for a worthy cause and goes directly to the charity.

I might do another event with a different tone, e.g. “pay to see guy thrown out a plane, there’s always a chance the parachute won’t open and he may die!” which should attract donations from friends and frenemies alike. I hate heights and falling so a parachute jump would probably be hilarious for spectators/photos.

The Unofficial Getac S400 G2 Guide

March 30th, 2014

This is a guide for some of the more unorthodox things you can do with your Getac S400 G2 if you don’t care too much about voiding the warranty.

Whats the S400?


The Getac 400 is a semi-rugged laptop. Semi-rugged means it can survive some medium levels of abuse but it still has vents and fans, so you can’t throw it into a lake. Semi ruggeds like the Panasonic Toughbook CF-53 and the Getac S400 typically cost about twice the price of a similar spec normal laptop. In contrast a fully rugged will be totally sealed from any dust or water and will usually have a metal body which the CPU will use as a giant heatsink (since there’s no air vents), the problem is that a fully rugged typically costs four times as much as a high end laptop.

Semi-rugged and fully rugged laptops are normally provided to high abuse but technical environments, such as the oil industry, emergency services and military. The catch is that as part of all the certifying and approval, spare parts are expensive compared to normal laptops.

This is where this guide comes in. If you’re an individual who has managed to grab an S400 cheaply (such as an ex display model or similar) and enjoy tinkering with things, this guide is aimed at helping answer some of the questions you might have.

There’s a good review of the Getac S400 on the ruggedpcreview site but note that it’s for the older G1 socket version. There’s also a slight mistake in the description of how the back can be removed (read my notes for a couple of gotchas).

What’s the difference between the S400 and the S400G2?

Essentially it’s a move to a more recent processor generation/architecture, from those using the older Intel Socket G1 to the newer Socket G2.

For example, a G1 model might use a i5-520M CPU, a similar build G2 a i5-3320M. The more recent processor is better in every way for the same wattage [1] [2].

I want to upgrade my hard disk but the cost for a Getac hard disk is too high.

The official Getac certified hard disk enclosures aren’t really priced at the individual market.

Assuming you don’t care about the warranty, open the hard disk panel on the back of the laptop and take out the caddy. You need to prise apart the two halves of the hard disk carrier by putting pressure on the retaining lugs. Then put in your standard 2.5″ laptop hard disk and reseal it and replace it.

120GB Samsung SSD

Samsung SSD in the Getac carrier

I’ve tested the 120GB and 250GB Samsung SSD drives with the G2. If you want to use the encryption built into the Samsung SSD drives, go into the Bios and find the option for the hard disk password. It’s not very well explained by Samsung, but this will apparently encrypt the disk. Existing data wont be damaged so there’s something clever going on – I’d like more technical details about how this works but it’s very poorly documented the last time I tried to find details.

What’s the Maximum RAM it can handle?

The official stats say 8GB RAM is the maximum.
For the G2 I used 2x 4GB DDR3 SODIMM (204 pin) 1333Mhz PC3 10600 [Amazon link].

Note that the G2 socket processors can address 32GB RAM as opposed to the G1′s 8GB. It might be that (unofficially) the S400 G2 can talk to more than 8GB of RAM, or it might be a limitation of the Getac motherboard, but I don’t have the larger SODIMMS about to test this.

Just take the small panel off on the back and (obviously, with the laptop off) fit the new ram. If you don’t have 8GB showing in the bios when you boot then it’s a seating issue. Turn the laptop back off and remove/reseat the RAM properly.

What’s the fastest Processor it can Handle?

i5-3380M in the socket, about to be locked in place.

i5-3380M in the socket, about to be locked in place.

The official options for the G2 are the i3-3120M 2.5GHz and the i5-3320M 2.6GHz but an i5-3380M will work.

Limits on laptops are normally down to
* what can the physical socket/architecture support
* What heat can the laptop cope with
* What restrictions has the manufacturer put in the BIOS

The later is because they might have locked it to only certain specific CPU types to prevent support cases related to people tampering and modifying. Happily this isn’t the case with the Getac G2, at least using the R1.04.070520 Bios.

i5-3380M CPU

“Now, young Jedi, witness the power of this fully armed and operational i5-3380M CPU with Samsung 840 SSD”

Normally, the G2 socket can support the following processors.

  • Core i5-3210M 2.5 3MB/35W
  • Core i5-3230M 2.6 3MB/35W
  • Core i5-3320M 2.6 3MB/35W [Getac option]
  • Core i5-3340M 2.7 3MB/35W
  • Core i5-3360M 2.8 3MB/35W
  • Core i5-3380M 2.9 3MB/35W

Note that they are all 35 Watt maximum power draw (and hence heat output) so there’s no danger of overheating. There’s no i7 option for the G2 socket, so any choice is a two core CPU with the maximum speed processor the socket supports being a i5-3380M. I’ve tested the i5-3380M – it works great with the R1.04.070520 bios and I’m typing on a 3380M S400G2 now. Obviously Getac support are going to spit out their coffee and start showing you the door if you take such a laptop in for warranty work.

Use some decent thermal paste. It costs pretty much nothing from ebay.

use the good stuff

use the good stuff

I’ve not listed the i3 Options as you’re probably upgrading from an i3 so will be looking at the i5 range. The i3 in the Getac is a really great CPU so don’t be in any rush, however the i5 for the same clock speed offers a few improvements that might be of interest depending on the work you do, notably the vPro extensions, AES acceleration and Trusted Execution.

Help! I was tinkering and now the screen lights up but no Bios shows…

You had the back off and now the screen doesn’t work? This is easy to fix, don’t panic. Grab a cup of tea and here’s how to fix it.

To verify:

  • You turn on the power button
  • Laptop status lights come on, LCD backlight comes on, no text on the screen
  • Connecting up a monitor to the SVGA output, hey I can see everything fine

Here’s what happened:
When you took the back off, one of two things happened. Either you didn’t loosen the external SVGA connector nuts and tugging on the case caused this connector to tug on the motherboard or you didn’t undo the two screws on the back of the case that surface mount above the SVGA connector and that tugged on the motherboard. Either way, when you attempted to lift the back case off, a small white connector was tugged partially lose on the back of the motherboard. It’s hard to spot but just a matter of pushing it back home again.

To fix it:

  • Take the back cover off
  • Take the CPU heatsink and fan off
  • Don’t undo anything else, just get a torch and look under the motherboard
  • Push the white connector back into place
  • Put everything back
  • breath again, it’s all ok.



My Bluetooth device is being a right pain…

Er, yeah it might not be the Bluetooth device. If you’re in MS Windows, go to device manager and checkout the Bluetooth driver. If it’s the Windows one from years ago then click to uninstall/remove the Bluetooth device.

Go to the Intel site and download the latest Bluetooth driver, let it install and reboot.

Don’t download the official Getac Bluetooth drivers, they’re a mess (three types of Bluetooth driver, with no explanations) and out of date.

There’s only 3 USB ports on the S400 G2, so I went with a Bluetooth mouse and headset.

Other Upgrades

According to Getac support, your authorised local Getac service centre should be able to upgrade some of the modular features, like 4G, Bluetooth and discrete VGA. When I first asked a Getac reseller in the UK however, they we’re not aware this was possible, stating only the RAM could be upgraded after purchase.


I haven’t seen it fitted but I believe the GPS, Gobi WWLAN and/or 3G/4G options are handled by one mini PCI-E card. The sim card fits in next to where the battery is, so I believe the PCI-E minicard fits beneath the protective cover in that corner.

With 4G being released, there’s a lot of 3G cards going cheap on ebay but one of the problems might be that even if you get it, since you didn’t have the WWLAN option (because if you did you wouldn’t be attempting to fit it) you might not have an antenna available as I believe the antenna is an option that’s built into the monitor housing. I need to look at this further,

You can of course use an external adaptor via USB but that’s not a challenge worth writing about :o)


I don’t know anything about the GeForce GT 730M option at this time. It plugs in next to the CPU but I’m unsure of the heatsink/fan arrangement – I suspect a different combined heatsink is used. I’ll alter this post if I find out details.


I don’t currently know if the board can support any alternatives to the GT730M.

If you are buying an S400 from new, I’d go for the Nvidia graphics option as aftermarket cards appear to be fairly rare and expensive (compared to the PC desktop components market) so it will be harder to upgrade later.

External Display

I wanted another monitor but I wanted it to be light and portable. I went with the Lenovo Thinkvision LT1421 14″ portable monitor which works over USB (just one cable, feeding off the USB port by the power supply) and doesn’t appear to cause any CPU load or cause ghosting effects which are the two main concerns people tend to have with USB monitors. It roughly matches the rectangular outline of the S400 and it comes with a protective case.

Getac Support

Sadly I find the support (as an individual) very hit and miss, which is a shame because I love the hardware. I suspect corporations might have better/dedicated support agents assigned.

Starting with the website, if you compare the Getac S400 G2 downloads page to similar offerings from HP, you’ll notice HP have changelogs describing why a newer driver or bios is available – what’s been fixed and what has changed. With Getac it’s just the file, with no details.

Raising a support ticket, I got a response where it looked like a link had been stripped from the persons reply, e.g. “please download from . Reply back if there’s any issues.” But the mail came from a noreply@ address and the web interface at the time didn’t have any option for replying on support tickets (I notified their web team so this might be fixed now).

Raising a ticket to ask about the newer bios for the S400 and the differences between the three Bluetooth options, there was no reply.

I’m not sure if Getac support is based in one location. My experiences have included one person who had very good written English, which I suspect was someone in the US (and addressed the query well) but my contact since then has always been in broken English, with at least one signature stating it was from an office in Taiwan.

Did you know…

  • Press function-escape for the pretty keyboard backlight
  • Press the special bulb strikethrough button when you hear Russian helicopters overhead, it turns off the screen and every other light, including hard disk activity lights, power indicator, keyboard backlight and caps lock etc. Press it again to stop panicing that you just crashed the laptop.
  • Don’t forget you can expand with a PCMCIA card or a ExpressCard/54

I want to do some REAL customisation….

For extra engineering work, talk to people like this who add external GPS ports and similar to the Getac range.

2014 plans

March 2nd, 2014

I was a risk, but in the end it’s all worked out.

I handed in my notice and spent the Christmas and New Year period applying for security related positions which was what I wanted to move into. I know most people would think it’s crazy to leave one job without having another lined up, but I don’t see it as being clear cut. I knew I had funds for a few months and I’d sorted out a motorbike and laptop in advance for commuting and potential self employment. Note for anyone that tries this – the Christmas period sucks for job hunting, a lot of companies don’t advertise until January but for my situation I was happier making a start. It was the right time.

For non IT people – previously I’d worked as generalist positions, related to network and system administration, with some web programming thrown in. Although both my previous position and security IT work is in the IT industry, it’s not the case that different branches of the IT industry are similar enough that you can walk from one to another without preparation. My recent self study and qualifications were designed to be this assisting preparation.

Finding the right place

I approached a local penetration testing company – I’d found them by search engine, using certain security related keywords and the local area names. From their website I could see they weren’t advertising for a position but I thought they might be of the right size and specialist enough to be recruiting in future. I used LinkedIn to see what the various staff specialised in, and to lookup previous staff members and used this to tailor what aspects of my training I emphasised in the approach letter. I was careful with the wording as you can’t come across as the sort of person that assumes you know another persons profession just from reading a book or studying (or you could think that, but I’d hope everyone recognises it’s a troubling and flawed reasoning). I stated I wasn’t a penetration tester, but emphasised that I had transferable skills. I’ve spent years on the other side of things – trying to secure things to negate the type of attacks they’re carrying out – but didn’t know the deeper technicalities or have the experience of performing the attacks.


I was invited in for a technical interview. I took a taxi as I thought it would look more professional than turning up for an interview carrying a motorbike helmet and clothing. The taxi driver took my map (with the marked destination) spotted the company telephone number and then, before I realised what he was doing, he rang the company direct to get directions – I cringed slightly at the lengthy confused conversation on the phone as I thought if the rest of the workplace was within earshot of the person speaking they would think it was myself when I walked in.

I was asked verbal questions from a senior members experience – there were no written questions, the questions weren’t pre-planned and didn’t seem hard for the interviewer to come up with which I think made it better for both parties. I wont give specifics, but in general I was asked about things such as certain common programming issues and the security problems inherent with them, and how an attacker might approach or detect certain issues in websites or networks. I wasn’t asked any cliché interview questions. There were no awkward silences from when you’ve answered an interview question incorrectly or attempts as belittlement. When I said I didn’t know an answer, I explained the limits of my knowledge on that subject, which the interviewer appeared fine with.

In the application I’d suggested perhaps I could do a couple of days work as a trial. In the interview this was discussed and I was sent a Non Disclosure Agreement (NDA) covering client names, details of work done and similar.

Trial Day

I’d had a disastrous interview somewhere else where I’d turned up in a expensive suit which matched the interview panel, but then had been introduced to the team, whereupon a scruffy member of the team spent about 5-10 minutes openly sneering at my suit. I didn’t want that to happen at this company so I dressed down for the trial day to match the smart/casual attire I’d noticed the testers wearing in-office on my first visit.

I shadowed one team member first, who turned out to be an ex-marine. He showed me some physical penetration testing equipment he’d built (disguised tools you might leave in a target building) which I thought were fantastic and seemed well executed and then went through the network based attack he was currently performing.

As some background to the industry: A long time ago at a trade stand I’d spoken to a member of a branch of GCHQ (I don’t recall the specifics but in hindsight it might have been a member of CESG as the discussion topic matches the role) who had spoken of the difficulties they had when identifying useful penetration testing companies – the problem with the trade is the presence of companies who can only perform automated sweeps with no greater knowledge than the output reported by their automated tools (I have some horror stories on this for a future blog post). This wasn’t the case with the company I visited, where the penetration testers were hands on, with any tools simply being used as an alternative to speed up certain attacks that they happily demonstrated by hand to explain the theory and execution.

I’m not giving specific technical details due to the NDA but can say it was exciting to see an attack underway, the thought going on, the tool selection, usage and experience based testing. I understood the concepts and the flaws being explored, so I could follow what was being done, but the penetration testers clearly had a lot of experience – problems I’d always thought of as being theoretical or pedantic were actively being turned into exploits.

The team automatically went for lunch together, walking down to the local shop which you could tell form mannerisms was a routine social behaviour which I took to be a good sign.

After lunch I then shadowed another member of staff who was performing a social engineering attack on a client. While deploying the attack he was encountering issues with the companies defences and I understood from my own work what the company had done and was able to assist. I was really excited and wanted to help but didn’t want to be obnoxious and interfering so I tried to tone it down as much as possible. I helped with some a Linux command line syntax problem and suggested a minor improvement to the social engineering attack, which the tester decided to implement as a valid idea.

The day went really well, but the company hadn’t been advertising for a penetration tester and couldn’t offer me a position at the time as they didn’t know in January how much work there would be next month (a lot of large companies take a little while to wind up again after the new year and so take time to place orders for new networks or websites to be tested). They asked what salary I was seeking, and I stated I was motivated by the position, so was simply looking for one they felt was fair.


A week later I got an email, saying they’d let me know, and that the tester I’d shadowed for the social engineering attack wanted to pass on that it had been successful.

The Wait

I’d applied for more positions at other companies and as time went on I was fearing not just the career damage of an unemployment gap on the resume but also, due to financial liabilities, of potentially having to accept a position being employed somewhere where my heart wasn’t in it. One friend really stuck his neck out, first to suggest a temporary employment possibility and then to continually persuade me to apply for another company he knew to be a good employer despite my accidental best efforts at being unemployable – a public thanks to Dan.

I was a bit conflicted and about to finish arrangements to attend a second interview as a sysadmin with a local company when the phone rang and I was asked if/when I could start as a penetration tester at the company where I’d wanted to work – work had picked up again after the New Year break and there was now lots of work to support an additional position.

What Worked?

I don’t claim to be an expert on job seeking, but it might be that my experience is useful to others.

  • Don’t be afraid to approach companies directly if they aren’t advertising.
  • Talk to your friends about local employers they’ve heard of. I had no idea how many local companies there were tucked away nearby. Some quite famous ones I’d never realised were within a stones throw.
  • Do your research to find what they offer to clients and then demonstrate in your cover letter you have at least some knowledge of these areas.
  • Make sure you can financially afford to job hunt – know how long you can survive
  • Suggest something unorthodox like a trial/test day. It’s a chance for you to discover and run like heck if the place is dysfunctional (hopefully that’s rare but it’s a real career threat if you accidentally accept a job at such a place), and a chance for them to answer two of the the main questions they need to know the answer to: will you enjoy it here, and will they enjoy working with you?
  • Work on your LinkedIn profile, interview presentation materials, portfolio and resume

What didn’t work

I attended about 4-5 interviews over December-February, it’s important to learn from things that went wrong.

  • Don’t expect anyone to read your portfolio, LinkedIn profile, interview materials and resume (despite the advice in the previous section). If they do it’s a bonus, so you should work hard on it, and there’s personal benefits from self development as you work on them, but don’t assume a link on the resume will ever be followed.
  • Don’t assume the interview is just to flesh out more details about the things in your resume. You have to repeat your experience in the interview. It’s a nightmare to realise towards the end of an interview that they haven’t read your resume and you’ve just assumed they know you have knowledge of the areas you’ve mentioned in it.
  • Don’t let it get you down. If an interviewer fixates on your A level results from 18 years ago, if they hate your suit, if they have some slightly crazy view of the world – it’s going to happen in an interview eventually. Do your best not to burn the bridge and afterwards just learn from the experience as character development.

This is almost 2k words – there’s bound to be some errors so drop me a message for corrections. Related: I’m currently offering £2 to charity per correction on my portfolio site.

Portfolio Site Revamp

February 10th, 2014

A couple of years ago I had a go at building a portfolio website. I also created a couple of small software projects to try and show some public code. It was successful in getting me to think about what I was selling, and holes in my skillset or presentation compared to advertised positions, but the site itself looked a bit dated. I’m currently between employments so revisited the site to modernise it and improve the presentation.

I spent last weekend reworking it and then making corrections over the week. If you’re interested in creating your won and, like me, your primary experience is not web development, then you might be interested in some of the notes below:

Monitored for reachability by site24x7.com

247site24x7.com is quite handy in that it alerts you if your site goes down. Although it costs money for commercial use, it’s free for one website (with a starter number of alerts). It constantly checks my site is up (from world locations you can choose) and sends me a mail if my site goes down, which avoids a potential situation of sending out resumes linking to an online portfolio and then discovering it’s been down for days due to a technical problem.

If you pay a little bit you can have a lot of other features such as SSL certificate checking, SLA monitoring, twitter and SMS alerts and similar, however I’m not using HTTPS for my portfolio and don’t need the other extra features at this time.

  • normal link [http://site24x7.com]
  • Referral link (gains me monitoring alert credits if you sign up, but no other benefit)

Static analysis of code

To check the code that creates the sites html, I run the code through a static code analysis program that looks for and alerts you to issues. For Perl this is perlcritic, but other languages have their own tools. As well as using it in your development, you might want to automate this so any time you accidentally commit broken code to the site (development or live) it emails you an alert (think: preferably only one alert, and not every $X minutes the check runs against the webservers codebase).

If you’re using a version control system for your code, such as SVN or Git, you can make it run checks each time your commit code.

Run the CSS through CSSlint

I’m familiar with the W3C validator for CSS but hadn’t heard of CSS lint.

The key with CSS lint is to understand that it’s aimed at massive sites. There’s an online checker at http://csslint.net/ and for a small site I would run your sites CSS through it but then only fix the issues you recognise to be genuine problems – the other warnings (such as not using CSS ids) are aimed at improving code maintenance in massive sites and can be ignored as incorrect for a small site.

Tidy the HTML

Just for my own site maintenance and readability, I’ve passed a lot of the html templates through htmltidy although some files I’ve avoided where HTML is mixed with a templating language (Template Toolkit).

The full command I used for XHTML wrapped at 80 characters is:
tidy -w80 -indent -omit -asxhtml -xml -modify somepath/sometemplate.tt

Let someone else run a suite of tests for you


Rather than testing each page separately for spelling mistakes, accessibility, search engine optimisation, dead links or XHTML syntax errors I used a trial account for a centralised website tester that performs multiple checks on your site http://trial.sitebeam.net.

I’m about 3/4 of the way through the trial allowance of 10 checks. Currently it’s aimed at large customers but their support say that their service might be about to change to add a smaller/cheap customer category suited for individual site owners.

Run a dev site

If you’re making changes, always do it to the development site. It’s just one more DNS record, and extra folder and webserver configuration that’s near identical to your live site (just change the site name from “foosite” to “dev-foosite” and the directory files are served from to match).

This way is something breaks there’s no damage to you public presented image and no panic to fix it. You can try out different things on different versions of the site. Remember to have your template or code automatically link to the right site when you move pages to live. You don’t want to find links in your live site accidentally pointing to pages on your development site (I see this on some large public sites sometimes). If you don’t know how to do this, at least go with a check that runs every $X minutes/hours to search the live site for links to the development site and alerts you if it finds any. This later option isn’t as good a solution but it’s better than letting the visitors find the errors.

You may or may not want the entire internet to be able to find your development site. For a simple portfolio site I find it easier for the dev site to be accessible, and there shouldn’t be embarrassment from people seeing the information on it. This might not be true for a commercial site of course, especially if it’s a non static site dealing with customer data or shopping carts and billing information since client data might be exposed by a developer error or someone might be able to exploit a mistake.

For a simple portfolio site, I find having the online site checkers be able to check your development site is also handy since it’s preferable to find and fix mistakes on the development site, rather than discover them on your live site when someone might already have seen them. A commercial venture would probably use tools in-house so this wouldn’t be an issue.


If you put a lot of effort into a site, you don’t want to lose it due to hardware failure, hosting provider mistake or your own accidental command. Make regular backups, and if possible automate the system so you don’t have a laborious manual process that you might end up skipping. Remember, depending on what’s in the backup, to think about how you’ll get that backup off the server and transmitted/stored in a secure manner.

For my site:

  • A fileserver machine at home automatically establishes an encrypted SSH tunnel to the webserver, or re-establishes one if there’s been a connectivity drop. It’s important to do it this way around since if the webserver had login SSH keys for my fileserver (if my home fileserver had a public ipv6 address and could be reached) then an attacker that gets into the public webserver could have useful avenues of attack versus my home fileserver and from there my home network (There are ways to limit the commands the SSH client can run but it’s good not to tempt fate, in case you’ve made a mistake in configuration or there is a flaw in the software).
  • The webserver later performs an automated rsync of the files it has compared to the currently back up files on the fileserver and transmits only what’s changed. If it wasn’t for this intelligent comparison you’ll transfer a lot of data every time and might consume your bandwidth allowance, either at your hosting provider or your backup site (perhaps your domestic broadband in this case, if it has a data cap)
  • You can generally predict how long the rsync will take (e.g. for me it’s a lot less than an hour). So another timed automatic cron job then causes the backup fileserver to creates a single archive file of the entire folder of backup up files it has stored (e.g. creating a single file similar to a windows .zip file but without the compression at this point).
  • The date is added to the filename and the backup server (which has little else to do during the day) spends the next few hours compressing the archive file to reduce hard disk space usage and so increase the number of days of backups that can be stored.
  • An automatic housekeeping process removes archives over a given age to stop the disk filling.

If I was taking backups to CD/DVD/Tape or other removable media, I’d encrypt the backup so that if someone finds the CD, they can’t read the contents. I might also encrypt the filesystems and files on my backup server if the data was really important (since a thief could rob my house and take the server), but it’s harder to achieve in a totally automatic manner and in this case the data is only my public portfolio code.

Aren’t backup systems simple?

Use some of the colour/color picking websites

The title is because all CSS uses the American spelling of colour.

There’s various websites that let you put in a colour and automatically give you the range of lighter and darker shades to choose from. This was handy as I used a colour scheme centred around that used for the organisation/logo of my highest qualification and then where I needed to, produced darker and lighter shades of the same colour (to improve readability and so on).

These tools might not be all that advanced, you could write your own, or use the facilities in an art program like GNU Gimp, but some of the sites suggest entire themes and help give you ideas. Some quick hits from a search engine:



For visitor analytics I used http://clicky.com. I’ve used Google Analytics in the past but I wanted to move away from Google and the clicky.com interface is simpler. It’s also free for this small scale usage. There’s open source analytics programs that you host yourself, which would be more private, but I wanted to be up and running quickly and didn’t want another package to administer/maintain at this point in time. Maybe later.


I’ve added Twitter, Linkedin and Google+ buttons to the site, as well as the new OpenGraph meta tags that sites like Facebook use for rendering a picture of a site when it’s linked.

The code these addons and meta tags use necessitated moving to HTML5 instead of XHTML1.1 strict. I need to test the site over the next couple of weeks in some older Internet Explorer (IE) browsers and get it rendering to an acceptable level in those, since some HR units may be using corporate managed desktops stuck with old browsers. This sometimes happens if large internal corporate web based systems like payroll are using 3rd party software that only runs on old versions of IE.

Get feedback early

I created a table with one axis being the types of people I wanted feedback from (sysadmin, networks, security, human resources, design/typesetting), and then a column for friends and one of contacts which I then tried to populate with names of people I knew I could probably contact. My thinking was that a sysadmin friend would have the most feedback on the sysadmin section, but perhaps wouldn’t have the same depth of knowledge on another topic. A friend might also give you quite different feedback to that of someone that only knows you briefly, professionally or not at all.

Your roles/topics of people whos opinions you want will depend on your industry, but remember to talk to someone from Human Resources (HR) or a recruiter. For commercial 3rd parties you’ll need to be prepared to pay or offer a donation to charity if approaching them in their spare time.

Role/Topic 3rd party professional Friend
Designer Laurence Llewelyn-Bowen Sam
Sysadmin Richard S.
Cryptography Bruce S. Alice,Bob
Someone who works in HR

I contacted a few people for this first draft and the best response was from a friend who I hadn’t met in some time, has sat on a few recruitment panels and has a similar employment history. This seems to give the right blend of technical knowledge combined with being able to confidently say “look, this bit sucks, I’d change that to be more [...]” without any social awkwardness.

As an example, in this case the feedback included

“The front page has hardly anything on it, throw things at me.” [fixed]
“The navigation is awkward and confusing, just give me one page per topic.” [fixed]
“I’m bored of IT people with nothing but IT in their lives, tell me something about you” [fixed]
“$X and $Y don’t line up! I know it’s little but fix it” [fixed]

Publishing the site on this blog was the next step, and probably next week I’ll contact some more specific people.

Asking for feedback gives you an opportunity to step back and take a break while you wait for the response. I think it’s important to take little breaks and do the development in waves, especially as even a small portfolio might be 2,000+ words of meaningful content that you need to create, check, rewrite and re-scrutinise.

Domain name

I moved the domain name to improve the branding. Just be aware when you do this that search engines may rank the old site higher as the domain name has existed for longer and remember to make requests for the old site redirect to the new one in your webserver configuration – don’t just leave the old site up and wonder why people visit your old site by accident, and don’t take it down and wonder why everyone has broken links and thinks your site no longer exists. Redirect oldsite.yourdomain to newsite.yournewdomain. I used an Apache rewrite rule.

So what is the new site?

The new site is at http://portfolio.guyjohnedwards.co.uk/

If you have any feedback, there’s an email address on the front page. Let me know your favourite charity if you’re providing useful war-and-peace volumes of feedback and I’ll make a donation.

Does making a portfolio site actually do anything for your employment chances?

I’d love to say yes but I’ve attended a number of interviews where I’ve realised that my resume hasn’t been read by at least one person on the panel (this happens a lot), let alone any linked sites within it.

It could be that the main value is in the journey rather than the end product. It’s what you learn in developing the site and writing about what you’ve done. In doing so you’re forced to re-evaluate what skills you have and what evidence you can show. You might start thinking about the future and what you wish you could say in a certain section in a years time. It might affect what projects you get involved with at work, or how you otherwise guide your development.

Parental Worrying Device

November 3rd, 2013

[this article is written for non motorcyclists, so if that's not you, just skip the obvious bits]

I live in the middle of a city that’s fairly cycle-friendly and so to save money I’ve just had a bicycle for a number of years now. I was starting to get itchy and there’s some places I wanted to go to do (non IT) training courses that would be away from train and bus routes. I could hire a car or get involved in some car-sharing scheme but there’s other complications with those situations.

We live in rented house, which shares a drive with four other rented houses, so the landlord and landlady aren’t too keen on everyone having a car as they wouldn’t all fit. They were fine at the suggestion of a motorcycle however.


Trivia: I hadn’t noticed it before now but in the photo above there’s something that looks like a dent in the fuel tank. There’s no dent – it’s actually just where the matte finish has been worn to a smooth finish by the riders knees and it causes an odd false perspective effect in the photo.


I rode motorbikes from about age 16-18. At first a 50cc and then later a 125. Both were two strokes (an engine design that’s good for high power in a light package but uses oil in the petrol and so doesn’t meet modern emission requirements for anything more interesting). I was mechanically minded enough to service them and in suburban/rural Gloucestershire they were a lot of fun. I passed my full Motorcycle (category A) and because this was some time ago I’m not covered by the newer restrictions with regard to what size motorcycle you can ride in your first X years after passing your test.

A normal everyday bike

I wanted something that wasn’t as frantic as a 125. On the smaller engines, in order to make enough power to overtake on for instance a rural A or B category rode, you need to keep the engine revs high because the engine only makes reasonable power in a fairly narrow band of it’s rev range. It’s tiring as you have to constantly work the gears and the road topography alters (for instance, small engines have low torque so you have to change down the gears on short inclines and similar), you can get bullied by other traffic if you don’t keep up and it’s not safe to be planning desperate slingshot overtaking manoeuvres. It might sound odd, but I also wanted something with some physical size to it so that you’re more noticeable and you’ll generally be given more room. Most 125s, 250ccs and similar are quite lightweight and narrow, which is fine for what they’re designed for but they don’t have the same presence as a larger bike on a dual carriageway or motorway.

Looking around at bikes that people recommended for riders coming back into riding, the Suzuki SV650 gets mentioned a lot. It’s got enough torque that if you accidentally pick too high a gear for a situation the bike can pull through and it’s generally described as predictable to ride with the V twin engine adding some enjoyment (compared to high revving inline four cylinder road race style bikes which are quite ‘peaky’ to ride). I knew that the four cylinder road race bikes of 600cc and above were more towards the guided missile style of riding so I wanted to avoid them if I could.

I wanted to be able to carry panniers (luggage on the back) and possibly do some long distances so looked around the SV650 forums at photos for different peoples setups. They all looked like a fairly smallish low road bike with giant boxes on the back but it was do-able. People complained about the riding position not being ideal – wrist pain from the weight forward road race style positioning and similar, and discussed ways to modify the bike to be better for touring.

Getting the itch

So at this point I was browsing ebay for SV650 bikes, and visiting the local motorbike dealers. Buying a motorcycle helmet highlighted how out of touch I’d become with the motorcycle world. I was fairly open minded about what helmet to get but I knew I didn’t want an open face one (as I like my jaw and don’t want to lose it in an accident) and I knew I didn’t want one of those flip-front helmets that old people have (more on that shortly). The conversation went a bit like:

Me: “Hi, I’m after a motorcycle helmet. Here’s a few I was interested in from your website, just to give an idea.”
Assistant: “Ok”
[I look around at the in-store range. I remember Arai and Shoei helmets from when I was riding last, but don't recognize any of the makes on display]
Me: “So I haven’t ridden for a long time but when I was riding last it was the case that for safety you avoided Polycarbonate [plastic] helmets and went for composite [glass reinforced plastic, kevlar and/or carbon fibre weaves] ones, is that still the case?”
Assistant: [slightly puzzled look from the assistant] “Not really, for instance all these polycarbonate helmets are Gold ACU race standard [the highest standard possible when I was riding], it’s more about weight, the composite ones are lighter so you get less neck fatigue”
Me: “Oh, I guess things have come on a bit”
Assistant: “They all have washable and replaceable liners, most of them have pin lock fittings, some of them have the sun visors”
Me: [slightly gobsmacked] “You can take the helmet liner out and wash it?” [note: in my day your helmet absorbed whatever hair gel and face-grease was applied to it and that was it because the liners were fixed - it's such a simple requirement but so helpful]
Assistant: “Of course”
Me: “erm, what’s a pin lock?”
Assistant: “It’s like an anti fogging system that puts a layer of plastic within the inside of the visor”
Me: “Oh like double glazing I guess?”
Assistant: “Yes sir”
[I wanted to say "so why not call it visor double glazing instead of pin-lock" but I didn't want to test the limits of his politeness]

My old helmets had all been the traditional race style. I tried one on. If you push your hands against your cheeks and move them forward in a comedy fashion, that’s what it was like.

Me: “Er, I’m not so take with the fit. I know different manufacturers sometimes have different helmet fits, do you have anything slightly different?”
Assistant: “We have some of the flip front helmets behind you, they’re popular with glasses wearers as they tend to find them easier to put on and off”
“Hmm, ok I’ll try one one” [puts on the helmet, everything goes suddenly quieter - this isn't the case with the race helmets]
Assistant: “mmmhm mhmmhmm hmmhmh”
Me: “What?”
Assistant: “This one is intended for touring so it’s wind tunnel tested and has improved sound deadening. The slide brings down the sun visor, the button releases it. Bluetooth compartment is to the side.”
[...fast forward 10 minutes or so...]
Me: “Erm, can I have the flip front helmet in the Matt black option?”


But it’s not just helmets either. The “armoured jeans” that were first coming out when I started to ride got quite poor reviews (compared to thick leather trousers) but now they’re all approved to various ratings, with four rows of stitching to keep it all together in an accident. The textile jackets have armour systems, goretex and similar fabrics.

At least I know what bike I want

So I sat on a second hand SV650 at a dealers. I could reach the floor easily, the controls fell to hand. All the dealers agreed it was a good first big bike for getting back into riding, with no nasty surprises. Getting one that hadn’t been thrashed might be an issue. One dealer himself owned an SV650 “I’m on my forth engine” he said. He had the look of someone that you would ask to deliver a bike a days ride away, and then have it arrive 30 minutes later with the engine glowing red hot. I found one SV650 with one lady owner from new, but the dealer wanted a lot of money for it for the age that it was – as each year went by the model was improved, with fuel injection for instance, and this was quite an old one. Everything else seemed to have an ominous after market exhaust, and some of the wording of the private adverts reminded me of the mechanic on his 4th engine.

I spoke to my dad on the phone, whilst happy to discuss motorbikes, he was very carefully avoiding anything that might sound like encouragement.
“Have you thought about an adventure style bike instead? They’re quite popular”.
“Oh what, like a scrambler – enduro road bike thing? Hmm nah”

A few days later I idly googled for the adventure style bikes to see what was going on nowadays. One of the first things I bumped into was the Suzuki DL650. It’s essentially the same engine as the SV650 but with a milder camshaft (slightly less peaky), and of course mounted in a semi road-offroad frame. There’s a couple of owners forums. Looking on ebay I found a few interesting bikes for sale, including one which was very cheap for a 2008 model but wasn’t cheap for the high mileage it hand – there was a compromise going on. I couldn’t help but notice it was in zombie-apocalypse-mad-max matte black (it’s an official colour for 2008, not a respray). I knew the 2008 model had an upgraded alternator to handle more electrical output (such as heated grips, GPS systems and similar) which previous models suffered from, and the high mileage seemed to be work out as commuter miles so wasn’t too odd and checking the forums it wasn’t excessively high for the engine to cope with – lots of other people had higher mileage DL650 bikes. I asked the dealer a few questions.

* it could be delivered to me at half the normal delivery price
* they would put a brand new back tyre on (a decent make)
* they’d also service it, it would have a new MOT
* they’d would throw in a bike cover
* they’d give a 30 day warranty for any issues

Obviously, using all my advanced motor trade haggling skills I looked at the zombie-apocalypse black bike and drove a hard bargain, something along the lines of:

Futurama: shut up and take my money animation

So it arrived in the back of a van. The bike mechanic unstrapped it, we did the paperwork. I looked at my wooden gate.
“I looked up the specs online beforehand, the bike is apparently 33 inches wide, I measured the gate at 35 inches, now I just have to see if it’ll fit”
“Oh, do you want me to ride it though?”
[At this point I think of myself trying to do it with the 200kg bike I'm not familiar with, the narrow gate, the gravel drive, the slippery wet metal inspection cover the other side and the fact that he's fully insured]
“Er, yes that would be great”


Weirdly, something that makes an immediate difference is the fuel gauge. When I first rode, the amount of petrol you had was found by

  • you sat on the bike with feet spread out either side
  • you opened up the fuel cap
  • you looked inside whilst moving your hips side to side to see if you could see how much petrol was sloshing about, or once you know the bike by the amount of weight/resistance to your movements

Now I have a fuel gauge, which reduces the chances of the ancient fun activity of cutting out from lack of petrol and pulling over to put the bike onto reserve tank, only to discover it’s accidentally been on the reserve tank all along and so has drained the main and reserve (reserve is like a subcompartment of the main tank) and you now need to find a friendly motorist to help. I think I only did this once, which was a bit of a miracle for a sleepy 17 year old.

First ride

I knew I needed to be careful with my first ride as I hadn’t ridden for so long. As we’re on a fairly busy main road, inside the city ring road. The bike had been delivered with the fuel gauge showing a warning. Rather than get worked up about dashing to the petrol station and maybe ending up pushing a 200kg bike around a ring road roundabout, I just walked there and filled up a petrol can and brought it back.

I got all dressed up and prepared, went out to the bike and… then it wouldn’t start – the battery had gone dead as it had been stood and the weather had suddenly gone cold (including a proper storm). It’s a fuel injected bike so I believe bump starting is difficult as usually the fuel pump helps pressurize the fuel injectors. Plus bump starting a 200kg bike on gravel was not going to end well. Luckily I borrowed a charger from a nearby fellow motorcyclist and charged it up overnight.

I picked a time after the main rush hour and on a fairly calm evening. Low speed throttle and clutch control was fine/predictable for getting the bike out of the narrow alleyway. Pulling onto the main road I pulled off a little too wide, pressed the horn when I tried to cancel the indicators, and the bike rocked a bit as I changed gears. I quickly pulled into a quiet side road so noone could see me riding like a moron.

I pottered around the side streets for a bit, getting used to the slower speed behaviour. I liked the upright riding position which kept your eyes ahead scanning for issues, like pedestrians stepping out or motorists pulling odd manoeuvres. The levers needed adjusting as they needed to rotate down slightly so they were in line with my hands but otherwise it was fairly familiar (gear changing etc was second nature). The high up weight I need to get used to, especially low speed cornering or stop start turning manoeuvres – I will lower the suspension slightly so I can reach the ground with the flat of my foot rather than just the toes/ball as otherwise I have to lean the bike slightly to one side when I stop which I could see otherwise leading to a (slow speed topple) mistake one day, such as the bike leaning to the right as it comes to a stop and my foot being on the right hand side on the brake pedal instead of down on the floor in time. The right hand mirror is great, the left hand one gives me interesting views of the tops of trees.

I went out again today early on Sunday when the roads are empty. I filled up in the petrol station without doing anything stupid, like dropping it. The bike is easy to handle as long as it’s moving, even if it’s just moving really slowly with the back break on. The balance really seems perfect when it’s moving slowly – when it’s stopped it becomes a big hulk of weight ready to fall on the floor the moment I don’t pay attention. I cycle every day so it could be all the times I’ve balanced my mountain bike on the pedals when stopped at red lights also helps with the slow speed bike balance. General roadcraft as well transfers from cycling, not perfectly but enough to be noticeable. The helmet and protective clothing reduces the situation awareness compared to cycling but the motorbike is more noticeable and doesn’t get bullied whereas people will try to push your bicycle to one side, even if it’s slow moving traffic with no possible advantage to them.

I went off down the A40 but although it was sunny, today was pretty windy and I didn’t turn it into a multi-hour ride as there were some strong side winds (the UK is currently having some interesting storms) and similar so I played it safe. A noticeable difference to my old 125 is that if I’m at 50, I can open the throttle and the bike will strongly pull to 70 with ease. The bike was happy to sit at 70mph and felt normal at that speed – I have friends who’ve test ridden sports bikes and said that they were riding at what seemed a normal speed, then looked down to see 110mph on the clock. So I’m sure the DL650 can go fast but it doesn’t feel like a license wrecker.


One or two bits on the engine and engine guards could do with a wire brush and lick of paint but otherwise I’ve no immediate mechanical concerns with the bike. I think the main improvements would be via the rider.

  1. Other than my helmet, my protective clothing is currently borrowed from a friend so I need to get my own
  2. There’s a motorcycle training company the other side of town that has a massive abandoned factory car park for low speed/stop-start practice and also does refresher/advanced training so I’m probably going to book a few hours with them just to remove any bad habits. I don’t have to do this but I recognize it’s a sensible way to reduce risk.
  3. I’m going to drop the suspension about one inch to improve my stop/start bike control, there’s a simple kit that does this.
  4. I’ll play to the bikes strengths to build my confidence by doing some longer distance riding on low traffic roads I’m familiar with

Maths Institute – Building Move

August 28th, 2013

Just a short post- I’m now working in a senior post at the Mathematical Institute, University of Oxford. Our main task is moving three old buildings full of academics, students and similar into the new building. I’ve been working quite long hours for this and we’re only two days in so I’ll leave a picture instead:


I took this this evening on my way out of work. My pedometer says I walked roughly 17,450 steps inside the building today, with a lot of crawling under peoples desks and a fair bit of cable patching. I’m going to get some sleep and will start early again tomorrow.

Bank refunds me for 2005 cash withdrawal

July 25th, 2013

I received a letter from HSBC who refunded my account after discovering that in 2005 I didn’t receive all the money I’d used at a cashpoint. It’s genuine – my account has been credited. This raises some interesting points like:

  • My cynical side is speechless that banks actually have managers that say “hey lets check if we owe our customers money, it’s the ethical thing to do”
  • banks keep cash machine records for a long time. Before you say “Well, duh! They need to keep financial records!”, there are quite a few laws concerning data and they get harder to defend against the longer you keep data

I’m not complaining, I just find it interesting.

Here’s a scan of the first page of the letter, the second page is just a closing paragraph and the HSBC footer so I’ve left it out.


If you work for a bank and know what process/requirement or similar might have suddenly have brought this on, drop me a line in the comments.

Nation State Monitoring

June 30th, 2013

There’s lots of new recently with the former NSA contractor Edward Snowden releasing information about the surveillance programs operated by the US and UK governments. Thanks to this recent development I would suggest that for the general population, government monitoring is now known to be taking place, whereas previously it might have been considered by laypersons as the conjecture of IT workers and conspiracy theorists. I’m going to attempt to discuss some of the technical and political aspects of a nation state monitoring program without getting into opinions on current political circumstances.

This article is aimed at people with a little IT knowledge (friends, family) although it’s a little bit of a dry subject area. It’s my job to give these kind of technical and ethical issues thought and I should be able to communicate the problems into laypersons terms.

a cat monitoring

By popular demand, this post will again feature pictures of cats

Why do we have Secret Services?

You’re probably thinking this is a daft question – clearly we have them to fight terrorists and assist in wars? This is one role (it’s actually quite close to the mission statement of MI5) but it might be more accurate when talking about the collection of secret services a government will have, to say that governments generally have secret services to protect and improve the countries financial and political welfare. That’s not a perfect definition but it makes the situation a little clearer. What’s the difference? The difference is that the scope is much wider than you might expect. A basic example would be if you’re a large corporation in a nation, bidding for an overseas contract, then there are avenues by which you can ask if there’s any information the government can provide to assist in your bidding.

At this point you’re probably thinking there doesn’t seem to be much of an issue. The ‘bad guys’ being negatively affecting by the information gathering are either foreign nations or designated as ‘the enemy’. It all perhaps sounds fairly reasonable if you’re law abiding and you assume the good faith of others, especially as we have to assume other nations are doing the same.

Problems with national monitoring

The problem comes in five main situations

1. When corporate domestic interests clash with local (or larger) public domestic interests.

For example
* The hydraulic fracturing industry (fracking)
* The wind turbine industry
* The nuclear industry

These industries contain people, and as per any human population of reasonable size – not all will be honest. Groundwater contamination, wind turbines well under the recommended distance from homes and nuclear risk/contamination might be valid concerns for local residents to raise depending on how professional and responsible the implementation has been. Regardless of the behavior of the industries or the behavior of the protest groups (on a rising scale of political opposition, civil disobedience, direct action or outright military violent actions) the corporations can receive data from the government on the activities of the activists. If an activist is acting legally, and the large corporate is acting illegally, then supplying domestic confidential information to the corporation about the activist takes the monitoring program (on a sliding non-Boolean scale) from being beneficial to residents of the country to being a hostile tool (and the extreme end, fascism).

2. When ‘the enemy’ of the nation slowly shifts to become members of the public opposed to the current ruling regime of the nation

…such that the surveillance powers become a tool to maintain power against a democratic desire for change. A clear example would be when demonstrations or internal civilian actions against an oppressive regime take place – in this case the demonstrators would be labelled as ‘freedom fighters’ and the government as an ‘oppressive regime’. The perspective changes however when the terms instead become ‘anti terrorist surveillance’ and ‘domestic terrorists’. Specifically the terminology used normally depends not only on the actions of those involved, but also on who is creating the labels and who emerges as the victor.

3. When data collection points are shared with another country.

Entering into a reciprocal arrangement with another country whereby you monitor their citizens and they monitor yours, and then you share the resulting data, gets around a lot of laws designed to safeguard against domestic surveillance. These laws are typically in place to put barriers in the way of, for instance, a political regime using the data to target supporters of another political party. A corrupt government can change the law of course, but changing or breaking the rule is a warning flag or tool by which to trigger widespread notice of corruption by the government, so it still has value.

A countermeasure to this is preventing or limiting the discussion of breach. In the UK this is done via a Defence Advisory Notice (D-Notice or DA-Notice) to the press, the issuing itself of which is confidential so in may ways it’s similar to the “super injunction” gagging orders certain celebrities in the UK used to hide affairs, but the DA-Notice is more of a threat of (severe) action rather than an in-effect court based action. At least one site claims to have a copy of a current DA-Notice but due to it’s nature there isn’t any way to verify the claim and be able to report the result in press if positive. Again there’s a terminology problem – we’re either defending necessary state secrets from reckless disclosure harmful to the state, or we’re a corrupt regime that’s censoring media to the population in order to manipulate the populations opinion, depending on the intent behind the restriction, the country and who is labeling the action.

4. When known false positives are chased up harshly – with the effect of stifling discussion.

This goes from obviously over reactive examples – such as people who state on twitter that they are going to destroy (as in party) the US and dig up Marilyn Monroe (which was a “Family Guy” cartoon quote) being interviewed as terrorists and rejected entry to the US. Another person discovered a tracking device on their car (which the FBI turned up to collect) after a friend commented on a news forum that in his opinion the airport security measures were poorly thought out as the friend perceived that an explosive device in the airport where everyone had to queue up due to the new security measures was now a greater risk than on a plane. He’d been investigated for 3-6 months due to the friends comments.

The end effect of these incidents is an undercurrent of fear – a noticeable number of commentators on online articles warning people that it’s too risky to discuss opinions on monitoring and current political events (on common UK newspaper websites, which would normally be perceived to be legitimate discussion sites in a democratic and free country) because the perception (rightly or wrongly) is that there will be repercussions by the state against them for voicing an unfavorable discussion.

5. When the data is handled recklessly

Such as leaving data on a train, or via a stolen laptop. Now all the intercepted data is in the hands of whoever stole the information.


A friend refused to read my blog unless it had “pictures of hot chicks”. Enjoy the photo.

If you’ve done nothing wrong, then you’ve got nothing to hide

This is best treated as a fallacy.

* Even if you assume that governments are trustworthy, people run these systems and in any population of people there is a percentage of corruption in the form of using the data for individual criminal purpose, or to further personal goals. Your financial and personal data can be used in interesting ways against you. The data you accidentally hold about other people can also be unintentionally useful. When Banks or large data maintainers (such as Google) have bad employees caught performing illegal acts, I would suggest that it is safe to assume that sometimes these employees are quietly let go (dismissed, perhaps with a gagging order or other agreement) without public notification so as to prevent damage to the public perception of the company (brand).

* A future governments of your country, between now and when you die, may have information for all your personal data stretching back many years. They may share that data with groups of their choosing (foreign, corporate, criminal). With apologies for skirting close to Godwins Law, the most obvious case is the persecution of a section of the population due to their religion for political purposes – the World War II persecution of the Jewish population of Germany to the extent of euthanisation programs, wasn’t believed by the allies due to being too far fetched, until the concentration camps were found. We often think no such action would repeat itself, but the actions of a small group of people in the terrorist attacks on the US world trade centre caused a growing polarisation against members of the same religion (I could discuss what might appear to be a feedback loop here over the past decade but it’s likely to cross too far into opinion).

* You may be committing a crime by stating something which is not against the law in your country, but is against the law in another country that has surveillance (and potential extradition) abilities in your country. An example would be the NSA staffed (with an RAF commander) Menwith Hill installation in the UK – the UK and USA have similar Law structure but not identical laws, nor identical political interests.

Is there some test I can perform to detect nation state monitoring?

No, not really (or at least, not without getting yourself into potential trouble).

There was a statement from Nokia when they were initially taken to task for providing a telecommunications network with the ability to conduct government controlled monitoring to Libya. I’m struggling to find it but I believe the quote was along the lines of “all governments require this, you can’t setup a telecommunications network for any country without providing this facility”. I believe the obvious implication was that this was known to be implemented in the reporters country as well. You sometimes see occasional stories that hint at this ongoing operation.

Rightly or wrongly, and despite any public statements, for the purposes of computer security you should assume all nations do this. It’s still perfectly legitimate to have concerns about it however. Even if you accept monitoring for the purpose of national defence, it’s legitimate to have concerns about specific parts of the monitoring, including who has access to the data, how long the data is stored for, and what is being collected. The ideal situation is perhaps to have capabilities to detect and therefore intercept against terrorist attacks whilst at the same time not allowing for political and corporate misuse. That’s easy to type but the political requirements can be quite difficult to translate into a system. As an example the NSA claim to intercept only data for (or concerning) non US citizens but that’s a very difficult requirement in terms of analysis of modern internet traffic – for this reason it appears they’ve made some generalisations such as traffic originating from IP ranges abroad are not US citizens, which although flawed is the perhaps the best that can be done.

How is it implemented?

In short, if I was given a massive pot of money and had a short timeperiod to setup a monitoring system in a country it would be broken down into

* ‘taps’ which essentially take a copy of data sent on an internet service providers backbone. These might be housed in the service providers buildings or via covert means (at extra cost and fragility) without the provider knowing (the example is from the cold war rather than the domestic sector, and the physical conditions a little extreme but the technology is the same for the purposes of a tap example). In the NSA case it appears this was done against the local law and via a mechanism that if the telco had refused would have resulted in repercussions. It’s not clear what tap points are in place in the UK but it’s believed it might be at the national data exit/entry points.

* local servers – perhaps local servers turning the raw packet data into a summarized form such as netflow – in laypersons terms “this ip contacted this IP on these ports at this time” – and then perhaps compressed form for sending to a central location.

* a data centre – to receive and store the data in the long term and to perform computationally intensive processing of the data

* software for interfacing with the data – how do you search through so much data? You have to have a logical interface that everyday operators can use to provide them with data.

* start setting up relationships with mail and social network providers so that we can get access to mail boxes and account information via some form of interface.

How do you defend against it?

With great difficulty. There are a few points to note here:

* You can attempt to defend against corporate and governmental data cataloging of your actions however defending against a nations government where you live that has an express and burning interest in you is (I would say) impossible.

* unusual things attract interest. A computer that only sends encrypted mails, out of a local population of 10,000 domestic ISP connections, is conspicuous. I might be able to deduce something from the timing of your mails, as well as who they are sent to (unless the SMTP servers involved using opportunistic encryption, and even then are they log searchable themselves?).

* You can avoid using Internet based services. Google, Microsoft, Facebook and similar have stated they wont give up information without a warrant. No warrant is needed for non US citizens however. If IT literate you can run your own services but it’s likely to incur a cost and it mainly protects against routine cataloging of your data – nothing is totally secure from a nation state. As an example it’s nearly always possible to bribe someone when needed, such as the person running your collocation server room or your system administrator (if he/she doesn’t have a price, perhaps the threat of prison for some concocted charge might work).

* You can use applications such as TOR to attempt to disguise your network traffic but you still need to be careful as there’s lots of ways to make mistakes that demask who you are. As a couple of examples, with visibility of your ISP network and the TOR endpoint your entry traffic can be correlated with the exit traffic (not always possible but a risk…) – a lot of TOR end nodes are thought to be operated by governments as the cost of the traffic volume and risk of prosecution from other peoples traffic such as file sharing can make operating an end node problematic for an individual – and the traffic still needs to be encrypted as the contents might give away your identity.

Why would you want to defend against it?

Sometimes society is broken – historically there are some things that should be challenged so that society can change for the better
* The abolition of slavery
* The right to vote for women
* Equal rights regardless of ethnic background

Remember that the negative case of each of these was bound in law at one point and if the governments had had the data to single out and arrest each activist they would have. That doesn’t of course endorse every political view to have an activist approach but it does show that protesters (and lawbreakers) aren’t always out to damage a country. Following on from this is the subject of whistleblowers which probably deserves a post all of it’s own. In short you want people to come forward and tell you about out of control situations but you also don’t want to be able to punish staff giving confidential data to the press in other situations where no greater good had priority and it served only to damage your institution.


Congratulations, you got to the second cat photo. This one is entitled “The End”

In closing

I have to stop here for today. I try and take a step back and think about the different angles and as stated at the start of my post, it’s part of my job as an IT professional to stay up to date and think about these issues. I’m not advocating any angle, but I think it’s sensible to think about what services you use (such as ‘cloud’ internet based services) and what data you make available deliberately such as via facebook/linkedin or accidentally such as via nation state monitoring (internet traffic, credit card transactions and similar).

Full disk encryption with a twist

June 3rd, 2013

What’s this about?

Perhaps as a normal user in your job, you deal with job applications, or patient data, or your new product idea, or your companies client list, or your new product designs from engineering which you show to select customers under an NDA. If your laptop were to get stolen, it might lead to (non exhaustive list)

  • political embarrassment
  • financial loss to your company
  • identity theft issues for your customers
  • legal fallout
  • loss of your job

You might have a logon password to get into your operating system (Windows Desktop and similar) but this isn’t going to stop someone who can Google for a solution to resetting/rescuing a forgotten administrative/root password (or just mounting the drive on another system) who can then get in to take a look about at the user data

It doesn’t have to be theft either – if passing through certain national borders you might end up having an image of your hard drive taken. If we assume (for simplicity) that governments themselves are totally trustworthy we still have to assume that data will be held securely and only analysed for national security… but the data is being held by multiple people, you only need one parasitical (corrupt) employee to put your data at risk. An individuals motivations for your data might be looking for financial data such as credit card details stored in a file (don’t do this), or data that could be used to answer your password recovery information on banking sites.


I’m told I don’t use enough pictures, so this post will feature pictures of cats

What’s the solution?

A solution is disk encryption. This way if the laptop is stolen the confidential data stays encrypted. When the computer boots up you type in a password and that is fed into the process that allows the data on the hard drive to be read. For an attacker, removing the hard drive and putting it in another computer won’t work – without the decryption password as well as the drive you just have a lot of encrypted data.

What other solutions are there?

You could pay someone to constantly stand over your laptop and physically remove anyone that comes near. For border crossings a diplomatic status, armed guard and being from a large aggressive military orientated country would probably keep the data safe. It’s a bit expensive though and do you trust your guard? Maybe he’s a spy…

Ok, lets use disk encryption. Are there any problems with disk encryption?

I notice you didn’t say ‘full’… sometimes software will be used on the hard drive that first boots up a kernel from a small partition on the hard disk, then asks for the password and uses that to decrypt the second (much larger) encrypted partition. One problem with this approach is that I could work out what software you’re using, work out an attack in private, and then the next time your laptop is unattended I can modify that unencrypted partition to boot up a slightly altered kernel. With the right approach you won’t be able to trust your device any longer and the attacker will be able to use your system at will.

Ok, full disk encryption. No unencrypted stuff. Beat that.

So you’ve been given some full disk encryption product and is has a suitably massive number for how long in years it’s expected that all the worlds computers combined would take to decrypt your disk. There’s still some issues. The main one is social related.

When you go through some hostile border and they demand that you boot up your laptop, the first thing they will see is a password prompt. If you’re lucky you’ll just get a demand that you type it in. If you’re unlucky they’ll ask for the password so they can record it with the disk image. You can stamp your feet and refuse but things are only going downhill from here on – you might lose the laptop, be promptly deported or detained for national security reasons.

Or if you have financially valuable engineering data on your laptop, perhaps you’ll get the xkcd scenario, and beaten until you give out the password. How many fingers do you have?

Well this all sucks

OK wait. Imagine someone demands to see what’s on your laptop, it boots up into MS Windows, they see that you have a few (rather dull) mp3s, a browser history of some dull sites and not much else. They see you have a USB stick on you, they ask to see what’s on it. You plug it in and there’s just some more boring mp3s. They get bored and wave you off.

Later on in private you put the usb stick in to the same machine, reboot and up comes a different operating system, which asks for a disk encryption password, and then decrypts a different operating system from a hidden (to the casual eye) encrypted area of the hard drive.

That sounds fun

Yes, the problem is that despite whatever you know about computers you now need to sit though a bunch of graphical installers, trying to convince them to do something complicated when they’ve spent the past 10-15 years making the install process hide as much complexity as possible from the user.What you need is a technical blog written by someone who went through the pain for you.


Our success criteria:

  • If untouched, the computer boots into [a sacrificial] MS Windows without any boot menus or similar having been shown during the bootup process
  • If plugged in to a Windows based machine, the USB stick you carry will show as ‘normal’ (some mp3 files etc)
  • If an image of the hard drive is taken, the data remains confidential
  • Stealing the USB stick and computer is not sufficient enough to get access to the real data
  • If the hard drive is tampered with (data altered) your data is either unaffected or the entire system is destroyed – you can trust the integrity of your device

There are limits to this but it’ll protect you in most scenarios. You have to upset some persistent people for it to come apart.

Solution Outline

  • Put windows on the laptop, then install Linux to a second partition, with the partition encrypted and the /boot partition on the second partition of the usb stick
  • Carry a usb stick with you, on a keyring or similar. The first partition is fat/vfat which windows can read, the second partition is /boot for Linux. Grub bootloader is installed to the USB sticks Main Boot record.
  • For extra security, you could use a hardware encrypted USB stick that has a built in keypad


  • You must put the FAT (windows viewable) partition on the first partition of your USB stick
  • You must put the bootloader onto the usb stick despite anything the installer does to try and persuade you not to
  • The USB bus resets a lot of times in an install, causing issues if using a hardware encrypted usb stick as it will disconnect and demand the password and the install process might chose that moment to get upset and die because the drive didn’t return in time. Hence use a normal usb stick for the install, then ‘dd’ the image to your hardware encrypted usb stick later (and securely wipe the original after confirming the copy works).


  • Don’t write a blog post about implementing it, otherwise they’ll know it’s there and you’re vulnerable to physical duress again[1]
  • Don’t use a uselessly weak password. There’s no point using 256 bit disk encryption if your password for unlocking it is ‘password’  (and no, ‘s3cur1ty’ isn’t a good password).
  • Anyone who’s above average with computers will spot the secondary partitions if they investigate either the laptop or USB stick in a partition manager[2]
  • If you make backups of the drive in it’s encrypted form, don’t forget the password or you’ll be locked out forever
  • If you make backups of the laptop when the drive is decrypted, then remember your data is vulnerable whereever the backup data is stored.
  • It might be possible to social engineer you into using a keylogger device (“hey, that laptop keyboard looks small, want to use my spare USB desktop one?”)
  • If you don’t keep your system patched and secure, you might just get it compromised when it’s turned on like any other machine
  • If using a hardware encrypted USB device, note that various nation states might have required a backdoor from the manufacturer
  • If the laptop is unattended, a well funded attacked might just lift out the laptop keyboard, but some form of small broadcasting hardware between the keyboard and keyboard connector and then refit it, then wait to sniff your keystrokes which decrypt the hard drive. That’s out of the realms of normal attackers but within reach of state-sponsored espionage.

[1] In all seriousness, this is a trade off. I like to share helpful information, my fleshy biological internal risk analysis thinks I’m low risk of (for instance) physical duress but I find it fun to work out how to do things like this.

[2] Forensic examination will have no problem determining that there’s partitions there, and if you’re involved in a court process you’ll probably be asked to give up your encryption keys. You can refuse which in the UK will get you 2-5 years in prison. The best way to avoid going to prison is to not break the law (not a perfect guarantee).

Full Howto

I’m using OpenSUSE 12.3 in this guide but the general principal is the same for pretty much all Linux distros.

Install MS Windows, but during installation don’t use the entire hard disk, instead leave some space (which will be used by Linux). E.g. you could split a 120G drive into 60G/60G.

Now we’ll install Linux. If you get it wrong and accidentally install grub (laypersons: a common bootloader used by linux) onto your main drive, do not panic. Boot up your windows install/repair disk and select the command prompt option, then type

bootrec /fixmbr
bootrec /fixboot

this will remove the Linux bootloader and you can then try installing Linux again (and windows boot will return to normal).

So during the Linux installation, when it comes to partitioning your hard disk space, select the free space not used by windows and select to create a partition. In OpenSuse 12.3 I used the following steps

  • click on free space
  • select ‘add a partition’
  • select ‘do not format’
  • select ‘LVM partition type’
  • select ‘encrypt device’.
  • enter the password when prompted that you want to type in when the laptop tries to boot into Linux

It will not have created what’s probably (depending on the Linux distribution) an AES 256 encrypted drive. If you’ve an Atom processor there’s some suggestion that you may have faster disk access times if you’re able to select the Blowfish encryption method instead, but I don’t think this is possible in Opensuse (using a command prompt to look at the installers supported encryption types) and there may have been some improvements in implementation. If I was doing this on 250 corporate laptops and had the option in the distribution I was using then I’d probably do some benchmarking.

But currently it’s just a big encrypted space, we need something useful on it.

  • Now go to LVM volume management, select to add a new volumegroup
  • select the physical partition to add to the LVM physical group (use the one you encrypted)
  • enter a name, then click on finish
  • now add logical volumes (such as a swap, root and home area)

Some people might suggest not adding a swap partition – my advice would be that you might not need it but it’s going to be a nightmare to add it later on so add one now to play it safe.

It’s optional but you might want to change the mount options to add noatime (this means don’t record file access times, it’s not normally useful and slows everything down) and to remove support for extended file attributes (ACLs) if you won’t be using them.

I used ext4 as the file system as btrfs is a bit new and gave me some unexplained errors during one of the trial installs on the device I was using (I forget which distribution I was trying at the time – I tried a few while looking into the disk encryption) which made me nervous about the implementation – I like my filesystems to be error free since I want my data uncorrupted.


For removable media, selecting to format the second partition will format the first partition. You made a backup right? Right?

  • Having partitioned the main drive, select the usb stick.
  • Put a vfat partition at the start of the disk, then use the last space on the disk for the /boot partition (200MB-500MB) – you must get the order right (see following notes)

Important: you might be tempted to make the usb stick have a /boot partition at the start and a vfat partition for windows use in the remaining space. Don’t do this. If you do it this way around firstly windows will ask if you want to format the disk everytime the usb stick is plugged in, and secondly attempting to format the secondary vfat partition in MS Windows partition manager will cause it to format the first partition. So in short you won’t be able to use the usb device in Windows and you’ll fail the requirement of the USB stick appearing normal when plugged in.

This is due to Windows behavior with drives that have the Removable Media Bit (RMB) set (only one partition allowed, and some other behavioral changes), which is normally set in the USB device controller chip, and usually only alterable using a special program from the device manufacturer.

The Microsoft decision maker

The Microsoft RMB policy decision maker

  • click finish
  • you’ll be asked to add a user, and then you’ll get the install summary screen. HALT! stop at the summary screen as there is something we need to do

Take a look at the Bootloader section very carefully on the install summary screen. Notice that the installer is going to install grub to the main hard disk (e.g. /dev/sda) but we want it on the usb stick, (e.g. /dev/sdb).

So if we click accept now it will be a disaster. If it goes on the hard drive then grub (bootloader menu) will be loaded on boot and it will get upset when the usb stick isn’t present and we won’t be able to boot windows either.

So to fix this

  • click on Booting
  • select ‘boot loader installation details’
  • in the list of drives, move the secondary drive (usb stick) to be top of the list using the arrow buttons

I then used ‘boot loader options’ to set the active flag for the /boot partition but I think you only use that if you install grub to the boot partition itself, and I used the MBR instead. now proceed with the Linux install.

If you have a hardware encrypted usb stick and you followed my earlier advice and to installed to a normal usb stick, you can then image to your encrypted usb stick

# check the device names are right, then double check
# if = reading in file[system in this case], of = writing out file[system]
dd if=/dev/sdb of=/dev/sdc

Although an encrypted usb drive has better data integrity/confidentiality, a small usb stick might be better in use as it’s discrete and easier to carry on yourself at all times. Although I don’t like promoting security through obscurity, a smaller device also won’t look out of place, whereas having a (in comparison) gigantic usb encryption keypad sticking out of your laptop might perk interest. You can always take the stick out after boot of course (add the ‘nofail’ option to the /boot mount point fstab to make Linux cope with that situation better).


Test Expected Result If it fails…
Laptop boots without USB stick Laptop bootsinto windows without and bootloader evident If grub loads you installed grub to the main drives MBR by mistake
Laptop boots with USB stick Laptop loads grub boot loader and attempts to boot Linux If this fails you’ve probably made a mistake with grub
Linux needs a drive decryption password to boot On boot, Linux halts and asks for a decryption password If it boots without a password then you forgot to create an encrypted drive
USB stick appears normal in windows Plugging in the stick, it’s visible as a normal USB drive If it asks to format it, you’ve got the partitions the wrong way around – fat/vfat has to be the first partition

Congratulations, you made it through the wall of text. This second cat picture is your reward.


Some modern devices come with features such as the ability to encrypt the hard drive via (in simplified terms) the computers bios, which loads before the operating system. This means the attacker needs the password to decrypt the disk. The problem is that it’s very obvious as soon as the computer boots up that a password is needed (“please enter the password”), and depending on the circumstance whoever took the laptop from you might be physically aggressive.

So instead, don’t have Linux as the sole operating system. Have the device boot into MS Windows by default. You could still have a hardware implemented password required (a bios boot password), but under duress you can give it up and the attackers will boot the machine, which will yield the Windows system. In a similar fashion, we want our USB stick to appear boring and uninteresting. It should behave normally when plugged into a everyday computer.

Some people say that you only need to encrypt your /home partition in Linux – where your user files are. The problem with this is that you really want to ensure you can trust the integrity of the computer kernel before you type in your disk encryption passwords. If the kernel in /boot has been modified the attacker can get logs of everything you do in the operating system, they can open backdoors, they can operate invisibly as root.

So with the above  described technique your /boot will be on a usb stick which you carry with you. Your data is on your laptop, and you can leave the laptop behind and still trust it on your return (within sane levels of paranoia – if you are a state funded secret agent, please consult your local security officer for further notes). You need to have a backup of your boot usb stick (otherwise it will be awkward to recover your system), and ideally that backup needs to be encrypted.

dd if=/dev/sdb of=my-bootdisk-backup.dd
xz --compress my-bootdisk-backup.dd
gpg -c my-bootdisk-backup.dd.xz
# now copy it somewhere safe/off your computer

So this isn’t a golden solution to every security problem, but it might help you setup one trusted device that you can always depend on.

Visit to ECMWF

April 12th, 2013

There was good news and bad news this week.

The bad news was that I won’t receive any funding support for the CISSP exam/course that I did which covered networks and telecoms, datacentre security, disaster recovery, software development and similar.

The good news was that yesterday I passed the smaller Comptia Security+ exam, which cuts a year off the endorsement time period required for the CISSP. It’s only a minor achievement in light of the larger CISSP exam being a superset of the Securty+ exams content (although it’s from a different vendor). A friend summed it up in a text message as “well done. It would have been HILARIOUS if a CISSP failed the Security+”.

Today I followed up on an invite to visit ECMWF, which is essentially a well funded EU wide organisation with a ~300 person branch facility in Reading, using supercomputing facilities for medium range weather forecasts.


The server rooms are restricted photography areas but the watercooled supercomputers are quite impressive in terms of heavy machined piping and reinforced floor to handle the weight. The operations monitoring room (again, photography restricted) looks like a miniature version of the military nuclear control facility in the 1980s movie ‘Wargames’. The photograph below is from the public video wall near the reception.


There’s obviously a lot of funding going on – there’s two datacentres of duplicated infrastructure equipment, large individual offices for staff (although office sharing is now coming in) but there’s also some tactful funding decisions evident such as not specifying the most expensive switch vendors for edge switches.

In the networking and security section I met my old work college, Oliver, and his co-worker Ahmed who is a CISSP and we had food at the local pub.


I enjoyed talking to Ahmed about his life experiences as he’d emigrated to the UK and I was interested in hearing what it had been like as I’d similar concerns about a potential move abroad. He’d also taken the CISSP for similar reasons to myself so it was easy to relate to his work experiences. Oliver was doing well and it was interesting to see what new technologies he’d been looking at as ECMWF appears to use quite a range of vendors. They’ve made different key choices about key business software (Zimbra based rather than MS Exchange for mail) and also have a quite different network architecture. I’m not going to go into depth on what the setup is as it’s not my network and the culture on openness might be slightly different – we tend to openly publicise network design/service setup at the university more than not educational institutions would (if someone wants to argue that this is good or bad I could probably write a whole article on the ethics and reasoning either way and what I’d chose in each situation) .