March 31, 2016

As part of the run up to UCExpo I’m going to be taking part in my first Twitter debate this afternoon (Tweebate?). I’ll be taking over the SIPHON twitter account: @SIPHON_Networks.

Feel free to fire me your questions – the theme for the debate is going to be the Future of Communications Security, which gives rise to the hashtag for this debate: #comsecfuture

Hurting your partners the Basecamp way

February 1, 2016

I was recently pointed towards this thread on github which I read with growing horror as the thread developed.

Now, fair disclosure – I’ve never really liked Basecamp. In the words of an old friend, they appear to have confused “simple” with “simplistic” and released a product that left me in the position where I always wished it did more than it did. As a result, I’ve only ever used it when customers require it for their projects.

However, the discussion on that thread isn’t related to the product per se, but rather to the release of the new version of Basecamp. As developers need to do from time to time, they’ve rewritten the product. This does occasionally happen when you reach a point where design decisions were made on assumptions that are no longer true – often due to growth. Fact of life. No problems here.

The problem comes in how Basecamp have approached their partners – Basecamp is at its heart an end-user-focused application and some of the principles outlined in the book that they released back in 2006 hold well with that ethos. The problem they have is that along the way, they have taken a product decision to allow integration with third party apps via their API – so when they released v3 of Basecamp and focused on their users, they left their partners in the dark.

My biggest problem with this whole situation is that Basecamp could easily have avoided this if they’d clearly communicated with their partners – a group of people who Basecamp have to engage with in a singularly different way to their end users. Had they said, back in November, “hey, look, v3 is coming out but because it’s a rewrite the API will be different and not backwards compatible, so you need to tell your users that” then I’m sure the partners would have been unhappy but could do something about it. Even identifying which version a user was using based on the old API would have been useful so that at least the third party app could pop up an alert.

Instead Basecamp have strung their partners along for the ride for several months, all the time promising an API “real soon, now!”. As a result, end users who felt, like me, that the product needed extras and used third parties who used the API to implement those extras are now stuck between a rock and a hard place. Companies who wrote integrations are facing a real problem, especially if they’re small shops whose business models rely on this integration.

Maybe I spend too much of my time in a world where APIs, resilience and reliability are “table stakes”. Maybe I’ve been spoiled by companies who place the importance of integration front and centre of their product strategy. Maybe I’m too used to companies who understand how their users use and perceive their products and are willing to communicate clearly to those “users”, whether they’re end-users or third party integrators.

Maybe, once again, I’m just expecting too much from Basecamp.

Police misleading the public to pass the Investigatory Powers Bill?

December 7, 2015

I was browsing twitter this evening when I came across the following tweet, published by an agency that I have a lot of respect for, the National Crime Agency. They’ve been doing some work with Channel 4 and are publicising an upcoming documentary. Part of that campaign seems to have led to this tweet:

The link in their email points to an infographic:
Misleading NCA infographic about the use of comms data in a missing person case

I had to read this infographic more than once – it’s so misleading that I had to check how many different problems there were with it. Although I replied to the NCA, 140 characters is a bit limiting for a response, so let me respond, in my professional opinion as a communications industry expert and with over a decade of experience in helping the Police with missing persons cases through Mountain Rescue.

So the infographic starts with a story about Amy, a missing 14 year old girl whose parents are unable to reach her because her phone is switched off. Let’s skip over the fact that this is not a surprising situation for a teenage girl, and suppose that there is something untold in the situation that places Amy in the “high risk” category that requires immediate investigation to prevent her from coming to harm.

At this point, the police request call data records from her mobile phone provider, but “…Amy uses online applications on her smart phone to make calls and send instant messages so no useful data is returned.” I’ll come back to this, but let’s take that at face value for the moment.

The police request that her mobile operator then provides communications data (presumably what the Investigatory Powers Bill is referring to as “Internet Connection Records”), but as they don’t store it, they can’t provide it. The police are stumped and can’t help Amy. Poor Amy.

The infographic then goes on to say how access to those records could help provide “key investigative leads” to trace Amy and reach her before she’s harmed.

Seems reasonable, right? Well, no.

First of all, Mobile Network Operators (MNOs) don’t just store call data records – they store a whole host of useful operational information about your mobile, including information about the cell that you are or were connected to. This is useful operational information for the MNO, but it is also useful for the security and law enforcement agencies (let’s just call them Law Enforcement Agencies, or LEAs, for now). As a result, I wouldn’t be at all surprised if this information were already the subject of an Order for retention under the current regime on all of the MNOs – however, that information is Classified Information, so we can only make educated guesses. That would give the police a good idea where the phone was (with a resolution of anywhere down to a few hundred metres normally) when it was turned off – in some cases, they could even ask the MNO to “ping” the phone from multiple cells to get a very accurate picture of where the handset is – but let’s assume the battery’s been taken out or the mobile destroyed. What else?

Sticking with communications data for a moment, what could that data have revealed if the MNO had been keeping it? Well, it could have told the police that Amy went to Google. She also used WhatsApp, twitter, Google Hangouts, Facebook, Hotmail and a whole host of other random websites.

That data’s limited to what service she was using and when – so for example, you can’t tell if she looked up the number of a local taxi company or searched for a bus timetable on Google. You can’t tell if she sent a message on WhatsApp, twitter, Hangouts or Facebook – because those apps maintain connections with their services on a semi-permanent basis to receive notifications of new messages. My twitter feed for example gets updated on my phone even when I’m not using it. What could the police do with this data? Well, they could approach a Judge and ask for warrants of intercept for each and every one of those services in case she uses them again – none of those are UK based, so they wouldn’t be subject to this new law. Whether the Judge would want more than just “she used them” to get a warrant is a good question. Or perhaps they could check those services and see if she posted anything publicly. Great, so this data was useful, right?

Well, sort of – asking Amy’s mum whether she used facebook reveals that yes, she’s always on it talking to her BFF, Brenda. A quick chat with Brenda, where the police explain the urgency here, and Brenda tells them all about Amy’s new boyfriend who she met online and was going to meet this morning. Or perhaps Brenda tells them about the album that Amy’s favourite band have just released and that she’s gone to buy it in defiance of her mum’s instructions. Or maybe Brenda doesn’t know anything, but she can at least tell the Police what services she uses to communicate with Amy, because Email is just soooo last year, everyone’s using Facebook Messenger at the moment…

“Human intelligence”, or information gathered directly from people rather than from their communications, has always been favoured by the LEAs and security services for many reasons – it brings along with it a wealth of useful and sometimes unintentional information. Brenda here was a much better source of information than Amy’s MNO because Brenda can provide context and information that isn’t transmitted by any communications service. Moreover, the MNO has given police a long list of service providers who they need to contact, and the majority of those are outside the UK, making warrants to get access to that data lengthy, time-consuming affairs.

So far then, the communications data hasn’t been as useful as what is occasionally referred to as “good, old-fashioned policing” – talking to relatives, friends and other people who are connected to this individual.

And this brings me neatly to my last point – that the NCA seems to think that there’s nothing else that the police can do. Now, I’ve been involved in dozens of missing persons (MisPer) investigations for high-risk MisPers and the communications data is a minuscule part of the investigation. CCTV cameras, taxi company bookings, conversations with family, friends and neighbours, bank records, credit card records – all of these can help track our activity. More than that, however, they can provide insights into the one thing that the communications data can’t – our reason for doing something and our state of mind. A new boyfriend. An anniversary of the death of a loved one. A pending bankruptcy. An argument with a parent. All of these are hugely important in building up a profile of the missing person and will tell police where they’re likely to be. Unsurprisingly, this is well documented procedure in the Police Search Manual published by the College of Policing, and that, together with the data from the Centre for Search Research, such as the UK Missing Persons Behaviour Study, can be incredibly accurate and useful in guiding the next steps. To suggest, then, that the police are stumped because they can’t get access to the communications data is so misleading as to be almost lying to the public, and it does an enormous disservice to the difficult and complex work that Police Search Advisors undertake as part of a search for a vulnerable missing person.

I’ve been watching the progress of this bill with interest and far better people than I have commented already – but this bit of poorly written and sensationalist misinformation from the National Crime Agency angered me – not only because it’s trying to influence the direction of a political bill through tugging on heartstrings using information that’s just plain wrong, but that it diminishes the skills and efforts of those teams of people whose job it is to find these vulnerable missing persons.

Hopefully, someone from the National Crime Agency will read this and reply as to why they thought this was acceptable, but I’m not holding my breath.

This post has been edited to correct the title of the bill, which I originally referred to as the Communications Data Bill – this was the original Snooper’s Charter in 2012, and not the new Investigatory Powers Bill which is currently being proposed.

Specialist operational teams: a thing of the past?

October 7, 2015

Almost two and a half years ago I wrote an article about the changing face of recruiting engineers and how vendors were talking about automating the configuration of networks. I had some doubts at the time but things have moved on from there.

This week I’ve been attending the Oracle Communications Customer Advisory Board in Paris. Quite apart from the usefulness of the sessions and the availability of and access to a variety of people from engineering through to PLM, it’s been an interesting insight into the future direction that Oracle is taking and what Tier 1 communications providers are talking about. In particular, the things I spoke about in my original article now have a name – Network Function Virtualisation, or NFV. Oracle have been clear in this conference that NFV is coming and that they want to have all of their products in an NFV architecture. A lot of people will have a knee-jerk reaction to this and say that it’s impossible – that there are components which have to stay as hardware or purpose-built systems. Equally, I’m seeing people take the exact opposite position – everything will have to be software, there will no longer be any purpose-built hardware. Oracle, however, is clear that there is room for both – a good example is an SBC. AcmePacket systems were always purpose-built hardware to provide acceleration in silicon. Although that hasn’t changed with the acquisition by Oracle, there is equally a commitment to provide a virtualised SBC alongside the purpose-built hardware. The point that’s clear here is that NFV doesn’t exclude purpose-built hardware, or at least it mustn’t if it is to succeed. There is room for a hybrid approach from an architectural point of view as well as from a commercial migration point of view.

One question in this morning’s session caught my attention though. The question was asked “Who is going to manage your NFV architecture?” A number of options were proposed, from splitting the stack into horizontal components much as it is now, to having a specific team manage the whole stack. The discussion was varied and there was some brief discussion about whether the IT team or the Application team should be responsible for the stack.

The conversation sadly missed the point entirely – the technology that is being proposed is fundamentally different to anything that’s in place today. As a result, we have to approach this in a different way.

First of all, having multiple teams manage the NFV stack isn’t useful – as a systems integrator we see too many problems categorised as “grey” problems – integration issues where two vendors point at each other and both say “It’s their fault”. This is one of the benefits of getting support from SIPHON on multiple products – by supporting the solution as a whole, we accept responsibility for the grey problems and manage the vendors appropriately. In an NFV architecture where the stack is potentially fully automated with multiple vendors, this will happen more frequently. So it’s critical that companies look to provide a single team that manages, if not all, then a significant majority of the stack. Who then?

The team that manages your NFV stack will work best if you have a team of generalists or a multi-discipline team. With this approach, every individual should have a good working knowledge of every part of the system right up to and including the application. NFV means that you’re providing a framework that places multiple components in close proximity and with complex systems of this type, you’re going to have elements that impact other elements – the system is inter-dependent to some degree and decisions you make will need to take into consideration the whole system.

That’s not to say that you don’t need specialists – I think it’s likely that what we’ll see is multi-disciplined teams of generalists who can either draw on specialist teams or who each have one or more specialist areas. It’s also possible that the team will depend on an outsourced specialist team much like some of our customers do already with SIPHON’s engineering team.

This new architecture is a fundamental change in how the stack works so we need a fundamental change in the operational model to support it and it’s time that operators realise this and look forward to a positive change.

Safe harbour agreement threatened?

September 23, 2015

Edward Snowden’s revelations to the world about the US’ monitoring of communications are the gift that keeps on giving.

The Advocate General to the EU Court of Justice has today issued a legal opinion which makes two findings:

1. That the Commission’s acceptance of US safe harbour arrangements does not override the ability of local courts to make their own determination as to whether the arrangements meet their local laws.

2. That the current decision of the Commission to accept the safe harbour arrangement is no longer valid.

The first finding is, in my view, fairly logical and not contentious at all – that member courts should be able to decide whether an arrangement fits their local implementation of an EU-wide directive seems logical, especially given that although the laws stem from the directive, they may not all have the same implementations.

However, the second finding is much more damning and interesting. The BBC article sets out the background to this case, but the Advocate General makes a few key statements:

It is apparent from the findings of the High Court of Ireland and of the Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection. Those findings of fact demonstrate that the Commission decision does not contain sufficient guarantees. Owing to that lack of guarantees, that decision has been implemented in a manner which does not satisfy the requirements of the directive or the Charter [of Human Rights].

It’s clear then that, based on the Snowden information, the Advocate General doesn’t believe that the US is able to offer the appropriate level of protection. This has a wide-ranging impact on all manner of people, from service providers who have servers in the US to companies that use services like Amazon’s cloud services and even, potentially, to industries like banking and air travel. Ultimately, it’s in the US’ interests to get this right since it will hit US business if the rest of the world can’t transfer data over there – of course that’s a pretty extreme outcome and I fully expect the EU and US to come to a new “arrangement”. They’re already negotiating, which simply lends even more weight to the Advocate General’s statement:

Given such a finding of infringements of the fundamental rights of citizens of the Union, according to the Advocate General the Commission ought to have suspended the application of the decision, even though it is currently conducting negotiations with the United States in order to put an end to the shortcomings found. The Advocate General indeed observes that, if the Commission decided to enter into negotiations with the United States, that is because it considered beforehand that the level of protection ensured by that third country, under the safe harbour scheme, was no longer adequate and that the decision adopted in 2000 was no longer adapted to the reality of the situation.

Now the legal opinion is not binding on the Court, however it’s a pretty damning statement in its own right. Given the enormity of the impact this could have, I’m watching this case with interest. It might finally wake the US up to the fact that its human rights record is pretty shambolic, all the more considering their self-appointed status of police of morality for the rest of the world.

Have Tom Watson and David Davis inadvertently made things worse with DRIPA?

July 19, 2015

I was all ready to pen a nice article about The Data Retention and Investigatory Powers Act (DRIPA) after I attended a Home Office briefing on Thursday at the ITSPA summer forum, however I’ve just seen this article from the BBC.

Personally, I agree with both the courts and with Tom Watson, MP and David Davis, MP. The poorly acronym’d DRIPA legislation was a bad piece of legislation, pushed through as an emergency measure with little or no parliamentary scrutiny. This legislation attempts to strike a careful balance between two key concepts – the government and its agencies’ need to catch criminals and safeguard the public; and our rights as citizens to privacy. For this legislation to have little or no scrutiny or debate is, in my opinion, a travesty and sticks two fingers up to our entire process of governing. The only good that I saw in DRIPA was the sunset clause which gave the Home Office the time to draft legislation for debate in the chambers and the necessary accompanying review of legislation carried out and reported on by David Anderson QC, which in and of itself is an interesting and wonderfully balanced report with a comprehensive review and series of recommendations.

The briefing on Thursday was very informative and it was immediately clear that the Home Office is very conscious of the balance they need to strike between the essential needs of government to protect its citizens from harm and to provide them with a legal infrastructure that protects their right to live a peaceful life. What was clear was that drafting legislation like this takes time to get right, especially since it has been promised a full and informed debate in both chambers. This would have happened early next year with legislation due to be enacted by the end of 2016.

Now the problem with this ruling starts to become apparent. On the one hand I agree with the court that this legislation is not compatible with our human rights, but the judgement actually limits the time available for drafting and debating in full what is an extremely complex piece of legislation. This, unfortunately, is the crux of the matter – Tom Watson and David Davis may have shot themselves in the collective feet by actually preventing the full and frank debate that this new bill needs.

It remains to be seen what will happen between now and April when the judgement of the court comes into effect, but this one may have backfired.

Customising Polycom button configuration

April 26, 2015

One of the pieces of work I’ve been doing recently has been to reconfigure our standard Polycom handset template for our sales team. I was asked for a few specific features for them and some specific button layouts to make life easier. We then couple this with a little bit of training and they then get access to some of the power of the BroadWorks system that we run.

Unfortunately, configuring customised button layouts for Polycom phones is neither simple nor fun and there’s not a lot of information out there, so this post is all about some of the work I did.

This is going to be a long blog post so I’ve hidden the detail below, click down to read on.


Moving forward at the speed of technology

September 24, 2014

When companies I buy a service from send newsletters out they occasionally have some interesting tidbits and so I saw today’s newsletter from EE telling me that I could now make journeys through public transport in London by paying with my phone. I was a part of the recent TFL trial using contactless payment cards, so this was interesting for me – solving one of the problems I saw with the contactless system (waving your credit card around in public is surely just asking to be mugged).

Screenshot of the EE newsletter detailing the announcement that EE are working with TFL to roll out NFC payments from mobiles across the TFL network.

So I follow the instructions and check the list of handsets supported for NFC payment (EE branded as “Cash on Tap”) – surprisingly my fairly new HTC One M8 isn’t on there – what gives? It’s certainly got NFC capabilities. A quick google shows something interesting – Only recently has the HTC One M7 been added – that handset was released almost 18 months ago. I couldn’t understand what was going on until I spotted the fine print – “These devices have been securely tested by EE and MasterCard®.”

Now, I know what’s involved in protecting credit card transactions and rightly so – fraud is a multi-billion dollar industry funding all manner of criminal enterprises. However, if you’re telling me that EE is taking 18 months to test new handsets (NFC payments have been out on EE for quite some time), then they really need to review the process. Those people with the highest amounts of disposable income are likely to be the same people who renew their handset every 2 years on a new contract, so an 18 month delay in rolling things out to the customers most likely to make use of this isn’t really on.

Sadly, it’s a trend we see across the industry. My inbox is full of promising new technologies (including a fair amount of vapourware) which larger providers are unable or unwilling to roll out to customers rapidly – and this really is where the smaller ITSP can make a difference. By reacting quickly to customer demand and new technology, they can deliver on these new technologies whilst the large Tier 1’s are still scoping out the deployment project. It’s a pattern I see every day, and our customers lean on us to bring the experience of rolling these kinds of features out to the table to help them succeed in delivering. Unfortunately, the mobile industry isn’t really geared for small providers, so the large carriers end up stifling the very innovation that they need.

What’s the answer? I really don’t know here – a different regulatory framework might work, perhaps one that splits the network from the handset in much the same way as OpenReach provides the network that thousands of smaller ITSPs use. It may be that LTE will enable a better way of working between the network providers and the service providers, allowing service providers to treat the RAN like a simple access network. We may even find one of the MNOs suddenly gets off their proverbials and starts reacting better to the technology and user base. I’m not even sure, given the progress of that industry, whether anything will change without a regulatory shakeup, but what I do know is that the customer experience is suffering. The current system doesn’t promote innovation – something needs to change.

screenrc: my defaults

August 3, 2014

I spend a lot of time working on customer systems, particularly where we have to use a jump server or bastion host to access the rest of their network. I also spend a lot of time working from dodgy wifi and mobile connections trying to do something urgently or quickly. As a result, one of my favourite pieces of open source software is screen; it’s saved me more time than I care to mention. My biggest problem with it is that by default there’s no immediate visual feedback on the list of screens you have open, so having spent a little time hacking together a personalised .screenrc file, I thought I’d post it for others to share:

# Turn the status line on and pin it to the last line of the terminal
hardstatus on
hardstatus alwayslastline
# Left: windows before (%-w) and after (%+w) the current one, with the current window's number and title (%n %t) in a different colour;
# right of the padding (%=): hostname (%H), then date and 12-hour time (%m/%d %C%a)
hardstatus string "%{.bW}%-w%{.rW}%n %t%{-}%+w %=%{..G} %H %{..Y} %m/%d %C%a "

The key part is the hardstatus string, which prints a line at the bottom of the screen (alwayslastline). Most of it is setting colour/brightness attributes, but basically it lists all the windows you have open along the bottom of the screen and highlights the current one.

How Starbucks have ruined their brand

July 21, 2014

I am what people politely refer to as a “prosumer” when it comes to coffee. Suffice to say, Google Now tells me about driving time to two locations on a Saturday morning – the St John Ambulance operations center and the Starbucks Dunleavy Drive Thru and I will invariably have gone to at least one if not both before the day is out.

So you’d think that given that I drive past a Starbucks twice a day I’d be in there at least 3 times a week…but I’m not. I simply don’t go there – possibly once or twice a year if I’m desperate. In fact, if I want a coffee, I will go out of my way to avoid this store and head down to the Dunleavy Drive Thru instead. So what’s so bad about this one Starbucks store?

The secret is, it’s not Starbucks. I’ve been in a few of these and they almost invariably suffer the same problem – although they’re branded identically to a normal Starbucks store, have the same menu and offer the same basic drinks, this isn’t a Starbucks store. This is a Starbucks-branded store inside a Welcome Break motorway service station. They don’t take Starbucks cards and, worst of all, they don’t seem to have the same training or care that you get in a true Starbucks store. Starbucks is all about the customer experience: they chat with you; they name your coffee; if your coffee isn’t how you want it, tell them and they’ll make it again just the way you want. Almost entirely across the Welcome Break chain, every Starbucks-branded store I’ve been to has sullen, uninterested employees more reminiscent of a McDonalds. And the coffee? I like Starbucks, especially their drive to bring better quality beans as part of their Origins beans. I like that the Starbucks card gives me discounts as a loyal customer. I like that I can use the Starbucks card in any Starbucks over the world – in the USA, in Holland or even in Hong Kong…but I can’t use it in Welcome Break.

Starbucks have truly done themselves a disservice in the UK with this tactic. These aren’t branded as “Proudly serving Starbucks coffee” stores who buy the raw materials but aren’t Starbucks; they’re branded exactly like a regular store. Without going inside and buying something, I can’t tell whether this is a regular store or a watery facsimile of a real store. And that is the problem – the brand doesn’t distinguish them. Starbucks UK have allowed their brand to be diluted – the great customer service that has drawn people into their stores builds a huge brand following and loyalty, but this business strategy means that my experience in their stores is hit and miss.

This really hit home recently when the key staff in Siphon sat down and reviewed our strategy and values as a company. After the acquisition of VCOMM in 2012, we’ve been busy integrating the systems, processes and services of the two companies. We realised earlier this year that as part of that process we hadn’t spent a lot of time thinking about the culture and values that were coming out of this period and decided it was time to take stock. Part of what we did was to think about our brand as a company and how we want to be perceived, and I’m really proud of the value statements we put together. We’re justifiably proud of our brand – over the last 5 years we’ve delivered really high quality work to our customers that has improved their service and, by association, improved the service that thousands of their customers receive. Much of our work comes by word of mouth, which goes a long way to showing what our customers think of us. It’s been 5 years of hard, diligent work for us, so it’s even more perplexing to me that Starbucks is diluting this good will.

What are you doing that devalues your brand?