Saturday, August 23, 2014

Auto-Archiving IMAP in Outlook

It seems like I'm not alone in initially being surprised that IMAP accounts cannot be archived in Outlook.

After spending some time poking around forums, Q&A sites and product support pages, the answer is as simple as this: IMAP and archiving are mutually exclusive. I thought I'd put a concept forward for anyone out there who needs both the convenience of externally hosted IMAP functionality as well as the maildrop & delivery capability provided by the POP3 system.

A typical example here for me is wanting to access the same email account across multiple devices, get alerts on incoming messages on those devices, and be able to reply should I need to.

I also want to be able to take an archive of older emails (receipts, legal conversations, audit items, records of business and conversations, etc) and store separately for a given period too.

So in order to get around this I use IMAP almost everywhere, but then in one (perhaps two) locations I'll connect via POP3 over Outlook - use whatever email client you wish - and use the auto-archive facilities to create email archive files.

[Figure: Application and Service Relationship]

These files (PST) can then be added to an offsite backup. An IMAP account in Outlook will use an OST file to cache mail items and headers, but if it's deleted or lost your IMAP account is unaffected.

[Figure: Archive and Artefact Relationships]
 

Tuesday, August 19, 2014

Council Tax

[Image: How I'd imagined Birmingham Council Tax team to appear on Monday mornings]

Have you ever had a situation where your council have incorrectly billed you and taken an enormous amount of time to get back to you - never mind resolve the situation?

Have you ever become frustrated with local government civil service ineptitude, broken record response, their lack of productivity and their incredible inefficiency?

Have you ever received threatening letters from the council, perhaps attempting to coerce you into overpaying something with the threat of a court appearance?

Well, I may have a couple of pointers to help you out.

In the first instance, obviously try and get the other party to engage in the issue and make a reasonable attempt to move the situation along. For example, I tried phoning the council and was told I couldn't close the account and get a final bill until I provided the next tenant's details. As I had no way of knowing this and they wouldn't take the management agent's details, I was told there was "nothing we can do" by the person on the other end of the phone.

Even though I told him that it simply wasn't my problem and followed it up in an email to confirm, they still tried to bill me after I had vacated the property. I even explained that no other city I've lived in has ever tried such a ridiculous trick to save themselves investigating the deeds.

So ... what next?

Firstly, take the name at the bottom of the automated council tax letter you've just been unnecessarily sent - usually it's from someone nominally senior to make the letter more official, threatening court action if you don't comply. In my example it was stamped from Chris Gibbs, the Assistance Director of Revenues and Benefits.

You'll need the domain name they use as well - do a web search for "[insert city name in here] council tax" and it should be amongst the top results - it'll usually be the same as the council tax website where you live. In my example it's "birmingham.gov.uk".

Put that aside and try the usual routes of approach - I tend to avoid spending my own money on hold over the phone with various departments, who only tell me to fill out a form; and email directly. Don't expect rapid responses but it means you're getting everything in writing.

In this case it took a fortnight just to reply to an email.

Now when this inevitably fails - after hearing every excuse under the sun not to add single person occupancy discount, or close the account due to you moving out, etc. - start forwarding snarky emails to the semi-important nominee you found on your letter.

Try the following:
  • firstname.surname@domain name
  • [letter of firstname].surname@domain name
  • [letter of firstname]surname@domain name
  • firstname_surname@domain name
  • ...and so on.
You'll end up with an email with a lot of recipients perhaps - try about five at a time. When one of the addresses does not return a failed recipient error email from the council email server you'll have found the right email address.

In my example it was as simple as chris.gibbs@birmingham.gov.uk - as you can see from the email I eventually got from his PA.

Now and then you may get the occasional attempt at derailment, or just plain mishaps with technology...such as your email vanishing in a puff of smoke. Example here. Apparently between replying to my email acknowledging receipt and then actually getting around to looking at it / forwarding it, the content had vanished. Electronic trickery. Clearly sorcery at work.

Finally, after five months end-to-end, malcontent with the situation and happy to demonstrate the level of ineffectualness to the courts; the council emailed me back. Very forthright and here it is.

I've waited a while to respond and ensured more people had access to the email address - Maybe it might help the council deal with queries faster - It certainly got past the evasive and disinclined lower ranks of the city council for me.

So all it took to add single person occupancy discount to the council tax bill and close the account in order to send me a final bill was my prompting, cajoling, returning legal threats in kind, involving the department deputy head for five months.

It took six minutes to pay in full electronically from my tablet.

Even now Chris' department are attempting to coerce me into paying council tax for a period after I moved out. Guess it's time for another email...

Update 2015

After a few months of hearing nothing I got a bit suspicious - I'd created enough attention now that the issue would surely be resolved (only took a year). Unfortunately it had: The council had ignored my proof and raised a claim in the courts without notifying me. By the time I found out about it a collections agency contacted me. I'm not sure how legal that was because I would have been extremely happy to represent myself in the courts - after all, plenty of public evidence.

My advice here would be to email and call every week for an update to check that your council aren't trying to pull a fast one; I didn't and got caught out procedurally.

The net result was that I had to pay for the con-job letting agent's portion of the bill as well as my own. I suppose it was more the principle of it than anything else as the money involved was negligible (only around £200) but local government defeated me by knowing how to take advantage of the system in order to absorb their own broken processes.

However, if you fall foul of a similar situation don't forget; don't waste your time with the 9-5 mob at BCC as they'll just have you chasing your own tail. Go straight to Chris Gibbs so you can get a response, and he can be reached at: chris.gibbs@birmingham.gov.uk - best of luck.

Sunday, August 17, 2014

Silver bullet? No such thing

With recent activity surrounding OpenSSL / LibreSSL / BoringSSL and the ongoing debate into the feasibility of open source quality control, it may be worth sharing a couple of quick tips to help.

Changing passwords on systems affected by Heartbleed isn't going to fix the problem - intruders can still get in and insert themselves in between you and the destination. Once the vendor has resolved the issue with the OpenSSL version in use on their web server or router, it's better to ensure a few settings (where available) are enabled in your browser.

I had a look at Chrome, Aviator and IE and they all have these settings, but as I've stopped using other browsers I can't answer for the likes of Firefox or Safari - I'm sure they must have similar options by now.
  • In the HTTPS section of settings there will be a check box worded something like "Check for certificate revocation". Ensure this option is enabled / checked as it will ensure that once the vendor has updated OpenSSL they will get new SSL certificates and revoke the previous ones. This option ensures no-one can use the old certificates to impersonate the site.
  • Enable SSL scanning in your security suite - usually vendors tuck the setting away somewhere in advanced settings, but your protected traffic should also be liable to the same scans as your normal web traffic.
  • Ensure that use of obsolete secure layer protocols is rejected - a lot of home & personal security suites should allow you to do this easily and it will be worded something like "Block encrypted communications using obsolete SSL v2 protocol".
  • If at all possible, force use of TLS 1.2 - this won't be possible everywhere as not all vendors and services have upgraded. Avoid use of TLS v1.0 if possible. SSL v1 was created by Netscape in 1995 so don't expect it to be so helpful 20 years later. TLS v1 dates back to 1999 so be realistic about that too. TLS v1.2 was "defined" in 2008 and v1.3 is currently in draft.
  • IE has an option (set to enabled by default I think) called "Warn about cert. address mismatch"; make sure this is still checked. It will provide a warning if the certificate was issued to a domain other than the one the client-server communication is actually happening on.
Please note: This is just a thin slice of the solutions available to a much wider problem. I hope that going forward vendors such as browser manufacturers and cloud solutions firms start making these settings default.
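
The same checklist applied to a scripted TLS client rather than a browser: an added example, not part of the original post, using Python's standard `ssl` module. The function names are illustrative, and the revocation helper assumes you supply a CRL file yourself.

```python
import ssl

TLS12_OR_NEWER = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def hardened_client_context():
    """Client settings matching the checklist: verify, match hostname, TLS 1.2+."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0 and 1.1
    return ctx


def permissive_client_context():
    """The weak counterpart, built only so the audit has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE               # any certificate is accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # oldest the library allows
    return ctx


def require_revocation(ctx, crl_file):
    """Turn on revocation checking of the server certificate against a local CRL.

    Python's ssl module does not download CRLs or query OCSP by itself, so the
    CRL (PEM) must be supplied; with the flag set and no CRL loaded, handshakes fail.
    """
    ctx.load_verify_locations(cafile=crl_file)
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def audit(ctx):
    """Map each checklist item to True/False for the given context."""
    return {
        "certificate_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_mismatch_rejected": bool(ctx.check_hostname),
        "tls12_minimum": ctx.minimum_version in TLS12_OR_NEWER,
        "revocation_checked": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }


def failed_checks(ctx):
    """Names of the checklist items the context does not enforce."""
    return [name for name, ok in audit(ctx).items() if not ok]


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("permissive", permissive_client_context())):
        print(label, failed_checks(ctx) or "all checks pass")
```

Even the hardened context reports `revocation_checked` as missing until `require_revocation` is called with a CRL, which mirrors the browser case where the revocation box has to be ticked explicitly.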

I did ask BT if their devices were susceptible to Heartbleed but got no response - I will assume that the answer was "yes" and there's no documentation indicating whether an update has been applied to the closed system. BT tried to tell people that even though their devices were vulnerable it wouldn't matter because the intruder would have to be able to access your network to take advantage of the problem. Omitting that their devices are wifi enabled routers with guest networks for BT FON.

A lot of admins panicked in the days following the Heartbleed reports and updated their systems with the faulty version so it pays to be a bit more careful as the end user. Don't assume there's a warm blanket encasing your journey online and take responsibility for yourself.
 

Friday, August 15, 2014

Simple Backup Follow up: Part 2

Ok so having sifted through roadmap candidates I was left with Carbonite, SpiderOak and Backblaze.

As I mentioned in the first part of this piece I've got some very specific [picky] drivers and requirements for this solution.

Carbonite seemed pretty good overall but the price is an issue. For £34 a year (or thereabouts depending on the forex rate) you get to backup only one device. Even the next package up at around £60 a year is restricted to one device.

However for that you get unlimited space on your single Windows or Mac machine. It's not bad but I'm aiming for something that isn't as restrictive to cover my secondary drivers and requirements. To do that I'd have to take one of the Pro Plans, which start at £162 per year. That covers an unlimited number of devices but is then restricted to 250Gb.

It's an option but I'm discounting it for now as I'm going for something cheaper - perhaps even considering Carbonite alongside Datto for an enterprise-level candidate. My concern there is for non-US customers as they have stateside support only according to their website.

So down to two, both of whom have trials available.

I started with Backblaze as it seemed to cover all aspects. The review from the original cloud storage reviews list stated that Backblaze doesn't have a single-point encryption key to match some of the other products but I think the vendor has added the feature since that review.

All fine - good price: Either £3 per month for an essentially unlimited storage quantity, or £9 for the year. I actually thought I need look no further - and for most people this will probably do what you need it to do with minimum hassle. It's pretty easy to use ... but the problem is that I couldn't use it the same way I could with Mozy Pro and define specific backup sets of files and folders. I need a selective DR option and this would take too much time to configure.

With Backblaze I found it would back up all drives, but then allow me to isolate exceptions to the rule to exclude from future backups / delta chains.
[Image: Inverse selection - choose everything then remove everything you don't want]

If it wasn't for that small issue I would have signed up there and then. If you don't have such restrictive requirements and are looking for something safe and cheap you may want to take a look at the options this vendor provides.

My last option was actually added after further research whilst trialling Backblaze, and does exactly what it says on the tin (what I'd call "a Ronseal job").

Whilst the free 2Gb, unlimited devices, hive capable, secure and fast capabilities seem great, a word of caution: the two-factor authentication is limited as this is a US-focused product too - you cannot use the two-factor authentication unless you have a Canadian or US mobile number. I can get around the problem as I have infrastructure and phone numbers in the States but anyone solely based in Europe would need to review and balance capability over protection.

The vendor is engaging the wider FOSS community with outer shell tools and libraries from their product. There's a description of the encryption and hashing algorithms implemented within the web-gumpff pages if you want to read it in detail. It's impossible to tell exactly how they're managing the information protection aspect of the implementation from the sales page but use of CFB is interesting. Works for me.

The only problem I have with that will be future release of open-source libraries used by their main products. Open-source is great but without organisation-level QA of each delta there's a risk of insecurity - let's hope that changes with the major corporate push on critical open source projects from earlier this year. We'll see where that goes but for now I'm going to shortlist SpiderOak.

I've read a few reviews that state that the UI isn't as intuitive, or that it's quite complicated - I think that's probably relative. It's more complicated than Backblaze, but probably about the same as MozyPro. The UI is consistent on the Debian package as well so I'll give it a thumbs up.

I like that SpiderOak has endpoint installers for my favourite OS across Windows, Debian-based and Android...but no Windows Phone. We'll see how that goes for now as it's not a critical requirement. [Update: WP doesn't need it due to the direct integration with OneDrive]

Whilst chipping away at this article I've been running SpiderOak for a day or so on a selected backup set. I had some problems with the SSL scanner within one of my security suites initially, but have since resolved that issue.
[Image: The final candidate, operational across numerous devices.]

I ran some tests on a couple of other devices and virtual machines. Windows Server 2012 R2, Kali, Windows 7, Debian and a Mac all worked perfectly well. Time will tell but for now that's all boxes checked. I didn't get round to checking how well it works on the Nexus 7 but there's nothing of value on there anyway. We don't have any overpriced paperweights in this house [c.f. iPad].

SpiderOak doesn't store plain text backups, encrypts before transfer and encrypts the transport, so it prevents easy acquisition of my device files and data.

TL;DR

Overall this is the viable candidate for me, and in summary (comparing it against my original key drivers) I can sync and schedule backups separately, or link the events together - with a per-machine sync schedule. There's a zero-visibility policy meaning only I can unlock the secured backup sets. I can have 2Gb storage free forever - although I've now signed up to the annual 100Gb package for £60. It's more than I was paying for Mozy Pro but I get more for my money, better support availability and unlimited device capability (including mobile and virtual). I can pick and choose where to restore specific files from any device in my list.

All the candidates I looked at were good products but this one suited my needs better than the rest. I'd be really interested to hear other opinions.

Thursday, August 14, 2014

Simple Backup Follow up: Part 1

Having ditched Mozy Pro after trials and tribulations described in an earlier post, I've started looking at alternatives.

I've had no response from MBW or Mozy regarding my password reset or product code requests so couldn't get any further with the uninstall / reinstall process. Needless to say that I haven't got time to spare dealing with the problem, so am looking at other solutions.

Anyone facing a similar choice of offsite backup solutions may find the results useful, but I found this comparison quite a useful starting point. Personally, I'm always a little suspicious of who paid for advertised reviews and which reviews are genuine; so found this list that contained a wide range of solutions.

From my perspective, the term "cloud" is a sales buzzword for architecture that has been in existence for at least a decade. "Cloud", "cloud hybrid", "private cloud" essentially just means "hosted" - With a combination of outsourced hosting or private / internal hosting infrastructure.

Moving past this, the objective of the exercise is to find an offsite / cloud backup solution for personal use - perhaps even a vendor that provides appropriate personal and enterprise-grade solutions. Obviously this is a very specific set of requirements, and yours will be different.

I'm aiming for the following drivers in order:
  1. Ability to synchronise and schedule backups, potentially even machine restores
  2. Price
  3. Security (I'd like a secured backup that only the key-holder can open)
  4. Capacity
Optionally, some secondary drivers would be nice:
  1. Capable of backing up specific folders / files from a number of devices or VMs
  2. Capable of restoring specific files to a device of my choosing
So where to start? Well Mozy Pro is discounted immediately. Whilst it seems to cover the main drivers it seems to miss out on the secondary drivers. Also my own experience has been tainted by the difficulty in solving a problem originally reported in 2010. If I had problems with Windows 8.1 Enterprise I'm not prepared to wait it out or see what happens with Windows 9 upgrades.

After doing some research I'm going to cut the list down to 2 candidates, although I focused on the following roadmap candidates to begin with:
  • Carbonite
  • Backblaze
  • Datto
  • OneDrive (Sky Drive)
  • SpiderOak
For me, the whole OneDrive / Google Drive / Dropbox mechanism is great for a specific purpose - storing a bunch of files and folders online (or "in the cloud" if you must), and sharing across devices. We have a large proportion of Microsoft devices in our household, along with an iPhone, a few Linux boxes and some other kit I use in my sandbox.

OneDrive is great for allowing the share of files I've acquired on a PC to a sandbox machine on a different VLAN. It's also perfect for being able to capture and modify sales documents written in MS Office on Surface Pro, desktops and Windows Phones.

However I've discounted this type of technology almost straight away because I'm looking for a dedicated backup & disaster recovery option for some very specific file sets. Windows 8/8.1 already takes care of things like apps and settings. I've also discounted them because it would be conceivable that MicroGooHoople™ could allow access (by subpoena, for example) to those backups - don't forget that as everything is based in the US, your data is liable to US law.

Obviously that last statement is really within tin-foil hat territory :)

I'm also eliminating Datto as it's clearly an enterprise-grade solution (and has no prices on the website!). EtE encryption, Atom 2.4 GHz 8 core processors on the backup servers, backup chain recovery, bare metal restores, etc.

In part 2 of this post I'll look at the remaining roadmap candidates:
  • Carbonite
  • Backblaze
  • SpiderOak
So far I'm also seeing encouraging alternatives for all the MBW features I use and will speak to one of the vendors to take the services outside of the MBW package. Great when it's all working but appalling when you need assistance.

Tuesday, August 12, 2014

Blogger Behind The Times

Just tried to log in to Blogger on Win 8.1 / IE 11 to be greeted by a "Browser not supported" message. Seems that the Googlers are still supporting IE 9, but not IE 11 - not sure that's compatible with Microsoft's own support lifecycle though...?

The only reason I'm curious is that Aviator won't let me add comments to Blogger posts via Google+ - probably either being a bit too paranoid or having conflicting rules dictating the combination of cookies and popups. So on Aviator you can log in to the Google ecosystem, but when you view your own blog and try to comment.... it does nothing :)

Seems to work just fine in IE though. Happy days.

Simple Backup

I've just returned from a family holiday in Italy to find that my offsite backup for non-essential files still isn't working. I thought I'd leave it after making some system changes and seeing if it resolved itself.

It's pretty simple - All it needs to do is take deltas of selected folders and ensure the latest changes are kept securely offsite. If a PC goes up in flames then I can just restore the important photo albums, etc without much hassle. For more important or critical backups I use other corporate solutions but for the low sensitivity stuff I use MozyPro.

So ever since I restocked a PC with a new SSD and rebuilt with Windows 8 Enterprise I've been having issues - not with the hardware or operating system - but with the backup software. It's not so much that the software is a problem but the support and offered solutions that I have a problem with (or perhaps more that people are being given such terrible advice).

So it started with an innocuous error message "FilesystemError4".... Nicely labelled but with no real indication of what it means in any of the application event items. It does, however, link through to the equally useless expansion of the error category:

So I had a look around, ran some check disks, used SanDisk's own disk evaluation tools for the Extreme Pro....no hardware issues at all.

As there was little or no explanation from the application I tried a few searches and quickly discovered this was a reported issue back in 2010 - apparently with no resolution. People were being told to get a replacement hard drive from original vendors, run check disks, restart computers....For some it appears that netsh worked - Mozy actually suggested that people use the legacy version of their software to resolve the issue instead of attempting to diagnose the faults.

So I clicked the Support link on the application settings page and was taken straight to the MyBusinessWorks page....with no hint of a support link. I tried the chat window only to be told by "James" that I had to contact MBW directly by phone on an expensive non-geographic number.....Not impressed at all. I even asked him for a geographic number to use instead but - either through ignorance or belligerence - he told me that there wasn't an alternative and that I could ask a support representative to call me back once I got through to the support desk.

Absolutely unacceptable!!! Say No To 0870 to the rescue - helped me translate 0845 608 0280 into 020 7253 1649: If anyone needs it, this gets you through to the parent company automated switchboard; select option 2 for MBW support. Good thing I'd not called the 0845 number as I hung up after being sat on hold for over ten minutes.

The fact I'm paying for this service makes me so much happier. It's good to see such bright and enthusiastic direct routes to problem resolution.

Bear in mind I've already bought the service (MBW) and the system (MozyPro) but am unable to raise a support ticket with Mozy, EMC or Decho because I have an indirect license. Awesome.

I'm now working my way through error log messages from the text log of the application. So far I've needed to do the following:

  1. Create a new user with specific permissions on the PC
  2. Assign the new user rights to log on as a service on the PC
  3. Assign this new user logon to the Mozy service
  4. Enable read value / set value permissions to the HKEY_LOCAL_MACHINE\SOFTWARE\MyBusinessWorks\Online Data Backup\scheduling key


It's now getting further than the initial failure on backup start but it shows how inappropriate the error message is - a registry key read permission error designates a FilesystemError4. It looks like there is another failure during the actual backup relating to HTTPS chunked stream reads, but then it's reverting to the registry permission error. Will update the post when I have more but I think I'll be replacing Mozy Pro with a competitor very soon.

Update (12th August)

I'm going to give Mozy / Decho a 24 window to send the password reset request I made earlier; if that isn't sorted I'll wash my hands of it and go elsewhere. My only question is why is something so simple so painful?

Final Update (14th August)

Still no word from the vendor. I'll post my reviews of alternatives in a later post this evening.