Friday, November 20, 2015

Beneath The Surface

<abstract surface pun />
As a follow up to my last post I talked a little about how I'd become more open to options and that I'd had reservations about re-applying Windows onto my Surface Pro 3.

Obviously this isn't a default install and most of the concerns weren't because of issues with Windows - eventually I got Win 8.1 Enterprise back in there dual booting with Ubuntu. A couple of minor hitches which were resolved with a bcdedit command to force Windows to use the Grub2 loader after a file copy from the old Ubuntu boot partition to the newly-screwed Windows boot partition.

Still have to register the loaders in the secure boot registry, as is well described by David Elner (just be aware that this is an older version of Ubuntu and I could not get the kernel re-compile to work) but otherwise it's all ok.

However I thought I'd share some issues I have with SP3 and why I'm not likely to buy an SP4. For reference the PCs involved are:
  • Surface Pro 1 128Gb 4Gb i5
  • Surface Pro 3 512Gb 8Gb i7
Firstly the OS.... Windows 10 locked me out and I had no downgrade option other than a manual re-install. Something went horribly wrong after I got my replacement SP3 and for some as yet unknown reason Win10 software protection service started failing after I installed Office 2013 Pro. The knock-on effect was that I couldn't use Office, I couldn't use a lot of the feature changers (add / remove programs, anything that writes changes to registry, etc) nor would any of the safe boot options appear and I couldn't do a refresh or a factory reset either.

I didn't have any choice about Windows 10 - that was what was installed on the replacement unit.

Support simply suggested I return it to the shop and as I'd already burned two weeks for the replacement unit after a screen failure, then another week or so (evenings only) actually re-deploying all the 'stuff' on it, I didn't think the extra effort was worth the pain. After a bit of thought I then realised now would be the perfect time to dual boot it and have a workaround for some of the issues with Windows in general. Not much to lose at that stage.

Of course now I have screen flickering issues on the unit - it seems to be some sort of physical connection issue because when I squeeze the screen in a particular place and wait an undetermined amount of time it sorts itself out. Although often I'm not sure whether the whole thing hasn't just hung and I do a hard reset. It's not a driver or software issue as only physical intervention (pressing and squeezing the unit until the screen springs back into life is not a driver fault or brightness management) and I just don't have time to send it back for another replacement; rebuild and re-deploy only to later find out the same problem might exist.

A very embarrassing problem for a touch screen device.

The pen....the pen....What a brilliant concept yet how did they screw it up so badly? It feels like a real pen, the buttons on the side are fantastic and I no longer need a mouse....just the pen and my fingers. But then all by itself it decides that it needs a rest and goes to sleep. I've tried battery replacements, holding down buttons to try and wake it up and even whacking it over a solid surface (which seems to work most often) and nothing seems to help. Of course if you try and disable power management via Windows you get a BSOD. Nice. And I'm far from alone on this one.

Windows 10 lost its way and I struggled to get it to flow as Windows 8.1 does. 10 tries to keep the desktoptards from Windows Vista *spits* and 7 happy whilst showing promise to touch-screen owners. Sometimes I think the desktoptards were the only voices complaining about 8.1 and not enough people extolled its virtues. So now I have 8.1 Enterprise until the end-of-life or when Windows 10 Enterprise catches up so I can access OneNote during meetings and sync my OneDrive repositories. Windows also seems to be the only way to get firmware updates for Surface so it gets a small section of the SSD to park itself. I have too many reservations about the way Microsoft is approaching some aspects of security (such as the changes to BitLocker in 8). I'm not trying to outrun any governments but if someone nicks my SP3 I want to be fairly sure they won't get my data in their lifetimes. Of course dual booting means BitLocker won't encrypt the system drive like LUKS will, so only the OS and some program files are on the open system partition, the rest is on encrypted partitions.

Ubuntu is ok too - but the touch screen integration is extremely basic and there's no handwriting tools that are anywhere good enough. The pen buttons just don't do anything at all and no matter what I try I can't get the kernel re-compile to work. With Wily Wolf the battery indicator suddenly appeared and that was a big step forward - I've also discovered that touch screen scroll & zoom does work in specific applications. At the moment I'm struggling to get routes working under OpenVPN configurations that work fine under Windows so I tend to use Windows for comms and browsing in situations where VPN is a requirement. I will fix the problem but I need to understand it first.

I've also noticed that Network Manager sometimes refuses to use the right password for WiFi networks, resolved only by a MAC change and an ifdown-up on the network adapters. That seems a little shoddy to me. Evolution is a pretty good mail app and I'm not really missing Outlook that much so it's evens on that front and with LibreOffice too - there are some issues with .XLSM and the occasional corruption-and-loss of .XLSX which is beginning to get on my nerves. Ubuntu seems ok but the Pen buttons don't work and I tend to end up using a mouse - the horror! - due to that and the SP3 Pen sleepy-time issues.

In short - neither platform is doing a great job at the moment but each has its own strengths.

I'm not going for a SP4 because - as much as I've loved the Surface experience - Surface Book means I can have my cake and eat it. It's more powerful than the overpriced Macintosh (I'd only be replacing OsX with a Win & Linux dual boot anyway) and I get the clipboard & pen with OneNote and Visio that I can't be without in meetings and team updates.

Of course that is assuming they fix the current complaints and I see some indication that the pen behaviour has improved. My Surface Pro 1 is still going strong and I don't mind Windows 10 on there because I don't use it much. The rest of the family don't seem to mind it when they want to use Kodi or play some Xbox games and everyone's forgotten about the Nexus 7 completely.

Saturday, November 07, 2015

Wǒ hěn hǎo, xièxie


Some time ago I had a peek into The Other Side and didn't take it any further - but maybe that's because I didn't have a purpose or reason to take it further but I couldn't see a reason to progress, so I didn't. It just came across like a hobbyist's environment with a community of snobs driving progress.

Wind the clocks forward another year or more and the landscape is vastly different. I've moved on to learning about network security, information management and have trained myself to think like a black hat (a good defensive strategy). I'm working on some exams that will give me the foundation to absorb that within my work as an architect too and because of the nature of this research I've been working on Linux.

There's some aspects of Windows (e.g. restrictions on packet injection / tampering) which the Linux community seems to lambaste Microsoft for. To me - as a noob at least - it looks like this is by design for commercial reasons. Whatever the reason it just isn't feasible to do a lot of this research on Windows.

So I created VMs through Hyper-V and researched distributions and their capabilities, settling on Debian as my initial preference. It's used as a basis for a number of other flavours including Kali, Raspbian and Ubuntu. KDE is nice and the apt system makes sense to me at this stage.

But then, of course, you start discovering limitations in the virtualised environments leading to one conclusion: You need to deploy to hardware to gain direct interaction with that hardware (and mitigate problems with networking especially). I started beefing up my knowledge of networking stacks and how to analyse network traffic, creating sandbox WiFi networks on my test router and trying to see how to break them / break into them. I found that Kali was a great place to look at this as it contained all the tools and was designed to run OotB so stuck with that on a Pi B+ for a while.

After a while I was using Archimate to design the domains of our house network and started building a HIDS and IDPS, then a DNS server, then spent a bit of cash at ModMyPi getting all the bits I needed. I set up high-grade SSH keys and improved security - I may add a VPN server in the DMZ at some point too. I've got DD-Wrt on the inner router and a custom network set-up which provides additional protection for everyone in the house.

ATX Mid-tower was replaced and needed a new use. Stick a PiRack in there and all the cables.
I suddenly realised I'd become one of the hobbyists I'd turned my nose up years ago. Now our house provides media services so the kids can fire up a film of their choice on any Surface or XBox, iPhone or Windows Phone. We have network protection running in the background emailing me when it detects or fixes a problem. The kids came up with the idea of an underwater camera so they can see the fish even when they hide (yet to be designed and built). None of this involves a Windows server.

Of course I've made significant progress in my learning and research - the next pot of which will be a short study on effective WiFi passwords vs. advice from the pub - but as a by product I've gotten far more technical than I'd expected; you end up finding things to investigate that you'd never considered before and research topics or techniques far from the original purpose.

For example, I've moved my trust away from BitLocker and am testing alternatives, using local accounts for BAU and my Microsoft accounts for connected services (such as OneDrive and XBox). It's not about tin-foil hats, the X-Files or any part of government; it's just a simple case of protecting your assets against criminals or other similar attackers.

I went with Ubuntu because it is Debian-oriented and it seems to have the most support for things that Surface Pro needs. If Debian covered a lot of it I'd have just gone straight there. I don't like the whole Amazon / internet integrations on Unity; the volume buttons don't work; the SP pen buttons don't work; sometimes the left-mouse / pen touch / finger touch just stops responding at random. There's too many suggestions out there on the forums that don't explain what each command suggested actually does (do people just copy and paste these suggestions without understanding the implications first?).

Today is the first time I've used Windows in a week - I love Windows 8.1, especially on Surface Pro. It's beautifully designed, easy to use, makes the switch between keyboard-oriented and tablet seamlessly and OneNote /OneDrive / Office is pure brilliance in design and productivity. LibreOffice and Evolution do Office well but the UX is far clunkier. There is no OneNote outside of Windows and I miss the right click pen button (I only use a mouse on Ubuntu for apps that use context menus a lot). Office365 means I get proper Powerpoint instead of the terrible LibreOffice Impress. There's no Visio equivalent though I'm learning to use Camunda Modeller and Archimate instead. I can operate on client site without Windows now though.

For me Windows 10 is a disaster as it stands. They've ruined OneDrive (where is "Available Off-line Only" for files?) although are promising to rectify the situation and I think they've been led by too many Windows XP-ers in their UI-design-by-community instead of holding their ground and pushing 8.1 on to the next level. Continuum is awesome though - the new W10/Xbox dash is great (game streaming is by far the best add-on here), W10Phone looks superb and I hope they iron out the creases on W10. None of the privacy issues bothered me because you can turn off the telemetry services and disable the data sharing but the OS itself just doesn't feel as coherent or as well thought out as 8.1 on my SP3 or Windows Phone 8.1 on my Lumia.

I'm now in a position where I've had to remove Windows 10 from my replacement Surface Pro 3 as the software licensing service locked the whole machine out (Access Denied); despite this being the default build as supplied by Microsoft. USB boot won't work even after changing the UEFI settings to enable it - I suspect something to do with the Win10 installation - but I've now copied the 8.1 Enterprise installer to a new partition on the SP3 SSD and hacked the Grub2 bootloader to give me the option to boot from it and I'm going to get Windows dual booting on it for OneNote and firmware upgrades. Encrypted SD and data partitions allow sharing between OS-es and decent OpSec can ensure Windows only knows how to access one of those for transfer.

Phew. If you'd suggested any of that to me a year ago my eyes would have glazed over and I would have probably just sent the device back to manufacturer.

But the thing is I'm still afraid to install Win8.1 in case it fudges up all the work done installing and configuring Ubuntu. I know Windows will install its own boot-loader (I've modified the same on my desktop to add back the Ubuntu option enabling dual boot again). I like Ubuntu, Raspbian and Debian - I also like the Windows ecosystem and the journey is never over but I'm reaching the point where I have enough foundation to build on for the security architecture courses. In order to design an architecture or provide solid options for businesses I still feel it's beneficial to understand the inner workings.

It's good to be bilingual between Windows and Linux and none of this has been as difficult as learning Mandarin (as I originally thought it might be). It just sounded more tricky to get started than it was.

Tuesday, October 20, 2015

Argh - It Still Hertz!

Ha. Electricians joke-books are fairly rare. Yeh so my humour doesn't get any better and Scottish Power are still....consistent.

Not only did they send us a letter in the last week or so begging us not to go, now they've sent us a bill for the account they haven't closed. They've put my name at the top of the bill so it's not like they don't know who they're mistakenly trying to bill.

Let me rewind the clock: We used to have an account with SP at the old house and after all their flannelling around I told them I didn't want to take our account with us to the new address.

Of course they knew better than us and ignored that request leaving our beleaguered energy supplier to wrench control of the supply from them. I feel sorry for our new supplier - we deliberately moved away from the big six and haven't regretted it for a moment. It's cheaper and we still have gas and electric. Pretty simple relationship.

However after a call with our new supplier, Spark, it seems that SP are just ignoring them completely. Spark sent them a request to re-acquire the supply, which has now been successful on one of the supplies but now they're not getting any response at all from SP. It's not really fair to say that Spark are our new supplier either as we've been living here for most of the year now.

I told the Spark representative that I think they're just sulking. They've been told we don't want to be friends any more and they've taken their ball away.

During the discussion I pointed out that we had contracted the new supplier to supply us gas and electricity; we would not be getting in touch with SP to sort it out. After this incident I may send them a notice before action - we told them where to go before we moved out of the old house and there's just no way we'll be paying them a penny more.

We've been paying the new supplier since signing up so we're happy that this is between the energy companies but ... it's probably time for Scottish Power to stop resisting (yes another electrical joke). At least we're staying positive (aha! on a roll).


Monday, October 05, 2015

Shocking Stuff

For the last five months we've been trying to get shot of Scottish Power. We tried every crazy approach you could try - telling them we didn't want to transfer the account to the new address; telling them we no longer wanted to use their services; asking them to close the old account at the previous address (or the current address as it was at the time).

Sadly all of these things were too complicated and meant that SP would ignore our instructions.

We asked them just to close the account at the end of our fixed rate tariff before we moved out of our old house, and enquired about the estimates for our new house.... which made us run away very fast. We also made the mistake of letting SP know our new address. I remember a phone call with one of their representatives that ended with me saying, "So there's no more paperwork needed; I don't need to cancel any house move requests or anything, that's it - you'll close the account and we'll hear nothing more from you?".

"Yes", was the confident reply.

Enter a new supplier (not one of the big six) who had supplied the previous owner; it was easy to sign up and sort out the tariffs, payment details etc and send them meter readings by replying to the emails their system sent us - no need to log in to your account...or rather forget what the password and user name was, request a reset, then reset it all, then login, then try and remember what the hell you were doing to start with and, finally, update the meter readings.

However not all was as simple as it could have been ... we started getting letters and emails from SP at the new address saying how nice it will be to move our account for us and could we send our meter readings for the ... er fellas? What are you doing? We said "jog on" a couple of months ago, yet now you seem to have ignored that conversation and followed us home like some sort of deranged acquaintance we talked to that one time in the bar to be polite but were very clear that we were not inviting home and...

I called our new supplier and they told us that this is a Tom Jones with the big six (it's not unusual...); often they have to let the other company take the account then claim it back some weeks later. I told them that they absolutely had our consent to do this and that SP had been told to close the account.

"No problem. You don't even have to speak to them again. We'll sort it out for you - but it might take up to 6 weeks or so". And they were true to their word (along with comedic unofficial comments about their competitor).

So now five months after the first calls to SP we're away but still they send us letters asking us to come back - despite being far more expensive than our supplier.

Sorry Scottish Power: It's not us - it's you. We need some time* to ourselves.

Outta here
* Where "time" is measured in periods of no less than twenty five years.

Friday, September 25, 2015

The 3 R's: Rinse, Repeat, Re-sell


Earlier this year I had the misfortune of coming into contact with MyJobMatcher; they'd essentially bought people's personal data from data traders around the world to artificially inflate their candidate database, rather than work on gaining direct subscribers. They settled my claim for breaches of the DPA and PECR out of court with no associated admission of liability.

The end of the story? Lessons learned? Of course not. I got an email recently from MJM claiming that SpellJobs.com had suggested I would be interested in MJM's services. Anyway so if I want to log in and...Wait. What?

So one jobs board is passing on candidates to another competitor? After unlawfully acquiring my details from the original jobs board that I'd actually used? Of course. All of this makes perfect sense. Who the hell are SpellJobs.com? Their contact page just goes to a PHP error and the about us page is tellingly blank.
Karen - what have you done?
The shopping basket doesn't work either. I've had a look in between the lines at spelljobs.com and it appears to allow the general public to search and scrape job seeker data. The T's and C's look suspect to say the least too. I may add this to the LSP R&D portal as a new scam alert depending on how the SAR pans out.

Due to the no-contact agreement I'm currently in conversation with Mr Lawrence Weeks of Birketts LLP, representing MJM, and they've disclosed the contact details they use in their commercial relationship with SpellJobs.com. Although after doing a bit of digging it looks like SpellJobs.com isn't a registered business but it is either associated with Job Circle Ltd or Datasource Computer Employment Ltd. I've already knocked on that door with another SAR. I'd already sent Job Circle and another apparent linked entity a SAR each to cover all bases.

After my initial SAR to MJM via Birketts I've had a number of automated emails from MJM's systems saying that they are sorry to see me go but my account has been closed.

However now Birketts are asking me if I can supply other emails so they can be de-listed from MJM systems in future. But isn't that missing the point by a very wide margin? Surely they should stop their unlawful data and unsolicited communications practices to prevent them acquiring data they had no consent for in the first place?

Updated

It looks like their parent company haven't filed accounts but are still active (someone has applied to have the compulsory strike off suspended) and part equity sold to GMC Ltd. - MJM directors are directors of parent companies and other recruitment or data analysis firms.

After lodging a new claim in the courts against MJM we successfully negotiated a settlement to end this - and hopefully - future disputes.

Sunday, May 17, 2015

Progress Part 3

...carrying on from Part 2:

After a fair amount of digging and acquisition of evidence via SAR, I now had enough to make an informed decision on whether or not to take legal action.

To me this was a serious and significant breach far in excess of a normal situation. It was above and beyond the usual spam scenario as I had been subscribed to services I had not consented, and been forced into subscription policies I had not reviewed (or even known about). Essentially as a self-employed worker my resume is my sales pitch - if my competition gets a hold of it they could refactor parts of my resume approach into their own and I would potentially lose my competitive edge (my unique selling points) and therefore lose revenue. Having some unknowns in Pakistan scraping these details from jobs boards for free, then selling them on to the highest bidder beggars belief.

What really pushed the decision for me was when another person with whom I'd had contact reported that another flurry of negative Twitter-verse activity had occurred that week - for exactly the same reason as in December and January. Even after all the correspondence and negative feedback they were still doing it. Someone had to do something.

If you find yourself in a similar situation and decide to press for damages in the courts take the following points into consideration:
  • Have a list of items for damages, each with supporting evidence
  • Make sure you can explain each item on this list to the courts - who may not necessarily share your understanding of data, its management or ownership
  • Be prepared for legal aggression from the outset. A standard trick across all specialisms of law seems to be an initial threat of return action
  • If there is a clear and describable breach of the DPA and / or PECR with evidence the defendant is still breaking the law, so do not take the defendant's legal representatives' threats as fact
  • A number of people I know in law - including relatives - have reminded me that there are guidelines for dealing with aggression. The Law Society has this LiP page, of particular interest is section 3.1
  • Get a copy of the consent form you signed for the organisation in question to hold your data. They won't be able to provide this of course, because you never gave your consent
I had some very good opinions from a lawyer I found online who specialises in this particular area of law. Although he was clear that he could not provide guidance or advice he gave me some good, solid facts and great reference material.

So the chain of events was a breach of the DPA and PECR, confirmed with evidence in writing from the defendant. I also maintained a list of damages covering the initial damage claim (£500, plus £35 costs) which was in excess of £1000. The aim was to provide the courts with a list of items and the courts would decide which of these was recoverable. After no response for four weeks to a Notice-Before-Action (NBA) notification I raised papers via MCOL - which took less than 10 minutes.

I claimed nominal damages from My Job Matcher and we settled for £400 (plus court costs). Most of the time the defendant will try and get you to sign a gag order - it'll have some covenants such as deleting tweets, blog posts or publications, and a form of no-contact directive.

I negotiated the settlement with MJM's legal team (Birketts) without the gag order - One thing I should make clear in the interests of fairness is that they settled without admitting liability to the claim. Whilst I was fully prepared for the day in court it was a relief to settle.

My Job Matcher's Twitter profile no longer seems to be under heavy fire from complainants but still sees the occasional "WTF?" sent to it; after a few weeks the SEO team at MJM just stopped replying to them all anyway. I know I'm not the only person to litigate against MJM so perhaps our objective was achieved (update: apparently not).

It's just a shame people have to resort to this to stop the illegal re-use of their personal details; however taking a more aggressive approach is having a substantial effect on my inbox. I'm not going to suggest that direct legal action should be your first approach - in fact it should be your last resort. ICO is almost entirely ineffective from what I've seen so far but the ASA appears to be able to apply some more pressure. I've even involved trading standards in one case.

I got the following email from MJM shortly after the settlement cheque cleared (others got a "How did we do?" support service email), and after the no-contact agreement was exchanged. The irony again here was that the email recipient wasn't the account they'd stolen from 2007, nor was it the one from the support email chain.



Progress Part 2

After starting to get responses back from MJM support the picture had become clearer. Being nice with your SARs goes a long way - in fact if you were to be as rude and obstructive as most organisations receiving SARs are, a court would not look kindly on your summons.

So whilst they were being helpful I congratulated them on their approach and noted a couple of things to myself:
  1. The resume attached was from 2007
  2. When I went to their website and password-reset-logged-in I found contact and personal information also dating back to 2007
  3. Whilst writing this section of the blog post I checked to see if I could download the attachment again three months later....and I can; despite MJM's insistence that it would be removed in due course
 These simple facts completely countermanded the response statement; which I assume is partly a canned reply / policy statement. In short, it demonstrated a complete disregard for anything approaching respect for privacy or data. Have a look at this ICO guidance document if you don't believe me.

My Job Matcher did confirm that Manz Online (part of the RecSmart Recruitment Ltd fold) was the source. Of course not only had I never heard of them but I'd certainly be able to prove the lack of consent or chain of privilege from me to their databases.

Quick bit of research showed that Manz is based in Lahore and does not fall under the remit of the Data Protection Act (UK) or Privacy and Electronic Communications Regulations (EU). This is of course just conjecture but it would almost seem like the use of offshore lead generation firms was intentional to inflate subscriber numbers; which would mean a greater appeal to investors or other job seekers in the market perhaps. That is a rather pessimistic opinion but one that was suggested by another MJM spam-ee.

Of course 360 Resourcing are UK based and would therefore be under purview of DPA and PECR; had MJM acquired my details from someone like 360 I could then take action against both MJM and 360 after some investigation.

If you were in a similar situation with Manz Online feel free to get in touch with their director Zak Ahmed on Google+. It's a dead-end to the search for data sources.

On To Part 3 Or Back to Part 1

Progress Part 1


Background

Back in April I mentioned on another blog that I'd encountered a more extreme example of breach of DPA / PECR and would be taking the matter more seriously.

Now the dust has settled I can speak more about it and add details / guidance principles.

In most cases I'm more than happy to rifle through company details, back-check organisation structures and determine the actual origin of the spam. Often it reveals that someone somewhere is trying to make a fast buck from your personal information without consent - and without compensating you for the pleasure.

Usually a combination of ASA and ICO complaints ensure that you'll never hear from the spammers again but occasionally someone really takes the biscuit.

Hand In The Cookie Jar

Twitter is an enormously useful tool as it can augment your own opinions on a brand, organisation, person or fact with a vast variety of 140 character masterpieces. When I started getting unsolicited emails from MyJobMatcher in January 2015 I noticed that there was a large group of people in the same situation - having been emailed job adverts from a company we'd never heard of, never subscribed to and never given any kind of consent for any of the above.

So...no accounts had been compromised but personal information had. Maybe a recruiter got hacked or a jobs board?

Others have also blogged about the specifics of the privacy breach so I'll leave you to read their posts
There were many more simply questioning the approach....
But simply search Twitter for MyJobMatcher from early January to April for more of the same.

I got in touch with MJM with an initial Subject Access Request (SAR) to find out who they were and what personal information they had....And although I got an auto-response from their support system to say the message had been received (v. useful in DPA / PECR cases) I heard nothing for a week, yet continued to get spam about jobs that had very little relevance.

Before raising an ICO or ASA complaint it's better to check what details are involved and how they arrived at their destination. I can say with confidence that I don't subscribe to newsletters nor do I enter prize draws so know the usual flagrant response of "...you must have signed up for it somewhere..." won't fly.

First up someone on Twitter suggested getting in touch with Mandrill at help@mandrill.com - they were nice as pie and sorted out the spam straightaway. I could hit "unsubscribe" but it's better to hit the distributor so they know there are other issues with a particular client. In other cases I've been involved with companies have been banned from using marketing distributors entirely because of this.

I'm going to ramble on a fair bit so will break the posts down into chunks.

On to part 2

Sunday, April 19, 2015

Test & Learn



The last few years have been a really interesting adventure for me - I've set up two businesses and things are moving in the right direction. Along the way I've made some mistakes but more importantly; learnt from them.

Hopefully :)

This one relates to B2B late payments and lessons learned in preventing the situation. It's definitely worth getting a background in your monetary rights from UK Plc too.

When I first started it would have been fair to say that I was a novice in the world of contracting and its nuances - only good advice from my accountants and contractor colleagues really got me moving. However it was soon clear that even that wouldn't solve the underlying problem: What do you do if the customer doesn't take your invoice due dates seriously?

The first example is from my time working as a contractor for Woodrow Mercer. I don't think the recruiters themselves are really at fault but that doesn't excuse the accounting department. Most agencies seem to have rude and unprofessional accounts department staff - with few exceptions - and they frequently seem to attempt to bully or turn their nose up at contractors.

One agency, ERG, were particularly bad at this back in 2012 - I was sent threatening emails from senior recruiters and directors when I terminated the contract with them. They made wild [incorrect] guesses about where I'd taken the next contract and one recruiter even attempted to get in touch with relevant hiring managers. It was all bluster, aiming to play on the submissive psyche normally present in technical people. However I just prepared the particulars of claim document I'd need to take them to court for non-payment - they paid before the deadline to pay expired though.

Woodrow Mercer failed to pay on time on three separate occasions - the worst thing about this was that the client involved were such a nice bunch to work for. Really well gelled group of people who enjoy what they do. The second time payments were missed there were no excuses or apologies from WM so I called them.

They sent me an abrupt email saying that they'd pay one invoice but the other would have to wait - regardless of the fact that they were legally obliged to pay on both invoices' due dates. In that scenario they did pay, but one week late on one and two weeks late on the other invoice.

The third time they missed payments I'd had enough of being passed off with bluster and excuses - Had a word with the client manager and respectfully noted that I would not be returning to site until the invoices were settled. One invoice is still outstanding 11 months on although for a relatively nominal fee. They've since stated that they will "...rigorously defend.." any claim in the courts - I may update that with another approach depending on some parallel research.

Wind the clocks forward a year or so and two other agencies have attempted to bully their way out of late payments. In both cases both the contract and the invoice T's and C's supported an instant late charge along with interest growing daily.

Uniting Ambition fell short of the mark after neglecting to pay the final invoice on due date (I would have been fine with it had there been discussion beforehand, some reasonable negotiation solves a lot). They attempted to negotiate a portion of the fines but then paid in full when I delivered a "notice before action". If it was the first time they'd paid late I might have let it slide but they'd failed to pay every single contractor at that client (~30 people) on the first invoice date. No apology was given and only a few vague excuses. An inexcusable attitude.

In all cases a reasonable discussion up front prevents any of this - Just a phone call to say there's payment problems and that your invoice will be 5 days late will make a huge difference to your planning. Having said that consistent late payments should give you all the indication you need. Try doing some research first and getting a credit check of the company before you sign a contract with them. That's often due cause for respectfully requiring them to change the payment terms on your contract. Talk to your bank about their B2B credit checking offering. You can throw the payment terms on any contract they offer back at them if they're telling you they do 30 days payment but their credit rating barely supports 7.

Normally a lot of contract terms in the UK make it very tricky in relation to IR35 - never mind just getting paid. Lots of unprofessional agencies initially reject requests to change the contract; "it's a standard contract we use for everyone and do not change it". It's all bullshit. A contract review by your accountant or legal representative is worth every penny.

I work with other types of organisation directly and although some of these problems are common elsewhere, the attitude towards invoice due dates is not. You've worked hard for your rate and perhaps even worked far away from home to do so, why should getting paid be a struggle?

The Sting Of Chlorine


We often take the kids swimming and one of the pools is in Harborne. Facilities are good, kids have fun and we get to do some lengths too. However I made the mistake of buying some replacement goggles from the pool shop in the leisure centre - leading to a standoff in the reception area.

During the swim the goggles leaked and no matter what grip or band settings I tried they just kept leaking. After we'd finished I took them back to the reception desk and explained what the fault was (I just wanted either a replacement or a refund).

However the staff claimed that they could not refund the value of the goggles as they were not defective, and that they were not obliged to do so. I pointed out that my statutory rights as a consumer, plus those of standing legislation meant that as I was not happy with the product I could get a full refund. I also pointed out that I would not move from the desk and allow them to serve anyone else until the matter was resolved.

Whilst the staff went into the office for a huddle - I felt a little sorry for them having to deal with their employer's misguided principles - the queue behind me grew. This is a good way of ensuring that retailers acknowledge their responsibilities and speeding a resolution; it's too easy to email or write letters and take no ownership or involvement due to the dissociative nature of words on paper.

However I got caught out - distracted whilst updating the Twatterverse on minute-by-minute changes to the situation (as if anyone was actually reading my twitter feed), the manager asked me to step over to another area to talk about the resolution.... fell for it.

The spell was broken and the other waiting customers started getting to the desk. Bargaining position lost and hat tipped for being bettered.

All I could get was a credit note for the value of the goggles bought that day and the heartfelt promise of a phone call when they had the goggles in stock next. Maybe they're still waiting for the next batch? Either way I'll go to Amazon in future - even if I can't stand at the sales desk and stop other people getting served before they sort out my purchase.

Trotter Lettings Esq.

I had the misfortune to take up residence in a flat managed by Reed Residential last year. The flat itself wasn't bad as a property - although it would have been better had there been heating during winter.

And therein lies the comedy.

The problem with the heating was reported to them during the xmas holidays so the first delay in response was simply due to no-one being in office. As the weeks passed, though, my continued phone calls started being deflected by "Oh I'm sorry, Adam isn't at his desk right now", or "Adam's in a meeting at the moment, can I take a message?".

I started imagining that Adam was printing out my emails and then using the paper copies to fuel an open fire - whilst wearing shorts and a t-shirt because of the heat produced - whilst I was shivering under jumpers, paying a premium rent for the pleasure.

Estate agents are a known quantity so it wasn't a Herculean leap of the imagination to realise that the primary contact - Adam - was simply avoiding my calls. There was a visit from an engineer to size up replacements, then the landlord wasn't sure if he wanted to replace them. Then he was getting other quotes, then the engineer visited again to get other measurements.

Nothing was moving in any direction other than a fob off and Adam seemed to be too focused on using my emails for firewood. Until February.

Then I cancelled the rent monthly standing order and waited. By this point I'd had enough and was moving out but I thought it would be interesting to see how long it took Adam (or anyone else at Reed Residential) to get back to me and start playing nicely.

The response was simply astounding - Almost two days after the rent was due I got two emails and four phone calls (three of those on a Saturday)...of course this wasn't to apologise for months of refrigeration / premium rents; nor was it to ask if there was anything they could do. No - it was simply to chase for missing rent. So I explained that once the flat was in a condition befitting the rent and inventory I would be happy to pay full rent but in the meantime I'd deducted an appropriate amount retrospectively [i.e. since the problem first occurred] - meaning no rent was due that particular month.

And now everything changed - suddenly radiator replacements were being flown in by winged chariots piloted by Valkyrie smoking Romeo y Julieta's; there had been no delay, simply a misunderstanding and should I not pay rent I would be taken to court and flayed by their eight storey tall lawyers.

Of course I'd already moved out at this stage so it was just for my own entertainment (causing them the same inconvenience they caused me).

The net result was that they kept the deposit and probably just about broke even, someone at Reed Residential was apparently relieved of their job (the eponymous Adam) and the world continued unabated. However the real comedy occurred a couple of months later and really highlighted the care taken for all of their customers and tenants.


Now it's entertaining / astounding for a number of reasons:
  • The apartment doesn't have a microwave, I had my own and never mentioned it to anyone at Reed
  • I'd moved out on 28th February and this email arrived 22nd April
  • I made no request relating to anything other than the basics. Like heating.
  • Pretty sure they're talking about a different apartment
  • Pretty sure that email should have gone to someone else
  • Someone else probably got angry at Reed for not delivering on their promises

Thursday, January 01, 2015

MSXML 3 Control Panel Killer


I've got a few posts in the pipeline at the moment thanks to the generous time I've had on hols, but one thing caught my attention whilst fixing a problem on a Windows 8.1 Enterprise desktop.

I use Secunia to help keep an eye on installed software - it can be difficult to keep track of all the software installed sometimes, and this solution seems to cover various types of installer (including EXE's copied into a folder, without any associated registry settings).

So after running it and getting caught up on some minor version changes it also pointed out that there was a deprecated version of MSXML v4 deployed and after some laborious - but necessary - ownership and permission changes in SysWOW64 / System32 directories, I'd removed the MSXML v4 libraries. Of course that's never enough - Also noticed MSXML v3 so did a bit of digging into the upgrade path to version 6 (most of which dated back to 2007). No indication of warning signs.

So some more ownership & permission changes followed by some deletes. All fine.

Some time later.... I had cause to make a networking change and tried to open the Network and Sharing Center... hmmm. Nothing happens.

I try a few other control panel items and get a mix of results but most of the really important control panel pages aren't working. Some just aren't responding, others open the dialog but have particular tabs throwing exceptions about panel pages.

So aided by a bit of digging around I find the reference to the system file checker (sfc) - Always have a look at the command before you run it (rather than just doing what a web page tells you to...ironic considering this is a blog post). I hadn't connected the dots between MSXML and the problems at this stage so was curious about the log file sfc /scannow would generate.

000007c6 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\WINDOWS\System32"\[l:22{11}]"msxml3r.dll" from store
000007c7 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\WINDOWS\System32"\[l:20{10}]"msxml3.dll" from store
000007c8 [SR] Repairing corrupted file [ml:48{24},l:46{23}]"\??\C:\WINDOWS\SysWOW64"\[l:22{11}]"msxml3r.dll" from store
000007c9 [SR] Repairing corrupted file [ml:48{24},l:46{23}]"\??\C:\WINDOWS\SysWOW64"\[l:20{10}]"msxml3.dll" from store


There it was - literally as simple as that. Of course now everything was working as expected I did what I should have done first and read up on the MS Xml Parser roadmap.
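An added example, not part of the original post: a small Python parser for the "[SR] Repairing corrupted file" lines in the format quoted above, turning them into a list of restored files per directory. The function names are hypothetical, and the length check relies only on what the four quoted lines show (the number in braces equals the character count of the quoted string).

```python
import re
from collections import defaultdict

# Constructed sample: the four [SR] repair lines quoted in the post, plus one
# constructed non-repair line to show that other entries are skipped.
SAMPLE_LOG = r'''
000007c5 [SR] Verify complete
000007c6 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\WINDOWS\System32"\[l:22{11}]"msxml3r.dll" from store
000007c7 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\WINDOWS\System32"\[l:20{10}]"msxml3.dll" from store
000007c8 [SR] Repairing corrupted file [ml:48{24},l:46{23}]"\??\C:\WINDOWS\SysWOW64"\[l:22{11}]"msxml3r.dll" from store
000007c9 [SR] Repairing corrupted file [ml:48{24},l:46{23}]"\??\C:\WINDOWS\SysWOW64"\[l:20{10}]"msxml3.dll" from store
'''

# search() is used, so any text before the sequence number is ignored.
REPAIR = re.compile(
    r'(?P<seq>[0-9a-fA-F]{8})\s+\[SR\]\s+Repairing corrupted file\s+'
    r'\[(?:ml:\d+\{\d+\},)?l:\d+\{(?P<dlen>\d+)\}\]"(?P<dir>[^"]*)"\\'
    r'\[l:\d+\{(?P<nlen>\d+)\}\]"(?P<name>[^"]*)"\s+from store'
)

def parse_repairs(log_text):
    """Return one dict per repaired file, in log order."""
    repairs = []
    for line in log_text.splitlines():
        m = REPAIR.search(line)
        if not m:
            continue
        directory, name = m['dir'], m['name']
        # In the sample lines the number in braces equals the character count
        # of the quoted string; a mismatch suggests a truncated or edited line.
        lengths_ok = len(directory) == int(m['dlen']) and len(name) == int(m['nlen'])
        # Drop the leading \??\ prefix so the path reads as a normal Win32 path.
        win32_dir = directory[4:] if directory.startswith('\\??\\') else directory
        repairs.append({'seq': int(m['seq'], 16), 'lengths_ok': lengths_ok,
                        'path': win32_dir + '\\' + name})
    return repairs

def group_by_file(repairs):
    """Map lower-cased file name -> directories in which it was restored."""
    grouped = defaultdict(list)
    for r in repairs:
        directory, _, name = r['path'].rpartition('\\')
        grouped[name.lower()].append(directory)
    return dict(grouped)

if __name__ == '__main__':
    for fname, dirs in sorted(group_by_file(parse_repairs(SAMPLE_LOG)).items()):
        print(fname, '->', ', '.join(dirs))
```

Grouping by file name makes it obvious when both the System32 and SysWOW64 copies of the same library were restored, which is the pattern that points back at a manual deletion.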

Moral of the story...If it ain't broke, don't fix it. (especially if you have a cold and know you're not operating at 100%)

I'll post less dumb things as soon as I've got Kali set up on my new Pi B+.