Airline fined over website cookie consent

Pinsent Masons carried a story recently regarding an airline being fined for a poor cookie consent mechanism on their website (1). Although the fine is relatively small it hopefully highlights the fact that authorities are taking note of complaints against websites.

For some years now it has been necessary to declare cookies and have a mechanism to gain consent, but many websites are sadly lacking, some really badly. I’ve ranted about this in the past and when I was still working I always tried to ensure our websites were compliant.

The case in hand (2) is one where the website in question told users how to block cookies but had no consent mechanism. It was pointed out that there needs to be a mechanism whereby cookies can be rejected, as well as options to enable all cookies or to enable just specific ones.

From my own checks on websites some are really good, some so-so, and some downright awful. Among the best I’ve seen are ones that have a very simple consent mechanism at the bottom of the page with checkboxes for each type of cookie, as well as a ‘reject all’ button. Among the worst are those that throw up a large popup which gives little choice other than to accept their cookies, with no way into the site without so doing. Some, typically media websites, seem to burden the user with vast lists of partners with a ‘yes / no’ button against each. I have to say that when I find these latter types I take a screenshot for reference, and then wave goodbye. I also regularly clear my cookie cache so I don’t get stalked by adverts.

(1) https://www.pinsentmasons.com/out-law/news/airline-fined-over-cookie-consent-mechanism

(2) https://www.aepd.es/resoluciones/PS-00300-2019_ORI.pdf

Under attack?

My little VPS went crazy yesterday. Unresponsive, it took ages to log in. I quickly discovered multiple attacks: some attacks on WordPress’s xmlrpc.php and wp-login.php, a sustained attack on imaps from China and several concurrent brute force ssh attacks, all at once. The poor little VPS kept running out of memory, which caused it to kill off memory hogs – generally Apache and mysql. At this stage I should add – and probably question my sanity – that it’s good fun thwarting such things and I’ve been doing similar for 10+ years…

Then I discovered that the out of band access to the VPS wasn’t working and I assumed this to be a part of the greater whole. It wasn’t.

My provider, Heart Internet, has very good technical support. I’ve used them for ages for my own VPS as well as professionally, as have others, partly due to the fact that I recommended them, something I very rarely do. They came up with a very detailed analysis. First off, an Ubuntu upgrade had knobbled /dev/ttyS0, so no out of band access; this was not the fault of the attack, I’d just never needed to use it so was unaware. A quick fiddle in the GRUB config sorted that. Next, the VM framework was itself suffering a high i/o load and that was causing my VPS to pause. These pauses then made matters worse, as it seems that mysql inserts were queueing up and then went in with a bang when the VPS got some CPU time again. That, plus the WordPress attack, caused the memory killer to terminate Apache and mysql, causing further issues when they restarted. This was not eased by my watchdog process, which restarts any failed PHP scripts; those scripts spend their life pulling in railway data and stuffing it into a mysql db, meaning that as soon as mysqld came back the PHP process would drag in a bag load of data and fire off tons of inserts.

To add insult to injury fail2ban, er, failed to ban. It had upgraded itself at some stage to a non-working state and I really could not spend the time reading the docs to find out what it needed, so it got purged and denyhosts, which I used to use anyway, was installed and is working nicely. Not quite the same thing, but ideal for ssh attacks as it simply adds the IPs to /etc/hosts.deny. I still use iptables when, for example, I see zillions of spam injections, but those are infrequent and sort themselves out in any case. But it’s still nice to see them suddenly stop when I can be bothered to look.
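As an added illustration of what denyhosts is doing here (my own example code, not denyhosts itself and not anything from the post): it scans some constructed sshd auth log lines, counts failed password attempts per source address, and formats the addresses over a threshold as /etc/hosts.deny entries. The log lines, hostnames and IP addresses are made up for the example.

```python
import re
from collections import Counter

# Constructed sample sshd lines (not real logs); addresses come from the
# documentation ranges so they point at nobody.
SAMPLE_AUTH_LOG = """\
Jun  1 03:12:01 vps sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jun  1 03:12:03 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Jun  1 03:12:04 vps sshd[2205]: Failed password for root from 203.0.113.5 port 4244 ssh2
Jun  1 03:12:06 vps sshd[2207]: Failed password for root from 203.0.113.5 port 4245 ssh2
Jun  1 03:12:07 vps sshd[2209]: Failed password for invalid user oracle from 203.0.113.5 port 4246 ssh2
Jun  1 03:15:40 vps sshd[2301]: Failed password for bob from 198.51.100.7 port 51022 ssh2
Jun  1 03:15:55 vps sshd[2303]: Accepted publickey for bob from 198.51.100.7 port 51023 ssh2
Jun  1 03:20:10 vps sshd[2401]: Failed password for invalid user test from 192.0.2.99 port 33001 ssh2
Jun  1 03:20:11 vps sshd[2403]: Failed password for invalid user test from 192.0.2.99 port 33002 ssh2
Jun  1 03:20:12 vps sshd[2405]: Failed password for invalid user test from 192.0.2.99 port 33003 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port"
)


def failed_logins_by_ip(log_text):
    """Count failed password attempts per source IP; successes are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def offenders(log_text, threshold=3):
    """Return, sorted, the IPs with at least `threshold` failures."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold)


def hosts_deny_lines(ips, daemon="sshd"):
    """Format entries in the 'daemon: client' syntax used by /etc/hosts.deny."""
    return [f"{daemon}: {ip}" for ip in ips]


if __name__ == "__main__":
    for entry in hosts_deny_lines(offenders(SAMPLE_AUTH_LOG)):
        print(entry)
```

One caveat worth knowing: hosts.deny only bites if sshd is built with tcp_wrappers (libwrap) support, which newer OpenSSH releases dropped, in which case the same list needs to go into a firewall rule instead.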

Having tidied up the little beggars via iptables and protected the bits of WordPress that were under attack, and with the VM framework finally calmed down by the provider, my VPS could once more tick along quite nicely at its usual load of, well, pretty much zero.

Fun nonetheless. Perhaps I’m just weird!

IP camera password reset

I had some time today to finally change the webcam that looks over our driveway. I got a PoE security camera from an eBay trader a while ago but only plugged it in once for testing. There must have been a default password, which is now lost. So, you can reset these things, right?

First problem – there’s no hardware reset at all. Not much hope via Google (or rather DuckDuckGo, which I use now) other than having to email stuff to the manufacturer. I tried a password resetter found on GitHub but it does not work.

Ok, what do I need to do… 

First, get their software. Oh, it’s only Windows, so fire up the old Windows laptop and wait for it to do its boot-up updates and sort itself out, usually at least 5 minutes.

Next, run the software and select ‘forgot password’ at which stage I can download some XML or take a photo of a QR code. These go to the manufacturer.

Next, download their PDF which has to be filled in. Find the laptop does not have Acrobat Reader, so go and get that. IE insists on opening…

Next, find out that their software does not let you copy text from the various fields needed for filling in their PDF. Ok, it will export to CSV so do that.

Next, open the CSV in Excel, which for some reason thinks it’s unlicensed and sticks in read only mode. Discover that for some reason read only mode also means no copying!

Next, close and restart Excel to sort its licence out, and finally copy the relevant fields into the PDF.

Last, send an email with the PDF and the XML, and wonder why the XML does not include all the fields you have to type into their PDF.

Finally, turn laptop off and wait for it to do its updates, only 10 minutes this time.

Notice an autoreply from the company saying that the email has been received, but suggesting I contact the local branch in the UK. Forward the email and wonder why they don’t simply say that in their instructions anyway…

Honestly, the time it has taken for me to do this far exceeds the cost of the camera. If the password reset code does not come within a day it would actually be cheaper to simply buy a new camera on one-day delivery!

Good grief…

Edit: so, the reset key arrived. It does not work.

Enquiry forms

If someone goes to the trouble of creating a web based enquiry form I consider it reasonable that said someone would also create some form of acknowledgement on submission, rather than just send the visitor back to the home page! Honestly, it’s really not hard.

Home automation

I have three ‘onewire’ temperature sensors running up from the hot water cylinder and central heating pump to a Raspberry Pi in the loft. These record the water temperature going round the central heating, as well as that going into the hot water cylinder and the temperature of the pipe back to the boiler. The Pi records these every minute.

Nothing whizzy in any of that, it’s all standard stuff. Only I discovered that the temperature readings make a lot more sense if the sensors are actually on the pipes and not sitting in a pile of fluff on the floor! Ah…

Why do they design sites this way!

Another brain dead website, an estate agent this time. Filling in the contact-me form it pops up the usual Google ‘select all squares that may have had a bike in them last week’ thing. Only it’s hidden under the sliding design so you do not actually know. I found it, but the sliding imagery of their website covers most of the bottom three squares and the buttons, so no way to complete the task.

Good grief. I take it the user testing was somewhat less intensive than that which would have been accomplished merely by showing a screenshot to a brick…

Busted phones…

I have not had a good day fiddling with iPhones.

The story started some time ago when one iPhone was dropped and suffered catastrophic damage. And I mean catastrophic. For anyone that has ever had an iPhone SE apart, imagine a phone where the screen had not only cracked but had come completely away from the backplate. All three cables from the screen were torn. The case had bent, the plastic at the bottom was broken, the camera had gone, the plastic at the top of the case was very dodgy and the battery had bent. How on earth – apparently it fell three floors on to concrete.

And of course there was no backup…

So, off to eBay. Having acquired various bits and reassembled it sufficiently to do a full backup this was then restored to a new SE phone. All was well with the world (well, actually the new phone soon suffered water damage and then another catastrophic fall and has since become an even newer phone… but that’s not my problem!).

I had assembled the repaired phone rather quickly as it only had to do the one task of the backup. The camera was not sitting right and was pressing against the screen. So it sat on the shelf waiting its turn to be re-repaired. For maybe a year.

Fast forward and one of our older phones no longer receives new versions of iOS. The app used for bus tickets, which originally split into two apps, one for timetables and one for payments, has been replaced by a new version that does everything. Only it does not work on the older iOS. So, the waiting-to-be-re-repaired iPhone came to mind. I wiped it and checked the battery would actually store charge for more than a few hours, and then set about pulling it apart to sort out the camera. It all went back together just fine. I updated iOS, set it up as a new phone and attached it to the relevant iCloud account. All was going well. Well, until I tried to call it. The call worked fine, good audio both ways… but…

…IT DOES NOT RING OR VIBRATE!

Typical. Everything else is fine, but useless as it does not give any audible alert on incoming calls, FaceTime or messages. The ‘silent’ switch and volume up/down buttons are very non-functional, and even setting the ring volume up via the app it does not ring. The assistive touch stuff does not help. I guess it’s stuck somehow on ‘silent’ in a way that the software cannot get round.

So it is destined for eBay as parts.

CDN blues

Interesting week. A couple of days ago we heard of Cloudflare’s issues with a software rollout gone wrong. Yesterday I noticed I could not see one of our iPhones on FriendFinder. It later became clear that the phone had not received any iMessages either and the associated iPad was in a worse mess. It took several cycles of logging in on both to restore normality, and that meant logging into iCloud, FaceTime and Messages separately. Oddly the iPad had iMessages from 2018 but no later, and the iPhone had missed a whole day of messages – I had expected both to pull down the current messages but on checking the o/s is too old (these are old Apple devices).

Then this morning my Mac, which is up to date o/s-wise, wanted the iCloud password, but putting it in resulted in an ‘unknown error’. I rebooted it and it appeared ok, but then I had to go through the cycle of logging into iCloud, iMessage and FaceTime. For iMessage it would not play ball and suggested that I was not logged into iCloud on my previous account name, changed some months ago. Potentially I’d never had to log in since the change so that may be why. Anyway, logging out of and into iMessage again fixed this. My iPhone has not (yet!) had the same issue…

Given the Facebook / Instagram issues yesterday with stored photos and videos not displaying – also CDN based – it gives me an ‘eggs in baskets’ feel. Where you have one large infrastructure provider such as Cloudflare with so many services sitting upon it that provider has to work all of the time. Corners are easily cut (not saying they were here!) and mistakes can have far reaching effects. Of course the solution where everyone has their own infrastructure is not very ‘green’ these days with the proliferation of data centres and such and so these large third party providers make a lot of sense. But when they go down the world goes with them – well, ok, the web goes with them!

Notebook blues

A notebook came in the other day that had had tea poured into it and now refuses to work. I’d never seen inside one of these before and we wondered if the hard disk could be removed and installed elsewhere to recover any files. At that time I’d not been to Google to check on the model etc. because there was a disk-sized lump which surely must be it?

No, it’s part of an odd shaped battery! On inspection I could only see two connections and even though the whole ‘thing’ was connected by a multi-way plug it definitely looked very un-disk-like. Off to Google.

Yup. It’s a battery alright. This notebook has no disk, just some GB’s worth of flash. All data is stored on OneDrive. Hopefully!

You live and learn…

US now wants your Facebook details when you visit

Lots of chatter today that the US now requires “nearly all applicants for U.S. visas to submit their social media usernames, previous email addresses and phone numbers”. (1) Essentially it requires visitors to give their social media information, phone numbers and e-mail addresses for the past 5 years.

The BBC carried a bit about this back in 2017 (2) which also stated that critics considered that checking up on these “could lead to extended, fruitless lines of inquiry or the collection of personal information not relevant to security checks”. Well, yeah, and I would need several continuation sheets to fill all my information in over that period.

A quick trawl through the visa waiver website suggests (a) that it is out of date because it does not indicate the requirement is now absolute and (b) clearly they will use this information to check up on you i.e. if your Facebook page marks you out as undesirable you’re out of luck. I did not delve further.

So your social media profile may now exclude you from entry. Of course, no undesirable type is capable of creating a fake Facebook profile are they…

So, is a blog social media? I’d argue not, yet I know this blog is spidered by Google (other spiders are available) regularly!

1 – https://www.cbsnews.com/news/state-department-now-requires-us-visa-applicants-to-share-social-media-accounts-2019-06-01/

2 – https://www.bbc.co.uk/news/technology-40132506