It was a quiet nights drifting for the Iceberg, but fire, speed, ignored ice warnings s[e;t doom for the Titanic?

We have a saying at cmx “It’s always three steps to a disaster”

– A salutary business lesson that’s never learnt.

The iceberg thought to have been hit by Titanic, photographed the morning of 15 April 1912 by SS Prinz Adalbert’s chief steward. The iceberg was reported to have a streak of red paint from a ship’s hull along its waterline on one side.

As far as the iceberg was concerned it was a small inconvenience but for the Titanic it was a disaster and most businesses think they are the Iceberg in the story but in reality they are more like the Titanic, it’s when” not “if”.

The popular story is that the Titanic hit an iceberg because the ship was travelling too fast in an ice field but there were three key factors that conspired that night, everything else just didn’t help.

What caused the problem?

1. A fire on board which buckled a critical bulkhead

2. The wireless radio operator dismissed a key iceberg warning.

3. Oh, and an Iceberg

This is what made it sink, nothing else, pure and simple. Everything else just made it worse

There was a fire on board since the ship left Southampton and it made the steel hull and bulkheads brittle and warped, so if the Titanic had heeded the warnings and not hit the iceberg chances are that it would have completed the  maiden voyage but unless corrected there would have been a problem sometime in the future. Fires on coal-fired ships werent unusual.

The crucial bulkead allowed the ingress of water to pass through what should have been a water tight bulkhead and tipped the bow lower allowing more water in to pass over the other bulkheads.

For the record here are the other points which had an influence.

It was traveling too fast, that was because there was a fire and coal would have run short. However, beating the record on a maiden voyage was an advantage.

The Bulkheads didn’t extend all the way up to the top of the ship. It didnt make much difference but it could have sunk at a slower rate.

There was a confusion with the steering, left used to be right and vice versa but in nautical terms.

Capt Smith was known to be reckless, he was involved in several collisions, accidents, fires and grounding, here is a list of ships involved; Olympic, Republic, Majestic, Adriatic, Hawke and Germanic.

Mirages and hazy horizons were created by weather conditions which meant it might have been an ice sheet rather than a berg and could have caused all sorts of optical illusions for the lookouts and the nearby ships.

The lookouts had no binoculars. They key to the binocular store went ashore with a crew replacement.

There weren’t enough lifeboats. Obvious one really, but the crew werent practiced in use or evacuation procedures.

The ship was not full, there were 2224 on board, 1115 short of capacity.

It’s alleged that the Titanic’s builders tried to cut costs. the rivets that held the ship’s hull together were not the best, uniform in composition or quality and not been inserted in a uniform fashion. Surely, that’s quality control which is again a cost cutting move.

If they had travelled backwards towards the Californian 10 /12 miles away for the two hours and forty minutes it took to sink then the distance would have been less but this has been discussed without any conclusions.

There was a massive cover up in the UK more than the US.

What the hell has it got to do with business?

You have to look at the shortcomings and a failure to examine the fundamental lessons that every business should learn. It’s a famous disaster but we, at cmx, come across the same thinking all the time in businesses large and small.

Lets look at the lessons;

1. No-one wanted to take the blame or responsibility. In any business there should be someone who is the key person and actually responsible, dont chuck the blame or job elsewhere, own it all – it’s a great mind focusser. Maybe the choice of Captain could have been better.
2. Precautions weren’t taken. Training, lifeboats, binoculars. The iceberg could have been spotted earlier, The lifeboats would have been sent off full,
3. Cheapness was a priority. Lack of quality control in construction and keeping the bulkheads shorter than possible.
4. Complacency was rampant. Titanic was unsinkable so bouncing off bergs was possible, it could stop in an impressive 777 yards, who needed precautions?
5. Suspect leadership. A good leader plans, prepares and anticipates difficulties, Captain Smith had a bad track record and was intoxicated, that might be an exaggeration but his track record of hitting things was not good. Who chose him to be in charge anyway?
6. Poor communication. Apart from the radio issues, of which there are many, they had to implement several changes and whether port meant port or porting around.

There were two unavoidable facts, the fire and the iceberg, ignoring the radioed ice warning was the what caused the collision. The normal action would have been to stop, as the SS Californian had. Everything else made the loss worse by compounding the problem.

So what’s it got to do with computing?

Simple, as we have said, we have a saying at cmx “three steps to a disaster”. Although the lessons should be applied to business generally its a good lesson to avoid a computing disaster.

Taking the points above as a template;

Business people should appoint a responsible person. If someone is responsible for IT safety then its a task that becomes a focal point and not a “Everyone (Read “nobody”)  is responsible”. Make someone responsible for checking backups and company practice. Expect and plan for disasters

Cheapness means continual replacement and unreliability. Spending the right amount gives you reliability, dependability and a more peaceful life.

Dont be complacent, train, practice and check. Backups are only of use if they are made regularly, aren’t on the premises and checked they work.

Make sure that the people at the top are aware of the dangers and the possibility of the outcomes of losing the business. If they don’t care then move on maybe, they don’t value you or the business.

Communicate, talk to your IT supplier and make sure everyone knows what they should and shouldnt be doing. We have alternatives that can make your business secure and safe.

How much will  it cost? – always the question

The question is how much will it cost if you don’t learn the lessons? In todays terms the Titanic cost $1.66 billion* to build, add in the loss of earnings, the scrap value and over 1,500 lives and it was a total loss. This could be the same thing for your business, the cost, not in terms of lives but a total loss and the ramifications go on long after you’ve lost your data.

* https://www.fgmr.com/how-much-did-it-cost-to-build-the-titanic/

We recently experienced what virtually every one of you has experienced or will definitely have one day –  a total extended broadband failure. We knew it could happen, we even knew when, so we planned for it and our backup plan also had a backup but there is an interesting conversation I had week later with an insurance consultant.

It was simple, we were told fibre was now available from our nearby cabinet.

Knowing how any change can go wrong and confident that BT were capable of outwitting any plan we decided to have it installed on a spare line, OK, we would have two services for a week but we wouldn’t be left broadbandless – or so we thought.

Cutting short a long story, it was installed, failed to work and the engineer was due to come out the day after our original service ceased. No problem stop the original cancellation? This was the bit we didn’t foresee, we couldn’t, it was committed and a fixed action, even a week before the date.

The service was cut off and the engineer sent by the new company appeared next day.Apparently we were mis-sold fibre, we can’t have it, we are 2.4km from the cabinet (we measured 500m to the nearest one but that isn’t the one it seems). We then downgraded to ADSL

Would the cloud have been a good idea?

No!  We have four servers here, we use remote control on our clients computers, we host our own email system, thankfully we aren’t on the cloud otherwise we wouldn’t be working at all, but we have been working normally.

The cloud would have let our other offices communicate with each other but at three times the price of having your own servers it’s not a solution we recommend or use. There are only two people who gain from cloud services, the salesman and the cloud provider. You wouldn’t permanently rent someone else s car, so why permanently rent someone else computer.

Our backup plan to our backup plan.

So we could work in-house as we weren’t dependent on the cloud but as we are so dependent on the internet we had a plan in case it went down, we use Draytek routers which take a USB Dongle, we put in a SIM from Vodafone with a 30Gb capacity for £25 a month. Back up and running again in 3 hours.

So I am talking to an acquaintance at BNI, Daniel Langford from Arthur J Gallagher about business disruption insurance. Apparently companies usually don’t have a disaster plan nor sufficient insurance for business disruption.

Hows it going now?

I sit here in the office 21 days from the fibre go-date with an unusable broadband service awaiting another engineers visit, but its business as usual. We prepare, we plan, we have a backup plan, a disaster plan and that changes a disaster into an inconvenience – What about you? Do you have a backup plan, a disaster plan and finally insurance business disruption cover? We even got our £25 back

• The following are typically covered under a business interruption insurance policy:

  Profits. Profits that would have been earned (based on prior months’ financial statements).
  Fixed Costs. Operating expenses and other costs still being incurred by the property (based on historical costs).
  Temporary Location. Some policies cover the extra expenses for moving to, and operating from, a temporary location.
  Commission & Training Cost. Business Interruption (BI) policy essentially covers the cost of providing training to the operators of the machinery replaced by the insurer following the insured events.
  Extra Expenses. Reimbursement for reasonable expenses (beyond the fixed costs) that allow the business to continue operation while the property is being repaired.
  Civil Authority Ingress / Egress. Government-mandated closure of business premises that directly causes loss of revenue. Examples include forced business closures because of government-issued curfews or street closures related to a covered event.

When looking at a competitors website we discovered that the “Meet the team” was unfinished, instead of readable text it was full of “Ipsum Lorem” Talk to anyone who has had anything to do with printing or graphic design and they will have heard of “Ipsum Lorem” yes, its latin but what is it about?

The standard Lorem Ipsum passage, used since the 1500s

“Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.”

Section 1.10.32 of “de Finibus Bonorum et Malorum”, written by Cicero in 45 BC 1914 translation by H. Rackham

“But I must explain to you how all this mistaken idea of denouncing pleasure and praising pain was born and I will give you a complete account of the system, and expound the actual teachings of the great explorer of the truth, the master-builder of human happiness. No one rejects, dislikes, or avoids pleasure itself, because it is pleasure, but because those who do not know how to pursue pleasure rationally encounter consequences that are extremely painful. Nor again is there anyone who loves or pursues or desires to obtain pain of itself, because it is pain, but because occasionally circumstances occur in which toil and pain can procure him some great pleasure. To take a trivial example, which of us ever undertakes laborious physical exercise, except to obtain some advantage from it? But who has any right to find fault with a man who chooses to enjoy a pleasure that has no annoying consequences, or one who avoids a pain that produces no resultant pleasure?”

Unfortunately the text is often taken out of context and messed about and if you try a “Google transalte” it will just come back as rubbish which is what happens to the above latin text. Thats why we are quoting the Rackham translation. Obvioulsy Google translate has its limitations, a bit llike my really bad Latin I had to do at school.

Favourite cloud Myths

Everyone is using the cloud in one way or another but there are many misconceptions. Here we are looking at a few and for these examples we are basing our information on AWS, the biggest cloud provider owned and run by Amazon.

Myth number 1 – The cloud is highly available.

No it isnt. The internet comes down a pair of wires to your premises. This connects you through a set of locations to your cloud service. For example we looked at how many hops a simple link to Ireland takes. It left our office in Ipswich and it took 15 hops to get there. That’s 30 connection points it has to go through and an error on any one means you don’t get through. DataCentres are meant to be virtually bomb-proof yet even last week one of the biggest went down, or should we say up in flames. The list of failures is endless.

Even if your phone line goes then its no interest and no-phone service, even fibre comes down to the last few meters or kilometres as copper.

Myth Number 2 – The cloud is cheap

No it isn’t. The average cloud service costs you £9 a month, that’s the price for controlling your home, using Microsoft Office, doing your accounts or crm. The real cost is not per month but over five years so if you use 3 services that’s costing you £1,620. We know of a company that added up their cloud services over five years for five employees and were staggered at the cost of £22,000. There are many free services available and you can have your own server on site for a fraction of this cost.and

Myth Number 3 – My data is safe

Well yes and no, its and extra copy stored somewhere else but if you read the cloud terms and conditions, they don’t guarantee it and they recommend that you backup your data elsewhere to be safe. Just read the T’s & C’s that every cloud provider publishes, and be shocked.

Myth Number 4 – Using someone else’s computer

No you aren’t, you are using someone else’s servers and storage, which makes even less sense. Why rent a car or a house when you can buy one. – enough said.

Myth Number 5 – cloud = datacentre

Using the “cloud” doesn’t mean you have to use someone elses data-centre. The term was thought up as a marketing gimmick. The cloud symbol was used in flow charts to symbolise “a large somewhere”. In reality it means storage that is accessible using the internet. It can be a low cost server on your premises which can do all the cloud things such as accounts, email, crm, notes, files etc for unlimited users for around £20 a week.

Myth Number 7 – cloud is better than a licence.

Cloud users defend their choice, for example Office in the cloud costs £9 a month. For that I get five licences, the latest versions, works on anything and synchronised documents. Only the last is partially true. You get the licence for five devices for one user. That means only one person can use it at any one time on five different items such as a laptop, phones and tablets.

You get all the updates with a licence copy that over five years costs 3 times less. Yes you get the latest version but with one issue every three years its no great loss when the changes are minor, besides no-one ever uses all the facilities.

Yes the cloud version of office works on everything but so does the free version of Microsoft Office online, the salesman didn’t tell you about that? Yes there is a free version of Microsoft Office that meets most users needs.

Everything is synchronised., Yeas it is but you can use all the free services to get the same synchronisation.

Conclusion

There are so many free programs, free storage and low cost servers that you don’t need to buy a cloud version, you can save a shed load of money by being a savvy buyer and not believing the cloud hype. Cloud salesmen dont give you access to any of the free or paid for alternatives, wondered why, well if I tell you we could make five times more money by selling you the cloud, would that answer it?

Park your car in the town centre, open all the windows, make sure that valuables such as cameras, jewelry are on view and leave it like that for a few hours.You wouldn’t believe it, but this might happen!

Now at home open all your windows and doors, turn on all the lights and go out. If you loose something as a result of either of these actions make sure you don’t blame yourself.

Its the fault of society, immigrants, Brexit, May, Corbyn, Farron,  police, schools, its anyone but your fault isnt it?

Well no, you are sensible enough to make sure you take all precautions and the above is just plain ridiculous and stupid isn’t it? Just like using Password1 on the internet or for your work computer.. 

YES – ITS ALL THAT STUPID – you deserve to be robbed and its all your fault if you are.

We have always being going on about passwords but the unbelievable fact is that for some  reason no one seems interested.

SECURITY SPECIALISTS have revealed half of online users worldwide use just 25 passwords and the passwords aren’t even very good. This is based on 10 million hacked usernames and passwords.

Last year, a similar study revealed that “password” was the second most frequently used password.

Strong passwords are essential for any online account, no matter how trivial

17 per cent of accounts have “123456” as their password, Followed closely behind is “123456789” in second place, and the equally uninventive “qwerty” in third.

Showing just how little many of us value our privacy and security, fourth place through seven on the most used passwords list comprise of “12345678”, “111111”, “1234567890”, and “1234567” respectively.

In fact, the only real surprise on the list is “mynoob” in 12th, and “l8atcskd2w” in 15th, and “google” down at the bottom of the list in 21st place.

If your password is on the list, you should probably want to change your code. Never use the same password and email combination across different websites. Always create a unique password for every one of your online accounts. If you want to how to have a good password then read our earlier blog on the subject

According to Keeper’s researchers: “The list of most-frequently used passwords has changed little over the past few years.

“While it’s important for users to be aware of risks, a sizeable minority are never going to take the time or effort to protect themselves.

The full list of the 25 most common passwords can be seen below –
123456
123456789
qwerty
12345678
111111
1234567890
1234567
password
123123
987654321
qwertyuiop
mynoob
123321
666666
18atcskd2w
7777777
1q2w3e4r
654321
555555
3rjs1la7qe
google
1q2w3e4r5t
123qwe
zxcvbnm
1q2w3e
In addition we would like to add P@55w0rd1 -if you recognise this then we have been warning you for months. Change it now, please.

Several models of Netgear routers are affected by a publicly disclosed easy vulnerability that could allow hackers to take them over.

An exploit for the vulnerability was published Friday by a researcher who uses the online handle Acew0rm. He claims that he reported the flaw to Netgear in August, but didn’t hear back.

The issue stems from improper input sanitisation in a form in the router’s web-based management interface and allows the injection and execution of arbitrary shell commands on an affected device.

The U.S. CERT Coordination Center (CERT/CC) at Carnegie Mellon University rated the flaw as critical, assigning it a score of 9.3 out of 10 in the Common Vulnerability Scoring System (CVSS).
ADVERTISING

Netgear confirmed the vulnerability over the weekend and said that its R7000, R6400, and R8000 routers might be vulnerable. However, another researcher performed a test and reported that other routers from Netgear’s Nighthawk line are also affected. These include: R7000, R7000P, R7500, R7800, R8500, and R9000.

Users can check if their models are affected by accessing the following URL in a browser when connected to their local area network (LAN): http://[router_ip_address]/cgi-bin/;uname$IFS-a . If this shows any information other than a error or a blank page, the router is likely affected.

In some cases, replacing the IP address with www.routerlogin.net or www.routerlogin.com might also work, because Netgear routers resolve these domains names to their own local IP address.

Since the vulnerability can be exploited with an HTTP request that doesn’t require authentication, hackers can attack the affected routers using cross-site request forgery attacks (CSRF). This works even when the routers don’t have their management interfaces exposed to the Internet.

CSRF attacks hijack users’ browsers when visiting specifically crafted webpages and send unauthorized requests through them. This makes it possible for a malicious website to force a user’s browser to exploit the router over the LAN.

This is unbelievable advice –

CERT/CC recommends that users stop using the affected routers until an official patch becomes available, if they can do so. However, there is a workaround that involves exploiting the flaw to stop the router’s web server and prevent future attacks. This can be done with the following command: http://[router_IP_address]/cgi-bin/;killall$IFS’httpd’

Because the web server will be shut down, the management interface will no longer be available and further attempts to exploit the vulnerability will fail, but this is only a temporary solution and needs to be reapplied every time the router is rebooted.

In order to protect themselves from CSRF attacks against routers in general, users should change their router’s default IP address. Most of the time, routers will be assigned the first address in a predefined netblock, for example 192.168.0.1, and these are the addresses that hackers will try to attack via CSRF.

Routers have become an attractive target for hackers in recent years as they can be used to spy on user traffic and launch other attacks. Most commonly they are infected with malware and used in distributed denial-of-service (DDoS) campaigns.

Prompted by a news article we thought we would look at the terms and conditions of the cloud. After all you pay for a secure, reliable, always on service don’t you? Read on then. We looked at one of the main cloud providers and we dont suppse the others are that different.

Other Security and Backup.

You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content,

Disclaimers.

So there you have it, they cannot guarantee the safety of your data, any malware, security even the service, You must make your own backups and you won’t get any compensation, and if you are lucky you might get one months payment back.

Further reading;

Apple founder believes Cloud is brewing a storm.

Are you sure you want to outsource IT? Yes/No. Check this box to accept Ts&Cs

This is the most glossed over but probably the most important subject in IT. Simply put, if you have an easy to crack password then it will, not may, cost you possibly* thousands of your hard earned money (*Account balance allowing).

To prove that point we have cases of an international company whose emails were hacked on the cloud and their bank paid out £14,000. Another a firm acted on a bogus email and proceeded to pay out £127,000. The reason was down to a weak password.

Playing with P@ssw0rd$

At cmx computing we have been playing with passwords using a free commercial password strength checker from one of the big anti-virus companies. The results will definately surprise you.

The system works out how long it would take to crack a password if you used a reasonably powerful home computer so “Password1” would take less than a second and “.2l5 20nm05u2v 5j2v552i2m-9” would take more than 10,000 centuries.

Toughest all round

The toughest passwords apparently contain a random collection of letters, numbers and characters. “DdFGGrgeE” would take 2 years to crack and by adding a random number to make “DdFG3GrgeE” it changes to 300 years. There are two problems; Its hard to remember and slow to type in.

So most people opt for what they think is the clever password using a system known as “Leet” where a number represents a letter it looks like, these are usually 1 for L, 3 for E and so on. Even with a twist P@55w0ed will take 14 hours. This is not that much faster than previous methods. (The twist was that the “r” was replaced with “e”)

Here at cmx we have been trying to find something that’s easy to remember, unique and quick to type in while still being hard to crack quickly.

The password solution.

The quick answer is don’t have one! Remember the old black and white spy films from the 1950’s, where the agents meet in red square and use pass phrases? “The wind blows from the east in January” – that would take10,000,000+ years to crack. Its a bit long so how about “Susan has 2 red shoes and 3 black” same high rating, but its a bit long. We tried “3 Green 2 Blue” that got 3,000 years.

So whats the answer to the best password?

The ideal password is easy to remember, quick to type and hard to break. We decided the ultimate answer was this “3 Green 2 Blue socks”. It ticks all the boxes and will take over one thousand centuries to crack using an Intel Core i7 home computer. That’s food for thought isn’t it?

Or is this your idea of passwords? We have tried to obscure the obvious, our blog is read by all ages!

Cloud, computers, datacentres, gmail, its all secure isnt it? Follow this story to have your eyes opened. The names, and other details have been changed so as not to identify the victim, the amount is accurate.

It started with a phone call at 11:54  to our Colchester Office and answered by Rose Burcham (real name). It came from Power Watch a client of ours for two years. The message was passed to Glyn Cheeseman (real too) who was on the phone but was allocated as he was already that clients specialist.

“REGARDING A SECURITY ISSUE SHE NEEDS TO SPEAK TO YOU URGENTLY ABOUT”

[subscribe2]

Glyn returned the call in seven minutes and after a quick discussion appeared at their site 27 minutes later. The laptop was found to be clear of all viruses and Spyware.

The issue was that they had sent their bank an instruction with a covering letter to transfer some money abroad.

Three hours later the bank received a request to transfer £15,000 to another bank and payee. The first was a real request, the second a fake.

The bank thought it was unusual so they called the client, she verified that it was fake and called us in, hence the original phone call.

The bank wouldn’t send us the email because of confidentiality but we explained how to send the “header” file, this is like an envelope with a stamp and postmark.

When we had this we could trace that the email was sent genuinely from Google mail. The originator used a data center in Stockholm, it’s here on the map, pretending to be the client. We traced it bouncing around inside Stockholm and then the trial went cold.

What had happened was that the clients email or Google were hacked, they intercepted the original money transfer request, copied and altered in and sent it on three hours later, they even had the gall to send a chaser when it wasn’t paid. It was to transfer money into the same bank as the clients.

The bank just closed the transaction and chased after the bank account. The client was told to phone and report the fraud who just took some information and gave it a case number.

The scary part is that no-one wanted to see the email, this is because there isn’t anything they can do to catch the perpetrators. We chased it back to either Google or the clients email being hacked. Their password was a mixture of a name and numbers but it wasn’t strong enough. If it hadn’t been for an ordinary bank staff member at the local bank the client would have lost £14,000 and wouldn’t get it back for a long time if ever, that could be you too.

If you want to know about strong passwords then you’ll have to wait for the next post.