PHIL'S HITLIST

Who's been naughty, or at least not nice, and what they ought to do, and other things that are really annoying!

Replaced previous Microsoft specific page on 27 January 2008. Last updated 12 June 2012.

Microsoft

As you are probably aware, this page all started from a page about my gripes with Microsoft. None of this is any less valid. I still think Microsoft leave a lot to be desired.

First off, there are, fortunately, frequent updates to their products. There are so many things going wrong, or at least being discovered vulnerable security-wise, that it is no bad thing that there are so many updates. Microsoft have a large (possibly the largest) market share for the operating system on PCs, and likewise for office applications – this is a problem in that it results in their update system having rather a lot of systems it ought to be looking after. Couple to that the fact that some people don't bother to update when they should, and those on dialup would need a long time to do it, and it gets even worse.

I am in the position I am sure many people know – you are seen to know what you are talking about and get asked to do things for people. However, to the best of my knowledge, it is now difficult to get hold of Microsoft's updates in a form that can be put on CD to take to machines that are behind with updates (for whatever reason). Furthermore, there are so many updates that they need to be rationalised and “rolled up” into either new service packs or simple roll-ups far more often than currently happens – I would suggest quarterly or half-yearly as a minimum.

A lot of the problem is that Microsoft are prudent in wanting to check the validity of the software installed on systems. In a way, there is nothing wrong with this – fakes may be less secure and have far more serious problems – but when it gets in the way of keeping a perfectly valid system up to date, it is a real bind.

It is even worse that sometimes, when a major hardware change is made (such as after a breakdown), the Blue Screen of Death can be invoked. This often leads to someone having to use the Windows XP CD to do a repair. This, if the CD is not one that has been prepared, with great time and effort, with the latest updates on, will regress the machine to the service pack in use at the time the CD was made. This, in turn, exposes the affected system to problems.

What Microsoft should do is to make it possible to prepare update CDs for systems that are having difficulty reaching the update site, or those that, for technical reasons, have had to be regressed. It would also be nice to be able to get the media if you can't find the right one for the machine on which you are working, but I can see the problem with this – although it would probably be a lot of work, someone could at least in theory get away without activating Windows. Having some way of “being trusted” by Microsoft would help, but any such way should not be expensive. I personally only use Windows on a virtual machine at the moment and do not feel I should have to pay more just to help me maintain machines for other family members.

The creators of system hijacking bots

This point relates to a paragraph just above, in some ways, but not entirely.

There exist several system hijacking bots, that look around for Windows systems they can attack. They are designed to make it difficult to remove them, and are installed simply because of a lack of protection on the system concerned – even perhaps because the protection is being changed over. There is no knowledge or consent for such hijacking.

There also exist hijacks in among other kinds of malware, but often these are avoidable simply by not installing the affected software in the first place – this amounts to the consent lacking above, but often without the knowledge of the user at which the software is aimed. These are a lesser evil but can still be deeply evil at times.

What the creators of these ghastly programs should do is repent, and furnish those who can do something about it with a remedy that makes them ineffective.

Real-time blocking lists

Please do not get me wrong here – the majority of well-established real-time blocking lists are well run, effective and not over-zealous.

However, whenever a new one is set up, there are often problems with over-zealous application of blocks and poor response when it is pointed out.

In case you are not familiar with this, IPv4 addresses can be divided into many small networks by using varying lengths of mask. If we take the address 10.1.2.3, it can be considered part of 10.0.0.0/8, 10.1.0.0/16, 10.1.0.0/20, 10.1.2.0/24 and 10.1.2.0/28 among many others.

The number after the / indicates how many of the leading bits of the mask are 1; the rest are 0, and, like an IPv4 address, the mask has 32 bits. So, for a /16, the mask can be written as 255.255.0.0, and for a /28, it is 255.255.255.240.

The problem is that, when a new real-time blocking list shows up, they might detect a spam from 192.168.224.163 and block 192.168.224.0/24, blocking not just the affected system but over 200 others. Suppose that that /24 is divided into /28s – the owner of 192.168.224.80/28 would be affected, even though the spam came from 192.168.224.163, outside his allocation. He would then have to use roundabout means, or even a webmail system, to send mail to someone who uses the new blocking list.
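The mask arithmetic from the two paragraphs above, and the collateral damage of listing a whole /24 for one spam source, worked through in code. This is an added example, not part of the original page; the addresses are the page's own private-range examples.

```python
# Added example, not part of the original page: the CIDR arithmetic behind the
# RBL over-blocking problem described above. Addresses are the page's own
# private-range (RFC 1918) examples, so nothing here touches a real network.

def dotted_to_int(addr):
    """Parse a dotted-quad IPv4 address into a 32-bit integer."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n

def int_to_dotted(n):
    """Inverse of dotted_to_int."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_int(prefix_len):
    """32-bit mask whose first prefix_len bits are 1 and the rest 0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def prefix_to_mask(prefix_len):
    """Dotted-quad form of the mask, e.g. 16 -> 255.255.0.0, 28 -> 255.255.255.240."""
    return int_to_dotted(mask_int(prefix_len))

def parse_cidr(cidr):
    """Split 'a.b.c.d/n' into (network as int, prefix_len), zeroing any host bits."""
    net, plen = cidr.split("/")
    plen = int(plen)
    return dotted_to_int(net) & mask_int(plen), plen

def in_network(addr, cidr):
    """True if addr lies inside the CIDR block."""
    net, plen = parse_cidr(cidr)
    return dotted_to_int(addr) & mask_int(plen) == net

def overblock_report(spam_source, listed_cidr, innocent_cidr):
    """Measure the collateral damage of listing listed_cidr because of one spam
    source: how many other addresses are swept up, how many of an innocent
    neighbour's block are hit, and whether the source was even in that block."""
    if not in_network(spam_source, listed_cidr):
        raise ValueError("the listing does not even cover the spam source")
    others_blocked = 2 ** (32 - parse_cidr(listed_cidr)[1]) - 1
    inno_net, inno_len = parse_cidr(innocent_cidr)
    innocent_hits = sum(
        in_network(int_to_dotted(inno_net + i), listed_cidr)
        for i in range(2 ** (32 - inno_len))
    )
    return {
        "others_blocked": others_blocked,
        "innocent_hits": innocent_hits,
        "source_in_innocent_block": in_network(spam_source, innocent_cidr),
    }

if __name__ == "__main__":
    print(prefix_to_mask(16), prefix_to_mask(28))
    print(overblock_report("192.168.224.163", "192.168.224.0/24", "192.168.224.80/28"))
```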

Part of the problem, of course, is that some providers allocate IPv4 numbers dynamically – meaning that it is difficult to trace the source of spam, viral activity or whatever, to a specific machine. Some RBL operators make that assumption about any range if they see that it is for dialups, DSL or cable – often without checking that this applies to the whole range and not accepting the truth when one of the affected people lets them know.

(Observers will have noticed that all the IPv4 numbers quoted above are of kinds that should not be out on the Internet – they should be confined to private networks. However, they serve as workable examples which is just what is needed here.)

If someone is determined to create a new RBL, they should take care to make sure that it is not over-zealous, or if they receive a complaint that it is, handle it responsibly. However, it could be argued that we have enough RBLs already.

Wireless access points

The growth in popularity of wireless networking is no bad thing, provided it is done right. However, many access points are supplied in insecure mode by default. You can usually tell these – they have a network ID that tends to relate more to the make of the access point than to its owner, and no WEP or WPA enabled, meaning that if you are set up to allow roaming onto unsecured networks (as you need for public WiFi), your computer can easily wander onto these unsecured access points.

Deliberate use of such an access point without permission has been made illegal, as has using one on which you have cracked, or otherwise received from an unauthorised source, the key. However, the presence of such networks can make it difficult for someone to actually use their own network if their equipment detects better signals from one of these unsecured points.

As there is usually little to identify the owner of such an access point, it can be difficult to know who to approach to ask them to secure it.

As for any advice I can offer on this, unless you have a device that is WEP only, you should at the minimum use WPA-PSK. WEP is insecure in that some people have come up with quick ways to crack your key – but even WEP would prevent computers wandering onto your network instead of staying on their owner's. The only exception, and some advise against even that, is if you live in an area where there really is no-one else around; there you might consider an open network to be at least reasonably safe.

What should be done, and I note that some manufacturers do, is that access points should be sold, at minimum, secured with WEP by default. Another good idea would be for there to be a web page on an access point whose purpose is for people who have discovered it by chance to report to its owner that it is insecure and causing a problem.

Telephone companies and staff training

Once again, please do not get me wrong here. Done right, a company can have its calls answered by staff in a different part of the world, and it can be highly efficient. However, done wrong, it can really go wrong.

Companies, particularly telephone companies, using such facilities should make sure that calls only go to people who have sufficient grasp of the relevant language (English in my case) to deal with any enquiries they might get, whilst remaining civil, not repeating the same irrelevant response, and having someone they can refer a query to, preferably back in the home country of the company, on request.

For example, if you are trying to update your directory entries, you should be able to get through to someone who can at the very least advise you as to costs and availability. It should not be automatically assumed that the customer wants all the existing directories recalled – this is unreasonable anyway. It should not take more than the customer saying “You clearly have not understood me and I would like to speak to someone else.” for the call to be referred to someone back in the home country of the company. Of course, there should perhaps be a rule that the overseas agent tries twice to understand the situation and then automatically, on it being made clear that they have misunderstood the customer, put the call through to someone elsewhere.

Also, if you call up with a specific query about something, especially where a mistake in the company's own documents is involved, details of the query should be taken – the agent should not disappear before it and then come back, 20 or more minutes later, with an answer to the wrong question because he never took the right one.

Of course, this situation does not arise in the first place if a company ensures that all its calls are answered in the home country. I do appreciate how having call centres elsewhere makes things more efficient, but only if it is done correctly. Done badly, it can, in complicated situations, prove to be a complete waste of time, an obvious waste of the customer's money and highly frustrating for all concerned.

Idiots on IRC who do not understand or use terminology correctly

I'm sure some of you are now saying “IRC is full of idiots anyway” – and perhaps it is. What I can't stand is the terminology used by many to refer to IRC operators. For those of you unfamiliar with the term, an IRC operator is someone authorised to carry out administrative tasks on an IRC server, for the purpose of maintaining it and, in a small way, the network. If you want to shorten the term, the preferred abbreviation is “oper” – consider them to be like telephone operators who can help with administrative and technical matters. The alternative, “IRCop”, has a problem – some idiots see the “Cop” and think of them as some kind of police. This is untrue. They cannot “bulldoze” a channel just because it is being used, in the opinion of some ordinary user, abusively. They may be technically capable of removing people, but not “en masse” and they never do for matters which are not clearly against server or network rules. They don't use the capability for nicknames, and trying to use it for channels would be like trying to fight a forest fire with a water pistol.

The term “IRCop” needs to be firmly shown to be not the one to use, and that “oper” is preferred. It should also be realised that opers do NOT refuse to do things out of spite or for similar reasons, but because they either simply can't or because it would be counterproductive.

AIM bots – stupidity by the big guys?

You may wonder, again, what leads me to know anything about AIM – but I have friends who use it as a preferred means of communication, and my late partner also had friends who used it. For convenience, we have our own Jabber server and that handles all our onward connections to other messenger systems – also meaning we have a single consistent interface for all instant messenger services.

On one occasion, after using the official AIM client, my partner started to be plagued by some of AIM's bots, which always tried to get his attention when he connected. Try as we might, nothing in either the official client or the Jabber side of things would shift them.

The answer was in fact to use Trillian to remove the bots from his roster, and go straight back in via Jabber afterwards. This seemed to be the only way to get these bots out of the way.

These bots pestering a user constantly with no easy way to stop them are a nuisance! As they only descend on people who use the proper software, this is a good reason why freedom to choose the software you use is a good idea. This freedom needs to be maintained, at least as long as these messenger systems are independent.

Caravan parking at motorway and similar service areas

Arrangements for parking your car if you are towing something, when visiting a motorway-style service area, are often confusing, and even then, often abused. They may also fail to meet the needs of all on board at some service areas.

Ideally, there should be signs at every possible turning point along the way showing which way to go. The sign should have a picture of a caravan on it, and an arrow. At some, after the first sign there are no more and the road leads directly to the exit.

Failing that, a sign showing a caravan, “follow” and another symbol, provided that is adequately signposted, would do.

There should be a penalty for parking inappropriate vehicles in caravan bays. Appropriate vehicles should be cars towing anything and possibly motorcaravans and other vans too large for car bays. Other vehicles should be required to display a permit, showing that day's date, indicating permission to park there.

Where the sign points to a row of spaces and some are restricted to coaches only, others open to caravans, signs should make it clear which are which.

It is sometimes found when you get there that there are steps, or worse, whole flights of stairs, between the caravan bays and the facilities. If one of your passengers cannot use these, then it can be necessary to park elsewhere on the site. This somewhat frustrates not only the caravanner but the correct user – if any – of the space taken.

Above all, what is really needed is consistent signage, appropriate enforcement and, where possible, level access.

Mobile phone companies supplying handsets on contract

Once again, at least most of the time, I have no problem with the actions of these companies. However, information as to the differences between a network's version of a handset and the generic version should be clearly stated.

Networks may have their own firmware on a phone – often a good idea as it makes the phone operate nicely with the relevant network, simplifying the experience for some users and making technical support far easier. I support the right of the networks to do this – done properly, it works well. Networks have been known, though, to remove features other than those that are supported on their network. Often, they have at least semi-sound reason for this, but they should be required to indicate, in the sales documentation, which features found on the generic version of the phone are missing or restricted on their version.

Another problem that sometimes occurs: a network's firmware for a particular phone may contain a fault it inherited from its parent generic version. The fault will persist on that network's version of the phone until they launch a replacement firmware to fix it – if that ever happens! If it does not happen, at least reasonably promptly, I would argue that it is against the warranty, the Sale of Goods Act or both.

Users can generally update phone firmware themselves using a PC, but only to versions approved by their network. Actually this is enforced by a code in the phone – the product code. This should not be changed by anyone without written permission from the branding network, as to do so can be held to invalidate the warranty, though where done to fix a fault the network was not bothered about fixing I would argue it should be allowed. It also cannot cause faults that are due to such things as poor soldering – a point possibly arguable there.

The networks can give permission for the product code to be changed – to debrand the phone – but not all know anything about this – those that don't cannot give permission, and they are often reluctant as they consider it akin to unlocking. It is not – a phone can be debranded yet remain locked to a particular network. Locking a phone to a network is something I also find acceptable but it should be removable after the expiry of the minimum contract without further charge and without the code taking days to issue – with some modern phones the code is obscure and the network seems to have to go to the manufacturer for it.

The mobile phone networks should be required to be entirely honest about the differences between their handset and the generic version, and to offer the generic version locked to their network, or permission to debrand, as an alternative. This could reasonably be subject to a notice that they will not support features absent from their branded version, and that there may be differences, affecting even the features they do support, of which technical support are unaware. There should be no charge for debranding where a fault is involved, and the charge when removed features are required should be proportionate to the actual work involved – a small fee, if any. Many people, including myself, would have greater faith in, and therefore loyalty to, a network that agreed to this.

Call queue systems

I'm talking to some of the same people again here... once again, there is nothing wrong with call queue systems on the whole, but some are better than others and really show up the inadequacies in the poor ones.

There are two sorts of call queue systems – online and offline. Offline queues are, quite honestly, perfection itself if there has to be a queue at all – there is no way they can be done badly, provided any stated waiting period is adhered to: the caller is simply called back when an agent is available. Failing to call back within the stated period, however, degrades these systems.

Online queues, on the other hand, keep the caller hanging on, often accompanied by music or an occasional tone, with occasional announcements. Just occasionally, one might include a period held in silence – this is a bad thing, you cannot tell for sure that the call has remained connected.

A good online queue will include the caller's position in announcements – this is helpful as it gives the caller a rough idea of how long they might have to wait.

The perfect online queue system should work like this:

The no-nos:

Companies which have good queue systems are more likely to have me as a customer than those with poor ones.

Providing forms as PDFs

Done right, forms provided as PDFs are wonderful. However, there is a very common wrong way to do it. Sometimes the PDF you can get is effectively merely a print-out of the paper form. This still leaves the user with the problem of how to complete it.

A properly done form can, with the right software, be filled in, apart from such things as signatures, directly on the computer before printing it. This should be the standard to which these forms are done.

A form which is merely an effective print-out cannot be so easily completed. I use a program called xournal to complete these, and it can be problematic because text I overlay does not always match the boxes, leading to me using a special font with thin spaces and adjusting most of the characters to fit correctly on a print preview before printing. This is very time-consuming.

The other way, to print the form as is and then write on it, is even worse for me.

Organisations that do PDF forms properly will find me more than happy to use them. Those that do them badly make it difficult and I will continue to look for easier ways.

Call rejection services, and their relevance to junk calls

Junk calls, of the “unwanted sales call” nature, are a nuisance. Some time ago, some telephone companies provided a service which the subscriber could switch on or off, which, when on, caused the telephone system to reject calls on which the caller's number had been withheld – it is normally referred to as “Anonymous Call Rejection”. This got rid of a lot of the nuisance calls. However, the junk callers soon found a way around it – by presenting a caller ID which is not genuine. Of course, it is not always easy to tell that they have done this – they might present a number which looks entirely plausible – but sometimes it is easy to tell. In some cases it is more difficult but still possible to tell as being a fake.

None of the telephone companies has yet implemented “Obviously Fake ID Call Rejection”, but it is, if you use something like Asterisk, something you can easily do yourself. Therefore there is no real reason why the telephone companies cannot do this.

Of course, you cannot connect your mobile phone via your own Asterisk setup, so it remains vulnerable to all calls. Couple to that the fact that the mobile phone service providers (with just one exception: Andrews & Arnold) have not yet implemented “Anonymous Call Rejection”, despite it having been a legal requirement for them to do so for some years, and you can see that the problem is difficult to solve.

Some obviously fake caller IDs:

Numbers beginning 01 normally have 11 digits, but they can have 10 if they begin with one of 210 particular sequences of digits, which fall within 37 broad areas. I have a regular expression that matches every single one of the 210 sequences, but even a special rule for the 37 areas would not be hard to implement. If a number does begin with one of the 210 sequences, it cannot in fact have 11 digits at present; care is needed here, though, because if a digit were ever added to those numbers to bring them up to the more common 11-digit length, a careless rule would produce “false positives”.
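The 01 length rule just described, together with the two subscriber-controlled rejection switches discussed in this section, written out as an added example. It is not the author's Asterisk configuration; the page does not list the 210 ten-digit prefixes, so `TEN_DIGIT_PREFIXES` is a constructed placeholder set standing in for the author's regular expression, and the sample numbers are constructed too.

```python
# Added example, not the author's own Asterisk configuration: the length rule
# for UK 01 caller IDs described above, plus the two subscriber-controlled
# rejection switches the text discusses. The page does not list the 210
# ten-digit prefixes, so TEN_DIGIT_PREFIXES is a constructed placeholder set
# (the values are not real UK prefixes) standing in for the author's regex.
import re

TEN_DIGIT_PREFIXES = ("0199912", "0199934")   # PLACEHOLDERS, not real UK data
TEN_DIGIT_RE = re.compile(r"^(?:" + "|".join(TEN_DIGIT_PREFIXES) + r")\d*$")

def classify_caller_id(cid, migration_grace=False):
    """Return 'withheld', 'ok' or 'fake: <reason>' for a presented caller ID.

    migration_grace models the caveat in the text: if a digit were ever added
    to the 10-digit numbers to bring them to 11, a strict rule would produce
    false positives, so that case can be tolerated instead of rejected."""
    if cid is None or cid.strip() == "":
        return "withheld"
    digits = re.sub(r"[ \-()]", "", cid)
    if not digits.isdigit():
        return "fake: non-numeric caller ID"
    if not digits.startswith("01"):
        return "ok"                     # only the 01 rule is modelled here
    if TEN_DIGIT_RE.match(digits):
        if len(digits) == 10 or (len(digits) == 11 and migration_grace):
            return "ok"
        return f"fake: 10-digit area presented with {len(digits)} digits"
    if len(digits) == 11:
        return "ok"
    return f"fake: 01 number with {len(digits)} digits"

def should_reject(cid, anonymous_call_rejection=True, fake_id_rejection=True):
    """Subscriber-side decision. Both switches belong to the subscriber, not
    to whoever holds the handset, which is the distinction the text insists on;
    and the decision is made before the phone rings, not after."""
    verdict = classify_caller_id(cid)
    if verdict == "withheld":
        return anonymous_call_rejection
    if verdict.startswith("fake"):
        return fake_id_rejection
    return False

if __name__ == "__main__":
    # Constructed sample caller IDs, not real numbers.
    for sample in ("", "01234 567890", "0199912345", "01999123456", "0123456789"):
        print(repr(sample), "->", classify_caller_id(sample), "reject:", should_reject(sample))
```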

As for calls that come to the mobile phone, the usual excuse from the networks for doing nothing about “Anonymous Call Rejection” or “Obviously Fake ID Call Rejection” is that you can press the red button, or similar, to reject the call. That is not the point. The requirement for “Anonymous Call Rejection” is that it be controlled by the subscriber – not necessarily the user of the phone. Another point sometimes made is that you can use an app to reject anonymous calls, or those from specific numbers known to be unwanted. However, once again, this is phone user, rather than subscriber, controlled, and also you can't program it to reject all the obviously fake caller IDs I mentioned above, only specific numbers. The real point against rejecting calls using the red button or similar is that the phone has already rung by the time you can do that.

“Anonymous Call Rejection” also gets rid of the malicious idiot type of call.

The mobile phone networks have no excuse for not implementing “Anonymous Call Rejection” as per the law's requirement. The entire telephone system needs to be less trusting of the obviously fake caller IDs that appear on some calls, and should implement “Obviously Fake ID Call Rejection” as soon as possible.

My web form is open for comments on all of the above points.