A saga with Virgin Trains Mobile e-tickets

/
IMG_3126.jpeg

I've often considered myself an early adopter, but being of the nervous disposition I am in fact wary of things like e-tickets because no technology is perfect. Typically I like to have a paper backup of such things, just in case.

So, this also applied when I recently booked the whole family on return Virgin West Coast tickets from Scotland to London. I hesitantly ordered my tickets to be delivered to my mobile phone because I have been let down by the post before, and we have no self-service machine at our local station. (Sure, I can use the one at the main station on the day, which is 20 miles away, but I always feel it's a bit too late to find out something is wrong just before your train; I like to have these things in my hand in advance).

The thing is, Virgin seem to have changed their delivery of e-tickets and their app a few times lately. There was a time when you could download them into your iPhone wallet and display them on your lock-screen, which was ultra handy. And once they were on the phone, they were on the phone (or so it seemed anyway). I had very little issue with this system other than the risk of my phone conking out.

IMG_2823.jpeg

Now, however, tickets are accessed through the Virgin mobile app. The process seems similar: you "download" tickets, then on the day "activate" them. Well, our outward journey was fine, but it started to go wrong on the return journey.

We were sitting in Euston and about an hour before the journey I went into the app and made sure the tickets were "downloaded". All good. I then activated them, to make sure I had everything ready to present. Again, all good.

30 minutes before the journey I checked my phone again, checked the tickets were ok, and explained to my fellow-travellers that we'd have to show them at the platform entrance. All good.

Where did my tickets go?

About 20 minutes before the departure of the train we got the text notification to proceed to concourse. So, down we went.

I told you I was the nervous type, so I checked the tickets again. This time not good. I had been logged out of the app, and was presenting with a login screen. I tried to login with my regular details and it was rejected. Panic started to set in.

Now, I should also add that the week before when I booked the tickets, Virgin had taken it upon themselves to forcibly reject my existing password as not meeting their "new requirements" and so I had changed password. I started to wonder whether I was making a mistake or if it was them. Either way, whatever I tried, I was not getting in: I could not display my tickets.

I raced to the virgin ticket area to seek assistance - massive queues; one member of staff out front assisting and busy with two people ahead of me. Anyway, politely I waited while my blood pressure doubled, and eventually explained the predicament to him.

Now, I had taken what reasonable and available "backup" precautions I could, in the sense i had screen shots of my booking, the reference number etc. I asked would this be sufficient to at least get on the train and then try and sort the problem? He said no - the best he could offer was go over to the corner where there's a phone to virgin central command and see if they can do something like change your train!

A flash of inspiration

By now I was proper panicking, and was trying to do a password reset.

THEN, suddenly, I just had a light-bulb moment. Was this the internet? I realised my phone was showing a public WiFi connection but I'd not been asked to log in. I killed the WiFi, dropped back to 4G, and fired up the app again. I re-entered my login details and -boom- lo and behold I was back in my account.

However, my tickets were not in the app, despite previously having been "downloaded"! I "downloaded" them again, which thankfully worked, and was then able to activate them, before dragging my family at breakneck speed to the platform. We were back up and running.

IMG_2525.jpeg

This was a terrible experience on many counts: poor process design, poor user experience [failing a login attempt because of no internet connection but reporting just a login failure; loss of already "downloaded" tickets for example], poor customer service. It may have expanded my child’s vocabulary somewhat, but it didn’t do my cardiac system any good.

I had a quick look at the Virgin FAQ on e-tickets, and it says this:

Q: What happens if I run out of battery?

A: Ensure your mobile is charged, if you are unable to display your mobile ticket, you'll need to buy a new ticket at the full fare.

In other words: "no-show, no go.."

Obviously anyone reading that FAQ ought to realise that it would include any reason for failure to display the ticket; but what it doesn’t say is that mobile app appears to rely on an internet connection to display tickets. Had I known this at the outset this whole saga could have been avoided. Although, it does then beg the question, if the tickets are "downloaded" and "activated" why is an internet connection required at all after that point?

I suspect the answer is the tickets actually only live on the virgin server, and unless you can display that, you are stuffed.

back to good old paper

Suffice to say, I won't be using this system any time soon again in future unless I really have no option or Virgin introduce some kind of mitigation for device or connectivity failure. And if I do end up having to use the app again in future, at least I will take screenshots of all the tickets and bar-codes from inside the app in advance.

You have been warned.

IMG_2672.jpeg

Configure Ubiquiti Edge Router Lite with Preferential Load Balancing for different devices via dual link WAN

/

Snappy title, huh?

Introduction and Purpose

In this article I give the steps to configure an Edge Router Lite so that it can apply different load balancing rules to different devices on your home/local network. There might be a few use cases for this type of configuration, but here's mine:

I live in a rural area with slow ADSL broadband (around 2Mbps) and no imminent prospect of fibre. I am also a home worker, and that speed is practically unworkable. Thankfully in December 2016, Vodafone expanded 4G coverage, such that I can now receive it via an aerial on my house. So, at the time of writing, I have a 50Gb per month data plan on 4G, and can get speeds of around 40Mbps.  I need both links, because not only is their variability in the services, due to things like weather, but 50Gb is simply not enough. So, I need to split my traffic over the networks so that my work activity gets priority on the high speed link, and other stuff (such as music streaming) favour the slower - but uncapped - ADSL link. 

Using the edge router, this configuration does exactly that. The inspiration and configuration schema itself was provided at https://community.ubnt.com/t5/EdgeMAX/Dual-WAN-with-some-hosts-using-only-one-WAN/m-p/703493#M22093 but without instructions. As a novice to networking, my eyes glaze over at all that config and the prospect of recreating it at the command line. So I set out to configure it via the UI (and succeeded). This article shows the steps. 

Objectives

I have several media streaming devices in the house, e.g. SONOS, Amazon Echo Dot. The reality is, for playing music they do not need 4G speeds, and up until now have been unnecessarily consuming 4G data allowance on my existing load balancing set up. That set up is just one load balance group with a 75:25 split ADSL:4G, which in itself is not ideal because it favours the slow link, but is necessary to keep my 4G usage within the necessary limits.  The SONOS in particular is a culprit because it is in my child's room and plays a playlist of about 3 hours' duration each night: it really doesn't need to use 4G at all (except perhaps for fail over) - so the plan is to "pin" that device to the ADSL link.

The same goes for the Amazon Echo Dot in my office, and the Echo Dot in our living area, which is hooked up to a soundbar. 

The plan with the configuration is to have these 3 devices belong to their own load balance group, and balance that group so that it is almost 100% supplied by the ADSL link. In actual fact I am going to start off with 90-something percent, so that when the ADSL link is being heavily used (child watching iplayer for example), there is some availability of additional bandwidth from the 4G side.  Failover will be left in place so that there are no interruptions in the event of ADSL failure (or me tripping over the hub). 

Remaining devices, for now, will all belong to a different load balance group which is more equitable, allowing them a greater share of the 4G. I need to run the system for a while to establish the right level within my data cap, and indeed plan to introduce a further load balance group which tips the balance the other way; thus allowing, for example, my work PC to have a 90:10 balance 4G:ADSL. For the purposes of this article, however, all these remaining devices will stay in the default load balance group, which was created using the Edge Router wizard. 

Part 1 - Static IP's

This whole set up relies on creating a group of devices you can assign to a load balance rule, and applying that rule to the firewall prior to the default rule. In order to create the group of devices, they need to have static IP's rather than the default dynamic. That way they can always be identified.  Knowing that I plan to expand the number of devices that I might do this with, I decided to reserve a larger-than-default range of IP's for this exercise, and future use.

So, i reduced the existing dynamic IP range to stop at 192.168.2.230 on the basis I would reserve 192.168.2.231 - 239 for my "ADSL-pinned" devices. This can be done in the DHCP Server menu.

next step is to create the static mappings for the SONOS and Amazon Echo devices. One way to do this is from the DHCP Server -> Static MAC/IP mapping tab. 

I have set my SONOS to the first address in my "reserved" static range: xxx.231

There's also another (quicker/easier) way to create these mappings: from the Leases screen. Just find your device in the list.

Note that I didn't change the name of anything, just the IP address to something in my static range. Note too, that the existing IP leases hold good even after this change, so the devices do not take on their new IP until you reboot them, which we can do at the end. 

So, I mapped my Office Echo dot to static IP 192.168.2.232 and Kitchen dot to xxx.233

The above steps complete part 1, which accomplishes this configuration step of the original solution:

Part 2 - Firewall Group

Now we need an "Address Group" with those static addresses, as per the original solution:

This can be done from the Firewall/NAT controls - I created a group called A nice

A nice feature is the ability to add a range of IP's, not just individual devices (choose "Actions -> Config"). I chose to add the whole of my 192.168.2.23x range so that any device mapped into that static range in future will automatically adopt the ADSL load-balancing scheme. 

Part 3 - Load Balancing rules

The original solution requires creation of an additional load balance rule:

So, to begin with, I am going to create a load balancing group, using a 90/10 rule, called LB-ASDL-primary. This can be done from the Config Tree pane. (Navigate to the branch shown in the bold breadcrumb trail, and choose ADD)

Since I am running on fairly default configuration, this new group just needs to mimic the existing master group (G), so that means adding the right interfaces (eth0 and eth1 in my case)

Once done, we need to work down the configuration for LB-ADSL-primary, replicating what we see in "G".

Again, if like me you are running on default config, in reality most settings can be left alone, and it's just the weight that needs amending. Once, that's done, click "PREVIEW" - which is essentially a "check and save" function - at the bottom of the screen.

With this configuration, my SONOS/Echo devices are still going to use 10% of the 4G link. It will be trivial at a later date to make it 100% ADSL and 0% 4G, and set the 4G as failover-only, if desired.  That's this step done. 

Part 4 - Amend Firewall "Modify" group

Referring back to the original solution - we need to change the firewall "modify" rule to add a new "modify" rule, which will reference our new load balance group. Thus our new group of devices will get their special load-balance treatment before the remaining devices get the default treatment. 

Note that in the new rule we have to reference our new load balance group and then also the devices (address group) that are the source. As a reminder:

  • Our Firewall/Address group is called ADSL_link_devices
  • Our Load balance rule is called: LB-ADSL-primary

In the config tree (see below), the existing config built by the wizard looks like this, with rule 100 set as the load balancing rule, and the default load balancing group called "G".

We will add a new rule and reference to the group. It will be before rule 100, and use our new load balance group, and assign our new address group (i.e. target devices) to it. 

Add a rule 90, then change the "source" to reference the new address group. 

Now we need to define the actual rule. It's a "modify" rule, so navigate to the modify branch under rule 90, then reference our new load balance group in the lb-group slot. 

And Save ("Preview")

That's this step done.

Finally - Apply to Interface

A firewall rule is nothing unless it is actually applied to an interface, as per the original solution:

As you might have suspected, following this method you don't have to perform this step, because we have modified the existing rules "live" (called "balance" by default) and all our changes are already in place on the interface they originally applied to (eth2 in my case).  (shown below for completeness)

Testing

Before we change anything else or try our devices, check what is currently happening: our new group has no traffic (as we expect)

20 test 1 before.png

Now we play something on the SONOS / Amazon Echo, to see which WAN link the media comes down. Since the IP addresses of the devices have not yet changed, nothing new happens, and (happily for this test) the data comes over the 4G link (eth1): exactly what I am trying to prevent.

And another check from the command line (i did sneakily change the weightings to 91/9 in the meantime, for those with a beady eye). 

Now we reboot the devices so that they acquire their new static IP's. (Seems you can't ask Alexa just to reboot, which is a shame :) ). We can confirm that the devices (e.g. Echo) have picked up their new IP in the .23x range, which they have:

So,let's play some music again and re-examine the interfaces. Look at all that lovely red = eth0 = ADSL...  just what I wanted.

 

And finally, confirm the stats from the command line, we see LB-ADSL-primary load balance group is now pulling data in the right proportions:

Very happy. Case closed!

Should have been labelled...

/

The aftermath of the recent IT fiasco at British Airways reminds me of a funny story which should be filed under the "should have labelled it" category.

In my early 20's I took a trip to Edinburgh and stayed in a cheap guesthouse. I also took my "games console" (a Philips CDi, if anyone remembers those!).

The room was a bit sparse on sockets, especially near the TV, but there was one with a 12 volt adaptor already in it... I looked to see where is was going and what it was powering, but it didn't seem to be anything in the room. So, i turned it off, and nothing seemed to change, so I unplugged it, plugged in my CDi, fired up the TV and thought nothing more of it.

Next morning, I was rudely awakened by a knock on the door and a TV engineer asking if my TV was working. I'd played my video games with no problem, so "yes" was the answer. There was some confusion, as every other guest in the guesthouse had reported their TV not working.

It transpires they meant there was no signal - and the TV company had been out since dawn clambering all over the roof to trace the fault, starting from the aerial backwards.

Well, you know where this is heading.

It turns out that adaptor powered the TV booster box in some cupboard somewhere - so I had killed everyone's terrestrial signal by unplugging it. 

The proprietor was fuming and wanted to charge me the whole call out fee. Despite being a nervous 20-something-year-old, I refused. He said we were not entitled to use the electricity in the room. I said there was a TV, kettle in the room, so he was talking nonsense. And if he had critical infrastructure powered from a guest room, it should be labelled.

(In the end I gave him everything I had in my wallet as a gesture of goodwill, which was about 28 quid; I think the call out fee was 60 something)

So - a 10p label would have saved a £60 cost to the business...

BA, take note.... 

Controlling room temperature with Netatmo "occupancy detection" and IFTTT

/

Thanks to the addition of Heatmiser range to the online automation service IF (formerly IFTTT - "if this then that") it's now possible to control room temperature using inputs from your other IFTTT-friendly IOT devices. In my case, Netatmo weather station. 

In my house, heating for every room is individually controlled by a Heatmiser Neo thermostat, each running an individualised programme of temperature gradients throughout the day, tailored to each room. During the summer most of these are just on standby, meaning in practice unless the room drops below 12 degrees C, the heating will never come on.  

My child's room is the exception, because we don't want him to ever get too cold, and some days he naps in the afternoon; so his thermostat is always active. So far so good. Except when you open the windows, perhaps for fresh air during the day, and it turns cloudy, the temperature drops and the heating comes on and heats the great outdoors. 

Finally, I have a solution which does not involve adding sensors to the Windows.  

The first step is to use Netatmo indoor station as an occupancy detector. Over the last year I've charted the correlation between occupancy and CO2 levels and in general found that an occupied room tends to read >500ppm CO2 and unoccupied room is below that. Of course if you open the window the CO2 level drops to almost zero very rapidly. So, this basic threshold measure can be used as a simple detection of empty room and/or wIndows open.  

IFTTT recipes to control Heatmiser thermostats based on occupancy (CO2) 

IFTTT recipes to control Heatmiser thermostats based on occupancy (CO2) 

 

Of course, you might ask what happens if the windows are open while the room is occupied. Good question - but in our case it never happens; our child is young, so for safety when he is using the room we always have the widows locked shut. 

This simple trigger forms the basis of the input to an IFTTT recipe which controls the Heatmiser thermostat in the same room. If the CO2 levels drop (room empty or Windows open) then the thermostat is set to 'standby' (this stops it following its daily program) and if CO2 rises again ( = occupied) the standby mode is deactivated and the normal program continues to run. 

This way we hope to avoid those costly mistakes where we have opened the windows and forgotten to adjust the thermostat; or unnecessarily heated an unoccupied room.  

For the future we can explore whether outdoor temperature, wind speed and rainfall can be used to optimise performance of the indoor heating.   

You have no guts, man. The fingerprint of a scam.

/

I got a call  from 020 0982 3420 this evening from someone "authorised by Microsoft" offering to scan my PC for all manner of unnamed things that apparently make it run badly. I kept "Paul McKenzie" (with an Indian Accent) talking for about 25 minutes with the lure of 6 or 7 PC's to fix, knowing full well this was a scam.

I know it's a scam because a family member fell prey to it in 2010. And by how my call ended.

It is a well executed scam, very well executed actually; these folks have all the answers and play out a very convincing story. But, in the final analysis, when you consider that someone is prepared to stay on the phone for 25 minutes to make a sale of "PC healthcheck", something smells fishy - around about the 3 minute mark actually.

I stuck it out with this guy for a couple of reasons. One - just to save someone else being caught - my 25 minutes on the phone might have used up time scamming 3 or 4 other people, so it was part community service. Two - I also wanted to get a full sense of how they operate. I certainly got that.

Here are the tell-tale signs I noticed:

 

  • A call from a London number; when answered 3 or 4 seconds of silence before speaking = classic power-dialling = wanting to sell something
  • The chap then started referring generically to my PC. Rather than ask how he knew I had one (he, doesn't by the way, he's guessing; and if you ask the question he'll say it's the error reports you get from crashed programs), I asked which one. Pause.
  • The one with windows on. Yeah, doesn't really narrow it down does it? Which windows?
  • Err.. either windows XP or Vista. So immediately I know he's fishing, I own neither. This is almost like getting a psychic reading.
  • He proceeds to ramble on about windows auto updates and how it downloads junk and my computer is full of it and do I want a healthcheck. I play along.
  • I say I am recording the call. He says he doesn't mind, which proves he is reputable - a scammer would hang up, he says.
  • I say I know what's going to happen - he'll get me to download something and access my PC. Evasion.
  • I question his identity - he says he is a partner of microsoft, sort of implies doing it on their behalf.
  • I push the whole identity thing and he takes me to microsoft's website and claims to be SB3 INC. Would microsoft allow a disreputable company on their website?
  • When I question that I have no proof he is SB3 INC he says surely I trust microsoft. That an intelligent person would realise that a company associated with microsoft would not be disreptuable. I don't disagree, but my question is about proof he is SB3. And he insulted my intelligence; that raised the stakes.
  • He says he is my system admin and he is just trying to help. I say what? Do you access my PC without my permission? No, he just wants to help. Just a check, like going to the doctor, then you buy the medicine. (Good of him to spell that out for me).
  • He just wants to check my PC for bad things, what would a reputable company do that's bad? I say, you could install a keylogger and get my bank details. He repeats, why would a reputable company associated with microsoft do that?
  • I push the "prove you are SB3" line and he suggests I look at the SB3 INC website. I say this is not proof. I say I could tell him I'm from HP and show him an HP webpage - what does it prove?
  • Backed into a corner he asks what proof I want? I say it can't be given - what I'll do is call the SB3 number. He says Ok, he'll give me the number so I can call back and speak to him. I say no, I'll call the number on the microsoft site that I DO trust. He insults my intelligence again and asks why I don't trust microsoft. Calmy, I again explain to him that I do, but I don't trust him.
  • In the end I force this point and he says "you have no guts, man; you have no guts" and disconnects. 
  • I guess mr unintelligent here outsmarted him. 

 

Let me tell you - his persistence was wearing and convincing. I can see how it would be ever-so-easy for someone to be socially engineered into following his instructions. When you step back and analyse it, however, the whole scam revolves around the association with microsoft as a claim to be reputable (I hear all the Apple fanboi's - and a few others - sneer in the background!). The point is, at no time is there any proof of his identity, no proof of that association. This is where they trick people - they labour that point, state it as if it is fact. That's what convinced my family member.

How do you protect yourself?

Well, if you know nothing about technology, it doesn't matter; just follow this simple rule:

NEVER, EVER, EVER buy something if you are approached by someone you cannot verify - this applies as much to the doorstep as it does to the phone. If you get an incoming sales call, leave the decision to later. Make it your policy. Tell doorstep sellers "I never buy on the doorstep; leave me your details and I'll get back in touch". NEVER! NEVER! NEVER!

The second thing is to realise something about microsoft: this is not how they operate or authorise anyone else to operate using their brand. Furthermore, this is not the market that microsoft partners are in. MS partners are business solutions partners - they create systems and integrations for business, using email, instant messaging, sharepoint, communications, and all sorts of stuff that if you haven't worked in a big IT department will probably have never heard of. Microsoft retails through the usual channels to consumers, but it does not sit behind this kind of consumer support.  

Finally, make sure your computers are up-tp-date with virus checkers, windows/operating system updates, and run regular scans for malware. This is just as good as what these scammers can do - and the truth is, they don't even do that properly - it's a subterfuge to get you to pay for their services. It's all about impression. Be warned.