
Blog

Extract List of ADFS Failed Logins to CSV

Keeping an eye on failed logins and the user accounts that are being targeted is an important part of being responsible for an Office 365/Azure Active Directory tenant.

If you can afford the higher-level O365/Azure AD plans, there are great tools built in to the Azure Portal that provide useful intelligence on your security posture.

For The Rest of Us(tm), we sometimes need to be a little creative to gather the information needed. For on-premises Active Directory Federation Services (ADFS) servers, I put together a simple, quick and perhaps slightly hacky script to extract the usernames from recent failed login events in the Windows Event Log and dump them, along with the rest of the Windows Event, to a CSV file for later analysis.

This specifically searches event logs from the past 12 hours (43200000 milliseconds in the $query).

Note that this is heavily dependent upon the format of the event message having the username on the (zero-indexed) line 14. Works for us — no warranties, etc. etc.!
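A sketch of the approach described above, added here as an example and not the original script from this post. The event source is an assumption the page does not state (Security log, provider 'AD FS Auditing', event ID 411), and the output path is a placeholder; the 12-hour window and the zero-indexed line 14 come from the text.

```powershell
# Added example, not the original post's script.
# Assumptions not stated on the page: Security log, provider 'AD FS Auditing',
# event ID 411. Adjust these for your AD FS version and audit configuration.
$EventId      = 411
$WindowMs     = 43200000     # 12 hours in milliseconds, as in the post
$UsernameLine = 14           # zero-indexed message line that holds the username
$OutFile      = '.\adfs-failed-logins.csv'   # placeholder output path

$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[Provider[@Name='AD FS Auditing'] and (EventID=$EventId)
        and TimeCreated[timediff(@SystemTime) &lt;= $WindowMs]]]
    </Select>
  </Query>
</QueryList>
"@

function ConvertTo-SafeCsvText {
    # Usernames in failed logins are supplied by whoever is attempting the login.
    # Prefix values a spreadsheet would evaluate as a formula so the CSV is safe to open.
    param([string]$Text)
    if ($Text -match '^[=+\-@\t\r]') { "'" + $Text } else { $Text }
}

# Reading the Security log requires an elevated session.
try {
    $events = @(Get-WinEvent -FilterXml ([xml]$query) -ErrorAction Stop)
} catch {
    # "No events found" is a normal outcome; anything else (access denied, bad query) is not.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

$rows = foreach ($e in $events) {
    $lines = $e.Message -split "`r?`n"
    $user  = if ($lines.Count -gt $UsernameLine) { $lines[$UsernameLine].Trim() } else { '' }

    [pscustomobject]@{
        TimeCreated      = $e.TimeCreated.ToString('o')
        Username         = ConvertTo-SafeCsvText $user
        # False when the fixed line offset did not yield a single token, which is
        # the first sign that the message layout differs from what the script expects.
        LooksLikeAccount = [bool]($user -match '^\S+$')
        EventId          = $e.Id
        RecordId         = $e.RecordId
        MachineName      = $e.MachineName
        Message          = $e.Message
    }
}

if ($rows) {
    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

    # Which accounts are being targeted most in the window.
    $rows | Group-Object Username |
        Sort-Object Count -Descending |
        Select-Object -First 20 Count, Name
} else {
    Write-Host "No matching events in the last $($WindowMs / 3600000) hours."
}
```

Rows where `LooksLikeAccount` is false are worth reading by hand before trusting the summary, since they show the line offset no longer matches the message format.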

Installing RSAT on 1903 from the Features on Demand ISO

Installing the Remote System Administration Tools on a Windows 10 1903 system that uses System Center Configuration Manager to receive Windows updates seems to be challenging. The process of pulling the RSAT bits down from Windows Update in my experience was not succeeding – perhaps because the SCCM WSUS instance did not have them.

The CBS.log showed:

CBS    Exec: Failed to download FOD from WU, retry onece. [HRESULT = 0x800f0954 - CBS_E_INVALID_WINDOWS_UPDATE_COUNT_WSUS]

Some solutions online seemed to suggest temporarily switching the Windows Update source in the registry to Windows Update (online) rather than WSUS, but editing the registry this way and upsetting the software update system seemed… unwise.

I ended up doing it a different way: downloading the Features on Demand DVD ISO from the Volume Licensing Service Center (in my case, SW_DVD9_NTRL_Win_10_1903_64Bit_MultiLang_FOD_1_X22-01658.ISO), mounting the ISO and using this modified version of Martin Bengtsson’s script to install the components from that ISO without contacting Windows Update.

With any luck, this might help someone else.

Going Lower-Level

I just released, on GitHub, IdleTaskTerminatorLite, my first foray into the lower-level world of programming directly with the Win32 API.

We use an old custom shutdown.exe (BeyondLogic Shutdown) to provide a timed screen lock feature, where a user is notified their screen will lock in a period of time and can cancel the locking of the workstation.

Clicking the Cancel button within the time limit, however, seems unnecessary and requires precisely clicking the Cancel button when the user is under time pressure! This is not a good user experience. A simple change to the idle state of the machine (any keypress or mouse movement) should cancel the timed locking of the workstation.

This lightweight background application detects user activity and forcibly kills the beyondlogic.shutdown.exe process, effectively cancelling the locking of the workstation without requiring the user to actually click Cancel.

This is currently rather ‘opinionated’ in that it specifically checks for hard-coded named processes running. It Works for Us(tm), but you may need to modify it for your environment. 😉

This whole solution is a little bit hacky, but it works. 😐

I had written something along these lines to terminate this workstation lock program in C#, but as a .NET process running in the background, you were looking at dozens of megabytes of RAM for something always running in the background. It felt thoroughly inefficient and unnecessary for something so simple.

I have always found myself honestly a little frightened of C and C++. Horror stories around coding securely, the undefined behaviour of doing ‘pointer stuff’ yourself… but this little project represented an opportunity to take this relatively rudimentary functionality and learn how to implement it with the Win32 API directly in a C program — and in doing so, cut resource usage (hopefully) significantly.

So, I did. Using the oft-abused WH_KEYBOARD_LL hook (and its WH_MOUSE_LL cousin), I periodically update a counter as to the user’s last idle time. If the hook is called (i.e. the user is typing or moving the mouse) and it’s been long enough since we last noticed such interaction, I check for the beyondlogic.shutdown.exe process and, if present, kill it.

This began life as whatever Visual Studio template gave me a buildable project that let me work with the right APIs, so there is likely unnecessary stuff still present and it could be more lightweight still. And, there’s a good chance I’ve made mistakes that need correcting, so please do get in contact if you’re willing to educate me in some small (or large) way!

I have tried to be particularly careful with buffers — string handling is done with (I guess, inefficient) fixed-size buffers where I first check that what I put in will fit, and I’ve tried to use the ‘safe’ string functions where possible too.

So, it’s a baby step towards working on more low-level projects. But, I’ve taken some action to tackle my pointer anxiety. 🙂

Maybe next the whole program should do the workstation locking, warning message and idle detection in one program.

Red Hat Certified System Administrator

This was a whole month and a bit ago, and I never got around to throwing it here on the site, but I will now announce that I am a Red Hat Certified System Administrator!

When You Have No Add-Ons, and about:studies is a Blank Page

It’s a tough day for some at Mozilla, I imagine, with pretty much all Firefox add-ons suddenly being disabled due to an expired intermediate certificate.

I love Firefox. I love having a browser that is not increasingly proprietary (*cough* Chrome *cough*), and so I too was hit by this issue.

Mozilla rolled out a fix using their studies system, and users were told to go to about:studies and it would show up within 24 hours.

My about:studies was a blank white page. Not a blank list of studies with the explanatory text — an entirely blank page. Here’s what it should have looked like:

about:studies as it should be.
I, however, saw a completely white screen.

I delved into the Firefox source code to see if I could track this down.

Running Firefox with the -jsconsole switch revealed errors relating to IndexedDB and the Top Sites component. Initially, I ignored these, but it turns out they were likely symptoms of the same problem.

In the end, I found toolkit/components/normandy/lib/AddonStudies.jsm, which I believe is the backend that the about:studies frontend JavaScript code talks to.

const DB_NAME = "shield";
const STORE_NAME = "addon-studies";
const DB_OPTIONS = {
  version: 1,
};
const STUDY_ENDED_TOPIC = "shield-study-ended";
const log = LogManager.getLogger("addon-studies");


/**
 * Create a new connection to the database.
 */
function openDatabase() {
  return IndexedDB.open(DB_NAME, DB_OPTIONS, db => {
    db.createObjectStore(STORE_NAME, {
      keyPath: "recipeId",
    });
  });
}

So, I knew I was looking at IndexedDB and I needed to locate what was happening with this particular shield database.

This StackOverflow answer was old, but gave me a hint of where to look. In the Firefox profile folder, there is storage/permanent. Inside here, a number of subfolders, including chrome (no, not Chrome — chrome) and other folders relating to devtools.

I noticed that in the chrome folder, I had four files for two different databases. Each database had a .sqlite-wal file and a .sqlite-shm file. This didn’t seem right — these are an index and a write-ahead log, but where is the actual data file? There should be a .sqlite file as well with the actual data for both databases.

So, I deleted these four .sqlite-wal and .sqlite-shm files from my profile (after a backup, of course, and when Firefox was not running).

A restart of Firefox later — several databases were regenerated and reappeared in that folder. Critically, about:studies was no longer blank and displayed as it should have — albeit with no studies yet.

A Fix? A Workaround?

Performing these steps may cause your Firefox profile to be irreparably damaged. This is an advanced and entirely unsupported process. Proceed at your own risk and only with a backup.

Great caution should be exercised here — I don’t know what these chrome IndexedDB databases contain, or should have contained. In any case, I’m pretty sure that the absence of the .sqlite file but the presence of the wal and shm files meant that Firefox was unwilling to delete them and start again for fear of losing something.

However, if you are experiencing the same problem:

  • Quit Firefox
  • Go to your Firefox profile folder
  • Back up your profile
  • Inside the profile folder, go to storage/permanent/chrome/idb
  • See if you have any .sqlite-shm and .sqlite-wal files without a corresponding .sqlite file
  • If so, move the .sqlite-shm and .sqlite-wal files elsewhere on your disk, away from your Firefox profile, and restart Firefox
  • See if about:studies is no longer a blank page
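The check in the steps above, as an added PowerShell example that is not part of the original post. The function name and the `-QuarantinePath` parameter are hypothetical; it only reports orphaned files unless a quarantine folder outside the profile is given, and backing up the profile remains a manual step.

```powershell
# Added example, not from the original post.
function Find-OrphanedIdbSidecar {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ProfilePath,   # your Firefox profile folder
        [string]$QuarantinePath                       # optional: folder outside the profile
    )

    # Step 1 of the list: never touch the profile while Firefox has it open.
    if (Get-Process -Name firefox -ErrorAction SilentlyContinue) {
        throw 'Firefox is running. Quit it before touching the profile.'
    }

    $profileFull = $PSCmdlet.GetUnresolvedProviderPathFromPSPath($ProfilePath).TrimEnd('\', '/')
    $idb = Join-Path $profileFull 'storage/permanent/chrome/idb'
    if (-not (Test-Path -LiteralPath $idb -PathType Container)) {
        throw "Folder not found: $idb"
    }

    if ($QuarantinePath) {
        # The files must end up away from the profile, as the steps say.
        $quarantineFull = $PSCmdlet.GetUnresolvedProviderPathFromPSPath($QuarantinePath)
        $prefix = $profileFull + [IO.Path]::DirectorySeparatorChar
        if ($quarantineFull.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            throw 'QuarantinePath must be outside the Firefox profile.'
        }
    }

    # A .sqlite-wal or .sqlite-shm file is orphaned when the .sqlite file it
    # belongs to (same name without the suffix) does not exist.
    $orphans = @(Get-ChildItem -LiteralPath $idb -File |
        Where-Object { $_.Name -match '\.sqlite-(wal|shm)$' } |
        Where-Object {
            $main = Join-Path $_.DirectoryName ($_.Name -replace '-(wal|shm)$', '')
            -not (Test-Path -LiteralPath $main -PathType Leaf)
        })

    if ($QuarantinePath) {
        foreach ($file in $orphans) {
            if ($PSCmdlet.ShouldProcess($file.FullName, "Move to $quarantineFull")) {
                New-Item -ItemType Directory -Path $quarantineFull -Force | Out-Null
                Move-Item -LiteralPath $file.FullName -Destination $quarantineFull
            }
        }
    }

    # Report what was found, whether or not anything was moved.
    $orphans | Select-Object Name, Length, LastWriteTime
}
```

Run it first with only `-ProfilePath` to see what it finds, then with `-QuarantinePath` and `-WhatIf` before moving anything.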

“File and Printer Sharing Ports Blocked” — But Are They?

A recent upgrade to System Center Operations Manager, taking it to the new 2019 release, perhaps combined with an update to the Windows Server management packs, created an interesting issue.

On the management server, an alert was triggered about the management server itself:

Resolution State: New
Alert: Server Service: File and Printer Sharing Ports Blocked
Source: SCOM (SMB)
Path: SCOM.fqdn
Last modified by: System
Last modified time: 3/13/2019 2:14:28 PM
Alert description: Either Windows Firewall is disabled or the firewall inbound rules for TCP ports 445 or 139 are disabled.

Interesting. Did the upgrade to SCOM 2019 or the management pack somehow break Windows File Sharing? And if it did, why hadn’t we noticed more significant issues than just this alert?

Well, no — it looks like this alert actually dates from earlier, in March, but perhaps the alert has re-surfaced, post upgrade, as the monitor re-evaluated. What I was sure about, however, was that the file sharing ports were indeed open and that this alert couldn’t be correct!

Right? Right?

To the Firewall!

Investigating all the relevant firewall rules revealed that everything was in order — Windows File and Printer Sharing exceptions were allowed, as appropriate, across the board.

File and Printer Sharing rules

What is it Detecting?

So, it was time to dig a little deeper.

I was able to go to the Alert details and click on the Alert Monitor to drill down and find the details of how the monitor was coming to this apparently erroneous conclusion.

I extracted the script and tried running it manually on the server using cscript.

With a few WScript.Echo calls of mine sprinkled in, the relevant part of the VBScript that powered the monitor was as follows:

Dim rule

For Each rule in fwPolicy2.Rules
  If (rule.Protocol = NET_FW_IP_PROTOCOL_TCP) And (rule.LocalPorts = "445") Then
    WScript.Echo("Proto " + CStr(rule.Protocol) + " and port " + rule.LocalPorts + " enabled: " + CStr(rule.Enabled))
    WScript.Echo("rule.Profiles: " + CStr(rule.Profiles) + " and rule.Enabled " + CStr(rule.Enabled))

    If (Not rule.Enabled) And (rule.Profiles And fwCheckProfile )  Then

      WScript.Echo "Setting file sharing ports enabled to true"
      fwFileSharingPortsEnabled = "True"

      Exit For

    End If

  End If
Next

So, let’s go ahead and run this.

The script also checks to see if any non-hidden shares exist on the server and will only put the monitor in an unhealthy state if at least one exists.

It iterates over all the rules for port 445, decides all the rules are enabled, which would allow access to File Sharing, but then ends up with fwFileSharingPortsEnabled still being false.

This propagates to the ultimate script output of a PropertyBag with the value Disabled under PortStatus.

All the rules are enabled, but the result is that it considers the ports not open for business??

Is this Logic?


It seems to me that there is a logic error here:

If (Not rule.Enabled) And (rule.Profiles And fwCheckProfile )  Then

Only if the firewall rule is not enabled and the profile matches the current network profile, we consider the port enabled?

Remember that if the rule is not enabled, traffic would be blocked by the Windows Firewall.

It seems that this might be a simple logic error in the management pack. A comment later in the script even states:

' Only if regular share exists and port 139/445 are not open will portStatus be returned as "Disabled"

Am I missing something obvious?

I’d Report This…

I cannot figure out where I should report this, if I’m correct in thinking how this should be working. Should I complain on a forum? Is there a System Center Operations Manager support Twitter profile? Product Support?

An Unorthodox Workaround

For now, disabling at least one of the rules for port 445 suppresses this alert. For example, if you don’t need or want Remote Event Log Management, you can disable the Remote Event Log Management (NP-In) rule. This script will then return Enabled and the alert will not be fired.

Any of the port 445 rules being disabled will cause the script to be happy again.
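To make the logic error and the workaround concrete, here is an added PowerShell example (not the management pack's script) that evaluates the quoted condition and its negation-free counterpart over constructed rule sets. The function names and sample rules are hypothetical, and the "expected" condition is this post's reading of what the monitor should test.

```powershell
# Added example; not the management pack's script. Rule data below is constructed.
$NET_FW_IP_PROTOCOL_TCP = 6
$DomainProfile          = 1      # NET_FW_PROFILE2_DOMAIN

function Test-PortEnabledAsQuoted {
    # Mirrors the condition quoted in the post:
    #   (Not rule.Enabled) And (rule.Profiles And fwCheckProfile)
    param([object[]]$Rules, [int]$CheckProfile)
    foreach ($rule in $Rules) {
        if ($rule.Protocol -eq $NET_FW_IP_PROTOCOL_TCP -and $rule.LocalPorts -eq '445') {
            if ((-not $rule.Enabled) -and ($rule.Profiles -band $CheckProfile)) { return $true }
        }
    }
    $false
}

function Test-PortEnabledExpected {
    # The condition the post argues for: an enabled rule in the checked profile.
    # A stricter check would also require an inbound direction and an allow action.
    param([object[]]$Rules, [int]$CheckProfile)
    foreach ($rule in $Rules) {
        if ($rule.Protocol -eq $NET_FW_IP_PROTOCOL_TCP -and $rule.LocalPorts -eq '445') {
            if ($rule.Enabled -and ($rule.Profiles -band $CheckProfile)) { return $true }
        }
    }
    $false
}

function New-SampleRule {
    param([string]$Name, [bool]$Enabled)
    [pscustomobject]@{
        Name = $Name; Protocol = $NET_FW_IP_PROTOCOL_TCP; LocalPorts = '445'
        Enabled = $Enabled; Profiles = $DomainProfile
    }
}

# Constructed rule sets: the healthy server, and the "unorthodox workaround".
$cases = @(
    @{ Name  = 'all 445 rules enabled'
       Rules = @( (New-SampleRule 'File and Printer Sharing (SMB-In)'   $true),
                  (New-SampleRule 'Remote Event Log Management (NP-In)' $true) ) }
    @{ Name  = 'one 445 rule disabled'
       Rules = @( (New-SampleRule 'File and Printer Sharing (SMB-In)'   $true),
                  (New-SampleRule 'Remote Event Log Management (NP-In)' $false) ) }
)

foreach ($case in $cases) {
    $quoted   = Test-PortEnabledAsQuoted -Rules $case.Rules -CheckProfile $DomainProfile
    $expected = Test-PortEnabledExpected -Rules $case.Rules -CheckProfile $DomainProfile
    [pscustomobject]@{
        Case                 = $case.Name
        PortStatusAsQuoted   = if ($quoted)   { 'Enabled' } else { 'Disabled' }
        PortStatusExpected   = if ($expected) { 'Enabled' } else { 'Disabled' }
    }
}

# To evaluate a server's real rules instead of the constructed ones (Windows only):
# $fw = New-Object -ComObject HNetCfg.FwPolicy2
# Test-PortEnabledExpected -Rules @($fw.Rules) -CheckProfile $fw.CurrentProfileTypes
```

With every rule enabled the quoted condition reports Disabled, which is the alert; disabling one rule flips it to Enabled, which is why the workaround silences the monitor without changing whether SMB is reachable.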


When is iMessage not iMessage? (When it’s facebookexternalhit/1.1)

Facebook is a company that engages in unethical behaviour. Its ubiquity and its necessity for many people’s social lives undermine people’s ability to meaningfully grant or withhold their consent to its policies.

I take no pride in seeing this coming in 2010, and I have refused to use any of their services consistently since.

So I was surprised, to say the least, when I sent a link over iMessage that I knew would be unique, but saw a request being made for it by the facebookexternalhit/1.1 bot user agent. This URL should not have ever been seen by anyone but me and the recipient. I took the time to verify that the only access to this URL was by myself and the recipient.

“GET /some-secret-url HTTP/1.1” 200 – “” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0”

It turned out that the facebookexternalhit/1.1 request (also identifying as Twitterbot!) was issued by the same IP address that I had. How could I be a Facebook/Twitter bot? How could it be that some Facebook code was running in my network? (I’m pretty particular in blocking large numbers of domains relating to Facebook properties.)

It turns out that this message preview in iMessage seems to make a request for the URL using this user agent string. It doesn’t identify itself as iMessage in the user agent string at all!

I’m satisfied that I answered the question — and indeed I understand the nature of user agent strings and how everybody pretends to be something else for compatibility. I expect a service to add to the user agent string, though. Chrome pretends to be Safari, which pretends to be “like Gecko”, which pretends to be “Mozilla/5.0”.

So why can’t iMessage add “iMessageLinkPreview/1.0” or something to the user agent string?

“Live Photos in FaceTime” Bug

So, the iOS 12.1.4 and MacOS Mojave 10.14.3 Supplemental updates are out, fixing Grant Thompson’s reported FaceTime groups bug. You know, the one that turned your device into a listening device…

(It’s at least something that Apple acknowledged that the reporting process for security issues from non-developers needs to be improved.)

I note that one of the other security fixes in this release is explained as follows:

Live Photos in FaceTime Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A thorough security audit of the FaceTime service uncovered an issue with Live Photos

Description: The issue was addressed with improved validation on the FaceTime server.

CVE-2019-7288: Apple

APPLE-SA-2019-2-07-1 iOS 12.1.4

It’s good that they thought it wise to do a thorough audit on the rest of FaceTime, but why is this bug so poorly explained? “Uncovered an issue”? Of what scope? Of what severity?

Perhaps security issues Apple discovers internally don’t get disclosed, to provide an additional layer of obscurity if they believe others aren’t yet aware of them? Perhaps this is a server-side bug only? (But if it is, why note it in the client OS release?)

It is an unusual practice (even for a company as secretive as Apple) to provide a line and a CVE reference and so on, but not give any detail at all in the public release notes.

“Accident Advice Helpline”, 0161 854 1173 , Where Did You Get My Number?

A Case of Curious Coincidences…

Put on your citizen’s journalism hats, because we’re about to go on an investigative adventure.

UPDATE: More unsolicited calls recently from 0161 854 1214 where no message is left — unverified as to whom this is at this stage. It seems reasonable to presume that this is in the same range of phone numbers, given the MO.

I have received a number of calls from 0161 854 1173 recently (May 2018). A voicemail message is never left, but if you pick up, you always hear a very short extract of hold music before you are connected with a person (automatic dialer, perhaps?) The agent typically identifies themselves as from the “Accident Advice Centre” or “Accident Advice Helpline”.

I have made a number of call recordings of my interactions with this phone number. I stress that these recordings have been made lawfully, as incoming calls to my number automatically play a pre-recorded message “this call is recorded” before the ringing begins, thanks to my service provider. (A recorded message stating that the call is recorded is common practice in that it is similar to the recorded messages that one hears when calling up companies.)

I was of course curious who was calling and how my phone number had been obtained.

Me: “I’m just wondering really where the number that you’ve called came from? I mean, obviously —”

Agent: “Oh, your number, sorry, sir? Your number?”

Me: “Yes. Yeah, yeah, yeah.”

Agent: “Ah, right, I do apologise. I thought I — no — no worries. Yeah, we work off the Accident Portal[1], sir. So when you ring your insurance and tell them about your accident, er, it comes under what you would call the Accident Portal. Now [inaudible] organisations that have access to the Accident Portal, OK? The DVLA, the Accident Advice Centre, that’s us, the Motor Insurance Bureau and the DVLA[2]. Sorry, the [inaudible], the DVLA and your insurers.”

Me: “You’re a government organisation?”

Agent: “We are a [government/governing][3] body, OK? Er, we were set up to make sure your insurance companies are doing their job correctly. Also just to make sure the complaints[?] OK and happy with your insurance [inaudible] and everything, and just to make sure you know, you’ve received all your requirements — your legal, erm, payments and stuff. Now—”

Me: “What I’ve [inaudible] is to find out information about your organisation, because I’ve struggled on a number of occasions to actually find out any more.”

Agent: “Say again, sorry?”

Me: “I’ve struggled on a number of occasions to actually find out any more information about your organisation.”

Agent: “Just bear with me one second, I’m going to get my manager, OK?”

Me: “I tend to start asking these questions and the call seems to be cut off.”

Agent: “Right, well, why did you think your call seems to be getting cut off?”

Me: “I don’t know.”

Agent: “Is this our company you’re talking about, or…?”

Me: “Yeah, calls from this number. The number you are calling from, and, yeah, I seem to ask for information about the organisation and then I don’t seem to — the call doesn’t seem to stay, uh, connected.”

Agent: “Are you just looking at the [inaudible], because that’s just an area code, so it could be a million, um, you know, a million people calling you.”

Me: “— the full phone number”

Agent: “Let me just see who’s called you in the past, give me one second.”

Agent: “Yeah, I can see that our, our, our, my colleague [name] tried contacting you. Erm, but she put it down to answering machine, like, we couldn’t get hold of you, and that’s why it’s come back through today.”

Me: “Yeah, as I said, it’s not the first call. I’ve had a number of calls, but, um…”

Agent: “Right, so are you aware of the compensation that has been set aside for you, Peter? — — Hello?”

Me: “Again, what I’m wondering about is more information about your organisation.”

Agent: “Right, like I said— That’s completely fine, obviously you’re only [inaudible] obviously want to know who we are and make sure we have your best interests at heart. Erm, just bear with me and I’m going to get my manager, she’ll just come over and give you a bit more of an explanation of who we are and why we are calling you, OK?”

Me: “That would be great, thank you.”

1: The closest thing to “Accident Portal” I can find is “Claims Portal Limited”, “a tool for processing low value personal injury claims”. I have no evidence that this is the “portal” in question, however. Investigations into whether Claims Portal Limited have my data are ongoing. Unfortunately, this company’s website Terms of Use prohibit me from linking to them without prior consent, so you will have to use a search engine yourself. (“You may not provide a link to this web site from any other web site without first obtaining Claims Portal Ltd’s prior written consent.”)

2: It’s credible that there is a database of incidents for legitimate organisations like insurance companies. That data presumably would be processed for the purposes of the prevention and detection of fraud. It certainly would not be permitted to use the data for “leads” for claims management companies, especially if the data subject is not specifically aware of the data processing in the first place.

3: It’s not clear enough to distinguish between these two words in my recording. I did want a clear answer as to whether they were identifying themselves as some kind of official body, or as a for-profit company. We’ll discover more about the identity of the organisation later.

After a brief interlude, the manager spoke with me. I asked for the full organisation name and the registered office.

Manager: “It’s the Accident Advice Helpline, OK?”

Me: “OK, so that’s Helpline. Is that Limited?”

Manager: “It’s just the Accident Advice Helpline. So basically we make the follow-up calls, Peter —”

Me: “—  the name of the organisation.”

Manager: “Accident Advice Helpline. Yes?”

Me: “OK, so not Accident Advice Helpline Limited…”

Manager: “Yes. OK? So, basically what we do is we make the follow-up calls to make sure that each and every person that has been involved in a recent road traffic accident or an incident — is being looked after, and offered a 5-star service so they’ve got the courtesy vehicle in place and the car’s in the garage and that you’re happy with the recovery of the vehicle etc. And obviously we explain to them about the payment when it’s a non-fault incident, there’s a payment automatically set aside[1] — erm — which is for minor discomfort[2], so this payment has got nothing to do with your insurers, it comes from the third party, the fault driver’s insurance—”

Me: “—so the information you’ve received about my number. Where has that come from, please?”

Manager: “That basically is uploaded onto the database. When you pay your premium — and everyone in the UK and Scotland pays their 0.34% of all the premiums put together — creates the Accident Advice Helpline[3], so we’re authorised[4] to receive all the, basically, the details of incidents and make sure that you’re being offered a good service by your insurers and then obviously, like I said, we ask you about your courtesy vehicle, the recovery of your vehicle, if you’re happy with the services and then obviously if you’re non-fault we explain that you are entitled to a payment, which I believe [original person who called me]’s explained to you already for the minor discomfort — you’ve had your seatbelt on[5], someone’s collided into your vehicle and you’ve been involved in a low-velocity impact collision you are automatically entitled to a payment from the third-party[6]. So, like I say, just to confirm — erm — and to reiterate, this has got nothing to do with your insurers, this is coming from the fault driver’s insurance. Does that make sense?”

Me: “Erm — so, does your organisation have a registered office?”

1: Automatically set aside by whom I wonder?

2: “Minor discomfort”. Remember that justification that has been given for the “payment”, as we’ll be coming back to it later.

3: If I’m understanding the manager correctly, she is stating that the organisation is created from funding from everyone in the UK and Scotland [sic] and, I presume I am meant to believe, that the “automatic payment” comes from those monies. There is no evidence for this.

4: I did not press this point during the call — I was conscious that asking too many awkward questions seems to correlate with early termination of the call — but I’d love to know by whom they were authorised to receive my details. The “database”?

5: Another reference to “minor discomfort”, but then we move away from that and get more specific. Indeed, this is the closest I have come to any suggestion of the type of claim they’d actually want to pursue on my behalf. Mentioning the seat belt suggests they might look to see if a whiplash claim was a possibility if I continued further with them.

6: Automatically entitled? And this is “coming from the fault driver’s insurance”? I don’t accept these statements are true.

I will spare you the details of me explaining that asking for the registered office meant that I wanted a street address!

I eventually got this registered office from the manager:

50-52 Chancery Lane
London
WC2A 1HL

This address appears as the registered office address for an Accident Advice Helpline Limited, company 05121321. This doesn’t exactly match with the manager’s statement that it is “just the Accident Advice Helpline”, but the registered offices are the same.

The last filed accounts with Companies House were on 30th June 2017 and were accounts for a dormant company. I don’t think I can determine if the company is still dormant until they next file accounts in June.

(Coincidentally, Accident Advice Centre Limited (10275785), with registered office 8 Exchange Quay, Salford, United Kingdom, M5 3EJ, was dissolved on 13th June 2017, weeks before those dormant accounts were filed for “…Helpline”. I have a call recording from the same phone number, also from this month, where the agent identifies as from the “Accident Advice Centre” and confirms that this was the address of that organisation — “Yes, that’s our address”. So I’m still not sure who exactly is calling me from this same Manchester phone number — is it “Centre” or “Helpline”?)

I clicked on the name of the first company director for Accident Advice Helpline Limited listed on Companies House, and discovered this individual holds 36 directorships, almost all of them also with correspondence addresses of the London address as above.

Some of the more interesting ones:

I stress that all of the companies above can be reached at the 50-52 Chancery Lane address above.

The list seems rather comprehensive and efficient, in the sense that the whole process of lead generation, claims management, cost assessment and medical assessment for personal injury claims could, in theory, be administered all from this one building.

With all these companies physically located in the same building and with at least one common company director, I wonder how the issue of conflicts of interest is dealt with?

For example, I am sure that a “costs consultants” business would want to act in good faith to (I assume) estimate costs associated with an incident, but with such a close link to legal services firms and claims management firms that may be interested in maximising the assessment of costs… I will say that it raises ethical and procedural questions that I am sure the organisations involved will be happy to answer.

Back to my calls — I take the view that, while they may not want any money directly from me, this is a marketing activity. They are a private company, trying to generate leads for business for personal injury claims.

My phone number is listed in the UK’s Telephone Preference Service. Let’s look at the legal obligations that this places on organisations:

Direct marketing telephone calls: it is unlawful for someone in business (including charities or other voluntary organisations) to make such a call to any Individual if that Individual has either told that business or organisation that he/she does not want to receive such calls or has registered with the Telephone Preference Service that they do not wish to receive such calls from any business or organisation.

I notified the manager that my number is in the TPS and that, therefore, I took the view that the call was unlawful.

Me: “Given that the number you have called is in in the Telephone Preference Service, um, list of numbers not to call, um, unfortunately the calls you’ve been making are actually unlawful under that relevant legislation[1]. When you said that this isn’t a marketing call—”

Manager: “Oh for goodness sake.”

Me: “I’m sorry?”

Manager: “Do you want me to make a payment? Yes or no?”

Me: “Hello?”

Manager: “I assume no.”

Me: “Are you still there?”

[some confusion — I am asking “are you still there” because I am conscious that the call is likely to end soon]

Manager: “— so you don’t want to move forward with the payment, so I’m going to take you off the system, thank you — [hold music for ~0.5 seconds, then call disconnects]”

1: http://www.legislation.gov.uk/uksi/2003/2426/regulation/21/made

I’m struggling to think of another “helpline” that would normally have managers who say “oh for goodness sake” to the people they “help”.

I do hope that she did indeed “take [me] off the system”. I should never have been on there in the first place — and if the company was checking numbers against the TPS list before making marketing calls, as they are legally required to do, this never would have been an issue.

My advice? Do not deal with this organisation, or any with a similar name and similar spiel. Perhaps calmly ask them a few questions about who they are, and see whether their story matches the ones above.

If any relevant official investigatory body wishes to contact me for further details regarding the way this organisation has identified itself, the calling of numbers listed in the TPS, etc., you are most welcome. Your call may be recorded. 🙂

The Case of the Rogue Caching Servers (Unable to Download iOS Apps Over The Air)

macOS Server

A recent version of iTunes dropped support for downloading and syncing apps to iOS devices — the only methods for this are now using the App Store, Apple Configurator(?), or having some other over-the-air MDM solution push the apps to devices.

This caused me to run into a little bit of an issue in my day job — we’d been having sporadic issues doing over-the-air app updates on our corporate network, but when devices were taken off site, apps would update perfectly. I had been sort-of ignoring, sort-of working around this by downloading the apps to a desktop running iTunes and syncing (a small(!) number of) devices by Lightning cable.

But, now my workaround feature was gone! What was I to do? The story here is true, but some names and specific technical details have been omitted for professional privacy!

I was curious, so I did a packet dump or two and discovered the iOS devices were talking happily to the iTunes Store as you’d expect they should, but that when it came to actually downloading the app’s bits, they were contacting an IP address in a private range!
