Colin’s IT, Security and Working Life blog

May 29, 2009

So…. How does this contracting thing work then?

Filed under: Contracting — chaplic @ 12:37 pm


Here’s the scene. You start a piece of work, swanning in with your expensive watch, and car. You apply your red-hot skills, motivation and experience to the task in hand and get respect from your co-workers.

At some point you’ll be socialising together, and you’ll get the question.

The answer?

About twice or thrice what you are paid now.

Downside is that the longest contract you’ll get is probably twelve months; three months is more likely. Also, be prepared to travel. And you get no pension, holiday or sick pay. On the plus side: zero performance reviews, no office politics and a frequent change of scene. You might be out of work for months, but if you have a year’s pay in the bank…

My view is that if you don’t want a management career, and are good at what you do, confident and bolshy then you should be contracting.

But bank accounts, umbrellas… what?
You need a vehicle to get paid if you are a contractor. In the UK this is one of:

  • An Umbrella company
  • Your own Ltd
  • Dodgy offshore payscheme

With the umbrella they look after all accountancy and most paperwork – the downside is you are effectively PAYE, i.e. most of your filthy lucre is taxed at 40% and business-critical expenses such as plasma TVs and foreign holidays are difficult to claim.

However, if you are just getting your head around the idea of contracting, I’d say do this for six months.

A Ltd gives you a lot more control and you’ll make slightly more money. YOU WILL NEED AN ACCOUNTANT. It should cost about a hundred bucks a month, but they’ll save you more than they cost.

Remember, what’s in the company account is NOT YOUR MONEY! You’ll pay yourself a salary that you set, and take share dividends as and when you see fit. You can also pay a partner to be a secretary and reduce tax burden, but as always the tax rules change often.

There are also dodgy schemes where they say you’ll take home 88% of your contract rate or similar. There are plenty of variations, but a typical one is that the umbrella-like company you work for doesn’t actually pay you; it just gives you an interest-free loan and promises never to ask for the money back. With this you are really a red rag to the tax inspector, and it is only suitable if you have massive cojones, as they can go back seven years to claim money back. They also introduce rules which are retrospective (google BN66).

OK, understand that, what’s IR35?
First you have to realise the tax office hates contractors and doesn’t understand the concept of risk/ reward. It sees your fat juicy rate and wonders why it just can’t tax that at 40%.

So they have brought in rules that state if you are acting like a permie, we’ll tax you like a permie. But a permie with no pension, zero job security, holidays, and no unemployment benefit.

There are a few ways to avoid it (maybe this isn’t clear-cut), including making sure there are no dumb clauses in your contract (most are OK these days), and also flying under the radar (paying yourself a salary of £5000 is one SQL query away from a formal IR investigation).

But how do I get a mortgage?
It’s true that if you stroll into a high street bank with your wage slip showing you earn £20K, £6K, £1, or whatever you decide to pay yourself, and try to get a £300,000 mortgage, you will quickly and politely be refused.
You need to go through a specialist broker. Bizarrely, you might end up with a deal at the same bank, but with a better and more flexible rate. A mortgage where you can pile money into it and take it out again is handy as a last resort if you are out of work.


May 18, 2009

Maybe the “perfect security theoretical paradigm” needs work

Filed under: Documentation — chaplic @ 1:03 pm


There’s a lot of talent in the IT and security industry. However, I tend to find the quality of documentation, bid responses and proposals to be massively variable. OK, that’s being charitable: it’s usually pants!

Here are my thoughts on successful technical document writing, based on peer reviewing documents and also evaluating tenders.

Boilerplate text, content copied off the vendor’s website and splattered into documents, is utterly evil, frustrating and a waste of time. Your readers have probably read it already, and the language and terminology used won’t be consistent with your document. It sends a message that you are lazy. If you must, edit it appropriately or include it in an appendix.

By the same token, please, please, please don’t write business bullshit – you’ve read it, you know what it is – AVOID!

If you are responding to requirements, include a table in your document which, column by column, states the original requirement and then how you have satisfied it (usually just a reference to a section of your document). This serves two purposes: it demonstrates to the reader that you’ve been thorough, and it also gives you a tool to spot if you have missed anything.

Just like at school, tell me your working and read the question.

I’ve recently reviewed a number of vendors’ proposals and lost count of the number of responses to requirements that answered what the vendor would like the requirement to be (frequently not responding to some requirements at all).

Also, don’t just present a solution as a fait accompli. Remember, anyone reading your document may have at least as much technical skill as you, so will have an understanding of the different options. Explain to them why you have gone down the route you have. For every point you make, make sure you defend it.

You should be an absolute guru at Visio! The adage about a picture is absolutely true, it helps break up text and can also explain your thinking to audience members who think visually. Consider a big “everything in” Visio at the start of your document, then take sections of that graphic when you are expanding the solution later.

Most vendors will have Visio stencils available – use them. No matter what kind of document you are writing, presentation is an important facet of getting your message across.

To keep document sizes manageable, I save my Visios as .GIFs and import them into Word. And whilst we’re on the subject of document size, don’t include large spec lists, code, or other generic lists of information in the body. Put them in an appendix.

Overall, it doesn’t matter how good your technical solution is: it can live or die (or not even be born) depending on how good your documents are. Hopefully this will help improve them!


May 13, 2009

Choosing a datacentre – security considerations

Filed under: Buying Smart — chaplic @ 1:36 pm

For most businesses, moving IT kit to a datacentre is a “no brainer” – you get the advantage of shared resources that will likely improve availability (such as electric generators), and they are generally not in horrible parts of your building such as basements! However, they do introduce other security risks that you need to consider.


If your kit is hosted in-house just now, it’s protected by the nature of your general site protection – security guards, CCTV, locks, secure entry and so on. Crucially, it’s also unlikely that anyone will be there with whom you do not have a specific business relationship. In a shared datacentre you don’t know – or trust – the person hosting beside you.


There are a raft of standards and awards that datacentres will no doubt try to impress you with; this post isn’t about those. Instead it covers the basics.

Your evaluation of a datacentre starts before you arrive. What part of town is it in? Is it a flood risk? Are there any businesses next door that could have negative consequences (think Buncefield or animal testing centres)?

Datacentres tend to be in less desirable, and isolated, areas of town. Have a walk round the building and identify how you would penetrate it if you wanted to get at your kit, either to access it or to damage it. Ideally the datacentre should look anonymous; admittedly that’s difficult with high fences and CCTV!

How is access control enforced? Was it enough to say who you were, or did you have to provide ID? Are there security controls in place so that someone cannot simply walk through two doors in a row (this could be a ‘man trap’ door arrangement, or a turnstile)?

Hopefully the datacentre will impress with its cooling and power supply setup (including monitoring), and you’ll be able to see big generators, lots of batteries and redundant air conditioners. It is worthwhile asking the last time they had a real problem (and the result), and the last time a load test was done. Just how quickly can they get replenished with fuel?

You would expect the datacentre to already have diversely routed connections out to multiple telephone exchanges and electricity substations, but you should check.

The datacentre may be partitioned, but how high are the walls, actually? Be suspicious of tiles, both above you and below you!

Quite a lot of your kit may run from a single power supply. Ask about the datacentre’s power arrangements and what happens if they wish to do maintenance on one circuit. You may well find it wise to have your racks supplied with power from two rings, and use a device called a static transfer switch so that your single-power-supply devices can take power from either supply (and, following the same model, your kit with dual power supplies gets plugged into both circuits).

If you can go from outside to your kit through one door (fire escapes are a possible route) then you have problems. Hopefully such doors are reasonably secured, but it’s still a direct access point (or, more likely, a direct exit point – with your servers!).

You should understand what active role, if any, the datacentre plays in the operation of your business. Do you have to comply with any of their procedures in order to install equipment in racks? If so, how do they enforce this? How do you get equipment couriered to site, and do they have any handling rules? Many datacentres do not accept deliveries unless they are registered in advance, with codes marked on all the boxes (and the number of boxes itemised, too).

Most racks – assuming they are locked – are reasonably quick to open with just a screwdriver. Given that you are happy with the perimeter security and the other security in the building, you may consider hosting alongside people you don’t trust an acceptable risk.

However, many will not accept this risk. There are options. Have the rack bolted to the floor (the real, concrete floor). This will make physical theft that bit trickier. Also, surround the equipment with a steel cage – main braces of, say, 1 inch square hollow steel with a thick wire mesh. This should be bolted to the fabric of the building, and if it does not stretch from roof to floor, then your cage should have a roof also. Access to your cage should be via a different access control mechanism from the rest of the building.

Consider the logistics and human factors too – whilst you may be managing your kit remotely most of the time, during a kit install you may have people on site for some time. Is there any office space for them to use a laptop? What about toilets, cups of tea, lunch and so on? Although IT companies talk green, this usually doesn’t stretch to the boxing of their components, so any decent infrastructure install will give rise to its own cardboard box city. Does the datacentre provide disposal for these items, or do you have to arrange to get them removed yourself? By the same token, examine the loading bay and lift weight limits if you are off the ground.

Overall, do not make the choice quickly, or without care. If suitable for your business, a datacentre will quickly become invisible. Get it wrong, and it’ll be the biggest blip on your radar!

May 8, 2009

The most (and least) secure firewalls are soft and squishy

Filed under: Security In the News — chaplic @ 10:05 am

I was surprised (and somewhat smug) over the recent spate of people who should-know-better being caught by photographers holding sensitive documents in public display.

The reason for my smugness is that on a piece of work I’m doing, amongst other handling rules, I insisted on large A3 envelopes being issued to the project team, and the players in the project were referred to by codenames. All papers were to be carried within them and stored under lock and key, which caused much good-natured bickering within the team.

The documents are held electronically, behind dual-skinned firewalls, stored on laptops with full hard disk encryption, and subject to a robust patching and AV routine. It would take considerable effort to get at them.

However, there would be people in the building that would be very interested in seeing even just the front page. It was nothing particularly sensitive, just a key point in a commercial process.

It’s nice to be able to pin back why we preach good security against real-life examples, but we’re not all top police officers carrying documents of national security. Is the lesson still relevant?

I frequently take a train between Ipswich and London, and there’s usually a high number of employees of a certain telco with me, beavering away on their laptops and mobiles. I’ve heard the status of bids, seen designs for customers’ networks and generally gained information that I would never have the technical skills to “hack”.

Security does not stop at the firewall. Much in the same way that people now break into houses to steal car keys because it’s too difficult to hotwire a car, if you are confident your IT infrastructure is secure you must think wider.

Hello world!

Filed under: Uncategorized — chaplic @ 9:38 am

This is a new blog, though I’m not exactly new to the world of web media.
