There is a global systems outage that appears to affect Windows computers running CrowdStrike security software. Systems that have updated are crashing with a BSOD (Windows Blue Screen of Death). If this issue affects you, there is a quick fix.

How to fix the BSOD

• Boot into Safe Mode or into the Windows Recovery Environment
• Go to C:\Windows\System32\drivers\CrowdStrike
• Find and delete C-00000291*.sys
• Reboot

How to boot into Safe Mode

1. Interrupt Normal Boot Process:
   • When your PC starts, wait for the Windows logo to appear.
   • As soon as it does, forcefully shut down your computer by holding down the power button.
   • Repeat this process two more times.
   • On the fourth boot, Windows will detect the interrupted startup and offer you advanced options.
   • Choose “Advanced options,” then “Startup Settings.”
   • Click “Restart.”
   • Now, press the corresponding number key (usually 4, 5, or 6) to select the desired Safe Mode option:
     • Press 4 or F4 for minimal Safe Mode.
     • Press 5 or F5 for Safe Mode with Networking (useful if you need internet access).
     • Press 6 or F6 for Safe Mode with Command Prompt.

If you’re in West Cumbria and need help with this give us a call on 033 0001 1087 or email info@tulltech.co.uk and we can walk you through the process.

Update: Have you tried turning it off and on again? 15 times.

Microsoft are reporting that multiple reboots are fixing this issue for people running Virtual Machines!

Facebook allows businesses to create a presence on their site, this can be used to share information about the company, its products and services. It enables the company to interact with customers and other users. Facebook company pages can be customized with features such as photos, videos, and a company description. Users can follow or like a company page to receive updates from that page in their news feed, and companies can also use paid advertising to promote their page and reach a wider audience.

Sounds ideal?

It is possible to use a Facebook company page in place of a website, but it is not recommended for several reasons.

First, a website typically provides a more comprehensive and centralized source of information about a business or organization, whereas a Facebook company page is just one aspect of a business’s online presence. Websites can also provide more flexibility in terms of design and functionality.

Second, a website gives you control over the look, feel and functionality of your business’s online presence, while a Facebook company page is limited to the features offered by Facebook.

Third, a website can be indexed by search engines, which allows people to find your website when they perform a search for relevant keywords. A Facebook company page is not indexed by search engines, which means that it may not appear in search results for your business or organization.

Fourth, a website can be accessed by anyone with an internet connection, while a Facebook company page can only be accessed by users who have a Facebook account and are logged in.

And finally, limiting your prescence to Facebook makes a company completely dependent on Facebook. Any change in the Facebook algorithm could impact your online presence and Facebook has been built to make Facebook money, not your company!

Overall, while a Facebook company page can be a useful tool for businesses, it is not a substitute for a website, and having a website is still important for a business to establish its online presence.

It also has a dark side. You can be inadvertently exposed to extreme points of view or content. Twitter has an algorithm that wants to keep you using twitter. The way these algorithms work – if you show an interest in bad content you will automatically be fed more. This can lead to people developing quite extreme viewpoints. You might be a little unhappy about something and you look for other people that are and you end up going down a rabbit hole where you start believing things that are demonstrably untrue. You follow people with similar views and it creates a bubble where everyone validates and reinforces their extreme beliefs. This is why you need some form of content moderation to prevent people being radicalized in the first place.

Following his recent purchase of twitter, Elon Musk has created a furore by sacking half the workforce, announcing that they will charge for verified status and talking about absolute free speech. These are all terrible ideas. Advertisers are already starting to drop the platform.

If twitter charges for verification, someone can for instance say “I’m Martin Lewis” and pay over their money. They can then use their new status as the UK’s most trusted money saving expert to flog dodgy get rich quick schemes on the internet. Martin Lewis is already constantly fighting to stop scammers using his name. For twitter to make this worse would be a bad thing.

But the really big one is free speech. I believed in free speech as a heady teenager back in my early days on the internet. But experience has taught me over and over again that absolute free speech does not work. You need to have rules and you need to enforce the rules. If twitter abandons these rules it will become a wasteland of hatred and extremism. Ordinary people will be driven away.

But the whole thing raises a wider issue. Who should own social media? After all Twitter is made by the people that use it. Should an individual be allowed to own it and use it as their personal plaything? Should even a corporation be allowed that much control over people, their data and their communications. Should a government? Many twitter users are migrating to Mastodon, which is a network of servers, run by enthusiasts and volunteers, putting the power back in the hands of the people. Each server has their own rules, but if you don’t like those rules you can join another server or start your own. The main rule though is “Be Nice” Maybe this could be the future. If you’d like to join me on there you can find me at @ztulloch@mstdn.social

The two most likely culprits are a broken preloaded plugin or a broken theme. Let’s look at how to fix both.

Broken Plugin

The quickest way to fix this is to go in with ftp or go to your webhosting file manager and rename the plugin directory to plugin.nw. Preloaded plugins sorted.

Broken Theme

Themes are trickier. You have to rename the active theme, then rename one of the default WordPress themes to the name of the broken active theme. For instance. Say I’m using the theme “Broken” – I rename “Broken” to “Broken.nw” I then rename “twentynineteen” to “Broken” I can now go into theme selection in my WordPress and choose a working theme. Now that everything is working I can rename “Broken” back to “twentynineteen” then “Broken.nw” to “Broken”

This happened to a client recently. They had selected a third party theme and a WordPress update broke everything. All they were getting was this critical error:

It turned out the theme that they had installed broke the latest version of WordPress. The convoluted instructions above for renaming the theme brought the site back online.

This is one of the reasons I have resorted to using the WordPress default themes and then customizing them myself. When you use a third party theme it relies on that third party to keep the theme updated. It adds a dependency over which you have no control. Personally I prefer to keep things as simple as possible.

To access your hosting file manager, you need to log into your hosting account, select cpanel, then look for file manager under the files section. I will update this post as I encounter and fix more WordPress problems.

In other news it’s great to see the Government give out the password security advice that I gave in my last blog post. Perhaps they were reading it Let’s hope everyone updates their systems to take this into account! There’s nothing more infuriating than a prescriptive password system telling you to use a capital letter. And a number. And a punctuation mark.

Today, I’m particularly focused on online security because we’ve had a targetted attack on our website. When you run websites there is a constant background level of spamming and malicious activity, but the attacker today either knew a bit about the company or had done some research before they attempted to break in. I’ve not seen that level of sophistication before and as a consequence I’ll be undertaking a full security audit.

What can we do to protect ourselves?

Passwords

Passwords are the bane of our lives! You seem to need one for everything – even reading the paper! I personally have hundreds! Not only do we have all these passwords to remember, but they are all supposed to be different. They should be strong and they should be changed regularly! Hopefully we will come up with something better in the future, in the meantime there are steps we can take to mitigate some of the pain.

I recommend the use of a password manager. This is a program that allows you to store all your sensitive data in an encrypted, passworded database. I use the open source keepass which is available to run on your computer or you can also have it as an app on your phone. I run the desktop version, which I then sync to my phone, so I have my passwords on me at all times. There is also a browser plugin that can autofill websites. Obviously the more things you do the more you add possible weaknesses into the system, but I’m confident in my methodology.

If you want to give yourself a scare, enter your email address into one of the websites that monitor hacks and you mey well find out that your email and password are already out there on the internet, through no fault of your own. This happens when a company is broken into and their database of logins is stolen. Sometimes we don’t even find out straight away, because the company doesn’t want to admit it got broken into.

One more note on passwords. Where possible and not everywhere will allow this, I tend to use “several memorable words or phrases” as a password rather than the traditional “A78!£lks” type password. Not only is it easier to remember and easier to type, it is also far harder to crack on account of it’s length.

Two Factor Authentication

Where 2FA is available, turn it on. It is a second layer of protection for your accounts. There are two main types:- app based or email / text verification. Where possible use the app version. There are a number of apps from the likes of Google and Microsoft. I’m currently trialing a catch all authentication app called authy which I’m really impressed with so far. It works for all your accounts.

Email Security

Turn off images in your email client. Images can be external links and those links can be used to track you or worse. Most importantly never click links and that applies to any kind of message. If you need to visit a site go to the browser and type in the URL yourself. Scammers create sites to look exactly like the real thing and if you follow their link you might not realize you are on a fake website. I recommend Thunderbird as a desktop email client. The world of mobile email apps is much murkier. I found a brilliant free one, but discovered it was free because it was tracking me! The default iOS mail client is solid. On Android if you can live with gmail the google app is good.

Then there’s all the obvious stuff

• Run a virus checker.
• Run a malware scanner.
• Don’t install anything unless you know where it’s from.
• Keep software updated.
• Put a lock on your phone.
• Install a phone locator.

If you need advice or training on how to make yourself or your
business more secure get in touch with us. We’ve been doing this a
long time.

As for my security audit, I’ll be logging into all the websites we host, checking the logs, changing the passwords and ensuring all the software is updated. Then I’ll review my own online security and accounts.

The recent default WordPress themes have seen a trend towards minimalism, with themes that are optimized for readability. The last two themes have added extensive support for the WordPress block editor. Out of the box, they offer enough functionality to provide a good looking website with a minimum of tweaking, but have the flexibility for advanced customization. Or in the words of the developers, they offer a blank canvas.

The first thing to do with any new theme is to create a child theme. Themes, particularly new ones, are regularly updated and if you don’t create a child theme, you run the risk that a theme update will overwrite any customizations that you might have painstakingly implemented.

The new Twenty TwentyOne theme looks good without any tweaking. It has good looking typography and it supports dark mode.

It has deleted the company logo and I see from the specifications that the logo dimensions have changed. Twenty twenty required a 300 x 300 pixel logo, whereas twenty twentyone needs a 300 x 100 pixel one. The new theme supports dark mode so it will also be important to ensure that any logo works against both a light and dark background!

It has also capitalized the company name for some reason and there’s a lot of white space at the bottom of the page. The page titles are in a rather large font but I think it might be worth sticking with. I’ll take a deep dive into it when I have more time.

UPDATE: Perfomance of the updated website was shocking. It took over a minute for the main page of the website to load! As a result, the whole website has been reinstalled and the php version updated. Load times are back to normal. If you notice any issues please get in touch.

We could implement a number of algorithms into the code, but there are all kinds of inherent weaknesses with the approach, from finding holes in the algorithm to reverse engineering the Java code.

The safest and most secure option would be to rely completely on a third party for encryption. The simplest method would be to create an encrypted drive partition from a file. There are a number of programs that can do this such as BitLocker or the open source VeraCrypt. Plenty more options can be found here. If you think how much space you think you’d need for encrypted projects, then double it and create a partition that size. Then mount this to a drive letter. It’s important to use the same drive letter, so use something like Y: or Z: that won’t be used by anything else. Open AssetJournal and create a new Projects directory on the encrypted partition. Create a new project in this directory and work away. Once you close AssetJournal and unmount the partition, the project will be completely encrypted. If you wanted encrypted cloud storage, you could create your encrypted volume within a dropbox or tresorit folder.

We personally favour VeraCrypt. The fact that it is open source means that everyone can get in there and look for flaws and it means a secret backdoor is less likely to be hidden in the system. VeraCrypt has been externally audited to ensure it’s integrity. It’s also cross platform which is a big bonus.

A guide to creating encrypted partitions with VeraCrypt. And a guide to do the same thing with BitLocker.

As a small software development company, Covid-19 doesn’t have a great impact on us. Computer programmers have naturally been practising social distancing for years! It’s an occupation that requires intense concentration with hours spent staring at obscure looking computer code. A lot of the kinds of technology that people may be using for the first time to allow them to work remotely, programmers have been using for a long time. So if you need any advice on the technology side of things do get in touch.

We have had to temporarily put up shutters on some of our clients’ websites and we can only earnestly hope that they can make it through this crisis. These are strange times.

With a potential drop off in new work, it would be a good idea to look at some of the in house software projects that we have had sitting on the backburner and to take the opportunity to skill up our team.

Stay safe and remember to keep washing those hands!

Here is a snapshot showing a small fraction of the spam that has been coming through on a daily basis:

It was a simple process to plug Google’s reCaptcha into the website and already it has had a transformative effect.

Although the free Windows 10 upgrade expired some time ago, it would appear that it can still work in some circumstances. Microsoft have said they will close this loophole when support for Windows 7 runs out.

To upgrade to Windows 10 you need your Windows 7 product key. This might be with the media that came with the computer or it could be on a sticker on the case. The simplest way to find it is to download and install produkey from nirsoft. While you are there, there are a number of tools for scanning your system for passwords. Make sure you copy any keys off the computer as you won’t be able to access them at install time.

The next step is to download the Windows 10 media creation tool. With this tool you can upgrade the current machine or create Windows 10 install media on DVD or USB to install from.

The method that seemed to work was to create a bootable USB device using the default options. Reboot the computer and tell the BIOS you want to boot from the USB device. At this point you will get the option to enter your product key. If accepted proceed with the install, if not, just back out of it and either find a different key or perhaps look at installing Mint Linux!