Monday, January 25, 2016

Obtaining a UK visa: no, they don't "have it easy" at all

Dealing with immigration is exhausting. It's literally exhausting. I don't mean you think you feel a bit run down or whatever - your body goes into full sensory shutdown, your muscles ache, your migraines are never ending and you develop all new forms of lethargy that you didn't previously think existed.

It's a fucking ball-aching drain, man.

UK spouse visas are in the news due to an impending tightening up, and a common opinion is "Good, they have it easy". I'm here to tell you that this couldn't be further from the truth. Below is a very condensed rundown which doesn't go into the real nitty gritty, because honestly, you'd be here all day.

Setting the scene: someone in the UK wants to end up with someone from outside the EU. Ideally, they want to live in the UK. If you're from Europe and move to the UK, your spouse can be from anywhere in the world - Brazil, Africa, America, whatever. Doesn't matter. You can come to the UK from Europe with your non-European partner and that's basically it. Job done. Okay, there's a bit more to it than "show up and live here" but it's certainly not like the below process, to the degree that people from the UK are actually doing this to avoid the boobery outlined below.

That's because if you're from the UK, and your spouse is from outside the EU - you're screwed. You'll have to run a five year gauntlet of headaches, paperwork, problems, a total ban on any form of public funds, the most ridiculous assortment of "do this / don't do that" you could imagine, questions on application forms which are almost designed to fail by virtue of asking for things which many companies and banks don't even issue anymore (hello, self printed wageslips which aren't accepted, paperless bank accounts which also aren't accepted and landlords / housing associations who don't issue letters under any circumstance).

Should you be lucky enough to get the visa in the first place, you'll find out completely out of the blue - you just get an email saying "A decision has been reached", and then you have to sweat it out waiting to see what the result is a few days later when the parcel with your passport in arrives. They're supposed to tell you when the documents are on their way back to you, but guess what? The courier can (and did) just show up, then vanish taking the documents with them leading to more delays. You can also find some of the original documents are missing from the bundle, and after chasing them up and making appointments to collect will realise some of them are still missing.

Once you HAVE a positive decision, you then get 30 days to resolve your affairs and leave the country to head off to the UK. That's it - 30 days. Who can tie up bills, payments, apartment rents and everything else in their home country in 30 days before leaving it forever? And that's before you realise they have to pay a SUPER EXPENSIVE one way flight in 30 days or less. If you don't manage to fly to the UK within the 30 day time limit, things can get complicated - and expensive, of course.

Oh, and don't forget the part where you suddenly have to box everything up and arrange shipping. I hope you don't like sleep!

I'm not entirely sure why this absolutely insane discrimination against our own citizens exists, but here's just some of the changes over the last couple of years to the visa route in question:

1) The hardest part is obtaining the initial entry visa. This has always been the case. However, it used to be that once you'd done the hard part and forked over the cash, that was it - you could remain for 2.5 years and then apply for indefinite leave. You'd have to pay for that last part of course, but that was it.

2) That all changed. Figuring "we can make more money from it like this", now you'd have to pay for the initial 2.5 year spouse visa, and apply AGAIN for a renewal to last another 2.5 years. At the end of the 5 year stint (assuming you don't lose your mind and crack up over the possibility of doing something which invalidates the stay over those long 5 years or suddenly get caught by some retroactive nonsense, or lose your job at the EXACT moment you have to reapply and be under the £18,500 salary requirement), you THEN have to pay for the indefinite leave to remain.

In a nutshell, it's gone from 2.5 years and two payments, to 5 years made up of two separate 2.5 year visas and then the indefinite leave to remain payment.

Of course, this is all terrifyingly expensive which I'll get to later.

The run-up to applying isn't helped by the fact that the UK visa pages tend to be a circular mess of confusing links, baffling descriptions of documents required, a helpline which requires you to hand over credit card info and be billed for time spent on the call before they'll even talk to you and a set of requirements which are... astonishingly vague, for the most part.

You would THINK that the visa application form would say "Want to come here? Then provide this" and be done with it.


What actually happens is, you get a general outline of what's expected but then it's up to you to effectively fill in the blanks. Yes, we know you need 6 months wage slips and bank statements. But proof of relationship stuff? Documentary evidence? Eh, that's all left to your discretion. You don't HAVE to spend five days of your life printing out four years' worth of emails, phone calls, SMS, VoIP chat logs, social network screenshots and printouts of photographs - but it helps.


Other aspects like "Overcrowding" are a big deal. A horribly strained set of criteria are used to establish if your intended living space meets size and room guidelines, and although some immigration advisers will tell you that this information isn't needed, most people do it anyway just in case. Before you know it, £200+ has gone down the toilet on a four page house survey. £40 has gone out the door DHL'ing three sheets of paper overseas due to them insisting on having your most recent wage slip and bank statement AND letter from an employer being no older than 28 days at time of online application.

You know what documents don't magically tend to show up within a few days of one another, thus making the 28 day thing a source of endless headaches?

Wage slips and bank statements and letters from employers.

Meanwhile, the person overseas is blowing money on things like TB tests which have a finite amount of time ticking down before they expire and you have to go do it all over again. There was a language test which cost upwards of £150 (I think) which basically amounted to walking in a room, sitting down and having a conversation. "You've passed!"

Yes, you've passed the getting fleeced test with flying honours. Well done!


When you apply for the initial visa online, even that can be a disaster because they combined the system to take payments for the NHS surcharge (more on this below) and then the visa (originally, they were separate services and you could pay for them at different times).

You now have to pay for the NHS surcharge first, as a standalone payment, then take the number they give you and enter that when paying the visa fee. If you don't have the NHS number, you can't pay for the visa.

You know what happens when you try to make an NHS surcharge payment for £600 for a service your bank has never seen you pay before? You tend to have your card blocked.

You know what DEFINITELY tends to happen if you then try to immediately pay the £1,300 odd fee for the visa in the timeout threatening session?

You almost CERTAINLY have the payment blocked.

This leads to a merry dance of card switching, bank phoning action while trying to make sure you didn't typo any of the dozens of fields sitting in front of you.

Everywhere you look, there's an additional fee for something.

And that's before you get to the wonderfully silly NHS charge.


See, it doesn't matter that the person coming here will be paying for their NHS via their taxes just like the rest of us. For no real reason at all, they now get double dipped and have to pay a standalone NHS fee which amounts to £600 for 2.5 years of cover. If you don't pay the NHS fee online, you can't apply for a visa because you need the NHS number at visa application submission time.

The pricing for the NHS charge confused many immigration firms who stated it would be £500 at launch, only to discover they were out by a hundred quid.

The reason is, as far as I can tell, that the UK visa is SLIGHTLY longer than 2.5 years by like a couple of weeks. As a result of THAT, anyone paying "only" £500 would be technically not covered by the charge for those few weeks. So they round it up to £600 to cover those last few weeks. If you didn't renew or had to leave, I guess you'd have paid over the odds for services you then wouldn't be using which is a bit annoying. (Please note, this is what I assume is happening - I asked 3 different immigration firms why the fee is actually £600 instead of £500 and this was the best guess answer).

So before you tally up any figures at all, anyone who stays the full 5 years is already out of pocket by £1200 for reasons which will forever remain a mystery.

In fact, your time is generally spent throwing up your hands every time the word "Immigration" comes on the news and crying out WHAT ARE THEY STIFFING US FOR NOW, DAMMIT.

Case in point: at the end of the 5 years, there's an English test. Of course, you'll be paying extra for that. This was a perfectly okay way to do it, but now there's a new English test sandwiched in the middle of the stay. You'll be paying for that, too.

Everywhere you look, it's death by a thousand paper money cuts.

Everything you do, or need to do, is permanently shrouded in a veil of "Debilitating anxiety that something will go wrong and / or be rejected at application time".


It can theoretically take "up to" 10 months for a renewal to take place. That's almost running up to half the length of your stay. So of course, the fear is to get it in early, despite probably not having enough documentary stuff to hand for "evidence" at this stage (ask me again sometime about the fun and games involved in getting a bank account, when you don't have a NI number, but need some other thing to get the NI number to get the bank account, but...)

Think about this. That's the best part of a year sweating buckets on something that's ridiculously important, upon which a whole pile of things hinge. But, you know, whatever. Sweat it out, and fork over a lot of cash for the privilege of doing so.

Alternatively, you can go do it same day, in person, and throw in something like a £400 odd "premium charge". Why? Because pay up or take a hike, that's why. Oh, and the cost of the visa is currently going through the roof.

"The cost of the visa will rise from £2,141 to a maximum of £3,250"

Seriously, look at that nonsense. It's expected to peak at around £2,600 odd, but by the time next year rolls around I'd be amazed if it hasn't approached insane levels of "Money please".


That's what - anything "up to" £3,250 for the visa, I'm guessing that doesn't include the £600 for the NHS fee renewal, there's the inevitable £400 odd premium same day service (because nothankyou.jpeg to the 10 month wait), an expected £200 odd for a house survey, whatever health tests they may want, the language test (not sure how much this will be yet but based on prior experience let's go with £150 odd) and - most likely - £600 or so for a decent immigration advisor service (which I recommend using, because holy crap).

£5,000+ for a visa? What the actual fuck.

As a final closer: non-EU partners in the UK do NOT receive benefits, and are barred from "public funds" for the duration of their stay alongside having to effectively pay an NHS tax of £600 as a further barrier to entry. If you show up in the comments banging on about jumping into the dole queue / getting houses for free or getting cushy medical treatment without having to pay a penny, I will banhammer you into outer space.

For everyone else, take a ticket and join me in shaking your head and saying "What the actual fuck".

It's my current favourite phrase.

Wednesday, June 03, 2015

The Writey Writer's Resource Page


Today I'm giving a workshop at BSides London called The Writey Writer's Guide to Writing Writerly, and this is the temporary landing page for a shortened URL. In the near future, this will serve as a handy resource link for those who attended.

Nothing to see here (yet), but there will be very soon...

Monday, December 29, 2014

My favourite game this year was...Dead State

You need to repair the fence before raiders trash it. A quarter of your group is sick with food poisoning. The one science guy you have needs to make antibiotics for the infected members of your team, but you're low on ammo so he needs to sort that out instead. The car broke down so you're on foot for today, but if you walk to the nearest supermarket to pick up as much food as you can carry you won't be back until after midnight and hit a fatigue penalty. That one racist guy is picking a fight with the kid ready to up and leave and take half your stuff with him. There's a militia at your gate asking for food in return for a safe evac within a month, assuming you can last that long.


This turn-based combat zombie apocalypse sim has gobbled up 90+ hours of my time this year, and I'm surprised to see only one other person on my Steam friends list who owns it (and that was because I bought it for them).

Staggering out of a burning plane, you're asked to choose from a wide range of attributes and in no time at all go full Rick Grimes as you battle to keep a school filled with survivors well fed and safe from the zombies and a variety of increasingly crazy humans. If you want to roll a science buff, you can. If you'd like to talk your way out of an endless stream of tricky scenarios you can do it. Long range sniper survivalist? Baseball bat swinging tough guy? Mechanical genius more suited to the large selection of base upgrades on offer? Be my guest.

Imagine State of Decay, but without the utterly generic placeholder "characters" in your crew who can easily be replaced should they die. That isn't the case here, and losing people with particular sets of skills can hurt you greatly in the long run. Everyone here also has a personality beyond "the guy with the green vest" and "the woman with the brown jacket". Doug is an IT geek. Vic is a backwater cop with a nice moustache. Priscilla likes chickens. Davis might be the best character in a wheelchair in a videogame you'll ever see on account of how well written he is. It's entirely possible to miss picking up additions to your group and that can significantly change up how things pan out inside the school. I think you'd need 2 or 3 playthroughs to see everything it has to offer.

The game takes place inside the fictional city of Splendid, Texas, and the map contains 100+ locations for you to pillage and / or run away from. You may find survivors. You might see traders. There'll be random encounters on the map. The environments all tell a story, and often it's fun to guess what went wrong and allowed all hell to break loose. It might be the car which overturned after ploughing through the barricade at the truck depot. It might be the flimsy fence which shattered and let the hordes in at the residential complex. It could be the looters which tore up an otherwise secure neighbourhood. Does that house have "keep out" painted on the wall with bullet holes peppering the windows? There's a good chance you'll want to steer clear unless you want to run into looters, or aggravate people just trying to survive and incur a morale penalty for killing them all.

Keen observation of the map you just entered can save you from a swift death, without taking a single footstep. Zombie infection can come from a single bite, and if you wander into an aggressive gang stomping ground before you're ready you may as well reach for the reload button now. The worst thing I probably saw was when I took the mother / daughter combo out on a food run, watched the daughter get her throat torn out, rise up as a zombie and have to smash her head in with the mother's sledgehammer immediately afterwards.

That was just wrong.

The writing is focused and well done, and the scenarios that unfold between your varied selection of survivors are both mature and often uneasy to listen to or attempt to resolve (usually pissing off one or the other in the process). Later on you'll become embroiled in group debates and have to make decisions which keep the majority of the survivors - and the all important second in commands - reasonably happy. Just when you solve one problem, another one crops up. It's all too easy to leave something hanging for a day - like specific requests to visit locations or perform certain tasks - then annoy your companions no end and watch them jump ship.

The game does have a number of bugs, but then I believe it contains something like 50,000+ branching lines of dialogue and a complicated set of event triggers which depend on certain events taking - or not taking - place. The devs seem pretty proactive about fixing these, and Dead State continues to receive attention.

Here's some screenshots I've taken while playing and the Steam page is here. I'm still finding new things to do and new ways to play, and haven't completed either of my two playthroughs yet (there are multiple endings, from what I've read). If you can deal with some bugs and the occasional script misfire (and, er, the occasional character returning from the dead in your shelter as if nothing had happened to them) then you should definitely consider giving it a go. The game isn't massively intensive on a laptop and works great even on a mid-range i5 rolling a Geforce 820m. If starting a second playthrough, I'd suggest increasing the animation speed to maximum so you can just get on with things at a faster pace. Everybody will be walking around like they're in a Benny Hill sequence, but that just makes a zombie apocalypse better.

Dead State: my favourite game this year.

Tuesday, September 23, 2014

Some thoughts on the Steam Store Update...

Steam updated the look and feel of the Store page, along with some fairly major revisions to how things work.

Some things to note:

1) A while ago, Steam altered the tabs on the front page. In terms of what was on sale, you used to see the new releases tab before anything else, then could dip into best sellers. At some point, they changed it so you'd see top sellers first. This used to grind my gears for a number of reasons, and it has been covered extensively elsewhere.

The way the tabs function has now changed again, so you default to "POPULAR new releases". To see what are presumably not high selling new games, you have to scroll to the bottom of the game tiles then click the "See all new releases" button. You're then taken to a feature-bare page of games, but at least you'll see new games which aren't AAA blockbuster pre-orders. As a final note, things like daily deals are currently way down the page.

This all seems like a really bad idea from a "Let me browse and purchase new games with zero fuss" point of view.

2) They really want you to see "curator" recommendations. They seem to be on every game page. These are people who post lots of comments about games on Steam pages. At time of writing, they're ranked like so:

"Right now, top curators are listed by the number of followers they have."

People interested in the Steam recommendations prior to the revamp tended to follow those who were known for their humorous "bag throw simulator" type missives, which is fine. However, now that these things are being pushed en masse across the Steam network whether you want them or not, it simply isn't good enough. If you want to add things to pages, you need to convince me that I want to see it on every single page. They do say that listing by number of followers may change at some point in the future, but in my humble opinion it absolutely has to and fast.

The bulk of the Steam recommendations I see right now are one line joke memes, and people trying to be witty. The result is a ton of "recommendations" which add nothing but clutter.

This game is on the frontpage of the site - look at the listed "review". Look at all of their listed reviews. What's the point of that? Other reviews from different curators: "This looks good but I haven't played it yet" and "this was shown at [videogame conference x]".

Do Steam allow people to recommend games they don't own? They sure do:

"Can I recommend games that aren’t in my Steam library?

Yes, you can recommend any game that is available via Steam."

I suppose the most important question here would be: why?

As a side note, you cannot currently disable the visibility of curators.

3) You can no longer see what friends are playing on the frontpage, or what they recently bought. Instead I'm overwhelmed by recommendations from strangers which I find little value in, or bizarre and broken suggestions from Steam as to what I should buy next. You know how if you click on something humorous on an Amazon page and your purchase recommendations go completely left-field? Imagine that but for videogame recommendations.

I'd rather trust visual suggestions of what may be good or bad based on immediate feedback from people I know than complete strangers.

Overall, I can't say I'm a fan of this rejig. I may well find some more things to add to the short list above, but for now let's see what Valve do with the feedback they're sure to be receiving...

Monday, September 22, 2014

Videogames: The Hacking Minigames Edition

Many moons ago I took part in an episode of Gamespot's Reality Check, on the subject of Watch_Dogs and videogame hacking. Out of that came a shorter segment based around good and bad examples of hacking in videogames. Fair warning: it mainly looks at the trend of turning hacking into minigames, instead of titles which are primarily all about hacking like Uplink.

A couple of games not mentioned up above were given a shout-out in a spinoff blog from way back when.

And yes, I really did sit there for an age trying - and failing - to figure out the hacking minigame in Alpha Protocol. Bonus points for mastering this on a PC with mouse and keyboard. The (rather distracting) mouse pointer which controls the right box often ends up moving outside the terminal screen, resulting in two eyeballs trying to track two boxes and an increasingly distant pointer crawling across a sea of flashing green letters and numbers.

The frequent reward for managing to not get a migraine in the first five seconds is the horribly imprecise mouse wobbling off the intended target just as you hit the button.

Last night I fired up an Alpha Protocol save from the first set of Saudi levels, had some fun with the email feature, the intel purchasing, the loadout screen and the comedy beard.

Ten minutes later I was standing in front of a failed hack attempt, flashing lights and guys firing machine guns from ten feet away and missing while I carefully considered which wall to bounce the mouse off for optimum destruction.

Back into the digital box you go...

Sunday, August 10, 2014

10 Years in Infosec: The Obligatory Blogpost

I didn't intend for the face to face meetup I had with the BBC to turn into some sort of gonzo summing up of the last ten years of my life, but looking at it - with pictures of Batman and giraffes as you scroll down the page alongside tales of Chunkylover and the Nigerian Astronaut - it's difficult not to feel that your life is pretty weird.

Ten years in infosec is nothing, really, given many people have done it for that length of time three times over or more. But when you thought you'd be getting paid money to make bad movies or paint pictures riffing on the best aspects of high renaissance art via comic book sensibilities, it feels a lot longer. I'm a "Veteran" now! I'm old! I might grow a beard!

I'm still pretty new to the infosec scene, but I think I earned my blogger Vet stripes thrashing it out with all those incredibly rich Adware companies of old at a time when hardly anyone else was, and in very public fashion I might add. I also managed to find a near endless stream of "really bad things" (TM) and shone a light on lots of terrible people and practices, which can only help people in the long run so I'm happy with that. I tell you what, that was probably more use to people than me making yet another bad film or a painting of some dudes with their weenies out.

I might still do the painting, whatever.

The one thing I have learned, above all else, is that there is no bigger challenge than sitting down and hammering out a non-stop wall of text spread out across ten years. Ten years! I never thought I'd be doing anything for ten years. I actually often feel like I could have written more blogs and entries and talked about more threats, but unfortunately I run out of hours like everybody else.

A moment of silence, please, for all those infosec bloggers down the years who either stopped or (in one sad case) went missing - writer fatigue and burnout is a very real problem, and when you're trying to hammer out new research info in a field where last week's news is as good as something that lumbered out of the Dark Ages, it's quite a problem.

Writing opinion pieces on anything is hard. Finding new threats and scams to write about on a daily basis, and trying to do it differently every time, and attempting to talk about things that others aren't already covering, is hard. When I look at how many research pieces I've put together, more often than not based on something I found, analysed and then bashed into something approaching readable words, it's quite the eye opener. I'm genuinely surprised how much I've done.

This isn't everything by a long shot, but as a random sample: 105 blog posts in 2007, 254 in 2008, 208 in 2009 via the old Spywareguide blog. Think about how many research posts someone can get out in one week - from what I see, it's usually about 2 or 3. One time I discovered and then wrote about 43 things in one month. Which is, by all accounts, completely insane. At the same time I was cranking out up to 30 or so posts a month - often on different threads of research - on my personal blog, for about six years. That personal blog finally died sometime in 2010 when I realised I was blog typing my way into an early grave with anything up to 50 posts a month. Whoops.

The words still keep coming, as I leave FaceTime and move to Sunbelt / GFI Software / ThreatTrack Security. As the blog kept changing and moving home, it's difficult to work out exactly how many pieces of research I put out but - and this is a rough guesstimate - around 283 blog posts on the Sunbelt / GFI blog between 2010 and 2012, then somewhere in the region of 100 posts for ThreatTrack between March and November of 2013.

In December, I moved over to Malwarebytes and just realised I have hit 100 posts in 9 months. I think that's pretty good!

All those words end up helping lots of people and steering them away from bad things. We also get to shut a lot of those bad things down and hand out digital hi-fives every now and then. That's good too.

The technical process for shaping those words is an ever changing sea of "what next?" Too many sentences and paragraphs, you lose your point. Not enough, people may assume what you're talking about doesn't matter. I have written long blogs, and will continue to do so when absolutely necessary but I do try to avoid it where possible. I'm always looking to remove a sentence, a paragraph, will happily write 300 words then delete the lot if it looks like it isn't needed. I don't need to throw out thousands of words on something when I can get a perfectly functional entry out the door in half the time. 84 words! That's like four sentences! Awesome.

Of course, the reader doesn't need to care about the technical junk behind the crafting of the blog - though I will be giving a talk at a University on that very subject in December (oh my God, I am old!) - but it is something to think about.

Me, I'm thinking I'll hand myself a short pat on the back for having bludgeoned my way through 10 years of sleazy Adware vendors and an endless parade of scams, files and other shenanigans and come out the other side mostly intact and get right back to it.

Also that monster nudie painting is totally going on the wall above the TFT.

Thursday, July 31, 2014

Google+ updates policies, is still a fiasco

Hooray! Google have finally dropped their idiotic names policy on G+. Unfortunately it's a massive hack job and fails in almost every way imaginable.

I'd much rather be called "paperghost" than "Christopher Boyd" on G+. With that in mind, it should be a piece of cake to change it, right? The first problem is a total lack of clarity on the part of Google with regard to how to change your details, what works and what doesn't.

A quick look at the Google posts on this one [edit - I had links but in keeping with the G+ tone they've fallen off and don't want to stick] and you'll see the first issue: people simply don't know what to click on to change the public facing name. You'd think this rather basic info would be right there on the Google posts about this brave new world of customisation, but nope...nothing.

First port of call is trying to change the name in the custom url pop up, seeing as it's likely the first name related thing you'll have presented to you. Unfortunately, it doesn't work... All you can do is add letters and numbers to the name already in the system.

I eventually discovered that custom url fields are not the way to do it, and they won't be changing how those things operate for the foreseeable future.

Seriously, this is buried in blog comments.

I then worked out - completely by accident - that you change the public facing name by clicking on it when on your profile. There's no onscreen indication that this field can be clicked on, there's nothing from Google giving you this info and looking in settings will only confound you. It's like the anti-mystery meat of web design.

Google then keeps warning you that you won't have the best experience if you go changing your details - no kidding! - then presents you with screw up number 2:

You're still stuck with first name, last name boxes. As you might imagine, this isn't optimal if your pseudonym is one word long. The botch job workaround is to place a "." in the second box. Confusingly, one Google guy says this is a glitch and will be corrected, even though it says to do this on the official help pages. Also it hasn't been fixed yet.

An additional knock-on effect is that the craven claws of G+ are so deeply embedded into all of your Google services that should you change it, that change is reflected across them all.

That's right, Google's idiotic decision to cram this junk into all of their products means you'll now be receiving emails from "paperghost. " complete with the idiotic full stop at the end of the pseudonym.

Really? Really?

Get out of here.