My Worst Photos #1: Whitby 1984

A word of explanation…

BACK WHEN all photos were printed, I had a 4-tier system that determined each print’s fate:

  • The best shots went in a “display-type” album – the sort designed to showcase one or two pics per page.
  • The “OK but not brilliant” shots went in a “flip-type” album – the sort designed to store as many pics as possible.
  • The “worth keeping just in case” or “spare copies” went into “The Photo Box” (in reality a box that originally had computer speakers in). The box was then shoved back in a cupboard.
  • The failures went in the bin.

Nowadays it’s all digital and only the best make it into an album. Occasionally I’ll be given a print that still finds its way to The Photo Box (let’s call it TPB for short), but largely it covers the period from the 1970s to the 1990s.

Recently I up-ended TPB and browsed through the whole lot, reminiscing, occasionally smiling – but mostly remembering why those photos were relegated to TPB in the first place. I quite like sharing some of my photos online, but they’re usually pretty good (IMHO) to warrant that. Nevertheless, I realised, even these dodgy efforts had a story behind them. Hence today’s post, with a few more to follow.

And so it begins…

…with this beauty from 1984:

[Photo: Worst_Pics (1)]

Isn’t it great?!

It was taken in August 1984 in Whitby, North Yorkshire, probably on a Kodak Instamatic 33 or similar. To be fair to the Instamatic, I’m pretty sure the colours were originally better and have faded, even in the confines of TPB, over the subsequent 33 years. Colours apart, however, I’ll admit the composition is less than pleasing.

You can tell it’s the sea, and you can just about tell there’s a person in there (that would be my new wife, since this was our honeymoon). I think there are a couple of boats too. Pleasing to the eye it is not.

So what’s the story then?

Having got married in Cleethorpes we honeymooned in Robin Hood’s Bay, spending a week in a cottage attached to a farmhouse for the princely sum of £60. The cottage had a sink and loo but no bath or shower, so we had to go to the farmhouse for that. The first time my bride used the bath she left her wedding ring behind and the farmer’s wife brought it back for us. (A year or two later, my wife lost that ring, we knew not where, so we replaced it – only for the original to turn up when we defrosted the freezer…)

Our wedding reception hadn’t finished until gone 6 p.m. and we didn’t arrive at Robin Hood’s Bay until about 11 p.m. The cottage was up a farm track so there was my new wife in her going-away outfit, opening a gate on a muddy track by the light of the headlamps. Oops. The farmer’s wife came out to meet us, saying she was beginning to think we weren’t coming. We’d got lost in Hull (in those pre-satnav days), and we began to think we’d not be coming either.

We had a good week, taking a trip on the North Yorkshire Moors Railway and, obviously, visiting Whitby – where my wife indulged her love of swimming, or more specifically, swimming in the sea. 33-and-a-bit years later, she still loves sea swimming, most recently in Looe in Cornwall. She would love me to join her but it’s a rare day indeed that sees me in the briny.

We’ve never returned to Robin Hood’s Bay or Whitby but this faded, badly-composed shot will always remind me of where our life together began and make me grateful for having a fully-equipped bathroom.


Two-Factor Authentication: SMS or an authenticator app?

I admit it: I’m dithering.

After agreeing that passwords are no longer enough, I continued my mission to explore strange new cyber security worlds and to boldly go where…oops, sorry. Anyway, I carried on looking into 2FA. The default, simplest and most easily understood (at least by me, and, I suspect, by many others) method of applying a second factor is to use SMS, a.k.a. text messages. I’ve experienced this, and it works. Trouble is, it’s far from foolproof: messages can be intercepted, my phone can be stolen and used to read them, or there’s a fiendish fraud trick called SIM swapping that can give the cyber-thief the information they need.

To overcome all these weaknesses, there’s an alternative called Time-Based One-Time Password (a.k.a. TOTP, which in my day always stood for Top of the Pops, but there you go). This method requires an app such as Google Authenticator or Authy, which is generally reckoned to be superior. In addition to overcoming the issues with SMS, Authy has other advantages.

So, having decided to try out the “Authy” 2FA app, I duly installed it on both my Android phone and my iPad. Here’s how the journey proceeded:

On opening Authy on my phone I was asked to enter my “cellphone” number (that’s mobile number to us Brits), consisting of the international code (i.e. 44 for the UK) and then the normal mobile number, which doesn’t need the leading zero and which Authy displays in typical American format. So if my number is 07123 123456, Authy shows it as 44 712-312-3456; slightly confusing but not a big deal.

I then entered an email address (although not sure what that’s used for yet…) and then had to choose between a voice call and SMS for initial verification of the mobile number. (Yes, it slightly goes against the grain to use an SMS verification code in this context – where the point of the app is not to use SMS for two-factor authentication – but as they point out I haven’t yet entered any confidential info in the app so the security risk is extremely low.) After receiving the verification code, Authy was ready to add 2FA accounts.

But first I wanted to install it in other places, because one of the advantages of Authy over, say, Google Authenticator, is supposed to be that it’s much less troublesome if my phone is lost or stolen, or if I port my number to a new phone. I read this Authy page and got slightly perturbed at a potential delay of several days. Nevertheless I decided to press on, so I installed it on the iPad, entered my mobile number and, as before, entered the verification code that was sent to my mobile (by SMS).

Finally, I installed it on a Win 10 desktop PC. This too required an authentication process.

Being the cautious type, before actually setting up any 2FA I wanted to clarify various Authy options, PINs, protection passwords and the like. But although I set out to read the Help info on those topics, I ended up reading an FAQ about the “phone change process”.

And I was alarmed.

It was all starting to sound rather involved and potentially complicated. Now I’m torn; I know that SMS-only 2FA is insecure, insofar as it can be bypassed by various nefarious means, but do I really want to go this more complex route??

I’m going to do some more reading before taking the plunge. I understand all the arguments for not using SMS, but my brain just hasn’t yet got to grips with all the scenarios. It whispers to me: “What’s the point of increasing the security of your online accounts if you can end up being locked out of them for days – or even permanently?”

Have you used an authenticator app? What do you think about my hesitation? Shall I just quit dithering and dive in?

Two-Factor Authentication: Is it worth the hassle?

Passwords are no longer enough. That’s what we keep hearing. Bad people are constantly battering at the door of my digital life looking for a way in, and I need more layers of defence, even if I avoid these classic password boo-boos.

Enter two-factor authentication (abbreviated 2FA, a.k.a. 2-step verification if you’re Google, and hashtagged as #2FA on that Twitter thingy). (“Universal 2nd Factor” or U2F is a related technology requiring special bits of hardware. We’ll not go there just yet.)

Like you, I have lots of online accounts, some of which don’t currently use 2FA (I’m not telling you which ones as you might hunt me down in order to cyber-attack me). My first introduction to 2FA was with the UK HMRC web site. They didn’t force me to set it up, as I recall, but I was happy to do so. Now, whenever I need to log in they text me a code which I have to enter in addition to my user name and password.

At this point you (like me) may have some questions, such as:

What problem does 2FA fix?

Sticking with the HMRC example, if someone steals or cracks my HMRC credentials, they still can’t log in as me because they don’t have my phone and can’t receive the 2FA code.

But what if they steal your phone as well?

Not very likely, is it? It could happen, I guess, so let’s assume I’ve been assaulted, they’ve tortured me for my HMRC login and then nicked me phone. I was about to say they’d need to crack my phone security as well, but then I remembered that text messages show a notification on the lock screen – so they might still be able to read the code. Dang it.

Not only that, I did hear of a scammer who managed to scam the mobile phone company as well as the target company so that they were able to receive 2FA codes. No torture or physical theft required. The phone company were negligent and it was a very complex scam, but it worked. (I’d like to include a link to the story but I can’t find it online and, hey, I’m not Wikipedia.)

So the answer is – 2FA could be defeated. Boo.

Aha! And what if you just lose your phone?

That would also be a pain in the proverbial. But HMRC, like all reputable 2FA systems, provides for backup authentication methods. It may be a landline number, another mobile number or even a set of one-time codes you can download and keep for just such a calamitous occasion. (No good keeping them on your phone, naturally.)

So, when configuring 2FA I do need to consider the Plan B option as well.

Do you have to enter a code every time you log in?

With HMRC, yes – that’s how I’ve set it. I don’t use it that often, and the data is highly confidential. But for other accounts, I do live in the slightly troubled territory of Remember me on this computer. We all do it – who wants to log in to everything, every time, on every device? Browsers (or the systems themselves) offer to remember us, or keep us signed in. It’s that balance of security and convenience.

With most systems it’s possible to only require a 2FA code when signing in to a new device. There’s a logic to that because if my account credentials are stolen, chances are that the criminal will try to use them on a computer other than mine. And 2FA will thwart them. (Always assuming they haven’t stolen my phone.) But, as before, there’s a slim chance that the hacking happens directly on my own computer (say with a keylogger loaded by a Trojan). In that case, if I’ve selected “keep me signed in on this computer”, and the digital baddie has control of my PC, I’m doomed. 2FA will not save me. The baddie will access all my secrets and ruin my life.


Is 2FA worth the bother then?

Yes, yes, a thousand times yes. Cyber security is all about risk management, just like physical security. The fact that my front door lock isn’t impenetrable doesn’t stop me using it, because it significantly reduces the chances of a burglary. It makes life harder for would-be thieves. If I add a second factor (like an alarm, security lights or a savage guard dog), it mitigates the risk further. A determined criminal could still bypass it all – but the chances are they won’t bother.

Is 2FA using text messages perfect? Nope. Can it be beaten? Yep. (And not just by stealing my phone, by the way; text messages are unencrypted and can theoretically be intercepted during transmission.) Will it help if I’m already signed in, stay signed in and the criminal has access to my device? Nope.


Will 2FA with text messages usually stop a thief accessing my account on another device? Indeed. And theft of my credentials without loss of my phone, I would submit, your honour, is by far the most likely scenario. Why? Because most credential thefts or cracks don’t involve anyone accessing my computer (or my phone) directly. They’re stolen when a company web site is breached or when I’m dumb enough to be social-engineered or phished.

OK. So you recommend using 2FA?


Although…it’s worth being aware that companies mess up sometimes. Not naming any names, but Facebook have angered people with what they now say is a bug causing users to receive spam texts after setting up 2FA. That particular failing hasn’t caused a security problem – just extreme annoyance. Facebook’s 2FA is relatively new (at the time of writing) so it may be prudent to avoid being among the early adopters when a service first offers 2FA.

Which accounts did you say you don’t have 2FA configured for?

Nice try.

The Dad Diaries Chapter 5: In which a bowl is broken and bonding is too expensive

Wednesday, 9th February, 2005

The Bill Bailey DVD we ordered arrived, and I had to agree with Jack’s assessment that it’s “well funny”. I feel an affinity with Bill, since we’re both humourists. The only difference between us is that he’s extremely successful, has great stage presence and happens to be a talented musician to boot. There, I must admit, he’s got the advantage over me, since there’s probably not a huge amount of comedic value in a bloke staring at his guitar trying to remember the chords for Home on the Range.

Friday, 11th February, 2005

A man’s work is never done. In anticipation of guests landing on us (not literally) tomorrow, I took the afternoon off to get the house ship-shape (or, more realistically, house-shape). With F. being out and Sarah not being well, poor old Jack was press-ganged into “volunteering” to help. So, while I spent about 5 hours cleaning two bathrooms, the hall, landing and stairs, our bedroom, the lounge, the dining room and the study, Jack bravely changed his bed and hoovered his bedroom.

Jack asked if he’d be getting extra pocket money for all his efforts. I launched into an uplifting speech about fulfilling our responsibilities, all pulling together, the reward of a job well done and the like. It took me a good three minutes to notice he was no longer there.

Saturday, 12th February, 2005

A most pleasant day with our visitors. We watched rugby, went to town, got soaked walking back from town, then dried off while watching a Tom Hanks film, The Terminal. It’s a peculiar yet heartwarming tale (not unlike these diaries, really) marred only by the fact that in my hurry to restock the popcorn I broke one of our treasured blue Pyrex bowls.

Before the devastation

Much like a hamster, said bowl wasn’t exactly irreplaceable but had nonetheless been in the family for some time and will be missed.

Monday, 14th February, 2005

This being Valentine’s Day I have of course carried out various essential domestic chores, to wit: New battery in dining room alarm sensor (previous one having lasted a paltry six weeks); New fluorescent tube in kitchen worktop light fitting (a snip at £6.50); New 10 Watt halogen bulb in bathroom downlighter (again). My sense of achievement knew no bounds.

Thought I’d better tackle the assignment from last week’s session of the Finding Your Place in the Kingdom of Our Righteous God and Playing Your Part in the Spreading of His Glorious Gospel course. My thoughtful and decisive answers apparently indicated that I was mildly interested in eight different areas of ministry and may possibly have one or more of at least eleven different spiritual gifts. So that’s much clearer then.

This being Valentine’s Day, F., Jack and Sarah watched Forrest Gump.

Tuesday, 15th February, 2005

The extractor fan in the downstairs loo ceiling has been screaming like a strangled banshee for a while. Being on a DIY roll (see yesterday’s entry), I whipped it out and sprayed WD40 into every available orifice. A quick check of the instructions (carefully filed, naturally, along with leaflets for a fridge-freezer, a kettle we threw away in 1998 and 37 other miscellaneous household appliances) revealed a fairly short section on maintenance, consisting mainly of the phrase Do not lubricate under any circumstances.

While washing my hands after this highly successful task, I also had to rinse several drops of WD40 out of my left ear.

Wednesday, 16th February, 2005

F. was not pleased by the small, oily pool on the floor in the downstairs loo. I said I’d have a word with the kids as it was probably some weird hair product.

Thursday, 17th February, 2005

I explained to Sarah and Jack that since our tickets for Les Miserables were pretty pricey, there’d be no father-child bonding trip this year. They put on a good show of concealing their disappointment.

Cycled to B & Q to look for a new extractor fan.


The Dad Diaries are fictional. Probably.