Sunday, 17 April 2016 14:46

Fringe festival drops another clanger

Following on from the Fringe Festival in Brighton and Hove comments that have seen calls for his resignation

it has now been added to by the continaul parking abuse by his team. Previously they parked for hours on a loding bay outisde their offices. Now they are parking on a cyle path, by removing a post or two

Thursday, 14 April 2016 22:51

Stand and Deliveroo

 Deliveroo are not a company that delivers marsupial meats as believed by Paul O'Grady

Using a fleet of cyclists and moped riders who are all self employed or freelance, the company delivers take away meals from restaurants.

It seems like a great deal for the cyclist who want to be paid to get fit or to do the sports and hobbies I love all the 16 and 17 year olds to earn their first major bit of pocket money


Sunday, 10 April 2016 19:26

using the bus in sussex

Buses are  changing, there is a silent revolution among drivers who appear to be reeducating passengers how to catch the bus according to traditional value

Here are the simple rules for using a bus

Saturday, 09 April 2016 18:50

abandoned bus stop

Brighton and Hove buses used to run a service up and down a road in Brighon called Downs Terrrace.
Last september they

Saturday, 09 April 2016 18:27

The Co-op cares or does it?

Recently the cooperative in London Road installed new cycle racks the swansea stand style as there was no where to park your bike safely. SInce the installation rough sleepershave taken over this area..
what is worse in the public view,

Saturday, 19 March 2016 21:12


Internal Notes on the VEL API

This is intended as a short summary of what I have done with the API. Feel free to argue with any points, if you feel that I have got it wrong.

I have prepared some short documentation on the VEL API which we can make available to users (see vel-api-documentation.html), which explains how to access it. This purpose of document is to explain to us how to use it.

The fields actually included in the public feed are these ones:-

Format of the Feed Items

  • id: the id of the listing
  • title: the name of the listing, usually the extension name plus vulnerable versions
  • description: includes information that cannot be easily put in other fields, eg if version numbers do not correspond to standard version conventions this can be explained here
  • status: 1 = live, 2 = resolved
  • jed: url of jed listing if any
  • cve_id: CVE and/or other vulnerability tracking database IDs
  • cwe_id: CWE vulnerability classification IDs
  • risk level: eg low, medium, high
  • recommendation: this field is used to give recommendation to the end user how to handle the subject extension, eg to update
  • cvss30_base: cvss 3.0 base vector string see
  • cvss30_base_score: cvss 3.0 numeric score
  • start_version: starting extension version where vulnerability is present, will be empty if all previous versions are likely to be vulnerable
  • vulnerable_version: most recent version known to be vulnerable
  • patch_version: version where vulnerability is patched, will be empty if no patch available
  • update_notice: url of developer's update notice, if any
  • install_data: json fomatted installation data from extension installation manifest, including name, type, creationDate, author, authorUrl, copyright, version and group (for plugins)
  • created: ISO8601 creation date of the listing
  • modified: ISO8601 modification date of the listing
  • statusText: "Live", or "Resolved"

Adding a New Item to the Feed

It is pretty straightforward, go to components->VEL, click 'new'.

I hope that the feeds are fairly self-explanatory. Note that we can add internal notes to the internal description field, these will not be made public. We can link the entry to a joomla article if we want, that might be useful in future, it will provide a way to link items to the current VEL articles.

You must change the status to live or resolved for it to show up in the feed.

The vulnerability type field is for our use only, and is not included in the feed, we don't have to use it but might find it useful to keep track of the vulnerability types in our database.

We can upload the extension manifest, then the data from the manifest will be automatically parsed, to give us the following:-

  • name,
  • type,
  • creationDate,
  • author,
  • authorUrl,
  • copyright,
  • version
  • and group (for plugins)

Accessing the Feed

It will be accessed at There will also be a verification hash at The verification hash updates when the feed updates, so plugins can use this to check whether it is necessary to fetch an updated version of the feed. Note that com_vel does not output anything else.


Com_vel has its own cache, which should cache the feed for up to a year, if nothing changes. Whenever a new item is added, or one is deleted (if that ever happens), or one is edited, the cache will be automatically cleared, and a new cached page will then be generated. Similarly the verification hash will be updated. So it should be quite efficient.

Additional Fields

There is always the possibility of adding additional fields if we decide that they are wanted, and actually there are several more that exist as fields in the database but are not currently included in the feed, mainly in order to keep things simple.

However they are all still there in the database, making it easier to include them in the feed later if we want. The main ones that have been dropped for now are the CVSS 3.0 temporal and environmental scores, as we discussed previously they probably do not add anything significant, and it would be fine to use just the base score. However the CVSS temporal and environmental scores do exist as fields in the database so can quite easily be added if we ever want to do so.

I have come round to the idea that including the CVSS 3.0 base score and vector string is a good idea, and actually much better than saying what type of vulnerability (eg SQL injection) it is. I have kept a field for the vulnerability type available to us in the admin, it might come in useful, but the vulnerability type is not included in the public feed.

There is also the possibility of crediting the discoverer of the vulnerability, if they want to be publicly credited, again it is a field in the database but not currently in the feed.

At the moment which fields are public is hard-coded into the extension (in models/items.php), there are some advantages to keeping it that way, at least it means that a mis-configuration will not accidentally make public any internal data. Still I may look at improving that at some point.

Monday, 14 March 2016 21:43

lost mobile phone

Seeing more and more of these " i lost/dropped/cant remember where" phone posters around what gets me is.

Friday, 26 February 2016 20:49

Fantastic Foster flat

Beng an avid reader / listener of hoorr/ghost/mystery  fiction and  having some extra time recently while on holiday (aka no internet and bad tv reception) i was recommended a new to me author whle waiitng for the latest victoria laurie to be released and not having Horror theatre from the net.

Orrin Jason Bradford has a wide rang of subject material  but i opted for his short story collection, fantastic fables of foster flat.

Tuesday, 24 November 2015 18:30

argos helpers = not

after the purchase of a new tablet for DD. and finding the tablet didnt quite match the descrition, the helpline debate started. date markers from 24 november


4:02pm · 15 Oct 2015 · Twitter for Android4:02pm · 15 Oct 2015 · Twitter for Android
@ArgosHelpers  444/9014 says it takes a SIM card. Where ? Can't find slot

Argos Helpers @ArgosHelpers
@mandville Hi, I'll pass this over to be looked at and let you know when I get a response. Kayleigh


Wednesday, 18 November 2015 16:41

i shut down a charities mailing list.

Many organisations use email services such as mailchimp or constantcontact.
This may be good to get round many email restrictions by hosts for the emailer but is often bad news for the emailee.

Here is the scenario that meant i single handed managed to get a national charity email list shut down.

Page 3 of 5