Joys of Christmas

Not going to be a good Christmas really.

Last year we had a breakout site that was doing really well. This year we have a mess that is dying on its arse, pardon language.

In 2015 we put together a roadmap of things to be done. All the work on it for me and in my area has been done.

Unfortunately there are parts that require the intervention of a third party our database handler. Who has done precisely one piece of work, after I threatened to sue.

When asked to do their part, they instead asked:

– why can’t I also do the databases instead of them? (You know, as well as all front end work, feeds, set up, membership, provide all the content, etc.) Because I’m flat out doing my work for the year and building work-arounds to get round the work they haven’t done.
– why do they have to do anything? Let’s see: agreed roadmap, costs and more.
– does this really need to be done? Yes, that’s what was discussed and signed off. – and he’s worked really hard for two weeks, so why am I still an unhappy customer?

Well…

• The roadmap and agreed work covered twelve months
• The site’s traffic has halved,
• It has lost 600,000 Alexa ranks,
• Ad revenue has collapsed and it is no longer supporting itself
• We’re losing subscribers over persistent bugs and promised features that have not arrived
• And I’ve been on two hours sleep a night for the last four weeks trying to fix it all.

And then at the weekend I learned he was claiming to have completed work that he hadn’t. I ended up in his office forcing him to actually look at the code, at which point he did the “Oh no, you’re right, it doesn’t work” and added a note to a pad. No apology, no indication he would actually do it.

Unhappy? I want this guy’s head and a competent coder!

And he now wants to take on video production for us. Somehow I don’t think so…

And I have will be logged in on Christmas Day to try and fix the mess from home. Did I mention I won’t get paid for this? I suspect there may be a damning post after Christmas naming and shaming the company.

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Joys of Christmas - http://rablogs.co.uk/tirial/2015/12/23/joys-of-christmas/ was published on December 23, 2015 at 9:47 am.

Search Engine issues

So, Google has now added a new feature.

Originally in the dim and distant past, Google was a search engine.  Then it started collecting details from users’ searches and serving ads. It could charge more based on these details. So it bought other sites, like youtube, and then tried to make users put everything under one sign-in, which creates ad profiles which can be sold for even more money.

And in the last few days the inevitable happened. If you don’t have a google account and don’t give them permission to track you, good luck using their search engine.

  Over the last few days I’ve been through this a few too many times.

Let my summarise it:

• Click next
• Get told that it will take your data, so click Other options
• Click edit settings under search customisation and turn search off
• Click edit settings under ad preferences and get a 302 error.
• Click edit settings under youtube and turn off.
• Click edit settings under Privacy and get asked to download Googles code. Non, no, no.
• click back.
• Get told that you still have to agree to let it track you to get to the search screen.

The really good thing, of course, is that after turning all this off I went to youtube. You know google claims that its default settings are child safe, and if you see porn its your fault? Nope. With history on I see tech demos and science vids. With history off I get lots of half-naked women. Unless they’re bio-roids with spec info, I’m really not interested.

But what can you do?

Oh yeah, you can

• Use duckduckgo.com to get a google search without giving google your data.
• Use altavista
• Use yahoo.com

Because seriously, given the poor quality of google’s recent search results (and before this screen came up I was averaging one report a day under their feedback of just how inaccurate their results were, and then having to go to duckduckgo anyway) and don;t see any reason to pay them for poor performance.

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Search Engine issues - http://rablogs.co.uk/tirial/2015/10/20/search-engine-issues/ was published on October 20, 2015 at 9:46 am.

Disabling Contactless Cards

Contactless card security – or the lack of it – is back in the media. There are three main items that the card firms say make these cards secure. Sadly I would disagree with each.

6 RFID Blocking Sleeve Set Offers
Secure Protection from
Identity ID Theft an d Credit Card Fraud

1) Short Range.
Which said that while industry standards specify a maximum magnetic-field strength for card readers of 5cm, some may be able to read cards at greater distances. Their test rig read it from 45 cm. (http://www.theguardian.com/money/2015/jul/23/contactless-card-is-too-easy-says-which)

"It may be possible for a small percentage of cards to be read 15 to 20cm from the reader," he said. "Even if this was to occur in 0.1% of cases, with more than 300m transactions taking place last year, many consumers could be affected."

So the only limit on how far a card can be read from is whether the person building the reader wants to stay within the guidelines. People planning to break the law by stealing credit cards will, of course, follow guidelines rigidly.

So your safety with a contactless card depends entirely on the honesty of the person who plans to steal it.

2) That the amounts are so small no one would be interested.
I’m going to use an actual live case that I observed here, regarding an online site and its payment. Squidoo was an article site that paid monthly for articles with the most traffic. As its monthly payment increased, so did the amount of click-fraud etc.

When the payment for a top article on squidoo was $10, fraud was very low.
When the payment was $30, coders built and sold tools just to get the payment, and sold them for $50 (e.g. SquidooBlaster).
When the payment reached $50, it was hard to get that payment without fraud.

Likewise, when the payment for a contactless card was £10 no one bothered. Now it’s £20, and they want to make it £30. At what point does it become worth the outlay for a cheap phone and wide range receiver – less than £100?

With Squidoo there was a cap – only the top 10,000 lenses got that type of royalty. With credit cards, they could get that many in an hour walking around a city street or station.

3) That after a certain number of transactions, you have to use your PIN.
Not only do they still get the funds for the first transaction, but this is where long term cons get nasty.
Once they’ve got your data, they can make a number of transactions and then get locked out.
If they’ve made small transactions, so transport or whatever else, they simply have to stop using your card, wait for you to use it and unlock it, and then they can harvest £20 off it again the next day.
£20 every day for a month is around £600 per card. The equipment for Which? cost under £200. Think the fraud is worth it yet?

And since thieves often s tore the cash by buying gift-vouchers, which are hard to trace, it provides an ongoing benefit.

The final safeguard: Insurance
If all of these safeguards fail and your card is used without your consent, the banks state they will refund you. There are a lot of issues here.
From the user’s point of view, they refund from the point where the user tells them there’s an issue. Unlike a physical card where you notice you’ve lost it, with contactless you could lose quite a bit before you get a statement or indication that something is wrong. 

However from a societal point of view there’s another issue. In the TJX case one woman lost $45,000. She reported it. The card firm refunded her. The firm then either claimed insurance, or reclaimed it from the retailer, who then claimed on their insurance.

The thieves still had the original $45,000. They still benefited, so there was no reason for them not to con tinue to steal credit cards, which in fact they did. If insurance means the theft can be seen as stealing from banks and insurance, not retailers and little people, it might even encourage it – you might have noticed the number of online groups spelling ‘bankers’ with a ‘w’.

Hacking Point of Sale:
Payment Application Secrets,
Threats, and Solutions

And then more recently, the possibility of a whole new field of fraud was opened up.

While RFID Journal says that the contactless chip does not contain the entire data for the card (http://www.rfidjournal.com/blogs/rfid-journal/entry?7870), InfoSecurity Journal states that it does, and that they have accessed it through a legacy profile (https://www.infosecurity-magazine.com/magazine-features/how-secure-are-contactless-payments/).

Now if this is true, it re-opens a whole field of card cloning. The security issue is simple – the RFID contactless chip contains the same details as the magstripe. This is enough for someone who scans the details to clone the card for signature use with a generated magstrip. Put a faulty chip on the cloned card and most card readers revert to the magstrip. Then the person who created the cloned card just has to swipe and sign the slip – like they signed the cloned card fifteen minutes before… It might not match the real owner’s signature, but that won’t be revealed until the slip reaches the bank in a few days.

So, no, the more I look into it, the less happy I am about the security on contactless cards. Many of the more complex technical security solutions seem to assume that a fraudster will never acquire a physical card from that bank to reverse-engineer it (because, you know, thieves never have or steal real physical cards…).

Then Visa asked to be able to track cardholders movements and transaction locations by their phones “for security” (https://nakedsecurity.sophos.com/2015/02/ 18/visa-asks-to-track-your-smartphone-to-help-sniff-out-credit-card-fraud/). And that data about where you are at what times of day every day couldn’t be abused at all, could it?

So when the bank refused to replace mine with a non-contactless card, I have just field-tested disabling my card’s contactless. My solution works. 

I’ll post it here in a few days.

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Disabling Contactless Cards - http://rablogs.co.uk/tirial/2015/09/10/disabling-contactless-cards/ was published on September 10, 2015 at 9:47 am.

EUVAT - a last thought

I’m not going to define EUVAT again (daft legislation that even the EU admit was not thought out and is killing small business, but may not fix for 2 years), but I was going throw out a last thought before the EUVAT Symposium in September. The problem with the proposed solution of adding a turnover threshold to EUVAT is that VAT thresholds vary country to country. A threshold was already rejected when it was originally proposed, so it won’t go through this time. So why not link EUVAT to company behaviour, so that only companies acting against the European Digital Single Market get hit? Small firms sell online by Paypal button or similar low cost one-click option. They offer the same thing to all countries and rarely even know where the customer is based. Large firms like Amazon select by country, offer different or restricted services in each country, and block users from accessing their content outside that country. So why not link EU VAT directly to this? If a company geo-selects within Europe on services, they pay EUVAT rates – i.e. they have to pay VAT at the point of supply: the customer’s location since they are obviously already collecting enough data to know this. However, if a company is using a single click payment option and not changing their offering by country, all sales are counted as domestic and VAT is paid at the rate of the company’s home location. Since few (virtually no) larger firms use PayPal or single-click payment processors that aren’t linked to an account with details and customer location, this would effectively remove small businesses from EUVAT. The benefits:

• This removes small businesses from EU VAT, saving time and hassle without needing a threshold.
• It encourages larger firms to provide identical cross-border content, promoting the DSM, and penalises those that don’t.
• It makes it harder for multi-nationals to dodge VAT.
• It makes it unnecessary to have a turnover threshold.

The disadvantage is proving that the offering is identical, but that should be easily done just by visiting the website from multiple countries’ IP addresses. If prices (not including shipping) change and products vary significantly, that’s EUVAT liability. Yes, this may be borderline for larger bookshops etc. or DVD and game sellers due to the issues of licences and overseas rights. However, since it is not illegal to sell a printed book or DVD created in one region to another, just to mass-produce or mass-retail them in a third party country without rights, most should be unaffected. Larger sites that might escape it are Flattr and Patreon, but then both are a way of moving funds directly to small creators, and they don’t care where the donors or creators are based. It’s better than people being threatened with extradition of 5p, and grannies selling knitting patterns having to pay VAT.

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  EUVAT - a last thought - http://rablogs.co.uk/tirial/2015/09/03/euvat-a-last-thought/ was published on September 3, 2015 at 8:53 am.

Disabling contactless cards - paranoia or reason?

My bank sent me one of these cards, which in my opinion is about as safe as walking around with an infinite number of £20’s in your pocket to be taken by everyone walking past. So I thought I’d look into the security.

The flaw is fairly simple: they say the cards can only be read close up. However if you get a more sensitive receiver or jack up power of a transmitter, this increases the range. The TJX hack occurred from outside the shop. The card terminals were thought safe because the base unit could only pick them up within three feet or so. The hackers used a parabolic microphone hooked to a laptop that could listen in from much further away. (http://www.wsj.com/articles/SB117824446226991797)

Likewise there was an entire symposium on the ways to hack bluetooth pacemakers, which were suppose to be safe due to short range. (Read Here: http://science.slashdot.org/story/08/03/12/1232206/hacking-a-pacemaker)

Range, as has been shown repeatedly, is not a protection:
Backpack picks up all cards within 45cm: http://www.bbc.co.uk/news/technology-24743920
M&S debits cards far further away: http://www.bbc.co.uk/news/business-22545804
Fact: Detection and reporting rates for fraud are low. £2.1 Billion is estimated as undetected (http://www.almr.org.uk/undetected-fraud-growing-burden-business/).

So here’s a security test case:

• Fraudster walks round Bank station during the rush hour.
• 42,000 people use Bank in one hour of the rush-hour, and 96,000 passenger journeys are made during peak. (Figures here: https://consultations.tfl.gov.uk/tube/bank/supporting_documents/Bank%20SCU%20Common%20QandA%20Part%201.pdf) Assume half (an understatement) have Contactless cards, and our fraudster does this once.
• They have their paper.
• In their pocket is a mobile phone with a card-reader app.
• The microphone has a range of twenty feet.

Case a) Direct fraud.
They have set up a card account under false details: Mike’s News and Coffee.
Each card that comes into range is debited for between 1.49 and 3.99: the price of newspaper, coffee, or snack.
How much will they make, and how many of these people will notice it on their statement?

21,000 cards x (2.74 – 1.25 (average card charges)) = £31,290 for 1 hour’s work.
Note that the bank makes £26,560 from transaction charges. They are unlikely to believe that a coffee is a fraud even if it is reported.

Case b) A TJX clone.

They simply copy the data down and walk away.
Then they can clone the cards and use to buy gift cards. They then use the gift cards to launder their takings.
How many cards will they get data from, and how much can they make before the fraud is noticed?

Now the loss to TJX itself was around £10.9 per card (http://www.zdnet.com/article/the-tjx-data-breach-why-loss-estimates-are-overblown/). Assume the same rate, and you get £228,900.

The loss to cardholders and retailers was greater. The data was passed to an $8 Million crime ring (http://www.computerworld.com/article/2544011/security0/stolen-tjx-data-used-in-florida-crime-spree.html), this one of $75 Million (http://www.informationweek.com/secret-service-busts-four-fraudsters-with-ties-to-tj-maxx-attack/d/d-id/1057036?) and worldwide. One user found a £45,000 bill, which was thankfully reversed. (http://www.wsj.com/articles/SB117824446226991797) The total loss to card holders is unknown, due to the amount of undetected fraud.

So no, I don’t think contactless cards are safe, as they make this sort of thing far too easy. A card is now vulnerable just because it exists, not only when it is used.

I wasn’t particularly happy to find out my bank no longer issue non-contactless, nor that my bank telling me last year that contactless must be enabled turned out to be rubbish. I found that out when it was debited from six feet away, making me really not happy.

I should tell you my personal experiences with my first tests.
1) Contactless cards could be read by a supermarket reader from six feet (tested in Waitrose as their card readers are easier for customers to move).
2) Contactless cards could be read by London transport readers. I have a travel pass not an oyster, and yet a contactless card in my pocket got billed for walking past the reader.
And the range one is definitely over 4 to 5 cm.
I ended up talking to a drone (most customer service staff are good: he wasn’t.) who kept telling me these things were safe and I was technophobic, and yet didn’t know any of the IT security cases I brought up.

So I’ve paid off the card. Before I close the account, I intend to do some experimentation on how easy it is to disable it.

So to conclude, in my opinion, not wanting to walk around wirelessly broadcasting your card details is not paranoid.

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Disabling contactless cards - paranoia or reason? - http://rablogs.co.uk/tirial/2015/08/27/disabling-contactless-cards-paranoia-or-reason/ was published on August 27, 2015 at 11:00 am.

Shoreham

For the first time in a few years I didn’t go to the Shoreham Airshow. Work and life got in the way. This afternoon, on the way back from a meeting, I saw the news.

Hawker Hunter WV372, run by Canfield Hunter, failed to pull out of a loop and crashed into the A27. At least seven people were killed on the ground, and fourteen injured. The pilot, Andy Hill, was rescued from the burning wreck and life-flighted to hospital where he remains in critical condition.

Shoreham police have put out a request for all video or photos of the event. If you have any, please send it to: shoreham.aircrash2015@sussex.pnn.police.uk

My thoughts can only be with the casualties, and hopes and prayers that there are not more. The people I know in the area have checked in. Others won’t have been so lucky.

It is the first time since 1952 that spectators on the ground have been killed at an airshow in Britain. Proportionately more spectators have died in soccer matches than at airshows. (The second deadliest sport for spectators is racing driving).

I will not link to video of the crash. There’s enough of that on any news channel. The Sea Vixen flew one unrecorded fly-by in tribute. The video I will link is the Avro Vulcan, in its last display season, performing one slow fly past to a minute’s silence for the fallen.

"I know you will understand why we do this but I would like you to please pause a moment while the Vulcan flies through." Mr Terence Henderson, Shoreham announcer.

Shoreham Herald, Vulcan Flypast Tribute

In the meanwhile all there is to offer are prayers for all those involved, and a fervent, probably futile, hope that there are no more casualties to find and the death toll grows no higher.

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Shoreham - http://rablogs.co.uk/tirial/2015/08/23/shoreham/ was published on August 23, 2015 at 1:51 am.

Ant-man? Is actually really good...

I haven’t posted for a while, but I have seen the Ant-man movie.

It’s great. Go see it. Get it on Blu-ray/DVD – you’ll want to freeze-frame the Easter eggs.

This is the first film in twenty years I’m going to see twice at the cinema. The one before that was Terminator 2.

Raving aside, seriously, aside from a slightly weak villain, it’s really good. It benefits from being a heist movie not a superhero movie, it has an excellent script and supporting cast, and best of all it is fun. A few squeamish moments don’t detract from the tone, it doesn’t take itself entirely seriously even though it is played straight, and it has a great ending.

A few tropes are heavily subverted, particularly the ones about women in superhero films. The Wasp’s cameo made me cheer, just because so often women with children suddenly become useless with everything in movies and she was still an obviously-capable superhero. Hope van Dyne (Yes, I know it’s Hope Pym) was intelligent, made only one slip I saw in the whole film and it’s made a plot point, and even though she isn’t in the suit she’s still vital to the heist (and possibly in more danger because she’s not in the suit). The mid-credits was great.

Slight spoiler: The supporting cast aren’t bumbling and useless, everything ties together from early shots to Chekov’s Guns you won’t see without a freeze-frame but still remember when they fire, and frankly it has one of the best depictions of a blended family seen on screen. There’s a nice touch at the beginning which establishes Scott Laing as not the best judge of character when he is whining about his ex’s new husband. If you take a step back from following the hero, its pretty obvious he’s extremely biased by his views of the guy. Overcoming this is one of the major arcs, and works so well.

If you can catch it on it’s last week do. If not, get the DVD.

Dear Marvel,
Can we have another film like this? Please?
Regards,
Tirial

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Ant-man? Is actually really good... - http://rablogs.co.uk/tirial/2015/08/11/ant-man-is-actually-really-good/ was published on August 11, 2015 at 5:14 pm.

EUVAT - Amazon's coping method.

I was going to post my reason for being furious with VATMOSS today, but I saw this in the paper in the supermarket and thought it needed to be said.

In a case study for a client in February I pointed out that there was one very simple reason VAT would hit smaller businesses disproportionately. That was because multi-nationals could afford to set up subsidiaries in each country and route VAT through them, so only need to deal with one VAT rate per office and removing the requirements to store customer details. Small businesses rely on the same website supplying every country, so need to split the sales down by country, record and store customer details etc. which creates a huge admin overhead.

And what is in the Mail today?
Amazon sets up UK subsidiary to handle UK sales
The Mail have given it a nice spin of “they’ re finally paying tax”, without mentioning the laws that would have forced them to pay the VAT anyway. Note, this neatly takes Amazon UK out of VATMOSS.

Now if a company the size of Amazon would rather set up a new subsidiary than handle VATMOSS admin requirements, what chance do small businesses have?

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  EUVAT - Amazon's coping method. - http://rablogs.co.uk/tirial/2015/05/23/euvat-amazons-coping-method/ was published on May 23, 2015 at 10:50 am.

A few thoughts on EUVAT - a right VAT Mess

So today I am writing about #EUVAT, a daft and damaging law written by a government so disconnected from its electorate that it didn’t remember small businesses exist. I’m not kidding, they’ve admitted it. (“Only 7% of businesses sell overseas” – Actually its 96%, ‘cos they forgot Paypal).

For anyone not familiar – most of the UK, as HMRC hasn’t exactly been telling people – from 1st Jan 2015 if you sell something online – an ebook, an app, an MP3, the seller has to work out and pay VAT to the government of the country where the buyer is located. For ebooks, this is 81-odd VAT rates, for 28 countries. You also have to capture two pieces of ID, which match, to confirm the country and hold them for ten years. Small businesses can’t do this, heck, even Paypal can’t do this…
 
The EU have said they will look at it again in 2016, when they will also make it cove r physical goods. 200 firms have closed so far, others are geoblocking EU customers, and some have had to switch to third parties who take a massive cut of earnings. One author quotes losing 80% of earnings to tax and fees. Many US SMEs will no longer sell to the UK. There’s a full breakdown of the damage here: 2015 EU Digital VAT (PDF)

So rather than detailing what you can do, which has been covered in detail by EUVATACTION, I thought I’d write about easy ways the EU could fix this legislation:

1) Add a Rider
Where the company or artist cannot locate the purchaser VAT on a purchase is paid as if purchased in the country of origin.
– Amazon and companies holding user accounts cannot say they don’t know the purchaser.
– Small businesses using Paypal definitely don’t.
Shipping addresses don’t count for location as the person it is shipped to may not be the purchaser. If a large company deliberately stops holding user data to avoid this, that’s tax avoidance and can be fined.

2) Add a Threshold
Microbusinesses by the EU classification pay VAT as if all sales are in country of origin
– Easily catches Amazon, Google and the large players
– As the minimum turnover is 2M euros, any firm of this size has the resources to implement a fix (est. cost £5,000/7,500 euros)
This is euva taction’s prefered option.

3) Refund Collection Costs
Allow companies to recover the cost of collecting VAT from the tax departments in question
e.g. if a person owes 1.67 euros to Spain and it costs them £180 to work out, £50 in lost business for calculation time*, and £40 in international transfers, The Spanish government owes them £270 – 1.67 euros. Cost of collection to be remitted first, so that the transfer fees can be paid.
Alternatively let it accrue, and when the debt owed reachs £500 (yes, the joy of working out currency conversion also falls on the tax dept) the government pays out. Turns EUVAT into a tax on large businesses and a subsidy for smaller ones worldwide.

* Set a base rate of minimum wage for collection time, and then allow the business to use its chargeable hourly rate if that is higher.

4) Centralise Accountability
Turn VATMOSS into a pool companies pay into at a flat rate, which then distributes payment Europe-wide.
Each VATMOSS receives payment at a flat average VAT rate (say 20%). It is then up to the VATMOSS group to work out percentages of how much was purchased from each EU country and remit a percentage of the pool to each.

Note: They don’t get to ask for purchase data, or go back to companies who have paid the flat rate and ask for more. After all, companies can’t go back to consumers to ask for more, and giving out client data like that breaches PCI DSS. The company’s obligation to digital tax ends with paying the Europe-wide MOSS rate. From there on, liuability rests with the MOSS teams, and they are the ones taken to court if it goes wrong. After all, these are people trained and paid specifcally to deal with tax. (They can use web traffic levels, etc.)

Alright, option 3 and 4 could be termed making EU VAT a nightmare for the tax departments. I view it more as shi fting the burden back where it belongs, onto the people who created the problem in the first place and civil servants who are paid specifically to deal with tax. Small businesses don’t have tax specialists or finance departments, so why does this law assume they do?

On a closing note, there are things you can do:
Lobby your MP and MEP for a country-wide exemption until the legislation is fixed. In the US, lobby your senator: no taxation without representation.
Approach industry and consumer bodies to see if they will take action
Tweet, twitter and get the word out. #EUVAT and #VATMESS are in use. I’ve put some banners on this page if you want to add one to your site.

Finally visit EuVatAction or join their facebook page for updates

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  A few thoughts on EUVAT - a right VAT Mess - http://rablogs.co.uk/tirial/2015/05/21/a-few-thoughts-on-euvat-a-right-vat-mess/ was published on May 21, 2015 at 7:52 am.

London Riots (Again? Really?)

So, just at the start of Thatcher’s government there are riots at the start of Cameron’s. It is disappointing – no matter whether you like the election result or not (I don’t) the right-wingers sucked it up under Blair for 13 years without this kind of rubbish.  The left-wing need to do the same.  

Can’t help thinking that this:
Charlotte Church plans makeover of £1M home

is linked to this:
Charlotte Church “Mad as hell” as she joins Cardiff protest following Conservative majority

Or perhaps not. After all it’s not as if z-list, sorry former b-list celebrities ever mouth off about politics when they ne ed a higher profile or have something to sell…

I’m sure I can’t think of any recent comedian examples.

(And insulting my grandmothers and your own – “Tory Scum”? Some of those WWII women helped found the NHS for heaven’s sake!  – does nothing to make your point of view dearer.)

And as for this claim that Labour would be better? Ha!

I watched Blair and Brown slam part-time teachers and agency nurses when trying to hit IT contractors who simply went overseas (IR35). I watched them destroy the entire industry I worked in and sell my UK client relationships to big business (not to mention resurrecting a law that specifically targets female business owners by assuming their income is their husband’s – S660). Cameron& #8217;s now allowing a new law that will destroy the rest of my rebuilt business – #EUVAT, due to be rolled out to all online sales next year – which has just removed the entire US customer base I’d built to replace the UK one. I’m burned out. I just don’t care anymore.

There is absolutely no point in trying to build a small business in this country. After 13 years of Labour and 5 years of the Con/Dems I’m damned if I can tell the difference.

Bitter? Oh hell yeah. But I’m not destroying people’s workplaces and homes, or insulting dead women.

I’m just not sure I can pick myself up and try to rebuild a company for the third time in fifteen years either.

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  London Riots (Again? Really?) - http://rablogs.co.uk/tirial/2015/05/09/london-riots-again-really/ was published on May 9, 2015 at 8:04 pm.

Voting and Elections

I was going to post about EUVAT and the mess that’s about to cost 750,000 British jobs due to a leftover of Brown’s government that Cameron’s done little about, or possibly a vaguely comical post on the local election campaign. Then I saw this video by Helen Pankhurst.

http://t.co/htpeluSBO8

This annoys me. This bloody well annoys me.

1. The suffragettes and suffragists fought for the right for women to vote, not to make voting compulsory, just as women in the 70’s fought for the right to choose a career, not to make work compulsory.
2. My gender does not give you the right to demand what I do, even if you are another woman.
3. This argument could as well be made for every group that now has the vote:
   1. Every man who owns property worth £10 or more should thank Lord Grey and the Whig government of 1832 for going against Arthur Wellesley Duke of Wellington to secure middle class sufferage.
   2. Male lodgers should thank the Chartist Movement and the reform act of 1868. The Chartists were arrested, opposed (the word "crushed" was used) by the authorities, and spent 30 years fighting for the right to vote.
   3. All other men should be grateful for the 1880’s acts.

It is worth remembering that the right to vote was fought for not just by women, but by the ancestors of every voter in the country at some point or another. Electoral reform was not a peaceful process, with riots, uprisings and more in a process that went from wealthy landowners only in the 1820's to universal sufferage in the 1920s. The suffragettes were force-fed in the 1900's. The Chartists, fifty years earlier, were tried for treason and transported.

The right to vote was won by the people and then protected by those who fought the second world war, those who stood on the front lines through the cold war and those be hind them who guarded that right from attacks at home.

Thanks to them, the long chain of campaign and sacrifice, you have the right to vote in Britain. You also have the right to choose not to, which is just as important.

I intend to vote. You don't have to.

My reasoning basically goes that it’s the only time for four years you get to have a direct say in government, so vote if you can find someone to support. If you want to protest, spoil your ballet paper, vote for a minority candidate, or tear up the sheet, but consider at least taking the time to stand in the ballot box. Because if you aren’t there, the people in charge just think you’re happy with the status quo.

But whether you decide to vote tomorrow, or whether you decide not to, make sure it is something you decide. Because if you don’t speak up for your future, someone else will.

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Voting and Elections - http://rablogs.co.uk/tirial/2015/05/06/voting-and-elections/ was published on May 6, 2015 at 8:16 am.

Frameworks, and coding, and CSS...oh my!

Sometimes I despair of the modern coding scene. Android, and Chrome and mobile and Jquery have emerged, and it does appear to do something very strange to some programmers: specifically they don’t know how to program.

I had a slightly odd CSS query but I knew there were ways round it in 2004 when I last used CSS in anger, so I had a look around the forums and the talks to see if anything had changed.

“Oh no, you’ll have to use jQuery and customise x function” External dependency and several hundred lines of code?

“How about wordpress? Bootstrap can do it if you…” Framework, with extra holes, potential vulnerabilities, external dependancy and bloat from unneccessary functions.

“It’s not possible.”

“Generate the entire page with javascript!” No, that’s not happening. Because I’m not a moron.

“Static layer to hit before that acquire details and then…” sigh. Load my page three times?

So I went back to my old-school, rather rusty, ten-year-old CSS

Three lines.

Three lines of basic CSS in the header (OK, stylesheet)

And what’s even better, when I put them into google to see why no one covered them anymore, those three lines are covered by W3C schools.

This is entry level stuff guys, used admittedly in a non-standard and browser-compatible way, so why isn’t it used more often?

Because it needs to be coded.

And that is sad.

It’s been many years since the interview where a coder shot himself down in flames by sitting in a major finance house, failed to answer any of the coding questions and announced he didn’t need to because – holds up CD – he had all the tools he needed right here.

The interview ended right there. An unknown disc loading unknown programs into a highly secure environment and he didn’t think it would be a problem. He couldn’t even imagine how we were working if we didn’t already have these tools loaded, because no one built code from scratch…

At the time we all thought he was an outlier. Now, sadly, I suspect he is becoming the norm, and that is going to cause real problems with coding. If no one ever examines the frameworks they are building on, if they never check the foundations of their work, there could be some very nasty surprises coming up. And yes, I know I’m using wordpress for this blog. I am aware of the risks, and my serious sites either manage them, or don’t use it. However, I suspect that many of the coders above do, and they aren’t even aware that there are risks. And that worries me. Because if you aren’t even aware of the risks, how do you protect yourself?

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Frameworks, and coding, and CSS...oh my! - http://rablogs.co.uk/tirial/2015/03/16/frameworks-and-coding-and-css-oh-my/ was published on March 16, 2015 at 10:01 am.

Server Woes and silver linings (Pt ii)

(I will explain why this is in two parts further on.)

The front page of the host’s site

Then I discovered that their site could still be viewed on mobile so off I went. (The site is relichost.net – don’t know if you can still see the directory structure but why not have a try. And a laugh.)

This post is in two parts because I keep getting logged out – it seems the server sessions are now rather shorter than they should be, and shorter than they w ere, making it very difficult to write articles. This might be due to memory.

It seems, among other things,  the host have nerfed the memory on the server. WordPress takes 64MB to run out of the box with no plugins, security or extras.  I would normally run it at 96MB or 128MB. A little bird (memory check) on the server revealed that it was running at 48. That’s right, it was running wordpress on a web server with less memory available than my ten-year-old phone. What makes it really funny is that wordpress is offered as part of the package preinstalled.

Now this could be because they have a new self-managed VPS package that they want to ‘encourage’ people to upgrade to – encourage as in “if no upgrade, your site no work”. I’ve left hosters before because of that.

There’s a problem however. For what they are charging I can get a fully managed server from a reputable firm. So I did. (I didnR 17;t intend to but when I saw that rate available I reached for my credit card…)

So my PC got written off by Firefox and recovered by Microsoft system restore and Adobe giving my a free software upgrade. Now my host has damaged my site and the result is a major upgrade in servers without spending more.

Always a silver lining? Perhaps, but I think I’d prefer fewer clouds

I’m off to play with my new server now. Ta ta.

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Server Woes and silver linings (Pt ii) - http://rablogs.co.uk/tirial/2015/02/26/server-woes-and-silver-linings-pt -ii/ was published on February 26, 2015 at 10:45 am.

Can renewable energy run out?

What happens when renewable energy runs out?

Sounds daft, doesn’t it? It’s the question asked by a politico from UKIP (See the Independent- Feb 20th) that’s currently all over twitter and news sites, and forums (and annoying me because I’m getting buried by flyers from various parties at the moment and I don’t want to think about politics until April…) with people saying how daft it is. By definition renewable resources don’t run out, right?

And yet it’s not a stupid question.

Poorly phrased maybe, but it does raise a valid issue.

The issue is that there are only so many ways to obtain energy from renewable resources, there’s a limited amount available at any one time, and obt aining it can involve severe damage to the environment.

Salmon Fish Ladder
Buy This at Allposters.com

The Pitlochry Hydroelectric dam (see my lens here) is a wonderful piece of engineering. The dam provides 15MW per year. However, building it required the construction of a fish ladder to allow salmon to reach their spawning grounds and the flooding of a valley with consequent loss of animal habitats and wildlife. It is still an area of remarkable natural beauty and supports many species, but making sure that remained the case was due to a lot of planning and work by the engineers and designers, all of which takes additional funds.

Regarding limits, renewable energy is large but not infinite. If you take a tidal river as an example, there is only so much force in each 24-hour tide which we capture by obstructing that tide. This produces consequences for a river estuary, and also means that you can’t just build dams up the length of a river: each dam will remove energy, and if the tide has less energy it will not reach as far upstream, making those further upstream less efficient. The tide failing to reach as far upstream will have effects on riverside plants, habitats and even erosion patterns and the course of the river.

Tidal Power
Buy This at Allposters.com

Finally given the limits of modern technology, and the amount of energy available there is currently a finite cap on how much energy renewable resources can produce in a time period. If we want to avoid destructive use of it – windfarms in bird’s migratory paths, solar panels built with rare elements, tidal barriers affecting fish – that limit becomes a lot lower.

Wiki places the actual limit on hydroelectric power in the UK at our current “1.65 GW” plus another possible “146 to 248 MW for England and Wales, and up to 2,593 MW for Scotland“.  The same source gives total energy use as “35.8GW on average, and 57.490GW at its peak.” Comparing the figures, there’s a huge shortfall between the available energy and our energy use.

Do I have an answer? No, but I have noticed that limits and consequences are something they don’t tend to teach in schools when they cover renewable resources. It’s basic physics: Energy cannot be created or destroyed. If you remove energy from a system it will affect other parts of that system. Wind power affects air currents, tidal power slows the earth (noticeable in *ahem* million years)…everything has a consequence. Some are just less damaging than others.

Hydroelectric Turbine, 19th Century
Science Photo…Giclee Print
Buy This at Allposters.com

What do I think they should do? How about using what we already have?

• There are Victorian tidal tunnels in the Thames originally built for barges, now abandoned. The daily rise and fall is nearly twelve feet, and yet no one has put a generator in?
• Looking online there are over a hundred functional watermills available to buy right now in the UK. These have been part of the environment for years, have millponds, why aren’t they being used for generation? The Gants Mill site in Surrey generates 12kw for the national grid and is still a scenic location. (There’s more details and working examples here: Using Watermills to generate electricity) Some are also windmills, offering two options.
Solar power is a little difficult in Britain given the weather, but there are other options: geothermal springs, etc.

As you might notice, these aren’t new ideas. There have been studies in this direction for years, for example: UK Hydro-Resource England and Wales Resource Study Oct 2010 (PDF). There are funds available: Rocs and Fits among others. So the question that must be asked, is why isn’t this being implemented further?

And I’ve just realised I’ve written five hundred words driven by a question from a politician that I probably put more thought into than she did.

And I’m a little disappointed. Instead of talking about the shortfall between energy use and available resources, or the failure to develop alternate resources, this morning the same per son stated she meant renewable energy subsidies (Guardian 20th Feb 2015)…oh well. Bureaucratic concerns over hard facts and engineering? That’s about what I should have expected.


*Adblock users miss the picture of the fishladder, the nineteenth century water turbine and the tidal powerstation diagram.

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Can renewable energy run out? - http://rablogs.co.uk/tirial/2015/02/20/can-renewable-energy-run-out/ was published on February 20, 2015 at 11:18 am.

User Upgrade or vandalism?

Yesterday morning I got up, logged into my machine and booted my browser. And discovered that the interface had changed, all my stored data was lost, my profile was corrupted, and the browser was locking into a restart cycle. Not want you want at 7a.m., but I honestly thought I’d been hacked or had a hardware fail. When I restarted, I had to run checkdisc because the corruption had spread to data.  

The cause: The Mozilla Foundation. 

Computer Rage
Kevin Curtis
Buy This
at Allposters.com

I have updates turned off on Firefox, which you might be aware of after their last attempt to trash my machine update my browser (details here). Despite all browser updates being turned off, and Mozilla Maintenance Malware Service being disabled, they’d done a forcible push to upgrade me to Firefox Beta.   In the process it destroyed my stored sessions and profiles, caused conflicts with two add-ons which actually caused corruption on my harddrive, and locked my browser into a crash/restart cycle. For the first time in my entire career I had to system restore my own machine.  

This isn’t a user upgrade. This is vandalism.  

Worse, ignoring the fact that updates have been declined and sending them anyway, is hacking.

Now, Firefox says that you should allow updates for security. There’s a problem with this: 
a) I can block updates and have a browser that may be hacked and my data taken, stored somewhere out of my control and used for purposes I am not aware of.
or
b) I can allow updates and know for sure my data is being taken, stored somewhere out of my control, and used for purposes I am not aware of. 

Now under case a), I can lock the browser down to prevent extras running. The update process removes this lock-down every time it updates, opening your browser to external access and running programs you don’t want.  

Specific Examples:
I don’t have flash, and video was disabled.

• Firefox’s forcible update to Beta enabled both of these, which opens a security hole that wasn’t there.

I had ActiveX disabled.

• Not any more.

I had Java disabled.

• Yeah, gu ess…

I had very limited data going out to the web.

• Firefox now sends my data in unencrypted format over the web, saying exactly which site I was on, my add-ons etc.

I have sync turned off.

• Firefox keeps trying to turn it on, a.k.a. take stored password and user data and store it unencrypted in the cloud.

I had updates turned off.

• Firefox ignored this, pushing unwanted software onto my machine and doing significant damage. 

Fortunately I was the only one hit – my co-workers were warned, booted their machines offline, and blocked the update.

Five hours, Mozilla. Five hours to recover lost data caused by your system intrusion. I should be charging day rate.  

The most damning part is that it doesn’t matter what I switch my settings to, every time I open Firefox now, updates are turned back on and it keeps trying to get me to use sync. I’ve g iven up. I’m not switching my settings anymore. I’ve switched my browser.  

Opera does for some of it, and I’ve another couple of alternatives for specific purposes.  I know the new one I’m using is not as secure. But it has a 1% chance of sharing my data, compared to Firefox’s 100% – and it has less chance of wiping out my PC. 

Update: To my complete horror, I found out this morning that the update from Firefox destroyed my SQLite databases and systems. I found this out because it did it again when it tried to update again. This is the second system restore in two days, and sadly Firefox is no longer a browser I can have on my system even as a backup. It’s done too much damage.

Alternative browsers:
Opera – Yes, I am an opera user right now.
Chrome – not so good if you want privacy
IE – useless to XP owners now (MS, you’re losing a m arket here, charge an annual maintenance fee…).
Seamonkey – opensource Firefox from Debian
Firefox 28 – yes the old version still floats around. I can throw my own .exe of it up if people like.
Safari – normally a Mac browser, but there are versions for windows. 

There are also a few new contendors:
Whitehat Aviator – Looks nice, but give it a few months to let it get over teething problems
Midori – crashes on install because of broken dlls, so not for the non-technical who can’t fix this.

Iceweasel is a problem. It is a good linux browser, but some of the windows versions floating around come with unwanted extras, and rumour has it a trojan, so it is probably not worth taking a chance on.

But I am still bloody furious. An entire unnecessary repair job because Mozilla can’t honour update preferences.

Sick Computer
Pop Ink – CSA…
Buy This at Allposters.com

 

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  User Upgrade or vandalism? - http://rablogs.co.uk/tirial/2015/02/19/user-upgrade-or-vandalism/ was published on February 19, 2015 at 8:55 am.

Podcasting? Maybe not for me...

I’ve been working with podcasters at work so I thought I might try linking a podcast to this blog as a nice feature. Since I don’t have time to read every post out I was looking for an automatic Text to Speech solution. Podcastomatic offers this free as does iSpeech, so I thought I would try them out, starting with Podsomatic.

You can find the RSS for the Podsomatic feed here:

http://podcastomatic.com/podcast/tirialerror-blog/feed.rss

Unfortunately I couldn’t find any examples of blogs using this, so I was going in blind. Set up was very simple – give the blogs URL and it does the rest automatically. It really is that simple.  The result is an RSS feed which links to the seperate podcasts for your blog articles. You can run any of them by clicking the .mp3 link below the article.

The voice is clear but robotic and the pronounciation is close but slightly off for more unusual words. It is also di stinctly American “Lonjitood” instead of “longitude” (the UK is closer to Lon-gi-tewd).

What I could see taking some time is working out how to link the podcasts to the actual blog posts for users, and I’m not sure how long they retain each cast. Are they permanent, and if not, can you download them and add them to the blog?

I’ll try iSpeech out with a different blog shortly for comparison.

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Podcasting? Maybe not for me... - http://rablogs.co.uk/tirial/2015/02/09/podcasting-maybe-not-for-me/ was published on February 9, 2015 at 10:52 am.

Moving to Wizzley...

A few more of the classic articles have moved to Wizzley, but two in particular should hold the attention:

http://www.wizzley.com/Great-Western-Railway – The story of the Great Western
http://www.wizzley.com/Longitude – John Harrison’s watches

These were purple star lenses, Lens of the Day on Squidoo and receiving 1,000 hits a day even as the site closed down. On Hubpages they were delisted for being low quality despite similar high traffic.

I just wish it was easier to tell Google it needs to redirect…

---

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Movi ng to Wizzley... - http://rablogs.co.uk/tirial/2015/02/08/moving-to-wizzley/ was published on February 8, 2015 at 2:23 pm.

Blogging live, and 50 Wizzleys...

You might notice the blogger account getting updated more frequently. I’ve moved from my alpha system to a beta API, so while the posts may not look pretty, the content should port and the issues with broken connection should stop.

Not bad for someone dealing with their yearly bout of pneumonia.

Drawn: The Painted Tower (PC CD)

What I haven’t managed to do is complete many more Wizzley lenses, since my brain is rather fuzzy at the moment. However I have managed to port fifty across, so I now get the improved ad rate. I just need to get another 50 re-written to get my account to maximum.

In fact I have completed one lens in the last two weeks:

• http://www.wizzley.com/drawn

about the excellent Drawn video game trilogy. These are the games that got me back into PC gaming after a fifteen year break, so believe me, they are good!

(And I am sorry Wizzley, but I just can’t bring myself to call them wizzles! I think I’ll stick with lenses – it’s shorter than “single-page, multimedia-enhanced, transaction-enabled articles”.)



This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.
 Blogging live, and 50 Wizzleys... - http://rablogs.co.uk/tirial/2015/02/06/blogging-live-and-50-wizzleys/ was published on February 6, 2015 at 3:43 pm.

Kind of bittersweet

It’s far enough away from Christmas to mention this one now.

Sad: Having a very sad event in the family just before Christmas and stopping to pick up some cards for the affected.
Annoying: Being accosted by a more than usually obnoxious member of the Smile brigade: “Come on, smile, it’s Christmas. Everyone should be happy. You look like someone’s died, not like you’ve bought your Christmas cards!”
Priceless: Holding up the two condolence cards I just bought and watching his face…

Moral: Sometimes when people aren’t smiling, there’s a very good reason.

This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.
 Kind of bittersweet - http://rablogs.co.uk/tirial/2015/02/06/kind-of-bittersweet-2/ was published on February 6, 2015 at 3:23 pm.

The Quiet Carriage should be Quiet...

The Quiet Carriage should be Quiet... This is a 12 coach train. It is less than half full. There is only one quiet carriage. Why do you need to bring your small, loud, active, child into the coach where everyone else is trying to work? Continuously raising and dropping seat arms may not be specifically prohibited, but the sound can be heard through the entire carriage. Allowing your child to do this because it keeps them quiet...is absolute rubbish and makes you daft. If they are making noise then by definition they are not being quiet. It is worse when it is not their arm-rest they are raising and lowering – and I am not lifting my arm to let them play with mine. Not co-operating with your child's request does not make me a bad person. The fact the request was made and you expect me to go along with it instead of getting out of your seat at the far end of the carriage and managing your child makes you a bad parent. This shouldn't happen anywhere, but in the quiet carriage with signs up all over the walls about not disturbing other passengers? That's just rude. No, the child may not be playing music but their feet drumming on the back of the seat in front of them is probably louder. You may be reading to them quietly, but if that reading is interrupted throughout by high volume happy squeals, it doesn't belong in the quiet coach. When the reading involves them slapping their book against the chair in front, it is likewise not quiet. If every five minutes you are shouting at Matthew (or Damien as the rest of us dubbed him) to stop that, then he's not quiet, nor are you and neither of you belong in the quiet carriage. No, leaving the pushchair outside does not make it OK to bring your noisy child into the quiet carriage – it's obviously not the pushchair that's making the noise. If your child is talking quietly and can be heard from the far end of the quiet carriage, then they aren't talking quietly. If your child is quiet – not quiet for them, not making happy squeals, not drumming feet, quiet – then bring them into the quiet carriage. If not then, please, on a long haul train, use one of the other eleven carriages. Read more. This blog has moved to http://www.rablogs.co.uk/tirial where the original articles can be found.

Skyfall - oh dear...

Skyfall - oh dear... This was dreadful. I tolerated a sniper taking an unnecessary shot when she said she was going to loose the target - the target that was fighting another agent on top of a train. Now train tracks have a pretty fixed route.   I tolerated her shooting once and only once, using ammo that did not punch through her target and hit both of them, and failing to group her shots. If there are two targets, and she's been told that killing Bond doesn't matter she should be firing several shots to hit them both. By the sniper scene on a rooftop, I gritted my teeth as the so-called groundbreaking fight cinematics  borrowed heavily from several Asian kung-fu films, Babylon 5's season four fight with Sheridan in the night club and a number of others, and Bond lost his lead because he was incompetent. Remember, bond has been told to kill his source. All previous bonds: Shoot sniper in leg, then twist gun in injury until you get the details. This one? Get into an unnecessary fist fight. By the shower scene I was praying for Timothy Dalton's Bond to stick his arm round the corner of the shower, shoot Daniel Craig in the head and pull the woman out for interrogation. Screw sex, I want intel. The scene on the island, with the guy handing him a gun? Bond is there to kill him, not to get out alive. It doesn't matter that there is one bullet. (Also Moore's Bond got the woman killed in similar situations twice, without blinking. Direct quote "You wouldn't kill me not after what we've just done." "I certainly wouldn't have killed you before".) I quit watching when Q proved too incompetant to live. You have a laptop of dubious provenance and unknown contents. Do you: a) remove the harddrive and scan the contents in on an air-gapped virtual machine? b) Turn it on on an isolated system c) Plug in an alternate OS drive and boot it to read the data without running any programs on it. d) Plug this into your network inside your firewall - what bad things could possibly happen? I don't work with government data. I have worked with credit card data, and I can tell you what happens when someone brings an unauthorised laptop into the building, far less tries to plug it in. Not only would the company's IPSec department be on them immediately, if anything untoward triggered, the speed someone was in the server room pulling power to the switches would amaze you. I'll allow the virus going through Mac filtering - if their IT guy is stupid enough to plug an unknown machine into a secure network, he's stupid enough not to be using it. My friend quit watching shortly afterwards when a certain gentleman stole a panda car. Those cars, as most people are aware due to the press fuss over it, are tracked. They've had ways of tracking them since the last century. He did not disable any of them - he simply got in and started it. And from that moment, the police knew exactly where he was.  For anyone who wants to wash out memories of Skyfall, here's the previously mentioned B5 fight scene - the bit it borrows starts at 2:40: Read more. This blog has moved to http://www.rablogs.co.uk/tirial where the original articles can be found.