09 March 2010

 

BBC fail - my correct name is not permitted

BBC Fail
BBC displays another example of the Scunthorpe problem. I am no longer allowed to use my name on the BBC site. See the screendump (click to enlarge) and also my previous experience with Microsoft on this issue in 2004.

Labels: ,


02 November 2009

 

Password and PIN problems

An article on the relative security and insecurity of websites and banks

Why is it that websites deem a 6 character all lower case password to be "very weak" when there's 306million+ possibilities. Yet a 4 digit PIN (9999 possibilities) is secure enough for banks?

The website one is almost 31,000 times more secure yet is deemed "weak". Surely a rule for websites that if the incorrect password is used a certain number of times the account is locked would be sufficient to make the weak password 31,000 times stronger than the bank's security.

We have to be practical about this. In reality, any rules around requiring a password to have upper and lower case letter and special characters such as $,% etc simply make it much more likely people will write the passwords down. Just because this makes it the person's problem rather than the website's is no excuse - the overall security of the account is the issue, including the likelyhood that the account will be broken into because the password was so complicated it, together with the dozons of other passwords from other sites, all had to be written down somewhere because it was too much to remember.

Can we please have simpler password rules for websites and some way of having one strong security mechanism which ties them all together?

Craig

Labels: , ,


10 October 2009

 

Web2.0, a definition

People ask me what Web2.0 is. This is my explanation, hope you find it useful. It's hopefully a bit more readable than the definition on wikipedia. I also follow this with some information about Web3.0.

You may have heard the term Web2.0, a term first used in 2004. If you ask an expert what it means you'll probably get differing answers depending on who you ask because there is no real clear definition of it. So this is my one.

There are two main feature of Web2.0 which distinguish it from sites that aren't Web2.0.

  1. Web2.0 is about people creating their own content for publishing online

  2. it is also about the supporting technology for this content


It is easier to explain Web2.0 if you set it in context of what there was previously.

In the early days of the web, despite it originally being conceived as a document sharing and editing environment, the editing part rarely happened. Early sites were generally about a company, organisation or individual producing content, publishing it on their website and then people reading that content or transacting with it, e.g. reading the news on-line or buying a book.

However, following the emergence of blogs it became easier for larger number of people to author their own content and have others comment on it, just as you can do here. Similarly, Amazon allowed others to post their own reviews. This activity, together with the very long standing Internet tradition of news groups, forums, bulletin boards and so on going back to the 1970's - all these came together to form the early implementation what we now call Web2.0.

When you consider that most people think of Web2.0 as twitter, facebook and other similar sites they think of it as a social platform which allows them to publish their own content easily and share it with their friends. However, this facility has been around on-line for almost 30 years. In 1979 with the invention of usenet groups it was possible to easily share content online and from my own personal experience I used to run a mailing list called Gaelic-L that was founded in 1989 and allowed people with similar interests to share content with their online connections even way back then. In 1990 I also proposed an early browser with user generated content and personalised news, based on the fact that many people were by that time doing much of that anyway.

Web2.0 is therefore more than just being able to publish content and share it with your friends, this has been possible for decades, it's about the types of technology that make it happen as well and how these combine together. In the early days if I wrote an article in a newsgroup, people might reply to it. With Web2.0 you can not only reply to it but you might be able to vote on it and even edit the original, this is how wikipedia works - people collaborate together using a wiki as a tool for sharing information. The articles in a wiki are often authored by several people rather than just one. Similarly it wasn't just that blogs made it easy for people to write their own content, the platforms they used to write their blogs held and published the content in a structured way and this allowed the content to be easily reused in other contexts using a technology called RSS (Really Simple Syndication). What this means is that you didn't have to go to the blog to read the post, you could pick up the notifications of new posts via an RSS reader or another website entirely. Sites can also publish a programming interface called an API which can support the same functionality as RSS and more besides. RSS feeds are particularly useful at following new content - e.g. new news article, new blog posts or more specialised searches such as new jobs matching your requirements on a job board. API calls are better for more generalised searches e.g. "how many twitter users are based in Edinburgh" or "Who posted the first tweet about Michael Jackson's death" or "give me the data to plot a graph of the number of times President Obama's Nobel prize was mentioned in the hours after the announcement was made", etc.

As an example of RSS in action, my posts here automatically feed out to twitter and friendfeed. My friendfeed is then published on my facebook pages. This sharing of data across many sites and applications and interpreting the content in different ways is one of the key distinguishing features of web2.0 over web1.0. This is quite a long post, too long for the 140 character limit for twitter, but the connection between my blog and twitter takes care of that. Similarly when I post something new to the photo sharing platform Flickr, it also appears via a link on Twitter even though twitter doesn't directly support photos - the sites all interact with the same content but in different ways.

Taking this example of data sharing further you can combine (mash) information from different sites to produce something new, this is called a mashup. An example might be pulling in data from Google maps, geotagged photos from Flickr, public rights of way information from the government or council and accommodation information and reviews from a hotel booking site. Combining this information together using the publicly available data would allow you to show walks overlaid on a map together with examples of the views you could expect to see along the way and recommended places to stay en-route.

So Web2.0 is about people creating content (blogs, photos, statuses) together with the supporting technology (facebook, wikis, twitter) allowing this content to be shared, connected and reused in many different ways. It isn't really about endless "beta", rounded graphics, pastel shades and large fonts although these are incidental elements of the Web2.0 scene.

Just as there's no single definition of Web2.0, there is even less clarity about what might come next for Web3.0. The leading consensus is this will be about the semantic web. This represents a bigger challenge than web2.0 because it is about taking the largely unstructured and often ambiguous content on the web and tagging it in ways that allow it to be more clearly defined and reused. For instance if I type London Bridge into Google, there is no way at present to distinguish if I meant the actual bridge itself, the railway station with the same name, the underground station with the same name, the hospital with the same name or the bridge that got shipped to Arizona. Another example is differentiating text with a particular meaning from the same text that occurs by coincidence - e.g. a Digital Will is a type of Will (a legal document for when someone dies) that covers digital assets such as your emails, photos, MP3s, on-line contacts, etc. However, if you search for this term in Google you get some references to both the legal document but also the same phrase occurring in entirely different contexts such as "Digital will overtake print" and "Western Digital will move to Irvine". The semantic web will not only help to classify how words are used from a linguistic point of view but it will also allow content to be queried as data - for instance on a restaurant website you could mark-up your opening hours and this would allow people to search using a semantic search engine for restaurants open at a particular time of day. The biggest challenges faced by Web3.0 are in agreeing the common vocabularies and then deploying them effectively across the billions of web pages that already exist.

As you can see, although Google is quite good at being able to find pages containing certain terms it is currently very poor at making sense of the data in a structured way. This is because without the data being marked up in a semantic way (either through the use of markup directly or by attempting to deduce the context), it is an exceptionally difficult task for a search engine to provide this functionality. Web3.0 will make this job a lot easier but the means by which Web3.0 will emerge is still unclear. What we do know though it that it should make searching for information a lot more powerful and specific. Google is also exceptionally poor at searching sites that already have structure - for instance if I wanted to find a hotel room for tonight I would use an accommodation search engine and Google would find me the site which listed the accommodation rather than the accommodation itself. Google can't tell me what rooms are available tonight but it can point me towards sites that are likely to have this information. This will all change with Web3.0 and the use of intermediary sites will significantly decline as the information they hold begins to open up to more generalised search engines.

I hope this has been helpful. If anyone is looking for a Web2.0 or Web3.0 specialist, please get in touch via craig@siliconglen.com, twitter, facebook or linkedin.

Craig
I do Internet things, manage large websites, play around with language, campaign for good causes, try to explain things and have fun singing along the way (not all at the same time!).

Labels: , , , ,


23 April 2009

 

Cheap printer cartridge replacements

I'm switching to MoreInks for my replacement printer cartridges as they are by far the cheapest I have found so far, and importantly the replacements they sell include the necessary chip in the compatible cartridges so you don't need to mess around for ages trying to pry the chip off the standard cartridge and onto the clone.

£3.99 for a replacement black cartridge (with chip) for a Canon printer, can't complain at that price, or a whole set of 4 chipped cartridges for £12.99

many thanks!

Craig

Labels:


11 December 2008

 

Web accessibility guidelines updated - WCAG 2.0 comes into force

The de facto standard for web accessibility was updated for the first time since 1999 today. Version two of the Web Content Accessibility Guidelines, or WCAG 2.0, has been published following several years of development and debate.

One wonders when all the website owners who didn't think WCAG 1.0 applied to them or pretended the Disability Discrimination Act 1995 (affected websites from 1999) didn't apply to them either might start paying attention.

Craig

Labels: ,


27 November 2008

 

Microsoft project rubbish


I attach a dump from the hated Microsoft Project.


This is the start of a plan, i.e. the top line is task #1. Why does project insist on taking tasks which are a round number of days or zero for a milestone and then rolling them up into fractional days? For the two rolled up tasks in the image, one is a whole number of days and the other isn't. Why is this?! All the tasks are using the same standard calendar.



thanks

Craig

Labels: ,


29 July 2008

 

Problem with Iprofile: Contact details to log faults

I use Iprofile which is the online CV designed to make life easier for recruiters.

However, the system is extremely buggy, insecure and worse that that it's next to impossible to contact iprofile as they seem to ignore support requests sent through their webform and like so many user-hostile websites fail to publish a support phone number. Non existent customer service? Time for them to "read my blog"!

If you are experiencing similar difficulties with iProfile and want their customer service phone number it is available on the parent group website and just in case you missed it, here it is: 020 7025 0555 (I will also post the variant 02070250555) just to ensure it is picked up by search engines.

I was thinking of launching a startup website where people could log faults and see what faults had been logged, a bit like bugzilla but just as you can search for bugs in bugzilla by project, my idea would be that you could search and log bugs on other people's websites irrespective of whether they used bugzilla or not. Users could then vote on the bugs they wanted fixed first and if the company had any sense, they would look at the lists and do something about it. Here is this morning's batch of iprofile issues:

iprofile.org, bug 1. When I apply for a job, the acknowledgement I get back has someone else's email address in the candidate username link. This is a security risk as it exposes someone else's details (they work at barclaycard). I told you about this bug in May, you eventually responded in May saying the only way to fix it was the rather poor cop out of rebuilding my profile. I reluctantly agreed, however the bug is still present. Why?

iprofile.org, bug 2. My available from date has to be today or a date in the future. I have set it to today's date and I do this whenever I go into iprofile. However, several hours later I find it reset to a date 6 weeks ago in June which means I have to go in and manually change it again. Please fix this bug as it presents misleading information to prospective employers. I see you have also fixed the related bug which changes my jobseeker status from "actively looking" to "not actively looking", however other related problems persist.

I am aware of similar sites such as suggestion box but what I'm after here is more along the lines of a cross between that and utest.

Irrespective of your issues with iprofile, you might like to vote for this idea on reddit, maybe it will get some investors my way and we can start to use crowdsourcing to shame buggy websites into fixing their problems - satisfied users might actually help such sites to make more money?

Craig

Labels: ,


23 July 2008

 

Sorting out UK Government data privacy

Please view this idea I posted on the Better Regulation website to attempt to sort out the conflicts in UK privacy laws. Comments welcome. Following my posting here, this letter was published in this week's computing magazine.

Craig

Labels: , ,


17 July 2008

 

Using twitter as a free trade platform

Buy and sell anything online using Twitter for free.

I thought this was worth a try. Twitter has taken off because it is short, simple, easy to use and readily accessible from a number of different platforms. It's so easy to post a short tweet when that's all you want to say rather than a long blog article. It's more immediate and like SMS is particularly useful when you have a short message or series of short messages to put out quickly. Microblogging is taking off, even the Prime Minister uses it. Having received a twitter message from a government minister earlier today, it seems to be an effective way to reach people.

However, rather than considering Twitter as the SMS equivalent of blogging, what about using the Twitter API via sites such as tweetscan to scan the entire twittersphere for anything of interest? Twitter needn't just replace blogging - the free posting to a large audience via Tweetscan and others could rival other free advertising platforms such as Craigslist (ugh) and Gumtree (also ugh), both owned in part by Ebay. It needn't stop there - if enough people set up twitter wanted feeds you could list for free on Twitter rather than paying to list on Ebay.

Paying for such a service is a problem with no feedback mechanism but it's no worse than currently exists with Craigslist and Gumtree.

However, let me suggest a format. This is based loosely on the XML content I receive in RSS feeds for jobs etc and seems to work well enough for that.

You have 140 characters. I suggest the "tweet trade format" as follows (illustrated by examples)

<WANT|BUY|SELL|LIST>:<ITEM NAME> :<PRICE> <Tiny:ITEM URL> <CITY/LOCALITY/COUNTRY> <EXPIRY>



Supposing you have a mobile phone for sale in Mt View California. The listing would look like this:
SELL: Nokia E61 (Used) :$50 http://tinyurl.com/siliconglen Mountain View/CA/US 2008-07-20

Maybe you want to buy a house?
BUY: House 4 bed :$500000 http://www.example.com/moredetailshere Sunnyvale/CA/US 2008-08-31
The price here being the maximum

Supposing you have a job listing, this is a service listing so comes under the LIST category. Contract Project Manager in London, UK for £500 per day.

e.g. LIST: Contract Project Manager Agile PRINCE2 :£500pd http://tinyurl.com/siliconglen London/UK 2008-07-20

The "where" would end with the 2 letter ISO country code (ISO3166). If the item is relevant to a global audience then WW could be used (world-wide) as in WWW (world-wide web).

e.g. WANT: Domain for Web2.0 startup :$10000 http://www.example.com/contactme 2008-08-21
The price here being the maximum price willing to be paid.

Dates would be in international ISO8601 format. That way Americans and Europeans will have the same format and we don't get confused over 04/07/2008 being the 4th of July or the 7th of April.

The URL could of course point to a page on your own site, your blog, a listing on Ebay, a listing on Craigslist or Gumtree or for an item wanted, you could give more detail about what is you want by linking to a similar item on Ebay, Amazon, whatever. It could also link to an openID page for people to contact you, mine is https://getopenid.com/siliconglen

If you think this is a great idea, drop me an email - I'm compiling a mailing list of interested parties who think being able to list products and services on the internet and sell them /effectively/ for as much as it costs to list a webpage in Google (ie nothing) is the way to go and I'm keen to build up a userbase to convince prospective investors that this will take off. It has a long way to go past twitter listings, this is just an early toe in the water.

If anyone wants to build a tool to build up the listing in the standard format via a webform, then drop me a line.

Then with these listings, you can search for them simply using http://www.tweetscan.com or use Tweetscan to sign up for email alerts when something matches what you are looking for (just like eBay favourite search notifications). You can also use tweetscan to search up a search and associated RSS feed for it.

I can see this format evolving over time, but that seems enough for a starter. Comments welcome.

Labels: , ,


 

Company directors at high risk of ID theft due to government data loss

Letter to Computing:

Following the recent string of data losses by HM Government, no-one seems to have taken on board the institutionalised data leaks which HM Government practices as part of its statutory liability and the implication for openly publishing tens of thousands of names, addresses and dates of birth free of charge on the Internet for any ID thief to easily pick up on and make use of.

If this was the general public there would be a national scandal, as there was with the HMRC data loss. If the general public had their names, addresses and dates of birth openly accessible online with no restrictions on who could access them, no payment required and no traceability on who had downloaded them then heads would roll.

Yet this is the exact practice which goes on at Companies House if you are a company director, something that increasing numbers of people are doing to find work as contractors in a shrinking employment market. Whilst it may be a statutory duty to gather such information and whilst it may be perfectly valid to have such information to validate people's IDs in the same way the same information is used to apply for credit cards, I can see no compelling reason why the entire database needs to be dumped uncontrolled for anyone on the web to access unrestricted. We need to move to a model where such private and confidential data is treated the same way irrespective of whether it is a private individual's data on the HMRC computer or a Company Director's data at Company's House - it's the same data after all. The forthcoming changes in the Companies Act only allow the address to be withheld, so even after these changes the director's full name and date of birth will be public and can still easily be tied up with historic electoral registers before the edited versions were introduced. Simply publishing the age is also not enough since the data of birth can be deduced by querying the site once per day for a year, a task easily automated.

You reported on 3rd July, front page, that one person had accessed the name, address and phone number of another businesses' details on-line at the PAYE site. The scale of openly publishing the private details of the directors of 2 million limited companies in the UK is surely much more significant.

Company Directors are not immune from ID theft, yet the government does nothing to protect the ID of over 2 million company directors. Why not?

Labels: , , ,


02 July 2008

 

End of the website login

The future looks bright for those who struggle to remember their password as they log in to a particular website thanks to a rare tie-up between Microsoft and Google.

On Friday, the duo set aside their rivalry to join Oracle, Equifax and PayPal to become the founding members of the aptly-named Information Card Foundation.

With support from other A-list internet players, the non-profit group will push virtual replacements of physical ID cards, like a driving licence, towards the mainstream.

Unlike cards in their wallets, consumers would be able to amend the details on their on-screen cards though; like the offline world, would have multiple cards.

Central to this is the e-wallet, which would let users choose an icon for the card they want for a specific website, bypassing the need to type and remember any password.

As the wallet is online, consumers could select their ‘i-cards’ from anywhere in the world, with enhanced security and interoperability with major sites as standard, the ICF hopes.

“Rather than logging into web sites with usernames and passwords, Information Cards let people ‘click-in’ using a secure digital identity that carries only the specific information needed to enable a transaction,” said Charles Andres, its executive director.

Read the full article here.

Thank goodness for that, I was writing about this multiple login username nonsense back in 2003. Why does it take the IT industry so long to solve these problems?

Craig

Labels: ,


26 June 2008

 

Internet top level domain for Scotland

Following the news today that Internet overhaul wins approval, perhaps now is the time to move ahead with a campaign for a top level domain for Scotland.

Labels: ,


08 June 2008

 

Government CIO demands Green best practice

Government CIO, John Suffolk, demands Green best practice for IT.

That being the case, why is it that all the government jobs I go for, not one has suggested that the interview is held via webcam (which I could do from my house) or even via hi-def video link (which you think I ought to be able to do from a government office in Edinburgh for an interview in London.

Come to think of it, why have none of the dot.com companies I've interviewed for suggested this either? OK to be a trendy dot com Web2.0 company using people on the Internet from all over the world to make your company a success, but still stuck in the mindset that employees all need to be in the same room?

Is it acceptable to have a day trip in a plane to physically attend an interview when the technology is adequate to see what I look like?

Besides the environmental impact, it would save me approx £200 in costs. I'm sure if the government were paying these costs for a permanent position, the tax payer would save in terms of reduced government costs and the environment would also benefit.

So why does noone seem to want to offer video interviews? Surely this is an easy first step to Green IT as the technology has already been around for years.

Craig

Labels: , ,


27 April 2008

 

The three rules of test driven development

A useful first step in proving the functionality of software, websites etc. Now all we need is a link up to ensure that the unit tests ensure what is being tested is actually what the end-user (as opposed to the customer) actually wants to use.

Craig

Labels:


25 April 2008

 

Scottish IT consultation with Enterprise minister

At an industry consultation earlier this week, ScotlandIS Members, including myself, met with the Enterprise Minister, Jim Mather. Issues raised included the increasing difficulty in accessing public sector contracts, the contribution the industry can make in helping to grow the economy, and the skills challenges the industry faces.

For more details including the White Paper prepared for the Industry Consultation see the page on the ScotlandIS site.

Craig

Labels: , ,


28 January 2008

 

PRINCE2 + AGILE = Common sense?

I put "used an Agile/PRINCE2 development strategy" on my CV. It's been quite the conversation starter at interviews. So I thought it would be of interest to blog about it here and gauge the reaction/feedback.

First off PRINCE2 is an acronym for "PRojects IN Controlled Environments" (version 2). PRINCE2 is a generic project management method for exercising control over a project's startup through to closure (SU1 to DP5 for all you who enjoy punch card like references). It's a generic project management method that had its origins in IT but which now makes no reference to IT and could be used from anything from building a ship to planning your summer holiday. Whether you would want to use it on the latter is entirely up to you. The same flexibility of choice is not however accorded to the large number of public (and increasingly private) sector projects that use it since it is seen as the de-facto project management method and its use is frequently mandated, despite there being other methods that may be more relevant for the task in hand. There have also been a large number of complex and extensive government IT project failures recently many of which would have used PRINCE2 and which highlight that even a refined method such as PRINCE2 can run aground on large scale, long running projects that are subject to considerable change.

On paper, PRINCE2 is logical, reasonable and linear. However, as experience suggests - for example in the long series of failed UK Government IT projects where PRINCE2 is the mandated method - simply being logical, reasonable and linear, is not sufficient. It is not sufficient to make it the effective project management method business and public sector organisations really need."
From PRINCE2 problems by Business Transition Technologies


PRINCE2 is based around project control. Control is clearly a Good Thing, however being a generic method with no reference to IT, the closest IT development method would be the waterfall method, which is very well lampooned on the Waterfall2006 site. It is just these shortcomings of the waterfall method which seem to cause the biggest problems with PRINCE2 projects, especially those which due to their complexity and length of development are prone to large amounts of change. PRINCE2 also does not account for software projects comprising multiple versions and how these are handled, nor for website development and deployment which can be an almost continuous process.

Change is inevitable in projects. In response to this Agile development methods arose to deal with this change more effectively, particularly from a software engineering perspective and unlike PRINCE2, cover in detail the more day to day activities such as sprint planning, daily meeting structure etc. Agile does not have comprehensive cover for project management, however the Agile DSDM development method was developed with PRINCE in mind, as detailed in the paper using DSDM with PRINCE2 [PDF]. Thus the combination of Agile and PRINCE2 is not as contradictory as it might at first seem. One is a development method for managing change, the other is a project management method for exercising control, so the two compliment one another and should result in a management method for control in a changing environment. One can see from this white paper on integrating DSDM into a PRINCE2 environment [PDF] that at the actual delivery level the focus is much more on the agile processes rather than PRINCE2.

Alistair Cockburn (no relation) and others have produced a set of agile management methods however this has grown out of the agile community and consists of a set of principles rather than the sort of detailed how-to that would make it easy to sell to the PRINCE2 diehards.

The most complete agile project management method I have come across is DSDM Atern which is described as follows:
What is DSDM Atern?

Atern is an agile project delivery framework that delivers the right solution at the right time.

Importantly, Atern harnesses the knowledge, experience and creativity of end users. It uses an iterative lifecycle to evolve the most appropriate solution to satisfy project objectives.

Using planned, visible timeboxes with clearly-specified outcomes control is exercised throughout by the project manager and the team members themselves.

Roles are clearly defined and work is divided into timeboxes with immoveable deadlines and agreed outcomes.

Atern Agility
Atern’s agile approach avoids the cumbersome rigidity of ‘big design up-front’ without the inevitable risks of ‘no design up front’.

Since it is worth spending some early time examining the structure of the overall solution before building any components, Atern advocates that projects should do just ‘enough design up front’.

Atern flexibility
Atern can be used to complement other project management disciplines such as PRINCE2TM and PMI without duplication of effort.


So it seems to me that you could effectively use PRINCE2 for the high level governance of a project, Atern for the structure of how the project development is to be organised and prioritised and scrum for the day to day elements of effectively organising the software engineer's time and daily priorities.

This is just intended as an overview to illustrate that PRINCE2 and Agile are not necessarily contradictory and that is possible to combine elements of both successfully, particularly when it comes to the managing a stage part of PRINCE2 - Agile turns this into many small stages comprising stable components of work suitable for release. However, what remains a mystery to me is why government departments have been so reluctant in the face of the number of IT failures I have blogged about to promote an agile implementation of PRINCE2 and how it can best be delivered for complex IT projects running into billions of pounds.

This whole sense approach to software development from project governance to day to day management would seem to be the holy grail for minimising such failures. Perhaps it is time to encourage those who mandate PRINCE2 to understand this in order to minimise further wastage.

Craig

Labels: , ,


27 January 2008

 

BarCamp Scotland 2008

BarCamp Scotland is on 1-2 Feb 2008. See the barcamp2008 page for more info or view the event on upcoming.org.

Incidentally, if you are less technically inclined and fancy some music and culture instead, there is the monthly Bothan at the Scottish Storytelling centre at 8:30pm on Friday 1st Feb. £3.

Details:
Bothan meets again this Friday (1st February 2008) at 8.30pm in the Scottish Storytelling Centre, High Street, Edinburgh, when popular singer Mary Macmillan (Uist) who won the Traditional Gold Medal at the Lochaber Mod last year, along with various Bothan instrumentalists, will entertain the company. Please come along and enjoy the music, songs and crack and catch up with news from the Gaelic world. The evening’s entertainment will only cost £3 – a real bargain at today’s prices!


I expect I must be about the only person in Scotland for whom both the above represents a potential diary clash :-)

Labels: ,


03 December 2007

 

Towards a more flexible e-commerce model

Argos (a top 5 e-commerce site in the UK) reports on its website when you go to buy something:

Remember, you don't need to register to purchase on this website!


Glory be and hallelujah.

About the only site I know of that allows people to log in if they want to (potentially saving time in the long term) as well as not logging in (thereby saving time for one off purchases and especially if you have forgotten your password etc)

When I go to shop in a normal high street shop, I am not required to log in. Nor am I required in the main to have their store card and use it allowing every purchase I make to be tracked on every visit. Nor am I required to set up a username before I think about putting stuff in my basket. Nor am I required to give my date of birth before purchasing non-age related goods from them.

Yet on-line retailers indulge in this nefarious data gathering just because they can. Tesco.com requires to have a clubcard before purchasing with them (thereby allowing all your purchases to be tracked). Toysrus.com requires a date of birth when registering, even though the vast bulk of their products are non-age related and even though all they need to know is whether I am over 18 or not, see this analysis of their site in terms of the data protection act.

Argos were reviewed as Pants back in 2003 and still persist with the silly practice of requiring everyone to have a courtesy title even when many prefer not to use one. But nonetheless, credit where it's due for being courageous enough to say no to the marketing department's endless quest for customer data "we take your data because we can" and having a site that gives the customer the option of a quick purchase without having to log in as well as using their account if they have one.

A site that offers true customer choice, how long before others follow this lead?

Craig

Labels: , ,


17 November 2007

 

Bollocks security

Continuing the theme of e-mail/Internet security.

Tonight I wanted to set up a new bill payment. The bank, in response to customer paranoia about Internet security and phishing attacks now require me to carry my bank cards and their calculator like number generator that I now have to take with me on business if I want to set up a bill payment. No thanks. No, I don't want to trail a variety of calculator like devices around with me one for each account or service I might want to use. I think the encryption offered by the bank site together with the random letters and digits from a security password is secure enough.

However, aside from that, let us now look at the two options the bank presents:

1. Log onto the website, have it over a secure encrypted channel, type in a customer number securely, random digits from two separate passwords securely and use the calculator device to randomly generate a number. Pretty secure huh?

2. Alternatively, use a phone, have the conversation in clear text, have the audible key presses recordable by anyone in earshot with a microphone, no need for the card reader calculator device either. Set up bill payment successfully.

Does the analogy of having 50 billion million trillion zillion locks on your front door and only 1 on your back door apply here?

Which way do you think a burglar would want to break in?

Why do banks and other sites continue to believe that the phone is a secure means of communication?

Labels: , ,


14 July 2007

 

Have you had a rude (no reply) email recently?

I hate companies being rude to me. This includes Amazon.com, Dell and other companies that supposedly pride themselves in high quality customer service.

They are rude to me by sending me emails and then denying me the opportunity of replying via the same channel. Obviously they know I have an email address, as they are using it. Obviously they know I have access to the Internet because I can use it to collect said email. They then assume incorrectly from those two assumptions that my preferred means of response is via a secure web form. It isn't.

They write to me via email, they get a reply via email. That's the way it works.

Problem 1.

You are disabled and although some sites might be web accessible it's a slow process navigating round them. Every site is different. Your email client is laid out identically regardless of who you email, it's convenient. Companies that deny you the opportunity to use email waste your time.

Problem 2.

An increasing number of people pick up email on PDAs (Blackberry, Nokia E61 etc). Said people have no problem connecting to pick up email, a few Kb if you have a decent spam filter. Sending a quick reply is less than 1K. Fast and cheap. Bring up a web browser on a small screen and wondering where the relevant link is an then navigating drop list spaghetti to find the right option, and then eventually getting to the right form and typing in all your details whilst staying connected the whole time is extremely wasteful of time and it only takes a few such instances to use up several Mb of bandwidth which isn't much if you are on a fixed package. It's astronomically expensive if you happen to be abroad (or even close to a border as your phone can roam to the foreign network even though you are inside the border). A huge waste of time and money compared to the 1K email. There's a vast difference between broadband access from a fast PC and "dial up" speeds on a PDA in another country. Make no assumptions when dealing on the net where your customers are or how they are accessing the Internet.


Problem 3

The website isn't compatible with your PDA. I can't use Jobserve with my PDA web browser as I get a crippled version that is totally unusable (it is impossible to log in and actually apply for a job without having to write to the job link sent to me in email manually and hoping I have entered it correctly). So much for click and go. I can't access the full site as they have disabled access from PDAs.


Problem 4

The website requires you to log in. Since you access hundreds of websites that require log ins and for security reasons you have a different log in for each site, more time is wasted while you fire up the browsers, access the forgotten password feature, wait for the mail to arrive and then try again.

Problem 5

Amazon gave me this reason
The reason that Amazon.co.uk do not provide customers with email addresses to respond directly to us is to prevent spam and viruses from getting onto the Amazon system. This policy also protects the integrity of our customers' accounts, keeping their details secure.

OK, My email is secure. My system has no viruses. I assume that a company the size of Amazon can buy a decent spam filter, virus filter and can assure me that none of its employees will ever introduce a virus directly. However, since Amazon have told me that email isn't secure, why are they sending me correspondence via email? I want a web form right away. I want every company on the planet to have to use my webform to contact me. I want every company to have an annoying random graphic to decipher before they get anywhere near my mailbox, oh and they can have 10 annoying drop lists like ebay to fill in before they get anywhere near the webform. I'll even throw in a useless wizard to hinder and annoy then. Then when they have filled in their details on my secure webform I'll even give them an auto generated response that tells them to get lost if they even think of replying to it. Yeah, that'll do nicely. I'll be secure then. I wonder how bloody inconvenient the companies that send tens of thousands of email each day would find THAT. Then when they reply they might appreciate how valuable MY time is with all this secure webform bollocks nonsense.

I sent my comments to Amazon who then changed their tune somewhat and wrote:

In response to your comments on our email communications system, email is not necessarily a "risky medium". But by not having a direct email address, we can prevent time consuming spam and junk mail that is often automated and sent indiscriminately. By not having a direct address, we avoid this, and spend our time replying to relevant customer queries.


Yeah, right. Like you can't get a decent spam filter? How many billions are you worth? Here's my response if you still have problems, even with a spam filter.

1. Send me an email using a custom reply address with the issue number in it. e.g. amazon-helpdesk-abcd1234@amazon.com

2. Only accept emails to the above address from the email address used to log the particular issue (in this case, my address)

3. If you like, you can expire the above address a few weeks after the issue is closed.

That's it. Didn't take a brain the size of Jeff Bezos' to work out that one. Indeed if they did implement such a system, rather than trying in vain to navigate PDA hostile webforms at great expense, I might actually have more free time when I get back to a real PC and use that time on the Amazon site buying that Harry Potter book etc. that's coming out soon. We all want more free time and certainly I would have more if I didn't have to waste it on webforms when email should be good enough.


I have worked on a large number of help desk systems that deal with responses to emails, filter them correctly and then file them against the relevant issue provided the subject is left intact. It works. Big Rude Companies Please Pay Attention.

I realise it is somewhat ironic having to fill in a webform to reply to this blog, but this blog is a web based medium, so using the web to reply to a web based medium doesn't contradict the above.

Thank you for listening to Rant Of The Day.

Labels: , ,


23 June 2007

 

Email security. But it is more secure than the phone

I just got another one of those Very Annoying messages. One where you send an email to the very useful customer service email address for a company and they respond with a stock template

"We are unable to discuss account matters via email, please call our contact centre".

Which is of course another way of saying "we live under the mistaken impression that email is less secure than the phone, so please contact our contact centre, press loads of irritating buttons, pay a premium rate, listen to annoying hold music and adverts and generally waste your time". Especially when I can send email for free then read the response at my leisure but taking up 15 minutes of my time listening to hold music on my mobile is certainly not free.

I wrote about this in 2003 and the arguments are just as valid today.

Since getting email in 1983 and sending on average 30 emails a day (would have been less in 1983, considerably more since 1987 when I've used it on a daily basis for my job) I figure I must have sent around 260,000 mails. In that time, I can't think of a single instance where one has been maliciously intercepted en route.

Consider those odds of 260,000:1 versus the odds of calling from an open plan office or in the street and everyone hearing the login details that you have to speak down the phone or indeed hearing the gist of why you are actually phoning and then using that to commit fraud.

I accept email isn't 100% secure. However, I believe the phone to be less secure than email. So why can't we move on and accept email as a valid communication channel for secure conversations and then build the appropriate support and encryption channels around this rather than sticking our heads in the sand and resorting to plain text expensive 19th century communications technology?

Craig

Labels: ,


25 May 2007

 

Firefox useragent - changing the string manually

I appreciate there are tools to change the useragent in Firefox, however the plugin needs to be compatible with the version of Firefox you are running and if you have the latest alpha / nightly build etc the plug in might not work.

I had this situation recently where I couldn't get Firefox 2.0.0.3 to run reliably, so I downloaded Firefox 3.0 (Gran Paradiso). All was well, except I was barred from banking sites because my browser ident string wasn't on their authorised list. Silly banks, surely they know that checking the browser user agent via Javascript is more reliable?

Anyway, even if I did have a compatible user agent switcher plug in, very few of them include the latest released version of the browser in the pre-programmed list which again makes it hard to convince the banks that you are running the latest stable software.

So here are the instructions on how to set the user agent string yourself on Firefox

Goto the browser address bar:
Enter
About:config

Right mouse click to get the context menu and choose New->String from the menu.
Enter

general.useragent.override


As the preference name.

Then enter this as the value


Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3


For the average user running Windows XP, this should be fine to get past the pedantic banking sites who don't have a robust way of checking the browser version.

Labels:


24 May 2007

 

Why it's important to prepare a Digital Will

Many of us can't be bothered to prepare a real Will, with the resultant tax confusion and uncertainty that this causes especially in the event of premature death. However, we live in the first age where our digital possessions matter and important emails, contacts, music collections, online accounts, photos, domain names and online financial details may be difficult or even impossible to obtain after our death especially if they are encrypted.

Living in the age of the birth of the machine, I suggested last August to Cambrian House the idea of how to access files after the owner dies. With a strong interest in genealogy, I imagine a future where the online assets of the people of today will be of interest to the genealogists of tomorrow. My grandfather was born in the 1870s and lived to old age, yet despite living in the era of photography only 2 pictures of him remain. In this modern age where we have thousands of digital pictures, our grandchildren will surely appreciate access to these historic pictures rather than having them wiped out by bureacracy.

Consider this. A close friend dies, but like many people nowadays their contact details for their friends are electronic, many held online. The funeral is in 5 days. You have approximately 3 days to get access to their account and contact people and they need to pick up the e-mail or instant message in time to be able to make travel arrangements for the funeral. In many cases, with the complexity of bureaucracy surrounding getting access to a person's account, faxing death certificates (often sending them overseas) and dealing with ISPs and organisations many of whom might not have an "after death" procedure or policy, you probably wouldn't be able to contact these people in time. As the digital age progresses, our dependency on hard copy letters from friends, address books and so on will diminish and the problem will get worse. Encrypted and password protected data (including accessing paypal balances) is another matter entirely.

Take just one element of this puzzle - accessing the deceased person's webmail to contact people is at the whim of the webmail provider, some might not provide access at all - as was discovered last year in the case of families trying to access the accounts of Iraq war victims, If you're not successful in gaining access, within a few months it will be deleted forever. Law.com covers this story in further detail. On the other hand, trying to cancel an AOL account is difficult enough when you're alive - if someone else tries to do it on behalf of a deceased person it's only going to be much more difficult.

Another popular email provider, Gmail, doesn't publicise their terms, I looked for death in the Gmail help centre and got this:

Your search - death - did not match any answers in this Help Center.


For the level of complexity regarding access to digital data you need only look at this article which details the Gmail procedure as follows:
Google needs your full name and contact information, a verifiable email address, the full header and content of an email you have received from this person's account, a copy of the death certificate and a copy of the document that gives you power of attorney over the email account.

"If you are the parent of the Gmail account owner and she or he was under the age of 18, you must submit a copy of the birth certificate as well, and power of attorney is not required," he says. But keep in mind that after nine consecutive months of inactivity, Google is likely to delete the email account.


It is all very well for online providers to uphold user's privacy, but as detailed in this zdnet article that on death, privacy rights cease yet this is often what is cited when trying to access the deceased's data.

In summary, I would suggest these things.

1. That you list your important accounts in your Will
2. Your Will references a file where the passwords are kept. Don't put the passwords in the Will itself, they change too frequently for this to be practical. The file should be in a location that is secure, but ideally not online.
3. That collectively, online service providers agree a common procedure for dealing with the accounts of deceased people which is secure yet still allows efficient and
straightforward access to the account once a death certificate is produced and allows the account contents to be retrieved and closed under the control of the deceased person's estate in a way which is no more complex than closing their bank accounts.

Please help to promote this important campaign. One day you, or future genealogists, may need it.

Craig

Labels:


 

Free 3D first person shooter in your web browser

Visit Rasterwerks for a great, free, multiplayer, first person shooter game all running in your browser. Amazing!

Labels:


17 May 2007

 

Shut down vista via the keyboard

In a breathtaking act of complete user ignorance, the so called new user experience of Windows Vista is now significantly harder to shut down via the keyboard than good old Windows XP. Gone is the really useful Windows+U, U, Return. No, in all the extensive development and testing and usability studies it didn't seem to occur to Microsoft that people might find a keyboard shutdown in Windows Vista useful. Never mind disability access issues and people prefering not to use a mouse because of an impairment. Never mind also the logistical difficulty of trying to use a mouse when using the laptop on a train or other moving environment. In all the studies that Microsoft did and the millions of dollars spent did noone point this out?

So here's how you do it without the mouse in Vista. Windows Vista (because we know you like things complicated)

1. Press the Windows button
2. Press the left arrow key
3. Press the right arrow key (bizarrely this does not put you back to step 1!)
4. Press return

Here's a longer alternative:

1. Press Windows+D
2. Press Alt+F4
3. Press down arrow
4. Press down arrow (3 and 4 may be combined depending on your setup depending on the options in the drop list, press down arrow until Shut Down appears).
5. Press return

Why make life so difficult for the user for something they might do several times a day?

Labels:


16 May 2007

 

ID card fiasco, yet again

I have blogged in the past about the UK government's appalling record on IT systems yet that earlier article was only about a £141m system going tits up and tax payers' money getting toileted. Today we have the news that the ID system "may" be out of control and that MPs must act on runaway ID project.

What is laughable about this is the government IT systems are run via a project management system called PRINCE2, which was written by the Office of Government Commerce and generally regarded as heavy on the project management side of things is supposed to control this sort of failure. PRINCE stands for Projects in Controlled Environments. When the London School of Economics is calling to see whether the ID system is getting out of control after the costs have risen by nearly 1 BILLION pounds, can I make a few suggestions:

1. You are supposed to be running a controlled project. Where is the control?

2. When a project over runs by nearly a billion pounds, you don't need one of the foremost centres of learning in the world to ask you to see if it might be out of control. It is, deal with it.

3. I posted in June 2006 about wasting money on the ID card system and July 2006 and other IT projects in September 2006. Since these faults with the ID card system were well known nearly a year ago, why has the government apparently done nothing about it?

Labels:


 

BlogThis and the Google Toolbar

For some unknown reason Google has removed the very useful BlogThis feature from the Google toolbar. However if you want the BlogThis functionality you can get BlogThis! instead.

I'm using it to post this. Just install the extension, restart Firefox and then BlogThis is available from the right click context menu.

You'll see a few more posts using BlogThis, just to prove it works!

Craig

Labels:


This page is powered by Blogger. Isn't yours?