SPI Nov 2008 Meeting

The next Software in the Public Interest board meeting will take place at 2000 UTC (noon PST / 15:00 EST / 20:00 GMT / 21:00 CET) on Wednesday 19 November 2008 on irc.oftc.net #spi. The agenda is online, but I’ve not seen an announcement yet.

I’m surprised there’s not much on the agenda. Missing topics include supporting FACIL. What else do you think SPI should be doing?

Posted in SPI

How to Check Web Shops for Basic Security

I just had a very nice chat on the phone with a man whose first attempt at online shopping seemed to have resulted in a fraudster using his card to buy mobile phone top-ups. I don’t understand why he called us (it wasn’t one of my web shops), but I hope I did the right thing by directing him back to his credit card company’s fraud department.

While I was talking to him, I was checking the shop he had problems with. I wouldn’t have bought from it. Here’s how I checked it:-

1. Check the Page

Open the front page of the site in one browser window and then use another window to get to a page that ought to be secure (the payment/checkout page is my usual one). Look at them both. Does either of them show any logos from well-known payment (Barclays, RBS, Protx, …) or security-checking services (thawte – who else?)? That’s not entirely reliable (a logo is only an image and anyone can copy it), but it’s usually a good sign because those companies pursue people who use their marks without permission.

Look at the payment/checkout page – does the address in the address bar start “https”? If so, is the padlock in the browser status bar (usually bottom right) closed? A closed padlock means the connection is encrypted with Secure Sockets Layer (SSL) and the browser has accepted the site’s certificate; it does not yet tell you who that certificate was issued to, which is the next check.

2. Check the Certificate

Open the certificate details. In Firefox-based browsers, double-click the padlock, then click the “View Certificate” button. Then pick “Subject” in the second list box. Usually, it looks like this:-

[Screenshot: basic certificate subject as shown in the Firefox certificate viewer]

In that case, as long as the “CN” (common name) is the webserver you thought you were using and the “O” (organisation) and country code (C) make sense, there’s nothing wrong so far.

Some shops now use Extended Validation certificates and give a bit more information. Here’s one from a train company:-

[Screenshot: Extended Validation certificate subject as shown in the Firefox certificate viewer]

In addition to the CN and O, it shows Organisational Unit (OU), Location (L), State (ST) and also other address parts and company number that Firefox doesn’t display neatly. This is a bit more reassuring, but also a lot more expensive for the shop owner (around 20 times more, last I checked), so I don’t blame shops for not using them.

3. Check the Registrations

By this point, the payment processing and actual transaction are looking pretty good. Finally, I check the recipient. Find the business details on the web shop. Does it include a geographic address? If it contains a company registration number, look it up on the Companies House website.

Then I find the business details on the domain names – you can use CoolWhois to look up domain names. If any of the addresses or numbers don’t match (Website, SSL Certificate, Whois), then I call them to ask why their website says they’re based in Bristol but their domain name is registered to Bolton. If they don’t answer messages, or – worse – the domain name says “Non-trading Individual” and the address has been omitted from the public listing, I give up on them and look for another shop. There’s no point securely paying someone that you can never reach if there’s a problem.

4. Buy Stuff and Check the Statements

All being well, I then buy stuff and check my credit card statement each month before I pay it. I think any web shop owner (or webmaster – I help some people with this sort of thing) should be taking care of the basics above. Do your shops measure up?
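The certificate part of the checks above (step 2, plus matching the name in the address bar against the certificate) can be done from a shell with openssl instead of the Firefox dialog. The script below is an added example, not part of the original post. It assumes openssl is on the PATH; shop.example and the file names are placeholders for whatever shop you are checking. One thing the dialog hides: browsers now match the host name against the certificate’s subjectAltName entries and only fall back to the CN when there is no subjectAltName at all, so the script does the same.

```shell
#!/bin/sh
# Added example (not from the original post): the "Check the Certificate" step
# done with openssl instead of the Firefox dialog. Assumes openssl is on PATH;
# shop.example and the file names are placeholders for the shop you are checking.
set -euf   # -f: no globbing, so a wildcard name like *.shop.example stays literal

# Save the certificate a live shop presents (needs network; not run offline).
fetch_cert() {                    # fetch_cert shop.example shop.pem
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM > "$2"
}

# Print one subject attribute (CN, O, C, OU, L, ST, businessCategory, ...).
subject_field() {                 # subject_field shop.pem CN
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 |
    sed -n "s/^ *$2=//p"
}

# Print the DNS names from subjectAltName, one per line (empty if none).
san_dns_names() {                 # san_dns_names shop.pem
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Subject Alternative Name/ { getline; print }' |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Exit 0 if the host name you typed is covered by the certificate. Browsers
# match subjectAltName first; the CN only counts when there is no SAN at all.
# A wildcard covers exactly one label (*.shop.example does not cover shop.example).
cert_covers_host() {              # cert_covers_host shop.pem www.shop.example
  host=$2
  names=$(san_dns_names "$1")
  [ -n "$names" ] || names=$(subject_field "$1" CN)
  for n in $names; do
    case $n in
      "$host") return 0 ;;
      \*.*) [ "${host#*.}" = "${n#\*.}" ] && [ "${host%%.*}" != "$host" ] && return 0 ;;
    esac
  done
  return 1
}

# Print the identity fields worth reading: the basic CN/O/C trio plus the
# extras an Extended Validation certificate carries (OU, L, ST, company number).
cert_identity() {                 # cert_identity shop.pem
  for f in CN O C OU L ST serialNumber businessCategory; do
    v=$(subject_field "$1" "$f")
    [ -n "$v" ] && printf '%s=%s\n' "$f" "$v"
  done
  return 0
}

# Exit 0 if the subject carries the EV-style business fields.
is_ev_style() {                   # is_ev_style shop.pem
  [ -n "$(subject_field "$1" businessCategory)" ]
}
```

Against a live shop the sequence is `fetch_cert shop.example shop.pem`, then `cert_identity shop.pem` to read the fields the post talks about, then `cert_covers_host shop.pem shop.example` to confirm the name in the address bar is actually the one the certificate was issued for. The O and C values printed by `cert_identity` are the ones to compare with the business details on the site and in the domain’s whois record in step 3.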

Despite the above checks, I can only remember not buying something online once in the last year. A couple of times, I’ve worked through the above steps and it’s changed which shop I bought from – and I’m pretty sure it saved me from losing £400 on one purchase.

Posted in Cooperatives

Connecting from the k608i with SSL

The mobile phone I travel with is pretty good and I use JabberMixClient to instant message from it. Version 2.1 finally got rid of the avatar-replacement bug, so I only wanted to solve my inability to make an SSL connection to our servers. (The linked email is slightly wrong: it’s signed by our own Certificate Authority, not self-signed.)

The answer was to install TTLLP’s Certificate on the phone, as suggested on Sony Ericsson’s developer site. After a few unsuccessful attempts, I corrected my two mistakes: firstly, I needed to install our CA certificate, not the server certificate; secondly, use PEM format, like on tjworld’s k800i. The exact command was obexftp -b $PHONE -p ca.pem and then the phone prompted me whether I wanted to install it.

Now I can jabber from the phone without the phone company eavesdropping and without having to MidpSSH to a server. Can’t I?
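The two mistakes above (server certificate instead of CA certificate, DER instead of PEM) are both checkable before anything is sent to the handset. The script below is an added example, not from the original post or from TTLLP: it converts to PEM, refuses to push anything that is not a CA certificate, and can confirm that the CA really is the one that signed the Jabber server’s certificate. It assumes openssl is installed; obexftp and the $PHONE Bluetooth address are only touched in the final step, exactly as in the command above.

```shell
#!/bin/sh
# Added example (not from the original post): checks that would have caught the
# two mistakes described above before pushing a file to the phone.
# Assumes openssl is on PATH; obexftp and $PHONE are only used in the last step.
set -eu

# Print "PEM" or "DER" for a certificate file (the phone wants PEM).
cert_format() {                   # cert_format ca.crt
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo PEM
  else
    echo DER
  fi
}

# Write $1 to $2 as PEM, converting from DER if needed.
to_pem() {                        # to_pem ca.crt ca.pem
  if [ "$(cert_format "$1")" = PEM ]; then
    cp "$1" "$2"
  else
    openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
  fi
}

# Exit 0 only if the certificate is a CA certificate (basicConstraints CA:TRUE),
# i.e. the issuer's certificate rather than the server's own.
is_ca_cert() {                    # is_ca_cert ca.pem
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Exit 0 if $2 (a PEM CA certificate) is the one that signed $1 (a server cert),
# so you know the CA you are about to trust is the one the server actually uses.
signed_by() {                     # signed_by server.pem ca.pem
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Convert, check and push. Refuses to send a server certificate by mistake.
install_ca_on_phone() {           # install_ca_on_phone ca.crt ca.pem
  to_pem "$1" "$2"
  if ! is_ca_cert "$2"; then
    echo "refusing: $1 is not a CA certificate (the server cert will not work)" >&2
    return 1
  fi
  obexftp -b "$PHONE" -p "$2"     # the phone then asks whether to install it
}
```

To get the server’s certificate for the `signed_by` check, `openssl s_client -connect jabber.example:5223 </dev/null | openssl x509 > server.pem` works for an SSL-on-connect port (the host and port are placeholders).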

Posted in ThePhoneCoop

Spammers Silenced by Service Suppliers

Maybe, like me, you’ve noticed that you’ve had less junk email this week and you’ve been wondering why. News sites are reporting that a large spammer-friendly hosting service in California has been disconnected by its service providers after they were sent evidence about its activities. (Check out the “Next” links on the report to see how the story develops.)

For the technically-minded, “Changes in Spam Levels this week” (posted by simonw) illustrates the level of disruption and may grow an interesting discussion among server managers – it seems the reduction is less than the 75% reported in some news services, but still significant.

This is great news for all good internet users. It’s disappointing if the spam hosting service won’t have to pay any of the costs they’ve inflicted on other computer users in some way. The only practical negative that I’ve noticed so far is that much of the stopped spam was pretty easy to identify and filter out, so the reduction in spam reaching my “unsure” mailbox hasn’t been anything like 50%. Still, less spam hitting the filters means less computer power used, which means less electricity and network data transfer used, which means lower costs for us. Yippee!

And finally, I smiled at this comment over on the WebmasterWorld discussion:-

“Our spam email has dropped so much in the past 2 days that I was beginning to wonder if there was something wrong with our email accounts.”

Posted in Cooperatives

Webmaster Jargon for Website Owners

I wrote to a site owner last week and I thought I was writing to a webmaster. The site owner complained about some of the jargon and, while explaining who I thought I was writing for, I explained some of it because I think more website owners might benefit from these three explanations:-

“Expat-like terms” – made available in a way that is freely sharable, modifiable and redistributable, similar to the Expat software package, whose terms are published at http://www.jclark.com/xml/copying.txt – this is often used as a clear, simple example for encouraging wide distribution of electronic resources (software).

“clandestine Google Analytics” – Google Analytics is a service from Google, Inc for tracking users through a website in various ways. I believe the Data Protection Act means that English websites should obtain informed consent from users by publishing a Privacy Policy on their site which discloses what the GA service will be used for and linking through to GA’s own Privacy Policy. Some websites attempt to run Google Analytics on users’ computers without explaining why and without any Privacy Policy. That is what I mean by “clandestine”.

“valid xhtml” – validating against the eXtensible HyperText Markup Language standards published by the World Wide Web Consortium (W3C) – the underlying language of the web. There is a test service provided at http://validator.w3.org/ and passing it is a key stepping stone towards making an accessible website. There’s not really such a thing as “invalid xhtml” – if it doesn’t pass validation, it’s not xhtml. So I guess I’m guilty of using a tautology sometimes – sorry about that.

Is it worthwhile knowing those three phrases? Are there other key technical phrases which you think site owners should know?

Posted in Cooperatives

Five goes free-to-air, ASTEFAQ updated

After seeing Five to launch on Freesat over on the DTG website, I tried rescanning 28e and a channel called 6335 (or similar) appeared in the channel list but it had a FIVE logo in the corner. Maybe those DOGs do serve some purpose sometimes – but it would be better if they actually set the channel name correctly.

So, if you have a free-to-air satellite set pointed at 28e (which most UK dishes are), then you now have Five. If you have Freesat, you’ve another week before it appears on your EPG. It’s better to be free-to-air. I’ve not seen much of five since leaving Norwich about a decade ago: North End King’s Lynn is “fringe” reception for even the main channels, while neither the Kewstoke nor Cardiff transmitters broadcast it yet. It looks like it’s changed quite a lot.

Anyway, I’ve updated the alt.satellite.tv.europe FAQ to move five into the list of FTA channels. Anyone know about getting the Freesat EPG on MythTV yet?

Posted in Education, Training and Information

Bloggers Unite to Reunite Refugees

[Bloggers Unite badge: Unite to Reunite Refugees]

We celebrate Software Cooperative News being reunited with its .coop domain by celebrating this Bloggers Unite event. If you’re not aware of it already, please find out more about the problem of refugee separation from Refugees United. Thank you.

Posted in Wordpress and Blogs

Elections and SPI: Open Voting Foundation

So, as everyone knows by now, the party which is a lot like our Conservatives won the US elections (instead of the other party which is a lot like our Conservatives). I’m particularly touched by Aq’s comment:-

The mood in America has been likened to the one here in ‘97 when we managed to kick the conservatives out for the first time in about 20 years, which amuses me. However, the fact that ours failed to live up to that optimism doesn’t mean yours necessarily won’t

Oh well, at least it was better than drifting further to the right (in both cases). I’ll wait and see whether it lives up to the optimism.

As you may know, SPI is associated with the Open Voting Foundation. That doesn’t sit well with me – while paper voting is imperfect, it seems more verifiable and scalable than machine voting. I’ve been assured that OVF seeks to replace current election machines, rather than spread machine voting to new places and it looks like my area is not under immediate threat (ORG latest news), so I’m not working on it just now. Broadly, I agree with Simon Rumble on Voting machines: a solution searching for a problem?

So without even going into the serious problems with voting machines, it seems they don’t actually solve any actual problems, and I suspect cost a lot more to operate

I’m currently finding out more about standing for election to The Cooperative Group committee and ThePhoneCoop board – I’m not sure yet, but I think both still use paper voting. Cooperatives-SW and TTLLP both use in-person voting. What’s the current thinking here? What’s best?

Posted in SPI

Library Open Source Webinars (FYI/RFC)

Today is the first of the Library Open Source Webinars run by WiLS. It takes place in a few hours (2pm CST, which I think is 14:00:00-0600, or 20:00:00Z) and costs USD25 per session or USD100 for all six. Future sessions will cover Drupal and Evergreen – sadly not Koha, as far as I can see.

I’m told that “standard browser, standard phone” is all that’s needed to attend live, but recordings are Windows Media Video (WMV) files, which I think isn’t great for an Open Source Webinar. I’d be interested to hear from anyone who attends, including whether it played nicely with your software.

Posted in Drupal, Koha, Wordpress and Blogs

Tasty New Microblog Flavour

I’ve flirted with it in the past and resisted it for a while, but you can now follow me on Identi.ca and Twitter if you are so inclined. Seems like I might have picked a good time to try this because TwiTip just soft-launched.

There’s some overlap between my accounts, but they’re not identical because different third-party sites connect to each one. Both will get told when a new article appears on this website, but Twitter is likely to see more links to other sites and Identi.ca will get more status updates. Other than that, usage will be determined by popularity at events or with communities – or by suggestions here. How would you use them?

At first glance, the two services are similar but different. Both sites seem to be “cooperative deserts” (not many cooperative members on them), both sites seem to be running on non-free software (I consider AGPL non-free until its big questions are resolved) and neither site seems to have an easy way to backup one’s data or participate without registration. Identi.ca seems to have some SEO-spammer problems, while Twitter’s interface has some silly needless javascript uses. Identi.ca supports OpenMicroBlogging (OMB) but I don’t understand that yet – it seems a terrible specification. It opens with references (but not web links) to three other things I’ve never heard of, then continues into a dictionary where terms like “listener” are redefined (ouch!) and doesn’t contain an examples section.

New article announcements are done by a WordPress plugin I’ll publish soon. Because of the above problems with OMB and that I can’t find whether Twitter supports it, the plugin uses the simpler status HTTP POST interface. Does anything other than Twitter and Identi.ca support that? I tried a few sites and got bored with them requiring me to apply for an API key before they’d tell me much.

Posted in Wordpress and Blogs