Monthly Archives: March 2011

XML Support in APR and Apache

Recently the subject of bundling or non-bundling of expat within APR and Apache HTTPD (the web server) re-emerged on the dev list.  I’ve always been against bundling: it’s a third-party library and should be a dependency.  We’ve moved gradually towards that, but current practice includes bundling it in an optional dependencies package.

APR’s use of expat is in practice pretty limited and straightforward: the core does nothing very demanding with XML.  And in practice, when applications such as Apache Modules need to work with XML, expat is often too limiting.  So modules need to introduce an alternative XML library.  The most usual choice is libxml2 as in, for example, mod_proxy_html, mod_transform, and mod_security.

Libxml2 is not just a much bigger and more powerful library than expat, it’s also very nearly a drop-in replacement.  In particular, it provides a compatible SAX API.  So if we could use it in place of expat in APR we have a win-win for web servers (and other applications) involving libxml2: replace expat in APR, and load just the one XML library instead of two.  At the same time, we don’t want to impose libxml2 as a dependency on APR applications that have no need for it.

So this week I’ve finally got around to rewriting APR’s XML module to decouple the parser and use either expat or libxml2.  The choice of XML parser is now available at compile time.  While libxml2 support should be considered experimental for the time being, it should become the preferred option for users of applications requiring it, potentially simplifying your configuration and reducing your footprint.

For the time being, anyone interested will need to download APR from trunk.

Insewerants

March is the time of year my home insurance comes up for renewal.  This year I took the time to shop around using online price comparisons, and found a far better deal than my existing insurer.  No great surprise there.

I gave it a while to mull over, and read the new insurer’s cover in detail.  Compared to the old one it’s actually rather more comprehensive.  For just over half the price!  OK, let’s order this one, and cancel the old one.

The renewal notice from the old one has a freephone line.  So I ‘phoned it, and after a couple of menus I was through to a customer service person.  He was of course keen to quote me the best deal (and was perfectly pleasant about it) so I agreed to let him give me a quote.  When he mentioned a very low excess, my reaction was one of Good Lord!  In that case I should’ve claimed when my friend’s dog ripped my coat! Before that conversation it hadn’t even crossed my mind to claim on insurance for that.

His reaction was instant and clearly automatic: I should have been able to claim against my friend’s insurance.  Yep, it’s all about shifting liability.  My reaction was a slightly-horrified What?  It’s hardly something to go around suing my friends over!

Two different mindsets, and the insurers win because people don’t claim.  But what if I got over my instinctive revulsion at the idea of suing my friend?  Just treated it as a business transaction: no hard feelings, no guilt?  That’s what I should be doing in my insurer’s world!  They’re pushing us into being cold, calculating, and ruthless.  Discounting such nebulous irrelevancies as friendship.

From where I sit, that’s a big hurdle to making a claim.  But if I were to cross that hurdle, surely the logical next step is on to fraud, as in let’s just lump in existing damage or wear-and-tear with what the dog did[1].  That step is surely much smaller than the hurdle I’ve crossed to claim against my friend.  And from there it’s small steps to much bigger fraud.

It seems a logical conclusion that insurers have only themselves to blame when they suffer large scale fraud, such as staged car accidents.  They’ve trained us to think that way!

Oh, and yes I did switch my home insurance.  As well as my stuff (which I’m unlikely to claim for unless I suffer catastrophic loss like a big fire or burglary), it explicitly covers things like tenant liability if I were to burn down my landlord’s property, and of course the usual third-party things if I were held liable for something while out walking or cycling.

[1] there wasn’t any with the coat in question, which was brand new just a week earlier. But that’s not the point!

Spring!

After a false start in February with about one day of warm, fine weather before it turned first wet and then much colder again, this time it seems to be here for real.  Not quite warm yet, but about a week now of borderline T-shirt weather when out in the sun (of which there is now plenty).

Yesterday just walking over Whitchurch Down to Lidl, the real signs of spring were all around.  A lady of pensionable age sitting out on a park bench to enjoy reading her paper.  The buzz of the bumblebee.  The startling scent of spring blossom after the drab winter months.  Etcetera.

Alas, this reminds me of what we’ve lost.  This year and last we’ve missed our customary early springtime when the once-lovely tree in Paddons Row would blossom gloriously, upwards of a month earlier in the season.  It’s looking very dead, having borne neither blossom nor leaf as of late.  Could it be the winters?  Or has some human activity cut off its roots, or poisoned them?  Surely a tree that size has seen its fair share of winter, which leaves the perils of its concrete-jungle location as prime suspect.

Reporting ‘phone spam

Dear Lazyweb, is there an app for any kind of mobile ‘phone that’ll take the number of the last incoming call and submit a quick complaint to OFCOM?  The phone in question is a Nokia E71 (Symbian 60), but if that’s not available then an equivalent app for AN Other platform would seem a starting point for hacking it.

I’ve long suffered from phone spam, but getting it every day on the mobile is a new affliction this year.  The computing power of today’s phones ought to bring some benefits in combating this curse!

Training to be a victim

A couple of weeks ago, I received two essentially-identical letters in the post.  They claim to be from Capita Registrars. There’s a Capita logo, and a footer referencing contact details for Capita Registrars. So far so good, but does that mean they’re from Capita?  A competent fraudster might very well impersonate them to get my identity details and a foot in the door of my finances (whatever they may be).

The letters run:

IMPORTANT: Protecting your shareholding against fraud

Dear [me]

We have recently received an instruction to change details on your holding.
The following details have been changed:

– The way you receive your payments

If you did not ask for any changes, please contact us immediately by telephoning 020 8639 3312 or +44 8639 3312 if you are outside the United Kingdom.

This letter is sent in the interest of shareholder security so you can let us know if we have made any changes you did not ask for.

Yours sincerely

[scrawl]

For and on behalf of
Shareholder Security Team

I haven’t instructed them to make any changes, but I do have two new shareholdings with instructions to pay dividends direct to my bank account. If it’s genuine it’s good they’re taking care of security, but I can’t verify it.

  • There is no reference to what shareholding they might be talking about.
  • I can’t verify that phone number. Google finds it not on Capita’s pages, but in a list of 0208 numbers that have had complaints against them, which doesn’t exactly inspire me to ring it[1].

This is almost as bad as Verified by Visa.  Not quite as bad: the fraudster still has a way to go from convincing me to ‘phone their number to getting their hands on my assets.  But it’s the same principle: as soon as I respond to a letter, I’m doing exactly what a fraudster needs me to do to fall victim.  And of course, when I ‘phone the fraudster’s number, they will naturally need to ask a bunch of sensitive questions to verify I am really me: sufficient to identify me, and if they’re good at blagging they might get a whole lot more.

To follow this up, I started with Google and Capita, through which I established to my own satisfaction that the Capita Registrars website was genuine.  Searching it for contact information I could safely use, I found the choice of a couple of email addresses, or ‘phone numbers.  Or could I check it all myself online?

I tried signing up for Capita’s online shareholder services: if I can verify my shareholdings and associated payment details, I can see for myself whether the letters really need following up!  I’ve tried that before, but this time I carried it through.  I am indeed similarly signed up with other registrars: ComputerShare’s online service which works to a satisfactory level, and Equiniti’s which is amazingly bad but might at least have been sufficient to follow up these letters.

Signing up for this online service, I first gathered together all my Capita-issued share certificates.  Ten of them (seven distinct holdings; eight distinct stock codes).  Following the signup procedure, I entered the details for one of them and created an account.  From there I was able to verify that that shareholding was in order, but I was completely unable to access any other holding.

After trying every bloomin’ path in the system, I logged out, and tried logging back in using another share certificate.  It rejected the username/password I’d just created!  Seems the system requires me to create a separate account for every holding.  Indeed, not merely create it once, but log in eight separate times – each a complex process – any time I get a shareholder security letter in future.

Well, bugger this: surely I must be missing something????  OK, try emailing.  That got me an automated reply promising attention within 48 hours.  The following day a human reply, offering to ‘phone me and follow up on points I’d raised.  Great, I’m getting somewhere!

I took up the offer and they duly ‘phoned.  We were quickly able to trace the matter of the two letters to my new shareholdings, thus resolving the original issue.  I also raised my concerns about their system: letters indistinguishable from phishing, scarce information with which to follow up, and is their online system really as useless as it seems?

Encouragingly, the lady I spoke to sounded good: she wasn’t some call-centre drone reading from a script, and she sounded receptive to my points about phishing and unverifiable information.  She told me they were proud never to have suffered fraud, but that begs the question of how you count responsibility for a phishing victim who subsequently suffers identity theft but not loss of the specific shares.  I stressed that if it hasn’t happened yet, it can only be a matter of time.

On the question of their online services she confirmed yes, amazingly, they really are that bad!

Let’s see if anything changes following my call ….

[1] By posting here I’m creating another google result for anyone seeking to verify that number.  If you found it at random through a search, you probably don’t know me.  Am I who I seem, or part of the fraudster’s operation?