Saved from Visa

I’ve written before about the Fraudster’s Friend misleadingly named “Verified by Visa”.  Most directly in my post Phished by Visa, though Bullied by Visa perhaps also deserves a mention.

Today I went to place an order with Argos, who I’ve used several times before and who have always – in contrast to some of their competitors – delivered very efficiently.  This time alas the shopping process has become significantly more hassle, and they’ve introduced the VBV cuckoo into the process.  But I was pleased to note that, when I came to the VBV attack, Firefox flagged it up as precisely what it is: an XSS attack, and in the context of secure data (as in creditcard numbers) a serious security issue.

I hope Firefox does that by default, rather than just with my settings.  Though it would be courageous to take the blame from the unwashed masses who might think VBV serves their interests when it doesn’t work.  Doing the Right Thing against an enemy with ignorance on its side has a very bad history in web browsers, as Microsoft in the late 1990s killed off the opposition by exposing their users to a whole family of “viruses” in a move designed to make correct behaviour a loser in the market (specifically, violation of MIME standards documented since 1992 as security-critical).

Alas, while Firefox saved me from the evil phishing attack, the combination of that and other Argos website trouble pushed me to a thoroughly insecure and less than convenient medium: the telephone.  Bah, Humbug.


I’ve been on the ‘net a lot longer than you.

Well, that won’t apply to all readers.  This blog is aggregated at Planet Apache, so is likely to cross the feeds of some true veterans.  But I’m sure I’ve been online far longer than any of the politicians or journalists who are getting into another frenzy about online porn and ‘protecting’ the children.  Without getting into the nitty-gritty of what counts as an ancestor of the modern ‘net, I first accessed a computer remotely in 1983, subscribed from home and saw my first online pics (of sorts) in 1987, and got my first access over a ‘net using today’s protocols in 1990.

And in all that time, I’ve never encountered anything I’d describe with any certainty as porn.  The most dodgy material I’ve seen is at the sites of trashy newspapers: specifically the Daily Mail (to which I occasionally follow a link) and Pravda (which I use as a test site when developing internationalisation software like mod_xml2enc).  Both of those seem to bombard me with lots of pics of scantily-clad young people, predominantly female.

And violence?  I don’t read novels online, though I might indulge in occasional dodgy media.  Far and away the most violent content I’ve encountered is music from less politically-correct times, setting words from that ultra-violent text, the Bible.  Blessed is he that taketh the children of the heathen, and casts them upon the stone.

So how is this relevant?  I think it firmly gives the lie to the myth that you can stumble inadvertently on anything nastier than you’d see in your local newsagent or bookshop.  If you want porn, you have to seek it out proactively.  And if you seek proactively I expect you’ll find it, regardless of anything idiot politicians do to try and stop you.

The Rape of Lucretia: Illegal online?

We already have the censor blocking a widening range of contents.  Now apparently we’re to have a whole new raft of Big Brother legislation.  So as a very minor protest, I just googled for contents that will become explicitly illegal.  Titian’s Rape of Lucretia looks pretty unambiguous: it’s not merely a representation of rape (enough to make it illegal), but true, violent rape!

In fact, I think today’s news just prompted me to seek out the nastiest image I’ve seen in 30 years online.  The further they go in the direction of book-burning and aggressive censorship, the more I shall feel inclined to opt out.  I certainly won’t accept filtering of my ‘net contents while I have any choice[1], and if choosing Shakespeare over Bowdler puts me under suspicion from Big Brother then so be it.

I have no interest in porn (and 30 years to prove it), but now legislating to make it ‘impossible’ introduces an element of interest.  How might I go about finding it?  A search for “Rape of Lucrece” finds the soon-to-be illegal image here[2], but what search term might find something more modern?  Maybe I can get a handle on some search terms by looking at the spam appearing on – and more usefully being filtered from – this blog.  Here’s a sample, though those particular search terms are probably long-since outdated.  I’ll leave the details as an exercise for the reader, but if you start a blog at you’ll have access to an akismet log containing lots of clues, likely to be more current than any stupid block-list.

[1]  Unless our governments were to do something genuinely useful and take serious action against spam.
[2] At least, logically speaking.  I expect they’ll find a loophole for anything that can get itself classified as art.

Waste Collection or Hot Air

West Devon has introduced a new waste collection regime.

They started by leafleting us some time ago.  Fine.  The leaflet promised more information nearer the time, so I didn’t pay too much attention except to note the date: second half of October.  They also promised a recycling box and a food waste box.  The recycling box duly arrived, but no sign of the food waste one.

Last night I was due to take the rubbish out.  A fortnight’s worth: I don’t take it out every week.  Since I have no food waste box, it includes food waste.

I check the recycling box.  In it is a leaflet, longer than the original one.  But it’s illegible!  Or rather, it’s stuck together and won’t open: slicing it delicately with a swiss army knife shows traces of print on the corner of the inner pages, but it’s irretrievable.  But visible on the back page is a collection calendar, which shows there’s no general waste collection this week.  Damn!  We’ve always had weekly collections in the past.

OK, I can live with that.  Awkward when one is away on a Monday night and misses the opportunity for a fortnightly collection, but so be it.  Just so long as I know and can plan around it.  At least I can fill the recycling box this week!

So I went to the West Devon website, to check the full information, any further guidance on what goes in the recycling box, and those leaflets.  This is where it gets surreal: I found myself going round and round in circles on the site, but not finding any substantial information.  The first link claiming to be PDF turns out to be a page about PDF (and acrobat), and I curse my way through several more links to it before I find an actual PDF leaflet.  That then turns out to be a useless one-pager, not the ones I’m looking for.  Some annoying rummaging at home finds the old leaflet in its glossy printed form, but nothing I can reference without the hassle of paper.

Now truly p***ed off at this vacuous website, I try sending them a complaint:

Your leaflet on kerbside recycling and refuse collection describes an “outside food bin” and “kitchen caddy”, and implies we should be provided with them before the new service starts.  The new service has started, and none have been seen here.

OK, not a big deal: I can presumably contact you to ask for them.

However, having only a vague memory of the leaflet, I naturally came to your website to look for the information.  I was also looking for the leaflet that came in the big green boxes, but is illegible due to inadequate production quality.


Is this nothing but hot air?

Now it gets all the more surreal.  It refuses my submission, telling me something on the form is incomplete.  I go through the normal fields again looking for the little red star, iterate several times.  WTF???

Finally, a break and a cup of tea later, I find it.  The last entry in the form is a big textbox captioned:

If there is anything which makes it difficult to use our service, for example if English is not your first language or you have a disability, please use the space below to tell us how we could help you.*:

It’s refusing form submission because I’ve left that box empty.  This is vintage irony: their misguided attempts at accessibility have made the thing inaccessible!  I entered in that box:

How about enabling submission with this box blank?  For those of us who are sufficiently able-bodied and English-speaking to fill your form, but whose eyesight isn’t quite sharp enough to spot a tiny red star above this box?

(Pardon the grammar, but it was past 2 a.m. and I’d been struggling for far too long with it to care.  Not an excuse, but a plea for mitigation).

For any techie readers, this mess of a site proclaims WCAG AA accessibility, at which I can only shake my head.  A look at the source reveals heavy div-soup that is void of any HTML semantics.  An automated analysis reveals markup that is surprisingly close to AA conformance in box-ticking terms.  While not as bad as many 1997-style monstrosities, it shows all the hallmarks of following rules with no insight into their meaning.

I guess the whole website is a box-ticking exercise, just as waste collection is a box-filling one.  Maybe B for effort, C- for outcome.  I could forgive the missing receptacles and the web design if only they’d provided those simple leaflets!  Grrrr ….

Phished by Visa

The title is in honour of Ben Laurie’s excellent piece here.  Ben is by any standard a leading expert in online security, and his short article is strongly recommended reading for anyone who shops online.

I’ve just placed an order with ebuyer, timed to get a few bits & pieces before VAT goes back up.  Ebuyer seems like a good bet these days: they’ve done nothing to force me to blacklist them (e.g. Dabs), nor is their website full of flash crap to make it painful to use (e.g. Scan).  And I’ve been happy with them in the past, as a low-cost retailer that delivers efficiently.

The shopping and ordering process went smoothly, marred only by one item of six on the shopping list being out of stock (I’ll try Argos next – they probably have an equivalent).  I entered all the usual details including my Visa creditcard, and it appears to have accepted my order.

It then took me to a “Verified by Visa” screen.  This was in a frame, and the frame contents were generated by a script, so I could not easily verify where my sensitive data were being sent.  This is precisely the phisher scenario, and a magnet for identity theft, as Ben describes!  I reluctantly submitted the first VBV screen, as it hadn’t required sufficient sensitive information to complete a phish.

The second screen then asked me to create a new VBV password.  Since I am already (reluctantly) signed up for VBV, I pulled out at this point and sent a note to ebuyer under the heading of reporting a website security issue.  Having said that, the issue appears to be with VBV rather than with ebuyer, and the fact that my purchase was accepted seems to indicate that VBV was, despite appearances, not actually required.
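The problem in both of these VBV encounters (here, and the Argos one in “Saved from Visa”) is that the frame is created by a script, so the page source tells you nothing about where the card details will go.  The following is an added example, not code from the post, from ebuyer, from Argos or from Visa: it audits a checkout page’s HTML for the destinations that user input would be submitted to, and shows that a script-generated frame leaves nothing to verify.  The sample page is constructed to mirror the scenario above, and `acsUrlFromServer` in it is a hypothetical name, not a real API.

```javascript
// Added example (not from the post, nor ebuyer's, Argos's or Visa's code): audit
// where a checkout page would send what the user types. Static <form action> and
// <iframe src> targets can be resolved and compared with the merchant's origin;
// a frame that a script creates at run time leaves no target in the page
// source, so its destination cannot be checked by reading the page, which is
// exactly the "Verified by Visa" situation described above.

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const FORM_RE = /<form\b[^>]*\baction\s*=\s*["']([^"']+)["'][^>]*>/gi;
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;
// Two common ways a script injects a frame: writing the tag, or creating it.
const DYNAMIC_FRAME_RE = /document\.write\s*\(\s*["'][^"']*<iframe|createElement\s*\(\s*["']iframe["']\s*\)/gi;

function originOf(target, pageOrigin) {
  // Resolve relative URLs against the page and keep only scheme://host[:port].
  return new URL(target, pageOrigin).origin;
}

function auditPaymentPage(html, pageOrigin) {
  const findings = [];
  const scripts = [...html.matchAll(SCRIPT_RE)].map((m) => m[1]);
  const markup = html.replace(SCRIPT_RE, ''); // static markup only

  for (const m of markup.matchAll(FORM_RE)) {
    const origin = originOf(m[1], pageOrigin);
    findings.push({ kind: 'form', target: m[1], origin, verifiable: true, thirdParty: origin !== pageOrigin });
  }
  for (const m of markup.matchAll(IFRAME_RE)) {
    const src = SRC_RE.exec(m[1]);
    if (src) {
      const origin = originOf(src[1], pageOrigin);
      findings.push({ kind: 'iframe', target: src[1], origin, verifiable: true, thirdParty: origin !== pageOrigin });
    } else {
      // A bare <iframe> with no src is filled in later by script: nothing to check.
      findings.push({ kind: 'iframe', target: null, origin: null, verifiable: false, thirdParty: null });
    }
  }
  // Frames built by script: the page source cannot tell us their destination.
  const dynamic = scripts.join('\n').match(DYNAMIC_FRAME_RE) || [];
  for (const snippet of dynamic) {
    findings.push({ kind: 'script-iframe', target: null, origin: null, verifiable: false, thirdParty: null, evidence: snippet });
  }
  return findings;
}

function unverifiable(findings) {
  return findings.filter((f) => !f.verifiable);
}

// Constructed sample, modelled on the checkout described above: the merchant's
// own form, a static third-party frame, then a script that builds the
// authentication frame from a URL the page source does not contain
// (acsUrlFromServer is a hypothetical name, not a real API).
const SAMPLE_PAGE = `
<html><body>
<form method="post" action="/checkout/confirm">
  <input name="cardnumber" type="text">
</form>
<iframe src="https://ads.example.net/banner"></iframe>
<script>
  var acs = acsUrlFromServer();
  var f = document.createElement('iframe');
  f.src = acs;
  document.body.appendChild(f);
</script>
</body></html>`;

const report = auditPaymentPage(SAMPLE_PAGE, 'https://shop.example');
for (const f of report) {
  console.log(f.kind, f.verifiable
    ? `${f.origin}${f.thirdParty ? ' (third party)' : ''}`
    : 'destination not in page source');
}
```

Run it with `node` and the merchant’s own form and the static banner frame resolve to a checkable origin, while the script-built frame is reported as unverifiable: the reader of the page (and the shopper) has no way to tell a genuine card-scheme frame from one pointed at a phisher, which is the whole of Ben’s complaint.  In a live browser the same limit applies: reading a cross-origin frame’s location from the parent page is blocked by the same-origin policy, so only the address bar of a top-level window gives a destination the user can actually check.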

Grrr ….

Sun Glassfish Webstack 1.5

Sun Glassfish Web Stack 1.5 is out this week, for Solaris and Linux platforms.

This is the latest update to the webstack, and like previous versions is available both as a free download and commercially as a supported product in a choice of bundles, to meet the needs of everyone from enterprise clients, through small and medium size business and startups, to students and hobbyists.  The most striking change for most users will probably be the shiny new Enterprise Manager dashboard.

Open sourcers will note the updates to the constituent open-source components of the webstack.  In this context, and in view of my recent blog entry, I should perhaps mention that while the Apache HTTPD version bundled is 2.2.11, it does include local patches, most importantly the security fixes in this week’s 2.2.12 release from Apache.  Other components are similarly upgraded.

Browsers for Mac

Dear Lazyweb, is there a web browser for Mac OS X that lets me view images but disable image animations?

Let me clarify. I know they all have configuration options to do that, but I want one that works!

My normal desktop platform is Linux, but I have a Mac laptop. It’s one of the first generation of Mac/Intel boxes, and it’s the cheapest (13 inch) model.

On Linux (and other *X), Konqueror has long let me browse in a rich graphical environment but nevertheless disable image animation crap. Other browsers have configuration settings to disable animations, but they simply don’t work. When the Mac was new, I struggled and failed to find a working browser. That included installing add-ons like SafariStand that supposedly get rid of the crap, as well as a range of different browsers.

When Firefox 2.0 was released, it finally worked. On both platforms, and even Windoze. Great, a browser I could use anywhere I want from the Mac.

A week or two ago, with the latest security update, Firefox started animating images on me (as version 1.5 had done). Disabling it just stopped working. So now I am without a web browser I can use away from safe sites on the Mac.

Grrrr …

Web sites that suck: UK Gov carbon calculator

I just tried the UK govt’s “carbon calculator” (as reported here). In brief, it’s horribly broken, at the taxpayer’s expense. So I found the feedback link to email them a little rant.

I have three comments on this site: first about the calculation itself, secondly about the presentation, and thirdly about the basic technical quality of the site.

The calculation makes no sense to me. First, it asks questions about the house, including energy bills, and tells me:

Your CO2 Result for your home is 0.42 tonnes per year.

It then proceeds to ask about appliances, and tells me:

Your CO2 Result for your appliances is 0.82 tonnes per year.

(Minor comment at this point: it completely excludes the effects of my shopping or working habits).

Now, my usage of all those appliances is *included* in the electricity bills, which were *already* part of the first calculation. Since the appliances in question are clearly domestic (e.g. fridge, cooker, telly, computers), it makes no sense at all to separate them from the total gas and electricity consumption figures.

This leads to my second point: your “FAQ” is hard to read. Firstly, it lacks an index or quick overview. Secondly, its author has failed utterly to grasp the basic principles of HTML markup, and consequently has produced text that is a strain to read – at least for my middle-aged eyes (though I expect it looks good on the author’s own PC).

In support of the above assertion, and before moving to my third point, I should perhaps briefly present my credentials to criticise the site at a technical level. I am widely acknowledged as an expert in a range of web technologies. I am a published author, developer of the “Site Valet” suite of QA and Accessibility evaluation tools, and for several years served as Invited Expert with the Worldwide Web Consortium in their Quality Assurance and Accessibility activities.

Having thus introduced myself, let me introduce the first principle of developing a website: follow the basic standards!

Analogy: If the electrician who wired my house had installed a system that would work with a Hoover but not with an Electrolux appliance, I would be rightly aggrieved. But of course, the electrician follows basic interoperability standards, so there’s no question of that kind of incompatibility.

Developing a website is exactly the same. But your calculator fails so badly as to make it completely unusable in at least two of my browsers, including my first choice (Konqueror; also known as Safari in Apple’s own-badge packaging). Even in Firefox it is extremely rude, messing about with my browser window.

This level of brokenness does not happen merely due to time and budgetary limitations. It takes an order of magnitude more effort to mess it up so badly than to produce a simple, working site (the calculator itself is very simple). Furthermore, there is a *separate* flash 8 version for those who might prefer to treat it as entertainment. The so-called HTML version I used is supposedly the simple fallback.

In brief, please get a competent web developer for a day, and stop pouring taxpayers’ money into some entertainment-industry wannabe’s self-indulgence.

“Web 2.0” with substance?

I often have the radio on in background. And so it was that I got to hear the BBC’s “Click On”. It’s a “pop-web” magazine programme, and the presenter (inevitably) introduced some “blogging pioneer and web 2.0 expert” to talk about “Web 2.0”. Yeah right. More hot air.

Well, blow me down if this interviewee didn’t say the first sensible thing I think I’ve ever heard[1] about Web 2.0. Namely, that it’s not new: it’s returning to what the Web started out as in the early to mid ’90s, before vacuous brochureware became dominant. Corollary: it’s been there all the time, thank you for starting to notice.

[1] Not just on mainstream meeja.  That includes the High Priest of “web 2.0” hot air, who I saw last year at OSCON with many of his acolytes.

