Quoted By The Daily Mail

This morning Tweetdeck pinged and alerted me to this tweet from a friend of mine.

He was right too. The article was about Reddit’s Button and about half-way through it, they quoted my tweet.

My reaction was predictable.

I was terribly embarrassed. Being quoted in the Daily Mail isn’t exactly great for your reputation. So I started wondering if there was anything I could do to recover the situation.

Then it came to me. The Mail were following Twitter’s display guidelines and were embedding the tweets in the web page (to be honest, that surprised me slightly – I was sure they would just take a screenshot). This meant that every time someone looked at the Mail’s article, the Mail’s site would refresh its view of the tweet from Twitter’s servers.

You can’t edit the content of tweets once they have been published. But you can change some of the material that is displayed – specifically your profile picture and your display name.

So, over lunch I took a few minutes to create a new profile picture and I changed my display name to “The Mail Lies”. And now my tweet looks how you see it above. It looks the same on the Mail article.

As I see it, this can go one of two ways. Either the Mail notice what I’ve done and remove my tweet from the article (in which case I win because I’m no longer being quoted by the Daily Mail). Or they don’t notice and my tweet is displayed on the article in its current form – well at least until I get bored and change my profile picture and display name back again.

This afternoon has been quite fun. The caper has been pretty widely shared on Twitter and Facebook and a couple of people have told me that I’ve “won the internet”.

So remember boys and girls, publishing unfiltered user-generated content on your web site is always a dangerous prospect.

Public Service Announcement: Aegon Pensions

Do you have a personal pension with Aegon? If so, I suggest you ask them to double-check the statements they have been sending you, as they might well be incorrect. I’ve recently discovered that mine have been wrong to the tune of several thousand pounds for seven years.

This year I’ve been transferring all of my personal pensions to a SIPP at Hargreaves Lansdown. It has generally been a painless process. You fill in a form and send it to HL, they contact your current pension provider and a week later the money is sitting in your HL account.

Of course, you’ll want to know how much is in your pension fund, so you know how much money to expect to be transferred. But your current provider will be sending you annual statements. As the stock market has been rising for a lot of the last twelve months, the amount you’ll get will almost certainly be a little more than the amount on your last statement.

But there will be two values on your statement – the fund value (FV) and the transfer value (TV). FV is the amount your fund is worth if you leave it with the current provider. TV is the amount they’ll send to your new provider. Looking at all of my statements, FV and TV were the same amount. So all was well with the world.

I found that I had six personal pensions (I really have no idea why I had so many – it seems rather more than you’d need) and, over a period of a few weeks, I set the transfers going on all of them. Five of them worked fine – I got a little more money than I expected. The sixth was with Aegon.

One Friday afternoon I got a phone call from an adviser at HL. Aegon wouldn’t make the transfer unless I confirmed that I was aware of the current valuations. He read out the valuations that Aegon had given him. TV was about 20% smaller than FV. This meant that I’d lose about a fifth of my money if I transferred the fund. I asked him to put the transfer on hold until I could confirm this with Aegon.

Aegon’s customer support line is closed over the weekend, so I couldn’t speak to them until Monday. But I double-checked my statements. There was a difference between FV and TV in 2007, but since 2008 every statement had shown the two values to be the same. And, naively, I assumed that my statements were accurate.

On Monday I called Aegon. Their customer support people tried to help but really all they could do was to pass my questions on and tell me to wait for ten days or so.

A couple of weeks later I got a reply which basically just said that my statements were wrong and that, yes, there was a 20% early exit fee on my plan. I wasn’t happy with that so I wrote back to them asking how their system could issue incorrect statements for seven years without anyone noticing.

Today I got a reply to that letter. Here’s what they say:

Statements are system generated reports which are issued annually. These are usually issued directly to Policyholders or Financial Advisers without being checked. It was only when you brought the error regarding values to our attention that the matter has been investigated and future automated statements have been inhibited.

So there you go. There was apparently a bug in Aegon’s system which went undetected for seven years, until I tried to transfer my pension fund away from them.

I’m going to continue to try and find out how I can get my money out of Aegon without losing a large chunk of it. Given that most of the industry doesn’t work the same way that they do, I suspect my best approach is to accuse them of mis-selling the policy in the first place.

But if you have been receiving statements from Aegon over the last seven years, I’d ask them to check the values if I was you. Let me know what you find out.

TwittElection

I was convinced that the general election in 2010 was going to be the “Twitter election”. I built a web site (now sadly lost somewhere in cyberspace) that monitored what PPCs were saying on Twitter in my local constituency. But, all in all, it wasn’t very impressive. I gave a talk about how disappointing it had all been but then I forgot about it all.

But there’s another general election coming. And, surely, this one must be the Twitter election? A lot has changed in the last five years. Everyone is using Twitter. Surely this time some useful and interesting political discussion will take place on Twitter.

I set the bar a lot higher this time. Instead of just monitoring my local constituency, I’ve created a site that monitors all 650 constituencies in the country. Each constituency has a page, and on that page you’ll find a Twitter widget which displays a list I’m curating which contains all of the PPCs I can find for that constituency.

Well, when I say “I can find”, that’s a bit of a simplification. Obviously, finding details of all of the PPCs for 650 constituencies would be a bit of a mammoth task. But I’ve had help. There is a wonderful site called YourNextMP which is crowdsourcing details of all of the PPCs. And they have an API which allows me to grab their data periodically and update my information. If you have any information about PPCs in a constituency that they don’t already have, please consider adding it to their database.

After I found YourNextMP, it was just a simple matter of programming. I made heavy use of the Twitter API (via the Net::Twitter Perl module) and I’ve hosted the site on Github Pages (so I don’t need to worry if it suddenly gets massively popular). All of my code is available on Github – so feel free to send pull requests if there are features you’d like to add.

Oh, and obviously there’s a Twitter account – @TwittElection. Follow that if you want updates about the site or general chatter about the election campaign.

Today marks 100 days until the general election. I thought that was an appropriate day on which to officially launch the site.

Please let me know if you find the site useful.

Taxing Affairs

People complain about the Inland Revenue. Of course they complain about the taxes they have to pay. But they also complain about the level of service they get from the people in the tax office. Sometimes they might question the level of intelligence of people in the tax office.

Here’s an example of why they might do that. It concerns my company’s VAT return.

At the end of November I needed to fill in a VAT return. My accountants have a great online system that does all the calculations for me. I can even submit the return online. The only thing it doesn’t do is transfer the money to HMRC.

So on the 29th November I logged in to my account and saw that I needed to pay HMRC £X. I logged into my company bank account and transferred £X to HMRC’s account.

In December I went off on holiday.

In early January I returned from holiday and found a letter from HMRC saying that I hadn’t submitted a VAT return and that they had therefore estimated my payment as £Y. £Y was less than £X.

I emailed my accountant, she looked into it and soon realised what the problem was. Although I had made the payment for the VAT owed, I hadn’t actually submitted the return. I logged on and did that immediately. This should have been the end of the matter.

This morning I received another letter from HMRC. One written on 9th January. Today is 17th January. I don’t know what mechanism HMRC use to send letters, but it’s not particularly fast.

This morning’s letter said that my company had an outstanding VAT debt of £377.30.

£377.30 is £X – £Y. That is, it is exactly the amount by which the payment I made was greater than their estimate of my liability.

This is very confusing. I have paid more than they estimated that I owed and they still think that I owe them money. I have no idea how they could have reached that conclusion.

But I hope my accountant can find out when she gets back to her office on Monday.

2014 in Gigs

Slightly later than usual, here’s my overview of the gigs I saw in 2014.

I saw 45 gigs in 2014. That’s 25% down on 2013’s 60 (which is my current record). Letting it drop below an average of one a week is disappointing. I’ll have to try harder this year.

I saw both Martin Carthy and Chvrches three times in 2014 and Annie Eve twice. Martin Carthy is definitely the artist I’ve seen most since I’ve been keeping track of such things. And it’s the first time for many years that I haven’t seen Amanda Palmer. But that’s only because she didn’t play London in 2014 (well, she played one small gig at the British Library, but I didn’t hear about it until it was far too late to get tickets).

What was less than impressive? Well, my review of Yes at the Albert Hall upset a couple of Yes fans. And Eddi Reader wasn’t as good as the previous time I saw her. But, in general, the quality of things I saw was pretty high. Perhaps I was being more picky and that’s why I saw fewer shows.

Anyway, here (in chronological order) are my ten favourite gigs of the year:

  • Haim – Haim were on my top ten list from 2013. I saw them again early in 2014 and they were just as good.
  • Chvrches – I saw Chvrches three times. I’m going to choose the Somerset House show as my favourite. Because I was standing about five rows away from the stage.
  • Annie Eve – I saw Annie Eve twice. I think the first show (at the Lexington) was just better, but only because the Lexington is a much better venue than the Borderline. I’d love to see her play somewhere like the Union Chapel.
  • Rick Wakeman – Something a bit different here. Rick Wakeman playing all of Journey to the Centre of the Earth. Very cheesy. Very pompous. Very wonderful.
  • Lorde – Lorde couldn’t be more different from Rick Wakeman! But this was probably my favourite gig of the year. I can see myself enjoying Lorde shows for many years to come. Coincidentally, Lorde was also the support at the next gig on the list.
  • Arcade Fire – I had wanted to see Arcade Fire for a few years. This show was every bit as overblown and wonderful as I hoped it would be.
  • Hazel O’Connor – Another complete contrast. 80s legend playing a low-key show in the pub at the end of my road. Wonderful stuff.
  • Kate Bush – Probably on everyone’s list. For all the obvious reasons.
  • Tunng – Always love seeing Tunng. And this career retrospective show was great.
  • Peter Gabriel – And another stadium show to close with. I was astonished to find out that it was twenty years since I saw Peter Gabriel. It certainly won’t be another twenty until I see him again.

As always, there were shows that were unlucky to fall just outside the top ten list. Special mentions should go to Paper Aeroplanes, Neutral Milk Hotel, Lisa Knapp and Banks.

Right, so what’s happening this year?

First Direct Update

Earlier in the week I talked about my concerns with First Direct’s new password policy. I got an email from them about this, but it really wasn’t very reassuring.

But I kept digging. And on Thursday I got a bit more information from “^GD” on the @firstdirecthelp twitter account. It still doesn’t answer all of my questions, but I think we’re a lot closer to the truth. Here’s what I was told.

The obvious question that this raises is why, then, do they limit the length of the passwords. I asked and got this (three-tweet) reply.

To which, I replied

And got the response

I thought that “as a business we are satisfied” rather missed the point. And told them so.

I got no response to that. And @brunns got no response when he tried to push them for more details about how the passwords are stored.

So, to summarise what we know.

  • First Direct say they store the passwords “encrypted”, but it’s unclear exactly what that means
  • It was a business decision to limit the length of the passwords, but we don’t know why that was considered a good idea
  • It still appears that First Direct believe that security by obscurity is an important part of their security policy

I haven’t really been reassured by this interaction with First Direct. I felt that the first customer support agent I talked to tried to fob me off with glib truisms, but “^GD” tried to actually get answers to my questions – although his obvious lack of knowledge in this area meant that I didn’t really get the detailed answers that I wanted.

I’m not sure that there’s anything to be achieved by pushing this any further.

First Direct Passwords

I’ve been a happy customer of First Direct since a month or so after they opened, almost twenty-five years ago.

One of the things I really liked about them was that they hadn’t followed other banks down the route of insisting that you carried a new code-generating dongle around so that you can log into their online banking. But, of course, it was only a matter of time before that changed.

A couple of weeks ago I got a message from them telling me that Secure Key was on its way. And yesterday when I logged on to my account I was prompted to choose the flavour of secure key that I wanted to use. To be fair to them they have chosen a particularly non-intrusive implementation. Each customer gets three options:

  1. The traditional small dongle to carry around with you
  2. An extension to their smartphone app
  3. No secure key at all

If you choose the final option then you only get restricted (basically read-only) access to your account through their web site. And if you choose one of the first two options, you can always log on without the secure key and get the same restricted access.

I chose the smartphone option. I already use their Android app and I pretty much always have my phone with me.

Usually when you log on to First Direct’s online banking you’re asked for three random characters from your password. Under the new system, that changes. I now need to log on to my smartphone app and that will give me a code to input into the web site. But to get into the smartphone app, I don’t use the old three character login. No, I needed to set up a new Digital Secure Password – which I can use for all of my interactions in this brave new world.

And that’s where I think First Direct have slipped up a bit.

When they asked me for my new password, they told me that it needed to be between 6 and 10 characters long.

Those of you with any knowledge of computer security will understand why that worries me. For those who don’t, here’s a brief explanation.

Somewhere in First Direct’s systems is a database that stores details of their customers. There will be a table containing users which has a row of data for each person who logs in to the service. That row will contain information like the user’s name, login name, email address and (crucially) password. So when someone tries to log in, the system finds the right row of data (based on the login name) and compares the password in that row with the password that has been entered on the login screen. If the two match then the person is let into the system.

Whenever you have a database table, you have to worry about what would happen if someone managed to get hold of the contents of that table. Clearly it would be a disaster if someone got hold of this table of user data – as they would then have access to the usernames and passwords of all of the bank’s users.

So, to prevent this being a problem, most rational database administrators will encrypt any passwords stored in database tables. And they will encrypt them in such a way that it is impossible (ok, that’s overstating the case a bit – but certainly really really difficult) to decrypt the data to get the passwords back. They will probably use something called a “one-way hash” to do this (if you’re wondering how you check a password when it’s encrypted like this then I explain that here).

And these one-way hashes have an interesting property. No matter how long the input string is, the hashed value you get out at the other end is the same length. For example, if you’re using a hashing algorithm called MD5, every hash you get out will be thirty-two characters long.

Therefore, if you’re using a hashing algorithm to protect your users’ passwords, it doesn’t matter how long the password is. Because the hashed version will always be the same length. You should therefore encourage your users to make their passwords as long as they want. You shouldn’t be imposing artificial length restrictions on them.

And that’s why people who know about computer security will have all shared my concerns when I said that First Direct imposed a length restriction on these new passwords. The most common reason for a maximum length on a password is that the company is storing passwords as plain text in the database. With all the attendant problems that will cause if someone gets hold of the data.

I’m not saying for sure that First Direct are doing that. I’m just saying that it’s a possibility and one that is very worrying. If that’s not the case I’d like to know what other reason they have for limiting the password’s length like this.
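To make the hash-and-compare flow described above concrete, here is an added example (not First Direct’s code, and not from the original post). It uses a salted PBKDF2-HMAC-SHA256 hash rather than the MD5 mentioned above, with a constructed in-memory dictionary standing in for the users table, and shows that a 6-character and a 200-character password produce stored values of exactly the same length, so hashed storage gives no reason to cap password length.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "users" table the post describes: one row per
# login, keyed by login name. Nothing here is real customer data.
USERS = {}

# Assumption: a modest work factor so the example runs quickly; a production
# system would choose a higher iteration count.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a salted PBKDF2-HMAC-SHA256 hash as 'salthex$digesthex'.

    The digest is always 32 bytes (64 hex characters) however long the input
    is, which is the one-way-hash property the post relies on: the stored
    value has a fixed size, so password length costs the database nothing.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt.hex() + "$" + digest.hex()


def register(login, password):
    """Store only the salted hash in the user's row, never the password."""
    USERS[login] = {"login": login, "password": hash_password(password)}


def verify(login, candidate):
    """Find the user's row and compare hashes, as the post describes.

    The candidate is hashed with the stored salt and compared in constant
    time; the original password is never recovered from the row.
    """
    row = USERS.get(login)
    if row is None:
        return False
    salt_hex, stored_hex = row["password"].split("$")
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed.split("$")[1], stored_hex)


def stored_length(login):
    """Length of what actually sits in the password column for this user."""
    return len(USERS[login]["password"])


def hashed_lengths(passwords):
    """Set of stored-value lengths for a list of passwords (expect one size)."""
    return {len(hash_password(p)) for p in passwords}


if __name__ == "__main__":
    register("alice", "short1")       # a 6-character password
    register("bob", "b" * 200)        # a 200-character password
    print("alice row length:", stored_length("alice"))
    print("bob row length:  ", stored_length("bob"))
    print("alice logs in:", verify("alice", "short1"))
    print("wrong password:", verify("alice", "short2"))
```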

I’ve sent them a message asking for clarification. I’ll update this post with any response that I get.

Update (17 July): I got a reply from First Direct. This is what they said.

Thank you for your message dated 16-Jul-2014 regarding the security of your password for your Digital Secure Key.

Ensuring the security of our systems is, and will continue to be, our number one priority.

All the details that are sent to and from the system are encrypted using high encryption levels. As long as you keep your password secret, we can assure you that the system is secure. As you will appreciate, we cannot provide further details about the security measures used by Internet Banking, as we must protect the integrity of the system.

Our customers also have a responsibility to ensure that they protect their computers by following our common-sense recommendations. Further information can be found by selecting ‘security’ from the bottom menu on our website, www.firstdirect.com

Please let us know if you have any further questions, and we’ll be happy to discuss.

Which isn’t very helpful and doesn’t address my question. I’ve tried explaining it to them again.

Sky Broadband Update

It’s probably time for an update on my Sky Broadband situation.

I last wrote about Sky on 16th April. That was the date of their second failed attempt to connect me to their broadband. It was the date that I decided to cancel my order and go elsewhere.

First the good news. I was considering alternative providers. I called Virgin Media and they told me that I could have a 50 Mb fibre connection for an extra £2 a month over what I already paid them for my TV and phone package. And, as a bonus, they could do it within a week – still five days earlier than Sky had scheduled their third attempt at connecting me. I ordered it, they came round on the promised day and everything works fine. Very happy with them.

This then left me trying to cancel my Sky order. This was slightly complicated by the fact that Sky had successfully connected my phone line[1] and also the fact that this phone line is used for monitoring my ADT burglar alarm. I didn’t want to cancel the phone line until ADT had moved the alarm monitoring to the Virgin Media line. I explained all this to Sky and they seemed to understand.

A chap called Andy in Sky’s customer service took it upon himself to take on the project. He took to phoning me weekly to ask me what was going on with ADT. To be honest, I got a bit lazy and it took me a while to get in touch with them.

Then my hand was forced. In the middle of May, some error lights on the burglar alarm started flashing. I called ADT to see what the problem was and they told me that it looked like the phone line was dead. I plugged a phone into the line and was able to confirm this. The phone line had been disconnected – despite my explicit instructions about not doing that until I asked for it.

I was a bit stuck. Calling Sky’s customer support from a non-Sky phone line is very expensive. And the only Sky line I had was dead. I tried their online chat facility, but the people you get on that are absolutely useless. Luckily Andy was due to call me for a progress update the following day, so I decided to wait for that.

When Andy called, I asked why they had disconnected the phone. He said that they hadn’t. He ran a few line checks and discovered a fault on the line. He offered to send an engineer to fix it. I told him not to bother and to go ahead with the cancellation. He told me that there was some problem with their systems that prevented him cancelling the contract right away but that he had reported the bug and would let me know when it was fixed.

Time passed.

Earlier this week, I wondered idly what was going on so I sent them an email asking for a progress report. A woman called and told me that my records said that someone (Andy, I assume) had been checking into my account daily and leaving notes explaining why he still couldn’t close the account.

The following day, I got a call from Andy (I’m sure it was pure coincidence that this was the day after I had chased them). He told me that the bug had been fixed and asked me to confirm that I still wanted to cancel the account. I told him that I did and he started the process. He warned me that I would receive a few automated emails.

Within half an hour I got the first email, telling me that my services would be cancelled on Thursday 6th June. Hooray. But that wasn’t the end of the story.

The following day, I got another (presumably automatic) email offering me twelve months of free line rental if I changed my mind. Then I got the same message by text. And today I’ve got a missed call from a number which Google tells me is Sky’s customer retention department. They certainly seem keen to keep me. It’s a shame they didn’t put so much effort in back in April when they might have been able to salvage something from the disaster.

Oh, and I’ve received a bill. They want to charge me a month’s line rental for the phone line. A phone line that only ever really existed to serve a broadband connection that they weren’t able to provide. A phone line that I’ve used to make one call – the call to Sky customer services on 16th April when I first told them to cancel my order.

I’ve cancelled the old Be Broadband direct debit that they were planning to use to take the money. I’m amazed that they wouldn’t just waive those charges.

So, two months on I’m still (to some extent) a Sky customer. But the end is (hopefully) in sight.

Oh, and throughout all of this, the @SkyHelpTeam Twitter account has been a source of much amusement. They reply to every mention, but haven’t got a clue what is going on. They use a social media customer tracker called Lithium. But they must have it configured wrong because each conversation starts with them knowing no history of this problem at all. And, having watched the product video, that’s exactly what Lithium is for.

Throughout this whole affair, all of Sky’s customer service people (with about two exceptions) have shown themselves to be rubbish at their job.

[1] You’ll have noticed, no doubt, that we had two phone lines. The home phone (along with our TV) has been provided by Virgin Media for years. I also had another phone line for the broadband. I had this on a separate contract because it had been paid for through the limited company that I use for contracting.

National Rail Travel Alert

This is the text of a National Rail travel alert email that I received this morning.

Problems have been reported which may affect your journey between Balham (BAL) and Shepherd’s Bush (SPB)

More details of this disruption can be found here: http://nationalrail.co.uk/service_disruptions/76437.aspx

To see how this disruption affects your journey and to get alternative options planned for you, please use the Online Journey Planner

Alternatively, for up to date information for your station, use the Live Departure Boards.

Prefer to get in touch by phone? Call TrainTracker on 0871 200 49 50 (10p per min, mobiles higher) or text your journey details to 84950 to use TrainTracker Text

You can manage your alerts by visiting: http://ojp.nationalrail.co.uk/personal/member/myAccount

Don’t forget, you can also follow us on Twitter or Find us on Facebook for the latest rail travel news

Please do not reply to this email as it is sent from an unmonitored address. If you need to contact us, you can do so here: http://nationalrail.co.uk/feedback

Can you spot the obvious idiocy here?

It’s an HTML email. That’s obvious from the links that appear in it. Links to things like the Online Journey Planner and the Live Departure Boards. But there are a couple of links that are written as plain text URLs – ones that you can’t just click on. And one of them is the most important link in the email – the link to the full information about the problems.

In order to read whatever is on the other end of that link, you’d need to copy it and paste it into the location bar in your browser. That’s simple enough, of course, on a desktop computer. But surely one of the important use cases for these alerts is people standing on a platform trying to work out what’s going on with their train – in which case they’d almost certainly be using a smartphone. And copy and paste isn’t the easiest of things to do on a smartphone.

Someone in the National Rail Travel Alerts department is more than a little confused about how URLs in email work.

Free Web Advice: Marvel

It’s been a few years since I wrote a “free web advice” piece, but I got really annoyed by the Marvel web site this morning.

About a year ago I subscribed to Marvel Unlimited – a plan that gave me access to all of Marvel’s digital comics for about £40 a year. This morning, I got an email from them saying that my subscription was about to be renewed but that my credit card had expired so I should log on to my account and update my credit card details.

I went to log on and found that I had forgotten my password. So I used the “forgotten password” link expecting to get an email containing a link I could use to reset my password. Instead, I got an email that contained both my username and my password in plain text. If Marvel are able to send my password to me, then they must be storing everyone’s password in a readable format. It’s astonishing that a company the size of Marvel don’t understand just what an incredibly stupid idea that is. And sending both my username and password in the same email just compounds their error.

So that’s strike one – storing plain text passwords.

Having recovered my password, I was able to log on and found the page where I could give them my credit card details. But it looked like this:

Marvel Credit Card Maintenance Page

If you look closely, you’ll see that three fields – credit card type, expiration date and country – have captions, but no way to enter the required data. I’ve tried this page in both Firefox and Chrome and get the same results in both. I expect I’ll have to dig out a PC running Windows and try it on Internet Explorer as well.

I didn’t actually notice the missing fields at first. I just filled in the fields I could see and submitted the form. At that point I got an error pointing out what was missing. It’s interesting to note that the credit card type isn’t marked as required on the form (there’s no red asterisk next to it) but the error I got complained that it wasn’t filled in.

So that’s strikes two and three.
Strike two – always ensure that your web pages work on all the popular browsers.
Strike three – always mark your required data inputs accurately.

At that point I gave up trying to give money to Marvel. I poked around the site for a while to find a contact form. When I found it, it had the same problems as the credit card form – most of the input fields didn’t appear. Luckily, the contact page also gave an email address (that’s a really good idea that most web sites don’t follow). So I used that to report the problems. I’ll update this post if I get a response.

Interestingly, on my account page I was also given the option to upgrade my account. Apparently Marvel and I disagree on the meaning of the word “unlimited”. It’s not clear to me what extra benefits I could expect.

Update (four months later): Somehow, Marvel managed to renew my subscription, even though I never managed to update my credit card details. But bizarrely, this evening (over four months after writing to them) I got a reply from Marvel’s customer support. It said this:

Thank you for contacting Marvel’s Online Support services. We apologize for the delay in getting back to you. We see that you were able to renew your subscription, after contacting us. If you have any further questions, please do not hesitate to contact us. Thanks again for contacting Marvel.

Four months to reply to a simple customer support message must be some kind of record.