June 2006 Archives

Blog aggregators are the latest thing. Well, ok, they aren't really the latest thing - but they're starting to become popular. And tools like Plagger make it easy to set up an aggregator. Actually, that's not true either as the documentation for Plagger is shocking and you often end up reading the source code.

But anyway, the point of this post is that there are a lot of aggregators out there. And this blog is appearing on quite a few. The interesting thing about aggregators is that it's a good way to find other blogs that write about similar subjects.

So if you're interested, here are the aggregators that this blog currently appears on:

And my use.perl Journal is aggregated into Planet Perl.

Banana Jr. 6000


Fans of Bloom County (and is there anyone who isn't a fan of Bloom County?) will enjoy these photos of a Banana Jr. 6000.

An interesting article in today's Independent (read it quickly before the paywall drops into place) about the gradual erosion of civil liberties by Blair's government.

In another example of the Government's draconian stance on political protest, Steven Jago, 36, a management accountant, yesterday became the latest person to be charged under the Serious Organised Crime and Police Act.

On 18 June, Mr Jago carried a placard in Whitehall bearing the George Orwell quote: "In a time of universal deceit, telling the truth is a revolutionary act." In his possession, he had several copies of an article in the American magazine Vanity Fair headlined "Blair's Big Brother Legacy", which were confiscated by the police. "The implication that I read from this statement at the time was that I was being accused of handing out subversive material," said Mr Jago. Yesterday, the author, Henry Porter, the magazine's London editor, wrote to Sir Ian Blair, the Metropolitan Police Commissioner, expressing concern that the freedom of the press would be severely curtailed if such articles were used in evidence under the Act.

Mr Porter said: "The police told Mr Jago this was 'politically motivated' material, and suggested it was evidence of his desire to break the law. I therefore seek your assurance that possession of Vanity Fair within a designated area is not regarded as 'politically motivated' and evidence of conscious law-breaking."

Scotland Yard has declined to comment.

The main part of the article (which I haven't quoted from for fear of Special Branch banging down my door) is the Vanity Fair article in question. Once the Indy's paywall has dropped, you may still be able to read it on the Vanity Fair web site.

I was in a meeting just before lunch and I passed the time by trying to remember the Litany Against Meetings. Of course, Google found the full text easily.

I must not attend meetings.
Meetings are the mind killer.
Meetings are the little-death that brings total obliteration.
I will face my meeting.
I will permit it to pass over me and through me.
And when it has gone past I will turn the inner eye to see its path.
Where the wasted time has gone there will be nothing.
Only I will remain.

With apologies to Frank Herbert and thanks to the denizens of the #perl IRC channel which is where I first heard it.

Old Git


My stepdaughter's boyfriend is in a band called Toybox (they're on My Space too). They're playing a gig in London on Saturday and somehow we've been roped into going along and giving support. On one hand, I'm quite looking forward to it. It's been far too long since I saw any live music. But on the other hand I'm slightly worried that I'll be twice as old as anyone else there.

It's at the G-Lounge in Camden if you're interested in joining us.

IRS Refund


You know, it's really nice that the IRS are trying so hard to get in touch with me in order to refund this $63.80 that they claim to owe me. But I can't help thinking that they should probably check their records a bit more closely because, as far as I can recall, I've never paid any tax in the US.

And why are they asking me to submit my claim via a web server based in Korea?

Dave 2.0


Yesterday I wrote my first Ajax program (it's for a client and on their intranet, so I can't link to it). So that's another buzzword to put on the CV.

I couldn't have done it without Ajax Hacks (which I read on Safari).

Is anyone taking bets on when Tony Blair will go? Here's my prediction.

If left to decide the date for himself then Tony Blair will resign on or soon after Wednesday 19th November 2008.

Why that date? On that date he equals the amount of time that Margaret Thatcher was PM.

p.s. I've just noticed that the Wikipedia description of the last Francis Urquhart story includes this point:

His popularity is at its lowest, as many feel that he has outstayed his welcome, yet he remains in power simply because he wishes to beat Margaret Thatcher's record

Dodgy Neighbours


Looks like the police have closed a brothel that was based in a flat on my road. Amazing how little you can know about your own neighbourhood.

Of course I don't expect PC World staff to be able to answer any of my questions about the Linux compatibility of the products they sell. I just ask them as a bit of sport and in the vain hope that they might be reporting back to head office about the level of interest that Linux gets.

However I was very surprised this lunchtime to find someone who had never heard of Linux. Is it really possible to be interested enough in computers to work in a computer shop and to have never even heard of Linux? Apparently it is.

Stonehenge


To celebrate the Summer Solstice here's a link to Stonehenge on Google Maps. Note that Google have their own idea of where Stonehenge is and seem to have missed the large stone circle a small distance to the east.

Stop Saying "Like"


[Image: stop-saying-like.jpg]

(via NeatORama)

Oh. And here's another one.

CSS Errors


More and more people are designing their web sites using CSS. And that's obviously a good thing. If you don't know why that's a good thing and you're designing a web site then I suggest you quickly buy and read a copy of Designing with Web Standards[1].

But the problem is that many people don't know CSS all that well. And therefore they make mistakes. So here's a nice little tip for you. The Javascript Console in recent versions of Firefox will show you any errors it encounters whilst parsing your CSS (as well as any Javascript errors in your page - which is its main function). So before you unleash your latest HTML and CSS masterpiece on the internet, why not take a few minutes to open the page in Firefox (well, you do most of your development in Firefox anyway, don't you?), bring up the Javascript Console (it's on the 'Tools' menu) and see if you get any CSS (or Javascript) errors. If you do, then take the time to fix them - thereby doing your bit towards making the world wide web a nicer (and more standards-compliant) place.

[1] Bugger. I've just seen that the second edition is imminent. There goes another twenty quid!

Spoilers


I'm not as bothered by spoilers as many people that I know. I don't turn over quickly to avoid the "coming next week" clips at the end of TV programmes.

But I do think that the Doctor Who spoilers that have been all over my usual newsfeeds this morning are taking things a bit too far. I really didn't need to know what happens at the end of this season in as much detail as I now do.

Now I'm all grumpy.

I've just found two more web companies that don't know how to handle passwords. And one of them was a company who I had a lot of respect for.

Fotango are closing down their photo service. So that their users weren't left stranded by this, they set up a deal with Photobox whereby Fotango customers would get a Photobox account and all of their photos would be transferred over for them.

I don't have any photos on my Fotango account (I'd actually forgotten that I had a Fotango account) but Photobox are offering 30 free prints, so I thought I'd go through the process anyway. The transfer seemed pretty painless and I was left looking at the Photobox web site. I was logged on, but I requested my password anyway as I couldn't remember the password I'd used when I set up the Fotango account.

Seconds later my password arrived in my inbox. And I really mean my password. Not a new randomly generated password or a link to change my password. My real password. In plain text.

So this means:

1/ Fotango have been storing my password in plain text.
2/ Fotango transferred my password to Photobox in plain text.
3/ Photobox are continuing to store my password in plain text.
4/ Photobox are happy to send my password to me in email in plain text.

Am I completely out of step with the rest of the internet here? Do most people not care that passwords are stored in plain text and sent around the internet without the most basic of security precautions? Ok, I know it's only a few photos, but if people are used to this level of insecurity then they won't expect it when it's important - like online banking.

I've changed my Photobox password. But the change didn't even go across an SSL connection!

World Cup


There seems to be some kind of football competition going on...

Ok. I'm determined not to spend the next month complaining about the World Cup. I'm going to do my best to just ignore it whenever possible. And this is actually going to be a positive post about the World Cup.

You see, it all looks very depressing when you see the wall-to-wall tv coverage and the jingoistic tabloid coverage, but until Saturday I'd forgotten the best thing about the World Cup - empty streets.

I was out in Balham on Saturday afternoon and there were probably a quarter of the normal number of people that you'd expect to see at that time. It was great. I blew it slightly by walking home during half time. There are bars on both sides of the road at the end of my road and at half time people were grabbing a bit of fresh air and both pavements were packed with people and getting past them wasn't easy. But that was a small price to pay.

I understand that the next England game is at 5pm on Thursday. I'm looking forward to an extremely pleasant tube journey home.

Simple Pleasures


Over the last few weeks we've been gardening. Well, when I say "gardening", I mean "razing to ground and rebuilding from scratch". Some of you will realise that the outdoors is not my natural habitat and manual labour is not my first choice of ways to spend the weekend.

However, it had to be done and it's (finally) very nearly finished. We had one major problem left yesterday - the huge pile of jungle that we had removed in order to replace it with low-maintenance gravel. I started cutting it up and putting it in bags, but it soon became obvious that this a) would take several hours and b) was no fun. So we switched to plan B. We burnt it.

Bonfires fun. Fire good.

Whilst I'm on a digital music roll, it's worth also mentioning that the BPI chairman, Peter Jamieson, has said that the BPI won't press for prosecution of users who make digital copies for use on portable players of music that they own. The BBC report is here and the BPI's version is here. Jamieson was speaking to the House of Commons Select Committee for Culture, Media & Sport inquiry into New Media and the Creative Industries.

BPI Chairman Peter Jamieson was quizzed on the fact that the “all rights reserved” nature of British copyright law means that - without specific authorisation - any UK consumer who rips CDs they have bought in order to fill an iPod or other MP3 player is currently guilty of copyright infringement.

“Traditionally the recording industry has turned a blind eye to private copying and has used the strength of the law to pursue commercial pirates,” he said.

“We believe that we now need to make a clear and public distinction between copying for your own use and copying for dissemination to third parties and make it unequivocally clear to the consumer that if they copy their CDs for their own private use in order to move the music from format to format we will not pursue them.”

Notice what he has said though. Some media are reporting this as "copying music for personal use is not illegal". Jamieson was very careful not to say that. He is saying that the BPI will not prosecute people who make copies for personal use. Not that they couldn't if they wanted to. Just that they won't. Under a strict reading of the law, making these copies is copyright infringement.

Flickr Spam


I got my first Flickr spam today. It was some religious nutter telling me all about their imaginary friend. The account that it came from has no photos, no contacts and no information in the profile. I've blocked the user, but I know they'll just create new accounts.

I really hope that Flickr stamp on this quickly. Orkut became unusable very soon after the spammers found it. I hope Flickr doesn't go the same way.

Update: Here's the response I got from Flickr.

We've received multiple complaints about this member. We've scrubbed the Flickrverse of the spam and deactivated the account.

Whilst most of the attention is on the BPI's attack on All Of MP3, another MP3 download site quietly died yesterday.

Karma Download is currently showing a page which says that it's "temporarily suspended", but I hear that it's very unlikely to return.

That's a real shame. Like All Of MP3, Karma Download sold its music without any DRM. You were free to play the files wherever you wanted.

Of course, I'm slightly biased here as in early 2004 I wrote the backend of the site and it's a project I'm really proud of. In a couple of months I took a prototype that was written in a very nasty selection of technologies (Cold Fusion, Access, IIS, Windows) and rewrote it using sensible technologies (Perl, MySQL, Apache, OSX - the last one wasn't my choice!)

The places where you can legally buy digital music files without DRM are shrinking fast. It's no wonder that people are drawn to places of dubious legality (like All Of MP3) or illegal file-swapping networks.

Oops. Looks like the BPI has started taking an interest in AllOfMP3.

Better spend all the credit in my account as soon as possible.

Last night I watched God's Next Army a Channel 4 programme about Patrick Henry College. PHC is a christian evangelist college which takes largely home-schooled teenagers from religious communities and turns them into people who they believe will be at the forefront of the fight to "re-christianise" the USA.

It was all very worrying. These students had obviously been brought up to believe that the modern world is their enemy and that they should do everything in their power to return the US to an earlier, simpler and more superstitious time. And the scariest thing was that they were getting there. These kids are apparently very popular as aides for Republican politicians working in Washington. For example, one sequence showed a group of students lobbying congress members about an inheritance tax because its terms seemed to go against the bible.

The US has one major advantage over the UK in that its constitution guarantees the separation of church and state. The teachers and students of PHC are doing all they can to ensure that that has as little effect as possible.

The nice people at GLLUG (the Greater London Linux User Group) have invited me to speak at their meeting on July 24th. I'll be giving a slightly revised version of the "What's Wrong with ORM" talk that I gave to london.pm in March.

The meeting is free and there are a couple of other (far more interesting sounding) speakers.

The All Party Internet Group of MPs has been looking at DRM and has now announced its results. Their main recommendation is that all digital content should be clearly labelled with details of what you can and can't do with it.

I think this is a great idea. Record companies have been slowly introducing DRM by adding it to products without really making people aware of it[1]. That way, they hope that people don't become aware of what rights they have lost until it's too late. I've learnt to be careful and not to buy copy protected CDs, but many people don't check (and even I've been burnt a couple of times when buying CDs over the internet). If CDs and downloads were clearly labelled with a list of things that you can't do with them, then hopefully that will make the issues surrounding DRM more public.

The BBC story about this has a nice quote from Suw Charman (the executive director of the Open Rights Group). She says:

We think people rightly feel that once they buy something, it stays bought

Update: Full details of the report are here.

And here are some of the suggestions for labels:

  • You are not permitted to make any copies of this CD for any reason and if you try to make a copy, you should note that we have tried very hard to ensure that you will fail
  • This CD may not play in all devices
  • If your current player device breaks or is stolen this content may become inaccessible
  • Moving this content to a new device will not be possible if we cease supporting this platform or go out of business
  • You cannot access some parts of this DVD without a working Internet connection to enable us to record your identity
  • Your playing of this song may be recorded in marketing databases in foreign countries

[1] Bad publicity like the Sony Rootkit disaster is still rare.

Typepad Update


As I mentioned yesterday I raised a bug report against Typepad because of its insecure password handling. This is the response that was waiting for me this morning.

Thank you for your feedback on this. We will keep this in mind for future updates to the system.

While we cannot share specific technical details on how user information is stored in TypePad, it is stored securely. The email you received is not an indicator of how this information is protected.

Please let us know if you have any other questions.

That clearly comes from someone who doesn't really understand the problems. Notice how she tried to reassure me that my password is stored securely despite all appearances to the contrary. I don't believe a word of it. If my password is stored securely then it should be impossible for Typepad to send it to me, as it should be impossible for anyone in Typepad to find out what it is.

I'll press on.

It's six months since I wrote my rant on password handling and, of course, there are still companies out there who don't seem to care about handling customers' passwords with respect. Today I was surprised to find that Six Apart were one of the worst offenders.

Following on from my earlier post I had a quick look at Type Pad. When trying to register, I discovered that I had already registered but that I had forgotten my password (actually, I had forgotten that I had registered!) So I clicked the "I forgot my password" link, entered my email address and waited for the email.

Moments later, the email appeared. I was stunned to find that it included not only my password and my username, but also a link to log into Type Pad. Thereby ensuring that anyone who intercepted that email would have all of the information required to log on and use my Type Pad account.

Six Apart are breaking a number of fundamental principles here.

Firstly they are storing customers' passwords in their database in plain text. This means that anyone who gains access to that database can read anyone's password.

Then, when asked for a password, they just send it to the user. They should be sending a time-limited link to a URL that the user can use to change the password.

Then, they are unnecessarily sending the username in the same email. Like the Queen and the Prince of Wales, usernames and passwords should never travel together.

And finally, just in case anyone who intercepts the email isn't sure which system they've just been handed a login to - they also include a link to the login page on their site.

I realise that people's blogs don't need the same level of security as a banking system. But it's the principle of the thing. They should be taking more care of your password. Every web site should be taking care of its users' passwords. It's a matter of respect.

Try this experiment. Click the "I forgot my password" link on three or four of the web sites that you are registered with. See how many of them send back your password in plain text. I bet it's a lot. Write an email complaining if they do.

I've raised a bug report against Type Pad. I'll let you know what happens.

p.s. Incidentally, someone in Six Apart must know the right way to handle passwords. The passwords in the Movable Type database are all encrypted. But that requirement was obviously dropped when they were writing the specifications for Type Pad.
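Both the Photobox post and this one come down to the same three rules: store only a salted hash so that nobody (the site included) can recover the password, answer "I forgot my password" with a time-limited, single-use link rather than the password, and keep the username out of that email. The following is an added example of those rules in Python, written for this page; it is not Six Apart's, Fotango's or Photobox's code. The user table, token table and mailer are in-memory stand-ins, the `example.invalid` host in the link is a placeholder, and it goes one step beyond the posts by storing only a hash of the reset token, so that a copy of the token table is as useless as a copy of the password table.

```python
"""Password storage and reset handling that cannot leak the password.

Added example, not the code of any site named in the post. The stores
and the mailer are in-memory stand-ins so the module runs offline."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 600_000      # work factor; raise it as hardware gets faster
RESET_TOKEN_TTL = 30 * 60    # a reset link stops working after 30 minutes

users = {}          # email -> {"salt": bytes, "hash": bytes}; no password field
reset_tokens = {}   # sha256(token) -> {"email": str, "expires": float}
outbox = []         # (recipient, message body), standing in for an SMTP mailer


def _derive(password, salt):
    """Salted, slow hash. This is the only form a password ever takes at rest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(email, password):
    salt = os.urandom(16)
    users[email] = {"salt": salt, "hash": _derive(password, salt)}


def verify_login(email, password):
    rec = users.get(email)
    if rec is None:
        _derive(password, b"\0" * 16)   # same cost for unknown accounts
        return False
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))


def request_reset(email, now=None):
    """Send a one-time link. The password is not known and the username is not
    included; the email address the message goes to is the only account hint."""
    now = time.time() if now is None else now
    if email not in users:
        return   # identical outward behaviour, so the form cannot enumerate users
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token: the table on disk cannot be replayed.
    key = hashlib.sha256(token.encode()).hexdigest()
    reset_tokens[key] = {"email": email, "expires": now + RESET_TOKEN_TTL}
    # Placeholder host; the link is the entire content of the message.
    outbox.append((email, "https://example.invalid/reset/" + token))


def complete_reset(token, new_password, now=None):
    """Consume the token (single use), reject it if expired, then re-hash."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    rec = reset_tokens.pop(key, None)
    if rec is None or now > rec["expires"]:
        return False
    register(rec["email"], new_password)
    return True


if __name__ == "__main__":
    register("alice@example.invalid", "correct horse")
    request_reset("alice@example.invalid")
    link = outbox[-1][1]
    print("mail body:", link)                      # no password, no username
    print("stored record:", users["alice@example.invalid"])   # salt and hash only
    assert complete_reset(link.rsplit("/", 1)[1], "new pw")
    print("new password works:", verify_login("alice@example.invalid", "new pw"))
```

The point the Typepad reply missed is visible in `users`: with only a salt and a PBKDF2 hash on file, no `send_password_email` function could be written even by someone with full database access, which is exactly the property the post asks for. The PBKDF2 round count is the current OWASP figure for SHA-256 and makes each check take a noticeable fraction of a second on purpose.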

Moving Elsewhere


I've been running the blog here for almost four years, but the recent spate of comment spam has made me reconsider my options. The comment spam seems to be under control for the time being, but I know it's only a matter of time before it comes back again.

So I'm thinking that maybe I should consider a hosted blog. Let someone else's servers take the brunt of the comment spam. I might even be able to turn trackbacks back on.

Hosting my own blog has obvious advantages. I have complete control over how the blog looks (yes, I take complete responsibility for the crap design) and I can even dig into the raw database if the need ever arises (which, to be honest, it rarely does). But not having my server brought down every few days by what effectively amounts to a denial of service attack would massively outweigh those considerations.

There are a number of hosted blog systems to choose from. Maybe it makes sense for me to use something from Six Apart as their systems are likely to be closest to the Movable Type system that I'm used to.

So that gives me Live Journal and Typepad to look at (actually, I've tried Live Journal before and didn't really like it). And I understand that their new system Vox might well launch today - so that's something else to investigate.

There are also other systems like Blogger and Yahoo! 360 or even MSN Spaces and My Space.

So what am I looking for? Easily configurable templates for the appearance of the blog. The ability to incorporate external RSS feeds and things like my Flickr and Technorati links. It would be nice if I could import all of the (1000+) entries from this blog so that the blog history is in the same place as the new entries (and, of course, the ability to export all of the entries for when I decide to move elsewhere later). Free would be good, but I don't mind paying a few quid every month.

If anyone has experience of using a hosted blog service and has any opinions, then I'd love to hear them.

About this Archive

This page is an archive of entries from June 2006 listed from newest to oldest.

Powered by Movable Type 4.21-en