Financial Account Aggregation

Three years ago, I wrote a blog post entitled Internet Security Rule One about the stupidity of sharing your passwords with anyone. I finished that post with a joke.

Look, I’ll tell you what. I’ve got a really good idea for an add-on for your online banking service. Just leave the login details in a comment below and I’ll set it up for you.

It was a joke because it was obviously ridiculous. No-one would possibly think it was a good idea to share their banking password with anyone else.

I should know not to make assumptions like that.

Yesterday I was made aware of a service called Money Dashboard. Money Dashboard aggregates all of your financial accounts so that you can see them all in one convenient place. They can then generate all sorts of interesting reports about where your money is going and can probably make intelligent suggestions about things you can do to improve your financial situation. It sounds like a great product. I’d love to have access to a system like that.

There’s one major flaw though.

In order to collect the information they need from all of your financial accounts, they need your login details for the various sites that you use. And that’s a violation of the Internet Security Rule One. You should never give your passwords to anyone else – particularly not passwords that are as important as your banking password.

I would have thought that was obvious. But they have 100,000 happy users.

Of course they have a page on their site telling you exactly how securely they store your details. They use “industry-standard security practices”, their application is read-only “which means it cannot be used for withdrawals, payments or to transfer your funds”. They have “selected partners with outstanding reputations and extensive experience in security solutions”. It all sounds lovely. But it really doesn’t mean very much.

It doesn’t mean very much because at the heart of their system, they need to log on to your bank’s web site pretending to be you in order to get hold of your account information. And that means that no matter how securely they store your passwords, at some point they need to be able to retrieve them in plain text so they can use them to log on to your bank’s web site. So there must be code somewhere in their system which punches through all of that security and gets the string “pa$$word”. So in the worst case scenario, if someone compromises their servers they will be able to get access to your passwords.

If that doesn’t convince you, then here’s a simpler reason for not using the service. Sharing your passwords with anyone else is almost certainly a violation of your bank’s terms and conditions. So if someone does get your details from Money Dashboard’s system and uses that information to wreak havoc in your bank account – good luck getting any compensation.

Here, for example, are First Direct’s T&Cs about this (in section 9.1):

You must take all reasonable precautions to keep safe and prevent fraudulent use of any cards, security devices, security details (including PINs, security numbers, passwords or other details including those which allow you to use Internet Banking and Telephone Banking).

These precautions include but are not limited to all of the following, as applicable:


  • not allowing anyone else to have or use your card or PIN or any of our security devices, security details or password(s) (including for Internet Banking and Telephone Banking) and not disclosing them to anyone, including the police, an account aggregation service that is not operated by us

Incidentally, that “not operated by us” is a nice piece of hubris. First Direct run their own account aggregation service which, of course, they trust implicitly. But they can’t possibly trust anybody else’s service.

I started talking about this on Twitter yesterday and I got this response from the @moneydashboard account. It largely ignores the security aspects and concentrates on why you shouldn’t worry about breaking your bank’s T&Cs. They seem to be campaigning to get T&Cs changed to allow explicit exclusions for sharing passwords with account aggregation services.

I think this is entirely wrong-headed. I think there is a better campaign that they should be running.

As I said above, I think that the idea of an account aggregation service is great. I would love to use something like Money Dashboard. But I’m completely unconvinced by their talk of security. They need access to your passwords in plain text. And it doesn’t matter that their application only reads your data. If someone can extract your login details from Money Dashboard’s systems then they can do whatever they want with your money.

So what’s the solution? Well I agree with one thing that Money Dashboard say in their statement:

All that you are sharing with Money Dashboard is data; data which belongs to you. You are the customer, you should be telling the bank what to do, not the other way around!

We should be able to tell our banks to share our data with third parties. But we should be able to do it in a manner that doesn’t entail giving anyone full access to our accounts. The problem is that there is only one level of access to your bank account. If you have the login details then you can do whatever you want. But what if there was a secondary set of access details – ones that could only read from the account?

If you’ve used the web much in recent years, you will have become familiar with this idea. For example, you might have wanted to give a web app access to your Twitter account. During this process you will be shown a screen (which, crucially, is hosted on Twitter’s web site, not the new app) asking if you want to grant rights to this new app. And telling you which rights you are granting (“This app wants to read your tweets.” “This app wants to tweet on your behalf.”) You can decide whether or not to grant that access.

This is called OAuth. And it’s a well-understood protocol. We need something like this for the finance industry. So that I can say to First Direct, “please allow this app to read my account details, but don’t let them change anything”. If we had something like that, then all of these problems would be solved. The Money Dashboard statement points to the Financial Data and Technology Association – perhaps they are the people to push for this change.
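The difference between handing over a password and granting read-only delegated access, as an added example that is not part of the original post and is not any bank's or Money Dashboard's code. It is a toy model of the property OAuth provides, not the OAuth protocol itself; the Bank class, the scope names accounts:read and payments:write and the sample account are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time


class AccessDenied(Exception):
    pass


class Bank:
    """Constructed toy bank: all-or-nothing passwords plus scoped, revocable grants."""

    def __init__(self):
        self._users = {}   # user -> [salt, password hash, balance]
        self._grants = {}  # sha256(token) -> {"user", "client", "scopes", "expires"}

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def open_account(self, user, password, balance):
        salt = secrets.token_bytes(16)
        self._users[user] = [salt, self._kdf(password, salt), balance]

    def _password_ok(self, user, password):
        record = self._users.get(user)
        if record is None:
            return False
        return hmac.compare_digest(record[1], self._kdf(password, record[0]))

    def grant(self, user, password, client, scopes, ttl=3600):
        """Consent step. The customer does this on the bank's own site,
        so the third-party client never sees the password."""
        if not self._password_ok(user, password):
            raise AccessDenied("bad credentials")
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._grants[key] = {"user": user, "client": client,
                             "scopes": frozenset(scopes),
                             "expires": time.time() + ttl}
        return token

    def revoke(self, user, client):
        """Withdraw consent for one client; the customer's password is untouched."""
        self._grants = {k: g for k, g in self._grants.items()
                        if not (g["user"] == user and g["client"] == client)}

    def _authorise(self, user, scope, password, token):
        if password is not None:
            # A password has no scopes: if it is right, every operation is allowed.
            if self._password_ok(user, password):
                return
            raise AccessDenied("bad credentials")
        key = hashlib.sha256((token or "").encode()).hexdigest()
        g = self._grants.get(key)
        if g is None or g["user"] != user or g["expires"] < time.time():
            raise AccessDenied("invalid, expired or revoked token")
        if scope not in g["scopes"]:
            raise AccessDenied("token lacks scope " + scope)

    def balance(self, user, password=None, token=None):
        self._authorise(user, "accounts:read", password, token)
        return self._users[user][2]

    def transfer_out(self, user, amount, password=None, token=None):
        self._authorise(user, "payments:write", password, token)
        self._users[user][2] -= amount
        return self._users[user][2]


def demo():
    bank = Bank()
    bank.open_account("alice", "pa$$word", 1000)  # constructed sample account
    results = {}

    # Model 1: the aggregator stores the password. Anything that can read it
    # back out of the aggregator's systems has the customer's full rights.
    results["password_can_pay"] = bank.transfer_out("alice", 100, password="pa$$word") == 900

    # Model 2: the aggregator holds only a read-scoped token.
    token = bank.grant("alice", "pa$$word", "aggregator", {"accounts:read"})
    results["token_can_read"] = bank.balance("alice", token=token) == 900
    try:
        bank.transfer_out("alice", 100, token=token)
        results["token_can_pay"] = True
    except AccessDenied:
        results["token_can_pay"] = False

    # Consent can be withdrawn without changing the banking password.
    bank.revoke("alice", "aggregator")
    try:
        bank.balance("alice", token=token)
        results["revoked_token_works"] = True
    except AccessDenied:
        results["revoked_token_works"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The bank keeps only a hash of each token, so a copy of its grants table does not yield usable tokens either.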

I know why Money Dashboard are doing what they are doing. And I know they aren’t the only ones doing it (Mint, for example, is a very popular service in the US). And I really, really want what they are offering. But just because a service is a really good idea, shouldn’t mean that you take technical short-cuts to implement it.

I think that the “Financial OAuth” I mentioned above will come about. But the finance industry is really slow to embrace change. Perhaps the Financial Data and Technology Association will drive it. Perhaps one forward-thinking bank will implement it and other banks’ customers will start to demand it.

Another possibility is that someone somewhere will lose a lot of money through sharing their details with a system like this and governments will immediately close them all down until a safer mechanism is in place.

I firmly believe that systems like Money Dashboard are an important part of the future. I just hope that they are implemented more safely than the current generation.


TwittElection at OpenTech

Last Saturday was OpenTech. It was as great as it always is and I’ll write more about what I saw later. But I gave a talk about TwittElection in the afternoon and I thought it might be useful to publish my slides here along with a brief summary of what I said.

  • I started with a couple of screenshots of what TwittElection is. There’s basically a main page which shows how many days are left until the general election and a page for every constituency which has a widget displaying a Twitter list for all of the candidates in that constituency.
  • Why did I do it? Well I love elections. I have vague memories of one (or perhaps both) of the 1974 general elections and I have closely followed every general election since then. In the 90s I was occasionally one of those annoying people who ask you for your voter number as you’re leaving the polling station and in 2005 I worked all night to make sure that the results on the Guardian web site were up to date.
  • I love Twitter too. Who doesn’t?
  • In 2010 I created a site that monitored the candidates in my local constituency. It wasn’t just Twitter (which was far less important back then) but any kind of web feed that they produced. That’s easy enough to do for one constituency, but it’s a bit more of a challenge for 650.
  • The technology for the system was pretty simple. It was the data that was going to be a lot trickier.
  • Just as I was considering the project, Twitter made a couple of changes which made my life substantially easier. Firstly they increased the number of Twitter lists that each user could create from 20 to 1000 (I needed 650). And secondly, they removed the restriction that Twitter list widgets were tightly associated with a specific list. Under the old system, I would have needed to create 650 individual widgets. Under the new system, I could create one widget and pass it a list ID in order to display any of my 650 lists.
  • I wrote the code in Perl. I made a throwaway remark about it being the “programming language of champions”. Someone in the audience tweeted that quote and it’s been retweeted rather a lot.
  • I hosted the site on Github Pages in case it got too popular. This was a ridiculous thing to be worried about.
  • I used Bootstrap (of course) and small amounts of various Javascript libraries.
  • The data was harder. We have 650 constituencies and each one will have about six candidates. That means I’ll be looking for data about something like 4,000 candidates. And there’s no official centralised source for this data.
  • Back in November I asked my Twitter followers if they knew of anyone who was collecting lists of candidates and Sam Smith put me in touch with the Democracy Club.
  • At the time, the Democracy Club were just building a new version of YourNextMP – a crowd-sourced list of candidates. It did all that I needed. Which made me very happy. [Note: My talk followed one from the Democracy Club which went into this in far more detail.]
  • So with data from YNMP and my code, the site was built.
  • And it worked pretty well. There were a few bugs (including one that was pointed out by a previous speaker in the same session) but they all got fixed quickly.
  • I became an expert in Twitter error codes.
  • 403 and 429 are the codes that Twitter returns when you make more API requests than you are allowed to. There are two ways to deal with Twitter’s rate limits. You can keep a careful count of your requests and stop before you hit the limits. Or you can keep going until you get one of these codes back at which point you stop. The second option is far simpler. I took the second option. [Note: At this point I forgot to mention that the rate limits were so, well…, limiting that when I got my first complete data dump from YNMP, it took almost two days to build all of the Twitter lists.]
  • 108 means you’re trying to do something with a user that doesn’t exist. Basically, you’ve got the username wrong. Sometimes this is because there’s a typo in the name that YNMP has been given. Sometimes it’s because the user has changed their Twitter username and YNMP doesn’t know about the change yet. One common cause for the latter is when MPs changed their Twitter usernames to remove “MP” whilst the campaign was in progress and legally, there were no MPs. [Note: One of the YNMP developers spoke to me afterwards and admitted that they should have handled Twitter usernames better – for example, they could have stored the ID (which is invariant) rather than the username (which can change).]
  • Error 106 means that the user has blocked you and therefore you can’t add that user to a Twitter list. This seems like strange behaviour given that candidates are presumably using Twitter to publicise their opinions as widely as possible.
  • The first time I was blocked it was @glenntingle, the UKIP candidate for Norwich North.
  • I wondered why he might be blocking me. A friend pointed out that he might be embarrassed by his following habits. It turned out that of the 700 people he followed on Twitter, all but about a dozen of them were young women posting pictures of themselves wearing very little.
  • There was some discussion of this amongst some of my friends. This was apparently noticed by Mr Tingle who first protected his tweets and then deleted his account.
  • I’m not sure how good I feel about hounding a candidate off of Twitter.
  • Another UKIP candidate, @timscottukip, also blocked me. And I heard of another who was running his account in protected mode.
  • Some users didn’t understand crowd-sourcing. Every constituency page included a link to the associated page on YNMP along with text asking people to submit corrections there. But I still got a lot of tweets pointing out errors in my lists.
  • 72% of candidates were on Twitter.
  • Results by party were mixed. 100% of the SNP candidates were on Twitter, but only 51% of UKIP candidates (or perhaps I couldn’t see the others as they were blocking me!)
  • Was it worth it? Well, only 1000 or so people visited the site over the course of the campaign.
  • I haven’t yet seen if I can get any stats on people using the raw Twitter lists rather than looking at my web site.
  • I need to rip out all of the information that is specific to that particular election and encourage people to use the code for other elections. YNMP is based on software called PopIt and I think my code could be useful wherever that is used.
  • There are 1790 days until the next UK general election (as of Saturday 13th June 2015).

First Direct Update

Earlier in the week I talked about my concerns with First Direct’s new password policy. I got an email from them about this, but it really wasn’t very reassuring.

But I kept digging. And on Thursday I got a bit more information from “^GD” on the @firstdirecthelp twitter account. It still doesn’t answer all of my questions, but I think we’re a lot closer to the truth. Here’s what I was told.

The obvious question that this raises is why, then, do they limit the length of the passwords. I asked and got this (three-tweet) reply.

To which, I replied

And got the response

I thought that “as a business we are satisfied” rather missed the point. And told them so.

I got no response to that. And @brunns got no response when he tried to push them for more details about how the passwords are stored.

So, to summarise what we know.

  • First Direct say they store the passwords “encrypted”, but it’s unclear exactly what that means
  • It was a business decision to limit the length of the passwords, but we don’t know why that was considered a good idea
  • It still appears that First Direct believe that security by obscurity is an important part of their security policy

I haven’t really been reassured by this interaction with First Direct. I felt that the first customer support agent I talked to tried to fob me off with glib truisms, but “^GD” tried to actually get answers to my questions – although his obvious lack of knowledge in this area meant that I didn’t really get the detailed answers that I wanted.

I’m not sure that there’s anything to be achieved by pushing this any further.

First Direct Passwords

I’ve been a happy customer of First Direct since a month or so after they opened, almost twenty-five years ago.

One of the things I really liked about them was that they hadn’t followed other banks down the route of insisting that you carried a new code-generating dongle around so that you can log into their online banking. But, of course, it was only a matter of time before that changed.

A couple of weeks ago I got a message from them telling me that Secure Key was on its way. And yesterday when I logged on to my account I was prompted to choose the flavour of secure key that I wanted to use. To be fair to them they have chosen a particularly non-intrusive implementation. Each customer gets three options:

  1. The traditional small dongle to carry around with you
  2. An extension to their smartphone app
  3. No secure key at all

If you choose the final option then you only get restricted (basically read-only) access to your account through their web site. And if you choose one of the first two options, you can always log on without the secure key and get the same restricted access.

I chose the smartphone option. I already use their Android app and I pretty much always have my phone with me.

Usually when you log on to First Direct’s online banking you’re asked for three random characters from your password. Under the new system, that changes. I now need to log on to my smartphone app and that will give me a code to input into the web site. But to get into the smartphone app, I don’t use the old three character login. No, I needed to set up a new Digital Secure Password – which I can use for all of my interactions in this brave new world.

And that’s where I think First Direct have slipped up a bit.

When they asked me for my new password, they told me that it needed to be between 6 and 10 characters long.

Those of you with any knowledge of computer security will understand why that worries me. For those who don’t, here’s a brief explanation.

Somewhere in First Direct’s systems is a database that stores details of their customers. There will be a table containing users which has a row of data for each person who logs in to the service. That row will contain information like the user’s name, login name, email address and (crucially) password. So when someone tries to log in the system finds the right row of data (based on the login name) and compares the password in that row with the password that has been entered on the login screen. If the two match then the person is let into the system.

Whenever you have a database table, you have to worry about what would happen if someone managed to get hold of the contents of that table. Clearly it would be a disaster if someone got hold of this table of user data – as they would then have access to the usernames and passwords of all of the bank’s users.

So, to prevent this being a problem, most rational database administrators will encrypt any passwords stored in database tables. And they will encrypt them in such a way that it is impossible (ok, that’s overstating the case a bit – but certainly really really difficult) to decrypt the data to get the passwords back. They will probably use something called a “one-way hash” to do this (if you’re wondering how you check a password when it’s encrypted like this then I explain that here).

And these one-way hashes have an interesting property. No matter how long the input string is, the hashed value you get out at the other end is the same length. For example, if you’re using a hashing algorithm called MD5, every hash you get out will be thirty-two characters long.

Therefore, if you’re using a hashing algorithm to protect your users’ passwords, it doesn’t matter how long the password is. Because the hashed version will always be the same length. You should therefore encourage your users to make their passwords as long as they want. You shouldn’t be imposing artificial length restrictions on them.

And that’s why people who know about computer security will have all shared my concerns when I said that First Direct imposed a length restriction on these new passwords. The most common reason for a maximum length on a password is that the company is storing passwords as plain text in the database. With all the attendant problems that will cause if someone gets hold of the data.
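The fixed-length property described above, as an added example and not anything First Direct is known to run. The stored record uses salted PBKDF2-HMAC-SHA256 from Python's standard library (MD5 appears only to reproduce the thirty-two character figure); the iteration count and the sample passwords are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this example


def md5_hex(password):
    """Unsalted MD5, shown only for its fixed 32-character output."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password):
    """Build what a users table row would hold: salt and derived key, no password."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": key.hex()}


def verify(record, candidate):
    """Re-derive the key from the candidate and compare; nothing is decrypted."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                              bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(key, bytes.fromhex(record["hash"]))


def stored_lengths(passwords):
    """Return (password length, MD5 hex length, PBKDF2 hex length) per password."""
    return [(len(p), len(md5_hex(p)), len(make_record(p)["hash"])) for p in passwords]


if __name__ == "__main__":
    # Constructed sample passwords: one inside a 6-10 character cap, two far outside it.
    samples = ["abc123", "correct horse battery staple", "x" * 500]
    for row in stored_lengths(samples):
        print("password chars=%d  md5 hex=%d  pbkdf2 hex=%d" % row)
    record = make_record(samples[1])
    print(verify(record, samples[1]), verify(record, "correct horse"))
```

Because each record gets its own random salt, two customers who pick the same password still end up with different stored values.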

I’m not saying for sure that First Direct are doing that. I’m just saying that it’s a possibility and one that is very worrying. If that’s not the case I’d like to know what other reason they have for limiting the password’s length like this.

I’ve sent them a message asking for clarification. I’ll update this post with any response that I get.

Update (17 July): I got a reply from First Direct. This is what they said.

Thank you for your message dated 16-Jul-2014 regarding the security of your password for your Digital Secure Key.

Ensuring the security of our systems is, and will continue to be, our number one priority.

All the details that are sent to and from the system are encrypted using high encryption levels. As long as you keep your password secret, we can assure you that the system is secure. As you will appreciate, we cannot provide further details about the security measures used by Internet Banking, as we must protect the integrity of the system.

Our customers also have a responsibility to ensure that they protect their computers by following our common-sense recommendations.  Further information can be found by selecting ‘security’ from the bottom menu on our website,

Please let us know if you have any further questions, and we’ll be happy to discuss.

Which isn’t very helpful and doesn’t address my question. I’ve tried explaining it to them again.

National Rail Travel Alert

This is the text of a National Rail travel alert email that I received this morning.

Problems have been reported which may affect your journey between Balham (BAL) and Shepherd’s Bush (SPB)

More details of this disruption can be found here:

To see how this disruption affects your journey and to get alternative options planned for you, please use the Online Journey Planner

Alternatively, for up to date information for your station, use the Live Departure Boards.

Prefer to get in touch by phone? Call TrainTracker on 0871 200 49 50 (10p per min, mobiles higher) or text your journey details to 84950 to use TrainTracker Text

You can manage your alerts by visiting:

Don’t forget, you can also follow us on Twitter or Find us on Facebook for the latest rail travel news

Please do not reply to this email as it is sent from an unmonitored address. If you need to contact us, you can do so here:

Can you spot the obvious idiocy here?

It’s an HTML email. That’s obvious from the links that appear in it. Links to things like the Online Journey Planner and the Live Departure Boards. But there are a couple of links that are written as plain text URLs – ones that you can’t just click on. And one of them is the most important link in the email – the link to the full information about the problems.

In order to read whatever is on the other end of that link, you’d need to copy it and paste it into the location bar in your browser. That’s simple enough, of course, on a desktop computer. But surely one of the important use cases for these alerts is people standing on a platform trying to work out what’s going on with their train – in which case they’d almost certainly be using a smartphone. And copy and paste isn’t the easiest of things to do on a smartphone.

Someone in the National Rail Travel Alerts department is more than a little confused about how URLs in email work.

Free Web Advice: Marvel

It’s been a few years since I wrote a “free web advice” piece, but I got really annoyed by the Marvel web site this morning.

About a year ago I subscribed to Marvel Unlimited – a plan that gave me access to all of Marvel’s digital comics for about £40 a year. This morning, I got an email from them saying that my subscription was about to be renewed but that my credit card had expired so I should log on to my account and update my credit card details.

I went to log on and found that I had forgotten my password. So I used the “forgotten password” link expecting to get an email containing a link I could use to reset my password. Instead, I got an email that contained both my username and my password in plain text. If Marvel are able to send my password to me, then they must be storing everyone’s password in a readable format. It’s astonishing that a company the size of Marvel don’t understand just what an incredibly stupid idea that is. And sending both my username and password in the same email just compounds their error.

So that’s strike one – storing plain text passwords.
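What a forgotten-password flow looks like when the site cannot read your password, as an added example that is not Marvel's code. The PasswordReset class, the example.com link and the fifteen-minute lifetime are assumptions; the email carries a single-use token, and the server keeps only a hash of it.

```python
import hashlib
import hmac
import secrets
import time


class PasswordReset:
    """Constructed reset service: stores password hashes and hashed reset tokens."""

    def __init__(self, ttl=900, clock=time.time):
        self.ttl = ttl            # token lifetime in seconds (assumed value)
        self.clock = clock        # injectable so expiry can be tested
        self.credentials = {}     # user -> (salt, derived key); no readable password
        self.pending = {}         # user -> (sha256 of token, expiry time)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.credentials[user] = (salt, self._derive(password, salt))

    def check_password(self, user, password):
        salt, stored = self.credentials[user]
        return hmac.compare_digest(stored, self._derive(password, salt))

    def request_reset(self, user):
        """Return (token, email body), or None for an unknown user.
        The caller should show the same message on screen either way."""
        if user not in self.credentials:
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[user] = (digest, self.clock() + self.ttl)
        # The body can only ever contain the token: the service has no
        # password to put in it. example.com is a placeholder address.
        body = ("To choose a new password, open "
                "https://example.com/reset?token=" + token)
        return token, body

    def complete_reset(self, user, token, new_password):
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expires = entry
        if self.clock() > expires:
            del self.pending[user]          # expired tokens are discarded
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
            return False
        del self.pending[user]              # single use: gone once redeemed
        self.set_password(user, new_password)
        return True


if __name__ == "__main__":
    svc = PasswordReset()
    svc.set_password("dave", "old-secret")   # constructed sample account
    token, body = svc.request_reset("dave")
    print(body)
    print(svc.complete_reset("dave", token, "a much longer new passphrase"))
    print(svc.complete_reset("dave", token, "second try"))  # False: already used
```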

Having recovered my password, I was able to log on and found the page where I could give them my credit card details. But it looked like this:

Marvel Credit Card Maintenance Page

If you look closely, you’ll see that three fields – credit card type, expiration date and country – have captions, but no way to enter the required data. I’ve tried this page in both Firefox and Chrome and get the same results in both. I expect I’ll have to dig out a PC running Windows and try it on Internet Explorer as well.

I didn’t actually notice the missing fields at first. I just filled in the fields I could see and submitted the form. At that point I got an error pointing out what was missing. It’s interesting to note that the credit card type isn’t marked as required on the form (there’s no red asterisk next to it) but the error I got complained that it wasn’t filled in.

So that’s strikes two and three.
Strike two – always ensure that your web pages work on all the popular browsers.
Strike three – always mark your required data inputs accurately.

At that point I gave up trying to give money to Marvel. I poked around the site for a while to find a contact form. When I found it, it had the same problems as the credit card form – most of the input fields didn’t appear. Luckily, the contact page also gave an email address (that’s a really good idea that most web sites don’t follow). So I used that to report the problems. I’ll update this post if I get a response.

Interestingly, on my account page I was also given the option to upgrade my account. Apparently Marvel and I disagree on the meaning of the word “unlimited”. It’s not clear to me what extra benefits I could expect.

Update (four months later): Somehow, Marvel managed to renew my subscription, even though I never managed to update my credit card details. But bizarrely, this evening (over four months after writing to them) I got a reply from Marvel’s customer support. It said this:

Thank you for contacting Marvel’s Online Support services. We apologize for the delay in getting back to you. We see that you were able to renew your subscription, after contacting us. If you have any further questions, please do not hesitate to contact us. Thanks again for contacting Marvel.

Four months to reply to a simple customer support message must be some kind of record.

Sky Broadband

Back in October 2009, I wrote about how I had cancelled my Demon account and switched to Be Broadband. Be were the broadband provider of choice for the discerning geek. None of their customers had a bad thing to say against them. All was well with the world.

And then, just over a year ago, the sky fell in.

Or, rather, Sky bought out Telefonica’s broadband business – and Be was one of Telefonica’s broadband brands. It was terrible news. Geeks all over the UK were appalled that their favourite ISP could be owned by a company that so many of us have strong political objections to. The news got worse soon afterwards as it was announced that we would all be migrated over to Sky’s broadband network within a year.

A mass migration of geeks started. The internet was awash with discussions of the best alternatives. If Sky were watching, then I’m sure that they were rather taken aback by the reaction.

I was one of the people who was determined to leave. I spent many an hour perusing other broadband providers’ web sites – weighing pros and cons.

But a combination of lethargy and business took over and I never left.

In January I got a letter from Sky announcing that I would be migrating in the spring. They proudly announced that my new plan would be cheaper than my old Be plan – a fact that was only true because of a 12 month discount that they gave me. The letter came with a brochure explaining all the advantages of being with Sky. It also told me that my old Be router would work with my new connection.

Still, I didn’t change providers.

In March I got another letter telling me that I’d be on a different plan (fibre, not ADSL) and that it would cost quite a bit more than my Be plan. There was no explanation of the change, but I didn’t object as I quite fancied a fibre connection.

Then I got more communication. An email telling me my new IP address. And another telling me that my new Sky Hub was on its way. That’s the replacement router that they told me I didn’t need. Then another letter telling me that my broadband would be switched over on 10th April. And then the router itself arrived.

Then, last Thursday, the day of the changeover arrived. In the middle of the afternoon my Be connection was switched off. And replaced with nothing. The Sky connection wasn’t turned on. I was told that it could happen at any time up until midnight so I didn’t worry (much) until I got up the next day and still had no connection.

I needed to call them. But their support line costs 5p/minute unless you call from one of their phones. So I waited until I got to work. On the way I got a text from Sky telling me that I had missed an installation appointment. Which was weird because a) I didn’t have an appointment and b) my wife had been at home all day.

When I got to work, I called them. And sat there on hold for thirty minutes. Eventually I spoke to someone. He couldn’t explain why I hadn’t been connected or why I had been told I’d missed a phantom appointment. But he said that our only option was to book a new time with the BT Openreach engineers (the people who actually needed to do the work in the exchange). He said he would phone them and call me back with a date. He also set my expectations and said that it probably wouldn’t be before the middle of the next week.

He called back in about half an hour. He said that he had been offered a date of 28th April but that he had argued that down to the 16th. I realised that there was nothing else I could do, so I hunkered down to weather six days without an internet connection.

Today was the day that the connection was finally going to be made. I was slightly worried as my “track your order” was still showing the “we have a problem” message from last week. But I put that down to Sky’s incompetence and tried to think positive thoughts. My wife was at home and resetting the hub every couple of hours to see if it would spring into life – but to no avail.

When I got home this evening, I plugged our house phone into the Sky line and called their support number. I got through quickly and explained my problem. At first the adviser tried to convince me that it could still happen any time up to midnight, but I persuaded him to speak to the actual installation team. When he took me off hold he had some rather bad news. Somehow, the change of date from the 28th to the 16th had never been confirmed. And the installation team weren’t planning to do anything to my line for almost two weeks.

I explained again what I had been told. He spoke to the installation team again but they were adamant that my service was going to be turned on at the end of the month.

So I finally did what I should have done a year ago. I cancelled the contract. Well, I asked to. He put me through to a colleague in what I assume was customer retention. I explained the whole sorry tale again. He asked for half an hour to try and salvage the situation, which I agreed to. But when he called back, he said that he could do nothing to fix things. So the contract was cancelled.

All of which leaves me with no internet provider. And a long weekend coming up. I might need to leave the house. Or I might just buy a Y800.

But it’s all very disappointing. Some fundamental mistakes have been made. What Sky don’t seem to realise is that Be customers are used to a company that routinely exceeds customers’ expectations. Sky seem content to fall well short of them. There are three areas in particular where I think Sky fell down.

  • Their project planning is terrible. If you’re removing a service and replacing it with another one, then it’s basic common sense to ensure that you don’t remove the first until you’re sure that the second is ready to be put in place. I would happily wait until the end of April or beyond for my new Sky connection if they hadn’t turned off my Be connection.
  • It seems that part of the problem here is the BT Openreach team who do all of the work in the exchange. Sky are making commitments to their customers using resources that they have no control over. This is clearly ridiculous. Sky (and, I suppose, all of the other ISPs who resell Openreach products) need to get contracts in place that hold Openreach to their promises. If an Openreach engineer misses an appointment, then the customer should get an emergency appointment the next day – not in two weeks’ time. And Openreach should compensate the ISPs for any missed appointments.
  • Sky’s communication with me throughout this has been terrible. A lot of the time I have felt like people are just telling me what I want to hear. Or I’ve been told contradictory things by two different people. I never got an explanation of why my service was upgraded from ADSL to fibre. Sky need to better train their support staff. They can learn a lot from the staff that they have inherited from Be.

So. What ISPs should I be looking at? I’m considering Virgin Media, because I already get my phone and TV through them. The broadband is a separate account (paid for by my company) but VM say I can get what sounds like a pretty good connection from them for only £2 a month more than I’m currently paying them.

But I’m open to alternative suggestions.

Macs and Me

“It never stops raining!” ranted the lorry driver. He thumped the table, spilt his tea, and actually, for a moment, appeared to be steaming.
You can’t just walk off without responding to a remark like that.
“Of course it stops raining,” said Arthur. It was hardly an elegant refutation, but it had to be said.
“It rains … all … the time,” raved the man, thumping the table again, in time to the words.
Arthur shook his head.
“Stupid to say it rains all the time …” he said.
The man’s eyebrows shot up, affronted.
“Stupid? Why’s it stupid? Why’s it stupid to say it rains all the time if it rains the whole time?”
“Didn’t rain yesterday.”
“Did in Darlington.”
Arthur paused, warily.
“You going to ask me where I was yesterday?” asked the man. “Eh?”
“No,” said Arthur.
“But I expect you can guess.”
“Do you.”
“Begins with a D.”
“Does it.”
“And it was pissing down there, I can tell you.”

– So Long And Thanks For All The Fish (Douglas Adams)

When I try to explain my experience of Apple hardware to people, I’m always aware that I end up sounding like Douglas Adams’ Rain God. My Mac hardware always breaks down in some interesting and unpredictable way. People tell me that I’m exaggerating, it can’t be true that it always breaks down. But I’m not; it does.

To be precise here, every piece of Mac kit that I have ever owned has been replaced because it has stopped working in some way. This is in contrast to the large number of non-Apple laptops and desktop PCs that I have owned over the same period of time. They have all been replaced, while in good working order, because I’ve suddenly realised that I’ve owned them for a long time and there’s probably a newer, better model out there.

I’m not exaggerating here at all. It happens every time. Every. Single. Time.

I know that the plural of anecdote is not data, but here’s what I remember.

  • My first Mac was a second hand Powerbook. The battery stopped working. Because it was second hand and out of warranty, we just lived with using it plugged in. Which was fine (well, not really, but we coped) until the power lead broke because of a ridiculous design which put the most stress on the weakest point. Replacements were stupidly expensive, but we got through two of them before giving up on it.
  • Then there was the Macbook where the battery stopped working if you ever let it drain completely. We tried all of the workarounds that we found on the web, but nothing worked. Turned out this was a known fault. I took it to the Genius Bar two or three times and each time they replaced the battery free of charge. Good service, I admit, but it shouldn’t be necessary.
  • In the end, it was a different fault that killed that Macbook. Eventually the power supply unit failed completely.
  • I can’t remember which of those first two Macs it was, but at one point we went through a fun period where every time I updated the system software the wifi connection would fail. This went on for about eighteen months. Got to the stage that I had a CD with a backup of the last known working wifi drivers that I could use to replace the buggy new ones.
  • Then there’s our current Macbook. After owning it just a year or two, the rubber covering started to come away from the base. This also turned out to be a known fault and Apple sent out a replacement base that I fitted. Good service again, but annoying that we needed to do it.
  • And finally, a few days ago, the trackpad stopped working. You can still move the mouse, but it doesn’t register clicks. It seems that this is another pretty common fault. Apparently as the battery ages, it expands, pressing against the bottom of the trackpad and preventing it from working properly. I can try loosening the screws to see if that helps but in the meantime, we’re using it with a USB mouse. I’ve got an appointment at the Genius Bar next week to see if they can help.

But I suspect that this Macbook is on its way out. Which means buying a replacement. And that’s always so depressing. Mac hardware is always so much more expensive than the equivalent non-Mac system. And it never works properly (at least in my experience).

I’ve started browsing the Apple web site. And I see that they’ve stopped making the Macbook. It’ll need to be a Macbook Air. Which means it’ll be even more expensive and, astonishingly, less functional – they don’t have a CD/DVD drive.

I know what you’re thinking. If I have such a hard time with Mac systems, then why do I still buy them? It’s not for me. My wife likes them more than Windows systems. But I think that this time we might need to have a Serious Talk about what we’re going to buy.

Year of Code on Newsnight

You’ve probably already seen the section on the government’s Year of Code initiative that was on Newsnight last Wednesday. But, in case you haven’t, here it is. We’ll wait while you catch up.

Most of the commentary I’ve seen on this concentrates on Lottie Dexter’s performance in the interview that takes up the second half of the clip. We’ll get to her later on, but the problems start long before she appears on screen. Within the first couple of minutes of the report, reporter Zoe Conway has referred to code as “baffling computer commands” and “gobbledigook”. One lesson that I’ve learned as a trainer is that a sure-fire way to ensure that students don’t understand what you’re about to teach them is to describe it as difficult or complex, so Conway’s descriptions of programming languages are hardly going to encourage people to take up programming. As Conway says “baffling computer commands”, here’s the code that appears on the screen:

if (distance < radius) {

} else {

} // END if statement

Perhaps the fact that I’ve been programming for thirty years is clouding my judgment here, but I really don’t think that this code is “baffling”. Lily Cole does her best to counter this misinformation – saying that it’s “really cool to see how quickly we can pick it up”. I hope people listen to her and not the (obviously out of her depth) reporter.

We then move on to the idea of children being taught to program at school. Various people tell us how important it is and we see a class who are trialling the programming syllabus that will be rolled out nationwide this autumn.

Conway then gets to the heart of the issue. She visits East London’s “Tech City” and explains the severe shortage of programmers that the companies there are experiencing. There simply isn’t the supply of programmers that the UK’s tech industry needs. Anything that addresses that problem should be welcomed.

And then we’re back in the studio where Jeremy Paxman is talking to the Year of Code initiative’s director, Lottie Dexter. This is when it gets really weird.

Let’s get a couple of things straight. I don’t think it’s a problem that Lottie Dexter isn’t a programmer. She didn’t try to hide that. She was clear about it right from the start. I also think that it’s great that she wants to be a guinea pig for the Year of Code by saying that she wants to learn to code over the next year. But I do think that it’s a real shame that before coming to the interview she couldn’t find someone in her organisation[1] who could spend an hour briefing her so that she could sound like she knew what she was talking about. Instead, she just made the whole initiative look bad.

Let’s look at some of the things she said.

  • “You can actually build a web site in an hour – completely from scratch.” This is true. I build web sites in an hour all the time. I install a copy of WordPress, choose a nice theme and install a few plugins. Of course, there won’t be any useful content on the site. And it will look like hundreds of other sites out there who also use the same theme. Of course, I can only do it that quickly because I’ve done dozens of previous web sites this way and I have a good idea about what works. Oh, and there’s no coding at all involved in this – so it probably falls way outside of what she was talking about. If I wanted to code up a web site from scratch, the minimum time for a web site that does something non-trivial is probably a couple of days.
  • “I think you can pick [teaching people to code] up in a day.” If you know how to code and you know how to teach, then I imagine that’s possible. But for a teacher who doesn’t already know anything about programming to pick it up in a day is a ridiculous suggestion. At college, I did a course on C which was taught by an experienced programmer and lecturer who didn’t know that particular language and who was reading the standard textbook a week ahead of us. The result was a disaster.
  • “If we start thinking about it now, I think in time for September when this goes onto the school curriculum teachers should feel confident.” Colour me unconvinced.
  • “I started a campaign last year. And if I had learned to code at school I could have done my own web site, I could have done my own app, I could have done my own graphics. I would have saved a hell of a lot of time, a hell of a lot of money and I think I could have done a lot better.” Sure, doing it yourself would have been cheaper. But I doubt it would have been quicker than having a professional do it. And I’m not at all sure that it would have been better. Or is she suggesting that when everyone knows how to code that we will no longer need professional programmers and web designers? I really hope not (or is that just my professional bias getting in the way?)

Paxman wasn’t much help either. I know he has a rather adversarial approach to interviewing, but was it really necessary to be quite so sneering about the whole idea? He did ask one good question though. He asked why it was necessary to code. And he’s right, of course, no-one absolutely needs to know how to code. But I think there are three reasons why teaching everyone to code is a good idea:

  1. We don’t know who is going to be good at programming. So teaching it to every child seems to be a good way of making sure as many people as possible get to try it.
  2. Even if many children don’t take up programming full-time, the fact they have been exposed to it demystifies it. They will be less likely to see it as a “black art” and will have more idea of what is possible.
  3. People who have some programming experience will be at an advantage over people who don’t. The future is going to be about data manipulation – extracting useful information from reams of data. See, for example, the Hacks and Hackers group.

So, yes, of course I agree with the idea of teaching children to code. The UK is already desperately short of programmers and that demand is only going to continue growing. But I worry slightly that the Year of Code project is just about being seen to do something rather than working out what the best thing to do is. The government have an awesome IT department doing wonderful things. I wonder what input they have had into this process. And please, can someone spend an hour or so explaining the basics of programming to Lottie Dexter before she makes her next TV appearance?

Update: Emma Mulqueeny has been working in this area for many years with her Young Rewired State project. Her reaction to the Year of Code is very interesting.

[1] Although, Tom Morris has severe doubts about the amount of technical know-how within the organisation.

Jessica London

Recently, I started getting unsolicited email from a company called Jessica London. They sell women’s clothes and they seem to think that I’d be interested in all of their latest offers. I have no idea where they got my email address from. I know I have never dealt with them so it’s not a case of me forgetting to uncheck the “please spam me” box when registering with them or anything like that. In fact they have been using an email address that I never use for those kinds of purposes.

But I think they’re a real company. So today I decided I’d use the unsubscribe link in their email to see if that would actually remove me from their mailing list. I know this is a risky strategy, but I like to live on the edge sometimes.

The link took me to a page where I could tell them why I was unsubscribing. There was a series of radio buttons – which means I could only select one of them. It’s interesting to note the reasons that they think it’s worth tracking.

  • Receive too many emails from Jessica London
    Well that’s true, but I don’t think it really gets to the heart of the matter
  • Email content wasn’t relevant to me
    Also true, but misses the point
  • I no longer plan to shop at Jessica London
    I never had any plans to shop at Jessica London
  • I am cutting back my spending on clothing
    That’s not the case. I’ve never spent that much on clothing
  • I prefer to stay connected via Social Media (Facebook, Twitter, etc.)
    I like to connect to people via social media – but not to brands that I have no interest in
  • Other

In the end, I chose “other”, hoping that they would then give me a text box where I could write “because you’re a bunch of obnoxious spammers”. But no such box appeared. So they just know that I had “other” reasons for unsubscribing.

I was left with no alternative other than to write this blog post in the hope that Google will help them discover my actual reason for unsubscribing.