Saturday, 30 March 2013

Software wears out

One of the things that non-programmer friends often find hard to grasp is the concept that software can wear out and get old.

It should not happen - code is code - it does not change on its own, how can it wear out?

Well, over time, and I mean years of time typically, things happen.

1. For a start, any maintained system will undergo a number of small changes, more at first, but over the years there will be slight tweaks. In essence the requirements are changing subtly over time. This is not a surprise, requirements do change, and any business systems will have to move with changes in the business, and regulations and policies and so on.

Each change will be considered, and one of the decisions that has to be made is whether to start again, or modify the existing system. Each change is usually small enough that the right choice is a modification. This is normally from purely pragmatic grounds. Starting again takes time, costs money, and adds risks as all code comes with some bugs.

The problem is that over time the code becomes a complicated mess with sticking plaster on top of sticking plaster. It may have started with an elegant and easy to understand design, but over time that is lost.

In some cases the original requirements lead to a design that simply does not fit now, so the code is doing it the wrong way, but with work-arounds to make it work.

You also find that comments and documentation are not quite up to date with all the changes, so it makes it hard to follow.

2. As a programmer, you change. Even now, after over 35 years coding in almost every language you can think of, I still find myself learning better ways to code. I have also built up a load of my own libraries which are used extensively in the business, and these are themselves programming projects which get old.

This means you look at old code, even code that has had no patches or changes, and just think "what idiot wrote this - it is messy", and it was yourself, a year ago.

3. Bits of code become obsolete over time, as the code and the requirements change, but you end up with code that nobody knows why it is like that. You can see special cases added in a panic to fix something that was broken and serious, and you know it was special and important at the time, but is it still needed? Thankfully good commenting and source control help with this, but even so, you still find the one line change you committed years ago, and can't understand the explanation you logged now. You have no idea if it is safe to remove this special case or not.

With all of this in mind, sometimes, you just have to start again. Making a new specification of what is actually needed, and trying to incorporate any special cases that exist in the current code - or at least understand why they are not needed.

This month we did that with one of the most important parts of the business - the BACS payments and collections system. It all started because we had to change the last step - sending to BACS - as Lloydslink was closed down. We could have just bolted on an extra sticking plaster to convert the Lloyds files to a new format, and indeed, that is what was done for the initial testing. However, the more I looked, the more I pulled at this thread - and found "worn out code" in place.

The result is all new code, using current versions of all my libraries, and a style of coding that is much better than before. It has all of the features we need, and at least one that I had missed (ooops). It is faster, more efficient, and easier to maintain with more comments.

Even so - in a year's time it will look old again, and you can bet some requirement will have changed and some patch applied.

With all of that said, I have to say that it is very rewarding rewriting something like this, if you can find the time and motivation.

One of my real programming jobs, when I worked for a mobile phone manufacturer, meant re-writing other people's old and worn out code, and I had great fun capturing the real requirements, making a new and elegant design, and coding it in half of the previous code space (we were short of RAM and EPROM for this project so it was needed). It was nice to make things "work better" and be cleaner code. This was not a slur on the previous programmers - if it was my own "old and worn out code" it would have been the same.

At the end of the project the team leader had to complete a report for management and so he got stats from the source control system - including how many lines of code each of us had done. Turned out I had not only coded many times more lines of code than anyone else on the project, something which does not surprise me at all, but I had deleted a hell of a lot more lines of code than I had added. The team leader refused to report this as a huge negative number, for some reason. Shame, I was hoping to break someone's brain with that in senior management. Those were real Dilbert days...

Tuesday, 26 March 2013

Internet on the train

Once again I find myself on a 2+ hour train journey to Leeds. It happens :-)

So, I try and get some work done. I did once try and play WoW, but that really did not work well. For a long time I have used a MiFi. They are excellent. Today I tried a few alternatives, largely because I totally forgot to bring the charger/USB lead for the MiFi...

The first thought was tether via wifi to the iPhone. That would work, but would, in this case, be some horrid Three NAT internet service. One reason for using the MiFi is it can take an A&A data SIM which really "just works" and has a fixed IP and full 1500 byte MTU and so on. Yes, it is also on Three, but a business grade service. It is also then using an IP that is on my LAN at home, which is handy.

I am at a loss as to why Apple do not include a mobile modem in the MacBook Pro - they really should.

So, not using MiFi, I tried the East Coast Trains in-train WiFi. That was a huge mistake! Pings at 3 to 5 seconds, and sometimes 15s. Loads of loss. Unusable for anything interactive (like ssh and vim).

I realised I could tether the iPad mini. It has an A&A data SIM too. That works (via WiFi). But as I want to keep it charged I plugged in the USB lead, and of course the Mac simply tethers by USB, so even better.

The data SIM in the iPad means I am now seeing much more sensible latency, usually under 100ms, and much more reliable connection. I suspect this will be my preferred way of working now rather than using a MiFi at all. It was good while it lasted, but this "just works" too.

But one thing for sure - don't use the in-train WiFi, it is dire.

Thursday, 21 March 2013

The Big Broadband Survey 2012

Thinkbroadband have conducted a massive survey which asks a lot of important questions about the way people view their broadband. Well worth a read.

There are some impressive stats relating to AAISP, e.g. pages 28 (value), 29 (speed), 31 (reliability), 32 (customer service), even 34 (social media use), 38 (loyalty).

However, the survey covers much more than just rating ISPs, such as people's views on parental controls for Internet access, how long they spend accessing the Internet per day, and what things are most important to them...

Well done everyone at Thinkbroadband - it is an impressive survey.

Tuesday, 19 March 2013

Trying out our MP again.

So, I have sent the following - let's see what happens.

Dear Phillip Lee,

I wonder if you are in a position to propose an amendment to The Privacy and Electronic Communications (EC Directive) Regulations 2003, or perhaps advise how one goes about suggesting this. Specifically an amendment to section 30 Proceedings for compensation for failure to comply with requirements of the Regulations.

Here, we receive a significant number of unsolicited marketing calls and faxes even though on TPS and FPS, and undoubtedly suffer damages by wasted time and resources. However, the actual value of damages for any one call or fax will be unprovable and negligible.

What I would like to see is a financial value in the regulations as a default or minimum, much like the Late Payment of Commercial Debts (Interest) Act 1998 defines a £40 amount (or more if provably more).

If there was a value of, say, £50, whereby the claimant would not have to justify the value of damages, just that they were the victim of a breach of the regulations, then I can see the legislation being much more effective.

Yours sincerely,

Rev Adrian Kennard

Monday, 18 March 2013

Click for large image

Really?


And what is worse is, when you "Click for large image" it looks the same size blue square and not actually any larger :-)

Well done www.theonlinepencompany.com

Thursday, 14 March 2013

Short email addresses

As some of you know I use a very short email address. It is only 6 characters long. I also use a specific email address per web site or contact, but that is @ and a short domain, only 4 characters. This allows me to see who has leaked my email to spammers.

Let's pretend my email is x@x.xx and daft web sites get daftwebsite@x.xx as an email address. I don't plan to put my email addresses on a web site for fear of more spam, obviously...

Both of these cause problems from time to time.

One is the social/real issue of people not understanding that you can have a short email address. You quote it as x@x.xx and they go "what, .com?" and do not understand. This is normally OK as they accept what you say and it leads to fun conversations.

What is worse is web sites not believing the email addresses. The issue is that web developers make their own rules for checking an email address syntax. Instead of actually using the rules in the RFCs, which are clear and well understood and have been around for many years, they make up rules themselves based on email addresses they have seen. Some will not allow email addresses less than a certain length, and some do not allow domains that are too short. The rules they make are arbitrary and wrong, which is stupid.
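The difference described above, as an added example (not code from any of the sites mentioned): a guessed, length-based rule next to a check built on the RFC 5322 dot-atom syntax and the RFC 5321 size limits. The function names, the guessed rule and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Characters RFC 5322 allows in an unquoted local part besides letters and digits.
const atextSpecials = "!#$%&'*+-/=?^_`{|}~"

func isAlnum(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
}

// splitAddr splits at the last '@'; ok is false when either side is empty.
func splitAddr(addr string) (local, domain string, ok bool) {
	at := strings.LastIndexByte(addr, '@')
	if at < 1 || at == len(addr)-1 {
		return "", "", false
	}
	return addr[:at], addr[at+1:], true
}

// guessedValid is a constructed example of a made-up rule: minimum lengths
// invented from addresses the developer happened to have seen.
func guessedValid(addr string) bool {
	local, domain, ok := splitAddr(addr)
	return ok && len(local) >= 3 && len(domain) >= 6 && strings.Contains(domain, ".")
}

// rfcValid accepts the dot-atom form of RFC 5322 within the RFC 5321 size
// limits (local part up to 64 octets, domain up to 255) and the 63-octet DNS
// label limit. Quoted local parts and address literals are not handled here.
func rfcValid(addr string) bool {
	local, domain, ok := splitAddr(addr)
	if !ok || len(local) > 64 || len(domain) > 255 {
		return false
	}
	for _, atom := range strings.Split(local, ".") {
		if atom == "" { // leading, trailing or doubled dot
			return false
		}
		for i := 0; i < len(atom); i++ {
			if !isAlnum(atom[i]) && strings.IndexByte(atextSpecials, atom[i]) < 0 {
				return false
			}
		}
	}
	for _, label := range strings.Split(domain, ".") {
		if len(label) < 1 || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
		for i := 0; i < len(label); i++ {
			if !isAlnum(label[i]) && label[i] != '-' {
				return false
			}
		}
	}
	return true
}

// report formats one comparison line for an address.
func report(addr string) string {
	return fmt.Sprintf("%-22s guessed=%-5t rfc=%t", addr, guessedValid(addr), rfcValid(addr))
}

func main() {
	// Constructed sample input; x@x.xx is the stand-in address used in the post.
	samples := []string{"x@x.xx", "daftwebsite@x.xx", "someone@example.com",
		"a..b@x.xx", "x@-x.xx", "no-at-sign"}
	for _, a := range samples {
		fmt.Println(report(a))
	}
}
```

The only sure test that an address works is to send mail to it; the syntax check just has to avoid rejecting addresses that are valid.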

It is very frustrating for me and most of my family and several people I know. All of my family have email addresses of the form x@x.xx. The domain we use is not cheap, but it works and saves a lot of typing :-)

What is classic is that most of these web sites then have a contact form, which asks your email address. Most of these do not have the same checks, and allow a complaint using the email address they do not like. Needless to say I have had people email me at x@x.xx saying x@x.xx is not valid and getting a reply from me...

Some notable sites that get it wrong are the tax disc renewal web site, and, until recently, www.bacs.co.uk. I was shocked today as I complained two days ago, and today I find they have fixed it and let me know they have fixed it. This is a first - actually listening to me and fixing the brokenness.

I do have special email addresses using @stupidwebsitethatdoesnotunderstandshortdomains.e.gg for this reason...

So, well done BACS.

HMRC RTI and privacy

HMRC have a new system in place for payroll that means payroll details are sent to them each time people are paid. That is not too bad, but there is this new system for BACS payments too that allows HMRC to check the actual payment is made to the employee as well. It is a convoluted system that involves an extra field in the BACS payment and has led to a whole new way of running payroll if you use BACS. The BACS system advises HMRC of hashes that allows the payment to be checked without giving HMRC all of the details.

Anyway, there is a side effect that has occurred to me here. The receiving bank will no doubt see the BACS fields including this previously unused field. The field is not meaningful in itself, it is 4 characters, and for HMRC use has to start with a "/" character and then has three random characters.

However, the receiving bank can, now, in effect, see if a customer gets "proper payroll payments" in to their account. There will, of course, be lots of legitimate paid employees that get paid without a payroll bureau or direct BACS or some such doing this, but the bulk of people being paid by large companies or via bureaus will have this extra field on their pay. Indeed, as using this is part of HMRC's risk management, that will encourage more and more employers to use this for paying people.

So banks get to see if you are a "proper" paid employee, with pay details "properly" reported to HMRC, or not. Or at least have a clue towards that. It is not in fact definitive - nothing stops me sending this field on all payments we ever make to anyone - but in practice the BACS systems will do "paying suppliers" and doing "payroll" as separate systems. So the presence of this field is a clue.

Will banks use this to consider the credibility or creditworthiness of a customer?

Wednesday, 13 March 2013

BACS Submissions

As I posted a while ago, Lloyds have dropped their BACS Bureau (Lloydslink) and we had to find an alternative. This has been most educational, and very different to when we first started.

So it may be useful if I share some of the lessons learned...

Three day BACS cycle.
One of the things people do not realise is that there is still a standard "three day cycle" BACS system in place. Whilst a lot of stuff has moved to almost instant Faster Payments, the old BACS system is alive and well. It is used for collecting Direct Debits, and also by lots of people to pay suppliers and payroll. The way it works is that you send a BACS file to BACS which contains payments and/or DD collections on day 1. On day 2 the file is processed by the banks. On day 3 the money moves. Unlike when you do a payment from personal on-line banking on the three day cycle, the money moves on the 3rd (working) day - it is not in limbo for 2 days. It is also necessary to send details of the new and cancelled DD instructions via a BACS file.

HMRC RTI
All of this is because HMRC have insisted that payroll which is paid by BACS has to have an extra field which was previously unused. This messed up Lloydslink, and has meant everyone using BACS has had to make changes. The extra field is a 4 character entry which is used with some other attributes to make a hash that is sent to HMRC so they can match payments to payroll submissions.

Sponsoring bank
In order to do any of this you need a service user number (SUN), also called an originator identification number (OIN), and a sponsoring bank. The sponsoring bank is taking risk if you screw up and so this can be tricky. There are various ways to do it, and we luckily managed to get sponsored by Lloyds without many catches.

Sending the BACS file
There are several ways to get the file to BACS. It is possible to use services which make DD collections under their SUN (as I understand it) and charge a lot per transaction. There are bureau services that allow a file to be sent (e.g. via a web page) and then they send to BACS for you using your SUN. And there are software packages that allow you to send to BACS yourself (Direct Submission). The pricing is complicated, and typically a bureau charges per transaction and per file but is quick and cheap to set up. BACS s/w (BACSTEL-IP) is usually more expensive to set up and in ongoing fees but less per file/transaction. We do enough transactions that direct submission is cheaper.

Managed services
It seems there are also bureau type services that work at a different level - managing the DD setup, notice to the customer of collections, regular collections automatically, and allowing ad-hoc collections to be uploaded. These are not quite the same as a BACS bureau as you are not really sending BACS files as such, but they do manage a lot of the admin for you and ensure you meet the rules properly.

Smart cards and stuff
Lloydslink used a card and reader (like a PINSentry) to verify that the file we uploaded was from us. It was a proper challenge/response system. It did have a bug once that meant a null response was accepted and only JavaScript stopped this, but they fixed that when we told them :-) Otherwise it worked well. It seems most bureaus don't do this and simply allow file upload to a (secure) web site. However, if you have direct submission software you need either a SmartCard from your sponsoring bank or a hardware security module (HSM). The difference is something like £10,000 (based on various quotes we had). With the smart card you have to enter a PIN when sending the file to BACS to get it signed using a key in the card. An HSM allows hands-off processing, and is what bureau services use behind the scenes. It is hard to see how, logically, the two are different, to be honest, as a SmartCard is a hardware module which provides security (signing).
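The null-response lesson above, as an added example (not Lloydslink's code; how their bug actually arose is not known): one hypothetical way a server-side check ends up accepting an empty response, next to a check that enforces the response itself and uses each challenge once. The HMAC-based card computation, the 8-digit format and all names are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const codeDigits = 8

// eightDigits reduces a 32-bit value to a fixed-width decimal code.
func eightDigits(n uint32) string { return fmt.Sprintf("%08d", n%100000000) }

// expectedResponse is what the card should display for a challenge.
// Assumption: truncated HMAC-SHA256 stands in for the real card's computation.
func expectedResponse(cardKey []byte, challenge string) string {
	mac := hmac.New(sha256.New, cardKey)
	mac.Write([]byte(challenge))
	return eightDigits(binary.BigEndian.Uint32(mac.Sum(nil)[:4]))
}

// flawedCheck is a hypothetical server check that compares only as many
// characters as the client sent. An empty response compares zero characters
// and passes, so the page script is the only thing that blocks it.
func flawedCheck(cardKey []byte, challenge, response string) bool {
	want := expectedResponse(cardKey, challenge)
	return len(response) <= len(want) && want[:len(response)] == response
}

// Verifier is the server side of the exchange with the check done properly.
type Verifier struct {
	cardKey []byte
	pending map[string]bool // challenges issued and not yet answered
}

func NewVerifier(cardKey []byte) *Verifier {
	return &Verifier{cardKey: cardKey, pending: make(map[string]bool)}
}

// Issue creates a fresh random challenge and remembers it.
func (v *Verifier) Issue() (string, error) {
	buf := make([]byte, 4)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := eightDigits(binary.BigEndian.Uint32(buf))
	v.pending[c] = true
	return c, nil
}

// Check accepts only a full-length response to a challenge this server
// issued, and retires the challenge whether the answer was right or wrong.
func (v *Verifier) Check(challenge, response string) bool {
	if !v.pending[challenge] {
		return false
	}
	delete(v.pending, challenge)
	if len(response) != codeDigits {
		return false
	}
	want := expectedResponse(v.cardKey, challenge)
	return subtle.ConstantTimeCompare([]byte(want), []byte(response)) == 1
}

func main() {
	key := []byte("constructed-card-key") // constructed sample key
	v := NewVerifier(key)
	c, err := v.Issue()
	if err != nil {
		panic(err)
	}
	fmt.Println("flawed check, empty response: ", flawedCheck(key, c, ""))
	fmt.Println("server check, empty response: ", v.Check(c, ""))
	c, _ = v.Issue()
	fmt.Println("server check, correct response:", v.Check(c, expectedResponse(key, c)))
}
```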

Windows
Sadly all of the solutions we found seem to pretty much need a Windows machine to run. This is rather annoying. Some people suggested they had Linux code, but we did not get far with that. So we have had to buy a Windows machine just for this. Oh well. Locked down (physically and firewall).

Recommendations
So, who have we gone with and why?

We spoke to several people. Some said how much better and cheaper the software was, and how expensive a bureau was. Some said how hard to use and set up software was and how quick and cheap a bureau is. It seems to depend which solution they sell. Some seemed horribly expensive. Some less so.

We initially spoke to Smart Debit. It turns out they are a really good managed service provider. Unfortunately we are all set up to use a simple bureau like Lloydslink, and so this did not fit what we needed. If you want something managed for you they seem like a good bunch, handling notice to customers, and regular collections, and so on, all via a web interface.

What we finally went for is Experian BACSTEL-IP Windows software supplied and installed by Checkprint, along with their backup bureau service. The backup service is useful as if the PC fails for any reason we can send the same files to the bureau. It is costing a bit more than £2k/year, but Checkprint are very slick - they managed to get everything sorted and us submitting files in just over a week from start to finish (even with the lead time for the bank to send smart cards). They configure it for you and allow various file formats - we went for something simple which allows us to send one file, but they can have different users allowed to provide different files and different formats (e.g. paying suppliers, payroll, AUDDIS for setting up DDs, and DD collections), and different people allowed to import these or sign or send them. If you have a larger company with more people involved, it looks like it will work well for that. For us we just need one file signing and sending by one person and they were happy to set that up.

So, Checkprint highly recommended for this if you need it.

Tuesday, 12 March 2013

Call recording

We provide call recording services to customers and record calls ourselves.

We know of OFCOM guidelines on this. We have set up at the office so that each member of staff records their calls individually for their own use and they alone get the call recording.

Alex recorded his call he made to Simplify Digital (well, he intended to call broadband.co.uk not Simplify Digital). See his blog post for details. He made the recording for his own use, and had no intention of publishing it.

I think that means, based on the OFCOM guidelines, that (a) he did not have to tell anyone he was making the recording, and (b) the making of the recording itself was legal at the time. I assume it cannot be made retrospectively illegal, can it?

Alex used the recording to ensure his memory of the call was correct when making the blog post, which is his personal use of the recording, so all OK there.

Then, his integrity was brought in to question by some of the commentators, and he felt the only way to prove what was said was to post the recording on the blog. To be clear, up until that point, he had no intention of publishing the recording.

I have been in the same position, making a recording for my own personal use with no intention to publish it, and then later publishing the recording. It is only after the call that I feel it should be published for review and comment publicly as a journalistic news item on my blog. When making the recording I have no intention of publishing it, else I would be publishing all my calls!

So, I think making the recording is all fine, what would be wrong with publishing it? The obvious one is copyright, which was itself raised by Simplify Digital.

Again, I am not a lawyer, but it seems there is a copyright in the sound recording itself. However, that copyright vests with the person that made the recording, i.e. Alex. What else could there be? Well, if the words used, even if made up on the spot, counted as a performance of a literary work, then they would be copyright too. I don't think the content of the call can really be called a literary work, but is it? If so, is quoting it, or even publishing the recording, a breach of copyright?

Thankfully they have stated to Alex that they will not take any action regarding the recording. Even if they did, they would have to contrive what damages they suffered by it on top of simply what was stated in the blog post, I think, so I don't think Alex has anything to worry about.

But, in theory, could this have been legally wrong, and if so why? I wonder.

Interested in any comments.

Monday, 11 March 2013

WorldSIM con?

Well, I expected this to be a con, and wondered quite what sort of con it would turn out to be - so I got one on a BA flight to Venice.

The SIM is clever, it has multiple IMSIs allowing it to work in various zones, and have cheap calls. In some cases it does a call back for outgoing calls (I assume their interconnect makes that cheaper somehow).

It is advertised as coming with a UK and US number. The US number has to be requested (simple process) and has a 25c/min incoming call rate, which is (as I understand it) consistent with the way US mobile numbers work.

However, the UK number is free to receive calls in the UK and during the week in most of Europe as well, which is nice for roaming.

So, what's the con?

Well, obviously, I was not fooled for a second by the "Calls to X countries, from 1p/min". As expected only one country on the list (USA) is 1p/min and the rest are all a lot more. But this was not actually a lie, much like the use of "up to" in other contexts.

The catch is that it is not a UK number. The number starts 074520 (or +4474520 if you like). WorldSIM argue that as it starts +447 it is "considered a UK number".

Well, it is not, simple as that. It is not actually a UK number, and not "considered a UK number" by any carrier from which you can call it.

It is a Manx number. Isle of Man is not in UK, and, more importantly, anyone calling this number does not find their telco "considers it to be a UK number" for charging purposes - they charge more. E.g. weekend BT main call rates for UK mobiles is 3.406p/min but for this Manx mobile it is 16.8p/min. A big difference for those calling me. Similar (or worse) differences exist with other carriers.

It is a cunning con, as they don't publish rates to call the number - you would not expect them to as it is (a) not a premium number and (b) down to the telco you are using to make the call. However, saying (incorrectly) that it is a "UK number" implies to the customer that it is in fact a "UK number" and so is normal rates for callers to call the "UK number", which is not true.

It is therefore, in my opinion, a con. And BA should not advertise it as having a UK number, and neither should WorldSIM. Trading standards seem uninclined to take up the matter, sadly.

Document management

Odd as it may seem we have only just set up a proper document management system at the office. That is not really a fair thing to say - we have management for all the documents we ever generate, and a way of sensibly recording and filing and referencing the paper documents we get. We scanned some things (mainly cheques). What we have added now is a generic scan and store system that covers letters we get, scans of cheques, and purchase invoices/receipts.

The key part of any system to manage paper documents is a scanner, and this is where things get interesting. There are many cheap USB flatbed scanners, and they work. But they are not really up to the job. So I went for a sheet feeding scanner.

First mistake was getting an Epson GT-S85N. It claims to be a network scanner, but is in fact a USB scanner with an Edimax network attached USB host adapter. It is no different to a windows based USB scanner with a different cable. That has gone back.

What we ended up getting, based on advice from a company called Response Technical Services was the Canon ScanFront 300. This really is a network scanner.

It is a fast, duplex, sheet feeding scanner that will email or ftp or write to a shared windows folder. With a bit of tweaking you can make it just sit there with a number of "job buttons" on its full colour touch screen. You drop in a document, press the button, job done.

To be honest, the screen is overkill. It would be much cheaper if they had not used windows internally (yuck) or had the big screen. A few simple buttons for pre-set jobs would have done. Also, I see no IPv6 address, which is odd, and annoying, and against our usual policy on purchasing equipment. I'll ask Canon about that :-)

I am, however, impressed with how simple it is to use. I am also impressed that it has a half decent OCR built in, embedding searchable text in the PDF it sends.

I am also impressed with some of the details, like the way it will de-skew an image, and crop cleanly, and skip blank pages, and so on. I can scan business cards, and cheques, and even plastic cards if I want. I can scan horrid thermal receipts. And it has no trouble with 30 page contracts. It pretty much "just works", which is all you can ask for really.

Initially I made our systems use the built in OCR (pdftotext is the command on Linux to extract the text from the PDF). This was pretty good, but some tests showed that tesseract was actually better. The trick was to use pdfimages to extract the scans from the PDF and run through tesseract without any rescaling (which is what gs would have done, and I tried first). The resulting details, including OCR, are stored in a MySQL database and linked in to our accounts system which is what tracks documents we create. One annoying small detail was finding how many pages a PDF has, and eventually I used pdftk.

I also allowed upload of PDFs in our back end systems so we don't have to print stuff, scan it, and shred it! However, for purchase invoices we have few enough that box files and paper copies make sense for the simple logistics of handling a VAT inspection. We should, however, be able to scan and shred lots of other paperwork we get.

The other nice touch that I added to our back end systems was using zbarimg to pick out any barcodes on documents and store that too. Can be useful. It will allow us to put stickers on documents that are keyed in, and use that to automatically tie in to the right record when later scanned, etc. We'll have to work out the details. I also tried dmtxlib to extract datamatrix barcodes, but that is unbearably slow and I may have to find something else or not bother. Shame as I like IEC16022 Datamatrix barcodes.

I am surprised they did not include any sort of digital signing and timestamp in the scanner. It would have been simple to do and provided a way to prove the scan was not later edited. I wonder if there is a web service to do that, and if not, we could make one - a simple API passed an SHA1 and returning a signature...
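A sketch of the signing service wondered about above, as an added example (not an existing service or the author's code): the service receives only a digest, signs it together with its own clock reading, and anyone holding the public key can later check that a file is unchanged since that time. SHA-256 is used in place of the SHA1 mentioned, Ed25519 is an assumed choice of signature scheme, and the token layout and all names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Token is what the hypothetical service returns for one digest.
type Token struct {
	Digest    [32]byte // SHA-256 of the scanned file
	UnixTime  int64    // service clock when the digest was presented
	Signature []byte   // Ed25519 signature over signedBytes(Digest, UnixTime)
}

// NewServiceKey generates the service's long-term key pair.
func NewServiceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil selects crypto/rand
}

// Digest is computed by the client; the document itself never leaves the site.
func Digest(document []byte) [32]byte { return sha256.Sum256(document) }

// signedBytes is the exact byte string the signature covers: a fixed label
// (so the key cannot be tricked into signing some other kind of message),
// then the digest, then the time as 8 big-endian bytes.
func signedBytes(digest [32]byte, unixTime int64) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(unixTime))
	msg := append([]byte("scan-timestamp-v1"), digest[:]...)
	return append(msg, ts[:]...)
}

// Stamp is the service side. The time comes from the service, never the client.
func Stamp(priv ed25519.PrivateKey, digest [32]byte, unixTime int64) Token {
	sig := ed25519.Sign(priv, signedBytes(digest, unixTime))
	return Token{Digest: digest, UnixTime: unixTime, Signature: sig}
}

// StampNow stamps a digest with the current service clock.
func StampNow(priv ed25519.PrivateKey, digest [32]byte) Token {
	return Stamp(priv, digest, time.Now().Unix())
}

// Verify checks that the document still hashes to the stamped digest and
// that digest and time are the pair the service signed.
func Verify(pub ed25519.PublicKey, document []byte, tok Token) bool {
	if Digest(document) != tok.Digest {
		return false // file edited after stamping
	}
	return ed25519.Verify(pub, signedBytes(tok.Digest, tok.UnixTime), tok.Signature)
}

// describe renders a token for logs.
func describe(tok Token) string {
	when := time.Unix(tok.UnixTime, 0).UTC().Format(time.RFC3339)
	return fmt.Sprintf("digest %x... stamped %s", tok.Digest[:8], when)
}

func main() {
	pub, priv, err := NewServiceKey()
	if err != nil {
		panic(err)
	}
	scan := []byte("constructed scan contents: pay now") // constructed sample
	tok := StampNow(priv, Digest(scan))
	fmt.Println(describe(tok))
	fmt.Println("original verifies:", Verify(pub, scan, tok))
	edited := []byte("constructed scan contents: pay not")
	fmt.Println("edited verifies:  ", Verify(pub, edited, tok))
}
```

The token shows the file existed in this form no later than the stamped time; it says nothing about who scanned it or whether it was altered before the digest was submitted.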

Anyway, all good fun...

Update: It does IPv6!

Wednesday, 6 March 2013

Digging deeper

I am pleased to say that Alex has done some research :-

http://www.okcheersbye.co.uk/ofcom-accredited-comparison-sites/

Surprisingly there is only one accredited broadband comparison site under 4 different names. Do read it.

Update: Apparently one of them is not the same!

10% of lines are faulty for many ISPs?

OFCOM do have a code of practice on broadband speeds. We (AAISP) don't subscribe to this (it is voluntary) for good reason, and we actually have our own code which we think is better.

This is a bit of a repeat of a rant from years ago really, but I was reminded of this as one of the comments broadbandchoices made to ASA was that they expected ISPs to sign up to the voluntary code of practice on speeds. This could be a snag. I am not sure I want to sign up.

Basically, any ISPs signed up to this are saying that at least 10% of their customers have a fault!

That is not really a statement I am prepared to make.

It comes from 26(c) which defines the minimum guaranteed access line speed as "If asked to explain further or asked to state the definition of "significantly below", the ISP should provide information on the access line speed achieved by the bottom 10th percentile (or above) of the ISP's similar customers ("the minimum guaranteed access line speed") and explain that if the customer's actual access line speed is below the minimum guaranteed access line speed, then it will follow the process set out in the 4th Principle."

The 4th principle allows customers to leave a contract with no penalty (within 3 months of sign up) if their line is below this minimum. In fact, it has wording in 32(a)(ii) that is "Log the problem as a technical fault if the actual access line speed is at or below the minimum guaranteed access line speed".

What is also rather annoying is that OFCOM do not force BTW to reflect this requirement and allow ISPs out of the 12 month min term for FTTC services. This means 10% of FTTC customers where there is no actual line fault are considered faulty, the ISP cannot actually do anything as the line gets what speed it gets, and the ISP loses out as it has to pay BTW for 12 months anyway.

Granted, there will be lines that have faults, but just because lines are slow does not mean there is in fact a fault. DSL is a rate adaptive service. 10% of lines will be at or slower than the 10th percentile. It is just like people getting cross that half the population are below average!

There are grey areas - how does one define "similar customers" and the like, but the more narrowly you define it the more people end up "at or below" that 10th percentile. Indeed, all FTTH customers in each speed class are at or below the 10th percentile as the speed is not variable. If it was just "below" as 26(c) implies, not "at or below" as defined in 32(a)(ii) then there would be some hope - ISPs can define "similar customers" to be "customers getting exactly the same speed as you" and so have zero customers that are below the 10th percentile, making a mockery of the code of practice.

What this means is that at least 10% of customers on any ISPs signed up to the OFCOM code of practice are operating at or below the minimum guaranteed access line speed and this has to be considered to be a fault.

To be honest, I think this makes us more likely to be considered one of the "best ISPs" than those that do sign up to the code, as we don't have anything like 10% of our customers that we define to be faulty! Why do these ISPs agree to such a crazy statement?

Tuesday, 5 March 2013

AAISP not one of the "best broadband providers"

Well, I am rather puzzled.

Broadbandchoices.co.uk claim to compare the best deals, and do not include AAISP in their offering.

They told me (as AAISP) that it would be not logistically possible to list us - an odd statement given that other comparison sites manage it. They did not reply to my suggestion that they ask Think Broadband about logistics.

However, oddly, they have told the ASA that they only list the "best" ISPs, implying we are not one of them. Given we have ranked top or 2nd on several comparison sites and were consistently the best scored in independent surveys which BT conducted for several years (and which, sadly, I cannot publish), it seems odd to suggest we are not one of the best ISPs. We are, that is a fact. There are several criteria where, if you need them, none of the choices they include offer, and so we are better than all of them. I think none offer IPv6, so none actually offer internet access based on OFCOM's definition. Hard to see why they do not include us, and perhaps should exclude all the providers they do list.

It is also odd that they seem to say there are criteria they have for listing ISPs. Well, if that is the case I am sure we can meet them. They also, rather oddly, seem to think that dispute resolution is a voluntary code from OFCOM when in fact it is a legal requirement under the Communications Act.

I am also intrigued that the ASA provide their recommendation as "confidential" when I don't believe I have any confidentiality agreement with them or any such duty. Even so, as MD of AAISP I cannot fail to also read it as the director and take offence (as AAISP) to the implication that we are not one of the "best" ISPs.

This needs to go further. AAISP need to formally write to ASA on this case with evidence that we are one of the best ISPs and were not refused listing because of that but because of logistical impossibility.

Personally I suspect the reason we are not listed is we are not paying broadbandchoices.co.uk but that is a personal and cynical viewpoint that I would be delighted to be proved wrong.

The battle commences :-)

Monday, 4 March 2013

PGP signed email

Obviously, we know Randall is being sarcastic here, really...


But, specially for my friends that do get emails from me that start like that, you may want to know what this is about.

PGP (Pretty Good Privacy) is a standard way to both sign and encrypt emails and other things. You don't have to understand the computing and mathematics behind it, just rest assured that there are people that do.

Signing a message means adding an extra bit to the message (the big block of jumbled characters at the bottom) which can be used to check the signature of the message. This is not really for you to read, but for your mail client to check for you. If you have PGP installed then your mail client will normally hide all this and provide a nice green tick or some such to indicate all is well, or maybe a big red X if it is not right. You can't manually check it. The block of characters is different every time and for every message. If even one character in the message had been changed (e.g. changing "now" to "not" which could radically change the meaning) then the signature would not match correctly. But the signature does not just check that the message is intact but also who signed it. This relies on keys and you will have keys for people you know and trust, otherwise you may see a "good signature from untrusted key" type message. There are ways to check that the key is really who it claims to be, and in my case my business cards even have a key fingerprint on them which you can use to check the key is mine. One could get in to long debates on the meaning of identity at this point, but let's not :-)

In short, to check the signature, you have to have the right software on your computer (in the mail client, normally) and you have to have the sender's key and trust it to be from the real sender. If you start using PGP a bit you'll soon get the hang of it.

When I send a signed email I have to use a pass phrase to confirm it is really me. This is somewhat more secure than a signature on a paper document.

Encryption is a different matter, and some people get confused and think that a signed email is somehow encrypted. The only way I could send you an encrypted email is if I have your public key which I then use to scramble the email in such a way that only you can read it. You have the other half of the key and usually a pass phrase (a long password which is usually some sort of sentence) which unlocks the key and allows the email to be read. Again, you have to have the right software on your computer to do this, and you have to have your key, and your pass phrase, and I have to have used the right key to send the email to you.

So, obviously, don't just do what Randall says here - install PGP on your email client. Check signatures properly. Sign emails if you want. We live in a world of both spooks and data thieves, so taking some precautions may even be sensible.
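The signing and checking described above can be tried with GnuPG, a free implementation of the PGP standard. This is an added example, not part of the original post: the sender identity, message text and file names are constructed, and the key is a throwaway with an empty pass phrase.

```shell
#!/bin/sh
# Added example: throwaway key and constructed message; needs GnuPG 2.1 or later.

# Make a temporary keyring so nothing touches your real ~/.gnupg.
demo_setup() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    # Constructed identity; empty pass phrase only because the key is disposable.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Sender <sender@example.invalid>' \
        ed25519 sign never 2>/dev/null
}

# Clear-sign: text stays readable, signature block is appended. $1=text $2=file
sign_message() {
    printf '%s\n' "$1" | gpg --batch --quiet --yes --pinentry-mode loopback \
        --passphrase '' --clearsign --output "$2" 2>/dev/null
}

# Exit status 0 only if the text is unchanged and the signing key is known.
verify_message() {
    gpg --batch --quiet --verify "$1" 2>/dev/null
}

# The fingerprint is what you compare against a business card or similar.
key_fingerprint() {
    gpg --batch --with-colons --fingerprint 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

run_demo() {
    demo_setup || { echo "setup failed"; return 1; }
    sign_message 'The payment is now approved' "$GNUPGHOME/msg.asc"
    # Change one character of the signed text: "now" becomes "not".
    sed 's/is now approved/is not approved/' "$GNUPGHOME/msg.asc" \
        > "$GNUPGHOME/tampered.asc"
    verify_message "$GNUPGHOME/msg.asc" && orig=good || orig=bad
    verify_message "$GNUPGHOME/tampered.asc" && tamp=good || tamp=bad
    echo "original=$orig tampered=$tamp"
    echo "fingerprint=$(key_fingerprint)"
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

run_demo
```

Note that `gpg --verify` also reports success for a good signature made by a key you have not yet decided to trust, so the fingerprint still needs comparing with one obtained from the person directly.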

Sunday, 3 March 2013

Venetian Blind

The only Venetian blind we saw all weekend
A weekend in Venice is not to be contemplated by those who have trouble walking, and sadly, I am starting to fall in to that category. It was, however, interesting, and a nice present from my wife.

Venice is an interesting place, with lots of history. It is unusual in that it has no roads (and not in a Back to the Future way). The main island has a large, wide, canal snaking through it, which originally had a single bridge (the Rialto) in the middle. There are then small canals carving up the island. Then there are small alleys, some very small, some wider, all walkways only, and lots of small bridges over the canals (at which a gondolier will be offering his trade). A holiday in Venice means a lot of walking.

We explored most of the region between the Rialto bridge and San Marco, which is the biggest square and at the entrance of the Grand Canal to the south. This appears to be the main tourist area. Everywhere we went the tiny walkways are lined with buildings at least 3 stories high with shops on the ground floor. There are smaller squares of various shapes, usually where there is a church. You can't walk more than a few hundred metres without encountering a bridge over one of the small canals.

We did go for a pre-booked serenaded gondola ride which turned out to be 6 gondolas each of 6 people in convoy with one chap between us singing and someone with an accordion. It was a brief trip round the canals. I suspect we would have done better buying a ride for two across town from one of the gondoliers by any of the bridges.

Oh, and oddly, there seem to be a few dachshund dogs on the island!

The shops have much the same everywhere, apart from some places where you have Prada, Gucci, and so on, they are all small shops selling:-
  • Glass - Venice is famous for glass, and there is a selection of local glass in every small shop (plus some Chinese imports). Usually animals, some interesting art, and oddly: clowns!
  • Masks - everywhere and every shape and size and style. Some simple, some whole shop window impressive and grand. There are even glass masks!
  • Calligraphy - not something I expected, but many shops have various styles of calligraphy and wax seals, quite impressive, but the same in every shop.
  • Handbags - typically Italian Leather, and very nice too (if you are in to that sort of thing, which, sadly, Sandra is). We got a rather nice Mary Poppins style one, and a summer handbag, as you do!!!
  • Pasta - in a variety of shapes and colours in bags. You can tell the class of shop by whether they stock all of the shapes, or not. I'll say no more for now.
Being English, we did not do well for food :-) We did try some of the local restaurants, but eventually managed to find the only McDonald's on the island. A useful tip is to find this (there are signs), not just because it is more predictable (and hence boring) food, but because it is in a more normal High Street with more sensible shops including a proper supermarket. Though to find marmite involved searching some of the smaller shops and sadly was only found on the last day. Oh, and to Sandra's horror, there is no Starbuck's on the island! We found a nice little cafe behind the hotel (Bar XiXi) which did nice snacks and cafe latte, recommended.

I was rather intrigued by the clocks on the old buildings, which appeared to be 24 hour, but different styles. One was marked with Roman numerals I to XXIIII (not XXIV, I noted) starting on the right. Another was marked J to J2 (1 to 12) twice, starting at the top. A 24 hour clock makes a lot of sense to me, but odd that there were two totally different styles in the same city.

We even managed to find some less touristy places like the fish market! I don't like fish, so it was a tad gross, but interesting none the less.

So, overall I would say that this is an interesting place if you can get past the tourist shops and look at some of the architecture and history and culture, and if you can walk all day (which I cannot).

There is, however, one serious tip I have to give, and that is to avoid the Hotel Rialto. It is a 4 star hotel, supposedly. It has no bar or restaurant. It has no room service. We ended up with the third room after only two days - the first being a dark and tiny broom cupboard (as Sandra called it), the second was OK I guess, but next to an alley with road works which go on all night and are very noisy (and tell you to F off if you ask them to be quiet). The third was better, still small, on 4th floor (lift went to 2nd) and there was some noise but we managed to sleep mostly. No way to make, or get, tea/coffee. Breakfast did not even include toast! The staff were pleasant enough, but the real issue was managing expectation. The description and pictures shown by travel agent (Thomas Cook) were nothing like the rooms in the hotel. This meant that the holiday, which Sandra had gone to great lengths to make in to a special and romantic long weekend away as a present for me/us, did not live up to expectations. This had her in tears, which upset me somewhat, so left us unhappy. When you go to that level of detail with a travel agent you expect that to happen, at least mostly. It seems many of the lower star'd hotels out of the centre are better (after discussions with people we met), so either avoid Hotel Rialto, or have more realistic expectations.

We did take Ignis (The FireBrick dragon) - he even had his own seat on the BA flight (seeing as some were empty next to us). We managed a few pictures of him until he was kidnapped by a small boy on which we took pity and has now liked FireBrick on FaceBook. They said they would send pictures of his travels :-)
[update: We're pleased to see Ignis had a gondola ride]

Needless to say I took rather a lot of pictures, including quite a few of the Alps as we flew back.

Overall it was a worthwhile trip - thank you Sandra.
Rialto bridge