Thursday, 26 September 2013

Zebra ZXP 8 Card Printer

We just got a new card printer for the office - prints on credit card size plastic cards. We have had one for a long time (Evolis Pebble). Unfortunately the SIM cards we do now have a different type of plastic or surface texture or something and they would not print. In the past it only managed black on a SIM card anyway. So time to get a new one, the Zebra ZXP8, for around £2k. The guys at were great.

I have to say that this is a serious card printer. It is over twice the price of the Evolis, and a bit faster. It is about the same running costs, maybe slightly less. It is way better!

What makes the ZXP8 model special is that it is a re-transfer printer. It prints the images on to a transfer film, and then separately heat transfers that on to the card. This is important as the heat for printing is very different to the heat needed to transfer on to some types of card. Direct printers are fine on perfectly smooth PVC blank white plastic cards. They do not work well at all on a SIM card, often not a smooth surface and with gaps and contacts and a dent for the chip on the back and so on.

I have to say it is impressive. It can do full colour, edge-to-edge, double-sided, and can print on SIM cards perfectly.

There are some points worth noting. The ribbons come in various sorts:-
  • YMCK, allows full colour (YMC) and a solid black (K) layer as well.
  • YMCKK, designed for double sided, YMCK one side, just K the other
  • YMCUvK, does full colour, black, and Ultra Violet!
  • YMCKI, does full colour, black, and Inhibit.
You can also get single colour (e.g. black). The YMC being Yellow, Magenta, Cyan (more commonly stated as CMY) are the three secondary colours used for printing, and K is black. This is normal print process stuff, but the last two ribbons deserve some explanation.

The Uv is quite cool. It is a separate print layer that is invisible. To work properly it needs a second transfer ribbon process of just Uv (all done seamlessly), but the end effect is something you can't see, so what's the point? Well, shine a UV light at your driving licence or some money or bank cards, they all use UV for security. The result is pretty cool. We did this at the LONAP/ISPA event this week for fun and found a fake tenner in someone's wallet, ooops.

The Inhibit is also rather fun, and for the SIM cards. It stops the re-transfer for an area of the card. This allows me to avoid printing on the SIM contacts, and for a mag card would avoid the mag stripe too. In practice, the SIM contacts do not stick, so no need, but would be needed for mag stripe I expect.

Also, it is able to cope with CMY on one side and K on the other, which is not an uncommon arrangement, and allows double sided for the same price as single sided in such cases. The transfer ribbon always uses two panels on this model (shame). But this is a nice feature to save on colour panels on some card designs.

There are several options, and I have gone for the SIM contact reader and the Mag stripe encoder/reader, just for fun. Not using either just yet. You can even get a separate laminater for added protection of the surface or using custom laminates with holograms and the like.

For the technically minded, the colour layer is 8 bits per colour and usually sent as RGB and converted to YMC by the printer. The Uv is 8 bits per pixel. The black and inhibit are 1 bit per pixel. It is 300dpi. Print area is 1024x648 which overlaps the edges of a normal card (1012x637 ish) so proper edge-to-edge even with minor feed/alignment variation.

Of course, having got this Monday morning, I had some work to do - it comes with Windows drivers. I had to find a Windows laptop (sales had one in a corner for use with BT eCo on IE). I spent the morning packet dumping (it is a network connected printer). I spent the afternoon coding linux drivers for it, and was surprised it took me until 6pm to print a card (my excuse is lack of blood sugar, too engrossed to eat).

Packet dumping was done using FireBrick pcap dump and tcpdump to decode, though mostly that meant reading hex.

So I have published the drivers now:

Basically it talks on TCP 9100, has a 16 byte command and 32 byte reply system with optional data payload. Several commands worked out (see comments in the driver code). The application I wrote takes separate postscript or BMP files for each layer, being colour, black, inhibit or Uv for each side, and sends to print. It can also make a preview BMP to see what would print.

I have yet to try and decode talking to the SIM card contacts (useful for smart card coding too) or the Mag stripe encoder, but that should be simple and will be added to the driver code as I need.

Why don't people either produce linux drivers or at least publish the interface specs? How hard can it be?

Update: Mag card read and encode was a doddle, but cannot get it to talk to the SIM cards yet!

It is quite neat that I can tell it to take a card from the hopper, manual feed, or left in printer, and tell it to send a card to the output, a reject tray, or left in printer. This means I can suck in a card, read it, print, mag encode, etc, all as separate jobs. When I get the SIM reader working I can get the SIM ID and then make a print job to print the details on the card. It is pretty slick.

P.S. It talks IPv6

Friday, 20 September 2013

Dumb question!

So, had a few odd transactions on my bank statement. Of course, they did not trigger any alerts or block the card - the fraudulent ones never do! Anyway, card replaced, and I get the paperwork from the bank.

First question: "Could anyone have or had access to either your debit card details or your debit card?"

What a dumb question - the answer is, of course, yes, as every time I buy anything on-line or in person, someone gets access to my debit card details. Of course, the bank also have my card details. Why even ask?

Do they do this as a trick question? After all, they then say: FALSE STATEMENTS CAN RESULT IN PROSECUTION

Strange people.

Monday, 16 September 2013

Bending the rules?

The ICO still cannot get it through their heads that in the case of my "work email address" the company, Andrews & Arnold Ltd is not the subscriber. They are still saying that the email is for a corporate subscriber because "the company in questions is a Limited company". They think that A&A is like any other company that has a contract with a provider for email. Well, A&A don't. A&A run mail servers and have contracts with subscribers like me. Being a ISP makes us special, it makes us the other side of the contract in the definition of "subscriber". I am trying once again. They declined to answer my simple yes/no questions for some reason.

Anyway, this leads me to ponder a simple service A&A could offer.

When companies buy email from us it is normally for a whole domain, typically a company domain. We contract with the company for the domain, DNS, email and web space, normally.

However, there is no reason, technically, why we could not contract with individual members of staff at a company for their work email address within such domains. As the domain is not "ours", the company would have to give us permission to do that, and the company would no doubt already have clauses covering work email with their staff ensuring they keep it confidential and used for work purposes, so no DPA implications. From a technical point of view the service would be identical where staff access an IMAP mailbox from work computers. The only change would be the contract, which would be between us and individual staff members at a company.

What that would do is make all of those work email addresses come under the definition of "individual subscriber" under the regs. As we would not be their employer, we would not be providing it as part of employment to them, so even the ICOs made up rules on that would not make them corporate subscribers. It would not be the employer contracting with the staff for email, it would be us. This is important as we are providers of public electronic communications services, and our typical business customers are not.

The hassle is the admin of charging people for individual email addresses. Thankfully we do have a very efficient direct debit system in place, so charging even £1 a year or some less would not necessarily mean we lose money.

Do let me know if anyone thinks this is a useful service? Not saying we would definitely offer it yet, and it would really only be sensible if we were to convince the ICO of the validity as well.

Then we just need to push MEPs to make the spam laws cover corporate subscribers anyway.

Saturday, 14 September 2013

Ubiquiti APs

I posted before about a Ruckus, and indeed, it is impressive. The only catch with a Ruckus is that to do it right you need multiple APs and a controller which soon adds to the cost.

So, I am now trying the Ubiquiti APs. There is a nice pack of 3 units which linitx do: Ubiquiti UniFi UAP AC 1300Mbps 802.11ac - 3 Pack.

High end pricing for consumer APs, but compares very well with the Ruckus pricing. I am testing the 802.11ac units which cost a bit more but still good compared to Ruckus. The more standard 802.11n and 802.11a stuff is very reasonably priced.

I had to install the app to configure them, which was easy and works on the mac with no problem. It is actually very impressive. I was able to detect the APs and attach to the network. It was very quick and easy to set up.

They are PoE, and come with PoE injectors, though we had have a couple of PoE switchs in the house. They come with wall brackets. My son may even find a shorter, white, patch lead for his games room wall, but I am not sure he cares.

The control app allows you to do a floor plan, which it will quite happily snap shot from google maps.

It has nice reports on usage, pie charts of which AP is used by which device, throughput figures, all sorts. And it just works as a seamless set of APs.

It has plenty of bells and whistles as you would expect - multiple SSIDs linked to VLANs, a "guest" management system.

What did surprise me is that it seems "better" that the Ruckus. One specific point was starting to annoy me of late with the Ruckus. I would open my MacBook Pro, put in the screen lock password, and then still have to wait a noticeable amount of time before the Mac would get a signal. Yes, this is even with the numerous amusing SSIDs all removed. I would also find that it sort of stalled occasionally when in use. The latter point was improved massively by forcing 2.4GHz, though the 5GHz was showing full signal when connected and it was close to the AP. Using the Ubiquiti the Mac has found signal before I have finished typing the screen lock password, is on 5GHz and not stalling or being odd in any way. The next real challenge will be testing VoIP calls from the iPhone over wifi, which was a strain to use on the Ruckus. So far it seems good, but I need to do a few more calls and longer calls to be sure. Obviously, even in a house, having more than one AP helps, but we had managed to place the Ruckus centrally with good signal everywhere, so that should not have been the issue. Long term I expect two will be more than adequate for the house, though I may get one of the LR (long range) units to cover the garden.

Overall I am impressed. We'll be setting up at the office as well. It does leave me with a couple of spare Ruckus to play with :-)

Why am I playing with APs? Well, we have tried many small APs, and so many are iffy in one way or another. The apple airport are around the best of the cheap ones we have found. But we get asked by customers for WiFi, and we need to really be sure what we are selling will be sensible. So we are trying different kit and evaluating at the office and in a home/office environment. We like to have used what we sell or recommend.

This does look like a system we could sensibly sell to customers and expect to just work for them. It would fit well with a FireBrick in our Office::1 package as that can handle VLANs and dish out DHCP on separate LANs for different uses.

Update: Install at office looks tidy:-

Thursday, 12 September 2013

WTF Novatech

So, popped in to Novatech in Reading around 10:30 this morning to get a 3D windows gaming PC.

I explained what I wanted, to be able to play games like WoW in 3D. Asked for recommendations. Was sold a good windows PC, and BenQ 3D monitor. All good. Helped to car with it all. Very helpful. Sorted.

Get home to find that there are no 3D glasses. WTF. Why the hell did he not say. How is what they sold me going to do what I asked? FFS!

Drive back to Reading, around 1pm, only to find the shop shut. The sign clearly says they are open until 7pm.

What a waste of time. I'll find someone else to sell me the 3D glasses, and any other PCs and parts I ever want to buy ever again. Really not amused.

P.S. Sign on the window says this - it is not as clear as it could be! It does not say permanently closed. A nice big heading like "This store is closed down" or something would be clearer - it looks like they have just popped to Portsmouth for a meeting!

They say this was something they did not know until this morning - the board informed them they were closing all except Portsmouth. Obviously someone had printed up the posters in advance. What a way to run a company.

Update: They junk mailed me (I am on the mailing list, but not for long). You can guess my reply:-

Tuesday, 10 September 2013

ICO being a tad strange still

Whilst not relevant for my court case in November, I asked ICO to consider as an email in relation PECR. I pay A&A for email under as an individual so I think the regulations apply. They do not.

Their latest reply:-

I can confirm that having reviewed your correspondence your email address would still be deemed to be a corporate subscriber under the PECR. This is because you are using the email address in the workplace in your capacity as a Director of the organisation and not using it for individual purposes. Whilst the PECR do not mention specifically work email addresses it does refer to corporate and individual subscribers. Email addresses provided by employers to their employees, including Directors, are considered to be corporate for the purposes of the PECR.

Now really? This makes no sense. The PECR has actual definitions in it, and they are outright ignoring them! It defines "corporate subscriber" even and I do not meet that definition. So my latest reply is as follows. We'll see what they say...

P.S. just to clarify why I am doing this - this is about as extreme and edge case as I can find which, in my view, meets the regulations. I am trying to find exactly where the line is drawn on this. If the ICO agree this, then it makes the rules much clearer for everyone.
Relating to email address and services for

1. Do the ICO agree that I meet the definition of "individual" as per
section 2 of the regulations?

“individual” means a living individual and includes an unincorporated
body of such individuals;

I believe I come under the "living individual" part of that, I have a
heart beat and everything, and would be worried if I do not.

2. Do the ICO agree that I meet the definition of "subscriber" as per
section 2 of the regulations?

“subscriber” means a person who is a party to a contract with a provider
of public electronic communications services for the supply of such

I appreciated that is more complex, so lets break that down:-

2a. Do the ICO agree that I am a party to a contract for "such services"
for that email address?

If it helps, I can show you the invoice I pay every month for that.

2b. Do the ICO agree that the other party to that contract, Andrews &
Arnold Ltd, are a "provider of public electronic communications services"?

If not, then A&A get out of a hell of a lot of other laws and
regulations. OFCOM will not be amused.

Now, if you said "yes" to all of these, you have to agree:-

3. Do the ICO agree that, for the email address, I am meet the definition of "individual

I look forward to some simple yes/no answers and will publish them on my
blog. If you say no, please explain, as I really cannot see the loophole
here no matter how hard I try.

Oh, finally, I nearly forgot:-

4. Do the ICO have to actually operate in accordance with the law as
written and actually use the definitions in the law?

Nominet Moots BAN on Swearing and Bad Language in UK Internet Domains

This shows such a lack of clue it is beyond belief.

"The government believes that preventing bad words in domains names could help to tackle abusive behaviour on the Internet"

I have to wonder what other nonsense the government also believes. What the hell happened to evidence based policy - where is this belief coming from.
  1. The idea of banning swear words is mad! The whole idea of what constitutes a swear word changes over time, and depends massively on context. Domain names lack context, so is swearing? It would be a nightmare to manage a list and handle disputes.
  2. Banning a word in a domain name registered at Nominet does nothing for all of the other top level domains. People in the UK often use web sites and email using .com domains or one of the hundreds of other top level and second level domains in the world. Our neighbour in the trading estate here persist in using a domain. If people cannot register in Nominet they will register elsewhere - so how does that, in any way, tackle abusive behaviour?
  3. Banning a word in a UK domain at Nominet does not stop the word being used in a UK domain (especially with second level .uk domains being considered). If I have I can have as a web site or in email address and the ban will have no effect on that as only the part is managed by Nominet.
  4. You cannot tackle behavioural issues by such petty technical means anyway. If there are behavioural issues that need addressing, address the cause not the symptom.
  5. This is, once again, an attempt at censorship, which is bad for lots of reasons, and breaks basic human rights to freedom of expression.
We'll respond to the consultation, but Nominet is wasting its members money - my money - by even considering this - they should simply have replied with "No!", or possibly "Don't be an fucking arse!" [well, perhaps that is not P.C.]

Whatever next? banning spelling mistakes in domain names?

Anyway, I have renewed until 2022 just in case.

[apologies to owners of the example domains I used here]

Update: I am reminded of the case of a company registration, where Companies House do in fact ban swear words. They refused the name Buck & Follocks Ltd, yet they refused to say why! On the same day that they refused it, they did allow Bol Lox Ltd, for example? They made the mistake of suggesting that if there was a Mr Buck and a Mr Follocks maybe it would be OK. So Buck Ltd was created and Follocks Ltd was created. And they were the initial shareholders and directors of Buck & Follocks Ltd and this time it was accepted. Which proves how broken the system was as the judgement of it being inappropriate was not impartial or consistent.

Monday, 9 September 2013

Junk caller pays

We got a junk call to a TPS number at the office, and so we sent a bill for £5 for Alex's time.

We sent it to S Three plc (sound familiar) as the caller claimed to be part of S Three, but it turns out S Three have sold the company, Jobboard Enterprises Ltd who also trade as IT Media, to Dice Holdings Inc (US).

I now have a nice letter from Dice Holdings Inc, by fed ex, clearly taking it seriously (sorry, it really is that badly printed), and saying they will pay the £5 I have claimed, yay!

Jobboard Enterprises Ltd also send me personally loads of junk emails, so I have replied asking for them to settle those claims too. We will see what happens.

But, another win!

Update: The £5 arrived.

Saturday, 7 September 2013

S Three / Huxley and contradictions.

So, on 2nd July 2013 S Three plc wrote to the court and stated that we had come to a settlement agreement:-

Yet, now I am suing for breach of that agreement they say that I could not have accepted that offer, so how could we have come to an agreement.

Bear in mind that offer, which was supposedly not capable of acceptance asked me to accept it, clearly indicating that they were going to finalise the matter (releasing payment) that very day.

They now state in the defence that we could not come to an agreement.

At the moment we have an arbitration call later this month on the original case, where I will explain that we already have a settlement agreement which I am enforcing. We'll see how the arbitrator copes with that.

I am also in discussions with the ICO to formally clarify that as A&A are a provider of public electronic communications services, and as I personally have a contract with A&A that makes me a subscriber for email covering the email address to which Huxley originally emailed, that it is definitely covered by the regulations.

Also, for some reason, they are changing the defendant to S Three Staffing UK Ltd. The offer to settle was made on S Three plc letterhead so I'll advise the court that they are the defendant. [update: re-reading, S Three plc made the offer on behalf of S Three Staff UK Ltd, so maybe that is right]

Should be fun.

Friday, 6 September 2013

Cracked crypto?

Interesting article in the Guardian.

Of course, anyone involved in any news story will have some idea of the quality and accuracy of reporting, and even if the reporting is accurate, there is no doubt some usefulness in these agencies spreading FUD (Fear, Uncertainty and Doubt) by saying they can crack stuff that they cannot.

Ultimately any security system is crackable, what matters is whether that takes micro seconds (and so is done on every message monitored) or takes until the sun burns out, or somewhere between. The key to any security is ensuring data stays secure long enough not to matter, or in a way that it is not worth the effort and cost of cracking it.

The claims in the article are quite varied...

At one point it is claims they have worked to have control over setting of international encryption standards. This would suggest that they have influenced the actual standards used in a way to dumb them down in some way to make them easier to crack. My understanding is that this did happen in the design of GSM encryption where, at a late stage, changes were made at the insistence of governments to dumb down some of the protocols. However, open standards would be very difficult to dumb down like this - they are designed in an open and public forum.

Then they talk of the use of supercomputers to break encryption with "brute force". This seems unlikely, and is where the cost of breaking a message is high, so has to be very targeted. In practice you can't just brute force encryption, but anything with a user chosen password can be, as people are stupid when it comes to picking passwords. Again, this would be somewhat targeted.

Then they talk of the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves. This is not entirely clear. Obviously encryption is end to end, and so if you access a secure web site, anyone working with the site owner can access everything without cracking any encryption. I am not sure how working with ISPs fits. If you are using end to end email encryption then this will have no effect.

And finally: Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software. This is interesting. The key word here is "commercial". There are lots of non-commercial, open-source, widely checked and validated systems for encryption and you use them every day. The most popular web servers in the world are apache based, which is open source. One of the key email encryption systems is PGP which is still available open source (GPG). Open source means that anyone can see every line of the source code, and can see any back doors that have been added - there are a lot of very smart people all over the world that make a point of checking this stuff.

What they seem to miss in the article is one simple thing that is widely believed to be happening. The provision of certificate authority keys to the NSA, GCHQ, etc. This allows man-in-the-middle attacks on https without warnings on your browser as they can create valid certificates for their interception systems on the fly and decrypt your traffic just as the endpoint could. This is risky to use as it is something that could be detected.

There is one final point which is rather odd. GCHQ team has been working to develop ways into encrypted traffic on the "big four" service providers, named as Hotmail, Google, Yahoo and Facebook. This basically makes no sense. These are web based services that use https. For any form of legal interception they simply need to work with those companies, via their hosting governments, to request the data from them. They do not need to decrypt anything.

The real messages here are, use open source software, you have to trust the endpoint, use GPG to send encrypted emails wherever possible so that it is normal and not a sign of "hiding something".

Wednesday, 4 September 2013

BBC fooled by my tarpit

I was surprised when someone from the BBC emailed in asking about buying one of our numbers as they had called it and heard (after a loop of announcements)  that the number is for sale.

I was all excited and explained that it was for sale and we had other numbers for sale.

Then I get "Well that hardly explains why the NRSA[sic] threat with suggestions of terrorist activities and pretend 'I'm slightly deaf' announcements should be on the line." and "I will delete the number and suggest you consider listening to the messages and see if you think they are an appropriate was[sic] for a rebuttable[sic] business to behave."

He sounds cross to me. So I listened to the message again as suggested. We start :-


"You have called the wrong number, this number is not actually in service. However, this message will continue as we are trying to catch out junk callers..."

That is 100% clear, and nobody should be at all fooled by that. Apparently someone from the BBC was. Sorry if it confused you - hope you listen more carefully in future.

More than happy to work with you guys on a story about the annoyance of illegal junk callers...

They must have noticed, surely?

OK, I admit it, I was re-watching Stargate Atlantis season 3 back to back, as you do, thanks to Sky On-Demand boxed-sets.

But the same applies to many TV series, especially Sci-Fi.

Almost every episode there is some peril that is un-surmountable, yes they always somehow find a solution or get unexpected help at the last moment. No matter how dire the situation.

Indeed, Stargate has been going long enough that the script writers take the piss slightly and comment on this some times.

But surely the characters in the plot should have noticed how implausible their life is by now? Why don't they notice?


I was pondering... life on Earth has resulted from such unlikely sequences of events and continues in the face of huge risks from meteors, volcanoes, some of our own stupidity, and all sorts. We are so implausibly lucky...

Aw! crap!

[No, I don't believe in a "script writer" either, honest, it is just that the lucky ones are the only ones that get to reflect on how lucky they have been, that is all]

Tuesday, 3 September 2013

Crashing blog post

I have had a rather odd comment from someone about my previous blog post, which I would point out does not crash my safari due to some aspect of the way blogger are presenting the characters. It was also tested with several other people.

The comments were :-

19:11 So I'm really curious why you think it's acceptable to crash people's software on purpose?
19:12 I consider that un-professional, childish and in general a jerk move.

To my view this is very very misdirected anger. The error lies with Apple, not me. And I wonder what would happen if the sequence that crashed browsers was something like "flubble" or even something simpler like "hello" - would posting such, even knowing it crashed people, be unacceptable. What if it was someone's name (even if in Arabic)? Saying that everyone should avoid posting that person's name, even knowing that some people with broken software have some inconvenience, would be crazy. The fact it is a more obscure sequence of characters does not really change the fact that it is a valid UTF-8 sequence and there is no reason I should not post it.

He went on:-

19:12 I'm sure that if someone did the same to you you'd be all waving "Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer" at them or some such

This gets rather interesting. I is being suggested that technically, an act as to impairing operation of a computer is a crime. But if this Act was applied to this sort of thing, then I'll tell you now that I will be using a browser which crashes (is impaired) when it sees the word Cameron (as a made up example), so anyone tweeting or posting that on any forum is being reckless as to the impairment of my computer and breaking the law so must not do it. The scale is not a factor in breaking the law - intending to impair one computer is enough. Bingo, I now have a new troll hammer. It clearly makes no sense. In practice the legislation talks of unauthorised acts. For a start neither I, not the web server, did any "act" at all, the person choosing to navigate to my blog did the act, but even if you consider the server somehow complicit in an act, the act of "displaying text in a broswer" in such a context is clearly authorised bt the browser user, so IMHO(IANAL) it is not covered by the CMA anyway, so tough!

Yes, there is a risk that my blog caused some annoyance, or rather Apple's incompetence has caused some annoyance, not my blog post. Some people using rss feeds have suffered, apparently. The fact the blog post itself did not crash the browsers I tested meant I believed that it was not an issue, and so was not in fact reckless.

The annoyance needs to be directed at the party that has made the error, Apple.

My particular annoyance is not directly at the making of the error - I write software, I know the issues. The concern is the time taken to fix it. I am quite shocked that 24 hours after I knew about it Apple have not taken the current stable code on iPhone, iPad and Mac and patched it and released a patch with no other changes. They have the update mechanisms in place. Even with serious change control procedures, a patch like this that has such major impact should have been released.

What is worse is that one web site suggested Apple knew 6 months ago. Expecting 24 hours is probably optimistic for a large company, but not unrealistic for something major, but 6 months delay is totally unacceptable.

So, as it says at the top of my blog, "If you find any words or pictures menacing or offensive, stop reading now." Maybe I need to add "or likely to impair your computer".. I'll do that.

Monday, 2 September 2013

سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتخ

Update: See article in the register. Suggests it can be done with as few as 4 characters...

Seriously, if Apple knew 6 months ago, as is being suggested, why was a patch not released. They have an upgrade mechanism.

I can't open my texts until my idiot son sends some new texts to replace the one he sent.

I can tell exactly how many people are using irc on a mac directly and not via irssi on our irc channel.

They better have an update for this damn quick.

Update: Apparently it can be done with 6 characters, three of one, a space and two of another, making 11 bytes in total. I wonder what the bug is.