Three Parties

I’ve had a few weekends full of party. It’s no wonder I’m knackered.

Andy’s 30th

First, there was Andy’s 30th birthday. Ruth, JTA and I slogged our way over to Cardiff to celebrate in style with pizza, booze, and dancing.

Dancing to Black Lace at Andy’s 30th birthday.

Siân’s got more to say on the subject, but suffice it to say this: it’s been a long, long time since I’ve found myself dancing in a nightclub until half past two in the morning, then grabbing a thoroughly disgusting-looking (but remarkably good-tasting) portion of fried food as an after-club snack. Oh, and Alec drooled all over himself long before he ended up sharing a bed with me.

Honestly, I didn’t think I had it in me to party like that any more: I’m such an old man (having myself turned thirty a good year and a bit prior). Didn’t stop me from getting up before anybody else the following morning for a quick geocaching expedition, though…

Summer Party On Earth

The following weekend was the Summer Party On Earth: an event that started out with Ruth saying “Let’s have a summer party!” and finished as a nostalgia-themed marathon of epic proportions.

This… was a party with everything. It had kids’ toys like Brio wooden railway, Lego bricks, and a marble run; it had soup and buffets and a barbeque and cakes; it had board games and party games and drinking games; it had beer and wine and cocktails; it had the world’s tiniest and most-nettley geocaching expedition… and from the time that we first started entertaining guests to the moment that the last of them left, it lasted for an exhausting 36 hours.

Some early guests play Ca$h ‘N’ Gun$, a live-action game of gun-toting gangsters.

It was particularly interesting to get together with people from all of our varied social circles: workmates, former workmates, local friends, distant friends, partners of friends… all kinds of random folks coming to one place and – for example – pointing foam guns at one another.

Gareth, Rory and Adam put the finishing touches on their (second) wooden railway layout. I’m pretty sure we ‘lost’ them for more than half of the party as they disappeared into the ‘playroom’.

In order to help us identify, classify, and dispose of some of the vast collection of booze that Ruth has recently inherited, JTA invented a drinking game. What can I say about it? Well: it certainly brought us all a lot closer together to suffer through some of the drinks we were served…

Everything seems a little blurry, and Alec isn’t grimacing as much as he did with some of the other drinks he’s been forced to try.

As usual for any party at which Ruth caters, everybody was required to consume their own weight in (delicious, delicious) desserts, and we only just finished eating the very last of the party food, almost two weeks later.

Matthew & Katherine’s Wedding

Finally, then, just the weekend after that, was the wedding of two folks I know via the Oxford Quakers: Matthew and Katherine.

Matthew and Katherine cut the cake in the garden of the Quaker Meeting House.

I turned down the curious “What to expect at a Quaker wedding” leaflet as I entered: after all, I felt like an old-hand now, after helping make Ruth & JTA’s wedding into one of the most spectacular events ever. Well, maybe I shouldn’t have, because every wedding is as different as every bride and groom, and Matthew and Katherine’s was no exception. They’d clearly put so much thought into exactly what it is they wanted to do to celebrate their special day, and – with the help of their friends and family – had pulled everything together into a beautiful and remarkable occasion.

The céilidh. More weddings should have cèilidhean.

For me, particular highlights included:

  • One of the most adorable couples ever.
  • Not just a “vegetarian-friendly” meal, but one where vegetarianism was the norm (and guests were required to state if this wasn’t okay for them).
  • Catching up with folks who I don’t see as much of these days as I might like (and meeting new people, too).
  • A céilidh! More weddings should have these (although it’s the first time I’ve ever seen a “first dance” where the bride and groom were given instructions on what steps to do right before the music started).

Three Rings – Then And Now

Those of you who’ve been following Three Rings over the last decade (either because you’ve volunteered somewhere that used it, or because you’ve listened to me rave about it over the years) might be interested in this new post on the Three Rings blog. It’s about how Three Rings has evolved over the last 10+ years of its life from a tiny system designed specifically for the needs of Aberystwyth Nightline into the super-powerful charity management tool that it is today, and how it’ll continue to evolve to meet the needs of the helplines and other charities that use it for the next ten years.

Three Rings as it appeared about seven years ago. Do you remember this?

It still blows my mind that something that began as a bedroom project has come to support over 13,000 volunteers around the UK, Ireland, and further afield (we’ve recently been getting started with supporting Samaritans branches in New Zealand and Australia). Now, of course, Three Rings is a volunteer-driven company with a “core” team of half a dozen or so… as well as tens of others who help with testing. It’s eaten tens of thousands of development hours and it’s become bigger and more-important than I’d ever dreamed. Of all of the volunteer work I’ve been involved with, it’s easily the one that’s helped the most people and had the biggest impact upon the world, and it still excites me to be part of something so huge.

So here’s to another ten years. Do go and read the post on the Three Rings blog if you’d like to see more retro screenshots.


The Coroner’s Inquest

Warning: this post contains details of the nature of the accident that killed my father, including a summary of the post-mortem report and photographs which, while not graphic, may be evocative.

Last week, I attended a coroner’s inquest, which (finally) took place following my father’s sudden death earlier this year. It’s been five months since he fell to his death in the Lake District, while he was training for a sponsored trek to the North Pole this spring. Despite the completion of the post-mortem only a week or so after his death and the police investigation not running on too much longer after that, it took a long time before the coroner was ready to set a date for an inquest hearing and finally put the matter to rest.

Legal gavel and books and stuff.
A selection of “lawyer things” notably absent from our minimally formal inquest hearing. Photo courtesy “_falcow” (Flickr).

I made my way up to Kendal – presumably chosen for its proximity to the coroner who serves the hospital where my father was airlifted after his fall – in a rental car, picking up my sisters and my mother in Preston on the way. We were joined at the County Hall by my dad’s friend John (who was with him on the day of the accident), Kate (a partner of my dad’s), and – after his complicated train journey finally got him there – Stephen (one of my dad’s brothers).

Mostly, the inquest went as I’d anticipated it might. The post-mortem report was read out – the final verdict was that death was primarily caused by a compression fracture in the upper spine and a fracture of the base of the skull, which is a reassuringly quick and painless way to go, as far as falling injuries are concerned. John’s statement was summarised, and he was asked a series of clarifying questions in order to ensure that my dad was properly equipped and experienced, in good health etc. on the day of his accident.

The route up Blea Water.
The last walk my dad ever made: the yellow line shows where he and John walked. The magenta line shows the path of my dad’s fall.

This was clearly a painful but sadly-necessary ordeal for John, who’d already been through so much. In answer to the questions, he talked about how he and my dad had rambled together for years, about how they came to be where they were on that day, and about the conditions and the equipment they’d taken. And, in the minutes leading up to my dad’s death, how he’d been coincidentally taking photographs – including the one below. He’d been in the process of putting his camera away when my dad slipped, so he didn’t see exactly what happened, but he looked up as my dad shouted out to him, “John!”, before he slid over the cliff edge.

Later, we heard from the police constable who was despatched to the scene. The constable had originally been en route to the scene of a minor road crash when he was diverted to my dad’s accident. He related how the two helicopter teams (the Air Ambulance hadn’t been able to touch down, but paramedics had been able to leap out at low altitude, so an RAF Search & Rescue helicopter was eventually used to transport the body to the hospital) had worked on the scene, and about his investigation – which had included seizing John’s digital camera and interviewing him and the other ramblers who’d been at the scene.

My dad, climbing, moments before his accident.
This photo of my dad, approaching a snow bank as he scrambles up the hillside, was taken only moments before he slipped and fell.

That’s all very sad, but all pretty-much “as expected”. But then things took a turn for the unexpected when Kate introduced herself as a surprise witness. Making an affirmation and taking the stand, she related how she felt that my father’s walking boots were not in adequate state, and how she’d told him about this on several previous occasions (she’s now said this on her website, too).

I’m not sure what this was supposed to add to the hearing. I suppose that, were it not for the mitigating factors of everything else, it might have ultimately contributed towards a possible verdict of “death by misadventure” rather than “accidental death”: the subtle difference here would have affected any life insurance that he might have had (he didn’t), by giving a reason to reject a claim (“he wasn’t properly-equipped”). John’s statement, as well as subsequent examination of my dad’s boots by my sister Sarah, contradicted Kate’s claim, so… what the hell was that all about?

A Search & Rescue helicopter hovers above my dad.
A further photo by John, showing one of the two helicopters that were involved in the operation, hovering above the spot where my dad is attended by paramedics. A selective blur filter has been added.

We all handle grief in different ways, and it’s my hypothesis that this was part of hers. Being able to stand in front of a court and describe herself as “Peter’s partner” (as if she were the only or even the most-significant one), and framing his death as something for which she feels a responsibility (in an “if only he’d listened to me about his boots!” way)… these aren’t malicious acts. She wasn’t trying to get an incorrect verdict nor trying to waste the courts’ time. This is just another strange way of dealing with grief (and damn, I’ve seen enough of those, this year).

But I’d be lying if I said it didn’t cause quite a bit of concern and confusion among my family when she first stood up and said that she had a statement to make.

Anyway: regardless of that confusing little diversion, it’s good that we’ve finally been able to get the coroners’ inquest to take place. At long last – five months after my dad’s death – we can get a proper death certificate and I (as an executor of his will) can start mopping up some of the more-complicated parts of his estate.


Edinburgh Free Fringe 2012 Venue Map

After a few years’ break, I’m once again heading up to Edinburgh for the Fringe Festival. As on previous occasions, I expect to spend a lot of time enjoying Peter Buckley Hill’s Free Fringe, which is just about the best thing to happen to the Fringe ever. And this time, I’m going to be better-prepared than ever. I’ve made a map.

Map of the 2012 Free Fringe.
You can be better-prepared, too, because my PBH Edinburgh Free Fringe Map 2012 is here for you, as well.

Sharing is caring, so I’ve made the map available to you, too. Click on the picture to see the map. Because it’s in Google Maps it ought to work on your mobile phone. If you’ve got GPS then you can get lost in Edinburgh in high-tech ways you never before thought possible. Click on any given venue for a web address where you can find a list of events that are occurring at that venue.

Or if you’re really nerdy, you can download the KML and go geocaching-for-comedy. Just me? Okay then…

Update: you can now view the map on the frontpage of the Free Fringe website, too.

Bee

Bee, by Emily Short, uses the Varytale platform to produce a “Choose Your Own Adventure”-style tale that’s insightful and compelling.

On account of having a busy life, I only just recently got around to playing Bee, Emily Short’s interactive book on the Varytale platform. Varytale is one of a number of recent attempts to make a modern, computerised system for “choose your own adventure”-style fiction, alongside the likes of Undum, Choice Of Games, and my personal favourite, Twine/Twee. As a beta author for the platform, Emily was invited to put her book on the front page of the Varytale website, and it’s well worth a look.

Bee is the story of a young girl, home-schooled by her frugal and religious parents. After a few short and somewhat-linear opening chapters, options are opened up to the reader… and it doesn’t take long before you’re immersed in the protagonist’s life. Her relationships with her sister, her parents, and the children from the local homeschool co-operative and from her church can be explored and developed, while she tries to find time – and motivation – to study for the local, regional and national spelling bees that are her vocational focus.

The choices you make will affect her motivation, her spelling proficiency, and her relationships, and in doing so open up different choices towards one of the book’s four possible endings. But that’s not what makes this piece magical (and, in fact, “choose your own adventure”-style games can actually feel a little limiting to fans of conventional interactive fiction):

Minor spoilers below: you might like to play Bee for yourself, first.

What’s so inspirational about this story is the compelling realism from the characters. Initially, I found it somewhat difficult to relate to them: I know next to nothing about the US education system, don’t “get” spelling bees (apparently they’re a big thing over there), and certainly can’t put myself in the position of a home-schooled American girl with a super-religious family background! But before long, I was starting to really feel for the character and beginning to see how her life fit together.

To begin with, I saw the national spelling bee as a goal, and my “spelling” score as a goal. I read the book like I play The Sims: efficiently balancing the character’s time to keep her motivation up, so that I could get the best out of her cramming sessions with her flashcards. Under my guidance, the character became highly-academic and driven by achievement.

Spelling Bee (British TV show)
Apparently there existed a short-lived British game show called Spelling Bee, which was on television way back in 1938! Click the picture for more information.

After I’d won the local spelling bee with flying colours, I came to understand how the game actually worked. Suddenly, I didn’t need to study so hard any more. Sure, it was important to get some flashcard-time in now and then, but there were bigger things going on: making sure that my little sister got the upbringing that she deserved; doing my bit to ease the strain on my family as financial pressures forced us into an even-more-frugal lifestyle; finding my place among the other children – and adults – in my life, and in the church.

By the time I made it to the national spelling bee, I didn’t even care that I didn’t win. It was almost a bigger deal to my mother than to me. I thought back to the blurb for the story:

Sooner or later, you’re going to lose. Only one person wins the National Spelling Bee each year, so an elementary understanding of the odds means it almost certainly won’t be you.

The only question is when you fail, and why.

Then, everything made a little more sense. This was never a story about a spelling bee. The spelling bee is a framing device. The story is about growing up, and about finding your place in the world, and about coming to an age where you can see that your parents are not all-knowing, not all-understanding, far from perfect and with limits and problems of their own. And it’s a story about what you do with that realisation.

And it’s really pretty good. Go have a play.


Quiet On Set

Before I started working for the Bodleian, I’d never worked somewhere where there was a significant risk of a film crew coming between me and my office. But since then, it seems to happen with a startling regularity.

This morning, I was almost late for work as I fought my way past a film crew shooting The Quiet Ones, some variety of supernatural thriller B-movie.

This guy. That bridge. Listen.

So, when you end up watching it: wait until you get to the scene where this guy walks under the Hertford Bridge, and listen carefully for the sound of somebody walking across gravel just off camera. That’s me, putting my bike away having finally squeezed my way past all of the cameras and equipment on the way to my office.


Living In The Future

Eurovision Night 2012. In a moment of surreal awesomeness, Matt R holds a mirror up to the webcam in order to show Gareth the collection of whisky that’s just outside of his field of vision.

Sometimes it’s really like we’re living in the future. Exciting new technologies keep appearing, and people just keep… using them as if they’d always been there. If tomorrow we perfected the jetpack, the flying car, and the silver jumpsuit, I’ll bet that nobody would think twice about it.

Recently, I’ve had two occasions to use Google+ Hangouts, and I’ve been incredibly impressed.

The first was at Eurovision Night 2012, which was quite a while ago now. Adam did a particularly spectacular job of putting together some wonderful pre-Eurovision entertainments, which were synched-up between our two houses. Meanwhile, he and I (and Rory and Gareth and occasionally other people) linked up our webcams and spare screens via a Google+ hangout, and… it worked.

It just worked. Now I know that the technology behind this isn’t new: back in 2004, I upgraded the Troma Night set-up in Aberystwyth to add a second webcam to the Troma Night live feed. But that was one-way, and we didn’t do sound (for lack of bandwidth and concerns about accidental piracy of the soundtracks to the movies we were watching, of all things, rather than for any particularly good reason). But it really did “just work”, and we were able to wave at each other and chat to each other and – mostly – just “share in the moment” of enjoying the Eurovision Song Contest together, just like we would have in person when we lived in the same town.

At the weekend, I was originally supposed to be in Lancashire, hanging out with my family, but owing to a series of unfortunate disasters (by the way; I’m walking with a stick right now – but that’s not interesting enough to be worth blogging about), I was stuck in Oxford. Despite torrential rain where I was, Preston was quite sunny, and my family decided to have a barbeque.

A Google+ Hangout with my family and I.
I join a Google+ hangout at my (late) father’s house, where the rest of my family are having a barbeque.

I was invited… via Google+. They didn’t have Internet access, so they used a mobile dongle plugged into a laptop. I connected in from my desktop computer and then – later – from my mobile phone. So yes, this was at times a genuine mobile-to-mobile multi-party video conference, and it was simple enough that my mother was able to set it up by herself.

Like I said: living in the future.


Webcomics With Puzzles

Like puzzles? Like webcomics? Then here are two things you ought to see:

Crimson Herring

The first is the short-lived webcomic Crimson Herring. Personally, I’m hoping that it’ll come back to life, because it really had lots of potential. In each episode, a “crime drama” plays out, and you – the reader – are left with just enough clues to solve the case. Sometimes you have to really pay attention to the pictures, other times to the words, and it’s really got a good idea going for it.

A frame from Crimson Herring – Duel at Dawn.

Even if it turns out to be completely dead, now, you can go back and read the archives: start here! And if you like it, leave a comment and let the author know; see if we can get it brought back again.

A recent Abstruse Goose

A recent Abstruse Goose, called “A Simple Puzzle 4”, had me thinking for a few days, and then the answer suddenly came to me.

Frame 29 from Abstruse Goose – A Simple Puzzle 4.

The idea behind the comic is really quite clever; but once you’ve worked out the key, putting the panels into the right order isn’t difficult at all. Give it a go!


KeePass for Opera

Opera 12 has been released, and brought with it a handful of new features. But there’s also been a feature removed – a little-known feature that allowed power users to have the web address appear in the title bar of the browser. I guess that the development team decided that, because the title bar is rarely seen nowadays (the space which a title once occupied has for a long while now been used as a tab strip, in the style that Google Chrome and Mozilla Firefox eventually copied), this feature wasn’t needed.

But for users of the KeePass Password Safe, this has the knock-on effect of crippling the ability for this security tool to automatically type passwords and other form data into web pages, forcing users to take the long-winded route of manually copy-pasting them each time.

KeePass for Opera Plugin

To fix this problem, I’ve released the KeePass for Opera browser extension. It’s ludicrously simple: it injects a bit of JavaScript (originally by Jean François) into every page you visit, which then appends the URL of the page to the title bar. This allows KeePass to detect what site you’re on, so the usual Global Auto-Type command (typically Left Ctrl + Alt + A) will work as normal.
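A content script along the lines described above, as an added example (it is not the extension's own source, nor Jean François's script). It deviates from the post in one labelled way: it appends only the scheme and host rather than the whole URL, so query-string tokens stay out of a window title that other local programs can read. The function names and the separator are assumptions.

```javascript
// Added example: function names and SEPARATOR are assumptions, not taken
// from the KeePass for Opera extension.
const SEPARATOR = " - ";

// Reduce a page address to scheme + host (+ port). Dropping the path and
// query keeps session tokens and password-reset links out of the title.
// Returns null for pages that are not http(s) (about:, file:, data: ...).
function titleSuffix(href) {
  const u = new URL(href);
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.origin + "/";
}

// Return the title with the site suffix present exactly once.
// Idempotent, so it is safe to call every time the page changes its title.
function decorateTitle(title, href) {
  const suffix = titleSuffix(href);
  if (suffix === null) return title;
  const tail = SEPARATOR + suffix;
  let base = title;
  while (base.endsWith(tail)) base = base.slice(0, -tail.length);
  return base + tail;
}

// Browser wiring: decorate now, and again whenever the page rewrites its
// <title> (single-page apps do this on every navigation).
function install(doc, loc) {
  const apply = () => {
    const wanted = decorateTitle(doc.title, loc.href);
    if (doc.title !== wanted) doc.title = wanted; // no-op when already done
  };
  apply();
  const titleEl = doc.querySelector("title");
  if (titleEl && typeof MutationObserver !== "undefined") {
    new MutationObserver(apply).observe(titleEl, {
      childList: true,
      characterData: true,
      subtree: true,
    });
  }
}

// Only runs inside a browser page; under Node the functions are just defined.
if (typeof document !== "undefined") install(document, location);
```

Because a page controls its own title, a title-based match is a hint about the foreground site rather than proof of it.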

Install KeePass for Opera: https://addons.opera.com/en-gb/extensions/details/keepass-auto-type/

Download KeePass for Opera (browser extension)

Open in Opera to install.

Further reading:

I’ve mentioned KeePass a few times before. See:

Domain Name Hacks of 2013

Now that the list of new top-level domain applications for 2013 has been revealed, geeks around the world can start planning for the domain hacks of the future. Please.do.not.disturb.me was fun, and all, but if many or all of these new registries are willing to sell their domains to anybody, there’s a lot of potential for new and unusual domain names.

please.do.not.disturb.me
http://please.do.not.disturb.me/ – a website based on a simple domain name hack

I suspect we’ll soon be typing in addresses like:

  • jack.and/jill – the .and TLD is clearly supposed to be for the Andalusian community in Spain, but I doubt that’s going to stop people from coming up with imaginative uses for domain names where you can just “put your own suffix” after the .and/, like we used to do with .isgay.com before it got taken over by domain squatters. (Note that .gay will soon be a TLD, so there’s probably going to be a whole raft of these new sites soon…)
  • crow.bar – or as we’ll say at the time, “.bar – it’s not just for bars any more!”
  • I quite like the idea of sugar.beats, but I think a far more popular use will be “put your own suffix” sites, again, like rock.beats/scissors.
  • ro.bot – .bot is one of the many TLDs that Amazon is going for, and it seems likely to me that they’re going to try to resell domains underneath it. I’m just not sure whether sex.bot or ro.bot will be first to be snatched up.
  • not.just.broke.but.broker – perhaps you have to be in my head to find this amusing.
  • fizz.buzz. This web site would have the best hit counter ever on it (why?).
  • s.care, s.cars, s.expert, s.tab, and dozens of other domain names that are only a letter away from meaning something completely different – and that letter is often “s”.
  • mon.day, sun.day, dooms.day, birth.day – etc. etc. I’d buy birth.day if the price was right, and then run a basic site spanning happy.birth.day, first.birth.day, and the like, with automatically-generated content on each. It’d be fun.
  • yo.dog – a complete abuse of the .dog TLD, no matter what its purpose is supposed to be. Better still, I’d put a page at http://yo.dog.yo.dog/yo.dog, containing the message “I heard you like domain names in your domain names, so I put a domain name in a domain name.” (why?)
  • electric.fan – the website that Koreans will set as one another’s home page, as a cruel prank against the superstitious.
  • jelly.fish would be an awesome domain name! Who wouldn’t want to have the email address throw.stones@jelly.fish?
  • mtee.ggee – the future domain name of Hungry Horse pubs? (get it? “empty gee-gee”?)
  • a.boy.named.goo, after the Goo Goo Dolls album. But then, I don’t object to domain names with possibly-excessive numbers of dots in them, as the Summer Party On Earth website probably gives away. Hell: I could possibly be using a.home.called.earth as the domain name for our house, in 2013.
  • fag.got – I’ll bet that homosexual sex blogger Dan Savage, who’s been trying to reclaim the word “faggot”, would love to have the email address hey@fag.got!
  • bl.ink – I’ve got an idea for a webcam-based site, like ChatRoulette, but with facial recognition software that watches your eye movements. You get paired up with a random stranger and the pair of you have a staring contest, right over the Internet. If you win, you get a point. It’ll be awesome.
  • commun.ist, rac.ist, anarch.ist, etc. – I’m sure that Istanbul, for whom the .ist TLD is intended, won’t mind if we borrow their new domain name for a few amusing addresses. Like the email address shoot@the.rac.ist, for example.
  • bob.lob.law/law/blog – with apologies to those who don’t follow Arrested Development.
  • bi.ngo – sure, .bingo is likely to exist anyway, but this way’s more fun.
  • fuck.off – I have no idea what anybody else expected the .off TLD to be used for, if not this.
  • child.ren – I quite like this, because it makes not only a full word, but the first part is a word, too.
  • im.off.ski – faux Russian is never going to go out of style.
  • tube.tube.tube – if I can, I’m totally setting this site up in 2013. All that there’ll be is the picture, below, which makes me smile every time I see it.
Polar bear: got my tube, tube tube tube, tuuuuuuube!
Tube tube tube. Soon to appear at http://tube.tube.tube/, if I get my way.

Honestly, though: it feels like all of these new top-level domain name opportunities take a lot of the fun out of domain hacks. The more TLDs we have, the easier it is to put together words and phrases with the opportunities given.

Scrabble wouldn’t be so enjoyable if each player had a rack of, say, 30 tiles, rather than just 7. The restrictions (and working around them) are what make domain-name-based jokes so funny, in my mind. What are we supposed to do in a world where anybody with a spare $185,000 USD can have anything he wants?

When I realise that the era of funny domain hacks is coming to an end, it makes me a little sad. But then I look at that picture of a polar bear and everything’s okay again. Tuuuuuuube!


Cardless Cashpoints

My mobile banking app, showing me a special six digit code.
The mobile app presents you with a special six-digit code that is used to withdraw the cash.

RBS Group this week rolled out a service to all of its customers, allowing them to withdraw cash from an ATM without using their bank card. The service is based upon the same technology that’s used to provide emergency access to cash by people who’ve had their cards stolen, but integrates directly into the mobile banking apps of the group’s constituent banks. I decided to give it a go.

The first step is to use the mobile app to request a withdrawal. There’s an icon for this, but it’s a bit of a mystery that it’s there unless you already know what you’re looking for. You can’t make a request from online banking without using the mobile app, which seems to be an oversight (in case you can’t think of a reason that you’d want to do this, read on: there’s one at the end). I opted to withdraw £50.

Next, it’s off to find a cash machine. I struck out, without my wallet, to try to find the nearest Royal Bank of Scotland, NatWest, or Tesco cashpoint. The mobile app features a GPS tool to help you find these, although it didn’t seem to think that my local Tesco cashpoint existed, walking me on to a branch of NatWest.

Cash machine: "Do you wish to carry out a Get Cash or Emergency Cash transaction? [No] [Yes]"
The readout of the cash machine demonstrates that the roots of the “Get Cash” system lie in the older “Emergency Cash” feature: the two are functionally the same thing.

As instructed by the app, I pressed the Enter key on the keypad of the cash machine. This bypasses the usual “Insert card” prompt and asks, “Do you wish to carry out a Get Cash or Emergency Cash transaction?” I pressed Yes.

Entering a 6-digit code from a mobile phone into a cash machine.
The number displayed upon the screen is entered into the cash machine.

The ATM asked for the PIN I’d been given by the mobile app: a 6-digit code. Each code is only valid for a window of 3 hours and can only be used once.

A cashpoint asking for the PIN a second time, and then asking for the amount of money to withdraw.
The cash machine asks for the PIN a second time, and then asks for the sum of money to be withdrawn.

I’m not sure why, but the ATM asks that the PIN is confirmed by being entered a second time. This doesn’t make a lot of sense to me – if it was mistyped, it’d surely fail anyway (unless I happened to guess another valid code, within its window), and I’d simply be able to try again. And if I were an attacker, trying to guess numbers, then there’s no difficulty in typing the same number twice.

It’s possible that this is an attempt at human-tarpitting, but that wouldn’t be the best way to do it. If the aim is to stop a hacker from attempting many codes in quick succession, simply imposing a delay would be far more effective (this is commonplace with cash machines anyway: ever notice that you can’t put a card in right after the last transaction has finished?). Strange.

Finally, the ATM asks what value of cash was agreed to be withdrawn. I haven’t tried putting in an incorrect value, but I assume that it would refuse to dispense any cash if the wrong number was entered – this is presumably a final check that you really are who you claim to be.
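A model of the checks this walkthrough describes (six-digit code, three-hour window, single use, agreed amount), with a per-machine delay after each failure in place of double entry. It is an added example, not RBS's implementation: the class and function names, the 30-second base delay and the one-hour cap are all assumptions.

```javascript
// Added model, not the bank's code. Stated in the post: 6-digit code,
// 3-hour validity, single use, amount re-entered at the machine.
// Assumed here: every name, BASE_DELAY_MS and MAX_DELAY_MS.
const CODE_TTL_MS = 3 * 60 * 60 * 1000;
const BASE_DELAY_MS = 30 * 1000;      // delay after the first failure
const MAX_DELAY_MS = 60 * 60 * 1000;  // ceiling for the doubling delay

// Unbiased 6-digit code from the platform CSPRNG (rejection sampling).
function randomCode() {
  const buf = new Uint32Array(1);
  const limit = Math.floor(0x100000000 / 1e6) * 1e6;
  do { globalThis.crypto.getRandomValues(buf); } while (buf[0] >= limit);
  return String(buf[0] % 1e6).padStart(6, "0");
}

class CashCodeService {
  constructor(makeCode = randomCode) {
    this.makeCode = makeCode;
    this.pending = new Map(); // code -> { amountPence, expiresAt }
    this.atms = new Map();    // atmId -> { fails, blockedUntil }
  }

  // App side: the customer requests a withdrawal and is shown the code.
  issue(amountPence, now) {
    for (const [c, e] of this.pending) {
      if (now >= e.expiresAt) this.pending.delete(c); // purge stale codes
    }
    let code;
    do { code = this.makeCode(); } while (this.pending.has(code));
    this.pending.set(code, { amountPence, expiresAt: now + CODE_TTL_MS });
    return code;
  }

  // ATM side: code and amount must both match an unexpired request.
  // A wrong code and a wrong amount get the same answer, so the machine
  // never confirms that a guessed code exists.
  redeem(atmId, code, amountPence, now) {
    const atm = this.atms.get(atmId) || { fails: 0, blockedUntil: 0 };
    if (now < atm.blockedUntil) {
      return { ok: false, reason: "retry-later", retryAt: atm.blockedUntil };
    }
    const entry = this.pending.get(code);
    const expired = entry !== undefined && now >= entry.expiresAt;
    if (expired) this.pending.delete(code);
    const valid = entry !== undefined && !expired &&
                  entry.amountPence === amountPence;
    if (!valid) {
      atm.fails += 1;
      const delay = Math.min(BASE_DELAY_MS * 2 ** (atm.fails - 1), MAX_DELAY_MS);
      atm.blockedUntil = now + delay;
      this.atms.set(atmId, atm);
      return { ok: false, reason: "declined", retryAt: atm.blockedUntil };
    }
    this.pending.delete(code); // single use
    this.atms.delete(atmId);   // success clears the machine's failure count
    return { ok: true, amountPence };
  }
}

// How many attempts one machine allows inside a time window when every
// attempt fails and the next is made the instant the delay ends.
function attemptsInWindow(windowMs) {
  const svc = new CashCodeService(() => "000000");
  let now = 0;
  let attempts = 0;
  while (now < windowMs) {
    const r = svc.redeem("atm-1", "999999", 5000, now);
    attempts += 1;
    now = r.retryAt;
  }
  return attempts;
}
```

With these assumed delays a single machine accepts nine attempts in the three-hour lifetime of a code, and each attempt must match both the code and the amount. The limit is per machine, so a real deployment would also need a limit that holds across machines.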

Cash machine: "Please take your cash and your receipt."
It feels strange taking money and a receipt from a cashpoint without first having to retrieve my card. I spent a few minutes after the experience with a feeling that I’d forgotten something.

It worked. I got my money. The mobile app quickly updated to reflect the change to my balance and invalidated the code: the system was a success.

The banks claim that this will be useful for times that you’ve not got your card with you. Personally, I don’t think I ever take my phone outdoors without also taking my wallet with me, so the chance of that is pretty slim. If my card were stolen, I’d be phoning the bank to cancel the card anyway, so it wouldn’t save me a call, either, if I needed emergency cash. But there are a couple of situations in which I’d consider using this neat little feature:

  • If I was suspicious of a possible card-skimming device on a cash machine, but I needed to withdraw money and there wasn’t an un-tampered ATM in the vicinity. It’d be nice to know that you can avoid having your card scanned by some kid with a skimmer just by using your phone to do the authentication rather than a valuable piece of plastic.
  • To send money to somebody else. Using this tool is cheaper than a money order and faster than a bank transfer: it’s an instantaneous way to get small sums of cash directly into the hands of a distant friend. “Sure, I’ll lend you £50: just go to a cash machine and type in this code.” I’m not sure whether or not this is a legitimate use of the service, but I can almost guarantee that it’ll be the most-popular. It’ll probably be reassuring to parents of teenagers, for example, who know that they can help their offspring get a taxi home when they’ve got themselves stranded somewhere.

What do you think? If you’re with RBS, NatWest or Tesco, have you tried this new mobile banking feature? Do you think there’s mileage in it as an idea, or is it a solution in need of a problem?


Internetland

This blog post is about password security. If you don’t run a website and you just want to know what you should do to protect yourself, jump to the end.

I’d like to tell you a story about a place called Internetland. Internetland is a little bit like the town or country that you live in, but there’s one really important difference: in Internetland, everybody is afflicted with an unusual disorder called prosopagnosia, or “face-blindness”. This means that, no matter how hard they try, the inhabitants of Internetland can’t recognise each other by looking at one another: it’s almost as if everybody was wearing masks, all the time.

Denied the ability to recognise one another on sight, the people of Internetland have to say out loud who they are when they want to be identified. As I’m sure you can imagine, it’d be very easy for people to pretend to be one another, if they wanted. There are a few different ways that the inhabitants get around that problem, but the most-common way is that people agree on and remember passwords to show that they really are who they claim to be.

Alice’s Antiques

Alice runs an antiques store in Internetland. She likes to be able to give each customer a personalised service, so she invites her visitors to identify themselves, if they like, when they come up to the checkout. Having them on file means that she can contact them about special offers that might interest them, and she can keep a record of their address so that the customer doesn’t have to tell her every time that they want a piece of furniture delivered to their house.

An antique desk and chair.
Some of Alice’s Antiques’ antiques.

One day, Bob came by. He found a nice desk and went to the checkout to pay for it.

“Hi,” said Alice, “Have you shopped here before?” Remember that even if he’d visited just yesterday, she wouldn’t remember him, so crippling is her face-blindness.

“No,” replied Bob, “First time.”

“Okay then,” Alice went on, “Would you like to check out ‘as a guest’, or would you like to set up an account so that I’ll remember you next time?”

Bob opted to set up an account: it’d only take a few minutes, Alice promised, and would allow him to check out faster in future. Alice gave Bob a form to fill in:

A form filled in with name - Bob, password - swordfish1, address - 1, Fisherman's Wharf, Internetland, and with a box ticked to allow a catalogue to be posted.
Bob filled in the form with his name, a password, and his address. He ticked the box to agree that Alice could send him a copy of her catalogue.

Alice took the form and put it into her filing cabinet.

The following week, Bob came by Alice’s Antiques again. When he got to the checkout, Alice again asked him if he’d shopped there before.

“Yes, I’ve been here before,” said Bob, “It’s me: Bob!”

Alice turned to her filing cabinet and pulled out Bob’s file. This might sound like a lot of work, but the people of Internetland are very fast at sorting through filing cabinets, and can usually find what they’re looking for in less than a second. Alice found Bob’s file and, looking at it, challenged Bob to prove his identity:

“If you’re really Bob – tell me your password!”

“It’s swordfish1,” came the reply.

Alice checked the form and, sure, that was the password that Bob chose when he registered, so now she knew that it really was him. When he asked for a set of chairs he’d found to be delivered, Alice was able to simply ask, “You want that delivered to 1 Fisherman’s Wharf, right?”, and Bob just nodded. Simple!

Evil Eve

That night, a burglar called Eve broke into Alice’s shop by picking the lock on the door (Alice never left money in the till, so she didn’t think it was worthwhile buying a very good lock). Creeping through the shadows, Eve opened up the filing cabinet and copied out all of the information on all of the files. Then, she slipped back out, locking the door behind her.

Alice’s shop has CCTV – virtually all shops in Internetland do – but because it wasn’t obvious that there had been a break-in, Alice didn’t bother to check the recording.

CCTV camera.
Alice has CCTV, but she only checks the recording if it’s obvious that something has happened.

Now Eve has lots of names and passwords, so it’s easy for her to pretend to be other Internetlanders. You see: most people living in Internetland use the same password at most or all of the places they visit. So Eve can go to any of the other shops that Bob buys from, or the clubs he’s part of, or even to his bank… and they’ll believe that she’s really him.

One of Eve’s favourite tricks is to impersonate her victim and send letters to their friends. Eve might pretend to be Bob, for example, and send a letter to his friend Charlie. The letter might say that Bob’s short on cash, and ask if Charlie can lend him some: and if Charlie follows the instructions (after all, Charlie trusts Bob!), he’ll end up having his money stolen by Eve! That dirty little rotter.

So it’s not just Bob who suffers for Alice’s break-in, but Charlie, too.

Bob Thinks He’s Clever

Bob thinks he’s cleverer than most people, though. Rather than use the same password everywhere he goes, he has three different passwords. The first one is his “really secure” one: it’s a good password, and he’s proud of it. He only uses it when he talks to his bank, the tax man, and his credit card company – the stuff he thinks is really important. Then he’s got a second password that he uses when he goes shopping, and for the clubs he joins. A third password, which he’s been using for years, he reserves for places that demand that he chooses a password, but where he doesn’t expect to go back to: sometimes he joins in with Internetland debates and uses this password to identify himself.

Bob's password list - his high-security password is "h@mm3rHead!", his medium-security one is "swordfish1", and his low-security one is "haddock".
Bob’s password list. Don’t tell anybody I showed you it: Bob’ll kill me.

Bob’s approach was cleverer than most of the inhabitants of Internetland, but it wasn’t as clever as he thought. Eve had gotten his medium-security password, and this was enough to persuade the Post Office to let her read Bob’s mail. Once she was able to do this, she went on to tell Bob’s credit card company that Bob had forgotten his password, so they sent him a new one… which she was able to read. She was then able to use this new password to tell the credit card company that Bob had moved house, and that he’d lost his card. The credit card company promptly sent out a new card… to Eve’s address. Now Eve was able to steal all of Bob’s money. “Muhahaha!” chortled Eve, evilly.

But even if Bob hadn’t made the mistake of using his “medium-security” password at the Post Office, Eve could have tried a different approach: Eve would have pretended to be Alice, and asked Bob for his password. Bob would of course have responded, saying “It’s ‘swordfish1’.”

Then Eve would have done something sneaky: she’d have lied and said that was wrong. Bob would be confused, but he’d probably just think to himself, “Oh, I must have given Alice a different password.”

“It must be ‘haddock’, then,” Bob would say.

“Nope; wrong again,” Eve would say, all the while pretending to be Alice.

“Surely it’s not ‘h@mm3rHead!’, is it?” Bob would try, one last time. And now Eve would have all of Bob’s passwords, and Bob would just be left confused.

Good Versus Eve

What went wrong in Internetland this week? Well, a few things did:

Alice didn’t look after her filing cabinet

For starters, Alice should have realised that the value of the information in her filing cabinet was worth at least as much as money would be, to the right kind of burglar. It was easy for her to be complacent, because it wasn’t her identity that was most at risk, but that of her customers. Alice should have planned her security in line with that realisation: there’s no 100% certain way of stopping Eve from breaking in, but Alice should have done more to make it harder for Eve (a proper lock, and perhaps a separate, second lock on the filing cabinet), and should have made it so that Eve’s break-in was likely to be noticed (perhaps skimming through the security tapes every morning, or installing motion sensors).

But the bigger mistake that Alice made was that she kept Bob’s password in a format that Eve could read. Alice knew perfectly well that Bob would probably be using the same password in other places, and so to protect him she ought to have kept his password encrypted in a way that would make it virtually impossible for Eve to read it. This, in combination with an effort to insist that her customers used good, strong passwords, could have completely foiled Eve’s efforts, even if she had managed to get past the locks and CCTV un-noticed.

Here in the real world: Some of Alice’s mistakes are not too dissimilar to the recently-publicised mistakes made by LinkedIn, eHarmony, and LastFM. While these three giants did encrypt the passwords of their users, they did so inadequately (by using mechanisms not designed for passwords, by using outdated and insecure mechanisms, and by failing to protect stolen passwords from bulk-decryption). By the way: if you have an account with any of these providers, you ought to change your password, and also change your password anywhere else that uses the same password… and if this includes your email, change it everywhere else, too.
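For those who do run a website, here is what Alice’s filing cabinet could hold instead of readable passwords. This is an added example, not code from any of the sites named above: in practice “encrypted” here means a salted, deliberately slow one-way hash, and the function names, the PBKDF2 work factor and the customers Charlie and Dave with their passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def weak_record(password):
    """Unsalted, fast hash: a mechanism not designed for passwords."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_record(password):
    """Per-customer random salt plus a deliberately slow derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(record, attempt):
    """Recompute the hash from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_records(cabinet):
    """Group customers whose stored records are identical.

    Identical records mean one successful guess unlocks every customer in
    the group, which is what makes bulk recovery of a stolen file cheap.
    """
    groups = defaultdict(list)
    for name, record in cabinet.items():
        groups[record].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


# Constructed sample customers; "swordfish1" is Bob's password from the story.
CUSTOMERS = {"Bob": "swordfish1", "Charlie": "tr0ut-Basket", "Dave": "swordfish1"}

if __name__ == "__main__":
    weak = {name: weak_record(pw) for name, pw in CUSTOMERS.items()}
    strong = {name: strong_record(pw) for name, pw in CUSTOMERS.items()}
    print("unsalted, shared records:", shared_records(weak))
    print("salted, shared records:  ", shared_records(strong))
    print("Bob logs in:", check_password(strong["Bob"], "swordfish1"))
```

In the unsalted cabinet Bob and Dave have the same record, so Eve only has to work out one of them; with a salt per customer every record is different and each one has to be attacked separately, slowly.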

Bob should have used different passwords everywhere he went

Good passwords should be long (8 characters should be an absolute minimum, now, and Bob really ought to start leaning towards 12), complex (not based on a word in any dictionary, and made of a mixture of numbers, letters, and other characters), and not related to you (dates of birth, names of children, and the like are way out). Bob had probably heard all of that a hundred times.

But good passwords should also be unique. You shouldn’t ever use the same password in two different places. This was Bob’s mistake, and it’s the mistake of almost everybody else in Internetland, too. What Bob probably didn’t know was that there are tools that could have helped him to have a different password for everybody he talked to, yet still been easier than remembering the three passwords he already remembered.

Here in the real world: There are some really useful tools to help you, too. Here are some of them:

  • LastPass helps you generate secure passwords, then stores encrypted versions of them on the Internet so that you can get at them from anywhere. After a short learning curve, it’s ludicrously easy to use. It’s free for most users, or there are advanced options for paid subscribers.
  • KeePass does a similar thing, but it’s open source. However, it doesn’t store your encrypted passwords online (which you might consider to be an advantage), so you have to carry a pen drive around or use a plugin to add this functionality.
  • SuperGenPass provides a super-lightweight approach to web browser password generation/storing. It’s easy to understand and makes it simple to generate different passwords for every site you use, without having to remember all of those different passwords!
  • One approach for folks who like to “roll their own” is simply to put a spreadsheet or a text file into a TrueCrypt (or similar) encrypted volume, which you can carry around on your pendrive. Just decrypt and read, wherever you are.
  • Another “manual” approach is simply to use a “master password” everywhere, prefixed or suffixed with a (say) 4-5 character modifier, that you vary from site to site. Keep your modifiers on a Post-It note in your wallet, and back it up by taking a picture of it with your mobile phone. So maybe your Skype suffix is “8Am2%”, so when you log into Skype you type in your master password, plus that suffix. Easy enough that you can do it even without a computer, and secure enough for most people.

Spee Kin Dork Weans Anguish

Door Anguish languish moose beer month a moth faux net tickley verses tile ant flecks a bill languishes spur ken honours. Wither ladle procters, eaters easer two ewes whirrs inn quiet weedy queue louse weighs.

Dizzy woo nose a tin naan teen fitter sex, ah gentile moon aimed Hough Ardle Chase deed eggs ark lead art? Hear oat uh buck kern tame in severer furry tells, nosier rams, fey mouse tells, ant thongs, end duke cane henge joy atoll own lion. Half pun wit tit!

Par hips eye shut starred rye teen owl may blocks boats lark these?

The Signal and the Noise

The Signal and The Noise, by Andrew Paul Regan.

I’d just like to say a few words of praise for Andy‘s new album, The Signal and the Noise. It’s not the first time I’ve said nice things about him, but it’s the first time since he’s been recording under his full name, rather than as “Pagan Wanderer Lu”.

I can say this for sure, though: The Signal and the Noise has finally dethroned my previous favourite Lu album, Build Library Here (or else!). It’s catchy, it’s quirky, and it’s full of songs that will make you wish that you were cleverer: so far, so good. I think that one of the things that particularly appealed to me in this album was that the lyrical themes touched on so many topics that interest me: religion and superstition, artificial intelligence, the difficulties of overcoming materialism, cold war style espionage, and cryptography/analysis… all wrapped up in fun and relatable human stories, and with better-than-average running-themes, links, and connections.

One of the joys of Andy’s (better) music comes from the fact that rather than interpretation, it lends itself far better to being issued with a reading list. To which end, here’s a stack of Wikipedia articles that might help you appreciate this spectacular album a little better, for the benefit of those of you who weren’t lucky enough to have read all of this stuff already:

Oh; backing vocals, you’re too kind! But this is just another chapter in the story of my life.

The Omniscient Narrator

The final track’s a little weaker than the rest (the actual final track, not the “hidden track” bit), and I’m left with a feeling that this was so-close but not quite a concept album (which would have been even more spectacular an achievement), but these are minor niggles in the shadow of an otherwise monumental album.

Go get a copy.

By the way; I’ve got a spare – who wants it? Spare copy’s gone to Claire as an early birthday present. Somehow she failed to preorder a copy of her own.

Looking for an alternate opinion? Here’s a guy who didn’t “get it”.


Signs Seen in Service Stations

It feels like most of the time I’ve spent in a car this year, so far, has been for travel related to somebody’s recent death. And so it was that yesterday, Ruth, JTA and I zipped up and down the motorway to attend the funeral of Ruth’s grandmother.

It went really well, but what I wanted to share with you today was two photos that I took at service stations along the way.

Sign: "Alcohol purchases in this motorway service area can not be consumed inside or outside the premises."
A sign I discovered at a motorway service station.

This one confuses me a lot. If I buy alcohol from this service area, I can’t drink it either inside… or outside… the premises. Are they unlicensed, perhaps, and so the only way they’re allowed to sell us alcohol is if we promise not to drink it? Or is it perhaps the case that they expect us only to consume it when we’re in a parallel dimension?

Costa's slogan, "The Americano Addicts."
Costa have decided to cut down on graffiti by writing all over their own walls.

It’s hard to see in the second photo without clicking (to see it in large-o-vision), but the sign on the opposite wall in this Costa Coffee implies the possibility of being an “Americano Addict”. And there was something about that particular marketing tack that made me cringe.

Imagine that this was not a café but a bar, and substitute the names of coffees with the names of alcoholic beverages. Would it be cool to advertise your products to the “wine addicts” or the “beer addicts” of the world? No: because alcoholism isn’t hip and funny… but caffeine addiction is? Let’s not forget that caffeine is among the most-addictive drugs in the world. Sure, caffeine addiction won’t wreck your liver like alcohol will or give you cancer like smoking tobacco (the most-popular way to consume nicotine) will, but that doesn’t detract from the fact that there are many people for whom a dependency upon caffeine is a very real part of their everyday life.

Is it really okay to make light of this by using such a strong word as “addict” in Costa’s marketing? Even if we’re sticking with alliteration to fit in with the rest of their marketing, wouldn’t “admirer” or “aficionado” be better? And at least that way, Costa wouldn’t leave me with a bitter taste in my mouth.
