Source control your relationship

An interesting parallel was drawn by a colleague recently between relationships with your significant other and source control. Both need total engagement by all parties, and both can quickly unravel when commitment, or adherence to the agreed guidance and conventions, falls short.

There is the sitcom-esque case of “commitment issues”, whereby either party is afraid to really commit to a relationship, either monogamously or by sealing the deal through marriage. Programmers who exhibit a tendency to hold on to their code, avoiding regular commits, store up problems both for themselves and their team.

Maybe your other half feels that she has been put on the shelf, forgotten about and fleetingly appearing in your life as you pass by over dinner or scanning the repo. And you better make sure you get your [file]names right first time if you want to avoid a rapid appearance of irreconcilable problems.

Source control remembers everything you did, all your commits, experiments (branches) and log comments (not as private as one might like). “She” is equally able to remember all your mistakes with unnerving accuracy. Your branches (experimental flings) are on your permanent record, as are your seemingly innocuous comments logged (“I’m fine”). When differences approach the irreconcilable, you start reaching for the Patches.

Any experiments you may have on your branches/flings are always a time of nervousness when merged back into the trunk/relationship, and can rarely be fully re-integrated. Conflicts and lost assets are inevitable. “She” prefers exclusive checkouts; you might prefer a more … distributed approach.

Perhaps where the metaphor starts to fail is the real-world relationship’s difficulty of reverting commits. A programmer can quickly back out of some embarrassing moments in code with a right-click, returning silently to the state of their source and team relationship as if nothing happened. On the other hand, “she” remembers all your mistakes and your attempts to repair them.

By the way, to save embarrassment, this tongue-in-cheek parallel is drawn with no reference to any relationships past or present, real or imaginary. So, no need to perform any Diffs here.


Chip and PIN safety is just smoke and mirrors

I’m no expert on credit/debit card safety, but I’m concerned enough to share my thoughts and experience based on recent “hacking” stories in the news and the complacency of retailers when storing your card data.

Chip and PIN is not more secure

From 2004, banks have been pushing the Chip and PIN “safety in numbers” campaign to encourage customers (and particularly merchants) to shift to the new Chip and PIN technology. Previously, a payment was authenticated using a signature on a receipt (produced either by swiping the card through a magnetic card reader or by taking a physical imprint of the card details). This had a high rate of fraud due to the weaknesses of signature authentication and the ease with which cards could be cloned – the magnetic strip became a single point of failure.

On the surface, it appears more secure. France saw an 80% drop in fraud when switching to Chip and PIN. The two-factor authentication of Chip and PIN (what you have, what you know) has significantly reduced card cloning; the user doesn’t have to hand over their card whilst worrying about double swiping, and their PIN is shared with their ATM PIN, so usability was maintained. However, card fraud has increased in the years since, so the result has been the movement of fraud attempts rather than their elimination.

Without considering the vulnerabilities, four immediate problems come to mind.

Firstly, if you don’t enter your PIN correctly, the merchant will invariably downgrade to a Chip and Signature transaction. To the consumer, this mirrors the older process of signing the receipt. The difference is that the merchant has specifically opted in to using the less secure protocol and assumes the risk of fraud. (Given the attention I’ve seen sales assistants pay to the validity of the signature, I wouldn’t put any confidence in this mechanism.)

Secondly, CCTV cameras are routinely aimed at the tills, for good reason. But these also record what users are entering into PIN pads. Of course, we’re encouraged to conceal our entry with our other hand, but we do live in a society, and this creates an implication of distrust of your fellow customer. If the card is stolen, or is cloned in some way by a compromised terminal, your authentication is compromised even though your card itself is fine.

Thirdly, what confidence do we have that the terminal has not been compromised? Consider the new means of robbing a bank, from an apartment a few blocks away. Santander and Barclays were both targeted with inexpensive IT kit installed by supposed IT engineers which allowed direct access to banking systems. What’s to say the same technique hasn’t been employed, with a sales assistant being duped into allowing “upgraded systems” to be installed from “head office”? A man-in-the-middle device can trick a card into believing signature authentication was used even when an invalid PIN was entered, leaving the incorrect PIN count held in the card intact.

Finally, there is the competence of the merchant. Hotels and bars often hold cards “open” to allow for future drinks/etc. to be added to the account at the customer’s convenience. Theoretically, when the customer signs the receipt when the account is closed they would identify any anomalies (assuming they’re not drunk enough not to realise). I’ve managed to pay for two expensive cocktails in a 5-star hotel without entering my PIN or signing due to this account system being incompetently applied.

In all of these, the weakest link is the person, and it is most often the merchant at fault. Then there are the known exploits in Chip and PIN, such as man-in-the-middle attacks (PDF), so-called “yes-cards”, offline authentication, card cloning for use abroad, electronic authentication downgrade and good old robbery.

Cardholder not present is still not secure

Cardholder not present (CNP) is a technique of authenticating the card when the merchant cannot guarantee the authenticity of the cardholder, typically when ordering online or over the phone.

There are various ways of “proving” the identity and validity of a card in this scenario.

Firstly, the Card Security Code (CSC) attempts to prove that the card is in the possession of the purchaser (note, not necessarily the cardholder) at the time of ordering. These are the three digits on the reverse of your card. The CSC is not encoded in either the chip or the magnetic strip on the card, therefore a cloned card would not contain the CSC, rendering the transaction invalid. This can authenticate the transaction (and by implication, the validity of the card, if not the purchaser) but relies on the competence of the merchant to avoid these values being compromised. For instance, the PCI standard mandates that the CSC must not be stored within a database following transaction authorisation, so that it is not exposed should the database containing card data become compromised. The recent case of StaySure having their CSC data hacked shows that this is not guaranteed, and the customer has no way of knowing. (Ask yourself: if the CSC is needed for an electronic CNP transaction, how can Amazon ask for this code only once and continue to bill your account?) This comes down to the reliability and trustworthiness of the web sites and the individuals running them. How does the company store your card data? Do they retain your data, and for how long? Are there opportunities for individuals within the company to access that data unencrypted? Are paper trails generated containing your card details? The web site is a sealed box into which you have no view of how your financial data is managed. Phone-based and mail-based orders may be written down or printed off and left in accessible piles on employees’ desks (which is why PCI mandates physical access security to cardholder processing areas).

Secondly, Visa’s “3-D Secure” authentication mechanism, known under the brands “Verified by Visa” and “Mastercard SecureCode”, whilst seemingly authenticating the cardholder by asking more pertinent questions directly related to the cardholder’s bank account, does not provide real assurance to the cardholder that it is indeed genuine. The technique used by the scheme requires a web commerce site to embed an IFRAME within its checkout process that acts as a “window” into the banking system, requesting extra verification data. However, the user does not necessarily know that the site within the window is genuine. A malicious web site may embed a false authentication site, the user’s computer may be infected, allowing false authentication sites to be used, or DNS poisoning may be used to redirect valid authentication sites to malicious parties.

The Chip and PIN programme does provide benefits to the consumer, without a doubt, though these are largely based on usability. Any argument for increased security is a smoke and mirrors marketing campaign by the card issuers. Fraud has increased, particularly in Cardholder Not Present scenarios (coupled with weak IT security on the part of web sites), and attacks have merely shifted to alternative weaknesses as opposed to being prevented. The big winners are the banks, because they are able to transfer the risk of a fraudulent transaction from themselves to the merchant or the customer. Stringent merchant contracts allow the bank to transfer liability for fraud to the merchant should the merchant choose to downgrade their authentication, or to the cardholder if it can be proved that fraud was attempted. Interestingly, if a PIN had been entered, the banks refused to accept liability until 2009, even if the user denied having used the card.

5 finger Kit Kats: we’re through the looking glass now

The food and drink industry has been under fire for some time about portion sizes and questionable marketing tactics. Chocolate bars are bigger, fizzy drinks are sweeter and even supposed ‘teeth friendly’ products have questionable benefit.

The industry’s apparent response is to continue to create large portions but instead use the guilt-loaded, responsibility abdicating verb ‘share’. Packs are share packs, share your bottle of Coca Cola with Ian and reseal that huge pack of Maltesers.

Seems to me the marketing departments have stepped up their game and excused their products from blame should someone decide to eat a whole pack themselves.

Public information by PDF … fail

The Isle of Man is currently experiencing a minor water inconvenience due to the recent storms, resulting in water needing to be boiled for users’ assurance that it is safe to be used/consumed.

Cue panic. “Is it contaminated?”, “Are the schools open?”, “What about farmers?” are questions that have all been asked. The water authority posted information on their web-site, and informed the Police and local radio stations to get the word out that there is a “boil water” notice for 48 hours. I believe they did everything they could have. Texts, tweets and the like have been flying round, though typical Chinese whispers/incompetence resulted in terms like “raw water” being incorrectly understood as “raw sewage” and the Police stating water had been “contaminated”.

Except that, once again, the actual information for users is buried within a PDF. The whole Isle of Man Government web-site is just a thin layer over some sort of internal document library intranet. It is exceptionally poor in this regard.


So information that people need in order to understand how they can use their boiled/unboiled water is hidden inside a heavy document format that requires specialised reader software to be downloaded. Sure, PDFs are widely used and the “standard” for document publishing online, but why require users to:

  1. Click a link, then
  2. possibly have to download and install reader software, then
  3. navigate through more information to get to the important parts?

The government web-site is frequently guilty of this. Some people don’t want to click links, don’t want to have Adobe PDFs on their machines, and are nervous when their browser asks for permission to open their PDF software. It is a total usability fail and shows a complete lack of care and attention that the information contained in the leaflet cannot be put on the original web-site. As I tweeted yesterday, putting public health information in a PDF is like sending an SOS using Semaphore over Morse code.

In my opinion, PDFs are superfluous. They are useful for maintaining formatting and for form completion exercises, and nothing more. Of course, paper copies of health information exist, and these will also usefully be available in PDF form. But PDFs should support and complement existing hypertext, not form the only source of information.

I believe a new web-site is on the way. I hope new people behind the web-site are going to come with it.

6 Peaks Challenge for WaterAid

Now, I like walking, but climbing 6 of the largest peaks in the British Isles within 72 hours? That’s just nutty.

That’s what my manager, Charles Douthwaite, has decided to participate in. A keen walker, Charles may be seen striding over hillocks at some speed, usually deep in thought listening to his Spanish lessons on his MP3 player.

The challenge is simple: Charles, along with the rest of his team “Ny Glastinyn shee”, must climb to the summits of:

  • Snaefell in The Isle of Man
  • Snowdon in Wales
  • Scafell Pike in England
  • Ben Nevis in Scotland
  • Slieve Donard in Northern Ireland
  • Corran Tuathail

The team must drive between the locations, catching what sleep they can in the interim. The team also consists of Gail Green and Nigel Maddocks, all keen walkers who seem to be setting a considerable pace, already reaching the summits of two of the mountains in first place by some margin!

The effort (or is it an expedition?) is in aid of WaterAid, a charity that works with local communities to provide sustainable and clean water, often to the world’s poorest people. The team have set a sponsorship target of £3,000 and are well on their way to achieving this goal. So why not show your support for their effort, and for WaterAid, by donating using their Virgin Money Giving site?

If you’re a keen walker yourself, check out Charles’ blog at http://walkingmann.wordpress.com, which includes his routes, maps and many photographs he took along the way. Beware, though, there is often some experimentation involved with his routes!

We’ll be tweeting the team’s progress on the @iww Twitter account of Island Web Works Ltd. You can also keep track of their progress on the 6 Peaks Challenge site, which includes a live Google Map of their progress.

TT Race week Tweet-up, Thursday 7th June, Castletown

The TT is upon us again, which is always a great opportunity to get out and enjoy the atmosphere that the road-racing festival offers. After a few expressions of interest, we thought we’d arrange an extra-special tweet-up. Special in that it’s during TT Race week, which gives us the opportunity to extend the invitation to people who aren’t usually on the island, and even more special because we can also extend a welcome to our southern friends by holding it in Castletown.

Between @PerrynIOM, @andrewjskatz, @johnbinns, @isleofmandan, @BugJo and @NettyIOM we’ve agreed on The Royal George, Castletown town square, at 19:30 on Thursday 7th June (TT Race week). We thought this is a central location for everyone to be able to find.

If you’d like to join us, please chime in on Twitter by contacting either myself or one of the others or by commenting on this post. As this is a southern event, anyone travelling further north that could offer a lift or would like to share a taxi towards Douglas would be an extra special “tweetheart” 😉

Isle of Man Ghost Tours – Milntown House

Last week we joined a tour of Milntown House, held by Isle of Man Ghost Tours. While I’m of a sceptical and scientific mind, that is not to say I have an answer to everything. The tours put on by Alan and Barry are always good fun, and offer lots of history, intrigue and anecdotes while maintaining a degree of respect for the properties, history and any residual elements remaining. This is not Most Haunted!

I don’t want to steal the thunder of the Isle of Man Ghost Tours team so will only mention that Milntown House goes back hundreds of years, with the most famous residents being the Christian family, who moved in in the 16th century. Since then, it has been a ‘Home School for the Daughters of Gentlemen’, returned into family use by the Yates and finally by the Edwards before being put into Trust as specified by Sir Clive Edwards before his death. The house and gardens are steeped in history and the estate is but a fraction of its size during its heyday.

I am of a fiercely scientific and analytical mind. There is no god, UFOs are unlikely to come from outer space and even more unlikely to carry extra-terrestrial life. Dowsing is a result of micro-movements in the user’s hand and wrist, possibly as a result of the ideomotor effect; mediumship and clairvoyance are cold reading (or just plain cheating); and astrology is a load of rubbish.

But a few phenomena stand out and resist my explanation, for what it’s worth. Amongst these is the existence of ghosts. The accepted understanding of a ghost is a spirit form that has occupied some previous time, typically linked to a particular geographic location. This may be our understanding of it, but what is behind this understanding? Can we really say that, despite our scientific endeavours, we continue to fail to prove outright the existence of the otherworld and its occupants? Or is it more likely that we are drawing on one or more known or little-understood phenomena and grouping them into a single, if romantic, phenomenon?

Five phenomena were highlighted during the evening:

  • Corner of the eye phenomena. Why do events typically happen when people least expect them? Are we in a more susceptible state when we’re not actively looking for evidence?
  • White noise experiments. Are we seeing patterns that aren’t there? The human brain is primed for pattern recognition, a capability afforded to us from the very earliest of our tenure on Earth. We’ve all seen grainy pictures of ghosts or shadows, and are more keen to find a colourful, romantic history and accompanying manifestation to explain them than a particular configuration of light and shadow.
  • Orbs are renowned in the ghost-hunting community for being the early forms of a spirit trying to manifest itself in our awareness. Or maybe light reflecting off tiny dust particles? I took a few pictures on our tour of The Gaiety and came across MANY orbs, but I guess it would be difficult to dust everywhere in such an old theatre. (Unfortunately, I can’t for the life of me find them.)
  • Electromagnetic field disturbances are often recorded and explained as manifestations of paranormal phenomena, in particular ghostly activity. Electromagnetism is a complex field (no pun intended), and anyone trying to listen to Radio TT next to an electrical appliance will tell you that the most innocent items create interference. One man’s interference caused by a mobile phone is another man’s interference from the other side.
  • Interaction with ghosts is sometimes described, whereby people converse with ghosts, often not realising that the ghost is not actually a real person. Again, this leads us back to being caught off guard. Maybe we hear what we want to hear. If you ask someone how they are, you expect to hear they’re fine! When was the last time you sent an email and had someone react to that email as if they had actually read it? Yeah, I thought so.

After the event, we are inevitably subject to our own memories, which are not great. Even within our own internal reasoning about events, we’re prone to exaggerating explanations of phenomena if only to arrive at an ultimate explanation, whether that be scientifically understood or otherwise.

But this is not to take any value away from the ghost experience, the phenomena or, particularly, the Isle of Man Ghost Tours. It remains a mystery, and Alan and Barry are respectful of that. They research tirelessly into local myth and legend, even to the point of identifying 6 Moddee Dhoo! They are also respected in the supernatural phenomena community, being brought in to help with major TV show productions and research projects by key members of the community. What you get is a fascinating insight into history at the very least, along with a peek into another world, delivered in a personal manner.

Until a scientific explanation (even if that scientific explanation proves the existence of ghosts in their commonly understood form) is found, we will continue to be fascinated by ghosts and how they are able to bring even the most mundane history to life in a cynical, dry, modern world. But it is important to challenge one’s understanding of one’s understanding (sic). Without challenging ourselves and our beliefs, faith, understanding or basic “skeet”, our progress will falter.