last.fm

Annie Eve – Hunters

http://www.last.fm/music/Annie+Eve
last.fm

Annie Eve – Elvis

http://www.last.fm/music/Annie+Eve
last.fm

Annie Eve – Bodyweight

http://www.last.fm/music/Annie+Eve
twitter

@virginmedia My wife is at home in SW12 and says she has no broadband connection. Have you heard of any problems in south London?

twitter

@AntonioLulic *wonders idly what became of Lauren* Ah... nostalgia.

twitter

@AntonioLulic I had a girlfriend in Brockley once. I lived in Homerton. Long distance romances never work out :-/

twitter

@bigdaddymerk I suspect you're just taking my tweet rather more seriously than I intended it :-/

twitter

Perl programmers never use soap. No, wait. That's not right. Perl programmers never use SOAP. (Capitalisation is important!)

last.fm

Laura Marling – Don't Ask Me

http://www.last.fm/music/Laura+Marling
last.fm

Kirsty MacColl – Mother's Ruin

http://www.last.fm/music/Kirsty+MacColl
davblog

First Direct Update

Earlier in the week I talked about my concerns with First Direct’s new password policy. I got an email from them about this, but it really wasn’t very reassuring.

But I kept digging. And on Thursday I got a bit more information from “^GD” on the @firstdirecthelp twitter account. It still doesn’t answer all of my questions, but I think we’re a lot closer to the truth. Here’s what I was told.

The obvious question that this raises is why, then, do they limit the length of the passwords. I asked and got this (three-tweet) reply.

To which, I replied

And got the response

I thought that “as a business we are satisfied” rather missed the point. And told them so.

I got no response to that. And @brunns got no response when he tried to push them for more details about how the passwords are stored.

So, to summarise what we know.

I haven’t really been reassured by this interaction with First Direct. I felt that the first customer support agent I talked to tried to fob me off with glib truisms, but “^GD” tried to actually get answers to my questions – although his obvious lack of knowledge in this area meant that I didn’t really get the detailed answers that I wanted.

I’m not sure that there’s anything to be achieved by pushing this any further.

The post First Direct Update appeared first on Davblog.

github

davorg commented on issue blogs-perl-org/blogs.perl.org#285

Dave Cross

Yep. I get the same behaviour :-(

davblog

First Direct Passwords

I’ve been a happy customer of First Direct since a month or so after they opened, almost twenty-five years ago.

One of the things I really liked about them was that they hadn’t followed other banks down the route of insisting that you carried a new code-generating dongle around so that you can log into their online banking. But, of course, it was only a matter of time before that changed.

A couple of weeks ago I got a message from them telling me that Secure Key was on its way. And yesterday when I logged on to my account I was prompted to choose the flavour of secure key that I wanted to use. To be fair to them they have chosen a particularly non-intrusive implementation. Each customer gets three options:

  1. The traditional small dongle to carry around with you
  2. An extension to their smartphone app
  3. No secure key at all

If you choose the final option then you only get restricted (basically read-only) access to your account through their web site. And if you choose one of the first two options, you can always log on without the secure key and get the same restricted access.

I chose the smartphone option. I already use their Android app and I pretty much always have my phone with me.

Usually when you log on to First Direct’s online banking you’re asked for three random characters from your password. Under the new system, that changes. I now need to log on to my smartphone app and that will give me a code to input into the web site. But to get into the smartphone app, I don’t use the old three character login. No, I needed to set up a new Digital Secure Password – which I can use for all of my interactions in this brave new world.

And that’s where I think First Direct have slipped up a bit.

When they asked me for my new password, they told me that it needed to be between 6 and 10 characters long.

Those of you with any knowledge of computer security will understand why that worries me. For those who don’t, here’s a brief explanation.

Somewhere in First Direct’s systems is a database that stores details of their customers. There will be a table containing users which has a row of data for each person who logs in to the service. That row will contain information like the user’s name, login name, email address and (crucially) password. So when someone tries to log in, the system finds the right row of data (based on the login name) and compares the password in that row with the password that has been entered on the login screen. If the two match then the person is let into the system.

Whenever you have a database table, you have to worry about what would happen if someone managed to get hold of the contents of that table. Clearly it would be a disaster if someone got hold of this table of user data – as they would then have access to the usernames and passwords of all of the bank’s users.

So, to prevent this being a problem, most rational database administrators will encrypt any passwords stored in database tables. And they will encrypt them in such a way that it is impossible (ok, that’s overstating the case a bit – but certainly really really difficult) to decrypt the data to get the passwords back. They will probably use something called a “one-way hash” to do this (if you’re wondering how you check a password when it’s encrypted like this then I explain that here).

And these one-way hashes have an interesting property. No matter how long the input string is, the hashed value you get out at the other end is the same length. For example, if you’re using a hashing algorithm called MD5, every hash you get out will be thirty-two characters long.

Therefore, if you’re using a hashing algorithm to protect your users’ passwords, it doesn’t matter how long the password is. Because the hashed version will always be the same length. You should therefore encourage your users to make their passwords as long as they want. You shouldn’t be imposing artificial length restrictions on them.

And that’s why people who know about computer security will have all shared my concerns when I said that First Direct imposed a length restriction on these new passwords. The most common reason for a maximum length on a password is that the company is storing passwords as plain text in the database. With all the attendant problems that will cause if someone gets hold of the data.

I’m not saying for sure that First Direct are doing that. I’m just saying that it’s a possibility and one that is very worrying. If that’s not the case I’d like to know what other reason they have for limiting the password’s length like this.
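To make the hashing argument concrete, here is an added example (not First Direct’s code, and not from the original post) that stores passwords with a salted, iterated one-way hash. PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen for illustration; the point it demonstrates is that the stored value has the same length whether the password is 6 characters or 600, so a hashed store needs no maximum length.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Parameters assumed for this example; any real deployment would tune them.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2-sha256"


def md5_hex(password: str) -> str:
    """Plain MD5 hex digest: always 32 characters, as the post describes.
    Shown only to illustrate fixed-length output; MD5 alone is not a
    suitable password hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing stored value: scheme$iterations$salt$digest.

    The digest is a one-way function of the password; the stored value
    cannot be turned back into the password, only compared against a
    fresh attempt (see verify_password).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_lengths(passwords: List[str]) -> List[Tuple[int, int]]:
    """For each password, (length if stored as plain text, length if hashed).

    A plain-text column has to be as wide as the longest password you
    accept, which is one reason a site ends up with a maximum length.
    The hashed column is fixed width regardless of input.
    """
    return [(len(p), len(hash_password(p))) for p in passwords]


if __name__ == "__main__":
    # Constructed sample passwords of very different lengths.
    samples = ["abc123", "correct horse battery staple", "x" * 600]
    for plain_len, hashed_len in stored_lengths(samples):
        print(f"plain: {plain_len:4d} chars  hashed: {hashed_len} chars")
    record = hash_password(samples[1])
    print("login ok:", verify_password(samples[1], record))
    print("wrong pw:", verify_password("wrong", record))
```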

I’ve sent them a message asking for clarification. I’ll update this post with any response that I get.

Update (17 July): I got a reply from First Direct. This is what they said.

Thank you for your message dated 16-Jul-2014 regarding the security of your password for your Digital Secure Key.

Ensuring the security of our systems is, and will continue to be, our number one priority.

All the details that are sent to and from the system are encrypted using high encryption levels. As long as you keep your password secret, we can assure you that the system is secure. As you will appreciate, we cannot provide further details about the security measures used by Internet Banking, as we must protect the integrity of the system.

Our customers also have a responsibility to ensure that they protect their computers by following our common-sense recommendations. Further information can be found by selecting ‘security’ from the bottom menu on our website, www.firstdirect.com

Please let us know if you have any further questions, and we’ll be happy to discuss.

Which isn’t very helpful and doesn’t address my question. I’ve tried explaining it to them again.

The post First Direct Passwords appeared first on Davblog.

books read

The Docker Book: Containerization is the new virtualization

The Docker Book: Containerization is the new virtualization
author: James Turnbull
name: David
average rating: 5.00
book published: 2014
rating: 0
read at:
date added: 2014/07/16
shelves: currently-reading
review:

perl hacks

London Perl Mongers Meeting

I thought you might be interested in a couple of events that the London Perl Mongers have coming up in the next couple of months.

Technical Meeting

24th July 2014, Conway Hall
Currently, four talks have been announced.

Meetup event / Facebook event / Lanyrd event

Hackday

20th September 2014, London Hackspace
This is a new experiment for us. Do you want to hang out with some Perl Mongers and hack on one of your current projects? Or do you want to find a Perl project to hack on? Then come and join us at the London Hackspace in September.

Meetup event / Facebook event / Lanyrd event

Hope to see you at one or both of these events.

The post London Perl Mongers Meeting appeared first on Perl Hacks.

github

davorg pushed to master at davorg/lystyng

Dave Cross
  • Dave Cross 6f04652
    Added Perl 5.20 to Travis tests
github

davorg pushed to master at davorg/dmp

Dave Cross
  • Dave Cross 8a468a9
    Started to add images to odt
github

davorg pushed to master at davorg/dmp

Dave Cross
  • Dave Cross d9f058e
    Added LibreOffice version (incomplete)
github

davorg pushed to gh-pages at davorg/twittelection

Dave Cross
  • Dave Cross 5ac0b00
    Added a .travis.yml (even though there's no Perl code to test yet.
perl hacks

Perl School Slides

In 2012 and 2013 I ran an experiment called Perl School. I ran cheap Perl training on a Saturday at Google Campus. I got some great reactions but I stopped it after almost a year because it wasn’t getting the traction that I hoped for and attendances were starting to drop.

That’s not the end of Perl School though. I have a couple of ideas that I’m considering and it will return at some point (in some form).

But I thought that the courses were good. And I realised earlier today that I hadn’t made some of the slides public. So I uploaded them to Slideshare and they are embedded below.

Let me know if you find them interesting or useful.

Database Programming with Perl and DBIx::Class from Dave Cross

Object-Oriented Programming with Perl and Moose from Dave Cross

The post Perl School Slides appeared first on Perl Hacks.

slideshare

Object-Oriented Programming with Perl and Moose


slideshare

Database Programming with Perl and DBIx::Class


books read

The Complete Works of H.P. Lovecraft

The Complete Works of H.P. Lovecraft
author: H.P. Lovecraft
name: David
average rating: 4.31
book published: 2011
rating: 0
read at:
date added: 2014/06/12
shelves: currently-reading
review:

davblog

Sky Broadband Update

It’s probably time for an update on my Sky Broadband situation.

I last wrote about Sky on 16th April. That was the date of their second failed attempt to connect me to their broadband. It was the date that I decided to cancel my order and go elsewhere.

First the good news. I was considering alternative providers. I called Virgin Media and they told me that I could have a 50 Mb fibre connection for an extra £2 a month over what I already paid them for my TV and phone package. And, as a bonus, they could do it within a week – still five days earlier than Sky had scheduled their third attempt at connecting me. I ordered it, they came round on the promised day and everything works fine. Very happy with them.

This then left me trying to cancel my Sky order. This was slightly complicated by the fact that Sky had successfully connected my phone line[1] and also the fact that this phone line is used for monitoring my ADT burglar alarm. I didn’t want to cancel the phone line until ADT had moved the alarm monitoring to the Virgin Media line. I explained all this to Sky and they seemed to understand.

A chap called Andy in Sky’s customer service took it upon himself to take on the project. He took to phoning me weekly to ask me what was going on with ADT. To be honest, I got a bit lazy and it took me a while to get in touch with them.

Then my hand was forced. In the middle of May, some error lights on the burglar alarm started flashing. I called ADT to see what the problem was and they told me that it looked like the phone line was dead. I plugged a phone into the line and was able to confirm this. The phone line had been disconnected – despite my explicit instructions about not doing that until I asked for it.

I was a bit stuck. Calling Sky’s customer support from a non-Sky phone line is very expensive. And the only Sky line I had was dead. I tried their online chat facility, but the people you get on that are absolutely useless. Luckily Andy was due to call me for a progress update the following day, so I decided to wait for that.

When Andy called, I asked why they had disconnected the phone. He said that they hadn’t. He ran a few line checks and discovered a fault on the line. He offered to send an engineer to fix it. I told him not to bother and to go ahead with the cancellation. He told me that there was some problem with their systems that prevented him cancelling the contract right away but that he had reported the bug and would let me know when it was fixed.

Time passed.

Earlier this week, I wondered idly what was going on so I sent them an email asking for a progress report. A woman called and told me that my records said that someone (Andy, I assume) had been checking into my account daily and leaving notes explaining why he still couldn’t close the account.

The following day, I got a call from Andy (I’m sure it was pure coincidence that this was the day after I had chased them). He told me that the bug had been fixed and asked me to confirm that I still wanted to cancel the account. I told him that I did and he started the process. He warned me that I would receive a few automated emails.

Within half an hour I got the first email, telling me that my services would be cancelled on Thursday 6th June. Hooray. But that wasn’t the end of the story.

The following day, I got another (presumably automatic email) offering me twelve months of free line rental if I changed my mind. Then I got the same message by text. And today I’ve got a missed call from a number which Google tells me is Sky’s customer retention department. They certainly seem keen to keep me. It’s a shame they didn’t put so much effort in back in April when they might have been able to salvage something from the disaster.

Oh, and I’ve received a bill. They want to charge me a month’s line rental for the phone line. A phone line that only ever really existed to serve a broadband connection that they weren’t able to provide. A phone line that I’ve used to make one call – the call to Sky customer services on 16th April when I first told them to cancel my order.

I’ve cancelled the old Be Broadband direct debit that they were planning to use to take the money. I’m amazed that they wouldn’t just waive those charges.

So, two months on I’m still (to some extent) a Sky customer. But the end is (hopefully) in sight.

Oh, and throughout all of this, the @SkyHelpTeam Twitter account has been a source of much amusement. They reply to every mention, but haven’t got a clue what is going on. They use a social media customer tracker called Lithium. But they must have it configured wrong because each conversation starts with them knowing no history of this problem at all. And, having watched the product video, that’s exactly what Lithium is for.

Throughout this whole affair all of Sky’s customer service people (with about two exceptions) have shown themselves to be rubbish at their job.

[1] You’ll have noticed, no doubt, that we had two phone lines. The home phone (along with our TV) has been provided by Virgin Media for years. I also had another phone line for the broadband. I had this on a separate contract because it had been paid for through the limited company that I use for contracting.

The post Sky Broadband Update appeared first on Davblog.

davblog

National Rail Travel Alert

This is the text of a National Rail travel alert email that I received this morning.

Problems have been reported which may affect your journey between Balham (BAL) and Shepherd’s Bush (SPB)

More details of this disruption can be found here: http://nationalrail.co.uk/service_disruptions/76437.aspx

To see how this disruption affects your journey and to get alternative options planned for you, please use the Online Journey Planner

Alternatively, for up to date information for your station, use the Live Departure Boards.

Prefer to get in touch by phone? Call TrainTracker on 0871 200 49 50 (10p per min, mobiles higher) or text your journey details to 84950 to use TrainTracker Text

You can manage your alerts by visiting: http://ojp.nationalrail.co.uk/personal/member/myAccount

Don’t forget, you can also follow us on Twitter or Find us on Facebook for the latest rail travel news

Please do not reply to this email as it is sent from an unmonitored address. If you need to contact us, you can do so here: http://nationalrail.co.uk/feedback

Can you spot the obvious idiocy here?

It’s an HTML email. That’s obvious from the links that appear in it. Links to things like the Online Journey Planner and the Live Departure Boards. But there are a couple of links that are written as plain text URLs – ones that you can’t just click on. And one of them is the most important link in the email – the link to the full information about the problems.

In order to read whatever is on the other end of that link, you’d need to copy it and paste it into the location bar in your browser. That’s simple enough, of course, on a desktop computer. But surely one of the important use cases for these alerts is people standing on a platform trying to work out what’s going on with their train – in which case they’d almost certainly be using a smartphone. And copy and paste isn’t the easiest of things to do on a smartphone.

Someone in the National Rail Travel Alerts department is more than a little confused about how URLs in email work.

The post National Rail Travel Alert appeared first on Davblog.

cpan

WWW-Shorten-3.05

perl hacks

Training in London

For many years now a regular feature of my training calendar has been the annual public courses that I have run in London in conjunction with FlossUK. Normally these happen in February, but this year I had to postpone them as I was in the USA for a lot of February.

But FlossUK still wanted to do them, so we’ve arranged to run the courses in November instead. There will be two two-day courses which will be held at the Ambassadors Hotel in central London.

For full details (and soon, I hope, a booking form) see the FlossUK web site.


The post Training in London appeared first on Perl Hacks.

davblog

Free Web Advice: Marvel

It’s been a few years since I wrote a “free web advice” piece, but I got really annoyed by the Marvel web site this morning.

About a year ago I subscribed to Marvel Unlimited – a plan that gave me access to all of Marvel’s digital comics for about £40 a year. This morning, I got an email from them saying that my subscription was about to be renewed but that my credit card had expired so I should log on to my account and update my credit card details.

I went to log on and found that I had forgotten my password. So I used the “forgotten password” link expecting to get an email containing a link I could use to reset my password. Instead, I got an email that contained both my username and my password in plain text. If Marvel are able to send my password to me, then they must be storing everyone’s password in a readable format. It’s astonishing that a company the size of Marvel don’t understand just what an incredibly stupid idea that is. And sending both my username and password in the same email just compounds their error.

So that’s strike one – storing plain text passwords.

Having recovered my password, I was able to log on and found the page where I could give them my credit card details. But it looked like this:

Marvel Credit Card Maintenance Page

If you look closely, you’ll see that three fields – credit card type, expiration date and country – have captions, but no way to enter the required data. I’ve tried this page in both Firefox and Chrome and get the same results in both. I expect I’ll have to dig out a PC running Windows and try it on Internet Explorer as well.

I didn’t actually notice the missing fields at first. I just filled in the fields I could see and submitted the form. At that point I got an error pointing out what was missing. It’s interesting to note that the credit card type isn’t marked as required on the form (there’s no red asterisk next to it) but the error I got complained that it wasn’t filled in.

So that’s strikes two and three.
Strike two – always ensure that your web pages work on all the popular browsers.
Strike three – always mark your required data inputs accurately.

At that point I gave up trying to give money to Marvel. I poked around the site for a while to find a contact form. When I found it, it had the same problems as the credit card form – most of the input fields didn’t appear. Luckily, the contact page also gave an email address (that’s a really good idea that most web sites don’t follow). So I used that to report the problems. I’ll update this post if I get a response.

Interestingly, on my account page I was also given the option to upgrade my account. Apparently Marvel and I disagree on the meaning of the word “unlimited”. It’s not clear to me what extra benefits I could expect.

The post Free Web Advice: Marvel appeared first on Davblog.

perl hacks

Data Munging with Perl

Many years ago, I wrote a book called Data Munging with Perl. People were kind enough to say nice things about it. A few people bought copies. I made a bit of money.

Recently I re-read it. I thought that some of it was still pretty good. There were some bits, particularly in the early chapters, that talked about general principles that are still as relevant as they were when the book was published.

There were other bits that haven’t aged quite as well. The bits where I talk about particular CPAN modules are all a bit embarrassing as Perl fashions change and newer, better modules are released. Although it was still available from Amazon, I really didn’t want people paying for it as a lot of it was really out of date.

But today I got an interesting letter from the publishers, telling me that they have taken the book out of print. And that all the rights in the book have reverted to me. Which means that I can now distribute it in any way that I like. And people don’t have to pay a lot of money for a rather out of date book.

So, you can download a PDF of the book from http://perlhacks.com/dmp.pdf. Or I’ve embedded the book below.

I might even have the original documents somewhere. So if I get some spare time I might be able to produce a more reasonable ebook version (but don’t hold your breath!)

Let me know if you find it useful.

The post Data Munging with Perl appeared first on Perl Hacks.

perl hacks

Installing Modules

If you’ve seen me giving my “Kingdom of the Blind” lightning talk this year, then you’ll know that I’ve been hanging around places like the LinkedIn Perl groups and StackOverflow trying to help people get the most out of Perl. It can be an “interesting” experience.

One of the most frequent questions I see is some variant of “I have found this program, but when I try to run it I get an error saying it can’t find this module”. Of course, the solution to this is simple. You tell them to install the missing module. But, as always, the devil is in the detail and I think that in many cases the answers I’ve seen could be improved.

Most people seem to leap in and suggest that the original poster should install the module using cpan (advanced students might suggest cpanminus instead). These are, of course, great tools. But I don’t think this is the best answer to these questions.

In most cases, the people asking questions are new to Perl. In some cases they don’t even want to learn any Perl – they just want to use a useful program that happens to be written in Perl. I think that launching these people into the CPAN ecosystem is a bad idea. Yes, eventually, it would be good to get them using perlbrew, local::lib and cpanminus. But one step at a time. First let’s show them how easy it can be to use Perl.

In many of these cases, I think that the best approach is to suggest that they use their native package manager to install a pre-packaged version of the required module.

Yes, I know the system Perl is evil and outdated. Yes, I know that they probably won’t get the latest and greatest version of your CPAN module from apt-get or yum. And, yes, I know there’s a chance that the required module won’t be available from the package repositories. But I still think it’s worth giving it a try. Because in most cases the module will be there and available as a recent enough version that it will solve their immediate problem and let them get on with their work.

There are three main reasons for this suggestion:

  1. People in this situation will almost certainly be using the system Perl anyway. And the system Perl will already have pre-packaged modules installed alongside it. And installing modules using cpanminus alongside pre-packaged modules in the same library installation is a recipe for disaster. The package manager no longer knows what’s installed or what versions are installed and hilarity ensues.
  2. The pre-packaged versions will know about non-Perl requirements for the CPAN module and will pull those in as well as other required CPAN modules. One of the most common requests I see is for GD or one of its related modules. Your package manager will know about the underlying requirement for libgd. cpanminus and friends probably won’t.
  3. The user is more likely to be used to using their package manager. Teaching them about the CPAN ecosystem can come later. Let’s ease them into using Perl by starting them off with tools that they are familiar with.

I know that both Fedora/Centos/RHEL and Ubuntu/Debian have large numbers of CPAN modules already pre-packaged for easy installation. Let’s suggest that people make use of this work to get up and running with Perl quickly. Later on we can show them the power and flexibility that comes with using the Perl-specific tools.

Of course there’s then a debate about when (and how) we start to wean these people off the system Perl and pre-built packages and on to perlbrew/cpanminus/etc. But I think that having a community of people who are used to using CPAN modules (albeit in this slightly restricted manner) is an improvement on the current situation where people often avoid CPAN completely because module installation is seen as too difficult.

What do you think? Are there obvious errors in my thinking?

The post Installing Modules appeared first on Perl Hacks.


Powered by Perlanet