
Monday 30 September 2013

Cracked cracked

I go to cracked.com for the laughs. Some of what's there is quite funny. I went there today, and ... it's been cracked. Google warns me that people going there can have malware installed on their system without their consent.

I'm not too worried; it's people running Windows and/or Explorer that are usually the target. Even so, I didn't press on. Here's the Google page explaining

The web is full of snares and traps. I'm sure that cracked.com will sort this out fairly soon, but until they do, I'm holding off going there.

Playing bridge makes you angry

Ladysolly came home from her bridge game this afternoon, fuming. She is, apparently, playing against some very rabbitty players, and they make so many elementary blunders that they make her angry. She showed me some of them, and I commiserated. At one point, one of her opponents revoked, she got very upset when she found out, and said the "cheat" word, which wasn't right, because it was a mistake, and they got very upset at being called cheaters, and matters deteriorated. Words were Said.

She wants to play with someone good who improves her standard, and I know who she's hinting very strongly about. But I played a *lot* of bridge at college, and a bit afterwards, and I keep telling her I'm not going to. Been there, done that, I'd rather do other things.

New wheel

The back wheel on Bike.2 has developed a bit of a wobble; it's the bearings. Rather than submit it to the tender mercies of the Bike Shop, I decided to fix it myself. The method I chose was - replace the entire back wheel, plus gears and freewheel.

I did it this afternoon. I took off the old wheel, removed the tire and inner tube, inspected and cleaned them, and they seemed fine, put the same tire and inner tube on to the new wheel and put the new wheel onto the bike. It took me an hour or two, and it works fine now.

£25 for the wheel. No wobble!

Bread and circuses

Panem et circenses. Juvenal said it first.

Already long ago, from when we sold our vote to no man, the People have abdicated our duties; for the People who once upon a time handed out military command, high civil office, legions — everything, now restrains itself and anxiously hopes for just two things: bread and circuses

The modern equivalent? "Energy price freezes" and "Help to Buy" for the bread; TV for the circuses.

The energy price freeze will have two main effects. On energy prices, energy companies will put them up ahead of the freeze, and raise them again afterwards. On everything else - note that suddenly in the UK, a company thinking of investing here can't rely on being able to sell their products at the price that they think is right.

Help to Buy, of course, will mostly benefit the rich at the expense of the poor; the main effect will be to push house prices up.

The trouble is, it's extremely difficult for governments to do the right thing, which is, in most cases, to do nothing at all. The people have a problem, so government is expected to fix it. And when (as is nearly always the case) they can't, then instead they do something that looks like it might fix it, but which usually, because of the overwhelming effect of the side effects, actually makes things worse.

And I'm not going to discuss the quality of TV, because I'm not qualified to do so. I read "Heart Throb" by Ben Elton recently (recommended) which is a vicious satire on, I think, X Factor, or maybe on Come Dancing, or possibly another of the "talent" contests that I've never watched, and I was unable to appreciate much of it because I'm so totally ignorant of this kind of thing.

Groping in the dark - part 8

Update.

BMS have removed the CVC requirement from one of my accounts, now I'm waiting for them to remove it from the other.

Bucksnet isn't working again. They say it's either a problem with HSBC or with BT. It's been down for six hours and counting. At least their phone number works now.

Sagepay never did call me back to follow up my enquiry. I guess the poor darlings are suffering from too many customers. I'm not going to chase them.

Sunday 29 September 2013

To Silkingrad

Today, I went with ladysolly to Stevenage to do a ring that claimed to be 2 3/4 miles (ladysolly reckoned it's more like four). We found 18 caches, and I did one replacement. My leg was fine, and so was ladysolly's.

Saturday 28 September 2013

Liars and thieves

Are they all liars and thieves? Surely not all.

Last night, I saw Chris Huhne on the TV, pontificating about ... I wasn't actually listening. Climate change, I think?

It seems like only a few months ago that he was in prison for telling lies under court oath. Why on earth do the people who plan TV, think that he's a credible spokesman for anything whatsoever?

And while on the subject of climate change ... I think that a lot of people have the wrong end of the stick. "Save the planet" is nonsense; the planet will be just as happy with or without human beings. The issue is "save ourselves". And anyway, I don't actually think it's as black-and-white as that - things seldom are. If the average temperature becomes a few degrees warmer or cooler, and the sea level rises a couple of feet, the impact will be on costs.

A lot of things will get a lot more expensive; maybe a few things will get cheaper. Largish amounts of money will have to be spent on flood defences, because so many cities are at or near sea level. Think of London, for example. Some crops will give lower yields, decreasing the food supply, and increasing the price of food. Lots of people won't get enough to eat. The human population might fall a bit. There might be wars over resources, just like there always have been in the past. Maybe an increased number and severity of hurricanes on the US east coast.

It might actually be cheaper for us to take actions that stop this happening. But humans have never been much good at sacrificing short term benefits for long term advantages. We just rely on muddling through.

But the planet will continue to swim through space.

Friday 27 September 2013

New caches

My first new cache "who is" has been solved and found within hours of going live. The second one "Night mail" was too close to another cache, so I've moved it and resubmitted it.

Thursday 26 September 2013

Two new caches

Two new puzzle caches submitted.  Both of them in large buckets.

One of them contains a robot dog, plus controller, charger and manual; a present from a daughter several years ago. I haven't played with it for a long time, so maybe some kid can have fun with it. Also several hard drives, some working, some not.

The other one contains a bunch of stuff; several hard drives (some working, some not), several books and a little something to revive the tired parent.

They should be published soon.

Bike repairs

I replaced the motor controller, and the bike works again! While I had it in the repair workshop, I also raised the rear carrier; I had it as low as it would go to accommodate the battery rack, but now that I'm not using the battery rack, I was able to raise it an inch or so.
That meant a bit of drilling so that I could lock it in the new position.

I also put on a bracket for a rear light; longer nights are coming along. And I tested the idea of putting a powerful beam torch on my helmet; that works fine for the helmet that has air grooves. It won't work with the dome helmet that I prefer to use in cold weather.

The third thing I did, was to install a screamer. A screamer is an electronic device that screams at 110 decibels when you switch it on - it's great for burglar alarms, which was where I had used it before. Now, I combined it with a 9 volt battery, a reset switch from a broken DSL router and a couple of yards of bell wire, so now at the touch of the button, my bike can scream.

I have it in mind for the following situations:

1) Pedestrians on towpaths and similar tracks; when I'm coming up behind them, I like to give them a ding on the bell to warn them that a bike is about to whizz past. If there's more than one of them, they're usually walking side-by-side, so I need them to clear a path for me. If they ignore the ding, and the second ding, I can now give them a yell with the screamer.

2) Dogs. Some dogs love to play at chasing bikes. I don't really mind being chased, as long as they stay out of my way. But some dogs like to weave in and out in front of me, and risk being run over if they time it wrong. So maybe the screamer will deter that.

3) Cars. Some drivers get very angry that a mere bike is occupying THEIR road, and want me to go away. So they honk their honker at me. Now I can scream back at them.

Wednesday 25 September 2013

Grittleton Gadabout

Ladysolly said she'd be bridging till late today, so I went out for the first time in two weeks. I should have taken it easy ... but I didn't.

First, a ring of 18 on bridleways and byways called "Drew Grit", on the bike. I did several extras as I went round, including a 1 km excursion on foot, to see how the leg went. It went well.

Then, three caches from the end, the electrics on my bike stopped working. That's annoying, but not critical, as it means I still have a bike - it just means that I have to do *all* the work.

Back at the car, I had lunch, and thought about the afternoon. I'd planned on maybe doing a six mile circuit "Hiking Hullavington". I say "maybe" because I wasn't sure how my leg would work; remember, two weeks ago, I could barely shuffle across my hotel room to visit the en suite toilet because of my fall from the bike. But the one-kilometer test convinced me, so I set out.

By the time I finished, both thighs hurt and my back hurt. But that's just my usual exercise pain; the formerly bad leg was no worse than the other one.

53 caches done, no DNFs.

Back home, I had a look at the bike. I think the electronic controller has gone, and also a fuse in one of the batteries. That's a 20 amp fuse, which I don't have, so I ordered some from Ebay.

As it happens, I have a spare controller, because I had to get a new one to control the wheel motor that I got from Alienocean, that doesn't have sensors. So tomorrow, I'll put that in, to see if it works.

And since that leaves me without a spare controller, I ordered one on Ebay, they're only £20. And then I had a thought. The back wheel on that bike is getting increasingly wobbly; the problem is the bearings. I know I could take it to the bike shop and get them to fit new bearings, although they might say it needs a new hub too, plus fitting, and it'll probably be cheaper to buy a whole new back wheel rather than pay the labour cost of threading the spokes, and I'll be lucky to have much change from £100.

But while I was on Ebay, I had an idea. Suppose I buy a new back wheel, with 7-speed gears and freewheel? Which turns out to cost only £26.49. I'll put on one of my super-thick thorn-resistant inner tubes, and a kevlar tire, and that gives me a new back wheel, without wobble!

No word from BMS re the CVC issue.

Weight report 64

15 stone, 6 pounds

Tuesday 24 September 2013

Groping in the dark, part 7 - almost there?

Now that it seems to work in the "test" environment, it's time to try it out in the "production" environment. But first, of course, a test, using my thing that will let me bill just one card.

With the billing in dollars, I got the pesky "Some of the data entered is incorrect" message. With the billing in Sterling, I got "CVC missing at input, but CVC check requested".

BMS tech support told me that the dollar problem was that I was giving the wrong password. So I changed that, and now I get the "CVC missing" message. Progress.

Here's the problem.

I bill from my database, just like Amazon and PayPal and (I'd guess) a zillion other people, where you gave them your credit card once, and they use it for you from now on. But the PCIDSS (payment card industry data security standard) says that you're not allowed to store the CVC, not nohow, not even encrypted. At least, that's what I think it says. So I don't. Which means I don't have the CVC.

In the "test" environment, CVC isn't mandatory, but in the "production" environment it is. BMS tell me that they're going to ask the product suppliers (that's Ogone) to "see if we can get this rule removed".

If they can, it looks good. If they can't? I have no idea.

Sunday 22 September 2013

Pointless

Ladysolly and I went out today to a pub quiz in the style of "pointless", a quiz show I've never seen.

We were knocked out in the first round, but that didn't matter because we'd have been knocked out in every round after that. My knowledge of Max Headroom and the 2010 England football team isn't merely limited, it's zero.

I feel appallingly ignorant.

Still, it was quite fun.

Philips shaver head

One of the three heads on my Philips rotary shaver is damaged. So, a replacement?

I looked at Philips web site. They come in sets of three for £30 or so, depending on the model. So I looked at my shaver, and although there's *loads* of information printed on it, such as "Mappin and Webb" and "Reuters", all of whom I guess are paying for the advertising (although why I would buy anything from Reuters because their name is on my shaver, I can't imagine), there's nowhere on the shaver that gives you the model number. Unless you click open the hair trimmer, which I did in a moment of inspiration, and found HQ 7390. Which isn't listed on the Philips site.

On Amazon, I find "HQ6 heads fit the razor types: 74--, 76--, 78--" but I'm 73--.

Further investigation gets me "Philips Norelco HQ8 Sensotec Spectra (3 Pack) For Use With Philips Shavers: 7100 Series, 7200 Series, 7300 Series" for £28.90. Shavers.co.uk offer a three-pack for £30.

A new Philips HQ6925 rotary shaver costs £35. That comes with three heads, as well as all the electrics motors and stuff.

Well.

So I went to the DealExtreme web site, which specialises in offering goods from China.

I ordered a GUANGKE reciprocating shaver, washable, lots of good reviews, $11.60 which is £7.25, postage is free, and I know it's a good shaver because I already have one that works fine and I'm buying this one because if the one I have stops working, it takes over a week to ship something from China. But I could buy five of these for the cost of the Philips replacement heads (if you buy five, they're $10.12 each).

It's just as well that companies in the UK are so good at providing services, because they certainly can't compete on manufactured goods. Heaven help us if the Chinese ever find a way of providing a better level of service than the UK companies that offer credit card processing services.

Saturday 21 September 2013

Sagepay and Bucksnet

The alternative people I was considering for card processing were Sagepay and Bucksnet.

I called Sagepay, they said they'd call me back the next day, and they didn't. I guess they have too many customers and don't want any more. I'm not going to nag them.

So what about Bucksnet? Well, as I explained, I already do a small amount of business with them, and every day I send a small number of transactions their way.

I tried to do my usual Bucksnet transactions tonight, and they all failed with "Invalid parameters". I've had that before with them, and I think it means their server is down, or incommunicado, or something serious like that.

So I tried to tell them. The out-of-hours number I had for them, no longer works. The number on their web site is  01296 432486 and all I get is the "All of our representatives are currently busy, you are first in line" which I could listen to for hours if I wanted to. I sent a message via their web site, and I emailed the guy who most recently emailed me.

2 1/2 hours later, it was still out of action, and I don't even know whether they know about it, and I have no way of telling them.

This is what happens when you try to run a business that needs to be open 24/7 (because at least one of their credit card processing customers is right now unable to do billings, and is unable to tell Bucksnet that they have a problem) and you don't have any way for your customers to get in touch with you except by sending an email.

Oh, and when I try to log on to their server at https://secure.bucks.net/PaymentGateway/ which (I guess) is their Payment Gateway, I get "An error occurred processing your request:
Required parameters missing or invalid". And there's no place to give a username or password, so that can't be the issue.



 ... later ...

It looks like the Bucksnet problem wasn't global, it was just me. Because I couldn't log on to their server to see my statistics and reports, I had asked them to give me a new password. The password they changed, was the one that I use for server-to-server transactions, and that's why they all failed.

Being unable to get to them by phone compounded the problem.

I tried putting the new password into my software, but because the password includes a ( the program is deeply unhappy, and complains about a ( that doesn't have a ). So I've asked them to change the password again.


Some of the things that banks don't tell you about the credit card system.

If you cancel your card, you can still be billed. That surprised me, too.

If you (a merchant) get an AUTH code for a billing, that should mean that the card exists and has sufficient funds (but doesn't guarantee payment). Actually, it means nothing, because a bank can decide to "stand in" for another bank and give an AUTH code even though no-one even checked that the card exists. I know this because I've had billings reversed because the "card doesn't exist" even though I had an AUTH code.

Speaking to someone in the bank about AUTH codes, he told me that they are always six digits. Cobblers. They are always six alphanumeric characters, but not always six digits. And I wouldn't even rely on the six.

You see your card number as a password to your money. The banks don't - they see it as an account number. That's why, although banks keep telling us to change our passwords frequently (and even enforce this), they don't change your card number, even when you get a new card because the old one expired.

So is there a password? Well .... no.  I can bill a card without knowing the three digits on the back of the card, and without knowing a four-digit PIN number, and without me having physical access to the chip embedded in it. This isn't because I'm doing anything clever, it's just the way it is. So - you need to keep your credit card number as secret as a password, even though the banks don't see it that way.

Some of the digits on your card are well-known. For example, if you're a Barclays customer, the first four digits of your card are 4929. So if someone knows (or guesses) that you're a Barclaycard holder and tells you the first four numbers on your card, that proves nothing whatsoever, and you shouldn't assume that they know the rest.

Banks randomly decline your attempts to spend your money. They have a "fraud-detection" system, which seems to go off without any obvious reason, leaving you embarrassed in front of whoever you were about to pay. You can see why they do this, and they think it's a great idea, but when you're trying to explain to a headwaiter why you can't pay your dinner bill, it's not so funny. That's why I always carry enough cash hidden somewhere (I'm not going to tell you where) in case that happens to me while I'm buying petrol or something.

Gift cards can be a problem. There can be unexpected charges levied, so things cost a bit more than you expected when you use it, there's lots of situations where gift cards just don't work, and some of them have an expiry, so that if you haven't spent every single penny of the money, it goes back into the bank's pockets. Oh, and if the gift card comes from a company that goes into administration or bankruptcy, you lose the lot.

When I phone my bank to talk to them about stuff, they want to take me through a security check, to verify that I really am me. Usually, they ask for the sort code of my bank and my account number. The reason why this is stupid, is that everyone I've ever sent a cheque to, has this information. It's not a secret.

And one very very good thing about credit cards. If someone, anyone, bills your card and you know that this was fraudulent, you tell your bank, you fill in a form that swears to this, and you get a full refund. It's called a "chargeback", and the money is snatched back from the people who billed you.

Groping in the dark, part 6 - the broad sunlit uplands

I've sorted out the parsing of the return from BMS; the program has to decide whether the answer it gets back means that the card was successfully billed, or not. You'd think that would be easy, but again I ran head-on into a thicket of contradictory and absent documentation.

Here's a useless but interesting fact.  The code I use to mean "Card approved" is 0111800. This random-looking collection of digits is a fossil. My billing system has been through many incarnations; Barclays, Royal Bank of Scotland, Nat West (because RBS took them over), Commedia and then back to Barclays, with a side-order of Streamline. Somewhere along that lot, one of them was using 0111800, so I started using it, and I've just never changed it to the more obvious value of "0".  Why so many changes? Because when I'm someone's customer and they start making life difficult for me, or think that as I'm tied to them they can hike up the prices, it's Goodnight Gracie and suddenly they lost a customer.

The four links that should have led to the definitive list of error codes, just don't work, and the information in part 3.2 of the IGSSS manual is contradicted by the example given a couple of inches above it.

But I did a bit of Googling, and there's some code publicly available, which I suspect at least one of the companies that has it didn't mean to make publicly available, but I don't know that, so I'm not breaking the law, which gave me a bit of help. I've emailed BMS tech support with the additional documentation issues.

But.

I now think that I've got working, on their test platform, one of the three programs that I need to convert, the billthedoubtfuls.cgi. And the other two will be a doddle, I'll just copy what I did for billthedoubtfuls.cgi. But before I do that copying I want to check that my parsing of the response from BMS is correct, and for that, I need the full and accurate documentation.

So!

If anyone is struggling with Barclays Merchant Services DirectLink, or indeed any Ogone-based system, I can offer help, although my daily charging rates are eye-wateringly high because making sense of this stuff is head-achingly difficult.

Groping in the dark, part 5 - a glimmer of light

I did a GET from Firefox to the BMS server that merely echoes back the data you send it, and that worked. But that isn't getting anything processed, so I went to bed last night rather down, and lacking in any ideas on how to make progress.

This morning, I checked my email, and Tom Anderson, of BMS tech support, suggested that I try doing a GET to the test server for processing payments. So I tried that from Firefox, and wow, it worked! For the first time, I got a response that wasn't "Some of the data entered is incorrect. Please retry".

So I thought about this a bit, and it pointed a way forward. I could use lynx (a command line browser in Linux) to send a GET, and then parse the response. I tried it, and I didn't have lynx on DATA1. So I Yummed, and lynx installed, and I tried it using lynx, and it didn't work, except that the BMS server wanted to install a cookie, which I allowed, but no response after that. So I thought a bit, and I thought, well, if not lynx, which is a very old bit of software, maybe something else? I tried elinks, and HEY! It worked! For the first time, I was able to squirt a package of billing data (using the card 4111 1111 1111 1111) to the BMS test server from DATA1 and I got back a response that I could use.

So I was thinking, I can spawn an elinks from my perl program and work with the data I get back, which is a less elegant solution than using LWP (which lets you emulate a browser from within a perl program), but hey, as long as it works, I can live with inelegance. But then I thought, why isn't LWP working when elinks works? So I did an access with the package of data to one of my servers from elinks, and saw what was received (by looking at the server log). And then I did the same thing with LWP, and what was received was ... nothing at all! It saw the access, but not the data package. What the hell? Remember, this all worked fine with the old BMS system.

So I changed the url that I was accessing from

https://mdepayments.epdq.co.uk/ncol/test/orderdirect.asp

to

https://mdepayments.epdq.co.uk/ncol/test/orderdirect.asp?$carddata

(where $carddata is the package of data, including the card number, expiry date and so on).

Previously, I was putting the package of data into the content of the request. I still don't know why that wasn't working, but this new way? Totally worked!
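Data placed in a URL query string is recorded in web-server access logs as part of the request line, whereas a request body normally is not. The following is an added example, not code from the original post: it scans access-log lines for Luhn-valid card numbers in query strings and returns a masked copy. The log lines, path and parameter names (`cardno`, `ed`, `orderid`, `ref`) are constructed sample values; only the test card number comes from the post.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Sep/2013:09:14:02 +0100] '
    '"GET /pay/order?orderid=A1001&cardno=4111+1111+1111+1111&ed=1015 HTTP/1.1" 200 312',
    '192.0.2.10 - - [21/Sep/2013:09:14:09 +0100] "POST /pay/order HTTP/1.1" 200 298',
    '192.0.2.11 - - [21/Sep/2013:09:15:40 +0100] '
    '"GET /report?ref=1234567890123456 HTTP/1.1" 200 77',
]


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text):
    """Mask Luhn-valid card numbers as first 6 + stars + last 4.

    Returns (masked_text, number_of_card_numbers_masked). Digit runs that
    fail the Luhn check (order ids, references) are left untouched.
    """
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()
        count += 1
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

    return PAN_RE.sub(repl, text), count


def scrub_line(line):
    """Return (scrubbed_line, names_of_query_fields_that_held_a_card_number)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    pairs, hits = [], []
    # parse_qsl decodes %20 and '+' so spaced card numbers are seen whole.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        masked_name, n_name = mask_pans(name)     # covers a bare "?4111..." query
        masked_value, n_value = mask_pans(value)
        if n_name or n_value:
            hits.append(masked_name)
        pairs.append((masked_name, masked_value))
    if not hits:
        return line, []
    target = urlunsplit(parts._replace(query=urlencode(pairs, safe="*")))
    return line[:m.start("target")] + target + line[m.end("target"):], hits


def audit(lines):
    """Scrub every line; return (scrubbed_lines, indexes_of_lines_with_card_data)."""
    scrubbed, flagged = [], []
    for i, line in enumerate(lines):
        clean, hits = scrub_line(line)
        scrubbed.append(clean)
        if hits:
            flagged.append(i)
    return scrubbed, flagged


if __name__ == "__main__":
    clean_lines, flagged = audit(SAMPLE_LOG)
    for line in clean_lines:
        print(line)
    print("lines containing card numbers:", flagged)
```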

So, now I can read data from my database, assemble it into the format that BMS DirectLink wants, send it to their server, and get back a response that I can parse to determine success/failure of the billing; if it's success then the AUTH code (if you don't know the AUTH code then the bank can reverse the billing on the grounds that you didn't get an AUTH code, which happened to me once but I was able to tell them the AUTH code). Not that the AUTH code does anything. It doesn't mean that the billing is authorised, which is what many people think it means. It doesn't mean that the card number exists and has sufficient funds, which is what the banks think it means, because I've had cases where I've gotten AUTH codes when the card didn't actually exist. All it means is that someone along the chain of banks that pass this data along, has assigned an AUTH code. But I digress. If the billing fails then it tells you why, which, in my experience, is one of two reasons. "DECLINED" means you didn't bill the card, and we aren't going to tell you why, and "RETAIN" which means you didn't bill the card, and don't give the card back to the customer. Which for electronic transactions is, of course, nonsense. I think it means "Card is reported stolen".

Anyway.

What this means is that I now have a basis for finishing this project. I still have a fair amount to do; I have to convert three programs from the old style to the new (including changing the parsing of the results), and test them, then get the production server enabled, then try all this on the production server, then, with trembling fingers and bated breath, move over entirely to the new system.

And hope that BMS don't decide to change it all again next year.

Friday 20 September 2013

Groping in the dark, part 4

So I've made a new version of billthedoubtfuls.cgi, and using the test card number, I tried to run it. After several attempts when I got no answer whatsoever from the BMS server (because of a wrong URL got from the mistaken page in the documentation, or the wrong port), eventually, I got a response.

Hurrah!

The response is "Some of the data entered is incorrect. Please retry."

Sigh.

So I googled that. And I decided that I had to change my BMS setup.

Actually, I have eight, count them, eight accounts. There's test and there's production. There's dollars and there's sterling. And there's the admin user, and the ordinary user.
So I went into a flurry of calls to BMS front line support, because if there's one thing that any front line support can deal with, it's password issues. Each time I call, by the way, they ask for my name, my merchant number, and then as a security check, they ask for something that only I can know. My bank sort code and my bank account number. Which is, of course, on every cheque that I send out, so not really very secret, is it? But they're a bank, poor lambs, and shouldn't really be expected to know anything about security.

So eventually, I got all eight of these set up with passwords that I could remember, and tried again. "Some of the data entered is incorrect. Please retry."

This has got to be one of the worst error messages in the world. It tells you nothing useful. The only good thing about it is that it's so ungrammatical that when you Google it, all the hits are for the Ogone software. And none of the hits are of much use.





IGSSS, paragraph 2.2.2 suggested that I have to tell BMS the IP addresses of the servers that are sending it data. Actually, they suggest you go to the "data and origin verification" tab, and the tab is actually "data and origin" and then they send you to "Checks for Direct Link" when they actually mean "Checks for Barclaycard Direct Link and Barclaycard Batch (Automatic)".
And there I put in the range of IP addresses that I'm coming from. On the same page, there's a line for SHA-IN pass phrase, and that turned out to be a lure and a delusion, because I filled that in, because it has it twice on that page, once for "Checks for e-Commerce" because it said in big red letters that I had to, and once for  "Checks for Barclaycard Direct Link and Barclaycard Batch (Automatic)" because it seemed like a good idea.

Which it wasn't.

Because then I had to code up a SHA-1 checksum using that passphrase, and I had to sort the elements into alphabetical order before computing the SHA, and then I had to send the SHA with the data for each transaction. BMS provided a handy page so that I could make sure that my computation of the checksum agreed with theirs, which it did after I wasted about an hour thinking it didn't when actually the problem was I had a leading space before the string that I gave to their test page, but once I sorted that out, my computed checksum agreed with theirs.
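The checksum step described above, as an added example that is not the author's code: it assumes the Ogone SHA-IN layout of upper-cased `NAME=value` pairs, each followed by the passphrase, sorted by name and hashed with SHA-1, with empty fields left out. The field names, values and passphrase are constructed sample values; the whitespace check targets the leading-space mistake the post mentions.

```python
import hashlib
import hmac

# Constructed sample order and passphrase (assumptions, not real credentials).
SAMPLE_ORDER = {
    "orderid": "TEST-0001",
    "amount": "1500",
    "currency": "GBP",
    "pspid": "examplepsp",
    "com": "",            # empty: must not contribute to the checksum
}
SAMPLE_PASSPHRASE = "constructed-passphrase"


def string_to_hash(params, passphrase):
    """Build the pre-hash string: NAME=value<passphrase>, sorted by NAME.

    Names are upper-cased so the result does not depend on the caller's
    spelling; two names that collide after upper-casing are rejected rather
    than silently overwritten.
    """
    fields = {}
    for name, value in params.items():
        if value is None or str(value) == "":
            continue
        key = name.upper()
        if key in fields:
            raise ValueError(f"duplicate field after upper-casing: {key}")
        fields[key] = str(value)
    return "".join(f"{key}={fields[key]}{passphrase}" for key in sorted(fields))


def sha_in(params, passphrase):
    """Return the SHA-1 checksum of the pre-hash string as upper-case hex."""
    data = string_to_hash(params, passphrase).encode("utf-8")
    return hashlib.sha1(data).hexdigest().upper()


def stray_whitespace(params, passphrase):
    """List inputs with leading/trailing whitespace.

    Whitespace is hashed like any other byte, so one stray space gives a
    checksum that never matches the gateway's.
    """
    bad = sorted(
        name for name, value in params.items()
        if isinstance(value, str) and value != value.strip()
    )
    if passphrase != passphrase.strip():
        bad.append("<passphrase>")
    return bad


def matches(params, passphrase, received):
    """Compare a received checksum with ours in constant time, ignoring case."""
    ours = sha_in(params, passphrase).encode("utf-8")
    theirs = received.strip().upper().encode("utf-8")
    return hmac.compare_digest(ours, theirs)


if __name__ == "__main__":
    print("string to hash:", string_to_hash(SAMPLE_ORDER, SAMPLE_PASSPHRASE))
    print("checksum      :", sha_in(SAMPLE_ORDER, SAMPLE_PASSPHRASE))
    # The same order with a leading space in front of the passphrase.
    print("with space    :", sha_in(SAMPLE_ORDER, " " + SAMPLE_PASSPHRASE))
    print("whitespace in :", stray_whitespace(SAMPLE_ORDER, " " + SAMPLE_PASSPHRASE))
```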

 "Some of the data entered is incorrect. Please retry."


So then I found their  "Create a test payment with Barclaycard Direct Link" page

 https://mdepayments.epdq.co.uk/Ncol/Test/testDPR.asp

And that lets you give a fake transaction and see if it works. Which it didn't. Because it was failing the SHA test. And it was failing it, because there was no way to tell the test page to compute the SHA.

So I called BMS tech support for a bit of help, and while the support guy was talking, he happened to mention about users needing to be given API access. Which means that unless I send the data with a username that has API access, no chance. So I gave a user API access.
 
"Some of the data entered is incorrect. Please retry."

So I removed the SHA from my BMS setup and tried another transaction on the "Create a test payment with Barclaycard Direct Link" page. Which worked!!! That's encouraging, but what I need to do is send it from my server DATA1 to their server, and when I tried to do that, I got ...

"Some of the data entered is incorrect. Please retry."

If they gave me some clue about what their system thinks is wrong, that would be *SO* helpful. But they don't. And, I think, they can't because BMS didn't write this system, it's just bought-in (or leased or hired or something).

So I phoned BMS support, and got a call back from Tom Anderson. He's very helpful, but by the time I'd gotten my call back from him, I'd solved a lot of the problems (see above). Or have I? All I know is that I started off getting  "Some of the data entered is incorrect. Please retry." and now I'm getting "Some of the data entered is incorrect. Please retry."

The BMS setup also  asks for the referring URL that calls the orderstandard.asp page, and I gave it a URL, and I told my billthedoubtfuls.cgi to give the same referer, but that's for "e-Commerce", and I'm using "Direct Link", so I doubt if that's going to help. I checked that the referer was appearing correctly by using billthedoubtfuls.cgi to access one of my servers and looking at the log, and it did, so I tried it on BMS.

"Some of the data entered is incorrect. Please retry."

I emailed the data string that I was using for testing to Tom, he looked at it, and says it's OK. So the problem isn't actually the data entered, it's something else. And I think I've run out of ideas to try.

So - I don't think I need a SHA, but I can't be sure, and I'm set up to compute one if I need to, but I'm currently not using it. I don't think I need a referer, but I've got one set up anyway. I've told it the IP addresses that I'll be using. I'm using the test system. And still ...

"Some of the data entered is incorrect. Please retry."

And I think I've run out of ideas to try.
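One way the SHA check discussed in this post can be computed locally, assuming the Ogone-style SHA-IN rule (upper-cased field names in alphabetical order, each NAME=value followed by the secret passphrase, empty fields left out, SHA-1 unless another algorithm is configured). This is an added example, not the author's billthedoubtfuls.cgi and not BMS code; the passphrase, PSPID, order values and function names are constructed, and the exact field rules should be taken from the integration guide.

```python
import hashlib
import hmac


def normalise(fields):
    """Upper-case the names, stringify the values, drop SHASIGN and empty values."""
    out = {}
    for name, value in fields.items():
        name, value = name.upper(), str(value)
        if name != "SHASIGN" and value != "":
            out[name] = value
    return out


def string_to_sign(fields, passphrase):
    """NAME=value followed by the passphrase, for every field in name order."""
    clean = normalise(fields)
    return "".join(f"{name}={clean[name]}{passphrase}" for name in sorted(clean))


def sha_sign(fields, passphrase, algorithm="sha1"):
    """Upper-case hex digest to send as SHASIGN."""
    data = string_to_sign(fields, passphrase).encode("utf-8")
    return hashlib.new(algorithm, data).hexdigest().upper()


def signature_ok(fields, passphrase, algorithm="sha1"):
    """Receiving side: recompute the digest and compare in constant time."""
    claimed = ""
    for name, value in fields.items():
        if name.upper() == "SHASIGN":
            claimed = str(value).upper()
    return hmac.compare_digest(claimed, sha_sign(fields, passphrase, algorithm))


# Constructed sample order. Assumption: every non-empty field that is sent
# is covered by the digest. CVC is empty here, so it is left out of the hash.
PASSPHRASE = "example-sha-in-passphrase"
ORDER = {
    "PSPID": "exampleshop",
    "USERID": "apiuser",
    "PSWD": "not-a-real-password",
    "ORDERID": "TEST0001",
    "AMOUNT": "1500",
    "CURRENCY": "GBP",
    "CARDNO": "4111111111111111",   # the test card number quoted in the post
    "ED": "1215",
    "CVC": "",
    "OPERATION": "SAL",
}


def demo():
    """Return (untouched, amount changed in transit, wrong passphrase)."""
    signed = dict(ORDER, SHASIGN=sha_sign(ORDER, PASSPHRASE))
    tampered = dict(signed, AMOUNT="150000")
    return (
        signature_ok(signed, PASSPHRASE),
        signature_ok(tampered, PASSPHRASE),
        signature_ok(signed, "a-different-passphrase"),
    )


if __name__ == "__main__":
    print(string_to_sign(ORDER, PASSPHRASE))
    print(sha_sign(ORDER, PASSPHRASE))
    print(demo())
```

Printing the string that gets hashed is the useful part when the remote side only answers with a generic error: a wrong passphrase, a different algorithm setting or one extra field all change the digest.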



Groping in the dark, part 3

I started off with a program I wrote called "billthedoubtfuls.cgi". When a card fails an attempted billing, and fails a couple of retries, it becomes what I call "doubtful". Also when a card is used for the first time and fails to be billed. Most of these are caused by excessive caution on the part of the bank - some American banks seem to think that any billing from any foreign country is likely to be fraud, and for a reason I don't understand, they count UK as foreign. Which, of course, we're not, it's them that are foreign. Anyway, "billthedoubtfuls.cgi" is a mechanism for billing the very few cards that are submitted for billing, which are already in the doubtful category. Actually, the word I use is a lot stronger than "doubtful". Never mind.

I set up a file containing suitable fictional data, using the card number 4111 1111 1111 1111 which is the card number that is universally used for testing. And then I created a new version of billthedoubtfuls to try the billing. My working documentation was "ePDQ technical MPI reintegration guide" (ePDQTRG), which was written by BMS to help people like me who are trying to migrate from the old system to the new one. It explains that the old ePDQ MPI (I have no idea what that stands for) is going to be replaced by DirectLink.

It says that "the integration is less complex". I don't think so.

So, page 5 of ePDQTRG is entitled "What do I currently send to ePDQ MPI". And it gives a sample. But the sample omits the "CLRCMRC_XML" that you have to put in the front (I can't remember why, or how I discovered that) and it omits the "<?xml version="1.0" encoding="UTF-8"?>" that follows it. That's stuff that I call "throat-clearing", before the meat of the data is sent. And it's sent to port 11500.

So when I turned to page 7, and there was no "throat-clearing", I thought, maybe they've forgotten it here, too. Also, on page 5 they give as their example transaction type "auth", which means "Authorise and make a sale". On page 7, they translate that to "auth", which (I think) doesn't mean the same thing in the new system, what I actually want is "SAL" meaning Sale. And on page 10 of ePDQTRG it definitely says that the old Auth translates to the new SAL.

So then, where do I send this data, and using what port? It tells me to send it to https://payments.epdq.co.uk/ncol/prod/ and it doesn't say which port. And that turns out to be *SO* wrong. It turns out that they should have said:

https://payments.epdq.co.uk/ncol/prod/orderdirect.asp

But even that is wrong.

The next documentation that I got hold of was "Integration Guide for the Server-to-Server Solution v 4.3.3" (IGSSS). Part 3.1.1 gives the correct URL. Actually it gives two.

Production environment:    https://payments.epdq.co.uk/ncol/prod/orderdirect.asp
Test environment:    https://mdepayments.epdq.co.uk/ncol/test/orderdirect.asp

I started off using the Production environment. After all, I'm using a test credit card, and I expect it to be refused. And I wasted a lot of time on this before I finally realised that, actually, BMS haven't enabled the Production environment for me, and won't until I've got everything working using the Test environment. And test and production are on different servers, I guess, so I have different userids and passwords for each. So I stopped trying to get the production working, and just worked on the test.

As you can see, thus far I've made very little progress. Mostly, I've just been distracted by contradictory documentation, and wrong information. And, of course, when I called BMS for tech support, I can only talk to front line tech support (who, of course, know very little), and they can ask the real tech people to call me back, which happens within 24 hours.

A 24 hour turnaround for questions when I'm trying to write software? I'm groping in the dark.

So I made a list of questions. For example, the IGSSS says that CVC (the three digits on the back of your card) is "mandatory", but PCIDSS rules say you're not allowed to store the CVC, so I don't. So I can't give it.

Groping in the dark, part 2

First, the firewall. I started off with "Firewall configuration for the Transaction Platform Traffic", a slender 1-page document that tells me which ports and which IP addresses I have to allow.

And that gave me the first set of problems. The server that handles this stuff (called, imaginatively, DATA1) is behind a firewall, a "Sonicwall". And the Sonicwall firmware for the device I use only allows 20 firewall rules, which is really puny. I guess they want me to buy their heavyweight model.

But from the documentation, it looked like I had to allow inbound traffic from four IP addresses to two ports, and outbound traffic from two ports to four ranges of IP addresses, and the poor little Sonicwall wasn't going to be able to handle so many rules.

So I swapped the Sonicwall for a Cisco Pix, which doesn't have a silly limitation like that.

And then I couldn't contact DATA1. Eventually, I realised that, as I'd changed the firewall, it had a different IP address, so I had to change the gateway address for DATA1. Then I found that I could contact DATA1 but only from some computers, and it was a while before I realised that I had to flush the ARP cache, and now I could log in to DATA1.

And then I couldn't get DATA1 to contact the outside world. It could do that when it was behind the Sonicwall, and other servers connected to the same firewall could contact the outside world, but this one could not. And I never did work out why. I spent a good few hours fighting this, before finally deciding to put DATA1 behind a different Pix (and change the Gateway, and the Hosts file, and flush the ARP) and then it worked. I could contact the outside world. Hurrah.

So then I told the Pix to allow access from the four IP addresses and two ports to DATA1, and to allow stuff outbound, and at last, AT LAST, I was ready to tackle the real job.

Now I needed to write the code to format the data for a billing and send it to the BMS server via the right protocols.

Groping in the dark, part 1

Barclaycard Merchant Services (BMS) have decided to abandon their old system for accepting payments, and are bringing in a new system. Ugh.

When I started doing billings, the whole idea of ecommerce was so new, they had no clue. What they wanted me to do, was print each transaction out on a piece of paper, and march down to the bank with it, and they'd key it all in and do the transaction. I persuaded them that I should put 20 per page, otherwise the cost of paper would have been appalling. So that worked for some years, except when they lost a batch (I had a signature for it from the bank, but they managed to lose it after they'd accepted it). They only discovered this several months after they lost it, which meant I couldn't rebill the people, who would have rightly wondered why I was billing them and would have disputed it. I managed to persuade the bank to take the loss, since it was entirely their fault.

Then things got a bit electronic. For a while, I was using ftp to send a file for processing (and, as you know, nothing is encrypted as it goes on its merry way). But then they got a bit more clued up, and realised that the way to go was to use https to send stuff, so it's end-to-end encrypted.

So, for the last several years, I've been using the Barclays Merchant Services ePDQ system. Each transaction is squirted to them via https, and I get a response back to tell me if the billing was successful or not.

And then a few years back, they decided that I had to conform to the PCI DSS (Payment Card Industry Data Security Standard) which was a bit of a pain in the arse, but a couple of weeks installing new hardware, and programming, and writing documentation, got me past that.

Happy days.

But now they want to use a different system, that they've bought in (or licenced, or something) from Ogone. It's called "Direct Link".

The first I heard of this was by accident - I called about something else entirely, and heard of this change. So I explained to them, that what they really ought to do, is set up something so that their customers could continue to send stuff to the old server, using the old protocols and format, and they could translate this to the new format, and pass it on to the new server. So they'd have to do a conversion program, as distinct from each of their customers having to do the job.

They've explained to me several times why they aren't going to do this. Each time, what I hear is "We'd rather our customers, if indeed they want to remain our customers, do this big job, than we do it". That isn't what they actually say, of course. But it's what I hear. This sounds silly to me. My view is, each time you put up a barrier to someone remaining your customer, you lose a percentage of your customers.

I do have other options. I could send my data via Bucksnet; I already use Bucksnet, so I already know their format and protocols, so it wouldn't be a big job. But they are more expensive, being a middleman - 20p per transaction on top of what I'd be paying BMS. And Bucksnet refuse to do phone support, which I can sympathise with, but I really don't like dealing with companies that won't let me talk to them on the phone. Another possibility is Sagepay - I phoned them, and they said they were going to call back, but didn't, and if they're that casual about getting new business, what would they be like with supporting a customer? And I'd have to make my data conform to their format and protocol.

So I decided to give Barclays Merchant Services' new system a whirl.

This call is costing you ...

I found another great way to handle the people phoning me to get me to make an accident claim, or claim a PPI refund. One called me yesterday, and I tried it out. He launched into his script, but I interrupted him immediately to say:

"I am legally required to inform you that you have called a premium number which will be charged at 95p per minute."

"What?" he said.

So I repeated myself, more slowly, followed by "Now please continue with what you were telling me."

He hung up on me.

Wednesday 18 September 2013

Relay on the Pi

It was Martin Oldfield who clued me up on this - you can get a little relay for about £1 that you can connect to a Raspberry Pi's GPIO pins, and use it to control mains voltage at ten amps.

Here's the relay (you can also get two, four and eight channel relays).

Here's the wiring:

    Pi                                    Relay Board

                                      +------------------+  Switched
    -------+                          |                  |  contacts
       . o | <-- 5V --------- Vcc --- | o              . |
       . . |               -- IN1 --- | o              o | <----
       . o | <-- Ground - / - GND --- | o              o | <----
       . . |             /            |                  |
       . . |            /             +------------------+
       . o | <-- GPIO 18
       . . |
       . . |
       . . |
       . . |
       . . |
       . . |
       . . |
           |
           |
 
And here's the code to control the relay:

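cd /sys/class/gpio
echo 18 > export        # expose GPIO 18 as /sys/class/gpio/gpio18
cd gpio18
echo out > direction    # configure the pin as an output
echo 1 > value          # drive the pin high
echo 0 > value          # drive the pin low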


Simples! I tried it, and it worked fine.

I think it's pretty obvious how you extend that to control multiple relays.

Monday 16 September 2013

Stitched up like a kipper.

This happened nine years ago. My computer got taken over. Stitched up like a kipper.

What happened, was I accessed theregister.com, a tech news site run by some good people who are UK-based. I read it pretty much every day, as a good way to keep up with what's going on.

So, one day, I went to the Reg to read the news, using my Windows 98 computer (which tells you something about how long ago this was) and bish-bash-bosh, as soon as I accessed the page, lots of things happened, and my computer told me that there was a problem. I don't recall the exact message, but I seem to remember that the gist of it was that I needed to spend £40 on some software to deal with this problem. Like hell I will! It's not that I would refrain from forking out £40 for something useful, it's that my first thought was, they're trying to sell me something that is probably malware, to get rid of the malware they just saddled me with?

It turned out to be an iframe exploit that did the installation of the nasty, and it came not from the Reg itself, but from the adverts on the site, which are hosted by an advertising company. Bottom line - this was a perfectly serious and respectable site, and I got stitched up like a kipper.

I spent half an hour trying to get rid of it by deleting stuff, but it kept coming back. I suppose I could have done a proper analysis of what was going on, but reverse engineering stuff like this can be very time consuming, and I decided it wasn't worth the effort in order to clean up just one computer. Because there was another way. I zapped the hard drive. That means, not just formatting it, it means writing zeroes on every sector, so that you're starting with a really clean slate (formatting doesn't do anything to the partition sector). My idea was, reinstall Windows 98. But after I'd finished the zap, I thought, hang on, wouldn't this be a good time to start using Linux as my every-day workstation for browsing, emailing and so on?

By 2004, I'd been using Linux on servers for several years, and I knew my way around it. I also knew that there was a graphical user interface I could use, but I'd never really tried it seriously.

So I installed Red Hat Fedora, whatever was the latest version in 2004. And I found that pretty much everything I needed was included in the (free) install. And that the user interface (Gnome) was enough like Windows that I already knew how to use it. Even today, I run a Windows box for just three things - Memory Map, GSAK and iTunes. I don't access web sites from a Windows box now.

And for the last nine years, I've not had a problem.

Freelander fixed

The replacement wing mirror arrived today. The old broken one came off easily, and the replacement installed, no problem. I tested it and the motors work fine. So that's all good. Cost was £90, which is probably a few hundred less than if I'd let an Authorised Dealer do it.

Second update on the leg

The leg is feeling great. There's still a bit of pain when I lift my knee high in the air, and a bit of a bruised feeling on the side of my thigh, but I seem to have gone from almost unable to move across the room last Tuesday, back to full mobility. I'm going to continue to take it easy for a few days, but I should be out caching by next week.

Finding out your PIN

I didn't know this until Kewfriend just told me, and it really quite surprised me. If you have a Barclaycard, you can view your PIN online. You have to be registered for "mybarclaycard", and I'm glad to say, I am not. So I can't tell you what actually happens when you use this "service".

Because I'm not registered for "mybarclaycard", I don't know what precautions they take before displaying your PIN number to whoever is able to log in to your "mybarclaycard", but I rather suspect that they aren't enough, because to my eyes, banks are generally pretty poor at security.

As a general thing, I'm very wary about online banking. Of course, it's difficult to live these days without spending money online, so here's what I do.

1) I don't do online banking.
2) I mostly buy things via Ebay, who have a conflict resolution system that's been good to me in the past.
3) I use Paypal, but the Paypal account is fed from a credit card. That way, if anything naughty happens, I can appeal to Paypal to sort it out, and I also have the protections that you get with a credit card. You don't get anywhere near as good protections with a debit card, or by linking Paypal to your bank account. So I can also appeal to my credit card provider to sort it out.
4) I only give my credit card number to Paypal, Amazon and a very small number of companies that I've dealt with a lot in the past. And NEVER to any company that doesn't give their address and phone number on their web site.

I'm always surprised that people are willing to give details to companies that don't seem to want to give out an address and phone number.

So what raised my awareness of this? Kewfriend (that's his Facebook name) has had an identity theft. They got a couple of his email addresses, his Paypal password, and I can't remember what else, and it was only because Paypal sent several messages to his email, that got pushed to his Blackberry, that he knew that anything was amiss. He acted fast, and hasn't actually made a loss, except of time and trouble, and the hassle of having to call banks and notify people and change passwords and reformatting his computer and reloading it.

There's a lot of ways this identity theft can happen. Using the same password on multiple sites is one, and getting a trojan installed on your computer is another. Kewfriend wasn't using the same password everywhere, but he was using Windows, and now he's switching to Linux for most purposes. You can read his posts on Facebook.

Saturday 14 September 2013

Update on the leg

After falling off my bike on Tuesday, by the time I got back to the hotel, I could barely move. Just getting across the room to the bathroom was a major effort, because I couldn't push my right leg forward, the pain was too great.

On Wednesday, we were going home. In the morning, I was, just, able to move, so I shuffled about the room and got packed, loaded up my suitcase, shoulder bag and computer festooned about my person, and slowly hobbled downstairs, knowing that I would be able to make only one trip down. With ladysolly in the car beside me, I drove back to the caravan site, where I was fed cake and biscuits while the girls played some more bridge, and I tried not to listen to their bidding and play.

The drive home wasn't too bad; we stopped off at a services, and I hobbled inside while ladysolly roamed over to the other side to get pizzas for us. Then on home.

I put a rubber foot onto a walking pole, and used that to help me get about, but I spent the rest of Wednesday and all of Thursday sitting down, reading my way through the Sharpe oeuvre (I now have a complete collection, and I've been working my way through them in historical order).

On Friday, I was feeling a bit better, and decided that maybe some proper medical advice was in order. I tried to make an appointment with my doctor via the web, but the next two weeks were fully booked, and so were the two weeks after that, and you can't book any further than that. Besides, I wanted advice now, not a month from now. So I tried NHS-Direct.

I went to the web site and filled in the self-diagnosis form, but that wound up telling me to go to A&E. So I phoned 111, and spoke to a nice lady, who took me through much the same questions, plus a few others (did I bang my head? No) and wound up recommending me to go to A&E.

I think I've discovered one of the reasons why A&E is so jammed with cases that aren't emergencies.

After a chat with ladysolly, we decided to go to Stoke Mandeville A&E. So I packed five books and my Kindle for reading while we waited, because I reckoned that *anyone* else who turns up there will be more urgent than me, and they don't see people in order of who turns up - if you're bleeding out you jump the queue, of course. And we went to the Minor Injuries Unit at Mount Vernon, near Rickmansworth, with the thought that maybe they'd be up to the job, or maybe they'd decide that my bruised thigh was so awful that I'd need to visit a proper A&E, but at least we had enough books to last several hours of waiting.

I've been to that MIU before, and it's a jewel. I went once for a splinter, but not any old splinter that I'd be able to get out myself, this was a splinter lodged under a fingernail, and I just could not handle it. And I went there when a dog bit me on a bridleway, to get properly disinfected and to get antibiotics because who knows what you can get from a dog bite. Both times, I was seen very quickly, and dealt with easily.

The same was true on Friday. Ladysolly drove me there and dropped me at the entrance, so I didn't have a long walk from the car park, and by the time she got back from parking the car, I'd been dealt with. The nurse I saw had a look, had a bit of a prod, got me to stand on the affected leg (the fact that I can stand on it pretty much proves that there's no fracture), and told me to take paracetamol to reduce the pain, because even though I didn't need painkillers (when I'm sitting down, there's no pain) she explained that the pain would affect my gait when I did move around, and that that could cause other problems later. So, on the way home, we splashed out 94p on a packet of Paracetamol (I can't take Aspirin or Ibuprofen because I'm on Warfarin) and I took a couple of those. Then I phoned the doctor's surgery, because the nurse had told me to.

I got an "emergency appointment", meaning that if they didn't see me in the next four weeks as per a "non-emergency", any additional damage would have been done by then. And the same day, I saw a doctor. The big question I had, and which was my main reason for wanting proper medical advice all along, was, should I use ice compresses or hot water bottles? He explained that in the first several hours after such a bump, ice is best, because it reduces inflammation and swelling. But after that, hot water bottles are best because the heat promotes blood flow, which helps healing. We also talked about physiotherapy (which the nurse at MIU had mentioned), but he had a photocopied piece of paper that showed me what to do, and I knew, from previous experience, that seeing a proper physiotherapist probably wouldn't happen for several weeks.

Today, my leg feels a lot better. I can walk up and (more difficult) down stairs, for example. And I've stopped using the stick, except as a prop to impress ladysolly. And I got a good night's sleep last night (for the last two days, I had trouble getting into or out of bed, trouble lying on my side, and sleep wasn't as good as it is normally for me). I'm using the hot water bottle, and that's quite comforting to my thigh. And I probably won't be up to dancing for a few days, but for the first time since I came off the bike, I can move about freely.

But.

It's September, and my local medical practice is jammed solid. A&E is being sent people who fell off their bike and just want a bit of advice as to whether to use heat or cold to treat the minor injury. Winter is coming, more people will get ill, more people will get flu, more people will slip on the ice and fall, and I really don't know how the NHS in my area is going to cope.

Well, actually, I do know. They won't.

Thursday 12 September 2013

Spammers fined £440,000

The Information Commissioner's Office has just fined two spammers £440,000.

This is very good news, of course. At last, there's a significant downside to spamming in the UK. The spammers breached the Privacy and Electronic Communications Regulations 2003 - that's the one that I always tell spammers about.

Here's how to complain to the ICO. I've just sent in a complaint about a company selling children's clothing. I called the company to complain, but they refused to tell me who they bought their spamming list from, so I've passed this on to the ICO.


Wednesday 11 September 2013

Disaster in Dorsetshire

Ladysolly was going to Lyme Regis with three of her chums to play bridge, so I was inveigled along; the plan was that she'd use the Devil's Bible while I went out caching.

The first day went well. We drove down to Dorset, and had lunch at a Papa John's along the way; I had two rather good small pizzas. We found the card-playing venue (a mobile home in a trailer park), then dropped off our luggage at the B&B we were staying at. Then I went off caching. I did ten caches, including a solved puzzle, and a series that built up to another puzzle. A third solved puzzle defeated me - the footpath that should have taken me to it, just wasn't there. Or at least, if it was, I couldn't find it. And it was too late in the day to approach from the other end.

Here's a view I took that evening.




The next day, ladysolly trotted off for a full day's cardplay (although later I was told that they'd also gone in to Lyme Regis for a nosh-up). Meanwhile, I tackled a rather nice-looking series "A Hell of a Walk", which also mingled with two other series. And it was all on roads, byways and bridleways, so ideal for biking.

Or so I thought.

It turns out that the area isn't exactly flat, not like Essex, Cambs and Hunts. But worse, the track called "Hell Lane", (hence the name of the series) was not good for bikes; it wasn't merely very rutted, there were places where getting a bike through was quite an effort.

This might have given me a clue about what was to come ...


An avalanche blocking Hell Lane



The flood in Hell Lane


But I pushed through regardless, picking up the clue letters as I went. Eventually, I had seven out of the ten, but I did some good guessing, and found a likely place for each of the two final bonuses. And one of them was right (and the other one is too, I think, but I didn't get to find out, because ...).

So, things were going pretty well, I thought, although it was taking me longer than I'd hoped, especially when one cache "under the fallen tree" wasn't because the fallen tree had been towed away by the farmer, and I found the cache, after a very long time, under a small log.

But, as I said, things were going well enough, until disaster struck. I was pootling along on the bike, saw a soggy wet patch coming up, steered for a drier part of the track, the bike toppled and I fell off. And I fell downhill, which means, of course, further to fall.

I lay there shocked for a few seconds, then checked that I hadn't broken any teeth (my mouth had snapped shut hard when I landed), which I hadn't, and then counted my arms and legs, as one does. Then I tried to stand up. Ow ow ow.

Usually when I fall off, it's no big deal. But this time, I'd fallen hard on my right leg, and my thigh was hurting pretty badly. I limped along with the bike to the next cache, found it, and by the time I'd done that and got back to the bike, I was limping hard.

But I had to continue. I mean, I had to get back to the car. And the best route back, was the one I'd already planned, because it wasn't very far to the road, and the dozen or so caches after that, were all along that road, and that led me back to the car.

And then I drove back to the hotel, but on the way I decided to have an early supper, which was just as well because by the time I got back to the hotel, the pain in my leg was such that I could barely move.

And that's where I am now. I can walk, but slowly and with a stick, and with much pain.

Sunday 8 September 2013

Hey, hey, NSA, did you read my blog today?

Hey, hey, NSA, did you read my blog today?

I don't think so. Not because it's encrypted, it isn't. Not because they can't, because they could read it as easily as you can. But ...

Well.

It's like this.

During WW2, we set up a huge organisation at Bletchley Park to read the German Enigma traffic. It was worth doing, because all of the communications were between military units, and many of the communications have valuable intelligence. It was even more worth while to crack Tunny, because that was the most secret communications between OKW (armed forces HQ) and the generals in the field. Hence Colossus; indeed, hence ten Colossuses. You can see one of them in action at the National Computer Museum in Bletchley Park - recommended.
The point is, a large percentage of what was intercepted, was useful.

Now consider the internet. Quigglebytes of information every day, mostly pictures of kittens doing cute things and teenagers sending each other pictures of what they did at the party. Millions of bloggers blurting unconfirmed guesses to each other, endless Facebook posts about outings to Disneyworld and a flood of tweets about what I just had for breakfast.

Somewhere in that lot, there's maybe a few people plotting to do something bad.

The problem is, there's only going to be a few such things. And some of them will be in an unbreakable code.

Many people think that there's no such thing as an unbreakable code. To them, I have the following message:

G

You can subject the "G" above to as powerful a computer as you like, and you won't be able to decide whether the cleartext is "Buy another cabbage" or "Please send me two dollars" or any other of an unlimited number of possible messages. That's just one example of an unbreakable code. There's lots of others.
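The single-letter message above is a one-symbol code; the same property holds for a one-time pad, where any ciphertext can be "decrypted" to any message of the same length by choosing the key to fit. The sketch below is an added example, not from the original post; the 32-byte padding, the third message and the function names are assumptions. It also shows the condition that makes the pad breakable: using the same key twice.

```python
import secrets


def xor_bytes(a, b):
    """XOR two equal-length byte strings (the whole of one-time-pad arithmetic)."""
    if len(a) != len(b):
        raise ValueError("key and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_to(text, length):
    """Encode and space-pad so every message has the same length."""
    raw = text.encode("ascii")
    if len(raw) > length:
        raise ValueError("message longer than the pad")
    return raw.ljust(length, b" ")


def encrypt(plaintext, key):
    return xor_bytes(plaintext, key)


def decrypt(ciphertext, key):
    return xor_bytes(ciphertext, key)


def key_that_yields(ciphertext, wanted_plaintext):
    """A key under which this ciphertext decrypts to any chosen message."""
    return xor_bytes(ciphertext, wanted_plaintext)


def demo(length=32):
    real = pad_to("Buy another cabbage", length)
    other = pad_to("Please send me two dollars", length)
    key = secrets.token_bytes(length)          # random, as long as the message
    ciphertext = encrypt(real, key)

    # The ciphertext alone cannot distinguish these two readings:
    alternative_key = key_that_yields(ciphertext, other)

    # Failure mode: the same key used for a second message (constructed text).
    second = pad_to("Lunch is at one", length)
    ciphertext2 = encrypt(second, key)
    leak = xor_bytes(ciphertext, ciphertext2)  # the key cancels out completely

    return {
        "with_real_key": decrypt(ciphertext, key).decode().rstrip(),
        "with_alternative_key": decrypt(ciphertext, alternative_key).decode().rstrip(),
        "reuse_leaks_plaintext_xor": leak == xor_bytes(real, second),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The guarantee depends on the key being truly random, as long as the message, kept secret and never reused; the last result shows that two messages under one key give an observer the XOR of the two plaintexts with no key material left in it.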

If you were, for example, wanting to discuss the planning of something very naughty, you'd talk about a "stag party". Or a barmitzvah. Or lunch. And the recipient would know what you were actually meaning.

Bad guys probably know this already. And so that reduces even more the number of messages that you might intercept that lead to bad things for bad guys. Oh, and the other thing that most bad guys probably know is that if you use the internet, or the phone system, for plotting to do bad things, you're barmy.

So, we're looking for a needle in a very large haystack. That's bad enough, but one of the big rules for searching for a needle in a haystack is, "don't start off by making the haystack a lot bigger".

So that's why I don't believe the stories that are going round about the NSA reading and analysing all internet communications. It fails a test that is commonly not applied - "does this actually make sense?"

If I were the NSA, which thank the lord I'm not, sir, then what I'd do is analyse email headers. Email headers tell you who the email came from, and who it's destined for. And those cannot be encrypted, because email works by being stored and forwarded from server to server, and that can only work if each server in the chain knows where the email is trying to get to.

Here's a typical chain of servers that handled one of the emails I received recently:

virus-l.demon.co.uk
smtp.demon.co.uk
tch.inty.net
internal.ip.redacted (the IP is 121.74.243.168 which actually turns out to be telstraclear.net, which is Vodafone New Zealand, which fits in with what I already knew about where my correspondent lives)
drsolly.com

That's a list of the servers that handled the email as an email. So from this, I know who sent the email (my pal Nick), and who it was for (me). And all the servers in between also know this. But there's more servers in the chain, those that just store-and-forward packets, not caring whether it's an email or a web access. So I did a traceroute to virus-l.demon.co.uk, and here's a list of the servers that it passed through:

drsolly.com
se3-1-0-1-2-4-3-0.ar06.hx2.bb.gxn.net
te0-1-0-0.cr02.ts1.bb.daisyplc.net
ae0-1802-xcr1.lsw.cw.net
ae10-xcr1.lns.cw.net
xe-11-2-0-xur1.lns.uk.cw.net
warr-inside-1-g7-0-0.router.demon.net
gi6-1-0-dar3.lah.uk.cw.net
warr-inside-1-g7-0-0.router.demon.net
war1-access-1-175.router.demon.net




cw.net is Cable and Wireless, a very big noise in the internet packet transit business. So if you can persuade them to give you a copy of all their traffic, you have a copy of my emails to virus-l.demon.co.uk.

And you could do the same with the other big packet transiters, there's not a great many that you'd have to talk to. And the info in that header isn't encrypted (it can't be if you want your email to arrive) and it's public, in the sense that it's read by every server in the chain.
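The chain of mail servers listed earlier is read out of the Received headers that each server adds as it takes the message. Here is a sketch of pulling that chain and the From/To pair out of a message; it is an added example, not code from the original post, and the sample message, hostnames and addresses in it are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: hostnames and addresses are documentation
# placeholders (example domains, RFC 5737 IPs), not taken from the post.
SAMPLE = """\
Received: from mx.relay.example.net (mx.relay.example.net [198.51.100.7])
\tby mail.recipient.example (Postfix) with ESMTP id AAAA1
\tfor <bob@recipient.example>; Sun, 8 Sep 2013 10:00:05 +0100
Received: from smtp.sender.example (smtp.sender.example [203.0.113.25])
\tby mx.relay.example.net with ESMTP id BBBB2;
\tSun, 8 Sep 2013 10:00:03 +0100
Received: from [192.0.2.44] (helo=laptop)
\tby smtp.sender.example with esmtpa id CCCC3;
\tSun, 8 Sep 2013 21:00:01 +1200
From: Alice <alice@sender.example>
To: bob@recipient.example
Subject: lunch

See you there.
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_chain(raw):
    """Return the mail hops oldest-first as dicts with 'from', 'by' and 'ip'."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        clauses = flat.rsplit(";", 1)[0]        # drop the trailing timestamp
        from_part = clauses.split(" by ", 1)[0]
        sender = FROM_RE.search(from_part)
        receiver = BY_RE.search(clauses)
        ip = IP_RE.search(from_part)
        hops.append({
            "from": sender.group(1).strip("[]") if sender else None,
            "by": receiver.group(1) if receiver else None,
            "ip": ip.group(1) if ip else None,
        })
    # Each server prepends its own Received line, so the newest is on top.
    # Lines below the first server you trust can be forged by the sender.
    return hops[::-1]


def endpoints(raw):
    """Return (sender address, recipient address) from the From/To headers."""
    msg = message_from_string(raw)
    return parseaddr(msg["From"])[1], parseaddr(msg["To"])[1]


if __name__ == "__main__":
    print("%s -> %s" % endpoints(SAMPLE))
    for hop in relay_chain(SAMPLE):
        print("  %(from)s [%(ip)s] handed to %(by)s" % hop)
```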

So, given that information, what I'd do is make a map of who is communicating with who. And if I had someone who I knew was a major bad person (because some reliable source gave me that info) I'd be able to easily see who he was communicating with, and who they were communicating with, and so on, and maybe match that up with other known-bad-people. So you could build a map of bad-guy clusters. And to do that wouldn't be an awfully big job; it wouldn't need the ridiculous amount of storage and processing power that you'd need if you tried to embrace the full haystack.

But, given the email address, how do you get the street address? Because the email is delivered to a particular IP address, and with a suitable court order, you can get an ISP to give you the real-world details of who was using that IP address at that time. Tough luck if that turns out to be an internet cafe, or a public wifi access point, but you could always do a stake-out and hope to scoop them up later.

So I don't think that the NSA, or GCHQ are reading the unconfirmed guesses in this blog, even though I used the word "lunch".

Salt beef and roast potatoes

Today we visited ladysolly.brother and wife; also there were daughter.1 (and grandson.1 and nmbf), daughter.2 and fiance, and niece+spouse. Ladysolly spotted a suspicious-looking vagrant lurking about in the front garden, but that turned out to be nephew+beard.

Lunch was butternut squash soup (I had two bowls because daughter.2 didn't want hers) followed by salt beef, one of my absolute favourites, and I pigged out totally, followed by coconut+chocolate+wine cake. Then we watched Ratatouille, and ladysolly had a lesson in how to access movies on the TV, although I doubt if we'll make use of this, because she prefers to play bridge and I'd rather read a book.

Tomorrow we go to Lyme Regis, where ladysolly will be playing a lot of bridge while I go out caching around Bridport. We'll be driving down tomorrow, stopping off at a Services for lunch and then arriving at the kennels she's booked for a few days.

Daughter.1 has got herself paid employment; her award as Personal Trainer of the Year a couple of years ago (pre-baby) has led to her being recruited as a PT for a Scottish magnate who is mostly in Dubai but stays in Claridges (I might have the wrong hotel) while he's in London. She says that this is just the start - she'll pick up lots more clients and be thriving.

Saturday 7 September 2013

Fixing the Freelander

I had a look. Replacing the wing mirror is going to be pretty easy, plus £80 for the part. I did the necessary dismantling today, just to check that I could. Five screws, three nuts and a bit of levering-off.

Friday 6 September 2013

An outing to Andover

On the way there, it was drizzling, but I had confidence in the weather forecast. I was listening to the Today program, and they were talking about the idea that the NSA and GCHQ can decrypt the kind of internet messages that are sent with HTTPS encryption, and they got Graham Cluley in as the expert to talk to. Graham seems to be the go-to guy for the media for anything to do with computer security. I must have trained him well! He, of course, had no idea whether this is true or not, and I wouldn't expect him to. But he covered up his ignorance well, in a blaze of jargon and a display of irrelevant information. As one does.

Unfortunately, I didn't have lunch with me though - the garage where I'd planned to pick up petrol and a sandwich was coned off, and the next one along was closed; permanently, I think. But I thought, I can live off the land, at this time of year there's nuts and berries, maybe an unlucky rabbit, and probably an open pub.

So I got on my bike for the first circuit, the Colour Coded caches; I needed to pick up the clues for four bonus caches as I went around.

I was stymied almost immediately. Cache 4BC1M was blocked. As I went along the road towards it, I encountered a lorryload of concrete dumped in the road, still wet, and stretching from side to side. I decided that I'd try to approach this from the other side after going round the series the other way, but when I did that, I was equally blocked. So I went to the footpath that led in from the side, but that was also cordoned off, and when I looked, I could see that even if I climbed over that cordon, they'd dug an eight foot trench in the road, and even if I struggled over that somehow, the cache was under a big pile of pipes that they were about to lay. So, no go on that one.

But I got all the others, and the weather met my hopes and expectations. I had to go a very long way round to get past the road works, but that's not too bad on a bike, because it was all road. Then I went for the four bonuses, which I found, and on the way to those I passed "The Bell", which offered a carvery, so after I got back to the car, I went there for lunch. And although they didn't have rabbit, they had great parsnips.


The second series I did was the Andover Orbital, and I managed to find all of those.

So, a good day out, 45 finds. But on the way back, a huge lorry clipped my wing mirror on the motorway. Not too big a deal; when I got home and looked on Ebay, I can get a replacement for maybe £75, and I think I can fix it myself. Meanwhile, the generous application of duck tape (they can't call it duct tape, I guess that's a brand name) gives me a temporary fix.

Also, my steel bike carrier arrived. Well, it was advertised as steel. But what turned up was alloy, which is annoying, because I had specifically wanted to try a steel one, because I've had two alloy carriers fracture, and maybe steel will stand up better to the cross-country that I do. So I emailed the vendor with the complaint, and suggested very strongly that they correct their mistaken description, plus I'm giving them a chance to make me less unhappy before I give them negative feedback on account of the item is *significantly* not as described.


Thursday 5 September 2013

Selling a bike

In 1966, I bought my first bike.

I couldn't ride a bike, but I'd just gone up to Cambridge to do Maths, and everyone there had a bike. And I was at Fitzwilliam, which is way out of town to the north, so I needed a bike, lectures and all the fun stuff being in the middle of town. I went to the cattle market which is way out of town to the south, found a second hand bike for £5, and bought it. I learned to ride it on the way back to my digs; by the time I got there, I was a cyclist.  I had no idea what I was buying, but I got lucky. This bike had three gears (Sturmey-Archer), and I worked out how to make them work. No helmet, because no-one wore bike helmets then (I don't think they existed) but I soon learned to wear gloves. I did all my own maintenance; cotter pins and ball bearings, brake pads and gear changers. I rode that bike for three years around the town, and at the end of my time there, I sold it to a friend for £5.

Fast forward 40 years.

Back in 2007, I bought my first electric bike.

I'd been caching on Susan's old 20-inch wheel, three-gear Raleigh along a cycleway, and then on my daughter's old 26 inch wheel, 21 gear mountain bike. My old Dawes racing bike?  I can't remember what happened to it. But even on the old Raleigh, it felt like I was flying. I'd forgotten the pleasure of cycling, having last done it in 1969.

So, I thought, if biking is so good, electric biking must be double plus good, and I bought an Ezee Forza from 50 cycles. It cost around £1000, and it was a good, sturdy bike. Sturdy, of course, is a synonym for "heavy", and it weighed about 50 pounds, battery not included.
I went round Oxford on it, and Milton Keynes, and Swanley Forest. It was superb on roads, and magnificent on cycleways. And OK on bridleways. Not too good going up hills, it only had eight gears.

And not so good at going over stiles. Also, every time I wanted to take it out, I had to mess around putting the bike carrier on the back of the car.

So my next bike was a folder. No need for bike carriers, I could get it inside the Freelander, and I could get it through most kissing gates without lifting. But it was a 20 inch wheel, and no back rack, and only had six gears, and those are drawbacks.

So I got a 26 inch wheel folder, Everest, non-electric. And that worked well, except it was non-electric.

And then I got the Haro full-size folding mountain bike, 21 gears, back rack, not as heavy as the Forza, with an electric conversion. Actually, I got two, because the Ebay auction was for two. And that, I think, is the best possible bike for me. I don't need to use the bike carrier on the car, and I can get it through most kissing gates, and with a heavy heave, over every other barrier. I've only ever encountered one barrier I couldn't get through, and I found a way to go round it, albeit with a two mile diversion.

So where does that leave me?

1. Haro electric folding bike, rear wheel a bit wobbly because the bearings are worn.
2. Haro electric folding bike, with a motor wheel I got from China because the old motor died.
3. Everest folding bike, converted to electric with motor from Alienocean and controller from electric-hybrid-bikes.com.
4. Synergy 20-inch wheel folder; I replaced the bottom bracket and it works fine now.
5. Another 20 inch wheel folder, made out of a non-electric 20 inch wheel bike called a Downtube, with eight Sturmey-Archer gears and the motor wheel from another Synergy whose frame broke.

and

6. The Forza.

Do I need six electric bikes? I do not. So I've decided to sell the Forza, as that's the bike I'm least likely to use, it being non-folding. I listed it on Ebay. This is the first time I've sold anything on Ebay. You can see it here

Sheppey crossing

At the end of July, I went over the Sheppey Crossing for an enjoyable day's caching on the Isle of Sheppey. I've never been there before, and it is a great place to visit.

Today, there was a huge crash on the Crossing (which is a big flyover bridge).  130 vehicles involved. It happened in thick fog, on a road with a limit of 70 mph.

I can imagine what happened. People drive *far* too close to the car in front, and stand no chance of stopping if the car in front stops suddenly. Some people stopped in time, and were then hit by the car behind, pushing them into the car in front.

They drive too close in good visibility; when there's thick fog, they're playing Russian Roulette. I really hate it when someone like that gets up my rear.

So what's to be done? I don't think new laws will help - there's already laws against dangerous driving. No, what I think will make our motorways and other high speed roads safer, is self-driving cars.

A self-driving car would, obviously, have some way to see what's happening in front. Radar, maybe, or vision, or both. And it simply would not drive too close to the car in front. So if the car in front does suddenly stop, your car'll be able to slow down and stop in plenty of time. Maybe even giving enough time for the idiot non-self-driving car behind to be able to stop.


Weight report 63

15 stone, 2 pounds

Tuesday 3 September 2013

One inch thorn

Bike maintenance - I need to replace the back rack, although the replacement hasn't arrived yet. But I also noticed that the valve on the back tube was at a 45 degree angle to the radius; this means that the tube has somehow slipped round the wheel, and if that continues, it will shear off. That happened to me once - instant blowout!

It's easy to fix - I deflated the tube, and worked it back into place, and then reflated the tube.

Or rather, I didn't. It wouldn't pump up. Eventually, after trying a few times, I took the tube out and inflated it, and there was a whooshing of air - a puncture! Just a hole in the outer edge of the tube, as if something had gone through the outer tire. So I ran my fingers round the inside of the outer tire, and found the culprit. I worked it out of the tire, and at first, I thought it was a one inch nail, but it wasn't, it was a one inch thorn, and it had penetrated straight into the tire.

Even my kevlar tire, gel lining and thorn resistant inner tube wasn't going to stop this big beast. But, easily fixed. I did a puncture repair on the tube, and replaced it with a new one, since they're really quite cheap. I used one of the Giant tubes I bought recently at a bargain price, and as I installed it, I noticed that the tube itself said "Kenda". So it was actually the same thorn-resistant tube I've been very happy with before, only at a much lower price. I got them at jejames.co.uk at £1.75 each, which is a fraction of the price you'd expect to pay for thorn resistant (i.e., very thick) inner tubes.

But the big mystery is, how come this huge thorn didn't lead to any loss of air from the inner tube? Don't get me wrong, I'm very glad, I really don't like to have to mend a major puncture while 20 kilometers from the car (although when I'm going on a long circuit, I do take with me everything I need to repair a puncture, not that I've ever actually used it). My guess is that I didn't actually have a puncture of the inner tube, the thorn was deflected from it by the armour, but after I deflated and re-inflated the tube, the thorn was able to do its dastardly work as the tube expanded to meet its doom.


Monday 2 September 2013

A bike ride in the Colne Valley

Out today with my slightly re-engineered bike; the battery is no longer on a bracket behind the saddle, it's in the panniers. The new arrangement worked well, and I did much mileage.

First I did a few caches round Springwell Lake, then south along the canal. I do like biking along canals; the track surface is usually good, there's no hills and there's no obstacles that have to be lifted over.

When I reached the southernmost point for the day, I turned east, did a few in Uxbridge, then north to Uxbridge Common and the playing fields just east of there. That took me up till just after 5pm, and I had to head back to the car to avoid being locked in the car park.

44 caches done, and several DNFs.

Sunday 1 September 2013

Bike maintenance

A few things.

First of all, at some point yesterday, probably while heaving the bike over an obstacle, I managed to break the wires leading to the voltmeter. Not a big problem, it just means that I didn't have a measurement of the battery life remaining. Of course, the battery has its own way of letting me know that it's empty.

So I did some maintenance today, and since I was going to be fixing that, I decided to reorganise the way that the battery is carried.

The way it's supposed to work, is that there's a platform that sticks out behind the bike, clamped to the seat post, to carry the electronics and the battery. This is probably fine for normal cycling on roads, but I'm going on very bumpy ground cross-country (or at least, on bridleways, some of which are very chewed up by horses' hooves). So the metal platform has gradually been shearing off, and I don't really want to wait until it actually breaks completely while I'm in the middle of nowhere.

I removed this rear platform, and I clamped the small controller box to the rear carrier. The power inputs to this, are soldered to a plug (obtained by sacrificing a male-female kettle plug extension cable). The other end of that cable, is soldered to a connector that plugs into the battery, and the battery goes into a pannier that hangs from the rear carrier. So when I want to take the battery off (for example, if I'm lifting the bike over an obstacle), all I need to do is unplug that kettle plug (more precisely, an IEC 60320-1 appliance coupler, connectors C13 and C14) and lift the pannier off the bike. I tested it, and it works fine.

Then the voltage display. I have two displays, one which is just red blobs, which gives me a very rough idea of when the battery is getting empty, and the other tells me the voltage, in volts. But that's hard to read in sunlight while bouncing along on the bike, so I mostly rely on the blobs, and it was the blobmeter that wasn't working, because the negative wire had pulled away very close to the casing. So I took it apart, soldered in a new negative wire, and now that works fine.

While I was doing this, I noticed that the rear carrier had fractured; one of the supports was no longer bracing it. It still feels fairly firm, and I've wound it with tape to help, but I've also ordered a replacement from Ebay; this time, in steel, which I'm hoping will stand up better to the terrible punishment it gets on the rough terrain (the previous one was "alloy", which I think means mostly aluminium, with maybe some silicon, copper or zinc added). This gives a metal that's lighter than steel, but not as strong. These carriers are rated to 25 kg, and I'm usually loading them with 5 or 10 ... and still they fracture. So, I'll try steel.

And at the same time, I ordered a small pannier, because when I'm going on a short route, I won't need to take the big pannier and all the other stuff (bike repair tools) that goes with it.

As I was putting the tools back into the pannier, I thought that the cardboard case that's supposed to protect the rubber cement, wasn't going to stop it from getting squashed. Also, the plastic box containing the patches and suchlike, was broken. I had a look around, and now I'm using a Raspberry Pi case (the kind that comes free with the Pi as packaging) to hold the rubber cement, patches, chalk, marker, emery and tire levers, all in that one fairly rigid box.