How I managed to donate to OpenStreetMap

December 11, 2011

Using Internet cafe computers while travelling can be a proper nightmare. I know of people who got so fed up with fighting to clean their USB sticks from viruses all the time that they bought a netbook to use while travelling.

As I have been travelling by bicycle for a few months now, I am very careful about what I carry. Weight and space is at a premium. So I have tried as hard as possible to keep myself from buying a netbook to avoid using Internet Cafes. I am well aware of the risks I am taking, but for the time being I am still finding using Internet Cafes borderline worthwhile. It also helps that my trip will finish in less than 2 months so by this point the investment in a new netbook is just not worth it.

So I use Internet Cafes around Chile and Bolivia. I have seen a couple of well maintained machines (the pinnacle of which are the Ubuntu machines in Rancagua's bus terminal!), but the overwhelming majority of them are in an appalling state. Illegal copies of Windows XP, not receiving updates, with illegal copies of antivirus software not receiving updates, etc etc… all wrong. Using such machines feels like digging with your bare hands in a patch of mud right after you have seen a flock of sheep relieve themselves on it.

Such a machine gave my USB stick a virus that hid my folders and replaced them with executables. It replaced folder icons with its own shortcuts to ensure you were tricked into executing it with your current privileges every time you wanted to access a folder on the USB stick.

Tricking the user into executing the script by double-clicking on a "folder" icon

The antivirus software of public machines proved useless – it did not even detect anything. I had no idea what this virus (call it malware, call it trojan, I don't really care exactly what genre it falls in) actually does. But I will assume the worst. It eavesdrops on my every keystroke, steals my passwords, my credit card information etc.
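A quick way to check a USB stick for the pattern described above (a folder hidden and shadowed by a same-named executable) is to scan for exactly that pairing. This is an added example, not code from the original post; it assumes Python 3 and uses the Windows hidden attribute when available, a leading dot elsewhere.

```python
"""Flag files on a removable drive that masquerade as the folders they hide."""
import os
import stat
from dataclasses import dataclass

# Extensions that Windows will happily run on a double-click. With "hide
# extensions for known file types" on, "Photos.exe" with a folder icon is
# displayed simply as "Photos", which is what makes the trick work.
IMPERSONATOR_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".lnk"}


@dataclass
class Entry:
    """Minimal view of one directory entry (name, kind, hidden flag)."""
    name: str
    is_dir: bool
    hidden: bool


def is_hidden(dir_entry):
    """Hidden attribute on Windows (st_file_attributes), dot-prefix elsewhere."""
    st = dir_entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)          # Windows only
    hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)  # 0 on non-Windows
    return bool(attrs & hidden_bit) or dir_entry.name.startswith(".")


def scan_entries(entries):
    """Return names of files whose basename matches a hidden sibling directory
    and whose extension is one Windows would execute on double-click."""
    hidden_dirs = {e.name for e in entries if e.is_dir and e.hidden}
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        base, ext = os.path.splitext(e.name)
        if ext.lower() in IMPERSONATOR_EXTENSIONS and base in hidden_dirs:
            hits.append(e.name)
    return sorted(hits)


def scan_directory(path):
    """Scan one directory (e.g. the root of a USB stick) for folder impersonators."""
    with os.scandir(path) as it:
        entries = [Entry(d.name, d.is_dir(follow_symlinks=False), is_hidden(d))
                   for d in it]
    return scan_entries(entries)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name in scan_directory(root):
        print(f"suspicious: {name!r} shadows a hidden folder of the same name")
```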

As it happens I really wanted to donate some money to the OpenStreetMap Hardware Upgrade Fund, but I didn´t want to jeopardise my credit card information. I needed to use a computer I could trust not to steal my credit card information. Here is how I created one:

  1. I found a computer with what seemed like a decent Internet connection with Mozilla Firefox installed. On Firefox, I installed my favourite download manager as an extension – DownThemAll!. Great, I can now make massive downloads easily.
  2. I downloaded the latest Ubuntu ISO file with DownThemAll. It's a large file (700MB) so a download manager is necessary – otherwise you run the risk of the download hiccuping and getting corrupted if the network link goes down for a few seconds. It can also be faster to use DownThemAll, as it downloads multiple segments of the file at the same time. After a couple of hours I had an Ubuntu ISO file on the (probably infected with malware) computer I was using.
  3. I then created a bootable Ubuntu USB drive following the instructions on http://www.ubuntu.com/download/ubuntu/download . Unfortunately this did not help my cause because the public computers I could reboot and attempt to boot from USB were so old that they did not support booting from USB! (we are talking 2003-era hardware, not exactly top-end for its time either…) So my only remaining option was to burn the ISO to a CD. I bought a blank CD and burned the ISO on it, and then booted one of the computers I had access to with the CD.
  4. Success! I was now booted into an operating system I could trust not to be infected, since Windows viruses on the computer cannot jump into the Ubuntu Linux environment started from a CD. I was able to simply open a web browser and provide my credit card information for my OSM donation in confidence.

So there you have it. If you are travelling and concerned about your passwords or other sensitive information (and you should!) this is a method of getting a system you can trust. It does suppose that you have access to a computer you are allowed to restart and boot from removable media, but hotel/cafes around Chile seem to be quite laissez-faire about allowing people to restart their computers.


Amazon Kindle 3 review

October 21, 2011

After a couple of months of having an Amazon Kindle 3 (purchased mid-2011) and travelling with it, here is my list of good and bad things about it:

PROS

  1. Decent battery life if NOT using wireless. With intensive reading it lasts up to a week.
  2. The display is much easier on the eyes than a traditional computer screen.
  3. You can carry a lot of books and personal documents with you in a single small device
  4. Friends and family can send you books to read in digital form
  5. Project Gutenberg opens thousands of books for immediate download and reading for free
  6. You can buy any book off Amazon and it will be in your hands in minutes
  7. Registering two kindles under the same Amazon account lets you duplicate all your paid content on both devices.
  8. For 10 quid you get the Independent delivered to your device automatically as long as you have GSM coverage every morning for a month… even if you are wild camping in a forest.
  9. You can browse the Internet and do emails from wherever at no additional cost.
  10. You get an English dictionary for free and it is easy to look up any word in any document while reading in a non-distracting way.

Cons

  1. Using the 3G wireless drains the battery in less than 24 hours.
  2. The battery takes approximately 3 hours to fully charge from empty when connected to a wall plug. Up to twice as much when charging from a USB port.
  3. The display is much easier on the eyes than traditional LCDs… but you still get more eye strain than reading on paper.
  4. You end up buying books only from Amazon, killing any competitors or smaller bookshops.
  5. You don't own the Kindle books you buy. Amazon does. They control your device at all times. Amazon can and has deleted books remotely from Kindles, à la 1984.
  6. Organising your content is very limited and labour intensive.
  7. There is no reasonable expectation of privacy. Amazon can see everything you do with your Kindle.
  8. The price tag for the 3G keyboard model is quite hefty at more than 150 quid.
  9. A Kindle purchased and registered in the UK is not allowed to buy from amazon.com US site. You are forced to purchase books only from amazon.co.uk which is more expensive.
  10. The keyboard is ergonomically cumbersome and not suited for extensive use.
  11. The web browser is of limited functionality. It doesn't handle popups gracefully and has problems displaying pages that try to open in a new window.
  12. The display is black and white only.
  13. The refresh rate of the display is very slow. E.g. it's impossible to scroll through text without it all becoming a blur. Turning pages is slow. E.g. it takes a full minute to turn 30 pages.
  14. You can not do anything with the books you have bought like give them to friends or family or sell them or save them in a less restrictive file format.
  15. To create customer lock-in and make a good profit Amazon use their own DRM which imposes a lot of unnecessary restrictions on the content you buy. They make it easy to convert anything you want to their DRM locked-down format but very hard to do the reverse and convert Kindle content to less restrictive formats.
  16. There is no international support. Only English. The Kindle can display international non-English characters, but that's about it. Impossible to change the interface language, impossible to type in anything other than Latin characters.

Overall, the Kindle 3 + 3G is a good ebook reader with a great global Internet connectivity package, that is almost worth the hassle if you need to travel light and can afford to buy books that will remain locked in to Amazon for good. Perhaps an easy way to unlock Kindle books will become available in the future. Perhaps you won't mind re-purchasing books that you might want to read on another, better device in a few years' time.

The choice is yours.

Update March 2012
I dropped my Kindle, breaking its screen. Luckily I had it insured, so I got a replacement within 48 hours with no questions asked. I was very happy with the customer experience, until I tried reading my documents on the new Kindle:

What do you mean licensed to a different user?

Somehow the Kindle has screwed up its elaborate Digital Rights Management (DRM) logic and is therefore refusing me access to material I have paid for! This is negating my right to read by mistake, but certainly demonstrates that buying books on the Kindle 3 only gives you the illusion of ownership – access can be revoked at any time.

The story ended with a long phone conversation with Amazon Kindle support during which I established the following:

  1. Re-sending my books & documents to the new Kindle resolved the problem for all books & personal documents. An annoyingly manual process (it has to be done one by one!) but it did the job.
  2. If this happens, and you have archived issues of magazines/newspapers/periodicals to which you have in the meantime cancelled your subscription, you are stuffed. You cannot re-download those issues. From Amazon's UK "Kindle Subscriptions" page:

    Once you cancel a subscription, you will stop receiving new issues immediately and you will no longer be able to re-download back issues [...]

After having been through this I am convinced any DRM-strangled ebook technology will just not be good enough for me to use. A model like O’Reilly publishing, who sell DRM-free ebooks is the only thing I will consider.

Otherwise, paper books are just fine, thank you very much.

I pay for it, I own it. End of story.


SMS 419 scams

July 23, 2011

I recently received my first SMS scam message on my ancient mobile phone:

From: +447549354914
FREE MSG: Our records indicate that you may be entitled to £3350 for the accident you had. To apply free reply CLAIM to this message. To opt out text STOP

Do not reply to such messages. Just delete them.

The +44 prefix looks like it originates from the UK (where I live, therefore local number, therefore safe) but it’s actually a “personal number” that could be routed anywhere in the world, incurring high fees even for a simple SMS reply.

More examples of such scams in this F-Secure weblog post.


When automatic “software updates” break the software

June 22, 2011

During a regular maintenance run on a MacOS X machine I asked Skype to check for software updates. It cheerfully confirmed that a new version of Skype was available for download. I allowed it to download and install the update.

Then I tried to launch Skype which to my surprise came up with “You cannot use the application “Skype” with this version of Mac OS X”.

Now, hang on.

All I did was ask the application to check if there are any updates. Updates that made it work better, closed security holes, improved stability and all that. Not updates that would stop it from working. Given that the local installation of Skype has knowledge of the OS environment and knew this was a Mac OS X 10.4.x, it shouldn't have suggested the update, as there was no possible positive outcome for the end user.

To confirm this was by design and not a software glitch I resorted to the forums, where I found this:

Leaving aside the usability aspects of an application that prompts the user to take its suicidal advice, one has to wonder at the customer service lessons that can be learned here. Skype push out an update killing their own software (under conditions they don’t check), someone takes the time to report this mistake and the answer is “Won’t Fix”.

This is not just annoying, but damaging to the education of end users who are constantly hammered with “always update your software!” from security people.

Guess what real people would rather have: A working but potentially vulnerable version of Skype to talk with their family abroad, or an installation that “cannot be used with your machine”?


Windows Explorer: How NOT to resolve conflicts

June 21, 2011

Let's say you have a "drafts" folder and a "final versions" folder, and every time you publish a new version of a document you drag'n'drop the latest draft into the "final versions" folder. This used to work fine with Windows XP: you'd get a prompt saying "are you sure you want to overwrite the file?", you'd say "sure" and it was done.

With Windows 7 someone thought it was a great idea to confuse the users as much as possible by throwing this at them:

Could this be more confusing?

I think not. I spent a good 3 minutes staring at this. Reading and re-reading it. I had to completely switch my mental context from my primary task (what I was actually doing) to deal with this riddle. I got worried I might be trying to do the wrong thing. Was I at a risk of imminent data loss? Were my backups up to date? Was this a good day for moving files? One file is newer, the other is larger… what’s going on here? There is too much information and no “just do as you’re flippin’ TOLD!” button.

I shiver at the thought of users who are presented with this. Most of them will click the red “x” to close the window and make the problem go away.

I’d love to have a chat with the usability people who conducted the study that showed more information and more choices to be a good thing for end-user interfaces. Because from the perspective of the type of users I know, this would be an unsolvable, anxiety-inducing nightmare.


Don’t take control away from your users

March 25, 2011

From a technology usability perspective, you can’t do much worse than make your users feel they’ve lost control. It’s maddening (and a bit frightening, if we admit it) to feel that “the computer” is doing things without your consent. We’re tolerant to allowing actions we don’t understand (after all, not everyone should be a technologist or a computer scientist), but we always want to have the kill switch at hand.

End-user operating systems (Windows, MacOS, GNU/Linux desktop environments etc) always have such a kill switch – it’s usually something red and obvious on every window (like the big “X” in the red box at the top right corner in Windows XP/7). If you don’t like what it’s doing, you have the power to kill it. Why? Because it’s your computer, dammit, and you should have the final word!

I stumbled upon an example of breaking this rule the other day, when I was helping a family member reinstall a computer that had bombed:

Here is a screenshot of the “Windows Genuine Advantage Notifications” tool (a propaganda term if there ever was one) installer: All application controls (back, next, cancel) have been disabled, and so has the omnipresent “X” that is supposed to offer users the warm & fuzzy feeling of control in every single Windows application.

Installers have for years now had ways of trapping window/application interrupt requests and responding to them gracefully.

Taking away control from the end user in such an obvious manner is both unsettling and frustrating.

A practice best avoided.


MBNA: Not responsible for viruses

March 23, 2011

“You just need to read and accept these terms…” but golly, don’t scroll down and actually read what’s in there:

MBNA accepts no responsibility for any damage caused by viruses contained within the electronic files at this website.

Sometimes companies go the extra mile to truly make you feel like a “valued customer”. Well done, Bank of America.


How much Java do you need?

March 9, 2011

Sun Oracle has been giving us a few reasons to get rid of the Java Runtime Environment (JRE) from end-user machines for a while now.

I’ve been struggling with this decision, as I need Java for my favourite mind mapping software but I don’t want it to be used against me by Internet criminals.

My initial reaction was to remove Java completely and just keep the installation package around, for whenever I needed to do mind mapping. This soon got ridiculously cumbersome, so I’m now on to the next model:

Keep Java for local use, but disable Java for the browsers.

This still allows local applications to use Java, but stops Web-borne remote exploits from being delivered to my machines.

First of all: Get the latest Java

First things first. Always ensure you run the latest software. Visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that you have the latest version (currently 1.6.0_24)

If you haven’t got the latest version, download and install it from http://www.java.com/

Then verify that auto-update is turned on and frequent enough. For Windows users, go to Control Panel -> Java. Switch to the "Update" tab of the window that comes up and then click the "Advanced…" button. This should show you something like this:

The default is to check for updates once a month, which is a bit pathetic. Change this to weekly at the very least, or daily if you’re serious about your computer’s security:

Then click “OK” to save & close this dialog and “OK” again to save & close the Java settings window.

Now, onto the browsers:

Firefox 3.x

Go to Tools -> Add-ons and you see something similar to this:

Click on “Disable” for both Java extensions, to get this result:

Don’t restart Firefox just yet! Now, onto the “Plugins” tab of the same window:

Click on both Java entries and on the corresponding “Disable” button of each entry, until the window looks like this:

Now it’s time to hit that “Restart Firefox” button in the Add-ons window to restart your browser.

After you’ve restarted, visit http://java.com/en/download/installed.jsp?detect=jre&try=1 with Firefox to verify that Java is disabled.

You should get the following result:

Congratulations – Java has been disabled in Firefox!

Note: Some people may point out that using the NoScript plugin achieves the same goal in a more elegant way – i.e. it allows one to selectively allow the execution of Java code in Firefox. The problem here is that NoScript works on the premise that websites you trust will not deliver malicious code to your machine. Unfortunately there are reports that claim that up to 75% of websites serving malicious code are legitimate websites that have been compromised. Add to that the fact that malicious code can be delivered to your machine through ads served from trusted domains like google.com and yahoo.com.

The only way of protecting against this headache is really to keep all browser plugins updated and disable the ones you don’t absolutely need. Java is not the only culprit here, Adobe’s PDF reader and Flash plugin, as well as Microsoft’s DirectShow and Media Player are also repeat offenders.

Internet Explorer

If you're forced to use Internet Explorer (e.g. because some luminary in your organisation had the brilliant idea that the "free" SharePoint server was a good development platform for your corporate websites…), follow these steps:

First, make sure you have the latest version of the browser. Microsoft itself is begging people to stop using IE6, as it’s an open window for remote control of your machine by criminals. Download and install the latest version of IE.

Now, let’s disable Java in Internet Explorer:

Go to the menu “Tools” -> “Manage add-ons”.

(this example is from IE version 8 on Windows XP, your version might be slightly different)

In the “Manage add-ons” window, select “Show add-ons” on the left hand side pull-down menu:

Now you can see all Java add-ons listed. Select each of them with a single click and hit the “Disable” button:

The final result should look like this: (all Java add-ons disabled)

Now click the “Close” button on the bottom right and close your browser.

Annoyingly, I've found it necessary to also disable the Java plugin from the Java Control Panel – as disabling it from IE alone does not seem to be enough…

Go to Control Panel -> Java and then to the “Advanced” tab. Make sure the options look like below:

Save & close with “OK” – you will get a popup similar to this:

Click OK and then fire up Internet Explorer to visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that Java cannot be executed in IE.

You should get one or more of the following popups:

(this means you disabled the add-on in IE but not in the Control Panel. Unfortunately this seems to result in Java code somehow getting executed regardless!)

(surreal web page, telling you both that Java *is* and *isn’t* working, but there you have it)

If you’ve disabled everything appropriately you should see the following:

Clicking “OK” will eventually land you in this page:

…which is lying to you. You don’t have an old version of Java. You just have a disabled installation.

If you need to use Java for local applications, that’s the best place to be.

Otherwise, if you're tired of all this faffing about, just uninstall Java completely to get it over with and have one less thing to worry about.


How difficult can Denplan make it for customers to protect their personal information?

February 18, 2011

It turns out the answer is “quite”.

Consider the following gem from the “corporate claim form” – this is a piece of paper you have to sign and send to Denplan if you’ve had treatment and are claiming back the costs, as covered by your corporate dental insurance:

(Click the image for a larger version)

This is how I understand this part (let's call it "Part 1"):

  • As long as you use our services, we’ll send your personal information to anyone we like.

Reading on, we reach Part 2:

(again, click on image for larger version)

Here we are told: “You may be contacted by phone, telephone or electronically if appropriate. If you DO NOT wish us to do this please tick below as appropriate.”

This is how I understand this:

  • Ticking below will stop us from contacting you.

And then, the million-dollar statement:

“Denplan Limited may send you details of other products and services.”

The way this is phrased, putting a tick right next to it directly implies “YES, you may”! Even though the sentence above implies the exact opposite.

The lunacy continues with Part 3:

(click on image for larger version)

This part says "To enable them to send you details of their services we may also share some of your details with other AXA group companies based within the European Economic Area [TICK?] and with other carefully selected companies based within the European Economic Area [TICK?]"

Again, it’s not clear how the customer can indicate “No, I don’t want my details shared with others!”, as both phrasing and intuition say “don’t tick here”, but the instructions tell you to “tick as appropriate if you don’t want this to happen”.

Absolute rubbish. Certainly a strong candidate for the Plain English Campaign's Golden Bull Award.

If you’re a Denplan customer, I’d suggest writing to them to point out this gobbledygook and get it fixed.


It’s a simple web page!

February 10, 2011

No it’s not.

Most pages on the web nowadays:

  1. draw content from multiple sources
  2. execute programs (scripts) on your computer, also from multiple sources

What does this mean for you?

Well, for starters it’s important to leave behind the misconception that a web page is a simple thing. There is usually a lot going on in the background that you don’t see. But it’s there. This is how online advertising revenue is generated, and how “advanced” online services operate.

It’s also important to realise that “trust” is a very thorny issue. Visiting the website of (for example) National Geographic shouldn’t be an issue – I mean they’re a respectable business, right? But hang on, on closer examination, look what happens when you visit a single page:

All of a sudden it's evident that this web page, hosted on nationalgeographic.com, is requesting content from EIGHT (8) different domains, not all of which have an obvious relevance to the web page you are trying to see.

Do you know and trust all of them?

Further, aggregating content from many different domains in one web page usually translates to executing code in your browser, on your computer, from all those different domains you had no idea you were communicating with!

In summary:

All you did was request to see a web page from nationalgeographic.com – which you trust.

Subsequently, and without your express permission or knowledge, your computer was instructed by nationalgeographic.com to download content from virtualearth.net, zozi.com, google-analytics.com, 2o7.net, quantserve.com, dl-rms.com, imrworldwide.com and ngeo.com.

Your computer also downloaded and executed programs (scripts) from the following domains: googleadservices.com, google-analytics.com, 2o7.net, quantserve.com, virtualearth.com, dl-rms.com, scorecardresearch.com, and doubleclick.net.
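The inventory above (which third parties a page pulls content from, and which of them get to run script) can be produced from the page's HTML alone. This is an added example, not part of the original post; it assumes Python 3's standard library, a constructed HTML snippet standing in for the National Geographic page, and a crude "last two labels" notion of a domain that ignores suffixes like co.uk.

```python
"""List third-party domains a page loads content and scripts from."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose referenced resource executes as code vs. tags that merely load content.
SCRIPT_TAGS = {"script"}
CONTENT_TAGS = {"img", "iframe", "link", "embed", "object", "source"}


class ResourceCollector(HTMLParser):
    """Collects absolute URLs of external resources referenced by the markup."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = set()
        self.content = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            url = a.get("href")
        elif tag == "object":
            url = a.get("data")
        else:
            url = a.get("src")          # inline <script> has no src and is skipped
        if not url or tag not in SCRIPT_TAGS | CONTENT_TAGS:
            return
        absolute = urljoin(self.page_url, url)   # resolves "/x" and "//host/x"
        (self.scripts if tag in SCRIPT_TAGS else self.content).add(absolute)


def registrable_domain(url):
    """Crude: keep the last two labels (images.example.com -> example.com)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def third_party_domains(page_url, html):
    """Return {'content': [...], 'scripts': [...]} of domains other than the page's own."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = registrable_domain(page_url)
    return {
        "content": sorted({registrable_domain(u) for u in collector.content} - {first_party}),
        "scripts": sorted({registrable_domain(u) for u in collector.scripts} - {first_party}),
    }


# Constructed sample page; the hosts echo the ones named in the post.
SAMPLE_URL = "http://www.nationalgeographic.com/some/page.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="//ad.doubleclick.net/adj/ngs;sz=300x250"></script>
<script src="http://b.scorecardresearch.com/beacon.js"></script>
<script>var inline_only = 1;</script>
</head><body>
<img src="http://images.nationalgeographic.com/logo.png">
<img src="http://ngeo.com/pixel.gif">
<iframe src="http://dev.virtualearth.net/map.aspx"></iframe>
<img src="http://pixel.quantserve.com/pixel/p.gif">
</body></html>"""

if __name__ == "__main__":
    report = third_party_domains(SAMPLE_URL, SAMPLE_HTML)
    print("content from:", ", ".join(report["content"]))
    print("scripts from:", ", ".join(report["scripts"]))
```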

I’m only aware of this carnage because of two Firefox addons I use: NoScript and RequestPolicy. But they’re cumbersome to use and require constant adjustments.

Have that in mind next time you catch yourself thinking “I’m safe online because I don’t visit random websites”.

