Signing up for Creative Cloud was not a pleasant experience. Here is why:

1. When I tried to go through your payment process, I was left with some flashing boxes and nothing else happened. This is apparently because I made the “error” of using Safari (Apple’s default web browser) to attempt to purchase from you.

   It is evident that you didn’t test your payment process in Safari properly (at least the last time you changed it) before you made it live. This is not acceptable.

2. You then had me download an installer for “Adobe Application Manager”. This is fine, but it failed, giving the error message

   

   Leaving aside for the moment the stray capital letter ‘p’ on the word “Please”, this message does not mean anything useful and it is not obvious what to do about it.

3. When I go to your support website and choose “Troubleshoot Creative Cloud Installation and Download”, I get this:

   

4. On further investigation, I was able to locate the installer that had been downloaded, which makes the following claim:

   

   Leaving aside the presentational inconsistency that the text in this window appears to be white rather than black, and the fact that in 2012 it is not reasonable (especially given the cost of your products) to merely throw your hands up when presented with a case-sensitive filesystem, the fact is that my filesystem is not case sensitive.

   Let me repeat for the hard of hearing:

   MY FILESYSTEM IS NOT CASE SENSITIVE

   Since you (Adobe) most likely won’t take my word for it (though I can’t imagine why), here’s a quick test in a Terminal window to demonstrate:

   

Now, having tried your software before, and having discovered in the past that the installers are totally broken, I was aware that the fact that I normally log in to the machine as a network user (albeit one with local administrator privileges — as a developer, that’s pretty much a necessity) was most likely going to cause your software to fail. Note: that is not any kind of excuse. It’s your shoddy work that makes it fail, not my choice to operate my computer system in an entirely reasonable, Apple-supported configuration.

I did eventually get your software to install, however:

• It is abundantly clear that you do not test your installers sufficiently well on Mac OS X. In particular, you need to make sure you address the following situations:

  1. When the user doing the install is not, themselves, an administrator.

  2. When the user doing the install is a network user whose home directory is on a fileserver somewhere.

  3. When the user doing the install has a case-sensitive home directory, but the rest of the filesystem is case-insensitive. THIS IS AN APPLE SUPPORTED CONFIGURATION and is quite common in set-ups where the fileserver is running some other flavour of Unix.

  There is no reason you should not be able to install successfully in all of these cases, even if you can’t be bothered to properly support case sensitive filesystems for your application bundles.

• It is also apparent that you did not properly test your purchase form with Safari, which is the dominant web browser on Mac OS X.

• You need to stop throwing your hands in the air when presented with a case-sensitive filesystem. It may not be supported for boot, but it is supported (at least) for peoples’ home directories and for other disks on the system. Some of these people might want your software installed in one of these other locations, and you should make sure that it works.

  If you are so utterly incompetent that you cannot work out that doing this is actually no more effort than making it work for case-insensitive systems, I have a library for you. Link against it, and all your case-sensitivity woes will go away. Though you may have some security bugs instead, if you don’t think too hard about it.

A result of all of this is that the purchase process was not smooth. As a developer, I was able to figure out what to do to get things to work; most normal users would not have been able to.

I have a couple of observations:

1. “Ray” is a software developer. Assuming he cannot get a job writing software, he must be a reasonably intelligent chap and should therefore be capable of getting himself all kinds of office work, never mind unskilled labour of one sort or another. Instead, apparently, he has been jobless since 2001.

2. The breakdown of their spending includes the following items, which, I submit, are luxuries that they have no right to expect the state (in the form of you, me, and everyone else) to provide for them. Namely:

   • Shows. This is listed, but not explained, under “Other”.

   • Entertainment. What Ray does on a Friday night is up to him, but if he doesn’t have the money, he doesn’t have the money. Maybe his friends would care to buy his beer for him, instead of expecting us to buy it?

   • Sky TV (perplexingly listed separately from “Entertainment”). This is justified with the wonderful “We get the Sky Movies package because we’re stuck in the house all week - otherwise we wouldn’t have any entertainment”.

     Of course (a) Ray does not have to be stuck in all week — he could get a job; (b) there is a perfectly good free TV and radio service; (c) there are always books and board games; and (d) if all else fails, there is the public library! I might add that public libraries often lend out films as well as books, just in case Ray has forgotten how to read while sitting on his arse.

   • Mobile phones. I don’t care that Ray says his teenagers will whinge at him if they don’t have them. They can’t afford because their dad can’t be bothered to find himself a job.

   • “24 cans of lager, 200 cigarettes and a large pouch of tobacco”. Really? 200 cigarettes costs at least £50, right there.

3. The amount that they will lose in benefits if this cap comes in is less than they are spending on tobacco and alcohol every week (I estimate this at the £20 “Entertainment”, plus £50 for 200 cigarettes, plus £15 for 24 cans of cheap lager and another £8 or so for the pouch of tobacco, which is £93).

The story ends with a quote from Ray: “I see eight people here having to choose between eating and heating.” Personally I see a lazy scrounger who can’t be bothered to go out and get himself a job. Any job. I don’t care if it’s as a software developer or as a damned toilet cleaner, quite frankly.

The article makes the usual arguments about the over-estimation of economic loss to copyright holders, who, of necessity, talk about opportunity loss rather than concrete losses. Of course, in practice it’s impossible to come up with a definitive figure owing to the nature of copyright infringement—simply put, infringers don’t tell the copyright owner about their infringement (the only case where that can really happen is with software, and software that makes any kind of effort to do that usually upsets the privacy lobby). My perspective, as a copyright holder, is usually that even if we assume conservatively that only 10% of pirates would pay, given sufficient incentive, it would still represent a sizeable loss on any reasonable estimate of the number of pirated copies of our software.

However, the article does make a few more interesting claims. First, it claims (giving the example of a pirated TV show) that the loss, however large, from infringement is offset by the “$15 to $85 worth of enjoyment” that watching a pirated TV show would create. This, it seems to me, is a bogus argument. A car enthusiast may get £100,000 worth of enjoyment from driving his Porsche; that does not mean that stealing one from the dealer is no longer a loss to society. And it certainly does not make stealing a £50,000 Porsche a net gain to society of £50,000.

It also points out that the loss to the copyright holder is not necessarily an economic loss to society overall, as the infringer may use the money saved to (for example) visit a pizzeria. Again, this argument is suspicious; it seems to me that it would apply equally to mugging… for instance, if I am mugged for £100, which is then spent on burgers, I have lost £100, the burger joint and its suppliers have gained——and by Matthew Yglesias’ argument, society has not lost out overall.

Taken together, these arguments are even more suspect. Not only can I steal a Porsche and have my £100,000 worth of enjoyment, but the £50,000 I saved on buying it can now be spent as well! Society doesn’t lose out at all, and I can claim (as Yglesias does) that the entire £100,000 worth of enjoyment was a gain for society too. Win-win, right?

Yglesias then goes on to say that, because the BBC has yet to release the second series of Sherlock in the United States, he has been downloading it illegally over BitTorrent. Leaving aside for a moment my irritation that, as a U.K. license fee payer, Yglesias has just admitted stealing from me, it seems to me to be difficult to take him seriously when he talks about the pros and cons of copyright infringement if he is also indulging in it himself.

The article proceeds to claim that there’s a “considerable” benefit in forcing copyright holders to compete with “free-but-illegal downloads”, citing the existence of iTunes and Hulu as examples of legal options that he feels might not exist without pressure from piracy. Again, I find the argument rather thin; piracy is essentially identical, economically, to having a competitor who is engaging in dumping). I have yet to hear an economist argue that it would be good if goods and services were stolen and dumped in order to depress the market price. On the contrary, the usual view is that price dumping of any sort tends to force competitors out of the market, and in the case of piracy, the competitors are the people making all of the content that is being dumped.

As for whether or not there’s a problem on the consumer side—as distinct from commercial pirates—I think Yglesias’ analysis is facile. First, the current situation, where there is an excess of entertainment available to the consumer, is a hang-over from the previous situation in which making music and movies was a highly profitable business. There is still a lot of that money in the system and it will take time to drain away.

Second, there is a tendency to under-estimate the scale of the problem of consumer infringement. Talking to ordinary people (and even celebrities like Stephen Fry, actually, whose own income is dependent to some extent on copyright), will rapidly disabuse you of the notion that piracy is not a widespread thing. Many people I have spoken to boast openly about how clever they are to get things for free rather than paying for them. Ordinary people. Not computer whizz-kids, not stay-at-home living-in-mum’s-basement types. Yet everyone always assumes that “it’s just one copy”, “it’s just me”, “the movie/ music/software company is rich enough anyway” and so on. In a way, Yglesias has demonstrated that himself—he apparently feels that it’s socially acceptable enough to tell us that he’s illegally downloaded the BBC’s Sherlock.

When piracy was just a case of sharing something with your friends, it was less of an issue for copyright holders. Of course, many of them protested the illegality of doing so, but I think even they knew that it wasn’t hurting them that much overall. The problem is that the Internet has changed “sharing with your friends” to “sharing with anyone who cares to”; the scale has increased out of all proportion.

Finally, I think consumers fail to understand the motives of some of the players in this argument, and many of them end up—effectively—astroturfing on behalf of big corporations who are making a profit from others’ piracy. There is a reason that Google searches for The Pirate Bay still work. There is a reason that registrars providing WHOIS hiding services refuse to stop hiding the details of their customers even when they are egregiously infringing the rights of others. There is a reason that ISPs refuse to enforce their own Terms of Service. None of these things happen in the case of child pornography, but all of them happen for copyright infringement, even when it is blatant.

It is certainly the case that advertising and donations on dedicated piracy sites makes money for their operators. Money that should, rightly, be going to the people who produced the copyrighted content that they help to distribute, but which, right now, is going to line the pockets of the operators of the site, of their ISPs and registrars, of payment processors and of advertising networks. SOPA, above all else, appears to be an attempt to curtail that flow of money, and so it is hardly surprising that many of the companies involved are protesting about it, though their PR departments have obviously concluded that it’s far better for their respective images to frame it as a stance on the moral high ground of opposition to censorship rather than admitting their somewhat baser motives.

There are lots of breathless claims all over the Internet about the degree to which these bills will cause harm to the Internet, just as there were with DMCA before them. Indeed, people are talking about how any site might be taken down without notice, how payment providers and advertising networks might be forced to stop providing revenue streams and so on and so forth.

Most of these complaints are from people who have not bothered to read the full text of the bills, and are really just parroting what they have heard elsewhere. The result is that while they may be aware that SOPA could in principle be used to take down a site, they are unaware of the conditions attached to this, namely that:

• The owner or operator must be committing or facilitating the commission of criminal violations under sections 2318, 2319, 2319A, 2319B or 2320, or chapter 90 of title 18 USC.

• The site would be subject to seizure in the United States as a result of these violations if its owners or operators were located in the United States.

That is, in order for a site to be subject to take-down, it must already be breaking United States copyright law, and it would already be subject to take-down if its owners and/or operators were in U.S. territory. So, really, this part is just extending existing provisions in U.S. law so that they apply where the domain registrant is overseas. That seems fair enough, frankly, particularly as U.S. registrants might otherwise pretend to be overseas to escape the existing legislation.

Another thing that SOPA and PIPA do that is causing consternation is that they provide a mechanism for those whose rights are being infringed to notify payment processors and advertising networks that they must not process transactions for or make payments to the alleged infringer. This requires a notice similar to the ones specified by DMCA, and, just like DMCA, it is possible for the affected site to file a counter notice. And just like DMCA, if a counter notice is filed, it is the courts that must be used to decide what happens next.

They also create a limited immunity for anyone acting voluntarily to prevent copyright infringment; potential liability to their own customers has been used an excuse, historically, by registrars, payment processors and others, for continuing to allow their customers to egregiously infringe others’ rights even when their own Terms of Service explicitly ban such behaviour.

There have been all kinds of claims about the technical consequences of SOPA and PIPA, though most of these have been (as far as I can tell) baseless, since neither act makes any kind of stipulation about the technical measures that may or may not be used in its enforcement. I tend to think these are really a case of special pleading from a group of people who are making not inconsiderable sums of money from other peoples’ copyright infringement and/or are worried that enforcement might create additional costs for their businesses. These are not disinterested parties.

Anyway, regardless of your views on SOPA or PIPA, the blackout by Wikipedia is childish, affects countries other than the United States, whose citizens have no say whatsoever in whether or not the U.S. Congress or Senate pass their respective bills, and in addition has been done in a half-assed way.

For anyone who wishes to browse Wikipedia with Safari today, here’s a Safari extension that undoes the blackout.

Confidentiality of communications

6.—(1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment—

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) is given the opportunity to refuse the storage of or access to that information.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information—

(a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

ICO is emphasising the impact of these rules on cookies, but as you can see from the text of the actual regulations, above, they also cover any “information stored”. This would seem to include

• The User-Agent string

• The Accept-Language header

• The URL itself (which may be covered by the exception in (4)(b), but not if it happens to contain session data)

• Various information that is accessible to Javascript on the client side, but which may be of interest to the server merely to improve the end-user experience — for instance, the end user’s display size or colour depth, whether or not Adobe Flash or Java is installed and enabled, whether or not the end user is using a screen reader, and so on.

It is difficult to argue that the exceptions in (4) apply to all of this information, yet in most cases it would be unreasonable to demand explicit consent from the end user for any of it.

Further questions surround use of services like Google Adwords’ conversion tracking functionality; websites using this feature of Adwords are relying on the Adwords system setting a cookie on the end user’s machine when they click on an advert. This cookie isn’t actually under the control of the site operator—instead, it’s set by Google (via the googleadservices.com server). How is “informed consent” supposed to operate in that case? It isn’t as if Adwords conversion tracking is the kind of thing that anyone should be worried about—all it does is tells the person paying for the advertising how much each advert-driven sale is costing them.

ICO also rightly points out that the legislation applies to session cookies. Yes, you did read that right. And looking at ICO’s updated guidance it’s hard to get the impression that they plan on ignoring that fact.

Ironically, the regulations are actually worse for free services than they are for paid-for services, because the definition given for an “information society service” in The Electronic Commerce (EC Directive) Regulations 2002 is

“any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing…”

and so exception (4)(b) doesn’t apply where remuneration would not normally be expected!

There’s some very wooly language in the ICO guidelines about what ICO considers would and would not fall within the exception, but even if ICO doesn’t think something is worth pursuing, there’s nothing stopping some crazy privacy campaigner from pursuing a private prosecution.

ICO does quite clearly say that you can’t rely on the availability of the “Do Not Track” header and associated browser preferences, contrary to the previous mutterings coming out of government on the issue.

I tried writing a letter to government to suggest some changes to the legislation that would provide some sanity, for instance by explicitly permitting the use of information sent by default by the user’s browser (like the User-Agent string), along with exemptions for session cookies and non-identifying properties of the user’s terminal equipment. In response, I was told that it wasn’t possible to change the law because that would require renegotiating at EU level—not an option at present, apparently. (I note, by the way, that the Danes apparently do not agree that additional work at EU level is necessary, since they have explicitly exempted session cookies, which cures at least one of the problems.)

At present, then, the European Union has broken the web. It turns out that most EU countries have been so slow at implementing the law that this hasn’t been a problem so far, but that situation won’t persist forever.

All of this could have been avoided had the EU actually consulted someone with sufficient technical expertise before changing the law. I made that point in my letter, and was told that various industry players had been consulted (the response listed Google, Apple and others), but it seems to me highly improbable that any competent technical expert would not have objected to the wording from the EU Directive, so my guess is that this consultation was after the fact.

Right now, the simplest thing seems to be to incorporate outside the European Union, and have the new entity run your company website. That would place both the site and the entity operating it outside of this idiotic piece of legislation and the regulators whose job it is to enforce it.

I’ve been very quiet about all of this; partly for reasons I’ll explain below, partly because I’ve been busy, and partly because, well, it’s just too amazing for words.

Software development is, as has been decried many times, horribly male-dominated. Even more so than engineering in general, and that is pretty male-dominated itself. All of us would love for this not to be the case, but it is, and for the moment at least, however much effort all of us put in to changing the demographics, we have to live with it.

One result of this is that we’re very unlikely to meet anyone at work, and worse, those women we do meet are very probably quite fed up of the unwanted attention they reportedly get from some of our number, are therefore on the defensive from the outset, and in any event are quite probably already spoken for.

Anyway, the upshot is that a fair number of us end up on online dating sites. In my case, the first one I tried was match.com, but came to the conclusion that it’s basically a rip-off; yes, I had a few actual dates, and even an actual relationship, but even using the site makes my skin crawl… sharp practice doesn’t even begin to describe the way match.com and others treat their customers. In many cases you won’t get replies to your messages for the simple fact that the person you sent it to hasn’t paid to be able to send e-mail. That’s right, both parties have to pony up in order to get a response. Either that, or you can buy the right to get replies from people who haven’t paid up, but that, as you might imagine, tends to be an expensive extra. To my mind, the sector needs regulations to protect customers from this kind of thing; if you pay to send messages, it should include the right to receive replies, end of story. Anything else is bilking the customer.

On Twitter, I’d heard about another dating site, OkCupid, which doesn’t force you to part with large sums of money before you can contact one another and which treats its members more reasonably. Obviously, since it’s free, it’s ad-funded (i.e. you are the product), though you have the option to pay to disable the ads if you find them objectionable. I should say, since I’m singing their praises somewhat, that OkCupid has since been bought by match.com, which may or may not have had an impact. It did result in the post about paid online dating that I linked above being removed although OkCupid insisted that that was because it wasn’t accurate, rather than being instigated by match.com.

So, around the end of last year, I had an e-mail on OkCupid from Jo, to which I replied asking if she’d like to go out for a meal with me at the excellent La Regatta in Southampton. Very convenient as she was living on the Isle of Wight at the time, and it’s right opposite the ferry terminal. Owing to the bad weather, we postponed our date until the New Year, but it’s something of an understatement to say we got along like a house on fire; we basically forgot to eat, we were so busy chattering. Our second date wasn’t really much different, though we did actually manage to eat something! I really don’t have the words to describe how much I love Jo; she’s the best friend I’ve ever had, the most wonderful company, and I don’t know now what I’d do without her.

Anyway, a couple of months later, I proposed, and she accepted.

So the first piece of news (to readers of my blog) is that I’m getting married, next July.

The second piece of news — in some ways even more amazing — is that Jo and I should be having our first child some time over the next couple of weeks. We’re both over the moon about this (Jo especially, as she wasn’t sure it was possible), and hopefully there will be another blog post soon enough to welcome a new life into the world.

(In an ideal world, I would have preferred to do this the other way around, but when I met Jo at the start of this year, she was separated but not yet divorced. This is also why I haven’t mentioned anything up to now — neither of us wanted to do anything that might upset the divorce proceedings.)

Jo, if you’re reading this, I love you so much.

If you’ve done any shopping on the Internet in recent years, chances are that you’ve happened across the joy that is 3‑D Secure (aka Verified by Visa or MasterCard SecureCode). This is a system that can be adopted by your bank, supposedly to provide you with additional reassurance that your card details cannot be used fraudulently by a third party to make purchases on Internet sites.

You’ll know if your bank has “enrolled” your card for this scheme because when you make your purchase you’ll very likely be presented with a screen like the one on the right.

Unfortunately, 3‑D Secure is still, in 2011, ten years after it was first launched, a total disaster. Why? Well:

• Some banks don’t tell their customers about it, but have still signed all their cardholders up to the scheme.

• Some banks’ implementations ask cardholders for things they frankly shouldn’t (for instance, in the United States, the customer’s Social Security Number). This frightens cardholders, because they have been told never to enter these details into a website because of the risk of identity theft.

• Typically there is no way to proceed with the purchase without using the 3‑D Secure form; all you can do is use it or cancel. This is often the case even when the user is being prompted to sign up for 3‑D Secure, and as a result some customers abandon their purchase.

• Banks generally outsource their side of 3‑D Secure, which means that the end user is seeing a page from a third-party. Of course, current recommendations from Visa and MasterCard say to use an HTML iframe anyway, so maybe they don’t see that, but if they do have the inclination to check it out, they may very well panic anyway.

• Customers simply don’t expect to suddenly see a page displaying their bank’s logo while trying to pay for something. This is, of course, made substantially worse by their bank not mentioning to them that this will happen.

• Some banks’ 3‑D Secure forms are not as concise as the example above and even in some cases require that the cardholder re-enter(!) all of the information they have already given to the site trying to sell them something. Yes, I did say re-enter.

But, more pertinently, passwords are a terrible way to verify customers’ identities. Even assuming the cardholder doesn’t choose the same password they use everywhere else, they’re likely to forget their password (which is very frustrating), and in any event it is susceptible to phishing or keylogger-based attempts to capture the necessary information.

The sad part is that 3‑D Secure itself is actually able to provide any authentication technique your bank cares to use. There is nothing stopping your bank from choosing something a little more human-friendly - for example, showing you pictures of faces and asking you to choose the correct one - or even providing a card reader and allowing your bank card to directly communicate its physical presence to the bank.

Each member of the MPC has expertise in the field of economics and monetary policy. Members do not represent individual groups or areas. They are independent. Each member of the Committee has a vote to set interest rates at the level they believe is consistent with meeting the inflation target. The MPC’s decision is made on the basis of one-person, one vote. It is not based on a consensus of opinion. It reflects the votes of each individual member of the Committee.

Yet, month after month, the MPC has voted consistently against raising interest rates.

Note that the MPC committee is not supposed to vote to set rates according to anything other than inflation. It isn’t supposed to care one jot about anything else, and while it does explain that there is supposedly a lag of “about two years”, the data consistently shows an upwards trend over a much longer period. Put another way, going by the data, interest rates should have been higher in the past, and should be higher now.

However, there are a few pieces of software that are hosted here, and so I’ve made a page dedicated to those and set up links so they’ll still be available.

One might retort that I could just have set something up on TypePad, or Blogger or some such, and that’s true, but it doesn’t really provide the kind of service I’m after. So I waited, thinking that eventually I’d get around to organising myself another server with MovableType on it. Of course, this never happened (too busy), so the situation persisted, and in the meantime I’ve built up quite a few things I wanted to say, but didn’t really have anywhere to say them.

Then, just the other day, we received the sad news that Steve Jobs, the visionary behind Apple, NeXT, Pixar and all of the great work that flowed forth from those companies, died. Sure, I posted something brief on my company’s blog, but more than that doesn’t seem appropriate for that location.

Anyway, in the meantime, Matt Gemmell had been talking about changing blogging platform as a result of persistent performance problems with WordPress, and indeed had actually switched to Octopress. MovableType, my previous blogging platform of choice, doesn’t suffer from the performance issues that plague dynamic blogging software such as WordPress, but Octopress does offer other advantages, especially the fact that posts are stored in plain text files, under version control.

So, I’m switching. This does mean that it might be a little while before my website settles back down again, and I’m intending to move one or two things about a bit. Plus I’m vain enough to want my blog to look unique, so now I have a new blog theme to design. But hey… it’s all fun.

Yesterday, while listening to the speakers at the first day of NSConference, I managed to find the time to tidy up what I had and to make it build and run properly on Snow Leopard.

The code isn’t perfect — I can think of lots of things that need doing to get it to the stage where I’d want to use it myself in an app — and because it was started way back in 2005 and slowly tinkered with over time, I’m sure there’s plenty that could be tidied up too… but it does provide a lot of examples of using all kinds of Cocoa functionality, some of which is not so obvious until you’ve tried it once or twice.

Anyway, it’s available under an MIT-style license from Google Code.

It would be very easy for the 3-D effect to become the centrepiece of a 3-D movie, but it seemed as if it was carefully thought out. Nice touches included the fact that some of the humans’ display devices were themselves displaying images with depth and the various things floating in the atmosphere (including the Atokirina’ and the dust after the destruction of the Na’vi Hometree).

The only thing really wrong with this type of 3-D right now is that you can’t focus anywhere other than where the camera is focused. Of course, fixing that is incredibly difficult, since you’d need to be able to adjust the focal length for specific areas of the image in the projector, not to mention adding the requirement of being able to film everything in every shot in perfect sharp focus in the first place.

Pandora itself is amazingly beautiful, particularly at night with all of the bioluminescence, and it really is difficult not to marvel at the amount of work that went into designing the lush and importantly believable landscape of the Pandoran forest and its native wildlife.

Anyway, it’s a wonderful film; let’s hope James Cameron gets to make a sequel. Let’s also hope that unlike the Alien series (which has been fatally marred by the awful Alien Resurrection, not to mention a certain amount of stupidity in the AvP films), the studio knows when to call it quits.

The first one was a U.S. bank that decided it’d be a great idea to ask its customers to enter their Social Security Number into a web form on the Internet. U.S. citizens are understandably very wary about giving out their Social Security Numbers on-line, particularly on websites they don’t recognise, and it also seems that the bank in question apparently hadn’t mentioned to the cardholder that it might go and ask them for this information during a card payment transaction, resulting in a worried e-mail to us asking if it was some sort of scam.

The second incident involved a credit union that had told its members that it would never ask them to enter their credit union member number online. And then it did, in its 3-D Secure authentication form. Again, we get an e-mail asking us if it’s some sort of scam.

Most of these problems seem to be due to inept security policies at U.S.-based card issuers. At the very least if you are going to enroll your customers’ cards for 3-D Secure, you need to make sure they know what to expect when they see the Verified by Visa or MasterCard SecureCode boxes appear. Otherwise it’s actually a major security risk, because someone could set-up a site that pretends to use VbyV or MCSC and asks for information like Social Security Numbers that can then be used for credit fraud.

Then I spent the rest of the day doing customer support. We all do that at Coriolis Systems; it’s good that we software developers get involved with real customers and see what the real problems are with our products. All too often people are divorced from the actual customers because they have (sometimes layers) of customer support staff in between them and the real world. We don’t. The downside of that is that it can be a bit of a drag at times, dealing with yet another “I forgot my password”, “My e-mail address is wrong” query, punctuated with occasional customer angry that “we didn’t reply” (translation: they, their IT department, and/or their ISP are not competent to run a mail server, but are trying to anyway, and have cunningly configured it to ignore/junk/bounce e-mail from us).

Anyway, the remainder of yesterday was spent doing that. We always get a lot of mail to deal with on a Monday, because we don’t work weekends, but I really don’t like not making progress with whatever else I’m working on.

Today, on the other hand, was great. Made plenty of progress with what I’ve been working on. It still isn’t perfect (just checked it remotely, and it’s broken :-)), but it’s definitely getting there, which is good news indeed, as it means I’ll soon be back working on what I was doing before (both more interesting and more fun, quite frankly).

Also managed to do a load of housework when I got home, so that’s good too. Surprising how much work it is to keep on top of all the housework, but I really do love living in my new house :-) :-)

POSIX semaphores currently don’t support this feature on OS X; nor do System V semaphores. Mach semaphores do support timeouts (see /usr/include/mach/semaphore.h), but it isn’t immediately obvious how to pass one to another process.

Anyway, I thought I’d stick together a simple Mach server to implement named semaphores…

Update 2011-10-14

I’ve moved the code and most of the description to a new page, as that seemed better than leaving it here.

The scam is hard for police or other agencies to investigate because the individual sums of money involved are very small.

I wonder if the political class or the general public realise the implications of this situation, or the true scale of the amount of money that goes missing, entirely without police investigation for the simple reason that the amount is “too small”.

Fairly recently, we had a purchase put through our website from a customer in Paris, France. This customer used someone else’s card to make the purchase, and the owner of that card was understandably irritated and complained to their card issuer who, under the card scheme rules, returned the money, which was subsequently recovered from us along with a so-called “chargeback fee”.

The account on our website was locked and the licenses cancelled so they couldn’t re-activate the software if they needed to at any point in the future.

Subsequently, the same person made another purchase, using an entirely different set of card details belonging to another third party, who also complained at their card issuer, who returned the money as before, recovering it from us and resulting in another “chargeback fee”.

It is entirely obvious that this person has access to multiple sets of stolen credit/debit card details. It is equally obvious that the total amount that is likely to be at stake is many, many times the amount of any individual purchase. Yet when we asked the police to look into the matter, we were told that the French police wouldn’t investigate because the sum of money was too small¹.

It should be immediately apparent to anyone with half a brain that this attitude results in the perverse outcome that even large-scale credit or debit card fraud involving multiple small transactions in foreign countries, ideally spread across many online retailers, will go undetected and more importantly unpunished, while vendors (particularly of digital goods and services, where the losses are almost invariably passed on by the card issuer) are unfairly penalised for being the final victims of this fraud.

This amounts to nothing less than a license to defraud and is, quite frankly, a disgrace.

This isn’t exactly news as far as copyright holders are concerned. We’ve known for ages, because of the capricious and unhelpful way that ISPs act when we ask them to remove illegal copies of our material, that they are, on the whole, supporters of copyright infringement. They may not admit it, of course, but since it drives use of bandwidth, encourages customers to use their services and results in a net revenue stream for them, it’s pretty easy to see why they would support it.

It’s also interesting to consider the comments of Rupert Goodwins, one of ZD Net’s editors. Interesting because the press, particularly the dead tree variety, has also been largely pro-infringement—as long as we aren’t talking about their content, anyway. Predictably, therefore, Goodwins trots out the ISPs’ tropes about how expensive and impractical it will be, how it might infringe peoples’ human rights, how there isn’t enough evidence that it’s really harming peoples’ livelihoods and so on. He even at one point talks about ISPs having to “cut off their own customers… for no reason”. Not to mention implying that the changes to the proposals have something to do with Peter Mandelson’s meeting with David Geffen.

Hows this for the NHS - My Dad had a heart attack 2 months ago, within 4 minutes the paramedics arrived with in 25 mins we were in A&E and within 2 hours he was on a specialist ward, life saved! - All this for Free, Oh forgot it must be Evil! - MURRRHAHAH!!

Since then I have been so impressed by the NHS and their staff, I have been applying for jobs with them, even on less salary than I currently am.

This is one Brit with pride in our NHS and its staff

john s, wigan

where the commenter appears to think that the NHS is free. It isn’t. It’s free at the point of use, but that just means that we pay for it through taxation.

And boy, do we pay for it. Government spending on health is listed in the 2009 Budget as £119bn, much of which is covered by the £98bn that was collected in National Insurance payments. National Insurance, for those who don’t know, is an over-complicated form of income tax that is paid by both employers and their employees so that the government can increase it by a notional 1% and actually get 2% extra (of your gross salary) in tax. It’s widely criticised (and rightly so) as being a tax on employment, and the excuse for its existence is that it’s there to pay for the NHS and the state pension scheme¹.

But it’s very unlikely that the health figure on that graph includes payments related to debt interest on NHS-related projects, or the costs of PFI, all of which must come from somewhere (hint: that’s your pocket, stupid). See, for instance, this or this. Quite a chunk of the £28bn of debt interest payments shown in the Budget will relate to these kinds of things. There’s also a very suspicious £72bn of “Other” shown in the Budget…

Anyway, even if we believe the figure of £119bn (and I don’t know about you, but I’m skeptical that that number is the whole truth of it), the NHS costs us each around £2,000 per annum (or between US$3,000 and US$4,000 depending on exchange rates).

In reality, not all of the population pays National Insurance; it’s only paid by those in employment, and even then not everybody pays. The Office of National Statistics tells us that 28.93 million people are currently in employment, so the figure per working person is more like £4,000 per working person, per annum, assuming that everyone pays which I’ve already noted is not the case. (For the benefit of U.S. readers, that’s between US$6,000 and US$8,000 depending on exchange rate fluctuations!)

Of course, we can also look at this another way, which is to consider what “the man on the street” actually pays in National Insurance contributions, including his employer’s contribution (which, whether he knows it or not, comes out of what his employer is prepared to pay for him to work there).

According to average weekly earnings figures from the ONS, in May 2009, average weekly earnings were £440. Using the NI tables HMRC publishes, we can work out roughly² how much someone on average weekly earnings pays £36.30 per week in Employees’ contributions, and a further £42.24 per week in Employers’ contributions that they usually don’t see (though it still effectively comes out of their pay, of course). That’s £78.54 per week, or a little over £300 per month. Or £4,000 per annum. Yes, that’s right, a person on average income has to pay over £300 per month for the NHS (that’s US$450 to US$600 depending on exchange rates).

So is the NHS free? No, it isn’t.

How does it compare with the U.S.? That’s a difficult question to answer sensibly and I’m not really going to attempt to do so here. But I note that here in the U.K. it’s quite likely that a family of four will have two parents out to work, especially if both are on average incomes (in which case the total NI contribution is around £8,000pa, or US$12,000-ish), while the National Coalition on Health Care estimated that in 2008, employers paid on average US$12,700 for a health plan for a family of four. Again, as an employee you may only be expected to front up US$3,400 of that, but the rest still comes out of what your employer is prepared to pay for employing you.

There are lots of other factors, of course. While the NHS theoretically provides dentistry and optometry and so on, in practice those are usually paid for separately. And I know in the U.S. there are excesses, limits and co-payments to worry about.