turbotas.co.uk

The problem surrounds Amazons choice to let merchants pick their own shipping costs and the poor way in which Amazon makes those charges visible to the customer.

In essence, when you search for a product and Amazon returns the result, you never see the P&P charges that will be applied.

The important point here is that unlike eBay, who show P&P charges right on screen with the search results, it’s impossible to compare suppliers shipping costs on Amazon.

Try this for yourself: Go to Amazon and try to buy a 1 gig Micro SD card.  Attempt to predict how much you will pay based on the returned results.  You can’t because the merchants are all dropping the product price and pumping the P&P cost to such an extent that on all the first few pages of results, the P&P cost will double the price you pay.  Worse is that you can’t even find out what the shipping price will be.

The end effect of this problem is that it’s nit possible to trust any purchase on the Amazon Store.  TurboTas advice is to go use eBay so that you can see upfront how much you will pay.

Winning the both the Dumbest Company of the Year award and the Shoot-yourself-in-the-customer award so early in the year is a 1st, but I'm pretty sure that this is not going to get beaten this year, so I duly announce the Ford Motor Company to be the Dumbest Company of 2008 in the whole universe.  While I'm at it, they win next year and last year too.

It all started when the 9000 member strong Black Mustang Club decided to make a calendar of their cars.  these are the guys that Ford makes it's cars for.  Guys that cherish and enthuse about cars all day.

The members duly photographed, cropped touched and generally toiled on collecting a great showcase of their wonderful black mustangs and submitted the artwork to CafePress for making into a calendar for sale to BMC members.

The problems started immediately: CafePress notified the group that Ford legal tits had contacted them to block the publishing of the calendar.Get this: Ford claim that they own all representations of Ford vehicles in any photograph ever published and that no photo of a Ford may ever be used by anyone ever without their say so.  So there.  CafePress were worried enough by Ford hounding them that they have complied with the request and you cannot now get CafePress output with ford cars at all.

Hilarity ensued with around 9000 Mustang owners suddenly realising that although they have the car of their dreams, it’s a dream manufactured by probably the most tainted and evil company in the world.

A ford spokesman today suggested that any car owners wanting to take pictures of their cars should buy a GM or BMW vehicle instead.

You may also like to think about finding a printing house that understands copyright and trademark law too!

More on this crazy trademark issue here.

Yes, not content with ripping customers off on the food, McDonalds have now started charging £125 if you spend to long eating it too.  And don't think you can get away with it.  McDonalds are using high tech number plate recognition devices to make sure you get lost within 45 minutes.  Of course they don't confront you in the store, they nab your details from DVLA and the first thing you know is when you get a letter weeks later asking for £125.

Oh, and McDonalds don't go soft either, the fine Rises to £213 if you don't pay.  Would you risk your house for a Big Mac.  Nope me either!

A spokesman for McDonalds said today: "If you don't like it, don't eat at our restaurants". 

TurboTas advises you to follow the tainted arches advice and go to Burger King, who still treat their customers like….. customers!

GMD or Gross Map Distortion is the practice of making a map look completely unlike reality, normally for commercial gain.

This weeks winner is Olympic Holidays who due to the inconvienient closeness of the airport to their resorts in Kremasti and Ixia, moved the airport 10 miles down the coast.

I suppose it could be an accident.  In this day of GPS enhanced accuracy, I suppose it's completely possible to slip and place the airport down the happily uninhabited west coast of Rhodes due to an error with a slide rule, but somehow I don't think so. Check it out for yourself on our handy map!

Olympic Holidays were, unsurprisingly, unavailable for comment today. 

It is with some hilarity that I recount that the Mozilla foundation is being seen as the new Satan.  WTF I hear you ask?  Well, it's all about the failure to display advertising content using an extension for Firefox called adblock plus (ABP) which prevents ads from being displayed on the most common sites.  What it actually does is modify the pages after downloading but before display so that the user does not get to see the ads. Think of it as a popup blocker on steroids.

Well, not surprisingly, some people are a bit miffed about this.  In their version of reality this constitutes theft as the user is bypassing the revenue stream which supposedly supports the site in the first place.

Okay, so to cut it a bit short, some plum has started a one-man hate campaign about this and is advocating that webmasters use the browser UA string to block anyone using Firefox. Any webmasters mad enough to actually block Firefox users redirect there users here. Further than that, this chap has decided that the people to blame for this are the Mozilla foundation.

Not the people that install and use ad-block plus? Nope.  Not the people that write the ABP extension? Nope. How about the people that maintain and issue the filter sets for ad-block plus such as filterset G?  Nope. Maybe then the harmless and beneficient people that make the best browser on the planet for free?  Could be!

Although I can empathise to a micro extent with the affected organisation which rely on the income from the ads to support their sites, I think the point is that ad sponsored websites don't really work too well.  It's always a juggling act between in your face adverts and keeping the site useable. 

Click though rates are so low that an awful lot of people have to suffer the ad just to get that one sale.  Personally, I expect this to change a lot in the future as it becomes more aparent that ad supported surfing does not work.

This has always been an issue for TV: maximising ad revenue.  Have the TV companies got it right?  Nope, but we don't have a choice.  Every ten to fifteen minutes we go wander off for 5 minutes.   Whats the upshot of this?  TV programmes are unable to persuade you to suspend your disbelief and get into the show.  The only fix is to use a recorder and bypass the ads.

How would it be if we applied this to other media forms and claimed a moral responsibility (and these guys would also claim it's a legal obligation) to view ads?

Is it against the law to take a piss when the advert break is on in the middle of Lost?  These people are arguing that you must watch the adverts and take a break during the feature!

When you buy a newspaper,  are you legally obliged to read all the adverts, particularly the crappy ones for big slippers and hearing aids? These people think you must read all the adverts and skip the content if you run out of time.

Well what is the answer then?  Tough one that. You need to take a long hard think about why you have a website, how you fund it and whether your audience will bugger off somewhere else if you put too many ads on the screen.

What have I decided to do?  Well, I like adblock plus and I use filterset G to dump the ads.  I've stopped surfing at work because the sites I use look rubbish in IE with all the ads. I'm being serious here: soem third rate news sites do horid things like have javascript powered keywords that put up advberts on mouseover.  I can't cope with that rubbish, so I stay in my comfort zone and don't use such invasive sites from the office.

I could change the UA string on the browser or the proxy so that the webserver thinks Opera is at the other end and get around the redirect, but then why:  The Firefox embargo has been in place for a month and I've never received a warning.  I would guess that the most badly affected people are those who run Blogs and things and are using the most invasive (and therefore the most commonly blocked) ads to try and make a couple of bucks.  I seem not to use those sites.  For now I can live with the fact than someone doesn't like me 'taking a leak' when they are trying to feed ads to my browser!

In the future, if a really important site takes issue with my lack of advertising consumption and I can't read their content, like say Google, BoingBoing or SlashDot, then perhaps I'll think again and maybe take a premium feed. Or maybe I'll find another site.  Until then, I'm really greatful there are plenty of IE users reading the ads so that I don't have to.

Remember information wants to be free but the whole world want to makey money from it!

2012 (twεnti twεlv) vb (usually derogative). The act of cocking something up so badly the only sane recourse is to assume a different name, leave the country, leaving behind a disaster of such imense proportions that the only recourse is to cover it with topsoil and start again from scratch, e.g. turning up to meet the queen nude or smearing excrement on your head during a job interview.

Acclaimed artist Antony Gormley has placed 31 statues of himself in various locations in London. All of them face towards the Hayward Gallery on the south bank where he presently has an exhibition on. Check out the locations of the statues in the Steve and Toby whistle stop tour. Hint: Look Up!  The homepage for Blind Light, the Gormley Exhibition on through August at the Hayward, can be found here.

The statues are all made individually by Gormley and his team and each is made by taking a fresh cast from Gormley himself. The casting process leaves rough edges and the channels used to pour the metal are left in place giving the statues an attractive, almost unfinished appearance.

All of the statues can be seen from the sculpture terraces at the Hayward, however there are some great viewing spots around london and each of the sculptures exhibits a life of its own when viewed in its local context. 

Yesterday I invoked a ridiculously disproportionate response to a piece of SPAM.  No I don't want to buy a Renault and I don't appreciate not having an unsubscribe option either. This email must have been harvested by buying what is euphemistically called an opt-in list.

So not only were there no unsubscribe instructions, but if you visited the Renault website, the only way to unsubscribe was to provide more information: name, address, phone number, email address and information about my current car.  All this to stop receiving rubbish!

So my disproportionate response is a simple mail filter than trashes any email with the word renault ANYWHERE in the message & a greasemonkey script that removes Renault from any text rendered in Firefox. It's now not possible to send me an email with Renault anywhere in the message. 

In my internet world, Renault no longer exists.  Perhaps one day corporates will notice that sending marketing emails without explicit opt-in permission is a no-no!

Thats it.  February 11th 2007 was the day.  The DRM system used by both HD DVD formats was broken completely today.  The DRM system which cost billions of dollars and years of effort to create was sent tumbling dwon by two people in just a few days with almost no expense other than some time and some software engineering knowhow. It turns out that all thats needed to defeat the DRM system is a knowledge of the AACS standard itself. What does this mean? Simple, it means that it's now possible to extract the HD DVD video stream from the disc and back it up or burn it or whatever you want to do with it.  Any Disc.  No Key seaching needed.

For those of you that need to know:

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

I know this sounds crazy, but bear with me just a second.  The problem with Firefox and popups is that it's so good at blocking them!  Great at home where I don't use any other browser, but bad at the office.

The office is a nice sensible controlled environment where I can't change the security settings (or just about any settings for that matter) in the IE6 browser.  The funny think is that I'm so used to not seeing popups at home, that I often manage to click them at work just because they are convincing and I'm not used to seeing them: like the one that looks like the screensaver setup dialog or a GPF.  It's just too easy to click 'ok'.

So my point is that those IE users who get popups all day long do end up far more sensitive than us that use a more securley setup browser. 

So the moral of the story: Firefox users: take especial care when using IE at work!

If you've tried to purchase petrol at a Shell station with your credit card over the last few days, you may have been surprised when the shopkeeper put the receipt on the counter and asked for your signature. In fact, Shell has withdrawn Chip and PIN from all their non franchised stores in the UK over a potential £1M scam.

If you believed the advertising campaign surrounding Chip and PIN, you'd be forgiven for thinking that the scheme is supposed to bar far less fallible than plain old signatures. Alas, all is not that simple.

Presently, it's believed that the POS terminals used in some stores have been tampered with to record the pin numbers of a massive number of customers. This information has presumably subsequently been used to withdraw cash or make purchases.This is a bit scary: The central Chip and Pin guys accredit every terminal model prior to its use in the field. They are supposed to be tamper proof and stop working if any attempt is made to muck around with them, such as to persuade them to record pin numbers.

Of course, in real life the Chip and PIN POS terminals have become so ubiquitous that many will undoubtedly find their way into the hands of that element of society that would probe them and find a way around the anti-tamper mechanisms built into the device.

The point here is that you don't really _need_ to fiddle with a terminal: It would be quite easy to produce a device which sat on top of the authentic device whilst recording everything the user does and just passing the signals on to an authentic terminal. This would be executed in much the same way as the card skimming devices that get fitted to ATM machines from time to time.

Indeed, take this a step further, in a hypothetical attack, imagine a POS terminal that routes the signals to an accomplice in a different store: when you type in your pin, you are not paying for the petrol at all but for a £2000 plasma TV. The beauty of this attack is that you never know.

Use of such a device would probably require cooperation of local staff, but there will always be ways to buy staff.

There are some pretty advanced techniques around for getting the PIN number and it's not difficult to see that any of these could aggregate to a powerful attack. Remember we only have 9999 different PIN Numbers (Actually, it's less than that but lets not do that discussion now).

1) Key timings
Use of the timings between key presses to predict what the number might be. Get an audio recording and feed it thorough a filter to detect the exact timings between the keys… Compare with statistical averages and guess the pin.

2) Key sounds
On some terminals, it's possible to detect slight differences in the sound made when the key is pressed.

3) Social engineering.
It's amazing how many people will give you one digit of their PIN without much prompting. Finding out about the target may give away valuable information: Phone numbers, dates of birth, anniversaries. Lets face it, most people use a PIN number than means something to them.

4) Shoulder surfing

5) Non intrusive tampering with the Terminal (Dusting the keys for example). This would give you 4 digits with only about 24 permutations: Not a bad reduction from 10,000. In conjunction with technique 1 or 2 you might get a 90% hit rate.

Defences

The best defence I can come up with is

1) Soft keys. I've seen these on high security door locks. Each key has an LED digit on it. The idea is that when the credit card is inserted, the keys re-arrange themselves in a random pattern, so that rather than

789
456
123

The pad might look like this…

697
198
324

The obvious idea being that this counters shoulder surfers and other techniques involving studying the equipment non-intrusively. The key displays would be pretty directional so the chap standing next to you can't see them.

Well you clearly need to think hard to use this and it's no good for the visually impaired, but you can easily see the benefits of such a system.

Even when you consider the slower number entry due to the thought required this scheme has tremendous potential, although it should be noted that many people remember their PIN by position on the pad and not the actual number itself.

It's interesting to note that all attacks on Chip and Pin are likely to be based around getting to know the PIN. 4 digit numbers are considered quite adequate as secret passwords: 10000:1 odds are good enough to be considered unguessable.

As a final thought, consider the legal position of Chip and Pin. Presently, the banks are claiming that anyone complaining about phantom withdrawals is probably lying. This is the default position. They have won court cases and continue to do so daily where they simply state that the burden of proof is on the customer to show that the transaction was not undertaken with their knowledge. They simply claim that the customer gave the PIN number away willingly.

The problems we have talked about today are all related to a wired device which _should_ be easier to secure. Consider the challenges facing wide scale RFID implementations such as the national ID card.

Expect more articles on this interesting subject soon.

Being an IT professional, I have to hang my head in shame and admit to you that I nearly lost data today. I was resigned to restoring from the last full backup I took, which was ages ago. In the end a last ditch attempt came to fruition.

It all started innocently enough with the upgrade of the main server from FC3 to FC5.  I hate upgrading TurboTas so much that i missed out FC4 completly.   The upgrade began and (as with FC3), the installer baulked at my lvm drives.  not at all of them, just the striped 160s.  I guess this happened coz i use them native, not with any partition table. 

The installer warned me that it wouldzero the partition table on hdc and hdd if i continued.  I selected cancel and the install proceeded anyway.  Lo and behold, after the upgrade Linux booted fine but no LVM on the two big drives.

All LVM tools suggested that there was nothing LVMish about the two drives which left me a bit stumped.  The net was symathetic, but no actual help.  I tried vgrestorecfg, but this reported that the vg memebers were not correct.  In desperation, I wrote new signatures to the PVs using pvcreate.  I had to use -ff as lvm already thought they were in a vg.  

Next I tried the vgrestorecfg tool again, but now was told that the signatures were wrong.  In desperation I edited the backup file and changed the drive signates to those now reported by pvdisplay /dev/hdc and hdd.  Amazingly, vgrestorecfg worked. 

A few minutes later and I had mounted the drives and discovered that I seem to have lost nothing at all other than a few clumps of hair. 

The lesson, dear readers is to do those backups even if they are manual and a pain in the butt.  I've had my warning: you may not be so lucky.