PhoneSwipe provides an example of how consumers lack protection from online e-commerce scams, thus demonstrating the need for auditable, delivered transaction receipts.

My wife had been using Square for her business’ credit card processing for about a year. About eight months ago she decided to look for an alternative. Her main issue with Square was that they would not share her customers’ email addresses with her and that they only supported Square Register on iPads and not on her Android phone (Update Dec 2013: Square Register is now available on phones).

A promising looking alternative was PhoneSwipe. PhoneSwipe’s pricing looked good and they supported a register feature on phones. She signed up on PhoneSwipe’s web site, entering just as much as was required in order to try the product. Unfortunately PhoneSwipe’s Android app was dismally implemented. It was cumbersome, ugly and frequently crashed and/or locked up. So she stuck with Square and ended up buying an iPad, just so she could use Square Register.

Fast forward and we find that for six months PhoneSwipe had been charging her business a monthly fee of $12. This is despite the service being advertised as having no monthly fee (the monthly fee, monthly minimum and cancellation fee are all advertised as None on their site). Apparently there was also a feature where you could sign up for a reduced swipe rate if you paid a monthly fee. She did not sign up for this feature, though that is what PhoneSwipe claims in order to justify the fee. PhoneSwipe never contacted her via email or any other means to confirm or provide a receipt showing that she had signed up for this additional service.

Read on →

Web Virtualization is a cloud technology that sits between you and the internet or your intranet delivering an interesting set of security, compliance and experience enhancing applications.

Imagine accessing the web via an intelligent proxy server that had the ability to look into, analyse, filter and even change the content you are browsing before the content hits your device. For end users you would like this server to provide you with a safe, and maybe even enhanced, browsing experience. Your computer would be protected from drive-by malware attacks, spam, black-listed sites or content, and would maybe even anonymize your web access. For parents you might like to protect your children from violent or pornographic material. Businesses might like to see protection for their data, preventing leaks of confidential information. For compliance or security reasons, businesses might also like to monitor, audit, and even automatically flag access to or redact sensitive content.
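As an added example (not code from the original post), here is the policy core such a proxy would run on every request and response: a domain blocklist that also covers subdomains, and a redaction pass that masks card numbers only when they pass a Luhn check, so ordinary long numbers such as order references are left intact. The blocklist, the regex and the sample page body are constructed for illustration; a real deployment would apply this to the decoded, decompressed response body before forwarding it to the client.

```python
"""Content-inspection policy for a filtering web proxy.

Added example, not code from the original post. It models the decision
logic of the "intelligent proxy" described above: block requests to
listed domains, redact sensitive data from responses before they reach
the client, and emit audit events. The blocklist, the sample HTML and
the redaction patterns are all constructed here for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed blocklist: a listed domain covers all of its subdomains.
BLOCKED_DOMAINS = {"malware.example", "phish.example"}


def host_is_blocked(url: str, blocked=BLOCKED_DOMAINS) -> bool:
    """True if the URL's host is a listed domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Check every suffix: cdn.malware.example -> malware.example -> example
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random run of digits is not flagged as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Candidate card numbers: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Verdict:
    allowed: bool
    body: str
    events: list = field(default_factory=list)   # audit trail for this exchange


def inspect(url: str, body: str) -> Verdict:
    """Apply the blocklist, then DLP redaction; return what the client gets."""
    if host_is_blocked(url):
        return Verdict(False, "", [f"BLOCK {url}: host on blocklist"])

    events = []

    def redact(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            events.append(f"REDACT {url}: card ending {digits[-4:]}")
            return "[REDACTED CARD]"
        return m.group(0)       # not a valid PAN, leave it alone

    cleaned = CARD_RE.sub(redact, body)
    return Verdict(True, cleaned, events)


if __name__ == "__main__":
    # Constructed sample response: one real-looking test PAN, one random number.
    page = "card 4111 1111 1111 1111 ref 1234 5678 9012 3456"
    v = inspect("https://shop.example/order", page)
    print(v.allowed, v.body, v.events)
    print(inspect("http://cdn.malware.example/x.js", "<script>").events)
```

The Luhn check is what separates useful redaction from noise: about one in ten random 16-digit strings still passes it, so an audit pipeline would pair this with the page's own context (field names, issuer prefixes) before raising a compliance flag.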

Read on →

I don’t miss XML

I don’t miss XML. XML would only have been a quarter as bad as it is if it didn’t introduce the ambiguity of trying to decide whether data should be an attribute of an element or the value of an element.

```xml
<element attribute="attribute-value">value</element>
```

It would only be half bad if it didn’t introduce the unwieldy syntax of triangle brackets and an end-of-element closing syntax that uses more triangle brackets and a second copy of the element name. It would only be three quarters bad if the syntax for comments didn’t also use triangle brackets, along with a few hyphens, and require a matching closing sequence.

Read on →

Today I migrated a web site from Express 2.5 to Express 3.0.0rc3. This is a non-backward-compatible version change. Express has a Migrating from 2.x to 3.x wiki page, but it doesn’t quite leave you prepared for the more time-consuming incompatibilities that you’ll need to fix. I’ll enumerate some of these differences here. Note that some of these issues may be ironed out in later releases of Express.

Read on →

How Dropbox and the App Store are a counterpoint to Web Apps

About five years ago a colleague and I were lamenting the fragmentation of identity and storage caused by the new crop of web apps. You could edit a PowerPoint-like presentation at one site, a photo at another, and check on your calendar at a third site. Each site required a separate login, and your content was stored in some unique new format in a cloud database that you couldn’t extract your data from. We saw a case for abstracting identity and storage to make life easier and less confusing for users and to help with archiving content beyond the life of the web site (e.g. 280Slides, which is now defunct). We were focusing on fixing identity using OpenID-like solutions, but we also thought the answer to cloud storage might be to provide a standard storage service that all the web apps could use.

Read on →

This week I turned paper delivery back on for T-Mobile and all my credit card statements. I didn’t do this to save the US Postal Service from extinction. I did it because these businesses’ statement ePickup services weren’t delivering an adequate level of service. I call their electronic statement services ePickup because instead of delivering the statements they send you an email notice telling you to go pick up your own statement. Read more about ePickup in my previous post.

Read on →

Sophos ran an article this morning describing how “two typosquatting sites, Wikapedia.com and Twtter.com, have been forced offline and fined £100,000 ($156,000) each by a UK telephone regulatory agency.”

We’ve all mistyped URLs and encountered typosquatting domains attempting to profit from these fat-finger errors. A good way to prevent this from happening is to bookmark the pages you visit most often and never type their URLs. This is particularly important for financial institutions or anywhere else you are likely to enter a valuable user ID and password. Use these bookmarks rather than typing the URLs or clicking on links that have been emailed to you.

A good percentage of users don’t practice organized bookmarking. Users would benefit from a cleaner or more automated approach to adding and using bookmarks for all the sites they log in to, or at least the higher-value sites. They need to be further educated never to click on URLs sent by email or obtained from other sources, and to access these services only from the bookmarks.
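Bookmarks protect the individual user; the brand owner’s side of the same problem is finding look-alike registrations before customers land on them. As an added example (not code from the original post, and going a step beyond it to the defender’s view), here is how the two squats named above, Wikapedia and Twtter, fall out of a single-edit typo generator: omitted, doubled, transposed, adjacent-key and vowel-swapped characters, plus one inserted letter. The brand list, the keyboard neighbour map and the hostnames are constructed for illustration, and the hostname check naively treats the last label as the TLD.

```python
"""Typosquat candidate generation and matching.

Added example, not code from the original post. It generates the
single-keystroke misspellings of a brand label and checks observed
hostnames against them. The brand list, keyboard map and hostnames
below are constructed for illustration.
"""
import string
from typing import Dict, Iterable, Optional, Set

# Constructed QWERTY neighbour map (letters only) for fat-finger substitutions.
QWERTY = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}
VOWELS = "aeiou"


def typo_candidates(label: str) -> Set[str]:
    """All one-edit misspellings of a registrable label (the part before the TLD)."""
    label = label.lower()
    out: Set[str] = set()
    n = len(label)
    for i, ch in enumerate(label):
        head, tail = label[:i], label[i + 1:]
        out.add(head + tail)                       # omission:      twitter -> twtter
        out.add(head + ch + ch + tail)             # doubled key:   twitter -> twwitter
        for nb in QWERTY.get(ch, ""):              # adjacent key:  twitter -> twutter
            out.add(head + nb + tail)
        if ch in VOWELS:                           # vowel swap:    wikipedia -> wikapedia
            for v in VOWELS:
                out.add(head + v + tail)
        if i + 1 < n and ch != label[i + 1]:       # transposition: twitter -> twittre
            out.add(head + label[i + 1] + ch + label[i + 2:])
    for i in range(n + 1):                         # one inserted letter anywhere
        for c in string.ascii_lowercase:
            out.add(label[:i] + c + label[i:])
    out.discard(label)                             # the genuine name is not a squat
    return out


def build_index(brands: Iterable[str]) -> Dict[str, str]:
    """Map every candidate misspelling back to the brand it imitates."""
    index: Dict[str, str] = {}
    for brand in brands:
        for cand in typo_candidates(brand):
            index.setdefault(cand, brand)
    return index


def squat_of(hostname: str, index: Dict[str, str]) -> Optional[str]:
    """Return the brand a hostname looks like a typosquat of, else None.

    Naive: uses the second-level label only, so public suffixes such as
    co.uk are not handled.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return index.get(labels[-2])


if __name__ == "__main__":
    index = build_index(["wikipedia", "twitter"])      # constructed brand list
    for host in ("Wikapedia.com", "twtter.com", "twitter.com", "example.com"):
        print(host, "->", squat_of(host, index))
```

In practice this candidate set is fed to DNS and WHOIS lookups on a schedule, and any newly resolving entry is what gets reported to the registrar or regulator; the generator deliberately errs on the side of producing too many names, since the lookups are cheap and a missed squat is not.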


For the forthcoming Mountain Lion release of Mac OS X, Apple is advancing their support of iCloud and introducing the Notification Center. Third party app developers will not have access to iCloud and the Notification Center unless they release their software through Apple’s App Store.

Developers may not want or be able to use the App Store for any number of reasons:

  • The app cannot comply with Apple’s sandbox rules,
  • The app requires a complex installer or launches a daemon,
  • The economics of handing 30% of the software sales price to Apple does not make sense for the developer.

Those that are not in a position to use the App Store will miss out on these features. This will impact larger software developers such as Adobe Systems the most. As these features become more mainstream, Adobe will be put at a competitive disadvantage.

It may be that access to iCloud and the Notification Center are being restricted for security reasons, but I can’t see why this would be true. Any app today can access Growl, so why wouldn’t any app be allowed to access the Notification Center? As I’m unclear on Apple’s motivation here, it may be premature to draw conclusions. But it sure feels like this can be added to the growing list of Apple’s anticompetitive moves. If this only affects companies such as Adobe then I would not expect a backlash because large companies tend to attract little sympathy.


I covered passwords in enough detail in this post. You’d think most companies would have got the message by now and the only companies with stupid password rules would be those with legacy sites. You’d think.

T-Mobile

Today T-Mobile introduced their new stupid password rules:

  1. Must be at least 8 characters long
  2. Must contain both letters and numbers
  3. Must contain both uppercase and lowercase letters
  4. Cannot contain spaces or special characters (!, @, $, %, ')

Sigh.

Read on →
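As an added example (not code from the original post), here is what those four rules do to the password space: a checker that applies them exactly as quoted, and a count by inclusion-exclusion of the passwords the policy actually admits, compared with a policy that allows the full printable ASCII set. The sample passwords are constructed for illustration.

```python
"""What the four rules above do to the password space.

Added example, not code from the original post. It checks a password
against the rules exactly as quoted, then counts how many passwords the
policy admits (inclusion-exclusion over the character classes) and
compares that with a policy allowing all printable ASCII. The sample
passwords are constructed for illustration.
"""
import itertools
import math
import string

LETTERS = string.ascii_letters                  # 52
DIGITS = string.digits                          # 10
ALLOWED = LETTERS + DIGITS                      # rule 4 leaves 62 symbols
PRINTABLE = ALLOWED + string.punctuation        # 94 non-space printable ASCII


def violations(pw: str) -> list:
    """Rule numbers (as listed in the post) that the password breaks."""
    broken = []
    if len(pw) < 8:
        broken.append(1)
    if not (any(c in LETTERS for c in pw) and any(c in DIGITS for c in pw)):
        broken.append(2)
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        broken.append(3)
    if any(c not in ALLOWED for c in pw):
        broken.append(4)
    return broken


def has_all_classes(s: str) -> bool:
    """At least one lowercase, one uppercase and one digit (rules 2 and 3)."""
    return (any(c.islower() for c in s) and any(c.isupper() for c in s)
            and any(c.isdigit() for c in s))


def policy_count(n: int) -> int:
    """Length-n strings over the 62 allowed symbols that satisfy rules 2-3,
    counted by inclusion-exclusion over which classes are missing."""
    total = 62 ** n
    lacking_one = 36 ** n + 36 ** n + 52 ** n   # no lower, no upper, no digit
    lacking_two = 10 ** n + 26 ** n + 26 ** n   # digits only, upper only, lower only
    return total - lacking_one + lacking_two    # lacking all three is impossible


def brute_count(n: int) -> int:
    """Enumerate every length-n string (small n only) to cross-check policy_count."""
    return sum(1 for t in itertools.product(ALLOWED, repeat=n)
               if has_all_classes("".join(t)))


def bits(count: int) -> float:
    """Size of a search space in bits."""
    return math.log2(count)


if __name__ == "__main__":
    for pw in ("Tr0ub4dor", "correct horse", "P@ssw0rd", "Abc1234"):
        print(f"{pw!r}: broken rules {violations(pw)}")
    print(f"8 chars under all four rules:          {bits(policy_count(8)):.1f} bits")
    print(f"8 chars, 62 symbols, no composition:   {bits(62 ** 8):.1f} bits")
    print(f"8 chars, 94 symbols, no composition:   {bits(94 ** 8):.1f} bits")
```

The numbers make the complaint concrete: an 8-character password under these rules comes from a space of about 47.2 bits, while allowing the full printable set would give 52.4 bits, so rule 4 alone throws away roughly five bits. Rules 2 and 3 cost under half a bit of keyspace but steer people toward the same few shapes (capital first letter, digit at the end), which is where cracking wordlists start.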