Archive for category "Tech"

I’ve put together a Gnome applet that checks the balance of an online bank account at predetermined times and emails the balances to a selected email address. It’s unimaginatively titled “balancer“.

It’s (1) useful, and (2) scares the crap out of me.

The useful part is pretty self evident. I want to know my current balance so I can rein in my spending if I’m going overboard.

The scary part is equally self evident. balancer keeps bank credentials on the user’s computer. That’s a terrible idea. An attacker who wants to make some cash just has to trawl the secrets stored in the GnomeKeyring to get access to the user’s life savings. In theory, GnomeKeyring could be secure-ish, if it kept all of its secrets on a portion of the disk hidden from users and blocked access on too many failed access attempts. But it doesn’t seem to. It looks like it keeps secrets in ~/.gnome2/keyrings. If an attacker can subvert an app owned by the user, then they can read ~/.gnome2/keyrings/balancer.credentials.keyring and pass the file offsite for an offline dictionary attack. Eep!

On top of that, GnomeKeyring differentiates between apps based on the path to the app binary. I guess this works for native applications, but it breaks when the app runs in a virtual machine. My app, balancer, is written in Python. After I run it, other Python apps are able to dig into the GnomeKeyring without the user being prompted for a password. Noes!

It’s funny. I tried Wesabe, and had no problem putting myself at the same risk balancer would inflict on me. Even though the Wesabe client has the same security problems, I put them out of my head because someone else wrote the code. But I’m having a hard time doing that with something I wrote.

Gawp has impressed on me the value of curation – that’s the process of normalizing and verifying data so that it can be used elsewhere. Clean, useful data is clearly awesome, but I didn’t realize it would be possible to build a business on it. AggData apparently has. They scrape publicly available data, normalize it and make it available for a small fee. I’m amazed that they can employ five people with a business model based on pure curation. Good for them! Further proof, if any was needed, that we live in the future. (Via Weather Sealed)

My fiancé’s mp3 player died last month, and mine is on its last legs1. Since my lady love is a bit of a technophobe, I started looking into iPods. One of the first stories I ran across when I was looking into them was about the suicide of Sun Danyong – an employee of one of Apple’s suppliers. The guy had apparently lost an iPhone prototype and then been subjected to a week of abuse at the hands of his employer, Foxconn. He then committed suicide.

When I buy stuff, I try to keep to the ethically made goods. I buy fair trade when possible, and I avoid products that don’t have a fair trade option. But because iPods have a reputation for usability and my sweetie deserves the best, I crafted this letter to Apple’s PR contacts.

Dear Ms. Cotton and Mr. Atkins,

I’m in the market for a new MP3 player. Before I buy an Apple gadget, I’d like to know what Apple is doing to ensure that its suppliers are treating their workers well. The ongoing coverage of Sun Danyong’s abuse and subsequent suicide has me reconsidering Apple products.

I don’t expect Apple to get a TransFair certification any time soon, but I can at least ask if they’re doing anything.

Footnotes
  1. I don’t recommend Creative Labs Zens. When shifting off of “Lock” mine occasionally cranks the volume to 100% or 0% and locks up. Alternately painful or annoying.

Blogawa Events Robot

I’m back. My wrists aren’t 100%, but they’re much better than they were. To prove it, I’ve squeezed another feature into Blogawa: events. Our friendly events robot reads OttawaEvents.org daily, randomly picks some upcoming events, and posts them to Blogawa.

The events are currently jumbled together, regardless of category, but that may change with time.

I’ve always liked the idea of open source bounties. I want open source coders to be able to make money on what they do, so I like the idea of users banding together to pay for a feature. The only drawback is that I’ve never actually seen a bounty collected. As an experiment, I’ve picked a worthy project, and I’ll be matching donations to it that (a) link back to this post, (b) total no more than €60, and (c) are mentioned in a comment here. So hit Cofundos and take my money! (Yes, I’m avoiding typing. But this is a minipost, so it doesn’t count.) UPDATE: I’d like to make clear that I’m only offering €60 in total, and that’s matching on any single donation made after the original date of this post (April 14, 9:00am-ish, EST). I also added (c) above, so that I don’t have to check the Cofundos site.

Phew. The upgrade worked. I’ve redirected the old feed URL to the new URL, and everything should be smurfy on Blogawa itself.

Of note:

  • Comment links should now work (thanks MG).
  • We’re now displaying 25 posts/page (thanks RG).
  • Updates should occur much more often now. If I’m hitting your blog too often, let me know.
  • If you’re an author, and you want your gravatar to show up, email erigami@piepalace.ca and let me know.

As far as I know, all of the feeds imported properly. Let me know if there’s anything amiss.

As alluded to last week, Blogawa is undergoing a reskinning. The new site will be pretty much the same in terms of functionality, except that it should look a bit nicer. The only major change will be the use of Gravatars to provide avatars for authors.

The URL for the RSS feed will change. I should be able to set up a forward to send your RSS reader to the appropriate place, but I may not. So if you find that your feed reader breaks, come back to blogawa and resubscribe.

Aaaany day now…

Blogawa is ugly. Ugly, ugly, ugly. So I’m redesigning the look. As part of the redesign, I’m putting together a wordmark that will be shown on the mast head. Here are some of the possibilities:

[Image: candidate Blogawa wordmarks]

(The source HTML is available as well)

What are your thoughts? Suggestions? Constructive criticism?

Have you ever wished, fellow blogger, that you had a way to tell your readers when you comment on somebody else’s blog? I have. Whenever I comment on dubroy.com (for example), I’d like my blog to show that I did that.

I’ve put together the Elsewhere plugin to do that magic. When you comment on a blog with Elsewhere installed, that blog will ping the URL you entered in the ‘Website’ field on the comment form. If that website has Elsewhere installed, a link to your comment will be displayed in your sidebar.

Miniposts 0.6.8 is now out. It’s another fix release that removes post duplication issues, cleans up the preferences page, and fixes a couple of bugs with the smiley code that nataan contributed.

The big news is that the miniposts plugin is now hosted on the WordPress autoinstallation site, meaning that installation and upgrades should be easy peasy. Since this is my first hosted plugin, I’ve taken a quickie screenshot, so I can remember when my plugin’s average rating was 5/5: