@madpilot makes

Perth Bar Camp #1 is on!

Just a quick announcement that Perth BarCamp #1 is finally on!

Where: Central TAFE, 140 Royal St, East Perth WA 6004

When: Saturday 30th June 2007 9am-5pm

Cost: TBA (Probably around $10)

So get your thinking caps on, your laptop batteries charged and read up on what it is all about!

After that, go and register.

Hex colour tees on sale now!

The wait is over folks, the hex colour t-shirt shop is ready and rumbling! Price is $30 + postage and handling.

Go on. What are you waiting for?

Twitteresce 0.7 released

I just released version 0.7 of twitteresce. This release fixes a couple of bugs with the automatic updating system, displays how long ago tweets and direct messages were posted and it now remembers what tweet you were looking at when flicking between the tweet view and read tweet view – trust me this makes catching up on the twitterverse much easier!

As always, get it from the MadPilot website.

AWIA/Port80/WA Web Awards news for this month

Thankfully the goings on of the WA Web Industry Association and the WA Web Awards are a little more exciting than this blog post title.

The April mini-talk podcasts and slides are up – unfortunately, the podcast gods decided to send Nick’s recording to the Bahamas on a junket, leaving Bronwen’s talk to fend for itself. Thankfully, he supplied his talk notes, which should give you a fair idea of what is going on.

This month’s talks will be Richard Giles from Scouta with his talk “Digital Social Networking, For Fun and Profit” and Stephen Carrol on “Government grants and assistance”. For those of you who want to get into the wonderful world of Web 2.0 social startups, and want some advice, the talks are on Wednesday 2 May 2007 at the Velvet Lounge behind the Flying Scotsman in Mt Lawley from about 6 o’clock. Talks will start at 6:30.

We (we being the WA Web Awards sub-committee) have quietly launched the new WA Web Awards website for 2007. We will loudly announce it in a couple of weeks once tickets and entries are open to the public. I would suggest heading over and subscribing to the RSS feed and newsletter, so you can receive the loud announcement.

We are looking for sponsors for said awards at the moment, so if you think your company would benefit from exposure to a couple of hundred web developers and designers, drop me a line and I can hook you up with a proposal.

Go on, take the survey. I dare you.

A List Apart is conducting an online survey of the web industry. If you are in the industry I would recommend you take 10 minutes out of your day – the more responses, the better the data.

Have you done it yet? It’s ok, I’ll wait.

In ur mobilz sending ur tweetz

Twitteresce 0.5 has been released! This update includes:

  1. direct messaging support: you can now read your direct messages
  2. the ability to “Close” Twitteresce rather than exiting – this means you can leave Twitteresce in the background. It will then pop up and alert you if you are running in automatic mode and you have a new tweet.
  3. a fix for the annoying bug where the post screen would disappear if new tweets arrived.

You can download here.

Enjoy!

Edit: Had to release 0.6 to fix a regression bug – Sorry!

Twitteresce: Twitter on your mobile

I’ve got the Twitter-bug bad. Real bad. So much so that I’ve spent a large chunk of my leave this week learning J2ME (Java for mobile phones) by writing Twitteresce. Twitteresce is a small app that runs on your Java-enabled mobile phone – currently it allows you to download both public and private tweets and post updates.

I think it is so much more convenient than trying to use the twitter web page on your phone, or receiving SMSs because you can receive your tweets when you want (The API also seems more stable than the SMS alert system).

There is a list of compatible phones on the twitteresce web page, but I know the list is nowhere near complete. If you download the app on a phone that isn’t listed and it works, please let me know and I’ll add it to the list.

You can go to the official webpage for the app here or type http://tinyurl.com/2de636 into your phone browser and download it directly.

Any bugs, let me know.

Enjoy!

How to lose friends and infuriate people.

Warning: The following post is a usability rant aimed squarely at the incompetent software developers contracted to Citibank. Please enjoy the ride.

When I went to the UK about 4 years ago, I opened a Citibank UK bank account so that I could get paid whilst I was working. The actual account is really great – much better than any account you can get over here in Australia. There are no fees at all – none, nada, zip. At the time they also provided some great overdraft facilities. As I still occasionally do work for UK clients, and as it costs me nothing, it remains open.

Significant point #1: I can’t go to a branch, and I need to call international to talk to a customer support officer – I rely on internet banking heavily.

Unfortunately, the online banking experience does not reflect the quality of the account. There are so many usability issues, the developers should be brought before some sort of tribunal.

Javascript Keyboard: This is a favourite amongst banks as they believe it provides security from key logging software. BOLLOCKS! Javascript is a very dynamic language, it would be extremely simple to write a Javascript function that could be injected onto a page which would reveal the password. All a Javascript keyboard does is increase the chance of me getting my password wrong and slow me down. In fact, if someone was shoulder surfing, they would be able to read my “keypresses” much easier than if I typed them on a normal keyboard. JavaScript keyboards are stupid.


Secret Question and Answers: Next, Citibank requires you to answer one of five pre-defined question/answer pairs. In a previous session, I was required to spend twenty minutes picking and answering questions. Why twenty minutes? Because you need to enter your username, password twice (both times using the previously labeled stupid Javascript keyboard), then finally pick five out of twenty questions, type in answers, then type in answers AGAIN to confirm them. After you enter an answer, they are automatically starred out, so you can’t see them.

Challenge Questions are not secure. A small amount of digging will allow you to get most of these details about someone. Heck, if you can get hold of someone’s bank statement, you can work out at least a couple of answers. All they do is make it frustrating for legitimate users. I couldn’t remember if I used capitals (To this day, I’m still not sure if they are case sensitive) or whether I used abbreviations. And what happens if my favourite colour changes? I’m screwed. Challenge questions are stupid!


Guess what, I couldn’t remember the specific format of the challenge question I was asked, so I was locked out, which meant I needed to go through the above procedure again. This time, I took too long, so the session timed out.

I click the login link once more, enter my username and password (again, stupid Javascript keyboard) but it confirms that my username is locked. I need to click the “unlock username” link. I click said link, and it tells me I NEED TO ENTER A USERNAME AND PASSWORD. Two problems here:

  1. Generally people do not expect text links to be associated with text boxes. If you want the data in a text box to relate to an action, make that action a button.
  2. There is no indication that I need to fill in this information until AFTER I have tried.

Finally, I have navigated to the “unlock username” page. Only to be presented with another stupid form. This time, I need to fill in my username, card number, e-Pin (welcome back stupid Javascript keyboard) and account number. Now, I don’t know about you, but as far as I’m concerned, my credit card number is probably more valuable to a thief than my e-Pin, yet the former is in full view of everyone and isn’t protected by stupid virtual keyboards.

The unlock your account screen is stupid!

Now, after attempting this frustrating process a number of times, I am completely locked out from my online account and I will need to call the UK to get it sorted out. Go team Citibank.

So what can they do about this to make the process simpler? I think BankWest has got it right:

  1. They issue a Personal Access Number (PAN) – The number is short, so it is easy to remember, but it is not easily derivable from the account number or any user details.
  2. They politely remind users that they haven’t changed their password in a while, which is much nicer than forcing me to do it. If I’m stupid enough to not change my password regularly, even when warned, well that is my tough luck.

Other things worth trying:

  1. Limit the amount of money that can be transferred in a day, especially for person-to-person transfers – having access to online banking accounts is not much use unless you can transfer the money out.
  2. Give users the choice of blocking person-to-person transfers and BPay – I only ever check my balance through this system so I have no need for transfer facilities.

The bottom line is these “security” measures aren’t that much more secure than a standard username/password combination yet they are infinitely more annoying and frustrating.

So banks: PLEASE STOP USING THEM.

WordPress Hack: Changing your permalink structure without upsetting Google

WordPress has the ability to generate permalinks, which is great for Search Engine Optimisation. But what can you do if you need to change between them? Changing them in WordPress isn’t a problem – you go to the “Options” tab, click permalinks, and select a new one. However! If other bloggers have linked to your posts, or a search engine has already indexed your blog, their links will break.

With a little bit of .htaccess trickery you can easily* change between the different options without breaking your old links!

Why the star next to the “easily”? If you have a lot of posts, it could take a while, but read on….

Out of the box you have three options (There is a fourth, but if you use that option, you probably don’t need this guide!):

The WordPress permalink options

In terms of SEO, the best option is Date and name based – having the title of the post should give a higher ranking. Next best is Numeric, but only because it gets rid of the ?p=123 part from the URL. Luckily moving from Default and Numeric to Date and name is easy!

If you are moving from Default to one of the other options, then there is nothing else to do – WordPress automatically responds to this style of URL regardless of what option is selected.

There are two ways of moving from the Numeric Option to one of the other options – the quick way and the right way!

The Right way

The right way uses a permanent redirect (using Apache’s mod_alias module) for each blog entry – this will tell search engines that the page doesn’t exist any more and that they should index the new page instead. Unfortunately, this doesn’t update links on other people’s pages, so you will need to leave the hack in place for the life of the blog.

Open up the .htaccess file and add the following BEFORE the # BEGIN WordPress line:

    <IfModule mod_alias.c>
    RedirectPermanent /blog/2007/02/05/this-is-my-blog-post /blog/?p=123
    RedirectPermanent /blog/archives/123 /blog/?p=123
    </IfModule>

You will need to dig into the database to find what ID number corresponds to each post. This is tedious even for a small number of posts, so I prefer the quick way. The IfModule line checks to see if the mod_alias module is installed. The first RedirectPermanent line shows an example of changing from the Date and name option. The second line shows how to change from the Numeric option.
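The per-post lines can be generated instead of typed by hand. The Ruby script below is an added example, not code from the original post: the sample rows, the `redirect_block` helper and its `from:` and `base:` parameters are assumptions for illustration. It rejects any slug that could split a directive's arguments, because the values are written unquoted into .htaccess.

```ruby
require "date"

# Constructed sample rows standing in for ID, post_date and post_name from
# the WordPress posts table; real values come from your own database.
SAMPLE_POSTS = [
  { id: 123, date: Date.new(2007, 2, 5), slug: "this-is-my-blog-post" },
  { id: 124, date: Date.new(2007, 3, 14), slug: "another-post" },
  { id: 125, date: Date.new(2007, 3, 20), slug: "draft post (copy)" }
].freeze

# Slugs are written unquoted into .htaccess, so accept only characters that
# cannot split the directive's arguments or start a new line.
SAFE_SLUG = /\A[a-z0-9][a-z0-9_-]*\z/

# Returns [htaccess_text, skipped_posts]. `from` is the OLD permalink style
# (:date_name or :numeric); `base` is the blog's URL prefix (hypothetical
# parameter names, chosen for this example).
def redirect_block(posts, from:, base: "/blog")
  lines = []
  skipped = []
  posts.each do |post|
    id = Integer(post[:id])
    case from
    when :numeric
      old_path = "archives/#{id}"
    when :date_name
      unless post[:slug].match?(SAFE_SLUG)
        skipped << post
        next
      end
      old_path = "#{post[:date].strftime('%Y/%m/%d')}/#{post[:slug]}"
    else
      raise ArgumentError, "unknown permalink style: #{from.inspect}"
    end
    lines << "RedirectPermanent #{base}/#{old_path} #{base}/?p=#{id}"
  end
  text = ["<IfModule mod_alias.c>", *lines, "</IfModule>"].join("\n") + "\n"
  [text, skipped]
end

if __FILE__ == $PROGRAM_NAME
  text, skipped = redirect_block(SAMPLE_POSTS, from: :date_name)
  puts text
  skipped.each { |post| warn "skipped post #{post[:id]}: unsafe slug #{post[:slug].inspect}" }
end
```

Skipped posts are reported rather than silently dropped, so their redirects can be written by hand after checking the slug.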

The Quick way

The quick way uses Apache’s mod_rewrite module to rewrite the URL – as such it will only work when converting FROM numeric mode. If you need to convert from Date and Name to numeric, you have to use the Right way. Drop the following code BEFORE the # BEGIN WordPress line:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /blog/
    RewriteRule ^archives/([0-9]+) /blog/index.php?p=$1
    </IfModule>

The IfModule line makes sure mod_rewrite is enabled, the next line tells Apache to turn mod_rewrite on. The RewriteBase line tells Apache to automatically prepend /blog/ to all rewrite tests. The second last line is the meat and potatoes: it tells Apache to rewrite any URL that looks like /blog/archives/[one or more numbers] to /blog/index.php?p=[the numbers].

I would highly recommend using the Date and Name option – thankfully converting to that option is the easiest to do!

WGET: The poor man’s SVN – Using Capistrano on a host without subversion

I have a client for whom I created a CakePHP-based website over a year ago. He has since come back to me and asked for a number of changes. I thought I would take the opportunity to use capistrano, because there are a number of steps I always had to perform when updating his site and I hate having to do them manually.

I went about checking all the necessary requirements on his host:

  1. SSH access – check! The host his site was on allows an SSH connection which is required by capistrano
  2. Apache follows symbolic links – check! Because capistrano uses a symbolic link from the document root to the latest version of the site, Apache needs to be able to follow them (i.e. the site’s Apache configuration needs FollowSymLinks enabled)
  3. Has svn installed – fail! This could be a problem. Capistrano by default checks out the HEAD revision from the defined repository – if it can’t use SVN, it can’t download the latest version of the site.

So close! If only I could download the HEAD revision of a site using a common command line system. I thought about writing a SVN-to-web interface, that would check out the latest version and post them as a website, but then I remembered SVN does that out of the box using the SVN apache module. Thankfully, when I was building my development machine, I made sure I installed the SVN module – it was now time to use it!

First I needed to tell Apache to serve up a copy of the SVN repository. Dropping the following into the Apache config file did the trick:

    <Location /url/you/would/like/to/access>
      DAV svn
      SVNPath /path/to/svn/repository
      AuthType Basic
      AuthName "My Secret SVN Repository"
      AuthUserFile /path/to/a/.htpassword/file
      Require valid-user
    </Location>

For those playing at home, replace /url/you/would/like/to/access with a nice easy path – this is the URL you will access to download the files. Replace /path/to/svn/repository with the actual physical path to your repository, and create a .htpassword file with the htpasswd2 command so you can limit access to the repository: htpasswd2 -c /path/to/a/.htpassword/file username would work in this case (after substituting a username and real path, of course).

If you point your browser to the URL you just set up, you should see the root directory of the repository, after you enter the username and password you set up. Congratulations! You are basically there. Now you just need to reconfigure your capistrano to use wget instead of svn. I do this by overriding the deploy method – because I’m not using rails for this project, the paths and shared folders are different anyway. If you are using rails, you might need to have a look at the original recipe file and replace the svn command with the one below.

    # Override of Capistrano's deploy task (the "task :deploy do" header is
    # assumed from the description above).
    task :deploy do
      # Mirror the repository over HTTP into the new release directory.
      run "wget --user=#{wget_user} --password=#{wget_pass} -m --cut-dirs=4 -nH -P #{release_path} -q -R index.html #{repository}"
      # Point the "current" symlink at the new release.
      run "ln -nfs #{release_path} #{current_path}"

      run "rm -rf #{release_path}/app/webroot/files"
    end

The only modification to that line is the number after the --cut-dirs switch – it should be equal to the number of directories in the URL. In our example the URL is /url/you/would/like/to/access so --cut-dirs needs to be equal to 6.

The last thing to do is to set up the wget_user and wget_pass variables to be equal to the username and password you created using htpasswd2.

That should do it! You can now deploy to a server that is sans SVN!
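The --cut-dirs count and the interpolated credentials are the two places this recipe tends to go wrong. The Ruby helpers below are an added example, not part of the original recipe: `cut_dirs_for`, `wget_mirror_command` and the sample host, path and credentials are assumptions made up for illustration. They derive the count from the repository URL and shell-escape every value before it is handed to `run`.

```ruby
require "shellwords"
require "uri"

# Number of path components wget must strip so files land directly in the
# release directory: one per directory in the repository URL's path.
def cut_dirs_for(repository_url)
  URI.parse(repository_url).path.split("/").reject(&:empty?).length
end

# Builds the mirror command from the article with every interpolated value
# shell-escaped, so a password containing spaces, quotes, `$` or `;` reaches
# wget as one literal argument instead of being re-parsed by the remote shell.
def wget_mirror_command(repository:, release_path:, user:, password:)
  [
    "wget",
    "--user=#{Shellwords.escape(user)}",
    "--password=#{Shellwords.escape(password)}",
    "-m", "--cut-dirs=#{cut_dirs_for(repository)}", "-nH",
    "-P", Shellwords.escape(release_path),
    "-q", "-R", "index.html",
    Shellwords.escape(repository)
  ].join(" ")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; the host name and credentials are placeholders.
  puts wget_mirror_command(
    repository: "http://svn.example.test/url/you/would/like/to/access",
    release_path: "/var/www/site/releases/20070401120000",
    user: "deploy",
    password: "p@ss word;$1"
  )
end
```

Escaping does not hide the password: wget's manual notes that credentials given on the command line can be seen by anyone who runs ps on the host, and suggests a .wgetrc or .netrc file instead.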

Caveats: Because of the way the SVN module and WGET work, I’ve had to exclude index.html from the download (basically WGET treats the directory listing as a page, and will output it as index.html), so this technique will not work if you have any pages called index.html in your structure. Workaround: rename all instances of index.html to index.htm.

You might get some weird results if someone checks in code at the same time as you do a deploy – unless you have a bucket load of developers working on your system and you have no communication between developers, this is pretty unlikely.

(Names have been changed to protect the innocent)
