Archive for the 'The Intertubes' Category

Online money management

I’ve been trying out a few of the online services for managing money.  I have a couple of pretty simple use cases for this:

  1. Am I being robbed?  Look through credit card and bank statements for activity I don’t remember, subscriptions I thought I’d cancelled or Direct Debits that shouldn’t be taking money.
  2. Cashflow projections based on different debt mechanisms (i.e. if I pay x off a credit card, what does my cashflow look like)
  3. Slicing, dicing and browsing to see where money is really going.

Pretty typical usage for most people I think.  I have a few credit cards, and I use my debit card a lot, so tracking all of this manually is quite a pain.  Ideally I’d use a service that fetches all this data automagically from the various institutions, and provides me with a decent interface.  I’d settle for uploading my statements manually.  I’m happy to pay for this service.

I’ve found four options:

Mint has had rave reviews, and sounds excellent.  Unfortunately it’s US only for now.  They plan to roll out in the UK “late 2008, early 2009”.  But not right now.

First Direct

I use First Direct, the HSBC online bank, for my current account.  Their web interface isn’t the greatest, but it works reliably.  I can do all the things I want to, even if sometimes it’s a bit tortuous.  They provide an additional pay-for service called Internet Banking Plus that integrates with other banks and shows your statements for every account.  I don’t know what else it does, but it sounds worth a try.

Unfortunately it requires Windows and Internet Explorer, so it’s complete FAIL.


This is a beta service that’s aiming to do the same sorts of things as  I registered for this and went through the various options for telling it your transactions.  It has an automagic integration (using Yodlee) with every bank I need – you provide your access details for the bank, and it connects and pulls down your transaction details.

Unfortunately, the security for this is a complete disaster.  If you go to and log in, you remain on an unencrypted connection.  When they pop up a form asking for your banking details, this submits the details over an unencrypted connection.  You can see a screenshot from Firebug below.


That last GET request is the one that contains all your lovely super secure banking details – going over the public internet in the clear.  Thankfully I was paying attention and saw everything was in the clear, and entered only “foo”s. I suspect most people don’t notice.

The impact of this might not be obvious.  For those who don’t know, lots of internet equipment has been hacked by bad guys, and you have to assume that anything that isn’t strongly encrypted is being snooped successfully.  In addition of course, if you are on a wireless connection that isn’t using WPA, your data is easily snooped locally too, using any old laptop.  Not so much of a problem at home perhaps, but try not to do your online banking in airports, ok?

I’ve informed Kublax about this breach incidentally.

You can navigate manually to and then do the same thing, but this time over an encrypted connection. All they need do is switch to an encrypted connection early enough.  It is quite upsetting that they provide any service over unencrypted http to be honest – just bouncing every http request directly to an https URL would be the best solution.
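The check done by eye in Firebug above can be automated against a browser network export (HAR). This is an added example, not code from the original post; the host names, field names and the list of sensitive name fragments are constructed assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Name fragments treated as credential-bearing (an assumption for this example).
SENSITIVE = ("pass", "pwd", "pin", "secret", "user", "login")

def _entry(method, url, params=None):
    """Build one HAR-style entry; params become a form-encoded POST body."""
    req = {"method": method, "url": url}
    if params:
        req["postData"] = {"mimeType": "application/x-www-form-urlencoded",
                           "params": [{"name": n, "value": v} for n, v in params]}
    return {"request": req}

# Constructed capture: hosts and field names are placeholders, values are dummies.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("GET", "http://moneyapp.example/dashboard"),
    _entry("GET", "http://moneyapp.example/link?bank=demo&bank_username=foo&bank_password=foo"),
    _entry("POST", "https://moneyapp.example/link",
           [("bank_username", "foo"), ("bank_password", "foo")]),
    _entry("GET", "https://moneyapp.example/session?password=foo"),
]}})

def is_sensitive(name):
    lowered = name.lower()
    return any(fragment in lowered for fragment in SENSITIVE)

def submitted_fields(request):
    """Yield (name, location) for each query-string or form-body parameter."""
    query = urlsplit(request["url"]).query
    for name, _ in parse_qsl(query, keep_blank_values=True):
        yield name, "query"
    post = request.get("postData") or {}
    params = post.get("params") or []
    if not params and "x-www-form-urlencoded" in post.get("mimeType", ""):
        # Some exporters only populate the raw body text.
        body = post.get("text") or ""
        params = [{"name": n} for n, _ in parse_qsl(body, keep_blank_values=True)]
    for param in params:
        yield param["name"], "body"

def audit(har_text):
    """Return (method, field, reason) findings; parameter values are never reported."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        request = entry["request"]
        scheme = urlsplit(request["url"]).scheme.lower()
        for name, where in submitted_fields(request):
            if not is_sensitive(name):
                continue
            if scheme != "https":
                findings.append((request["method"], name, "plaintext-http"))
            elif where == "query":
                # Encrypted in transit, but URLs end up in history, logs and Referer headers.
                findings.append((request["method"], name, "secret-in-url"))
    return findings

if __name__ == "__main__":
    for method, field, reason in audit(SAMPLE_HAR):
        print(f"{reason}: {method} carries '{field}'")
```

The HTTPS POST in the sample produces no finding, which is the behaviour the post asks for: credentials only ever submitted in a request body over an encrypted connection.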

Once I’d convinced myself my details were going over a secure link, I tried automatically downloading my statements from a bank account and a credit card, but neither actually worked, and I got a non-specific error at the end of the process.  So after all that, it didn’t work.  sigh.

Persevering perhaps more than was sane, I uploaded some bank statements that I had manually downloaded from my bank.  This functionality works pretty well, although to get to the point of adding a manual account you have to go through a whole bunch of hoops that are difficult to repeat.  It supports QIF and OFX formats, which all of my banks provide, so that’s ok.

Once the statements are uploaded, you are presented with some basic analytics on your data, and you have the option to categorise your transactions.  Categorisation is klunky and difficult to apply, with an interface that requires quite a few clicks and mouse movements to execute.  When you’re doing this for dozens of transactions it gets painful quickly.  Seriously guys, this is 2009, do some bloody usability work before coding ok?

Also, changes didn’t always stick – I’d categorise an item, it would claim to be categorised, but if I paged off and back it would go back to being “Uncategorised”.

Finally, when I’d got a bunch of data categorised I couldn’t really do any of the things I wanted with it.  It shows a flash pie chart, and you can slice and dice, which is kind of interesting.  But I couldn’t find any functionality for doing much more than that.  This was better than the competition though, depressingly.

In conclusion for Kublax: security fail, usability fail and coding fail.

If I were a VC who had funded this I would be quite upset.  If you are a VC who funded this, then give my company, Isotoma, a call – we build web apps that are secure, a joy to use and that actually function, unlike your current lot.


Wesabe looks promising – the site design is much better than that of Kublax, and it shows some smarts. It has two options for providing your transaction data – for banks where they support automatic access, you can enter your credentials for your bank and it will fetch the data.  Alternatively, they have a Firefox plugin, which would be a good idea if it actually worked.

The browser plugin works by recording your activity – you tell the plugin the starting url for your banking site, and then it records what you enter to download a statement.  It can then replay this to get your statement.  Thing is, banks have instituted specific measures to defeat replay attacks – most sites now ask you for specific letters from a longer password.  This specifically stops this kind of automation from working.  In addition my current account site uses a popup for the banking interface, which is obviously a bit crap of them, but it defeated the Wesabe plugin completely.  It could replay as far as clicking the button to open the popup, and then stopped.

So, stopped at the first hurdle – I never managed to get any data into this site.  If there is a manual upload facility, so I can put my statements in, I failed to find it.  I’d be happy doing this too, to be honest – uploading six statements once a month isn’t that onerous.


None of these sites satisfied me.  Kublax came closest, since I actually managed to get some data into them and view it, but its interface was klunky enough, and their security feeble enough, to stop me wanting to go back.  There is a real opportunity for someone to clean up here, and it could well be, if they do a competent release in the UK.

Stephen Fry, The BBC and the future of broadcasting

A speech by Stephen Fry that really everyone should read.

Government gives ISPs pointy hat, truncheon

The Government wants ISPs to stop illegal downloads.

This is so wrong headed it’s hard to see what on earth they’re thinking of. Presumably they envisage a technology solution, which is pretty typical amongst people like government ministers – hey well my computer can tell when I’m writing a letter and show me a paperclip, so surely it must be able to stop copyright infringement!

Here’s a few issues that I think are pretty much insoluble:

How can you tell what content infringes copyright?

There’s a couple of options here. Blacklisting known infringers sounds like a good idea, but it’s got problems.

Sites such as The PirateBay don’t themselves distribute copyright material. They host only the (non-copyright) torrent tracker, and the downloaders all share the content amongst themselves.  These downloaders are on moving IP addresses and come and go pretty randomly, and are all over the world and the UK.

So who do you blacklist?

A team of people inspecting torrent sites for suspicious material, and then tracking the torrents, finding the IP addresses of all peers and then adding them to a rolling blacklist that’s used by all ISPs might work.  Well, work as in generate an actual list of blacklistable IP addresses.  This is the sort of technique the Chinese use, with quite a lot of success.  There will be a lot of collateral damage though, and in a free society that’s very difficult to justify.  And justify it, in court, they are going to have to do.

Blacklisting The PirateBay sounds good, and is much easier, but new torrent sites will pop up all the time. Again the judiciary will have a very dim view of arbitrary censorship of people who have been convicted of no crime.  I don’t see this method working beyond the first few lawsuits.

Alternatively they might imagine some sort of fingerprinting. Every stream will be examined on the fly, perhaps for the evil bit. With a bit of work it’s probably possible to identify some copyright work using fingerprinting, with quite a few mistakes. Of course, this is defeated utterly by encryption. Right now torrents aren’t encrypted, but I think it will take approximately 1.2 nanoseconds for everyone to move to encrypted torrents if something like this comes in.

Some ISPs might go as far as blocking bittorrent. This is relatively easy to do, and much harder to avoid, however loads of services use bittorrent now that are perfectly legal. Even the BBC’s own iPlayer uses the same sort of technology, and I can see how popular banning that would be.

How do you know it’s working?

They are threatening to punish ISPs unless they “do something”. Precisely how are they going to decide who to punish? Is there going to be some sort of quota – “you have banned 50 users this week, you have unlocked an achievement!”. Sorry, that should be “50 customers”.

There just isn’t a reasonable success metric, and ISPs are not going to voluntarily ban their own customers.  They’ll kick and scream and resist wherever they can, so whatever comes up with is going to have to be enforceable in court.  That means metrics that are clear, fair and measurable.  I just don’t believe such a thing exists.

Ultimately this is just the content exploitation industries failing to address the fact that their business model was temporary. It relied on a particular coincidence of technological limitations and market opportunities. This has changed and now they are about as useful as a bicycle to the proverbial fish.

I just can’t see this happening without a huge amount of damage to the government, and the whole idea being binned in the end.  I just hope they aren’t dumb enough to do it.

The Microsoft / Yahoo Deal

Microsoft are going to buy Yahoo!. No way this isn’t going to happen now. Shareholders will love it and the only place where the combined company might trouble competition authorities is in webmail – which they don’t care about.

Microsoft have just bought one great big heap of trouble. Tens of thousands of FreeBSD boxes running PHP. They found digesting Hotmail famously hard. Yahoo is going to be way harder.

Microsoft’s motivation here has to be the growing, and obvious, realisation that they are incapable of competing with Google in their current form. Google are full of smart new ideas and they manage to pull enough of them off to be a truly innovative company.

Microsoft, OTOH, are culturally incapable of innovating. They haven’t ever invented anything new, and I don’t see that changing.

(A long digression. Clearly any sort of software development involves innovation somewhere. So when Microsoft copied VisiCalc to make Excel, yes there was some innovation. Same when they copied the PARC UI to make Windows.

In a January 2001 article, The business of software: the laws of software process, there’s a discussion of process in software, and where it works, and where it doesn’t.

The interesting bit of the article uses levels of ignorance to evaluate where process works – the more ignorant you are about a subject, the less process is applicable to it.

If you sort of take the reciprocal of this idea you get a structure for levels of innovation. The greatest innovation happens where you know nothing, where you have to invent the problem space itself, or perhaps even the basic terms of reference.

Google really grok this. Nobody out there was saying ‘hey, what I really need in my life is a zoomable, rotatable model of the Earth!’. Even less was someone suggesting they’d pay for it. Yet Google Earth is probably one of their most valuable properties in the long term (honest).

Now back to your regularly scheduled transmission).

Microsoft are good at taking requirements they understand from people in business they understand, and delivering pretty good applications. And then screwing them for every last penny they possibly can. They’re just a great big boring old software shop.

From Powerpoint to the DRM hydra that is Vista, they’ve got a clear picture in their head of the Dude in a Suit that they’re aiming at. Bully for them. However Microsoft Powerpoint does not the Interweb win.

From a Microsoft analysis (remember, the only people they really care about are Dudes in Suits – the rest of us are NPCs) what they need to beat Google is scale. If only they get enough eyeballs, some of them will be Dude in a Suit Eyeballs who might buy Microsoft Visio 2008 Dude in a Suit Edition. Yahoo gives them eyeballs, some of which indeed might be tricked into buying a Microsoft product, perhaps whilst drunk or distracted or operating heavy machinery or something.

They certainly don’t give two hoots about some of the really spiffing technology Yahoo have. It would be insane to try and move all of Yahoo onto a Windows platform, but I think that’s just what they’ll do. It’s like the biggest case of cognitive dissonance ever. “We bought Yahoo because they were better than us and we really needed them… but our software is better! hell yeah!”

Where they’ve got a parallel product they’ll port the data and the users to their own product (i.e. Hotmail) and shut down the Yahoo offering (Yahoo! Mail) – even when the Yahoo offering (Yahoo! Mail) is the best available anywhere.

Like John Gruber says, the weird boutique items (Flickr) will be sold off or spun off. Not enough Dudes in Suits use Flickr, and the opportunity for selling them Office upgrades is limited. They are mostly filthy mac users anyway.

I have to think this is going to be a slow train crash, punctuated by the screams of loyal Yahoo users as they flee. If I were a Yahoo shareholder I’d take the cash and put it straight into Google.

The best quote I’ve seen (via Daring Fireball) is from Andy Baio: It’s like tying the Titanic to the iceberg. It’d keep you from sinking just long enough to freeze to death.

Last FM and audio hijacking

Last.FM have announced that they will be making a huge amount of their catalogue available for free, streamed from their site, with artists paid from advertising and possibly some sort of subscription model.

This is part of a worldwide trend anticipated by many of us for a very long time. Several mobile phone networks are in the process of releasing “music plus” packages, where you get pretty much any music you like, for free, at any time. Again, artists are paid from the phone subscription package.

Obviously streamed music can be copied. Over at Rogue Amoeba, who produce Audio Hijack Pro, there’s an interesting post on this, wondering if this is going to be a problem for the free-streamed model Last.FM have developed.

I don’t think it matters. You won’t bother keeping a copy for yourself for much longer in any case. Why have copies of all those CDs, or MP3s, when it’s all available from the Internet, all the time, at zero cost and effort? The only reason to keep a copy yourself was an artifact of the primitive method of packaging and distribution – not because there being millions of individual copies of a piece of music is inherently useful.

So, in ten years’ time, I reckon the kids won’t have a single copy of mainstream music themselves. Their record collection will consist of a set of bookmarks only – and the whole “music business” as it currently stands will just be a brief “blip” in the history of music, from its origins in live-only performance to its future as a ubiquitous cultural service in the cloud.

Floating Microsoft’s Balloon

I had to get this off my chest.

Over at alistapart there is a post about a new proposal for getting around the complete failure of the IE dev team to produce anything other than dogfood. In summary it pushes the burden of future IE compatibility onto us web developers, rather than onto the IE dev team, who are the people who can actually fix it.

I work at a software development shop. We build a varied lot of software, but pretty much all of it has a web interface somewhere.

When those web interfaces go beyond helloworld we end up paying the IE Tax, just like all the other web developers out there. We develop for proper browsers, then we have to make a succession of tactical changes to try and make IE work with what we’ve developed. I think it adds something like 5-10% to the cost of everything we do.

Multiply that across all the developers in the world and it’s quite a lot of money – more than enough to pay for a really big scaffold from which to suspend the IE developers by their necks until dead. Amen.

But enough about my fantasies. Supporting the failings in IE is a painful issue for everyone in this business, and there are two real answers.

  1. Everyone stops using IE. There’s no real need for anyone to use it after all. This is the dream solution.
  2. IE8 actually conforms to standards. You’d think this would be trivial these days – all the code to do this is Open Source, they could just incorporate the Gecko or Webkit engines and be done with it. Cheap and easy. If they want to be all proprietorial about it they could even hire a few developers from somewhere and build their own that actually works.

But Nay! Nay, nay and thrice: nay! For the problem it seems is that lots of web developers are dumb as rocks, and built broken websites that work in IE6 and 7 – and they will be incapable of fixing their broken websites!

This really is a prize excuse for Microsoft not fixing their own mess, and it comes from the Web Standards Project themselves:

Now sure, you could just shrug it off and say that since IE6’s inaccuracies were well-documented, these developers should have known better, but you would be ignoring the fact that many developers never explicitly opted into “standards mode,” or even knew that such a mode existed.

Diddums. Poor ickle developers. I can tell there is a tear of pity rolling down your cheek at this moment.

This is such a feeble excuse I am left panting in amazement. Because a load of historical web developers may have been dumb – and I’m happy to accept this is possible, although I’ve seen no analysis – the entire future of web development has to conform to this lame ass suggestion? EPIC FAIL.

In reality, this is just a feeble excuse to stop Microsoft from having to admit to all their users what the rest of us know. They suck. If they release IE8 and it actually works it’ll break a load of websites. Then they’ll have to own up finally to how bad IE6 and 7 really are. They are temperamentally incapable of any such thing – any discussion of IE6 differences has to be couched in doublespeak. Scientology levels of brainwashing are required to keep the typical Microsoft employee in line. Admission of mistakes is NOT an option!

If this was just typical Microsoft lameness it would hardly rate a blog post, but they have managed to get the Web Standards Project to float this particular balloon for them. Which says a lot for their PR nous at least, but not much for the author of the piece — who even now is probably trying to get onto an FBI witness protection programme to escape the web developer lynch mob currently collecting in his comment stream.