Trust Us, We’re a Payment Gateway

A friend told me today about his experience of attempting to book a flight online. His credit card wasn’t working, but there was an option for bank transfer (EFT), so he chose that.

The EFT option used SID, a payment option promising secure EFT transactions. All good so far, so he followed the link.

The SID window asked him to enter his bank account login details… You know, the kind you’re constantly warned never to give to anyone and never to enter on any site except your bank’s.

I couldn’t believe that this is actually what happened (perhaps the friend had missed his morning coffee), so I checked it for myself. Looking into SID’s documentation, they claim to be externally verified, not to store the login details, and to use the bank’s own security system. But yes, you are asked to enter your bank account login details in their window.

I’ve got no reason to doubt that SID does what it says, but the methodology seems hopelessly flawed. Even if SID is honest, the customer has no way to tell its window apart from an imitation of it, and every legitimate request to type bank credentials into a third-party page makes the next fraudulent one more convincing.

Let’s say I start a new payment system called SAD. At the same time I launch my casino website, relying on trusted SAD security. I state clearly that SAD uses the bank’s own security systems, and doesn’t store any of the login credentials. Totally secure! A customer types their internet banking username and password into my SAD window, and I keep a copy.

The transaction succeeds, and the customer has a credit to spend on my casino site. They spend many happy hours on my casino website, winning up a storm, and dreaming of their new Tesla. For some reason the cashout option isn’t working today, but check back soon…

Some time later, they decide to check their bank balance, and find, to their horror, it’s all gone. They immediately phone their bank. Perhaps the conversation goes something like this:

HORRIFIED CUSTOMER: There’s a transaction clearing out my entire balance! It wasn’t me! The transaction needs to be reversed!

BANK: Hmm, our records indicate you logged in from internet banking, and transferred the money out. When was the last time you remember logging in?

HC: Er, I logged in to the casino site and made a R50 transfer to their account from my bank account, using the safe and secure SAD system.

BANK: OK, no problem, we’re refunding the money now, apologies for the mistake.

Or perhaps not…

Perhaps the bank, in their charming and professional manner, laughs you off the phone and tells you you’re an idiot for giving your login details to another site.

Merchants asking customers to trust them, assuring them that their bank details are secure, is a recipe for disaster. Just don’t do it.


Learning Man and the Talent Exchange

I’ve just come back from Learning Man festival, held on a farm just outside Riviersonderend.

The festival describes itself as a call to co-create a great social experiment in community resilience, focusing on Experimenting with Off Grid Living, Adventures in Freedom, Learning skills for an empowered life and Using Our own Economy.

Learning Man continues until after New Year, and I’m back early, not because I didn’t enjoy it, but mainly because it was too hot. If anything will make me emigrate to New Zealand, it’s not to see hobbits, it’s because (for now at least) it’s usually a lot cooler there. There was a river to swim in, and ample showers, but mostly I spent the time feeling too hot. Since today was 40° in Cape Town, I’m very happy not to have been roasting out there today.

Besides the heat, I need to up my camping game. The tents next to me included such must-haves as:

  • misting spray to keep cool
  • outside lights to guide the way back at night (after my first after-dark return was spent bumbling around in the dark with all sense of direction gone)
  • blow-up mattress (I used the sleeping bag as a mattress)
  • camping chairs
  • food (I had the bright idea of fasting while I was there and taking only a box of chia meal along for emergencies. Not so easy when all around are cooking and inviting you to eat with them)
  • bug repellent (I’ve come back having provided much sustenance for the local insects)

So, I was hot, not particularly comfortable, and missing Dorje who didn’t come with.

The festival is highly child-friendly. Dorje has many advantages over my childhood, but one of the ways he’s worse off is in rarely experiencing the freedom to roam without supervision, and the festival would have been perfect for this.

As the name suggests, one of the main purposes of the festival was learning, and there were numerous interesting talks and demonstrations on offer, such as How to build a compost-heated water system, Fire walking, Money alternatives – crypto-currencies and community exchanges, Sacred economy: The re-emergence of the collaborative commons and peer production as a viable economical model, Conduism and Channeling with the Ancient Shamanic Plant Medicine Iboga. There’s a longer list at Learning Man website, and there were also a number of spontaneous offerings, such as a couple’s discussion on their experiences with polyamory.

The festival was used as an opportunity to boost the Talent Exchange – all offerings at the festival needed to be either gifted, exchanged, or exchanged for Talents. There’s been a burst of new offerings as a result, but the concept was also challenged, as some of the participants objected to being “forced to join a website”, or “expected to sell things in order to earn Talents”. The discussions were animated, some misunderstandings were cleared up, and once again the Talent Exchange proved a great way to introduce many financial concepts to people.

The festival is still ongoing, but it’s been an interesting experiment in bringing different communities together. Many of the people that attend the Space of Love events, based on the Anastasia books, were there. Those gatherings are usually much more contained and intimate, and there seemed to be differing expectations of the levels of participation, volunteering, and so on. Similarly, it’s likely there’ll be a big influx just for the New Year’s party, which may change the dynamic some more.

There was a police visit during the festival. I’m not sure if it was for a drugs raid, but they would have been highly disappointed at the findings (I didn’t even see any alcohol while I was there), and in the child-friendly areas of the festival not even smoking cigarettes was permitted.

It’s been a worthwhile experiment, and hopefully will continue to develop in future years.


Swiss Precision

I have an old analog scale, inherited from my parents. It sits in Dorje’s room, mostly gathering dust.

I’ve never worried much about weighing myself, but in my own mind, I’ve been 80kg most of my adult life, and, more recently, since becoming “fat”, moved up to 85kg. The analog scale is not particularly accurate – I can lose 5 kg in 30 minutes, but still, on the rare occasion I stood on it, I never went above 85kg.

The friends I stayed with in Switzerland had a bathroom scale. All digital, shiny and new, measuring to the 100g. I decided to give it a try. Since I’d walked up a storm in Berlin and Prague, and felt a little lighter than when I arrived in Europe, I imagined something like 83.9kg.

No. 91.1kg it claimed! So much for Swiss precision… Clearly one of those scales handed out as free marketing for a weight-loss supplement.

After a few days of alpine walking, on the morning I left, I braved it again. 90.9kg! Pfft. No more accurate than before.

I rushed to weigh myself on the old scale when I got back home to Cape Town. A sprightly 75kg! Much more like it.

Still, it may not be coincidence that I’ve jogged around the field outside a few times the last couple of days. Yes, jogged. I don’t think I’ve jogged since school – it’s been all sedate walking or all-out action since then. And I have obviously managed to put on 5kg of pure muscle, weighing in at 80kg two days later.

I don’t really know how to explain the increase to 82kg since I started writing this post though… Perhaps those 7-minute workouts I do every few weeks have a delayed muscle-building effect?


South African Literary Awards Online – 6 Years Later

In 2009, I wrote about the sad state of South African Literary Awards online. While some sites do great work keeping on top of things, the bodies administering the awards did not and, at the time, many did not even have up-to-date, or in some cases any, pages listing their award’s winners.

Jumping ahead six years, surely things are rosier? Even if it’s just a Facebook page, surely not even the most digital-phobic or badly-administered award would have failed to recognise the importance of having some sort of web presence?

In short, no, and in some cases it’s even worse.

I’ve been helping to keep the South_African_literary_awards section on Wikipedia more or less updated with recent winners since then, but every now and again I dive into looking up some of the missing historical winners, and am still amazed at how poor the record-keeping is.

As an example, let’s take the English Academy, which administers a number of awards. In 2009, they had a page listing award winners (albeit only until 2007). In 2014 I noticed that this page had disappeared (breaking the Wikipedia citations), and wrote to them asking them to restore the link, or let me know the new location. They responded a few weeks later by saying that they were updating the list and hoped to put it on the website soon. As of today I’m still waiting, but they have achieved something special by making their new awards page one of the more unreadable out there. One (very) long page begins with a call for submissions for the 2015 Olive Schreiner Prize, continues with a blow-by-blow account of the 2015 award ceremony, including a list of who was thanked in the speeches, and of the wine and good food enjoyed at the ceremony. Next up is a description of the 2014 Gold Medal award winner, including his full acceptance speech. After much scrolling, next up is a press release on the 2014 Percy Fitzpatrick award, followed by a horribly formatted table of winners of various awards from 2012-2013, where the nominators’ names are more prominently displayed than the winners’. Next up is a slightly better formatted table of the 2011-2012 winners. And so it continues, acceptance speech, citation, acceptance speech…

By the end of the page my mouse wheel is crying for mercy, but there’s no list of winners. If I’ve been paying very careful attention, I may have been able to decipher some of the recent winners, but nothing resembling a comprehensive list.

What about the award described as the most prestigious in Afrikaans literature, the Hertzog Prize, administered by the Suid-Afrikaanse Akademie vir Wetenskap en Kuns? The page used as a citation on Wikipedia again disappeared, but at least they replaced it with a new page, even if they didn’t bother to redirect the old link. “New” is perhaps overstating it, as the list of winners stops at 2013, so while perhaps the 2014 winners of the most prestigious award in Afrikaans literature may be mentioned somewhere on their site, it’s nowhere to be found on the awards page.

The litany of woe continues from award to award. What about the Media24 Books Literary Awards? Surely Media24, the dominant online media empire in South Africa can get it together and have a comprehensive list?

Sadly it appears not, and unlike most of the other awards, which at least give it a brave try, Media24 don’t seem to even have any sort of awards page.

While there’s always Wikipedia (and the section needs some love, so feel free to help out), it’s sad that so few of the local literary awards respect their own awards enough to bother recording them somewhere accessible.

I know, say, the Alba Bouwer prize is not the Nobel Prize for Literature, but some of us are still interested!

Related posts:
* South African Literary Awards and the internet

Picture from Wikimedia Commons.

Film heaven with Mubi

I’ve recently joined Mubi, a video-on-demand site for film lovers. Netflix is extremely popular here, in spite of users having to jump through DNS hoops because it isn’t officially available in South Africa, while Mubi is not well known at all.

Mubi has some advantages though.

Firstly, it’s officially available to South Africans, so there’s no need to pretend we’re American. It has an interesting model. At any one time, only 30 films are available. Each day, one drops off the list, to be replaced by another. Knowing they’re going to be disappearing soon creates a sense of urgency to watch the films.

So while the range at any one time is limited, most importantly, they show the kind of films I like to watch, which they describe as cult, classic and award-winning films.

To give you an idea of the films they list, here’s what I’ve watched in the last few days (remember these will be dropping off each day, so they may not be available by the time you read this):
* Lascars, an animated film about two petty crooks set in a French ghetto
* Dancer in the Dark, the Lars von Trier classic featuring the brilliant Björk
* Trash Humpers featuring actors in old people masks humping trashcans (I didn’t get much further than that before moving on to something better, but I’m sure it has a cult following).
* Pink Saris, the award-winning documentary following Sampat Pal Devi, ‘Pink Gang’ leader and her attempts to bring justice to abused women on the streets of Uttar Pradesh in India.

So, after a long drought, I’m in film heaven. I don’t normally like affiliate schemes, but if the site appeals, this one benefits you too. Sign up on your own and get a 7-day free trial, or through this link, and get a 30-day free trial.

And let me know if Trash Humpers turns you on and I’ll be sure to leave the rubbish bin out next time you visit.

Related posts:
* The Bloody Miracle
* Inside Job, ideology and regulatory contradictions
* Shortbus
* Sithengi

June 2015 African Language Wikipedia Update

I recommend that anybody new to Wikipedia editing starts, if possible, with one of the smaller Wikipedias. It’s far more fun, contributions will probably be openly welcomed, and there’s less likelihood of experiencing some sort of bureaucratic nightmare. An example fresh in my mind is the OpenCart article, which doesn’t exist. Anyone attempting to create it will be faced with this page, and need to persuade the administrator who locked it (due to previous abuse) that they should be permitted to do so, and who therefore holds veto power over its creation. A bridge too far for most new editors!

While the English Wikipedia makes the news due to the declining number of editors, and has a particularly bad reputation (as can be seen in the mailing lists) amongst African editors who’ve had experience with some of its trigger-happy bureaucrats, how are the African language Wikipedias themselves faring?

African Language Wikipedias

Language          11/2/2011  13/4/2012  9/5/2013  17/6/2014  29/10/2014  26/6/2015
Malagasy              3,806     36,767    45,361     47,144      47,061     79,329
Afrikaans            17,002     22,115    26,752     31,756      33,392     35,856
Yoruba               12,174     29,894    30,585     30,910      30,989     31,068
Swahili              21,244     23,481    25,265     26,349      27,021     29,127
Egyptian Arabic           -          -     8,433     12,440      12,934     14,192
Amharic               6,738     11,572    12,360     15,968      16,229     12,950
Somali                    -      1,639     2,354      3,646       3,680      3,446
Shona                     -          -     1,421      2,077       2,091      2,321
Kabyle                    -          -     1,503      1,876       1,967      2,296
Lingala               1,394      1,816     2,025      2,077       2,087      2,062
Kinyarwanda               -      1,501     1,817      1,832       1,834      1,780
Hausa                     -          -         -          -       1,386      1,345
Wolof                 1,116      1,814     1,161      1,201       1,148      1,023
Igbo                      -          -         -          -       1,017      1,019
Northern Sotho          557        566       685        691         966      1,000

(- = no figure recorded for that date)

Malagasy has shot up, but it’s always been an outlier – a language for which, due to its unusual characteristics, there’s always been a great deal of outside interest. Afrikaans continues to grow steadily, albeit at a slightly slower pace than before. Swahili, in 4th place, is growing at a faster pace than Yoruba in 3rd. Yoruba had a huge burst from 2011-2012, but has only been slowly growing since then.

Egyptian Arabic is also growing steadily, but after that there are some interesting figures. Amharic has lost over three thousand articles. Articles being deleted is not uncommon. Spam gets removed, articles get merged and so on. Losing so many articles simply means the growth before was mostly made up of these kinds of articles, and that there’s little growth outside of that.

With the exception of Kabyle, most of the languages that follow share a similar fate, or are static. Wolof has even fallen to lower than its 2011 level. The one noteworthy milestone is that Northern Sotho has (just) joined the 1000 club.

So, barring Malagasy, while the only fireworks amongst the top African language Wikipedias are of the going out kind, and there are no trigger-happy bureaucrats to blame this time, are things in the far south looking any better? What about the South African language Wikipedias specifically?

South African Language Wikipedias

Language        19/11/2011  13/4/2012  9/5/2013  17/6/2014  29/10/2014  26/6/2015
Afrikaans           20,042     22,115    26,754     31,756      33,392     35,856
Northern Sotho         557        566       685        691         966      1,000
Zulu                   256        483       579        630         686        683
Tswana                 240        490       495        510         513        503
Swati                  359        361       364        400         408        410
Xhosa                  125        136       148        333         380        356
Tsonga                 192        193       240        303         309        266
Sotho                  132        145       188        197         202        223
Venda                  193        190       204        209         208        151

So while Afrikaans continues steadily, Northern Sotho makes it to 1000 articles (albeit with the energy of an athlete somewhere near the back of the pack crawling over the finish line at the end of the Comrades marathon) and Sotho has managed to haul itself off the bottom, all the other languages are static or have shrunk.

The Xhosa deletion log, for example, gives an idea of the kind of articles being deleted, while the latest article to be created at the time of writing, Star Wars, is just blank, and probably also not long for this world.

Northern Sotho is an interesting case, as for a long time it sat in the Incubator, but the experience seems to have helped, as in spite of having fewer native speakers than both Xhosa and Zulu, it sits well above them in articles created.

Hopefully there’ll be some fireworks to report in the next update!


Le Chocolatier and the chocolate scam

When I was involved in Ethical Co-op (from its startup in 2005, until April 2014), there was a remarkable stream of dubious products presenting themselves for potential sale, trying to market themselves as organic in order to charge higher prices. One of my favourite tasks was investigating and rejecting a product due to not meeting our criteria. Many times it was simply ignorance on the part of the supplier, but quite often the information was intentionally misleading. Sometimes there would be a genuine attempt to correct things, in other cases the guilty would quietly skulk away.

My son and I have great fun looking at product labels. Recently we saw a mango juice that, on the front, boldly proclaimed that “mangos are a good source of vitamin C”. Looking at the ingredients on the back, the juice contained 0% vitamin C. I don’t know the updated legislation well enough to know whether this is illegal, but it’s clearly unethical, and meant to mislead people into thinking the artificial “juice” in the bottle is a good source of vitamin C and therefore “healthy”.

Reading between the lines of a misleading label is one thing. Then there’s Le Chocolatier.

This month, someone created a Facebook group, Le Chocolatier South Africa scam. According to the documents on the Facebook page (all well-documented, so go take a look), their 70% bar at the time claimed to be:
* Sugar-free
* Fat-free
* Organic
* Raw

A true wonder bar! Everyone loves chocolate, and just about every health-conscious person out there would be attracted to a chocolate like this. Except that every one of these claims appears to be false.

First, the sugar. According to the two tests listed on the page, the product contained 30.89% sucrose, and 27.9% sucrose. Sucrose, in case you’re not clear, is plain old sugar.

The fat content turned out to be 40% (and on one of Le Chocolatier’s own labels, 39g/100g, i.e. 39%). There also appears to have been a change of label, where the fat-free claim was removed, and replaced with “banting and paleo”, two other health buzzwords.

The organic certificate holder, Pronatec AG, stated they don’t sell to any South African companies. That left the possibility of them buying from a wholesaler, but Le Chocolatier never responded to the organic certifier.

Pronatec also rubbished Le Chocolatier’s claim to be raw, saying they don’t sell raw chocolate.

If all of these claims are true, then it’s very unlikely that Le Chocolatier has just made a few mistakes on their labels, and more likely that they’re just another in the long line of fraudsters attempting to make a quick buck.

The people behind the Facebook group initially (and may still be – I haven’t followed the thousands of posts!) opted to remain anonymous, which aroused suspicion. Why remain anonymous if you are sure of your facts? In their statement, they said that it was the “practical reality of dealing with a human being who has a reputation of trying to legally bully those who expose him” and that “just because something is easily defendable in Court does not mean that you still won’t have to spend R100k+ doing that. Whether it is true or not we have been warned by more than one person that this is the kind of thing that Daniel is liable to do.”

And that’s just what Daniel Waldis has been doing. As a result of the exposure, a host of people have publicly and often at their own expense tested the products. Some were ardent supporters of the chocolate until their suspicions were raised. To my knowledge, all of these people have been threatened.

His marketing leaves a little to be desired if, as a supposedly organic chocolate, he’s threatening legal action against a whole bunch of organic retailers.

It might sound trivial, but sugar for many is a poison. There have been diabetics and cancer patients, whose health is at serious risk if they consume sugar, happily buying his products and putting their health at risk (read one account here). Some had even expressed their doubts to him, only to be personally assured of the product’s integrity.

Daniel Waldis seems to have had an interesting past. He is (or was) also, according to a press release, an “acclaimed dermatologist” who owned the company Swiss Dermal Technology, which performed “skin rejuvenation without plastic surgery”.

An anonymous blog comment, in response to a review, asked:

Can you please investigate this “doctor” further? He has a hell of a past.
He has been in the hunting business, he has been in jail in Switzerland several times.
Didn’t pay his rent in Willowbridge for the clinic etc etc etc. The list is endless!

So, a fun story for an investigative reporter to enjoy getting stuck into.

But it’s been interesting to see the positive coming out of the process. There’s a growing commitment to taking personal responsibility, especially in the shark-infested health food waters. And some collective action. Besides the growing likelihood of legal action against Daniel Waldis, there’s the potential formation of something so far dubbed CERA – the Conscious & Ethical Retailers & Consumer Alliance, co-ordinated by Debbie Logan from Organic Emporium (read the details on her blog).

My gratitude to everyone who helped expose this. It’s wonderful to see people caring and taking action.

In the meantime, there are more than enough great chocolates out there, so I’m happy to pass on Le Chocolatier’s, and on any retailer lacking integrity enough to still be stocking them.

South African Banks SSL Security

After coming across an article testing the security of the SSL implementations of Australian banks, I decided to run the same tests on the South African banks, using SSL Labs’ SSL Server Test. I have a little bit of inside info on some of the banks’ systems, so was not too surprised at how bad the results were.

Bank       Overall Grade  Protocol Support  Key Exchange  Cipher Strength
Capitec    A-             95                80            90
FNB        B              95                80            90
Nedbank    B              70                90            80
Absa       F              0                 90            90
Standard   F              0                 0             60

None of the banks score an A (none of them offer Forward Secrecy), but the pick of the bunch was Capitec, whose only other failing was a relatively weak certificate signature algorithm.

FNB is limited to a B by accepting the weak RC4 cipher, and Nedbank adds supporting only older protocols to the list of failings.

You’d hope for better security from banks, but the failings of Capitec, FNB and Nedbank are not too serious. On to the others…

Absa has all of the above failings, does not support secure renegotiation, still offers the obsolete SSL 3, and, most dismally of all, is vulnerable to the TLS variant of the POODLE attack (the server fails to check CBC padding properly even on TLS connections, so merely switching SSL 3 off would not fix it).

Although Standard Bank also gets an F, it stands alone in the number of criteria it failed. It still offers the even older and insecure SSL 2, uses insecure Diffie-Hellman (DH) key exchange parameters, supports 512-bit export suites and so might be vulnerable to the FREAK attack (the server’s willingness to offer 512-bit RSA is the precondition; the attack also needs a client that can be tricked into accepting the weak key), as well as being vulnerable to POODLE.

It’s quite astounding that Standard Bank may still be vulnerable to the FREAK attack, which has been known about for over two months, and which is extremely serious.
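The checks above can be repeated from your own machine rather than through SSL Labs, with one caveat a practitioner needs to keep in mind: a client can only report what it is still able to offer. The script below is an added example (not from the original post, and not the SSL Labs tool) that probes a host for the weaknesses listed above: SSL 3 support, RC4, export-grade suites, and forward secrecy on the default handshake. It uses only Python’s standard ssl module; the host name in the usage line and the script name are assumptions.

```python
"""Probe a TLS endpoint for the weaknesses discussed above: SSL 3 support,
RC4, export-grade suites and missing forward secrecy.

Caveat: a client can only report what it is able to offer.  OpenSSL 1.1+
builds (and so Python's ssl module on top of them) have SSL 2/3 compiled
out and usually RC4/export ciphers too, so 'client-unsupported' means "this
client cannot tell", not "the server is fine".  SSL 2 cannot be requested
through Python's ssl module at all; for that, use SSL Labs or an old
openssl build.  Example code, not part of the original post.
"""
import socket
import ssl
import sys

TIMEOUT = 5.0


def classify_cipher(name, protocol):
    """Classify a suite as returned by SSLSocket.cipher() -> (name, proto, bits).

    TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) always use an ephemeral
    (EC)DHE exchange, so they are forward secret although the name omits it.
    """
    ephemeral = protocol == "TLSv1.3" or name.startswith(("ECDHE", "DHE", "EDH"))
    return {
        "forward_secrecy": ephemeral,
        "rc4": "RC4" in name,
        "export": name.startswith("EXP"),  # EXP-RC4-MD5, EXP-DES-CBC-SHA, ...
    }


def _context(ciphers=None, max_version=None):
    """Build a deliberately weakened client context, or None if this OpenSSL
    build cannot offer what was asked for (no legacy protocol / no such cipher).
    Certificate validation is off: we are probing the handshake, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        if max_version is not None:
            ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
            ctx.maximum_version = max_version
        if ciphers is not None:
            ctx.set_ciphers(ciphers)
    except (ValueError, ssl.SSLError):
        return None
    return ctx


def probe(host, port=443, ciphers=None, max_version=None):
    """One handshake with a restricted client.  Returns 'accepted' (the server
    agreed to the weak offer), 'rejected' (it refused or the handshake failed),
    or 'client-unsupported' (this client could not even make the offer)."""
    ctx = _context(ciphers, max_version)
    if ctx is None:
        return "client-unsupported"
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.cipher() else "rejected"
    except (ssl.SSLError, OSError):
        return "rejected"


def negotiated_cipher(host, port=443):
    """Default handshake; returns (name, protocol, bits) or None."""
    ctx = _context()
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()
    except (ssl.SSLError, OSError):
        return None


def scan(host, port=443):
    """Run the checks from the post against a live host."""
    # @SECLEVEL=0 asks OpenSSL to allow the weak options it would otherwise
    # refuse to offer; if the build rejects the string, probe() reports that.
    return {
        "sslv3": probe(host, port, "ALL:@SECLEVEL=0", ssl.TLSVersion.SSLv3),
        "rc4": probe(host, port, "RC4:@SECLEVEL=0"),
        "export": probe(host, port, "EXPORT:@SECLEVEL=0"),
        "negotiated": negotiated_cipher(host, port),
    }


def interpret(results):
    """Translate probe outcomes into findings in the terms SSL Labs and the
    post use.  Export suites are the server-side precondition for FREAK."""
    findings = []
    if results["sslv3"] == "accepted":
        findings.append("accepts SSL 3 (POODLE)")
    if results["rc4"] == "accepted":
        findings.append("accepts RC4")
    if results["export"] == "accepted":
        findings.append("accepts 512-bit export suites (FREAK precondition)")
    neg = results.get("negotiated")
    if neg is not None and not classify_cipher(neg[0], neg[1])["forward_secrecy"]:
        findings.append("no forward secrecy on the default handshake")
    for key in ("sslv3", "rc4", "export"):
        if results[key] == "client-unsupported":
            findings.append(f"{key}: not testable from this client")
    return findings


if __name__ == "__main__":
    # Hypothetical usage: python tlsprobe.py www.example.com
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    for finding in interpret(scan(target)) or ["no findings"]:
        print(f"{target}: {finding}")
```

Two things this deliberately does not claim to check: DH parameter size (Python’s ssl module does not expose it; read it from SSL Labs or from `openssl s_client` output) and the TLS variant of POODLE, which needs a scanner that sends malformed padding. A “not testable from this client” line is the honest outcome on a modern OpenSSL build, and is exactly why the post leans on SSL Labs rather than a quick local check.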

These results match the banks scores in other areas as well, such as bank fees and customer satisfaction. So Standard Bank clients will be happy to know they’re not only with the least secure bank, but also with the most expensive and the one with the worst customer service.


30 Artists in 30 Days #30 – Gabby Young


(Slightly more than) 30 days have raced by and the final choice is nigh. I settled down for a long night of searching, determined to make discovery number thirty a special love affair. I had multiple tabs open with possible candidates, but never got past the first one.

It was ecstasy at first sight, and 30 Artists in (slightly more than) 30 Days is Gabby Young.

I was a little stuck on how to describe them (the full band is Gabby Young and Other Animals), but they helpfully describe themselves as “an eccentric eight piece British pop band, bringing together gypsy, folk, rock and jazz”. That scratches the surface of their variety.

Even better, I’ve been looking for an artist featuring an accordion. My parents met in an accordion band, and although their music, putting it mildly, was never my favourite, there is lots of reinvented accordion music I enjoy. So to find the accordion making an occasional appearance in some of Gabby’s videos was the vegan ice cream on top.

Currently Gabby has 40 patrons pledging $226.00 per song.

See Gabby Young’s Patreon page.

See all the 30 Artists in 30 Days here.

30 Artists in 30 Days #29 – Unwoman


The penultimate 30 Artists in 30 Days, artist number twenty-nine, is cellist-singer-songwriter Unwoman.

The name was apparently inspired by the unwomen from Margaret Atwood’s novel, The Handmaid’s Tale, and refers to the label given to women who didn’t fit into that rigid society.

Her music, described by Russian gothic label Shadowplay as “dark trip wave”, suits the Steampunk conventions she regularly features at. Besides being selected as today’s artist, she also, unbeknownst to me, has just won two readers’ choice Steampunk Chronicle awards. Go Unwoman!

Currently Unwoman has 293 patrons pledging $593.61 per song.

See Unwoman’s Patreon page.

See all the 30 Artists in 30 Days here.

Before, you are wise, after, you are wise. In between, you are otherwise.