Archive for the ‘Business’ Category

GnuCash Accounts

Thursday, December 7th, 2006

The past couple of days have been spent tidying up my accounts in GnuCash. It’s great when it all comes together and your accounts reconcile perfectly with your statements.

I like GnuCash a lot actually. It’s slightly harder to get your head around than just listing your accounts in a spreadsheet, but much more powerful when it’s done. Because money always has to go from somewhere, to somewhere, you can view transactions from both ends immediately. So every time I pay for a domain name on card, I see the money transfer from my credit card, with the net cost going to the registrar, and the VAT value going to my VAT account and reducing my debt to the VAT man. And then I can turn it round and see the actual cost to me of the domains, or track my VAT debt.

The other neat thing is that accounts are nested, so for example, I can create an account for each client within Accounts Payable, and see how much each client owes, plus clients’ debts to me can be included within my assets. GnuCash’s own customer invoice tools don’t use subaccounts though, which makes them actually harder to work with than doing it manually, I find.

At first I found GnuCash kind of quirky, and I did struggle with it. But the new 2.0 series is better on the UI front (now a GTK2 app) and now I know what I’m doing with it, it’s actually quite easy to get everything to work and incredibly useful when it does. It becomes quite frustrating that all the other accounting information I receive is in a simple flat transaction list, like a spreadsheet or a bank statement or some printed accounts. It’s not wrong; there may be no other way to do it; but it’s simply not so elegant and right.

All I need is some way to get the accounts data to my accountant.

I tried a few different ways:

  • Linux VM with GnuCash and accounts, burned to a CD along with VMware player. Couldn’t get Ubuntu VM to fit on a CD; Debian and Damn Small Linux wouldn’t install properly.
  • Converting to QIF with a Java tool. Tried importing this into Grisbi and it looked a mess.
  • Importing GnuCash directly into Grisbi (with the intention of exporting to QIF or CSV or something). Seemed to make a mess of it, not as much as the Java exporter, but the account balances were all wrong.
  • Transforming to Gnumeric sheet with an XSL stylesheet and sabcmd. No account balances, but these can be added quite easily within the spreadsheet app. Required me to install Gnumeric.

I sent the QIF and the spreadsheet (saved as XLS) to the accountant. Other ways that occurred to me:

  • Hand them an Ubuntu CD and my GnuCash files. This would require them to reboot into Ubuntu and GnuCash isn’t even included on the CD anyway.
  • Hand them an Ubuntu CD, an empty VMware VM and my accounts, and let them install everything. Probably too technical and overkill.
  • Set up a VNC server that they can log into to access a copy of GnuCash. Security aside, I don’t know what kind of connection they have. It could either be too slow for them or it could DoS my outbound connection.

Data mining with AJAX

Friday, October 27th, 2006

Just had an idea: how about using Javascript to record client-side usage of your website?

The principle is this:

  1. Register Javascript listeners which construct a list of events, particularly mouse, scroll and click events, along with the time that the event was fired.
  2. Register an unload event which posts the information as XML with AJAX to a script on the server when the user leaves the page.
  3. Browsing sessions can be collated on the server using cookies.
  4. Create a player, which reads the events as XML and renders them using a DHTML ‘cursor’ and/or by firing events within the DOM. Could have a time slider and fast-forward controls, etc, depending on how complex you want to get.

Voila - see exactly what people are doing with your site. I have knocked up a test which implements the first two steps, for mousemove events, and that much works, so the whole concept would be workable. I can imagine it would break down if your site uses plugins (or Javascript navigation, depending on how easy it is to replay the events accurately) but that’s a limitation you would have to live with.

There are obviously privacy concerns but this is relatively mild as no personal data would be recorded. Perhaps it could pop up a Javascript window.confirm() dialog asking if it’s OK to record your behaviour. But it would be a very useful tool for examining site usage, especially for commercial sites. This is the way modern marketing works. I leave it up to your conscience as to whether it’s ethical.
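An added example, not the author's test code, of steps 1, 2 and 4: it records only event type, time and pointer position, attaches nothing without consent, and sends on `pagehide` with `navigator.sendBeacon` rather than an unload-time AJAX call, which browsers may cancel. The names `createRecorder`, `toXml`, `fromXml`, `replayDelays` and the `/usage-log` endpoint are assumptions.

```javascript
// Added example. All function names and the /usage-log endpoint are assumed.
const TYPES = ['mousemove', 'scroll', 'click']; // the event kinds named in step 1

function createRecorder(target, consentGiven, now = Date.now) {
  const events = [];
  if (!consentGiven) return { events, stop() {} }; // no consent: attach nothing
  const start = now();
  const onEvent = (e) => events.push({
    type: e.type,
    t: now() - start,               // ms since recording began
    x: Math.round(e.clientX || 0),  // pointer position only: no key presses,
    y: Math.round(e.clientY || 0),  // form values or element text are kept
  });
  TYPES.forEach((type) => target.addEventListener(type, onEvent));
  const stop = () => TYPES.forEach((type) => target.removeEventListener(type, onEvent));
  return { events, stop };
}

// Step 2 payload: one element per event. Types come from the TYPES allowlist and
// every other field is a number, so nothing user-controlled reaches the markup.
function toXml(events) {
  const rows = events.map((e) => `<event type="${e.type}" t="${e.t}" x="${e.x}" y="${e.y}"/>`);
  return `<session>${rows.join('')}</session>`;
}

// Step 4, player side: read the events back, dropping any unknown type.
function fromXml(xml) {
  const re = /<event type="(\w+)" t="(\d+)" x="(-?\d+)" y="(-?\d+)"\/>/g;
  return [...xml.matchAll(re)]
    .filter((m) => TYPES.includes(m[1]))
    .map((m) => ({ type: m[1], t: Number(m[2]), x: Number(m[3]), y: Number(m[4]) }));
}

// Delay in ms before each event when replaying at `speed` (2 = fast-forward x2).
function replayDelays(events, speed = 1) {
  return events.map((e, i) => (e.t - (i ? events[i - 1].t : 0)) / speed);
}

// Browser wiring; skipped when there is no DOM.
if (typeof window !== 'undefined') {
  const rec = createRecorder(window, window.confirm('OK to record how you use this page?'));
  window.addEventListener('pagehide', () => {
    if (rec.events.length) navigator.sendBeacon('/usage-log', toXml(rec.events));
  });
}
```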

Domains as a measure of trust

Tuesday, October 3rd, 2006

I’m increasingly amazed by the number of banks and other secure services that seem to spread their online services over dozens of different domains. Simply put, a domain is one unit of trust, for a variety of reasons, and this is even assumed for security reasons in many applications (cookies and XSS sandboxing spring to mind). It’s cheaper, easier, more secure, and visibly more secure to use subdomains than purchase a separate domain to redirect users to for secure services.

Some of the culprits I’ve come across:

  • NatWest (at natwest.com) use nwolb.com for online banking.
  • RBS (which owns NatWest) also owns Streamline Direct, a payment gateway. RBS’ merchants’ customers get redirected onto Streamline Direct (at streamline-esolutions.com) to enter credit card details. Most won’t have ever heard of them. But if you did Google for them you’d find them at streamline-direct.co.uk and/or streamline.com.
  • Paying for domains online yesterday (at streamline), I was redirected to securesuite.com, ostensibly some Mastercard security thing, and asked to enter my credit card details a second time.
  • Barclays (at barclays.co.uk) runs its payment gateway out of epdq.co.uk.
  • Play.com hands over to playsecureserver1.com to take card details.

And just to contrast the way it’s supposed to work, let’s think of a few examples of big sites with secure services:

  • Amazon (www.amazon.co.uk) uses https://www.amazon.co.uk.
  • If you pay Google for advertising (adwords.google.co.uk), you’ll pay at https://adwords.google.co.uk.
  • What domain does Paypal (www.paypal.com) use for secure services? https://www.paypal.com/.

It is relatively trivial for a hacker to obtain an SSL cert for an arbitrary domain, but extremely hard to obtain an SSL cert for someone else’s domain and then insert his machine into their DNS. Either way, he still has to compromise a web server somewhere to get his machine inserted into the chain, but web servers do get compromised. He would also have to find it beneficial to redirect to a third-party machine rather than set up some credit-card interception on the compromised host, but that’s not that hard to imagine either: maybe he can’t obtain the requisite privileges, or perhaps it’s less traceable to redirect to a different (perhaps also compromised) server.

Maybe I’m just paranoid, but more important than technical security measures are social measures: How can the public be expected to avoid phishing attacks when legitimate services are being given untrusted domains?
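The one-domain-one-unit-of-trust rule can be checked mechanically; this added example (not from the original post) tests whether a hand-off URL stays on the site's own domain, using pairs from the lists above plus constructed `.example` edge cases. `staysOnSiteDomain`, `auditHandOffs` and `HAND_OFFS` are hypothetical names, and the full URLs are built from the domain names in the post.

```javascript
// Added example: helper names are hypothetical, URLs are built from the post's domains.
function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, ''); // ignore case and a trailing dot
}

// True only if `url` is HTTPS and its host is `siteDomain` or a subdomain of it.
function staysOnSiteDomain(siteDomain, url) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; } // unparseable: reject
  if (parsed.protocol !== 'https:') return false;
  const base = normaliseHost(siteDomain);
  const host = normaliseHost(parsed.hostname); // hostname excludes any user@ part
  // The leading dot matters: "evilshop.example" must not pass for "shop.example".
  return host === base || host.endsWith('.' + base);
}

const HAND_OFFS = [
  // [site the customer started on, where they are asked for details]
  ['natwest.com', 'https://nwolb.com/'],
  ['barclays.co.uk', 'https://epdq.co.uk/'],
  ['play.com', 'https://playsecureserver1.com/'],
  ['amazon.co.uk', 'https://www.amazon.co.uk/'],
  ['adwords.google.co.uk', 'https://adwords.google.co.uk/'],
  ['paypal.com', 'https://www.paypal.com/'],
  // Constructed edge cases on reserved .example names
  ['shop.example', 'https://evilshop.example/'],            // suffix without a dot
  ['shop.example', 'https://shop.example@login.example/'],  // real host is login.example
  ['shop.example', 'http://shop.example/'],                 // right host, no TLS
];

// Returns the hand-off URLs that leave the site's own domain.
function auditHandOffs(pairs) {
  return pairs
    .filter(([site, url]) => !staysOnSiteDomain(site, url))
    .map(([, url]) => url);
}

console.log(auditHandOffs(HAND_OFFS));
```

Pass the domain the organisation actually registered as `siteDomain`; a public suffix such as `co.uk` would match every site under it.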

e-Commerce enquiries

Monday, October 2nd, 2006

Mauve Internet has had two new enquiries about e-Commerce sites this week, which is good. First in a while.

I suspect that there is typically a slump in the summer as smaller business owners plan more for their weekends than the future of their business. As summer has now passed, people start looking ahead more.

This does however mean that I will have to pimp my shop codebase. It really needs tidying up - lots of things that I wouldn’t do the way they are done now that I’ve had some experience of maintaining the codebase.

I have a ton of integration to do. There are two branches to the codebase:

  • One (let’s call it ‘stable’) has seen bugfixes and customer-driven improvements, but has been branched a dozen times and is a huge mess.
  • One has had some refactoring and more developer-driven improvements, but currently crashes due to character set issues.

After that is done, the administration interface needs to have some serious work done. Most importantly, the ImageChooser service needs to be pretty much redone. It all needs a bit of AJAX on top to make administration a smoother experience, and I need to hook up TinyMCE to bolt in a minimal CMS.

The difficulty, if I do this work, is that I may still have to work with the aforementioned ‘stable’ version even though I will have a much improved next-generation version available. Perhaps I can cut a deal on that.

I’m also considering supporting osCommerce, because it would be cheaper in terms of codebase maintenance, but I wouldn’t be able to make the same guarantees I can about implementation of bespoke features and use of future-proof technologies. This would be available as an alternative to my shop software.

What I most want to do is rewrite everything in Python. Python is much faster to develop with than PHP, and leads to much tidier and more legible code.