<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">

  <title><![CDATA[James Smith]]></title>
  <link href="https://floppy.org.uk/atom.xml" rel="self"/>
  <link href="https://floppy.org.uk/"/>
  <updated>2026-03-20T15:21:31+00:00</updated>
  <id>https://floppy.org.uk/</id>
  <author>
    <name><![CDATA[James Smith]]></name>
    <email><![CDATA[james@floppy.org.uk]]></email>
  </author>
  <generator uri="http://octopress.org/">Octopress</generator>

  
  <entry>
    <title type="html"><![CDATA[New Beginnings]]></title>
    <link href="https://floppy.org.uk/blog/2024/01/22/new-beginnings/"/>
    <updated>2024-01-22T00:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2024/01/22/new-beginnings</id>
    <content type="html"><![CDATA[<p>Last Thursday was my last day at <a href="https://dxw.com">dxw</a>. I loved it there, it’s full of Good People and Good Work, and being a trustee of the Employee Ownership Trust for the last couple of years has been a true honour. But, something came along I couldn’t say no to.</p>

<p>Over the last couple of years, I’ve been building a self-hosted web app called <a href="https://github.com/manyfold3d/manyfold">Manyfold</a> (previously named VanDAM, because a weak pun is fine to start with). I built it to scratch an itch I had with managing a large library of 3d model files for 3d printing, but over the years, a few other people have started using it and finding it useful.</p>

<p>In the summer, I put in a wild application for grant funding to <a href="https://nlnet.nl/">NLNet Foundation’s</a> <a href="https://nlnet.nl/NGI0/">NGI Zero Entrust</a> fund, which supports work on open standards, open data, and open source software for the good of the Internet as a whole. To my very great surprise, <a href="https://nlnet.nl/project/Personal-3D-archive/">they agreed</a>, so starting today I get to spend a few months working on Manyfold and the software it’s built on, to make something useful for even more people.</p>

<p>The work is in 6 main <a href="https://github.com/manyfold3d/manyfold/milestones">milestones</a>:</p>

<ol>
  <li>Core feature enhancements; adding a bunch of things like model format conversion, licence information, internationalisation and translation, and more.</li>
  <li>Improved deployment; making the app easier to set up and run in different environments, from personal NASes (NASii?) to full-on cloud deployments.</li>
  <li>Security &amp; compliance; making sure the app is secure, accessible, and <a href="https://w3c.github.io/sustyweb/">sustainable</a>.</li>
  <li>Documentation; user guides, admin manuals, contributor guides, all that good stuff.</li>
  <li>3D model compression; 3d models can be large and lots of formats are inefficient. I’m intending to create a new format based on the <a href="https://hhoppe.com/proj/pm/">progressive meshes</a> algorithm that will enable models to be streamed efficiently. This is particularly cool, as this was part of the background I learned about doing my PhD; about time that was useful.</li>
  <li>ActivityPub federation; make the site multiuser, build feeds and social features, and then make it federate using <a href="https://activitypub.rocks">ActivityPub</a> (like <a href="https://joinmastodon.org">Mastodon</a> and others). If I get this right, then we can create a “decentralised Thingiverse”, where it will no longer matter which site your content is on.</li>
</ol>

<p>Those last two are the coolest, and I’m particularly excited about getting started on those. I’ve got about 6 months of funding to do this, which is frankly incredible, though I’ve got no idea what happens after that. I’ll also be available for small contracts to build up a diversity of income, so let me know if you have anything I can help with!</p>

<p>If you’re interested in the project, you can follow progress in the Fediverse at <a href="https://3dp.chat/@manyfold">manyfold@3dp.chat</a>, and of course if you want to get involved or run your own, check out <a href="https://github.com/manyfold3d/manyfold">the GitHub repository</a> (better documentation coming soon).</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[LLM-Supported Development]]></title>
    <link href="https://floppy.org.uk/blog/2023/11/30/llm-supported-development/"/>
    <updated>2023-11-30T00:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2023/11/30/llm-supported-development</id>
    <content type="html"><![CDATA[<p class="danger">DISCLAIMER: AI is the latest thing in the hype cycle, specifically LLMs. I don’t buy into the hype, but I did work in AI research 20 years ago, and the recent progress is properly incredible compared to where we were back then. I’m not an AGI hype man, but also I definitely think this is a lot more interesting and potentially useful than “fancy autocomplete” as some have said. OK, on with the actual post…</p>

<p>When <a href="https://chat.openai.com">ChatGPT</a> first launched, almost a year ago, it didn’t take long for people to realise that it could write code. My immediate reaction to that was “lol, call me when it can open PRs on my projects to fill in all the tests I didn’t get round to writing”.</p>

<p>Fast forward a few months (and the last few months in AI/LLMs have been <em>wild</em>), and it seems that I wasn’t the only person who thought that. Enter <a href="https://sweep.dev">Sweep</a> (ignore the slightly-offensive tagline that it’s an “AI-powered junior developer”, let’s call it an “LLM-powered PR generator”). I’ve tried it a couple of times on my own side-project code (more on that later), and I’m definitely intrigued.</p>

<p>It works in a way that’s tightly integrated into the GitHub workflow, so you start out by opening an issue asking it to make a particular change. For instance: <a href="https://github.com/manyfold3d/manyfold/issues/1651">Sweep: add unit tests for application_helper.rb</a>. There’s a bunch of code in that file that I wrote in a hurry, and because this is a hobby project, I didn’t fully TDD it. So, can Sweep backfill the gaps for me?</p>

<p>I tried this first in the summer, and frankly Sweep fell flat on its face. It produced invalid code that didn’t even parse, let alone pass any tests. So, I forgot about it for a while. But, the other day, I gave it another shot, and yeah, it’s got a <em>lot</em> better.</p>

<p>Sweep goes away and starts adding comments to the ticket about what it’s doing. It’s very very open about how it’s working, which is unusual for AI tools; you really can see how it’s breaking down the problem and what it’s currently up to. First, it reads the entire codebase and interprets the request with that in mind - then it comes up with a plan of changes to make, before it finally goes to make them.</p>

<p><img src="/images/posts/2023-11-30-llm-supported-development/searching.png" alt="Sweep reading my code" /></p>

<p><img src="/images/posts/2023-11-30-llm-supported-development/coding.png" alt="Sweep planning out what it's going to write" /></p>

<p>Once it’s done that, it <a href="https://github.com/manyfold3d/manyfold/pull/1653">opens a pull request</a> with its changes, just as a human would. The tests and checks run, and if something fails, Sweep automatically reads the errors, feeding them back into the changes it made. You can then do a human pass over the PR (as you would with any code) and provide feedback just as you would for a human colleague.</p>

<p><img src="/images/posts/2023-11-30-llm-supported-development/pr.png" alt="A detailed PR description , written by Sweep" /></p>

<p>So how does it do? In the case linked above, it wrote a new test file, added a load of happy-path tests, which (a) made sense, and (b) passed! It made one mistake, which brought up a failing test, and honestly it was a pretty reasonable error. I can imagine a junior dev calling over their colleague to say “why doesn’t this pass?”. It took me a minute or two to realise what was wrong, then I left a comment for Sweep. Sure enough, a few minutes later it fixed it exactly as I intended.</p>

<p>Here’s where things go off the rails a bit though. It also had some code style errors, and when I asked it to use double quotes for strings in the whole file to fix a lint problem, it completely misunderstood and went off on a rampage writing more tests (which, to be fair, were useful, just not what I asked for). Then when I asked it to undo that commit and go back to the previous version, it just started spewing out syntactically broken code. So, it’s not perfect yet.</p>

<p>BUT, those first two commits and the tests it wrote were great. So, I manually rolled the branch back and merged it in. My app is now partly written by a chatbot; strange days.</p>

<p>Sweep also hits a lot of other buttons that make me prefer it over things like Copilot. It’s open source, you can self-host it, and it’s open about how it’s working. There’s no black box here, apart from the actual ChatGPT LLM itself.</p>

<p>So, am I afraid AI is coming for my job? Well, not really. I think we might see it being used more and more though, in certain places. I don’t want AI to help me write algorithms or structure my architecture - that’s the interesting and fun bit. But, if something can run through my code finding errors, filling in gaps, take away the less-fun work that tends to get pushed aside, but is really important? Yeah, I’m interested, and I’ll keep exploring the possibilities.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Yours Disgustedly]]></title>
    <link href="https://floppy.org.uk/blog/2022/10/21/yours-disgustedly/"/>
    <updated>2022-10-21T09:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2022/10/21/yours-disgustedly</id>
    <content type="html"><![CDATA[<p>I wrote to my MP again…</p>

<blockquote>
  <p>Dear Jeremy Quin,</p>
</blockquote>

<blockquote>
  <p>I’ve been disgusted in the actions of the Government in which you serve for years now, and yet your party keeps finding more scrapings at the bottom of the barrel, and keeps finding new depths of ineptitude and mendacity.</p>
</blockquote>

<blockquote>
  <p>How can you be OK with all this? Boris’s disdain for the law and constitution was bad enough, but then to elect undoubtedly the most incompetent leader we’ve ever had, and finally finish off the UK’s standing in the world? What are your party thinking? What are YOU thinking? How can you stand with these people, how can you take their instructions and toe the party line when that party line is set by obviously completely inept people who seem to have wandered into Westminster by accident and are mainly just confused about where they are.</p>
</blockquote>

<blockquote>
  <p>You have a job to do. You are failing. Your constituents deserve better, and your country deserves better.</p>
</blockquote>

<blockquote>
  <p>I was going to ask politely, but the time has passed for that. There are three things you need to do to salvage some semblance of integrity:</p>
</blockquote>

<blockquote>
  <ol>
    <li>Publicly support calls for a General Election - you may not want it, but the country demand it. I’m sure your seat will be safe anyway.</li>
    <li>Do not let Boris Johnson anywhere near the leadership of the Conservative Party.</li>
    <li>Resign the whip and sit as an independent. You should be ashamed of your party and if you have any integrity, I’m honestly not sure how you could remain part of it.</li>
  </ol>
</blockquote>

<blockquote>
  <p>I have stepped back from active politics in the last few years, because truth and reason have been completely undermined and honestly I don’t know how to operate anything I believe in in that environment. But I’m reconsidering; if there’s a General Election, I’m sorely tempted to stand again just so I can be on stage with you at a husting and say all this to your face in front of hundreds of people, and demand an answer for them.</p>
</blockquote>

<blockquote>
  <p>Yours in severe disappointment and anger,</p>
</blockquote>

<blockquote>
  <p>James Smith</p>
</blockquote>

<p>If you’re as angry as I am, maybe <a href="https://www.writetothem.com/">do the same</a>.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Attack of the IT Zombies]]></title>
    <link href="https://floppy.org.uk/blog/2022/07/22/attack-of-the-it-zombies/"/>
    <updated>2022-07-22T09:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2022/07/22/attack-of-the-it-zombies</id>
    <content type="html"><![CDATA[<p>Legacy technology systems are like zombies.</p>

<p>Not because they shamble on slowly, seemingly unstoppable. Not because they keep popping back up again when you thought you’d killed them. And not even because of the unfortunate smell…</p>

<p>No, legacy systems are like zombies because they <em>survive on brains</em>.</p>

<p>Any institution that’s been around since before the Information Age (however you measure that) will have built up its processes and systems with people and paper.</p>

<p>If we were to draw this in a modern technical architecture diagram (I’m using the <a href="https://c4model.com/">C4 model</a> in <a href="https://www.plantuml.com/">PlantUML</a> for these diagrams), it might look like this:</p>

<p><img src="/images/posts/2022-07-22-attack-of-the-it-zombies/image1.png" alt="A system diagram showing 5 people (Alice, Bob, Carol, Dave, and Eve) talking to each other and using three systems (Systems 1, 2, and 3) which are labelled as paper in a filing cabinet." /></p>

<p>The systems storing the information are paper and filing cabinets, and all the data flows through the people and their tangled web of communications.</p>

<p>Moving into the digital realm, organisations took these processes and replaced the paper with computers. But all too often, the data flows weren’t changed too much – the information still flows between the systems via people’s brains.</p>

<p><a href="https://www.flourish.org/">Francis Irving</a> gave <a href="https://soundcloud.com/theodi/odi-fridays-burn-the-digital">a great talk about “digital paper”</a> a few years back – this is where many institutions still are. Take a paper form, and put it on a computer. And this stuff really matters. Governments spend billions dealing with it, and <a href="https://www.bloomberg.com/news/articles/2022-05-13/sunak-blames-it-systems-for-decision-not-to-raise-uk-benefits">legacy systems are often blamed for policy failures</a>.</p>

<p>If we reflect that, our diagram now looks like this:</p>

<p><img src="/images/posts/2022-07-22-attack-of-the-it-zombies/image2.png" alt="A system diagram similar to the one before, except now the systems are 'digital forms' reading and writing from databases. Eve, who was only linked to the other people in the system before, is now making queries of the databases as well." /></p>

<p>It’s OK, some new things are possible, like Eve digging into the databases directly for her audit information, but it’s not really a different system.</p>

<p>Now these diagrams are all well and good, but there’s something missing. Often we think of these old paper systems as simplistic, and our job with digital transformation is to make things smart.</p>

<p>But that’s not the case at all. Yes, paper itself is basic, but secretly every connection between data stores is mediated by an impossibly sophisticated pattern matching AI system, with its own attached data storage as well. These are very impressive machines, incredibly smart, but can be rather buggy, the I/O is somewhat slow, and the backup and failover options are frankly nowhere near up to scratch.</p>

<p>I mean, of course, human brains. Let’s redraw our diagram, treating our people as technical systems rather than humans, and peel back the layers so we can see inside the brains (ew).</p>

<p><img src="/images/posts/2022-07-22-attack-of-the-it-zombies/image3.png" alt="Another diagram of the same system as last time. This time, the humans in the system are drawn as systems themselves, with a brain doing the talking and using, as well as reading from and writing to a 'memory' database." /></p>

<p>Now we have a truer view of the system, and we can see that if we want to do proper digital transformation of it, we have a problem. If we only think about changing the digital systems, which is the usual context, we’re leaving out a vast part of the existing system. And that part of the system will <em>route around damage</em>. It could treat our transformation as damage to its data stores, and instead find other options. For example, shadow systems and personal knowledge.</p>

<p>So, the job of digital transformation is not to make the system smarter. That’s impossible, given that the most complex machines in the universe are already an inherent part of it. What we want to do is move those machines to the edges, where they can do the work they’re uniquely capable of, and get all the stuff in the middle to work by itself.</p>

<p>So how do we do this? Well, how about we replace the meat computers with actual computers? Let’s start with some recent hotness, a bit of <a href="https://en.wikipedia.org/wiki/Robotic_process_automation">Robotic Process Automation (RPA)</a> (or as we old hackers call it, scraping).</p>

<p><img src="/images/posts/2022-07-22-attack-of-the-it-zombies/image4.png" alt="In this diagram, the humans are all at the top, using two web services that read from and write to RPA bots and vice versa. Those robots then read from and write to the digital form systems from before, which do the same to the databases. The humans are no longer linked to each other." /></p>

<p>Now our digital systems are used by actual robots, and the humans are out at the edges where they can do uniquely human work like decision making, caring about people, solving unforeseeable problems, and watching Countdown with a cup of tea. There’s a whole seductive thing about automating these sorts of tasks instead of the stuff in the middle – for instance, <a href="https://www.theguardian.com/technology/2016/oct/24/artificial-intelligence-judge-university-college-london-computer-scientists">AI that makes court judgments</a>. This is The Wrong Approach, but that’s a whole other post. Let me know if you want me to write it sometime.</p>

<h2 id="the-problem-with-automating-work-thats-best-for-humans">The problem with automating work that’s best for humans</h2>

<p>There are 2 problems though. By moving the humans out to the edges, but not changing the existing digital systems, we’ve not dealt with some really important stuff. We think we’ve solved it, but we’ve ignored that web of links between the human systems, and we’ve ignored the shadow data stores that are inherent in each link.</p>

<p>No matter how clever our RPA tools are (and they’ll always be less clever than the humans), we’re going to lose something here if we just try to replace the people with actual AI systems. This leaves out many other implications of RPA, like embedding legacy IT even further into the organisation. There’s more about this in the MIT Sloan Management Review article <a href="https://sloanreview.mit.edu/article/five-robotic-process-automation-risks-to-avoid/">Five Robotic Process Automation Risks to Avoid</a>.</p>

<h2 id="what-we-need-to-do">What we need to do</h2>

<p>Instead, we have to fundamentally rethink our systems from the ground up. We can build new microservices in an agile way, delivering value quickly, but we have to build that on a thorough understanding of the true nature of the <em>complete</em> old system, and at least a rough plan for the new one. Ignoring those things, and assuming that service-focused User Research and Agile Development (wonderful as those things are) will solve the core issues, won’t work for an organisation-wide transformation; I like the term <a href="https://vlfig.me/posts/microservices">Architecture Nihilism</a> for this approach.</p>

<p>We have to rethink the middle. We don’t want to make it smarter, because we inherently can’t. <em>We have to make the middle less intelligent so we can move the smarts to the edge.</em></p>

<p>We need to look at what’s on the paper, and what’s in the shadow data stores inside the people. Then we need to combine those into a <em>domain model</em>, a coherent view of what the organisation <em>knows</em>, what the world <em>looks like</em> to the organisation. Then we need to remodel and design boundaries and connections between subdomains, and redesign our services taking into account <em>all</em> the official and unofficial communication paths in the old (human) systems.</p>

<p>Connecting the data within our domain comes next. If we have a record about a person in 2 different legacy systems, we have to be able to know that they match up. We can’t rely on our pattern matching AIs (humans) any more to tell us whether John Smith in system A is the same as John Q. Smith in system B based on a misspelt address and a birth date. We humans can handle that. Our databases can’t, unless they’re told explicitly.</p>

<h2 id="getting-computers-to-do-the-boring-stuff">Getting computers to do the boring stuff</h2>

<p>This is where RPA <em>can</em> help – taking old data and extracting it, connecting it, and making those inferences is going to have to be done by someone. The right automated tooling can be really good at doing the bulk of that, with support from a human to make the tougher calls. It’s sometimes known as a <em>Joint Cognitive System</em> – the automation deals with the easy stuff, and bumps things it’s not sure about up to its human user for a judgement call.</p>

<p>But that’s best done as a one-time data transformation; we wouldn’t want to do that amount of processing every time we want to use some information in our system. For one thing, think of the environmental cost of all that excessive computation. And of course, it can’t get the information out of the shadow data stores in all those brains.</p>

<p>If we can transform our data and connections properly and intentionally, we can get to a state where the middle of our system is, frankly, really really… boring. And that’s a good thing. Computers are really good at boring, simple, repetitive tasks. We know exactly how to make them do those.</p>

<p>In the end, when we consider the whole system, maybe we can end up with something more like this (I know I’ve skipped ahead a huge amount here; this is a really complex problem solving process, which many others have explored better than I can here. Maybe next time):</p>

<p><img src="/images/posts/2022-07-22-attack-of-the-it-zombies/image5.png" alt="A diagram of the same system, but now with a layer of shared microservices between the legacy systems and RPA bots. The shared microservices communicate between each other automatically to transfer data over APIs, and the humans interact with those services individually." /></p>

<p>The transformed data and joined up domain means that the services can work together, and lets us move the human data storage into that coherent digital domain over time.</p>

<p>That finally lets us free up the people to work at the edge, being clever, compassionate, and caring (and talking to each other about Countdown) instead of using all that incredible brain power passing data around. If the data is connected, we can stop thinking about the people in the system as glitchy meat computers, and instead treat them as the wonderful, incredible, powerful things that they are, and let them do their best work.</p>

<p><em>Thanks to F, Joseph, Dom, and Chanelle and all the other smart dxw people who helped bounce around the ideas that fed into this. Love you all.</em></p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Networking the Elegoo Mars]]></title>
    <link href="https://floppy.org.uk/blog/2021/03/03/networking-the-elegoo-mars/"/>
    <updated>2021-03-03T21:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2021/03/03/networking-the-elegoo-mars</id>
    <content type="html"><![CDATA[<p class="danger">DISCLAIMER: This article is based only on my experience; it may not work for you, it may be inaccurate, and it may damage your printer! Lots of things could go wrong, so don’t blame me if your printer turns into an expensive paperweight. This does not constitute legal advice, always ask your doctor before using internally, the value of shares may go down as well as up, etc etc.</p>

<p>I recently treated myself to a secondhand Elegoo Mars, a resin-based (SLA) 3D printer. It’s great, but doesn’t include any capability for printing over the network.</p>

<p><em>OR DOES IT?</em></p>

<p>The Mars is based on a board from <a href="https://www.chitusystems.com/">ChiTu Systems</a>, who provide it for numerous manufacturers. Some of their boards include network capabilities, and if you have an early Mars, yours does too! It’s just hidden away! But it’s pretty easy to unlock.</p>

<p>I didn’t work this out myself, just pieced together a process from various places across the Internet. All sources are listed at the end of the article.</p>

<p class="info">Before you start, note that this is SLOW. Using <a href="https://en.wikipedia.org/wiki/Sneakernet">sneakernet</a> and carrying a USB stick back and forth to your printer would be a lot quicker. But I don’t care, I’m in no hurry. If this method doesn’t work for you, look at <a href="https://github.com/luizribeiro/mariner">Mariner</a>. It’s probably better, but the nice thing here is we’re using the native capabilities of the machine.</p>

<h2 id="you-will-need">You will need</h2>

<ol>
  <li>
    <p>An Elegoo Mars, revision <code class="language-plaintext highlighter-rouge">M01</code> to <code class="language-plaintext highlighter-rouge">M08</code>. To find your revision, look at the first three digits of the serial number on the bottom of the machine. <code class="language-plaintext highlighter-rouge">M09</code> and above reportedly have custom boards that don’t have the connections available. Sorry!</p>
  </li>
  <li>
    <p>Up-to-date Elegoo firmware. I’ve only tried this on my machine, which was running <code class="language-plaintext highlighter-rouge">V4.2.20.3_LCDE /1440x2560 /F2.9 FW</code>. If you’re running something older, look at the <a href="https://www.elegoomars.com/forum/showthread.php?tid=15">instructions on the Elegoo Mars forum</a>, you might need to do a couple of other steps.</p>
  </li>
  <li>
    <p>The hex keys that come in the Mars toolkit</p>
  </li>
  <li>
    <p>A FAT32-formatted USB stick</p>
  </li>
  <li>
    <p>If you want Wifi, a <a href="https://www.chitusystems.com/product/esp-01-wifi-module/">ChiTu Wifi module</a>. This only cost me about £6 including shipping, and it came all the way from Shenzhen in about a week.</p>
  </li>
  <li>
    <p>A healthy disregard for product warranties</p>
  </li>
</ol>

<h2 id="break-open-the-ui">Break open the UI</h2>

<p>First thing we need to do is get access to the network settings on the machine itself. The code is all there in the firmware, but it’s hidden away.</p>

<p>ChiTu’s firmware is interesting in that it separates out the core machine firmware from the user interface firmware. That means we can replace the UI firmware with a version that will give us access, without touching the fundamentals of the machine or any actual settings. ChiTu’s download page even has an app that lets you build a custom UI, presumably so that any manufacturer can create their own interface. The really useful thing is, it comes with default firmware that has everything enabled.</p>

<ol>
  <li>
    <p>Go to <a href="https://www.chitusystems.com/download/">the ChiTu download page</a>, open the “ChiTu UI editor” section, and download <code class="language-plaintext highlighter-rouge">UI_ALL_LCD.bin</code>.</p>
  </li>
  <li>
    <p>Put that bin file on your empty USB stick, and insert it into your Mars.</p>
  </li>
  <li>
    <p>On the Mars, print that file. You should get a progress bar and after a few seconds, confirmation that it’s worked.</p>
  </li>
</ol>

<p>Your user interface will now look a bit different, and in the System menu, you should see a new section called “Network”.</p>

<h2 id="connect-up-with-ethernet">Connect up with Ethernet</h2>

<p>Now that we’ve got visibility of the network settings, let’s connect up.</p>

<ol>
  <li>
    <p>Unscrew the four screws in the rear side panel. You might want to slacken off the screws on the top and bottom that hold the vertical pillars in place too, so you can move the panel.</p>
  </li>
  <li>
    <p>Slide the rear panel off. On the left of the machine, you should see the motherboard, and on there if you have the right variant, you will see an RJ45 connector. <img src="/images/posts/2021-03-03-networking-the-elegoo-mars/ethernet.jpeg" alt="RJ45 connector" /></p>
  </li>
  <li>
    <p>Plug in an Ethernet cable and turn the machine on. When you go to the network settings UI we enabled in the last step, you should see it get an IP address.</p>
  </li>
</ol>

<p>Congratulations! Your Mars is online. If Ethernet is good enough for your needs, then you’re basically done with the machine itself, except you’ll need to find a way of getting that cable out of the box so you can close it back up. A decent way might be to print a <a href="https://www.thingiverse.com/thing:3768132">backplate with a hole in it</a>, though I might get round to making one that takes an actual RJ45 extension connector at some point so you can unplug it without disassembling the machine. Watch this space.</p>

<h2 id="connect-via-wifi">Connect via Wifi</h2>

<p>If you want Wifi though, there’s a bit more to do. It’s time to install that <a href="https://www.chitusystems.com/product/esp-01-wifi-module/">ChiTu Wifi module</a>.</p>

<p class="info">Note: It <em>might</em> be possible to use any old EPS8266 board, but from the <a href="https://www.chitusystems.com/2020/11/03/how-to-activate-the-wifi-module-function-on-your-3d-printer/">Wifi page on ChiTu’s website</a> it seems you still need to buy some sort of official code even once you’ve installed their firmware. Still, if you try it, let me know if you get it working!</p>

<ol>
  <li>
    <p>Remove the front panel from the printer in the same way as you did the back, and slide it out. Don’t break the display ribbon cable. <img src="/images/posts/2021-03-03-networking-the-elegoo-mars/motherboard.jpeg" alt="Motherboard" /></p>
  </li>
  <li>
    <p>Take a look at your board. You’re looking for a black 8-pin header at the top of the board, snuggled behind the vertical pillar. It’s got “WIFI” written underneath it. If you’ve got one, then you’re good to go. <img src="/images/posts/2021-03-03-networking-the-elegoo-mars/wifi_header.jpeg" alt="Wifi header" /></p>
  </li>
  <li>
    <p>Unscrew the top screws from the vertical pillar, and loosen the bottom ones, so that you can move the pillar out a bit. I used the panels to hold up the top while I did this.</p>
  </li>
  <li>
    <p>With the pillar moved out a little, you should be able to insert the Wifi module into the black header (obviously do this with the printer off). It fits pointing downwards towards the other side of the motherboard, not sticking up above it.</p>
  </li>
  <li>
    <p>Turn on your printer. You should see a red LED come on on the Wifi module. <img src="/images/posts/2021-03-03-networking-the-elegoo-mars/wifi_board.jpeg" alt="Wifi board" /></p>
  </li>
  <li>
    <p>Reassemble the vertical pillar and fix the front and rear panels back into place.</p>
  </li>
  <li>
    <p>Get your USB stick, and create a file called <code class="language-plaintext highlighter-rouge">wifi.txt</code> on it (the name doesn’t really matter). In that file, add the following line, with your Wifi network details. Mind the quotes: <code class="language-plaintext highlighter-rouge">M9003 '"YourWiFiName","Password"'</code></p>
  </li>
  <li>
    <p>Insert the USB stick into your printer, turn it on, and print the text file. After a few seconds, it should finish.</p>
  </li>
  <li>
    <p>Look at the system network settings page - flip the display to Wifi by clicking the icon in the top left. You should see your SSID on the page, and with luck, an IP address! It’s alive!</p>
  </li>
</ol>

<h2 id="enable-network-connections-in-chitubox">Enable network connections in ChiTuBox</h2>

<p>The final step is to enable network support in ChiTuBox so we can actually send things over. Make sure you leave your USB stick in the Mars, the machine doesn’t have any other storage so it will store your prints on there.</p>

<ol>
  <li>
    <p>Open ChiTuBox. I’m running v1.8.1, so these instructions are for that version. Yours may differ.</p>
  </li>
  <li>
    <p>Export your configuration. In my case, that was done via Menu / Help / Export Configuration. Save the file somewhere you can find it.</p>
  </li>
  <li>
    <p>Load up that file in your text editor of choice.</p>
  </li>
  <li>
    <p>Search through the file for anywhere it says <code class="language-plaintext highlighter-rouge">bNetSending:0</code>, change it to <code class="language-plaintext highlighter-rouge">bNetSending:1</code>, and save.</p>
  </li>
  <li>
    <p>Back in ChiTuBox, import the configuration file.</p>
  </li>
</ol>

<p>Now, when you have sliced your print, above the save button you should see “Network Sending”. Click that, and you should get a dialog appear with your printer listed in the dropdown - ChiTuBox has found it automatically over the network. Hit send, and your file is on the way! (It WILL take ages, make a coffee or learn to juggle or something).</p>

<p>Once the upload is complete, it will even ask you if you want to start the print! Proceed to enjoy the feeling of success as you start a resin print without leaving your chair. You can also print the file from the screen in the usual way, the file is on the USB stick just as if you’d copied it there yourself.</p>

<p><img src="/images/posts/2021-03-03-networking-the-elegoo-mars/print.jpeg" alt="Print!" /></p>

<h2 id="error-lp0-on-fire">ERROR: lp0 on fire</h2>

<p>Thanks to everyone who came before me:</p>

<ul>
  <li>
    <p>u/mmm1808 on Reddit for <a href="https://www.reddit.com/r/ElegooMars/comments/lqf2gc/does_chitus_wireless_module_work_for_elegoo/">asking the question that got me started on this</a>.</p>
  </li>
  <li>
    <p>The admin of the Elegoo Users Forum, for their <a href="https://www.elegoomars.com/forum/showthread.php?tid=15">fantastic instructions using the EPAX UI</a>. If something here doesn’t work for you, read that thread.</p>
  </li>
  <li>
    <p>ChiTu for providing firmware downloads, documentation, and detailed instructions for their boards. Even though it’s not open source, they’re pretty open with their information. Thanks folks.</p>
  </li>
  <li>
    <p>And of course Elegoo for making a wonderful machine!</p>
  </li>
</ul>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Unions, smoke alarms, and lifting the boats]]></title>
    <link href="https://floppy.org.uk/blog/2020/09/28/unions-smoke-alarms-lifting-boats/"/>
    <updated>2020-09-28T09:15:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2020/09/28/unions-smoke-alarms-lifting-boats</id>
    <content type="html"><![CDATA[<p>I was born in 1976. While I was at primary school, Margaret Thatcher was doing her best to crush the power of working people that challenged her plans. Ever since then the word “union” has been inextricably linked to strikes, unrest and conflict, and has been very effectively labeled an enemy. Even now, the only time we hear about unions is when the trains aren’t running. The very idea of workers organizing among themselves is… well, pretty unusual.</p>

<p><img src="/images/posts/2020-09-28-unions-smoke-alarms-lifting-boats/pushup.jpg" alt="Every time the world tells me unions are bad, I do one push-up" /></p>

<p>But despite it being presented as a bad thing all my life, I’ve joined a union, and I want to explain a little bit about my own views and reasons.</p>

<p>Important note: those reasons are <em>not</em> about where I currently work – they’re much wider than that. There is no subtext here, no words between the lines.</p>

<h2 id="companies-are-not-people">Companies are not people</h2>

<p>While companies are made of people, they are <em>not</em> people, and they are subject to different laws and limitations. For instance, we all think it’s terrible that Amazon doesn’t pay “fair” taxes, but <em>it’s legally bound to avoid paying tax wherever possible</em>. If it didn’t, its shareholders would be entirely within their rights to sue the company for financial negligence. A company isn’t immoral; it’s amoral. Morality just doesn’t come into it. (I’d argue that the system that makes that true is immoral, but that’s a different post, or more likely a pub chat. God, I miss pub chats.)</p>

<p>We work in an industry that likes to think it’s progressive, but in reality, as most of us have experienced over our careers, the tech industry is full of exploitation. From games companies forcing young programmers to work weekends for 6-month-long crunches, to startups underpaying staff with the promise of worthless options; it’s also an industry rife with stress, burnout, anxiety and a whole range of other mental health issues.</p>

<h2 id="so-why-do-we-need-unions">So why do we need unions?</h2>

<p>Unions are there to stop exactly this sort of exploitation. They did it in traditional industrial settings (giving us “health and safety”, aka <em>people not getting killed</em>), and there’s a rising tide of acknowledgment that the tech industry is in need of the same thing.</p>

<p>Now, I don’t work at a company in that exploitative mould; so do I need a union? No, not really, not now. <em>But that’s not the point</em>.</p>

<h2 id="installing-the-alarms">Installing the alarms</h2>

<p>Have you got a smoke alarm? You have, right? You have an alarm <em>in case</em> something happens, though you sincerely hope you never need it. You didn’t wait until the house was burning down to install it, and similarly now that you have one, I assume you’re not any less careful about things catching fire – and you certainly aren’t setting fire to the sofa on purpose.</p>

<p><img src="/images/posts/2020-09-28-unions-smoke-alarms-lifting-boats/thisisfine.jpg" alt="I probably should have checked the batteries" /></p>

<p>Being part of a union is the same; it’s there <em>in case</em> something happens. For the situations we can’t see yet. As long as nothing’s on fire, you’d never even know it was there. I don’t <em>want</em> to need it. But I might, one day.</p>

<h2 id="raising-the-tide">Raising the tide</h2>

<p>And there’s one more reason too. Unionisation is <em>weird</em> in the tech industry, as in society as a whole. If we do it, it makes it more normal. And by making it more normal, we make it more acceptable for those people who <em>do</em> need it right now.</p>

<p>Where I work, a great many of us have our pronouns on stickers on our laptops, and introduce ourselves with them. But I don’t do that because I’m regularly misgendered; it’s because I know it helps normalise that behaviour, and that helps those among us to whom this <em>does</em> happen on a regular basis. It’s like masks, too – <em>it’s not for us, it’s for others</em>.</p>

<p><img src="/images/posts/2020-09-28-unions-smoke-alarms-lifting-boats/bigblue.jpg" alt="I joined a union to make it ok for you to" /></p>

<p>I would like to see the most progressive parts of the tech industry do the same around union relations. To show that unions aren’t the Big Bad we’ve been told about all our lives, to show that a positive engagement is possible that we can all be proud of, and to use that as a way to raise the tide and lift the boats across our wider industry, that <em>is</em> in desperate need of it.</p>

<h2 id="fin">Fin</h2>

<p>If you want to discuss anything I’ve said, get in touch, and if you want to know more, I recommend taking a look at <a href="https://prospect.org.uk/about/who-are-prospect/">Prospect</a>, the union I chose to become part of.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[A letter to Jeremy Quin MP]]></title>
    <link href="https://floppy.org.uk/blog/2019/09/24/a-letter-to-jeremy-quin-mp/"/>
    <updated>2019-09-24T12:45:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2019/09/24/a-letter-to-jeremy-quin-mp</id>
    <content type="html"><![CDATA[<p>This is a letter I’ve just sent to my MP, Jeremy Quin, regarding the September 2019 prorogation of Parliament. I sent one a couple of weeks ago, to which he responded with the standard government line having a go at the opposition for voting down an election. I’ll upload that soon.</p>

<blockquote>
  <p>Hi Jeremy,</p>
</blockquote>

<blockquote>
  <p>Thanks for responding to my previous message. I am very disappointed that you don’t share my concern for the UK constitution and the rule of law. The 11 supreme court justices fortunately do, and have found your Prime Minister to have acted unlawfully in shutting down our Parliament two weeks ago, and of having lied to the Queen in order to do so.</p>
</blockquote>

<blockquote>
  <p>If you are going to reply to me with the standard government line, as you usually do, then please don’t bother, because I’ve heard it.</p>
</blockquote>

<blockquote>
  <p>Instead I want to appeal to you, personally. Not as a Conservative, not as a member of the government, not even as an MP, but as a person.</p>
</blockquote>

<blockquote>
  <p>The organisation you are working for and allying yourself to is led by liars; it is shredding the UK’s institutions for personal and party gain. You call yourself a Conservative. What exactly is it that your party is conserving right now? Even leaving Brexit aside, your party is sowing division and on the verge of destroying the consensus by which this country hangs together.</p>
</blockquote>

<blockquote>
  <p>I hope I can appeal to you as a man of principle, to stand up and defend our country. Toeing this party line will not benefit you in the long term; I hope you can see that.</p>
</blockquote>

<blockquote>
  <p>Yours hopefully,
James Smith</p>
</blockquote>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[The Web Of Truth]]></title>
    <link href="https://floppy.org.uk/blog/2017/01/23/the-web-of-truth/"/>
    <updated>2017-01-23T00:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2017/01/23/the-web-of-truth</id>
    <content type="html"><![CDATA[<p><a href="http://knowyourmeme.com/memes/my-parents-are-dead-batman-slapping-robin"><img src="/images/posts/2017-01-23-the-web-of-truth/batmanslap.jpg" alt="Link Your Sources" /></a></p>

<p>We’re in an era of lies and propaganda, euphemistically labelled “fake news” and <a href="https://www.theatlantic.com/politics/archive/2017/01/the-pointless-needless-lies-of-the-trump-administration/514061/">“alternative facts”</a>. Many of the efforts of the alt-right are to muddy the waters of facts, to <a href="http://bluevirginia.us/2017/01/great-explanation-baghdad-sean-spicers-bizarre-n-korea-style-statement-yesterday">erode people’s confidence that facts even exist</a>.</p>

<p>As Clay Shirky implied during Trump’s election campaign, facts are not <em>sufficient</em> to win this war:</p>

<blockquote class="twitter-tweet" data-conversation="none" data-lang="en-gb"><p lang="en" dir="ltr">Seeing my timeline during the convention last night made me despair. We&#39;ve brought fact-checkers to a culture war. Time to get serious.</p>&mdash; Clay Shirky (@cshirky) <a href="https://twitter.com/cshirky/status/756569741020377088">22 July 2016</a></blockquote>

<p>However, facts are <em>necessary</em>.</p>

<p>More and more we need to be able to rely on the news we read and the posts we share to be factual. We can’t fall into the trap of using propaganda ourselves, or not caring what we say as long as it hurts the other side. By doing that, the confusion rises further and the forces of chaos win.</p>

<p>Fortunately we have technologies to help us. The web is built on links; linking back to primary sources of information is cheap and easy, and in the war on lies we need to do it more.</p>

<p>We’ve asked journalists to link to their source materials in online news articles for years. Now it’s a moral imperative to do so. And if you’re sharing an image online, for god’s sake include a link to the source data or article in the image. Even if it’s a silly meme.</p>

<p><strong>If you make an unsourced statement, it’s indistinguishable from lies.</strong></p>

<p>If we link our sources, then we can build a web of trust that will keep the lies at bay. At the bottom, theirs will have no substance. Ours will. Yes, I know that it means a few readers might click away from your precious content, but guess what; it’s more important than that now.</p>

<p>Link your goddamn sources, for truth and freedom, and then we can get on with the next stage of the fight.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[The Poo Button]]></title>
    <link href="https://floppy.org.uk/blog/2016/11/20/the-poo-button/"/>
    <updated>2016-11-20T00:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2016/11/20/the-poo-button</id>
    <content type="html"><![CDATA[<p class="alert">If you’re visiting from the <a href="http://www.wired.co.uk/article/amazon-dash-hack-poo-button-internet-of-things">Wired article</a> and want to show your appreciation somehow, you can <a href="https://www.justgiving.com/4w350m3/donation/direct/charity/99993#MessageAndAmount">make a donation</a> to the <a href="http://criduchat.org.uk">Cri du Chat Syndrome Support Group</a> to help families affected by the syndrome that meant I did this thing in the first place. Thanks!</p>

<p><img src="/images/posts/2016-11-20-the-poo-button/poobutton.jpg" alt="The Poo Button" /></p>

<p>A little while ago, my colleague Stuart hacked a couple of <a href="https://www.amazon.co.uk/b?ie=UTF8&amp;node=10833773031">Amazon Dash buttons</a> to <a href="https://hackernoon.com/quantified-boy-726e9558594f#.dj7xkh8ra">create a behaviour scoreboard for his son</a> - an experiment in Internet of Parenting, if you will.</p>

<p>I thought that was pretty cool, so I popped a Dash button onto my Amazon wishlist, but without a clear idea of what to do with it; just for fun. Then though, my wife asked what it was, and a couple of days later came up with an idea. And this time, my hacking around might actually be useful.</p>

<h2 id="the-challenge">The Challenge</h2>

<p>My daughter has <a href="http://criduchat.org.uk">Cri du Chat Syndrome</a>, a genetic condition that causes global learning delay and a bunch of other things. One side effect of it is that she has always suffered from chronic constipation; she’s been on medication for it for years, and it’s a constant mission getting her to poop regularly - her bowel muscles just aren’t strong enough, or something.</p>

<p>Anyway, we’ve changed her medication and it’s had some effect, but to be sure we need to track when all her bowel movements happen - this stuff doesn’t have an instant effect.</p>

<p>So, writing it all on paper is a bit useless, when we can do better. And what better than to make a “poo button”. Let’s get a Dash button, stick it on the wall, and use it to log (no pun intended) her logs (OK, pun was intended). I’m not the first to do this of course - one of the first hacks for the Dash was to <a href="https://medium.com/@edwardbenson/how-i-hacked-amazon-s-5-wifi-button-to-track-baby-data-794214b0bdd8#.n2rjvlxmm">track nappy changes</a>.</p>

<h2 id="the-button">The Button</h2>

<p>First thing - set up the Dash button in the normal way using the Amazon app on a phone. When it comes to selecting a product, <strong>don’t choose anything</strong>, just exit. Then you have a dash button connected to the local network, but that won’t order anything from Amazon.</p>

<h2 id="intercepting-the-presses">Intercepting The Presses</h2>

<p>Then, we install the <a href="https://github.com/hortinstein/node-dash-button">node-dash-button</a> library. I’m using a Mac Mini as a home server so it was a matter of installing <code class="language-plaintext highlighter-rouge">npm</code> with <a href="http://brew.sh/">Homebrew</a>, making sure I had XCode installed, and away we go following the setup in the <a href="https://github.com/hortinstein/node-dash-button/blob/master/README.md">README</a>. The installation worked better as a global thing rather than just for one user:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>npm install -g node-dash-button
</code></pre></div></div>

<p>We then run <code class="language-plaintext highlighter-rouge">sudo /usr/local/lib/node_modules/node-dash-button/bin/findbutton</code> and get something like this:</p>

<pre>
Watching for arp &amp; udp requests on your local network, please try to press your dash now
Dash buttons should appear as manufactured by 'Amazon Technologies Inc.'
Possible dash hardware address detected: xx:xx:xx:xx:xx:xx Manufacturer: Microchip Technology Inc. Protocol: arp
Possible dash hardware address detected: xx:xx:xx:xx:xx:xx Manufacturer: Amazon Technologies Inc. Protocol: udp
Possible dash hardware address detected: xx:xx:xx:xx:xx:xx Manufacturer: Apple Protocol: arp
Possible dash hardware address detected: xx:xx:xx:xx:xx:xx Manufacturer: Amazon Technologies Inc. Protocol: arp
Possible dash hardware address detected: xx:xx:xx:xx:xx:xx Manufacturer: Microchip Technology Inc. Protocol: arp
</pre>

<p>The Amazon ARP one is the one we want, so we’ll keep the address (just shown as x’s above) for later.</p>

<p>Now we need a bit of code to detect the button press. I’ve shamelessly ripped off the code Stuart created in his post - I won’t repost it here, <a href="https://hackernoon.com/quantified-boy-726e9558594f#.dj7xkh8ra">take a look back at his post</a> for the breakdown.</p>

<h2 id="storing-the-data">Storing The Data</h2>

<p>To store the data, I could do what Stuart did and use <a href="https://bothan.io">Bothan</a>, but my wife will be happier with a spreadsheet. So, let’s set up one of my favourite tools of the moment, <a href="https://zapier.com">Zapier</a>, to store the data somewhere useful.</p>

<p>I’ve created a Zap with a webhook trigger and a Google spreadsheet output. I really wish Zapier would let me publish zaps publicly so you could see it, but they don’t, so you’ll have to take my word for it that it’s easy.</p>

<p>To test it, we can send a message to the webhook with <code class="language-plaintext highlighter-rouge">curl</code> (this project is so pun-rich it’s amazing):</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl -X POST -d '{"when": "2016-01-01T09:00Z"}' https://hooks.zapier.com/hooks/catch/.../.../
</code></pre></div></div>

<p>Zapier detects the POST, and then sends the <code class="language-plaintext highlighter-rouge">when</code> value into my spreadsheet. Easy as pie. Now all we need to do is get the code to send that POST when it detects a button press.</p>

<h2 id="the-code">The Code</h2>

<p>In the end, the entire code is as simple as:</p>

<pre>
var dash_button = require('/usr/local/lib/node_modules/node-dash-button');
var request = require('/usr/local/lib/node_modules/request');
var poo_button = 'xx:xx:xx:xx:xx:xx'; // The MAC address for the button goes here
var webhook = 'https://hooks.zapier.com/hooks/catch/xxxxxx/xxxxxx/';

// Listen for both ARP and UDP traffic from the button
var dash = dash_button([poo_button], null, null, 'all');

dash.on("detected", function (dash_id){
  if (dash_id === poo_button){
    console.log("Parp!");
    var requestData = {
      "when": new Date().toISOString()
    };
    // json: true serialises the body object and sets the
    // Content-Type header, so the object is passed as-is
    // (stringifying it first would encode it twice).
    request({
      url: webhook,
      method: "POST",
      json: true,
      body: requestData
    });
  }
});
</pre>

<p>There’s a lot of cleanup to do with that code, like sorting the include paths, package.json file, extracting the secure variables, and so on, and I’ll carry on doing that and post the source on GitHub when it’s OK for public consumption. I know it’s shonky as hell right now, but <strong>it works</strong>!</p>

<p>I press a button, and the current time is logged in a spreadsheet. Bingo!</p>

<h2 id="next">Next</h2>

<p>So there are a few things that would be good to do next.</p>

<ul>
  <li>Somehow enable use of the Bristol Stool Scale to store the type. This is kind of helpful, though not essential. We could have more than one button, or we could somehow detect multiple presses. But I don’t know if it’s necessary.</li>
  <li>A way of packaging this up so it can be used by non-experts. The Internet of Things is all very well, but too often it’s about <a href="https://www.juicero.com/">$700 juicers</a>, and not about making people’s lives easier. I’d love to know who’s really applying this stuff to making life easier for people with extra needs.</li>
  <li>The Dash button is really cool, but it’s hard to set up to take control of. An open version that could hook up to an arbitrary URL would be amazing. Maybe that’s something IFTTT should look into - they have a <a href="https://ifttt.com/products/do/button">DO button app</a> already; a hardware version would be great.</li>
</ul>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[OSX Security Theatre Part 2]]></title>
    <link href="https://floppy.org.uk/blog/2016/11/10/osx-security-theatre-part-2/"/>
    <updated>2016-11-10T00:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2016/11/10/osx-security-theatre-part-2</id>
    <content type="html"><![CDATA[<p class="alert">This is part 2 of my security setup. See <a href="/blog/2015/07/02/osx-security-theatre">part 1</a> for information on password security and encryption topics.</p>

<p>After the 2016 US election, we have an extensive surveillance apparatus in the hands of a man who I definitely don’t trust with it. Given that, it’s time for another security upgrade.</p>

<p>This part focuses on network security hygiene, and the ability to avoid surveillance. As I said in part 1, this isn’t because I’m doing anything illegal, but as I’m politically active, and in declared opposition to many of our current illiberal leaders, it seems only sensible to create a bit of safe space <em>now</em> in case someone decides to make my activities illegal in the future.</p>

<h2 id="uplink">Uplink</h2>

<p>First up - time to get a decent Internet Service Provider. The UK is passing law after law allowing logging of connections, mandated filtering of Internet content, and so on. The government is on a path to deciding what you can do online, and being able to check up on you. They will rely on the ISPs to enforce this for them.</p>

<p>However, there is one out there that resists this at every opportunity. <a href="https://aa.net.uk">Andrews &amp; Arnold</a> is a small ISP designed for technical users, and is explicitly <a href="http://aa.net.uk/kb-broadband-unfiltered.html">opposed to monitoring and filtering</a>. That page includes a <a href="https://en.wikipedia.org/wiki/Warrant_canary">warrant canary</a> for secret monitoring equipment as well, so that’s good.</p>

<p>As a bonus, they PGP sign all their emails, run a <a href="http://aa.net.uk/kb-irc.html">support channel on IRC</a>, support the <a href="https://www.openrightsgroup.org/">Open Rights Group</a>, and regularly give evidence to MPs about communications policy. Basically, I know they have my back, and they’re now the only people I trust with my uplink.</p>

<h2 id="browser--web-security">Browser &amp; web security</h2>

<p>HTTP is the normal way to connect to websites; HTTPS is the secure version, and these days there is no reason not to use it. Many sites still don’t send you to an HTTPS version by default, but still allow unencrypted connections. This means your communications can be easily read in transit.</p>

<p>Avoid this by installing <a href="https://www.eff.org/https-everywhere">HTTPS Everywhere</a> in your browser. It automatically rewrites everything it can to HTTPS, helping you to stay secure.</p>

<p>I’d also recommend <a href="https://www.eff.org/privacybadger">Privacy Badger</a>, which is a browser extension that blocks various evil web tracking methods, helping maintain your online privacy. That means it also blocks all the ads that are doing nasty things, leaving only the ones that behave themselves. I like that over blocking all ads, though to be honest web advertising is so sleazy that I basically don’t ever see any - Privacy Badger kills them all.</p>

<p>Which browser though? I use <a href="https://www.mozilla.org/en-GB/firefox/new/">Firefox</a>, personally. It’s open source, free, and well-supported. Chrome (and even the open source version Chromium) sends a bunch of information about you back to Google without telling you, and I’d rather that didn’t happen, so Firefox it is. I also now use <a href="https://www.mozilla.org/en-GB/firefox/ios/">Firefox on iOS</a> as well; if you want things like bookmark sharing, you can have them.</p>

<p>One last thing on this - drop Google and change your search provider to <a href="https://duckduckgo.com/">DuckDuckGo</a>, a search engine that doesn’t track you. I’ve found the results to be perfectly fine and have been using it well over a year now.</p>

<h2 id="vpn">VPN</h2>

<p>Next, low-level network security. If I’m sat in a coffee shop, I’m probably on some unencrypted wifi network surrounded by a load of other people. It’s quite simple to read network traffic in that situation, or even provide a honeypot wifi connection that will man-in-the-middle all your network traffic. So, even though we’re as secure as we can be in our browser, let’s be 100% sure and set up a VPN (Virtual Private Network).</p>

<p>A VPN is basically a fully-encrypted “tunnel” from your computer to another one somewhere else. That tunnel can go over unencrypted connections, but nobody will be able to see anything inside it.</p>

<p>I’ve set up a VPN server on a machine in my house, because I want my tunnel to basically allow my communications to be <em>as secure as they are in my home</em>. I’m not worried about anonymity at this point. The VPN will basically route all my network activity through my home, and through my trusted ISP.</p>

<p>So, I’ve got a Mac Mini running OSX El Capitan, with <a href="https://itunes.apple.com/us/app/os-x-server/id883878097">OSX Server</a> (£15), which comes with the ability to run a VPN. Setup is dead simple for this use case. You can pretty much just enable the VPN in the server app, and the defaults will work. I’m using L2TP, which is the best on offer there. OpenVPN is supposed to be a bit better, but the software setup and maintenance looks like a headache I’d rather not have.</p>

<p>You then set up your VPN on your devices. On OSX that’s in the Network preferences window - add a new interface and enter your VPN details. Same on iOS, under General settings.</p>

<p>The main problem is that you need to know where to connect to. Many ISPs don’t provide a static IP, so you end up using Dynamic DNS. Your router may have support for this built in, but mine doesn’t, so I’m using <a href="https://sourceforge.net/p/ddclient/wiki/Home/">ddclient</a> running on the Mac Mini to automatically update my <a href="https://www.cloudflare.com/">Cloudflare</a> DNS records. Works like a charm. I’ll probably do a separate post just on that config, because it’s a little involved, but this isn’t the place.</p>

<p class="alert">I’ve since found a little OSX menubar app called <a href="https://itunes.apple.com/cn/app/vpn-monitor/id887410814?l=en&amp;mt=12">VPN monitor</a> that for a couple of quid automatically connects to your VPN whenever you connect to a network. You can add safe networks, like home and work, where it won’t bother, but the rest of the time it’ll route your traffic via the VPN automatically. Security by default is always a good thing.</p>

<h2 id="anonymity">Anonymity</h2>

<p>Of course, that only gives me security, not anonymity. All the traffic still flows over my home ISP uplink as if I was in the house. For proper anonymity, we need something more, and that thing is <a href="https://www.torproject.org">Tor</a>.</p>

<p>Tor works by encrypting your traffic, sending it all over the network through multiple hosts, then having it emerge somewhere else on the network completely unrelated to you. It slows things down a lot, so you wouldn’t use it all the time, but it’s a great option to have available.</p>

<p>I’ve got two Tor options set up. The first is simple - just install <a href="https://www.torproject.org/projects/torbrowser.html.en">Tor Browser</a>. That gives you an anonymised browser session without any further setup. For most people that’s probably fine.</p>

<p>The second is more involved. If I need to cover my tracks with anything that’s <em>not</em> browser based, or I want to hide my machine completely, I can route all my network traffic through a tor proxy running in the background.</p>

<p>Setup isn’t hard. You can install Tor with <a href="https://brew.sh">homebrew</a> (also useful for installing ddclient), and the default installation pretty much sets up the proxy for you.</p>

<p>I then created a new network location in the Network preferences on my laptop, and in the advanced settings for the wifi connection, enabled the SOCKS proxy to <code class="language-plaintext highlighter-rouge">localhost</code> port <code class="language-plaintext highlighter-rouge">9050</code>. That means that anything on that network connection should be sent through the proxy first, which will route it through Tor. Then you’ve got two network locations to choose from, which you can switch between in the Apple menu. One-click switch to anonymise all my traffic? Nice.</p>

<p>Now, there are <a href="https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting">good reasons not to do this</a> if you’re <em>really</em> paranoid. Because your entire network traffic is being routed together, it might be possible to tell who you are from things like background processes checking in with Apple, or similar correlations. It’s not something I would do unless it was really necessary, but it’s nice to have it there ready.</p>

<p>It also still <a href="https://www.dnsleaktest.com/">leaks metadata via DNS</a>, because your DNS lookups don’t go via the proxy, but it’s a step in the right direction and should be OK for casual use. If I manage to improve it I’ll update here.</p>
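
<p>To see why a SOCKS proxy setting alone does not keep name lookups inside Tor, the following added example (not code from this post or from the Tor project) builds and parses SOCKS5 CONNECT requests as defined in RFC 1928. The function names, the <code>example.org</code> destination and the <code>192.0.2.10</code> address are constructed for illustration.</p>

```javascript
// Added example: SOCKS5 CONNECT requests (RFC 1928) as sent to a local Tor
// proxy on localhost:9050. Names and sample values are constructed.

const ATYP_IPV4 = 0x01;   // DST.ADDR is a 4-byte IPv4 address
const ATYP_DOMAIN = 0x03; // DST.ADDR is a length-prefixed hostname
// ATYP 0x04 (IPv6) is left out to keep the example short.

function isIpv4(s) {
  const parts = s.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

function ipv4Bytes(s) {
  return s.split('.').map(Number);
}

// Build the CONNECT request a client sends after the SOCKS5 greeting.
//   remoteDns: true  -> the hostname is sent and the proxy resolves it
//   remoteDns: false -> the client resolved the name itself; resolvedIp
//                       stands in for the answer to that lookup, which
//                       travelled over the normal network, not the proxy
function buildConnect(host, port, { remoteDns, resolvedIp } = {}) {
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new RangeError('port out of range');
  }
  const head = [0x05, 0x01, 0x00]; // VER=5, CMD=CONNECT, RSV=0
  let addr;
  if (isIpv4(host)) {
    addr = [ATYP_IPV4, ...ipv4Bytes(host)];
  } else if (remoteDns) {
    const name = Buffer.from(host, 'ascii');
    if (name.length === 0 || name.length > 255) {
      throw new RangeError('hostname must be 1 to 255 bytes');
    }
    addr = [ATYP_DOMAIN, name.length, ...name];
  } else {
    if (!resolvedIp || !isIpv4(resolvedIp)) {
      throw new Error('local resolution needs an IPv4 answer');
    }
    addr = [ATYP_IPV4, ...ipv4Bytes(resolvedIp)];
  }
  return Buffer.from([...head, ...addr, port >> 8, port & 0xff]);
}

// Parse a CONNECT request and report whether the proxy was given a name.
function parseConnect(buf) {
  if (buf.length < 5) throw new Error('truncated request');
  if (buf[0] !== 0x05) throw new Error('not SOCKS5');
  if (buf[1] !== 0x01) throw new Error('not a CONNECT request');
  const atyp = buf[3];
  let host;
  let end; // offset of the 2-byte port
  if (atyp === ATYP_IPV4) {
    end = 8;
    if (buf.length < end + 2) throw new Error('truncated IPv4 request');
    host = Array.from(buf.subarray(4, end)).join('.');
  } else if (atyp === ATYP_DOMAIN) {
    const len = buf[4];
    end = 5 + len;
    if (len === 0 || buf.length < end + 2) {
      throw new Error('truncated domain request');
    }
    host = buf.subarray(5, end).toString('ascii');
  } else {
    throw new Error('unsupported address type ' + atyp);
  }
  return {
    atyp,
    host,
    port: buf.readUInt16BE(end),
    proxyResolves: atyp === ATYP_DOMAIN,
  };
}

// Classify captured requests (hex strings) by who did the DNS lookup.
function auditRequests(hexRequests) {
  return hexRequests.map((hex) => {
    const req = parseConnect(Buffer.from(hex, 'hex'));
    return {
      destination: req.host + ':' + req.port,
      proxyResolves: req.proxyResolves,
      verdict: req.proxyResolves
        ? 'name sent to proxy, lookup happens inside Tor'
        : 'IP only, any name was resolved outside the proxy',
    };
  });
}

// Constructed sample: the same destination reached in both ways.
const SAMPLE_CAPTURE = [
  buildConnect('example.org', 443, { remoteDns: true }).toString('hex'),
  buildConnect('example.org', 443,
    { remoteDns: false, resolvedIp: '192.0.2.10' }).toString('hex'),
];

for (const row of auditRequests(SAMPLE_CAPTURE)) {
  console.log(row.destination.padEnd(18), row.verdict);
}
```

<p>A client that sends the first form hands the hostname to Tor for resolution; one that sends the second has already looked the name up over the ordinary network. Tor’s <code>SafeSocks 1</code> option in <code>torrc</code> makes the proxy reject the IP-only form.</p>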

<h2 id="what-next">What next?</h2>

<p>So I think that’s everything I’ve got set up, security-wise. What should I do next? Suggestions appreciated!</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Open is a political statement]]></title>
    <link href="https://floppy.org.uk/blog/2016/06/24/open-is-a-political-statement/"/>
    <updated>2016-06-24T00:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2016/06/24/open-is-a-political-statement</id>
    <content type="html"><![CDATA[<p><em>Also published on <a href="https://medium.com/@Floppy/open-is-a-political-statement-89d603e119cf#.i201zkw77">Medium</a> and <a href="https://somethingnew.org.uk/news/2016/06/24/open-is-a-political-statement.html">Something New</a>.</em></p>

<p>Today is a strange day in the UK. We’re divided, confused, and have taken what I think is a self-defeating decision about our place in the world. Our political institutions are in turmoil, and there’s change in the air, though of what sort nobody knows.</p>

<p>In this atmosphere, it’s increasingly obvious that the old politics is broken, and that we need something better for the future. Somewhere where we could have explored the EU question sanely, without the lies, deceit and hate building up and polluting our society.</p>

<p>I think there’s a better way, and it lies in a movement that’s been building with the rise of the Internet and the World Wide Web. Since the dawn of the network revolution, the world is increasingly about sharing, collaboration, and working together. We’re connected peer-to-peer as a species, in a way we haven’t been since we were a single tribe thousands and thousands of years ago. We are building a global mind, and we need to learn how to use it.</p>

<p>This new age for society is about working together and sharing, about being open. We can do amazing things with openness; it gives us the scientific method, open source software that runs the modern world, open exchange of ideas. Openness helps us get better quicker.</p>

<p>I believe that the old political axis of left/right is outdated and irrelevant in the 21st century. Instead we have new axes; open/closed, together/alone, optimistic/fearful, innovative/static.</p>

<p>I think the future is about openness, working together, and being optimistic and innovative. I know there are a great many people I know who feel the same way.</p>

<p>My message to them is this: the things we believe, the future we want, is a political statement.</p>

<p>It is not enough for us to tinker around the edges of an industrial-era system and make a system that is more transparent and accountable, but just as dysfunctional. We need to present our vision of a better open future clearly and loudly, in the arena of public discourse.</p>

<p>This isn’t about Internet freedom, or digital rights, or any of that. It’s about the network-era transformation of society, for a better world for everyone.</p>

<p>I’m working on this by building a startup network-era political party, <a href="https://somethingnew.org.uk">Something New</a>, here in the UK. There are similar efforts cropping up across the world as well, we’re not alone. If you want to help, please do, we need you. If you want to do it better, please do that too, and we’ll join in. I don’t care who wins, whose name is on the thing; all I know is that it needs to happen, and if we don’t do it ourselves, nobody will.</p>

<p>We all know <a href="https://en.wikipedia.org/wiki/The_Innovator%27s_Dilemma">old institutions have trouble innovating and adapting</a>, and are often outclassed by smaller disruptive companies who can adapt to the new environment they find themselves in. What’s true in startup 101 is also true of our political system. The status quo is ripe for disruption; let’s start working together, in the open, and innovate our country a better future.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Data infrastructure technology: are blockchains the answer?]]></title>
    <link href="https://floppy.org.uk/blog/2015/10/22/data-infrastructure-technology-blockchains/"/>
    <updated>2015-10-22T00:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2015/10/22/data-infrastructure-technology-blockchains</id>
    <content type="html"><![CDATA[<p>How do we make sure data infrastructure is always available, and always trustworthy? Are blockchains the answer?</p>

<p>We believe that <a href="http://theodi.org/who-owns-our-data-infrastructure">data infrastructure</a> is fundamental to our future. What we normally mean by this is “data as infrastructure” – data is becoming part of the infrastructure of society. In <a href="http://theodi.org/labs">ODI Labs</a>, we have a slightly different take on the issue: if data is to be infrastructure for society, what does that mean about the technology underlying the “infrastructure for data”?</p>

<p><img src="https://bd7a65e2cb448908f934-86a50c88e47af9e1fb58ce0672b5a500.r32.cf3.rackcdn.com/uploads/assets/28/f9/5628f98e1f986a081e000021/data_infra_1.jpg" alt="null" /></p>

<p><em><small>Photo source: <a href="https://www.flickr.com/photos/rh2ox/9990016123/" title=" r2hox ">Flickr - r2hox (CC BY-SA 2.0)</a></small></em></p>

<p>If data is becoming essential to society, then it must be:</p>

<ul>
  <li>resilient – always available when needed, with access able to route around damage. It can’t drop offline because of a datacentre outage, or a forgotten domain renewal.</li>
  <li>robust – data must be verifiable and reliable, resistant to tampering. The concepts of <a href="https://thehackernews.com/2014/05/microsoft-security-essential-found.html">maldata</a> and data spam aren’t in wide circulation yet, but at some point they will be.</li>
  <li>scalable – having vital data hosted on a single server will not scale up when that dataset is suddenly in high demand.</li>
</ul>

<p>A new class of technologies is appearing that copes with many of these problems. In particular, distributed data storage – where the data doesn’t reside in one place but across the network itself – is on the rise. And a lot of people are talking about one specific implementation of that idea: blockchains.</p>

<p>By the way, if you don’t know what I’m talking about, blockchains are basically a way of storing information (transactions, in the case of Bitcoin) in a distributed fashion across the Internet without needing a trusted central server. This <a href="http://www.bbc.co.uk/news/technology-33090285">quick primer from the BBC</a> is a good introduction to the idea.</p>

<p>There is a lot of hype about “putting things into the blockchain” at the moment. While the technology is fascinating and has huge potential, there are a few things we need to be aware of.</p>

<h2 id="a-blockchain-or-the-blockchain">A blockchain, or THE blockchain?</h2>

<p><img src="https://bd7a65e2cb448908f934-86a50c88e47af9e1fb58ce0672b5a500.r32.cf3.rackcdn.com/uploads/assets/28/fd/5628fd8b1f986a081e000025/data_infra_4.jpg" alt="null" /></p>

<p><em><small>Photo source: <a href="https://www.flickr.com/photos/rh2ox/9990024683/in/photostream/" title=" r2hox ">Flickr - r2hox (CC BY-SA 2.0)</a></small></em></p>

<p>There’s a confusing tendency for people to talk about THE blockchain, as opposed to A blockchain, and that implies Bitcoin. Storing data in the Bitcoin blockchain is possible, and has been done <a href="http://www.righto.com/2014/02/ascii-bernanke-wikileaks-photographs.html">since day one</a>, but it isn’t really advisable.</p>

<p>So, instead of using the Bitcoin blockchain, most blockchain data storage systems are using their own chains – for instance, <a href="https://namecoin.info/">Namecoin</a>, <a href="https://ethereum.org/">Ethereum</a>, and <a href="http://factom.org/">Factom</a> (who are putting <a href="http://siliconangle.com/blog/2015/05/17/honduras-to-use-bitcoin-blockchain-tech-to-run-its-land-registry/">Honduras’ Land Registry</a> into a blockchain).</p>

<p>However, all of these still have a cryptocurrency involved. The work to verify the blockchain is done by many people, and they need to be paid for the compute time they contribute. Therefore, these systems all have their own currencies internally, like “Ether” or “Factoids”.</p>

<p>Is it realistic to run a distributed data store based on a pseudocurrency model? Does the very concept of financial return introduce the <a href="https://hbr.org/2009/03/when-economic-incentives-backfire">wrong incentives</a> into the system? At the end of the day, <strong>who pays</strong> to maintain an effective yet radically distributed system?</p>

<h2 id="immutability">Immutability</h2>

<p><img src="https://bd7a65e2cb448908f934-86a50c88e47af9e1fb58ce0672b5a500.r32.cf3.rackcdn.com/uploads/assets/28/fb/5628fb551f986a081e000023/data_infra_2.jpg" alt="null" /></p>

<p><em><small>Photo source: <a href="https://www.flickr.com/photos/rh2ox/9989876925/" title=" r2hox ">Flickr - r2hox (CC BY-SA 2.0)</a></small></em></p>

<p>Blockchains are designed to be immutable, to have data written into them and be available forevermore. Technically, that seems a desirable quality as it means you can’t go back and rewrite history: nobody can deny that a transaction took place, even if it was revoked later on.</p>

<blockquote>
  <p>A digital register may supersede or expire your permission to do something, but it shouldn’t be able to later refute that permission was ever issued to you. <a href="https://gds.blog.gov.uk/2015/09/01/registers-authoritative-lists-you-can-trust/">Paul Downey</a></p>
</blockquote>

<p>However, technology, meet society. In the sphere of human life, immutability can be a major problem.</p>

<p>What about the recent <a href="https://en.wikipedia.org/wiki/Right_to_be_forgotten">EU right to be forgotten</a> ruling? What’s your legal recourse when the data you want removed from public view is stored in an immutable data store? Is there any truly immutable data?</p>

<p>Here’s an example: in the UK, if you change your gender, you of course have the right to have your new gender reflected in all official records. That, though, includes rewriting history and backdating your new gender, so that the gender you were assigned at birth doesn’t appear even in old records. If, say, your driving licence is stored in a blockchain, the old version can’t be modified. It can be revoked and replaced with an updated one, but the original record is still there.</p>

<p>Sure, you could solve those problems by storing only pointers to data in a blockchain, and having the data somewhere else, somewhere mutable, but then you’ve lost the resilience aspect of the technology; the data is still centralised, even though the index is distributed.</p>

<p>How, then, do we design data storage in blockchains so that immutability is limited to the things that need to be immutable?</p>

<h2 id="beyond-blockchains">Beyond blockchains</h2>

<p><img src="https://bd7a65e2cb448908f934-86a50c88e47af9e1fb58ce0672b5a500.r32.cf3.rackcdn.com/uploads/assets/29/00/56290077d0d46207c8000031/data_infra_5.jpg" alt="null" /></p>

<p><em><small>Photo source: <a href="https://www.flickr.com/photos/rh2ox/9989872634/in/photostream/" title=" r2hox ">Flickr - r2hox (CC BY-SA 2.0)</a></small></em></p>

<p>Nowadays, when most people say “blockchain”, and even when I say it myself, I treat it as a shorthand for “undefined radically distributed storage technology”. There are many other options out there, from the non-bitcoin blockchains like <a href="https://ethereum.org/">Ethereum</a> and <a href="http://maidsafe.net/">MaidSafe</a>, to other systems like <a href="https://en.wikipedia.org/wiki/Tahoe-LAFS">Tahoe-LAFS</a>, and even older technologies like BitTorrent. (For great in-depth discussion of these and many others, watch the <a href="http://redecentralize.org/interviews/">Redecentralize interviews</a>).</p>

<p>Make no mistake, there is huge (and radical) potential in this technology area for data, and for society as a whole, but we need to understand how these technologies are best applied.</p>

<h3 id="standards">Standards</h3>

<p>And whether it’s blockchains or something else, there are plenty of questions. How do we standardise storage in such a system so that we get a single network of data, as opposed to having to use a different storage system every time we want a new type of information? What are the data protocols for distributed storage? How do we talk about, and perhaps enforce, ownership and licensing?</p>

<h2 id="what-are-we-doing">What are we doing?</h2>

<p>We are exploring the potential applications of these technologies in the context of data infrastructure. This applies at different scales: global, national and city data infrastructure. It also applies across sectors: finance, agriculture, nutrition and global development.</p>

<p>ODI Labs are exploring these issues and, as with everything we do at the ODI, we will be collaborating with our network of <a href="http://theodi.org/membership">Partners</a>, <a href="http://theodi.org/membership">Supporters</a>, <a href="http://theodi.org/nodes">Nodes</a>, and <a href="http://theodi.org/startups">Startups</a>. If you would like to get involved in collaboration, and sponsorship, please <a href="mailto:labs@theodi.org">get in touch</a>.</p>

<p>We want to experiment with the technologies, work out some of the tricky social questions, and help guide the future of distributed data storage in the right direction.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Early Warning System]]></title>
    <link href="https://floppy.org.uk/blog/2015/08/12/early-warning-system/"/>
    <updated>2015-08-12T00:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2015/08/12/early-warning-system</id>
    <content type="html"><![CDATA[<p>I know that I don’t live a healthy lifestyle; I’ve known that for years. But, the consequences have always seemed a long way off.</p>

<p>The other day though, I got a kick up the arse. I went to the doctor about some new <a href="/blog/categories/depression">depression</a> symptoms, and he did a blood test to check my general health at the same time.</p>

<p>When I called up for the results, the receptionist asked me to schedule another test in six months as I was “glucose intolerant”. This was a <a href="https://storify.com/Floppy/surprise-diagnosis">surprise</a> to me, and the next day I managed to speak to the doctor for more information.</p>

<p>Basically, I’ve got <a href="https://en.wikipedia.org/wiki/Impaired_fasting_glucose">persistently elevated blood glucose</a>. I’m only just outside the normal range (HbA1c 6.2), which means it’s not type 2 diabetes <em>yet</em>, but I’m heading that way. It puts me in a category of risk much higher than normal; 50% risk of type 2 over the next 10 years, for instance.</p>

<p>Needless to say, I don’t want that to happen.</p>

<p>It was a shock, and made me consider my own mortality for a while, but this is a good thing. I’ve found this out at a point where I can properly do something about it. I know that the consequences are coming if I don’t act.</p>

<p>So, what to do? At this point it’s all lifestyle change, and I already know:</p>

<ul>
  <li>I’m vastly overweight</li>
  <li>I don’t get enough exercise</li>
  <li>My diet could be better.</li>
</ul>

<p>Let’s look at those in turn.</p>

<h2 id="weight">Weight</h2>

<p>We’ll start with the most obvious. I’m overweight, in fact well into obese. I weigh in the region of 120kg at the moment, with a BMI of 35.4. This is <em>far</em> too much. Apparently to get into a “normal” BMI bracket, I need to lose 35kg, to get down to 85. That’s almost a third of my body weight.</p>

<p>Now, I’m a big chap. I’m 185cm tall, but also I’m pretty broad and have a large ribcage. I know that BMI isn’t a good indicator in these situations, but I’ve not found anything else to give me a target so far. I’m hoping that our <a href="http://horsham.westsussexwellbeing.org.uk/">local wellbeing scheme</a> can help me work out where I need to get to.</p>

<p>First step to losing this is that a couple of months ago, my wife and I started doing the <a href="http://thefastdiet.co.uk/">FAST (or 5:2) diet</a>. I don’t like diet fads, but as this one seems to be based on proper science (and I first heard of it on Horizon), I’m more inclined to have a go. It’s going OK so far, fasting two days a week, and some weight is coming off. We probably need to be stricter though to get the full benefit.</p>

<p>I’m tracking my weight using the <a href="https://www.fitbit.com/user/23W9NM">Fitbit</a> tools. They’re not great (I’d like a running average), but it does the job of data capture well enough. I really liked <a href="https://itunes.apple.com/us/app/id287941226">True Weight</a> on the iPhone, but it doesn’t really integrate with anything else, which is a pain these days.</p>

<p>I keep considering getting a <a href="https://www.fitbit.com/uk/aria">Fitbit Aria</a> or <a href="http://www2.withings.com/us/en/products/smart-body-analyzer/">Withings smart scale</a> to make measurement easier, but putting a number in an app isn’t that hard, so I’ve not done it yet.</p>

<h2 id="exercise">Exercise</h2>

<p>This is the big one, really. To lose more weight and get my blood sugar down, I need more exercise. I cycle 7 minutes to the station a few times a week, which is better than nothing, but more is necessary.</p>

<p>I keep trying to start the Couch to 5k running scheme, but all the times I’ve done it my schedule has got pre-empted and I’ve never made it out of week 1. I’ve started again though, and this time will do my utmost to make it stick.</p>

<p>I’m using the <a href="http://www.nhs.uk/change4life/pages/couch-to-5k.aspx">NHS Choices couch to 5k app</a>, which could be better for music playback, but it’s good at the training prompts, is free, and has no ads.</p>

<p>I’ve started using <a href="https://www.strava.com/athletes/floppy">Strava</a> to log these runs, and will log my station cycling as well, to get a complete picture of my exercise and what I need to add. It’s great that <a href="https://blog.fitbit.com/fitbit-x-strava/">Strava integrates with Fitbit</a> to include the exercise in that system automatically. If I need to double-enter any data, this won’t stick.</p>

<p>The social aspects of Strava are already feeling great. Each time I do a run, my cousin gives me kudos for it (despite my runs being pathetic in comparison to his). It feels like a support network, which is what I need.</p>

<h2 id="diet">Diet</h2>

<p>The last aspect is improving my diet. I’d like to track all my calorie intake so I can keep it on track without excessive denial (which will cause failure), but calorie tracking apps are all terrible. How the hell do I know what the calories are in the home-made shepherd’s pie we had the other night? How do I know how much is one serving of skimmed milk, without measuring <em>everything</em> out with scales and a jug?</p>

<p>There doesn’t seem to be a light-touch calorie counting mechanism that I’ve found yet. This would help with regular diet, but also with tracking the fasting days’ intake.</p>

<p>Can someone please make something using AI and image recognition to give me a calorie count of a meal if I take a photo of it? That would be fab, thanks.</p>

<h2 id="genetics">Genetics</h2>

<p>I’ve been wondering about getting a <a href="http://23andme.co.uk/">23andme</a> kit for years. This news has taken out the last obstacle for me, that of “do I really want to know” for the risk factors.</p>

<p>I now know I have a risk factor for one thing. Knowing more seems only sensible now, if I have to manage that knowledge anyway. I’ll get a kit on order soon after the next payday, I think.</p>

<h2 id="dashboarding">Dashboarding</h2>

<p>My plan is to integrate this data into a dashboard that I’ll display in the kitchen at home all the time. Making information visible helps me to manage it, so having a lifestyle dashboard seems sensible.</p>

<p>I’ve not found anything yet that does it in a way I like, so I suspect I’ll break out the Fitbit API and start pulling data into a <a href="https://github.com/Shopify/dashing">dashing</a> board or something.</p>

<h2 id="meditation">Meditation</h2>

<p>I’m also trying to get a hold on stress and tension using meditation. Again, I’ve started these things before but never made them stick. I’m hoping that I can get properly going this time, with a combination of <a href="https://www.headspace.com/headspace-meditation-app">Headspace</a> for regular meditation and <a href="http://buddhify.com/">Buddhify</a> for more casual hits.</p>

<h2 id="better-tools">Better tools</h2>

<p>I’m also thinking now about better tools; I mentioned the scales already. I have a <a href="https://www.fitbit.com/uk/one">Fitbit One</a>, which is fine (and better now I’ve got a watch strap for it), but would I find this easier with something more recent? Would it help to get an Apple Watch, for instance? I’m quite interested in measuring my heart rate on a regular basis, for stress management if nothing else.</p>

<p>I want to find a nice open ecosystem for this stuff, but it doesn’t seem to exist. Hopefully I can forge my own using the APIs and my own code.</p>

<h2 id="schedule">Schedule</h2>

<p>One thing that will cause failure (and always has in the past) is fitting this into my life. Having kids, something always comes along that disrupts something. Even sticking to regular fast days is proving tricky. For that though, I’ve just got to sort it out; I can’t stop this time.</p>

<h2 id="suggestions">Suggestions</h2>

<p>I need help here from anyone who’s been down this path before. There’s so much out there, but recommendations are always helpful. I ideally want an open, interoperating ecosystem of tools and devices to help me manage this lifestyle transition. It has to work easily and integrate with my already busy life in the simplest way possible. Bad UX will cause failure as well.</p>

<p>If you have anything to suggest, add in the comments below. I’m all ears.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[OSX Security Theatre]]></title>
    <link href="https://floppy.org.uk/blog/2015/07/02/osx-security-theatre/"/>
    <updated>2015-07-02T00:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2015/07/02/osx-security-theatre</id>
    <content type="html"><![CDATA[<p class="alert">I’ve now written a followup post to this one. See <a href="/blog/2016/11/10/osx-security-theatre-part-2">part 2</a> for information on my ISP, Tor, and VPN setup. For password security and encryption, read on.</p>

<p>I’ve always been vaguely dissatisfied with my personal security setup. I’ve been happy it’s pretty secure and safe, but the software hasn’t been great. However, that’s changed recently with a few new releases, so I thought it might be worth sharing my setup with the world. I’m on OSX, so this is specific to that platform, but most things are open source and cross-platform, so there might be something to learn anyway. Also, some of you might tell me how I can improve it even further.</p>

<h2 id="passwords">Passwords</h2>

<p>Basic security hygiene means having strong unique passwords on every different site, but obviously that’s very difficult. Enter the password manager app, which can generate secure unique passwords and store them in a single place, behind a strong master password.</p>

<p>Obviously make sure the master password is strong; however, it still can be memorable and easy to type. Use <a href="http://correcthorsebatterystaple.net/">Correct Horse Battery Staple</a> to generate a good one. I’d recommend going over the top on this; make it at least 6 words long.</p>

<h3 id="keepass-database">KeePass database</h3>

<p>I’ve used the <a href="http://keepass.info/">KeePass</a> format for many many years, because the format is an open standard, there are many cross-platform apps, and it can be verified as secure by looking at the design. Also, as it’s a single file that stores all passwords, there’s no cloud storage, and I know that my passwords are not being shared with anyone else. I just don’t trust things like LastPass or 1Password, because giving away your passwords is inherently defeating the point. So, KeePass avoids that by giving me complete control over access to the file.</p>

<p>But, because cloud synchronisation (and backup) is useful, I store the file in <a href="https://db.tt/8ZsPh7g">Dropbox</a>. It’s encrypted securely on my machine before uploading, so I don’t really care whether Dropbox is secure or not (as far as that file’s concerned anyway). We do the same with a shared password file for work stored in Google Drive.</p>

<h3 id="keepass-clients">KeePass clients</h3>

<p>For a long time I was using <a href="https://www.keepassx.org/">KeePassX</a>, which worked, but didn’t have some of the nice features like browser plugins to auto-fill password forms, so there was lots of copying and pasting, and I tended to let the browser store the passwords as well (again defeating the point of a secure store, especially in Chrome).</p>

<p>However, last week I found <a href="https://mstarke.github.io/MacPass/">MacPass</a>. This is a native OSX client, which works nicely and is under active development. Even better, there is a <a href="https://github.com/mstarke/MacPass/pull/247">proposed patch that adds KeePassHTTP support</a>, and someone’s <a href="https://github.com/mstarke/MacPass/pull/247#issuecomment-113848747">prebuilt the app with that built in</a>; that’s the version I’m using.</p>

<p>KeePassHTTP is a little server in your KeePass app that lets other apps access the database locally, and that means <em>browser integration</em> finally.</p>

<p class="alert"><strong>UPDATE</strong>: KeePassHTTP is now supported directly in MacPass using a plugin, so no patch required. Download the standard install of <a href="https://mstarke.github.io/MacPass/">MacPass</a>, then follow the “Using precompiled version” instructions for <a href="https://github.com/MacPass/MacPassHTTP">MacPassHTTP</a>. Works a treat.</p>

<h3 id="browser-integration">Browser integration</h3>

<p>Browser plugins were the thing that made me jealous of LastPass and 1Password users; yeah, they were potentially giving their passwords away, but it was <em>so easy</em>. Now I have MacPass+KeePassHTTP, that’s changed.</p>

<p>I’m using Firefox (because Chrome <a href="http://www.independent.co.uk/life-style/gadgets-and-tech/news/google-was-downloading-audio-listeners-onto-computers-without-consent-say-chromium-users-10335111.html">just gets more evil over time</a> and has been purged from my machine), and I’m using a plugin called <a href="https://addons.mozilla.org/en-US/firefox/addon/passifox/">PassIFox</a>. That’s really simple to link up to MacPass, and then you can just right-click in forms and tell it to fill in password fields.</p>

<p>I’ve since turned off all the built-in browser password storage and syncing, and am much more pleased with the system than I’ve ever been. I’m not sure if it can generate passwords from within Firefox yet, I’ve not tried it, but I don’t mind generating in MacPass; it’s not exactly hard.</p>

<h3 id="ios-app">iOS app</h3>

<p>What about on my phone? Well, that’s why the database is stored in Dropbox. I use an app called <a href="https://itunes.apple.com/us/app/ikeepass/id299697688?mt=8">iKeePass</a> which can read the file directly from Dropbox and open it. Then it’s a simple click to copy passwords into the iOS browser app. It’s not massively trivial, but it’s not too hard for the rare times when I need to use it.</p>

<p class="alert"><strong>UPDATE</strong>: I’ve changed to using <a href="https://itunes.apple.com/us/app/keepass-touch/id966759076?mt=8">Keepass Touch</a> instead, which streamlines the process a bit. It still syncs from Dropbox, but allows you to unlock the database with Touch ID, which makes everything quicker. It also supports editing the database and creating passwords on iOS, which is great.</p>

<h2 id="encryption">Encryption</h2>

<p>I’ve also used PGP since around 1998, and I’m really pleased to see that it’s basically the only encryption system that’s not known or suspected to be compromised by our security agencies. If it’s still good enough for Edward Snowden, it’s good enough for me.</p>

<h3 id="gpg-suite">GPG Suite</h3>

<p>On OSX, if you want to use PGP, you install <a href="https://gpgtools.org/">GPG Suite</a>. It’s a nice set of tools and integrations which make using PGP reasonably simple (though it’s still not a trivial process to get set up).</p>

<p>Again, pick a good long and memorable passphrase for your PGP key. You’ll be typing this one a lot, so make sure it’s easy to get right. Also make sure it’s different from the KeePass one above! You’ve still only got two to remember :)</p>

<p>Once you’ve generated a key pair (one private, one public) using GPG Suite then you will want to back up the private key somewhere nice and secure. I currently have mine in a <a href="http://truecrypt.sourceforge.net/">TrueCrypt</a> volume, which is again backed up in my Dropbox account, though TrueCrypt seems to be dead, and not GCHQ-proof any more, so that will change soon.</p>

<p class="alert">UPDATE: I’ve binned TrueCrypt as it was <a href="https://threatpost.com/of-truecrypt-and-warrant-canaries/106355/">seemingly compromised</a>. Instead I just keep my exported keys inside KeePass instead.</p>

<h3 id="mail-integration">Mail integration</h3>

<p>For a long while I was using Apple’s built-in Mail app as GPGTools integrated nicely with it. However, recently, I’ve found that <a href="http://airmailapp.com/">Airmail 2</a> has a <a href="http://support.airmailapp.com/post/95764147348/gpg-pgp-plugin">PGP plugin</a>, and it works almost perfectly. That means I have a decent mail client <em>with encryption support</em> finally.</p>

<h3 id="keybase">Keybase</h3>

<p>Of course, if you want to encrypt email, you need other people’s keys. You can share in a number of ways through GPGTools, but one of the easiest is to use <a href="http://keybase.io/Floppy">Keybase</a>. It’s invite-only (shout on Twitter if you want one, plenty of people have spares, including me), and it’s basically a way of linking your PGP key to your social network accounts, and letting people get hold of your key easily.</p>

<p>The one big thing I’d change about Keybase is that they should just get rid of the ability to generate and store a private key on their site. I know they’re trying to make it easy, but it’s a massive security antipattern and even people who I know have decent technical knowledge have used it; it’s just too temptingly simple.</p>

<p>Instead, generate your key with GPGTools locally, and upload just the public key to Keybase. That has the advantage that you can pop the right email addresses on it as well.</p>

<h3 id="ios-mail-encryption">iOS mail encryption</h3>

<p>Forget it :)</p>

<p>Seriously, this isn’t a thing. If you’re dealing with encrypted mail, or want to make sure yours is signed, don’t bother trying to do it on a phone.</p>

<h2 id="miscellanea">Miscellanea</h2>

<p>I’ve enabled full-disk encryption (<a href="https://support.apple.com/en-us/HT204837">FileVault</a>) on my Mac. There’s just no reason not to.</p>

<p>Obviously all remote logins and file transfers are done via SSH as well. My SSH key has a similar master password to the ones above on it to unlock it, and all remote servers I use are set up to only accept login with the right keyfile.</p>

<p>Every website I use that supports it has two-factor authentication turned on. If it supports the Authenticator app then I use that for the second factor, otherwise I fall back to SMS verification, though I consider that insufficient for decent security <a href="/blog/2015/04/16/anatomy-of-a-hijack/">after my phone was hijacked</a> a few months ago. So, I’m looking at you Twitter; authenticator app support please.</p>

<h2 id="what-next">What next?</h2>

<p>I’m interested in these <a href="https://www.yubico.com/applications/fido/">FIDO U2F keys</a>; it would be good to have the OSX encryption linked to a hardware token like that, so my machine can only be used with it plugged in. Also that can be used with some two-factor auth systems. This needs to be looked into.</p>

<p>However for something physical that can be lost, I’d want to be sure there was a way of having at least two keys that can unlock things, and obviously it would be hard to use with anything that needs unlocking on iOS.</p>

<p>I also need to work on my network security and privacy. I want to get a VPN routed via my home connection for use while out and about, and some way of easily swapping onto the <a href="http://torproject.org">Tor</a> network that’s got decent usability for when I want to be anonymous (or look like I’m in a different country). I’ll follow up with a further post if I get any of that sorted.</p>

<p class="alert">UPDATE: I’ve now written <a href="/blog/2016/11/10/osx-security-theatre-part-2">part 2</a>, with information on my ISP, Tor, and VPN setup.</p>

<h2 id="summary">Summary</h2>

<p>Security is complex, but the software tools are finally getting good enough now that it’s not hard.</p>

<p>Everything I use that’s involved in dealing with secure information above is open source, which means I can be more confident that there aren’t hidden backdoors (though of course <a href="http://siliconangle.com/blog/2013/09/06/bullrun-the-nsa-backdoor-anti-encryption-bug-program-that-breaks-most-encryption-on-the-internet/">you can never be 100% sure</a>). There are equivalent apps for every platform, so I hope this sort of setup is something that anyone could use and be reasonably safe.</p>

<p>I’ve mentioned the security services above, but I want to finish by saying that <em>I’m not trying to avoid the law</em>. I’m not doing anything illegal, but we’re now in a world where strong security hygiene is a necessary skill online. Not just because your emails are routinely tracked by our own (and therefore many other) security services, but because the weaknesses they’ve introduced into online security make it easier for <em>everyone</em> to access your communications. By irresponsibly weakening our security standards and introducing backdoors into common security-related code, you have to assume that everything is visible to everyone.</p>

<p>That means compartmentalising your security with unique passwords, and using strong non-compromised encryption wherever possible.</p>

<p>Remember, it’s not paranoia if they’re really watching you.</p>

]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[The Trials of Forming a Party]]></title>
    <link href="https://floppy.org.uk/blog/2015/06/13/the-trials-of-forming-a-party/"/>
    <updated>2015-06-13T00:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2015/06/13/the-trials-of-forming-a-party</id>
    <content type="html"><![CDATA[<p>Fair warning; this is probably going to be another very long post. It’s all about the long and complex story of our party registration for Something New. I’ve not really told this story before; when I finally could, it was too close to the election to relate, but now there is time.</p>

<p>TL;DR: Something New formed in September 2014, the Electoral Commission objected, and we only got finally registered on 6th March, 8 weeks before the election, only 3 weeks before nominations opened, and after a lot of stress. Want to know why? Read on…</p>

<h2 id="do-we-need-a-party">Do we need a party?</h2>

<p>In late June 2014, I <a href="/blog/2014/06/27/standing-for-parliament-in-2015/">announced</a> that I’d be standing for election in the 2015 general election, using the <a href="https://openpolitics.org.uk/manifesto">OpenPolitics Manifesto</a> as my platform. It was an experiment in seeing how accessible democratic participation was, and in taking an Open Source approach to politics.</p>

<p>I initially announced as an Independent, but I was never really happy with that. We’d had a few discussions within the manifesto project about forming a party, about what we could be called, and so on, but nothing serious had surfaced. However, I firmly believed (and still do) that in our current system, you <em>have</em> to have a party to build a serious movement. If I stood as an Independent, there wouldn’t be anything to build on afterwards.</p>

<p>As for joining other parties, that’s an option, and something that people should do more, but it wasn’t what I wanted to do. The entire approach of the open source manifesto was important, and joining any existing party would have meant dropping that. This was a truly new way of doing things, and it deserved its own identity.</p>

<h2 id="something-new">Something New?</h2>

<p>Over the next few weeks, I had a lot of coffee with a lot of people, and eventually met up with a guy called Alex Hilton for a beer one evening, after being put in touch by a colleague. Alex was a long-time political animal, but was disillusioned with the current state of affairs. I went along, expecting an interesting chat and an hour of political advice, perhaps.</p>

<p>As it turned out, we got on pretty well, and agreed on a lot of things, including the need for new choices in our electoral system.</p>

<p>Halfway through the evening, Alex said that he thought British politics needed a new fresh brand, without the baggage of the past. And he said he had it. He said it was something new.</p>

<p>I waited for him to say what it was.</p>

<p class="pull-right"><img src="https://farm9.staticflickr.com/8617/15926354835_84dc7411a8_q.jpg" alt="Something New" /></p>

<p>“No, that’s it. Something New”</p>

<p>I went through the initial stages that many people do when they hear the name. “That’s daft, you can’t… wait, that’s not bad… no, that’s awesome”. It worked on so many levels, and before too long it was clear that it was a brand that reflected what we were actually working for.</p>

<p>We decided to form the party soon after that, based around a core set of values, and using the manifesto for the details.</p>

<h2 id="registering-the-party">Registering the Party</h2>

<p>So, we started the paperwork. A political party is a bit like a company, in that you need at least three named positions, but two of them can be held by the same person. However, I roped in Paul, my brother-in-law, and we got started. Alex was Treasurer, I was Party Leader, and Paul was Nominating Officer. All three of those are required by the commission. No anarchist collectives here.</p>

<p>After doing a simple constitution and financial scheme (basically how we would handle the money), we paid the £150 registration and sent in the forms. Easy!</p>

<p>As it turned out, Something New had been registered before, by Alex. He’d never done much with it though, and had let the registration lapse by not filling in the returns a few months earlier. This <em>may</em> have worked against us later, though we’ll never really know.</p>

<h2 id="first-refusal">First Refusal</h2>

<p class="pull-right"><img src="/images/posts/2015-06-13-the-trials-of-forming-a-party/stop.gif" alt="Stop" /></p>

<p>On the 27th October, we got a really annoying email from the Electoral Commission.</p>

<blockquote>
  <p>I am writing to let you know that the Commission has considered your application and is unable to register your proposed party name.</p>
</blockquote>

<p>Er, this was registered before. What gives?</p>

<blockquote>
  <p>Under the Political Parties, Elections and Referendums Act 2000 (PPERA), when considering an application to register a political party, we must ensure that the proposed name is not the same as, or would not be likely to result in electors confusing it with another registered party.
Upon consideration of your application, we have reached the view that the proposed name is confusingly similar to an existing party description registered by the Democratic Republican Party ‘For a new beginning’, such that a voter would be likely to be confused between the parties if the proposed party name were approved for registration.</p>
</blockquote>

<p>Wait, what? “For a new beginning”? Really?</p>

<h2 id="naming-conflicts">Naming Conflicts</h2>

<p>It turns out that under PPERA, the commission does have to check new registrations against others to avoid confusion. This comes from instances where someone registered the “Literal Democrats”, and the more recent example of “An Independence from Europe” in the 2014 EU elections. It seemed the Commission were getting a lot more careful.</p>

<p>Still, ours seemed pretty different. “Something New” vs “For a new beginning”. And the second one was a description, not a name! (It wasn’t until a lot later that I realised that only name <em>or</em> description is shown on the ballot, so the DRP could stand with just “For a new beginning” on the ballot paper.)</p>

<p>There was also the fact that the last time Something New had been registered, the DRP had already been registered and had the same description. The same process a year previously had gone exactly the opposite way. Something had obviously changed.</p>

<h2 id="appeal">Appeal</h2>

<p>OK, well, let’s just talk to them. Let’s work out how to appeal the decision. Turns out this was really hard.</p>

<p>We had a look at the <a href="https://www.electoralcommission.org.uk/complaints">EC complaints page</a>, which said:</p>

<blockquote>
  <p>Complaints about decisions made as part of our statutory enforcement work, or other statutory regulatory decisions taken by the Commission (for example registration of party names, descriptions and emblems) are dealt with under our regulatory policies and enforcement policy and/or case management procedures. Depending on the nature of the matter case there may be further rights of challenge by way of statutory appeals or judicial review.</p>
</blockquote>

<p>Talking to the Electoral Commission, we were told:</p>

<blockquote>
  <p>You can complain about a decision on your application to register the party if you believe we have not adhered to proper processes in making the decision on your application. Your concerns will be independently investigated under the Commission’s complaints procedure.
The information about how to lodge a complaint is contained in <a href="https://www.electoralcommission.org.uk/__data/assets/pdf_file/0003/107697/sp-application-rp.pdf">our guidance</a>.
As the guidance states, the complaints procedure will look at the process that led to the decision and not the decision itself. Appeals against the outcome of the decision will not be considered. You may have rights of challenge by way of judicial review to pursue this.</p>
</blockquote>

<p>So we can appeal the procedure but not the decision? We can’t just <em>talk</em> to someone? Judicial review involves taking them to <em>court</em>, that’s ludicrous! There must be a better way!</p>

<p>But no. No luck in all our attempts to discuss with them.</p>

<p>Because the only thing we could do was appeal the <em>procedure</em>, we started trying to find out what the procedure was via FOI. I could tell already, this problem was going to be a massive waste of time and energy, but the name was too good to let go.</p>

<p>At this point, we were also trying to get in touch with the <a href="http://democraticrepublicanparty.co.uk/">Democratic Republican Party</a> to see if they themselves objected to the name, and if they’d help us out with the EC. No luck yet though.</p>

<h2 id="pre-action-letter">Pre-action letter</h2>

<p class="pull-right"><img src="/images/posts/2015-06-13-the-trials-of-forming-a-party/loblaw.gif" alt="Bob Loblaw" /></p>

<p>Nothing was helping, so in early November we took the first step towards judicial review. We knew that we couldn’t actually take them to court, but the first step was to write a pre-action letter outlining our case and intention. If that didn’t work, then we’d have to drop it.</p>

<p>We opened the letter with a request for a simpler process, and that we didn’t want to do it this way, but it was the only way open to us. We were trying to keep them onside as much as we could, and not annoy them. After all, they held the power.</p>

<p>The letter outlined that eleven different parties use the word “New”, the only shared word causing the objection; many more share other words. The only other shared part was the suffix ‘-ing’, used by 107 parties. Also, we pointed out that we were being stopped due to a conflict with another micro-party, and confusion was very unlikely.</p>

<p>The whole thing felt pretty stupid to write. A four page letter about basics of the English language. Still, we had to, so we did.</p>

<h2 id="talking-to-the-drp">Talking to the DRP</h2>

<p>About a week after this, in mid November, the Democratic Republican Party got in touch in response to our emails. While I was in a pub being filmed with the <a href="http://whigs.uk">Whigs</a> and <a href="http://wearepopulace.uk/">Populace</a> for a Daily Politics report, Alex was having a Skype conversation in the corner with Peter Kellow, party leader of the DRP.</p>

<p>Turns out Peter had a pretty low opinion of the EC, but agreed with us on a lot of things politically, so was willing to help. Unfortunately he wanted to wait and see, and make something of it if the EC didn’t make the decision we wanted. He was looking for a fight. We, however, were looking to move on.</p>

<p>Anyway, after a couple more conversations, he agreed to remove the description from their party registration, and tell the EC he didn’t agree with the exclusion. Looked like we were sorted!</p>

<h2 id="legal-response">Legal response</h2>

<p class="pull-right"><img src="/images/posts/2015-06-13-the-trials-of-forming-a-party/headdesk.gif" alt="Headdesk" /></p>

<p>Another week after, we got a response from the Commission’s lawyer. It was very long and detailed, but consisted basically of a very long “we get to decide and we disagree with you”, finishing with something along the lines of “you could have just <em>talked</em> to us instead of threatening court”.</p>

<p>AAARGH.</p>

<p>As we wrote back:</p>

<blockquote>
  <p>I would like to contest that I did raise my concerns in detail with your colleague, and I was told that judicial review was my only recourse as I have no reason to believe you have made an error of procedure. I was not made aware of any informal process for raising this with you.</p>
</blockquote>

<p>What a mess.</p>

<p>However, by now DRP had agreed to remove the strapline, so we asked the Electoral Commission to look at it again based on that new situation.</p>

<h2 id="some-foi-fun">Some FOI fun</h2>

<p>We’d started looking into the law, and into <a href="http://www.legislation.gov.uk/ukpga/2000/41/section/28">PPERA</a> itself. The act says, in section 28.4.a.ii:</p>

<blockquote>
  <p>Where a party sends an application to the Commission … , the Commission shall grant the application unless in their opinion the party proposes a registered name which would be likely to result in electors confusing that party with a party which is already registered in respect of the relevant part of the United Kingdom.</p>
</blockquote>

<p>What does “be likely” mean in the eyes of the law? It seems completely undefined. So, let’s find out what the EC’s internal guidance on this is. They must have a policy that defines what’s “likely”.</p>

<p>Using WhatDoTheyKnow, I wrote a Freedom of Information request, asking for the guidance, and whether it had changed recently. I <a href="https://www.whatdotheyknow.com/request/internal_guidance_on_party_name">eventually got a response</a>; the internal guidance is <a href="https://www.whatdotheyknow.com/request/239045/response/589468/attach/html/3/FOI%20138%2014%20attachment.docx.html">here</a>, and really is just as vague:</p>

<blockquote>
  <p>31.4 It is necessary for the purposes of section 28(4)(a)(ii) that the elector’s confusion with another party is ‘likely’ and as such it will not be sufficient if confusion is a mere possibility.</p>
</blockquote>

<p>Nothing in there more specific at all, and no change. So the written guidance was the same as in 2013 when the party name was accepted, and yet this time it was refused.</p>

<p>How can you appeal against the procedure when the procedure is basically “whatever we reckon”? Utterly useless, but a dead end it seemed. All down to human judgement.</p>

<p>Incidentally, at this point, we’re almost into campaign season proper, and we can’t open a bank account, can’t fundraise, etc. This is getting annoying. We’re getting worried, and start thinking about new names just in case.</p>

<h2 id="christmas-present">Christmas Present</h2>

<p class="pull-right"><img src="/images/posts/2015-06-13-the-trials-of-forming-a-party/eyebrows.gif" alt="Eyebrows" /></p>

<p>On Christmas Eve, <em>another month later</em>, I got an email from the EC saying that until the DRP remove the description, our application cannot proceed.</p>

<p>I thought they’d done that. Turns out they’d told the EC they wanted to, but not done all the paperwork.</p>

<p>After the Christmas break, I wrote a very nice email to Peter asking him to follow through and basically set us free. This is getting really tight now, and we’re worrying a lot.</p>

<h2 id="text-comparison">Text Comparison</h2>

<p>Peter agreed to sort that out, helpfully, and also during our conversation shared a list he obtained under FOI about other rejections that had happened over the previous few months; they were having their own issues with the EC at the time, amid concerns that the Commission might make them change their name.</p>

<p>Anyway, this unleashed the data nerd in me; I had a list of all the rejections, and the text which they were rejected for. Now I could find out what the commission considered “likely” to confuse.</p>

<p class="pull-right"><img src="https://38.media.tumblr.com/7ac20e0da793f63d30c0a55bb4a1ccb7/tumblr_np5v20glNN1rdszvgo1_400.gif" alt="Hackerman" /></p>

<p>I put all the names in a CSV file and wrote a bit of code to run them through some text similarity algorithms. I started with the Levenshtein distance, though that’s not great for different-length phrases, so moved to the Ruby <a href="https://github.com/valcker/similar_text-ruby">similar_text</a> gem.</p>

<p>The results are in a <a href="https://github.com/Floppy/electoral_commission_conflicts/blob/master/rejections.csv">CSV on GitHub</a>, and it was pretty clear straight away that we were an outlier. Every other rejection had a similarity score of over 50%, most over 60%. We were at 31% similar.</p>

<p>It didn’t really matter at this point, but it was interesting to see, and have some hard evidence to back up our view that the rejection was unjustified. I ran the same algorithm against the <a href="https://raw.githubusercontent.com/Floppy/electoral_commission_conflicts/master/registered.csv">full list of parties</a> for a laugh, and needless to say there were plenty that were more similar than ours that weren’t having trouble.</p>

<p>Should the Electoral Commission have an internal similarity test based on a particular algorithm? I think perhaps they should, otherwise the whole system seems very arbitrary. At least as a mathematical check, if not for the final decision.</p>

<h2 id="breakthrough">Breakthrough</h2>

<p>In mid-January, we get confirmation from the Electoral Commission that the DRP description has been removed, and that we’re back in the queue for review.</p>

<p>I start to feel hopeful. I don’t believe that the EC are being awkward on purpose, and now that the blocker is cleared, we should be good to go. I just have to hope that’s true.</p>

<p>Others are less sure, and the conversations about whether we need to get a new name rumble on.</p>

<h2 id="the-long-wait">The Long Wait</h2>

<p>My confidence starts to fade over the next 6 weeks as we wait to hear; I keep calling, keep offering help and information, but we’re just in the queue for review and need to wait.</p>

<p>I can’t find out how long this will take, at all. In late February, only a month away from nomination time, I’m getting really nervous. This might all be too late. I might have to be an Independent after all.</p>

<p>The Electoral Commission are SLOW.</p>

<p>Then, at the end of February, I finally get an email saying that we should be reviewed on Thursday. The committee apparently meet once a week(!) to review cases, and we should be up this week. As far as I can tell we’ve literally just been sitting in a pile for a month and a half.</p>

<p>I call back on the Monday after. Nope. Probably this week instead.</p>

<h2 id="success">Success</h2>

<p class="pull-right"><img src="/images/posts/2015-06-13-the-trials-of-forming-a-party/yes.gif" alt="Yes!" /></p>

<p>It seems like I called a thousand times, though I think it was only another week’s delay before, finally, we got it!</p>

<blockquote>
  <p>I am pleased to inform you that we have approved your application to register Something New and the party is now on the Great Britain register of political parties.</p>
</blockquote>

<p>They objected to a couple of our descriptions, and had left them off, but who cares! We’re in!</p>

<p>We were registered as <a href="http://search.electoralcommission.org.uk/English/Registrations/PP2486">PP2486</a>, just two and a bit weeks before nominations for the election opened. After 6 months of the process, that was <em>far</em> too close for comfort.</p>

<h2 id="what-a-pain">What a pain</h2>

<p>This was probably the biggest hurdle we had to get over in the whole election process. It wasted a lot of time, energy, and caused a lot of stress that was (in my view) completely unnecessary. Everything else went smoothly.</p>

<p>I don’t believe, unlike some, that the Commission were being obstructive intentionally. I do think though that their combination of vague internal guidance, unhelpful appeal procedures, inconsistent account management, and an extremely slow bureaucracy <em>can</em> make it look that way, sometimes.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[What did we spend?]]></title>
    <link href="https://floppy.org.uk/blog/2015/06/12/what-did-we-spend/"/>
    <updated>2015-06-12T08:30:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2015/06/12/what-did-we-spend</id>
    <content type="html"><![CDATA[<p>So, the spending returns are done, and <em>officially</em>, we raised £1620 in Horsham, but only spent £1195, leaving me with a profit of over £400! That is obvious bullshit, as you can see from our <a href="https://somethingnewuk.github.io/finances">open accounts</a>, so this post is all about what we <em>actually</em> spent over the last year. Also, I’ll look at what was useful, and what wasn’t.</p>

<h2 id="horsham-spending">Horsham Spending</h2>

<table class="table table-striped">
  <thead>
    <tr>
      <th>When</th>
      <th>Total</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Pre-campaign</td>
      <td>£244.06</td>
    </tr>
    <tr>
      <td>Long campaign</td>
      <td>£603.72</td>
    </tr>
    <tr>
      <td>Short campaign</td>
      <td>£1189.43</td>
    </tr>
    <tr>
      <td>Everything</td>
      <td>£2037.21</td>
    </tr>
  </tbody>
</table>

<p>The main difference here from the return is that the return doesn’t include:</p>

<ul>
  <li>Spending before 19th December 2014 (listed above as pre-campaign)</li>
  <li>Election deposit of £500 (during the long campaign)</li>
  <li>Crowdfunder fees of £97.20 (during the short campaign)</li>
</ul>

<p>So, we actually spent nearly double what was officially counted on the Horsham campaign itself.</p>

<h2 id="south-west-surrey-spending">South West Surrey Spending</h2>

<table class="table table-striped">
  <thead>
    <tr>
      <th>When</th>
      <th>Total</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Long campaign</td>
      <td>£500</td>
    </tr>
    <tr>
      <td>Short campaign</td>
      <td>£1087.73</td>
    </tr>
    <tr>
      <td>Total</td>
      <td>£1587.73</td>
    </tr>
  </tbody>
</table>

<p>We didn’t spend as much in the early days in South West Surrey, so it was all in the short campaign. Again though, the official return didn’t include deposit or crowdfunding fees. Here, we raised £750 against that spend from crowdfunding.</p>

<h2 id="national-spending">National spending</h2>

<table class="table table-striped">
  <thead>
    <tr>
      <th>When</th>
      <th>Total</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Sep 2014 to May 2015</td>
      <td>£548.96 (roughly)</td>
    </tr>
  </tbody>
</table>

<p>As well as spending on the local campaigns, there was some money spent on national-level stuff. This includes the party registration fee (£150), domain names, etc, but mostly it went on our NationBuilder subscription, which runs the website and manages our voter database. For a while we had multiple subdomains running for each local area, which bumped up the price a bit unnecessarily.</p>

<p>This stuff gets reported separately, sometime in the next month or so.</p>

<h2 id="everything">Everything</h2>

<p>So, all in all, for the party bootstrapping and 2015 election campaign across two constituencies:</p>

<table class="table table-striped">
  <thead>
    <tr>
      <th>What</th>
      <th>Total</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Raised</td>
      <td>£2370.00</td>
    </tr>
    <tr>
      <td>Spent</td>
      <td>£4173.90</td>
    </tr>
  </tbody>
</table>

<p>So, we’re a bit out of pocket, but a lot less than we would have been without our generous donors!</p>

<p>Just for fun; we got 695 votes, so we spent just over £6 per vote. Probably not massively efficient, but we were learning :)</p>

<h2 id="where-did-it-go">Where did it go?</h2>

<p>So most of the money went on the essentials; leaflets, deposits, fundraising fees. However, in Horsham there is about £400 that went elsewhere, which I probably could have used better.</p>

<h3 id="facebook-ads">Facebook ads</h3>

<p>Over the year, I dropped £73.93 on Facebook advertising, and I’m pretty sure that was basically like throwing it into a black hole. The first campaign, 20 quid or so to get some likes on the page when we started out, seemed fairly successful, but after that, it really wasn’t. I would advertise the meetups we were holding (more on that in a minute), and near the end was trying to push 30-second pitch videos etc.</p>

<p>Without exception, the engagement rate on those ads was really really low. Each time I decided it wasn’t worth it, then a month later would get suckered in again, thinking that perhaps this time the content would work better.</p>

<p>Social media advertising is a black art, and Facebook make you spend a lot of money to reach anyone these days. Organic reach is dead unless you’re very lucky, and unless you have a massive budget, Facebook’s not going to help.</p>

<p>I’ll probably fall for it again though; please remind me of this when I do.</p>

<h3 id="face-to-face-meetups">Face to face meetups</h3>

<p>Through the campaign, I really wanted to be <em>visible</em> to voters, to be somewhere accessible to them. I ran meetups around the constituency, every week for about 6 months.</p>

<p>Admission time; that was a <em>real</em> slog, because a lot of the time they were empty. Sometimes I’d have one or two people come along, and the conversations we had were great and useful, but in general this wasn’t an effective use of time or money.</p>

<p>I started by booking meeting rooms in local halls, etc, but then changed to mostly meeting in pubs once it became clear that was just throwing money down the drain. All in all, £282.70 went on hiring meeting rooms, which was in all honesty probably just wasted.</p>

<p>I think there were two main problems here. First, telling people about them was hard; I could have done better with newspaper ads, local newsletters, etc, but that would have cost more, and I don’t know it would have worked anyway. Facebook advertising, even when specifically targeted, didn’t help either.</p>

<p>That comes down to the second reason, which is that perhaps people don’t really want to engage in that way. Who wants to go to the pub and talk to a politician? Really? I wish they did; I wish we had the town-hall meetings that we used to have, and that still seem to happen in the US, but it’s not where we are now. It will take time to rebuild that type of engagement.</p>

<p>Still, I’m glad I tried. I’m glad I can look back and say that I <em>was</em> available to people (even if they didn’t know it or want it).</p>

<h2 id="thankyou">Thank you</h2>

<p>So, there you go - that’s where your (and a decent chunk of my) money went! The crowdfunding money paid for the important bits; the leaflets, the deposits, etc. The rest was out of my own pocket, so I don’t feel too guilty that some of it wasn’t very effective.</p>

<p>There are definitely lessons to learn for next time; the main one is to get some social media expertise involved, because although I basically live online, using it effectively to get a message out is a completely different thing!</p>

<p>Thanks to everyone who supported us with their donations; it wouldn’t have been possible without you. We love you all :)</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Election Returns]]></title>
    <link href="https://floppy.org.uk/blog/2015/06/03/election-returns/"/>
    <updated>2015-06-03T08:30:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2015/06/03/election-returns</id>
    <content type="html"><![CDATA[<p>I’ve put it off for too long, and so for the last couple of evenings I’ve been completing the election spending and donation returns for the Horsham campaign. I was warned that this was an awkward process, but it’s been basically fine (though we’ve not had to do any of the complex stuff).</p>

<p>The Electoral Commission, as always, provide a whole load of documentation and help with filling in the data, which you can <a href="https://www.electoralcommission.org.uk/i-am-a/candidate-or-agent/uk-parliamentary-general-election-great-britain">download from their website</a> (see the resources in Part 3).</p>

<p>The return has to be in within 35 days of the election, so we have around another 10 days to finish it.</p>

<h2 id="short-and-long">Short and long</h2>

<p>There are two returns to fill in; one for the long campaign (19th December to 29th March) and one for the short campaign (30th March to 7th May). You need to account for spending and donations during these periods separately.</p>

<h2 id="worksheets">Worksheets</h2>

<p>The commission provide two versions of the returns; PDF and Excel. I decided to fill it all out using Excel (well, LibreOffice), which would have been much quicker if they’d actually included formulae in the template sheets. As it was, I spent half the time putting in all the SUMs, cross-references, and so on that meant that it all added up correctly.</p>

<p>And of course, I had to do it twice, once for long and once for short, because there are two different sheets, even though they are basically identical except for the title.</p>

<p>Suggestions for the EC:</p>

<ul>
  <li>Make one sheet and have an option for short and long campaign. Less for you to maintain.</li>
  <li>Include the formulae so that using the sheet is harder to get wrong.</li>
  <li>Make a nice simple webapp for the form instead. Probably not high up the list, but it’s a really easy problem; you could have one in a couple of weeks of developer work.</li>
</ul>

<h2 id="the-data">The data</h2>

<p>We’ve been <a href="https://somethingnewuk.github.io/finances/">keeping our books openly</a> all along, so we had everything we needed all ready to go. We have even been assigning things to the return spending categories as we go so as to be ready to fill this in.</p>

<p>It’s hosted on GitHub in CSV files, and uses Jekyll to render the HTML views of each file. I started working on a Jekyll view to generate the actual return content as well, though there was so little to fill in that in the end I did it manually. I’d like to come back to that though, and make it so that our open data finances can automatically create the return numbers, not least so we can publish them ourselves.</p>

<p>I won’t publish the filled-in return we send in, as it includes donor addresses, which I would consider personal information. We already publish names, but I don’t think I should publish addresses for large donors, not without more thought anyway. Also, the commission will report the summary anyway, and you can see <a href="https://somethingnewuk.github.io/finances/horsham/donations.html">all the detail for yourself already</a>.</p>

<h2 id="points-of-interest">Points of Interest</h2>

<p>There are a few little points I learned along the way that are worth noting down:</p>

<h3 id="verifying-donors">Verifying donors</h3>

<p>You have to verify that all donors <em>over</em> £50 (not £50 and over) are registered voters. This, for me, involved calling up their local council’s election office and just asking. Given the name and address, they will just tell you if that’s right.</p>

<p>I suppose that’s fine, though it seemed a bit… easy. I didn’t have to prove anything about who I was, do anything in writing, or whatever. I guess it would be hard to abuse though; someone would notice if you were attempting to find someone by calling up 50 times with different addresses. Still, seems… leaky.</p>

<h3 id="overseas-donors">Overseas donors</h3>

<p>Our largest donor (thanks Phil!) is overseas, though is still a registered voter here, so can legally donate. The form has a space for the donor’s address, which I suppose means they can double check the donors with the councils. However, his is abroad, so wouldn’t identify the council. In the end, I just wrote in the space after his address “Overseas voter, registered with Brighton council”. Hopefully that will work.</p>

<h3 id="small-donations">Small donations</h3>

<p>The way the form is laid out, you only have to declare details of large donations over £50, but there is a box for “total donations” as well. If you’re filling it in with a formula, then you need somewhere to add in the small donation total, which isn’t there otherwise. I just added another row in the declared donations tab marked <code class="language-plaintext highlighter-rouge">&lt;=£50</code>, with the total. Obviously all those are shown in our open finances as well, split out properly.</p>

<p>Sidenote: I want to see UKIP do that, and prove just how much of their finance comes from small donors, as they love to say, and <a href="http://www.bbc.co.uk/news/election-2015-32340976">how much comes from the owner of the Daily Express</a>.</p>

<h3 id="crowdfunding">Crowdfunding</h3>

<p>As we were crowdfunding during both the long and short campaigns, I’ve split the funds raised across the two returns based on when people pledged, rather than when the money was taken (which would all be in the short campaign). That’s based on the fact that you report spending based on when an invoiced spend was <em>used</em>, instead of just the date on the invoice. Seems like the right thing to do.</p>

<h3 id="fees">Fees</h3>

<p>I had to call up the commission to ask about crowdfunding fees. Around £95 of the £1620 we raised ended up going to <a href="http://crowdfunder.co.uk">Crowdfunder.co.uk</a> (quite rightly), but it was unclear how this should be counted, and where.</p>

<p>The Electoral Commission are still getting to grips with crowdfunding, even though a <em>huge</em> number of candidates did it this time. They had to go off and check the answer to the question, and still didn’t actually completely answer it.</p>

<p>The answer (so far) is that the donations should be listed <em>as donated</em>, not with the fee removed. So, if you gave 100 quid to Crowdfunder for the campaign, it’s declared as £100, not £95. If you paid with PayPal, you also paid their small fee on top, though it was itemised separately. As it wasn’t reported <em>to you</em> as being part of your donation, I’m not considering it part of the donation.</p>

<p>The fee will be listed somewhere, though they’ve yet to get back to me on that. I’m guessing (and will update here when I know) that it will go in as an administration expense under section F.</p>

<p>UPDATE: The commission got back to me, and said that the fees shouldn’t be included in the spending return at all. That means it’s in the donation figure but not the spending, and so it looks like I’ve stashed some of the money away! Ah well.</p>

<p>I’m surprised the Commission are still so unprepared for this; wasn’t it obvious that it would be a thing this time? Why isn’t it explicitly mentioned in the guidance?</p>

<h3 id="deposit">Deposit</h3>

<p>One last note. You don’t declare the deposit as spending, and in fact you don’t have to declare money raised to cover the deposit as a campaign donation. We didn’t split it out that way, so I’m just declaring the lot. That’s why it might look like we raised more than we spent; I assure you that wasn’t the case!</p>

<h2 id="party-spending">Party spending</h2>

<p>We also have to declare any spending done by the party as a whole. This will include things like <a href="http://nationbuilder.com">NationBuilder</a> and  <a href="http://soundcloud.com">Soundcloud</a> fees, which were non-constituency specific. We have 3 months to fill in that return though, so I’ll come back to that another time.</p>

<h2 id="summary">Summary</h2>

<p>All in all, pretty simple, though a little time-consuming. We didn’t have to deal with unpaid invoices, rejected donations, or anything complex, so I guess that made it easier.</p>

<p>So, this has been about the form-filling really (always a good topic for a blog post). I’ll follow up soon with a post that actually goes into the spending data, and talk about what we spent, why, and whether it was worth it!</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[What's Next For Something New?]]></title>
    <link href="https://floppy.org.uk/blog/2015/05/12/whats-next-for-something-new/"/>
    <updated>2015-05-12T08:30:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2015/05/12/whats-next-for-something-new</id>
    <content type="html"><![CDATA[<div>
  Context for new readers: I formed a party called <a href="http://www.somethingnew.org.uk">Something New</a> and stood in the 2015
  general election in Horsham. We're a party based on open source principles, and
  do all our policymaking openly online through the <a href="https://openpolitics.org.uk/manifesto">OpenPolitics Manifesto</a>.
</div>

<p>The general election is over, and I have to say I really enjoyed the experience. It
was hard work, but it felt <em>so good</em> to be putting across something positive rather
than just complaining about the various options. I don’t think I’ve ever seen a
campaign indulge in such negativity and fearmongering as this one did, so it was
a real pleasure to be able to rise above it!</p>

<h2 id="the-results">The results</h2>

<p>Our <a href="http://www.somethingnew.org.uk/may_2015_election_results">full results</a>
are on the Something New site, but in the General Election, we
got 375 votes in Horsham, and 320 in South West Surrey. That’s 0.66% and 0.56%
respectively.</p>

<p>That may not sound like a lot, but when compared to other small parties and independents,
we did great! We’ve tallied a <a href="https://docs.google.com/spreadsheets/d/19x3dHw_CZA3DGejNzzkJtFSlChdT8HcqpRvmoN_fiTQ/edit?usp=sharing">list of other candidates</a> standing on future-democracy type platforms,
and both our results come right up near the top. Doing that in our first election, in very
(small c and big C) conservative areas, is something to be proud of.</p>

<p>I think that shows that we have something here worth building on, and so I’d like
to answer the one question that everyone asks:</p>

<h2 id="whats-next">What’s next?</h2>

<p>We’re starting to think about the 2016 round of elections, and we have a by-election in
Stepney Green in a few weeks, but as leader, I’m thinking mostly about how the party evolves.</p>

<p>The party exists because in the current political climate, names are important, and
a strong name and brand can help cement your values in the minds of voters. I was originally
going to stand as an independent, but always wanted it to be a party, because
that means we can build something up into a movement. I love independent candidates; I wish
every MP was an independent, but I don’t think our system is ready to accept that yet. I think
we have to work within the system to change it. Ideally I’d like parties not to exist either,
which I think makes Something New the only party that wants to deprecate itself.</p>

<p>The same goes for small parties. The job of changing the country is huge, much too big for any of us alone.
We have to work together.</p>

<p>After the industrial revolution, the labour movement came together to find its political
voice, which has dominated British politics ever since. The network revolution will be the
same. Our generation, which is more interconnected than humanity has ever been, will find
its political movement. People are <a href="https://medium.com/@azeem/the-empty-quadrant-8c4b1e9d0ac1">calling for it</a> <a href="https://medium.com/@timleroyis/i-refuse-to-be-crushed-by-the-tory-victory-even-this-dark-dark-blue-election-result-has-silver-e32995ea0a1a">all over the place</a>. The politics of the network is rising.</p>

<h2 id="lets-work-together">Let’s work together</h2>

<p>Now I’m talking directly to the <a href="http://pirateparty.org.uk">Pirate Party</a>, the <a href="http://i-dems.co.uk">Internet Democrats</a>,
<a href="http://rebootingdemocracy.uk">Rebooting Democracy</a>, <a href="http://truedemocracy.uk">Digital Democracy</a>, the <a href="http://whigs.uk">Whig Party</a>, <a href="http://mymp2015.org.uk">MyMP</a>, <a href="http://www.wearepopulace.uk/">Populace Party</a>,
<a href="http://voxpopgov.com/">Vox Pop</a>, <a href="http://www.democraticreform.co.uk/">Democratic Reform</a>, a whole load of Independents, and everyone else interested in this movement.</p>

<p>My message for you is simple.</p>

<p><strong>Let’s join together to build a single movement, a broad 21st century progressive political party with the network
at its heart, that can push for a better future. Let’s merge our communities to build something big enough to change the UK for the better.</strong></p>

<p>Let me be clear; I don’t care what that party is called (as long as it resonates with voters). I don’t care who is in charge. This is <em>not</em> a power grab. It’s an honest attempt to build something that can have an impact.</p>

<p>We can talk about names, logos, technology, all that, later. But if we agree on our <a href="http://www.somethingnew.org.uk/our_values">values</a> and what we want to build, let’s join together and get to work.</p>

<h2 id="what-about-something-new">What about Something New?</h2>

<p>That said, I do have something to humbly add.</p>

<p><strong>I believe that Something New’s results show that the message we have put across is worth pursuing.</strong></p>

<p>We tested our message and brand in a very non-progressive area, with almost no money, minimal help, and
no major media exposure, and it <em>worked</em>. We got better results than almost all of our allied candidates and friends. I don’t say this to boast, or try to score points. I say this because <em>I think it might help</em>.</p>

<p>We set out on this path to test if the message would resonate. I think we passed that test.</p>

<p>So, as a starting point, I would like to invite all those parties to merge with us.
Again, not so that I can be in charge, or through arrogance, but because <em>someone</em> has to
convene this, and I think we are in a good position to do so. As I said, we can talk about
names, logos, identity, whatever. I’m open-minded on it, and we know we can’t be
“Something New” forever.</p>

<p>Single-issue parties won’t change anything. Small fragmented parties won’t change anything. The old 20th century parties won’t change anything. But together, we just might be able to <a href="http://www.somethingnew.org.uk/volunteer">build a new choice</a> for a society that is demanding change.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[The Count]]></title>
    <link href="https://floppy.org.uk/blog/2015/05/08/the-count/"/>
    <updated>2015-05-08T07:51:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2015/05/08/the-count</id>
    <content type="html"><![CDATA[<h2 id="0005">00:05</h2>

<p>So, this is it. I’m writing this from the coffee shop at the Horsham count, at about midnight. This is my first count, so I’ll try to explain what it’s all about. Obviously I can’t disclose information during the count, so this will be published in the morning once it’s all over.</p>

<p>We’re in a sports hall at Christ’s Hospital School (which fortunately has public gym membership, therefore a decent coffee shop). The room is laid out with a bunch of tables, laid out in a sort of snake. The counters are all on one side, and the candidates and agents are all on the other. They count, and we can watch everything that’s happening from the other side of the tables.</p>

<p>It’s a bit odd just staring at what people are doing like they’re zoo animals, but I guess it goes with the territory. We’re all looking at the ballots anyway. I can’t help feeling that I should help out though!</p>

<p>Whenever a polling station box arrives, it’s dumped out and bundled up into batches of 25 papers. There’s no counting per candidate at this stage, but the agents are watching and keeping their own tallies, trying to get a bit of intelligence before the candidate counting starts in a couple of hours. At this point they’re just checking that there aren’t more votes than voters in each area. I guess also it’ll tell us turnout reasonably early on, though I don’t think we will be told.</p>

<p>As it stands, I’ve seen a few votes for me go by, which is nice. I’ve got no idea how that translates into a percentage, though the agents who are keeping tallies might do. There are lots of agents with clipboards keeping counts, but I’m just wandering around like the aforementioned zoo visitor, gawping.</p>

<p>For now though, it’s quiet and efficient.</p>

<h2 id="0200">02:00</h2>

<p>Still going on the preliminary count, but it’s drawing to a close. The counters have checked and bundled the parliamentary votes, and also the local council votes to make sure there aren’t any missed ballots that went into the wrong box. Those will be counted in detail tomorrow.</p>

<p>So we should be seeing the proper count of the parliamentary ballots soon, I think. From looking at the ballots I’ve seen, I’ve certainly got some votes, and I’m probably not last, but I’ve still got no idea whether I’ll hit my own preferred outcome…</p>

<p>There are a lot of party activists hanging around; there are herds of kippers roaming the hall looking grumpy, which makes me happy at least.</p>

<p>Interestingly, the way the ballots are counted, I’m pretty sure that we <em>could</em> get results by ward, and probably by polling station even, which would be really interesting. However, those internal counts aren’t reported publicly. How can we make that happen, I wonder?</p>

<h2 id="0330">03:30</h2>

<p>Yeah, the verification step is going on a long time. The 04:30 estimate for the declaration is out of the window. We’ve had three elections (parish, district and parliamentary) in some places, and verifying all of those to make sure there aren’t any votes in the wrong place has taken a long time. We’re just wrapping up the last few outlying wards, and then the next stage will start.</p>

<p>The baskets are out on some of the counting tables for the candidates. The ballots will be separated into the baskets first, then counted. Spoilt or doubtful ballots are separated for inspection as well at this point.</p>

<p>I’m desperate to take a picture of my (empty) ballot basket, but phones are banned in here, and I’m going to play by the rules. Not long though, and we’ll start to get a decent picture of the result and how I’m faring against the other small party candidates.</p>

<p>I’m heading up to the coffee shop to watch the rest of the country’s results coming in every now and again. In general it looks pretty bad for progressives, which is disappointing. There are plenty of morose Lib Dems wandering around here, certainly…</p>

<h2 id="0345">03:45</h2>

<p>And we’re off! The ballots are being sorted into candidates. Interestingly, each table has a slightly different method, so in some places you can tell what’s going on, and some you can’t. I can tell straight away though that my target outcome of 5th place is probably not going to happen; the Greens have a good deal stronger showing, by the look of it. Still hoping for 6th though. This is probably going to take a couple of hours yet…</p>

<h2 id="0400">04:00</h2>

<p>The coffee shop has closed. FML.</p>

<h2 id="0530">05:30</h2>

<p>The basketing and bundling is pretty much done now. We’ve just been round each table and reviewed the doubtful ballots. Lots of “none of the aboves”; we should definitely be counting those properly. Currently they get bunged in with the unmarked and unclear ones, which is a pity. Ideally there should be a box on the form.</p>

<p>Also quite a few voting multiple times, normally with the same number of votes as for the district elections which people did at the same time.</p>

<p>Corrections tend to get accepted and counted for the corrected candidate, BUT in a couple of cases the voter signed their name next to the correction, like you might do with a cheque. Unfortunately that makes it invalid, as the voter can be identified. Even more unfortunately, one of those was mine :(</p>

<p>We’re very nearly there now. The bundles will be tallied up, and we should have an announcement soon, I think. I won’t beat the Green Party, as was my ideal goal, so it’ll be a scrap for the bottom three places. Too soon to tell where we end up. I’m certainly in triple figures rather than quadruple.</p>

<h2 id="0700">07:00</h2>

<p>And we’re declared, finally. The candidates and agents get a preview of the final numbers before the announcement, and that’s it. They didn’t get us on stage and do speeches for anyone except the winner (a resounding Conservative victory, obviously). I guess Horsham is too obvious a result to bother with TV coverage.</p>

<p>Anyway, our result. I got 375 votes (0.7%), putting me in sixth place out of eight. Paul also got 320 (0.6%) in South West Surrey. While those might not seem like big numbers, they are probably enough to work with in the next phase of Something New, and to use in whatever comes next. I’ll talk a bit more about what that plan is once I’ve had a sleep.</p>

<p>For now though: thanks to everyone who supported us, with your encouragement, votes, fundraising, and belief. This is only the beginning; a better democracy is coming, and nothing can stop it. It’s just a matter of when.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Anatomy of a Hijack]]></title>
    <link href="https://floppy.org.uk/blog/2015/04/16/anatomy-of-a-hijack/"/>
    <updated>2015-04-16T17:00:00+00:00</updated>
    <id>https://floppy.org.uk/blog/2015/04/16/anatomy-of-a-hijack</id>
    <content type="html"><![CDATA[<p>This post is a brief diversion from election updates to recount the story of 
an attempted account hijacking and theft that happened to me on Monday, and what can be 
learned from it. This might be quite long, but you never know; might be 
interesting to someone.</p>

<h2 id="unusual-activity">Unusual activity</h2>

<p>So, the first thing I know is when I get a call from my bank, about possible unusual
account activity. These happen every now and again - you call back, confirm some 
transactions, and everything’s fine.</p>

<p>So, I call up, and get put on hold for the fraud dept. Unfortunately I have a meeting
and have to hang up. An hour and a half later, I call back, and after some strangeness
with my account access PIN not seeming to work, we find one unidentified transaction. So,
my card is cancelled, and another will be in the post. This happens sometimes, I guess. End of story.</p>

<h2 id="wheres-my-sim">Where’s my SIM?</h2>

<p>An hour after that, I get a text on my phone, thanking me for transferring to my
new SIM card, and that the old one will be disconnected. I immediately call my mobile
operator to see what’s going on, but my phone dies a couple of minutes later, kicked
off the network.</p>

<p>Uh oh.</p>

<p>At this point I’m getting worried about Twitter hijacking, or somesuch. After all, we all
have two-factor authentication set up to send SMS codes to our phones these days, right?</p>

<p>So, I borrow a phone from a colleague, and call the operator. Once I get through, they confirm that
my number has been transferred to another SIM on my request. I tell them to kill it <em>immediately</em>, 
because that was NOT ME.</p>

<p>Once that’s done, and we’ve added some new security questions, we look at how this happened. 
The log shows that the previous caller didn’t know the account PIN, but confirmed 
ownership of the number by verifying the last direct debit amount taken from my bank account.</p>

<p>Oh, shit. They’re in the bank account.</p>

<h2 id="calling-the-bank-back">Calling the bank back</h2>

<p>Check the online banking - I can’t get in.</p>

<p>So I call the bank and get immediately routed through to the fraud department and
go through an unusually large amount of security. They inform me that yes, something 
strange is happening, and did I by any chance recently make a large transfer out 
of my retirement savings?</p>

<p>Er, NO.</p>

<p>That’s OK, they say, we didn’t think so, and we didn’t let it through. The accounts 
are safe, and everything has been locked down. The attacker isn’t getting any further.</p>

<p>We set a special password that I make up on the spot so that nobody except me can access
the account until everything is reset with new information.</p>

<p>Finally, after a fraught hour on the phone, I can relax a bit. We’re safe it seems.</p>

<h2 id="so-what-happened">So, what happened?</h2>

<p>It seems the fraudster and I were interleaving calls all day.</p>

<p>After my first call, coincidentally, they called the bank and pretended to be me. The
number was withheld, but they identified and passed security by giving my name, address, 
email, mobile number, card number and expiry.</p>

<p>As you might notice, all of that would be available to a store with whom I ordered something online.
And that got them all the way into my account, or at least far enough for the next part. So much
for security; we know that the security questions that protect the account online <em>weren’t asked</em>.</p>

<p>Anyway, once they were in there, I guess they looked up the most recent direct debits; found my mobile operator, 
and got the last amount I paid them. They then reset the security PIN (hence my failure to get in on the 
second call) and called my mobile operator to swap the SIM cards for my number.</p>

<p>They got control of my mobile number pretty much straight away; how do criminals get this level of 
service? Normally moving a number is a total pain in the arse.</p>

<p>Anyway, once they had that, they called the bank back (I was probably already on the phone to the operator at this
point), and with the extra identification of calling on my number, initiated the transfer. The 
bank were suspicious though;
they called my number back, and got them again, but weren’t happy about the response. They locked everything 
down, and their ride was over.</p>

<h2 id="what-went-right">What went right?</h2>

<p>So, the bank spotted the probe, and the hijack in time, so I didn’t lose anything. That’s good.</p>

<p>My mobile operator sent me a text with a reference number before they disconnected the phone. That’s also good.</p>

<p>But…</p>

<h2 id="what-went-wrong">What went wrong?</h2>

<p>This all comes down to companies being willing to work around their own security on the phone.
If you act the idiot and claim you don’t have the security information, it doesn’t seem to take a lot
to get in at least to the point where you can start to escalate.</p>

<p>The message I left the bank with after our various calls, was that this was <em>all their fault</em>. By
allowing callers to work around security, they are exposing my accounts to hijacking. None of this
was on me, as far as I can tell. Saying “don’t use online shopping” these days is not an option, because
even if you shop offline, all that data is linked to, say, your Tesco clubcard. It’s basically available
to anyone.</p>

<p>We all need to get more security conscious, and that doesn’t just mean having passwords; it also means 
companies asking for them, and denying callers access even if it pisses off a customer or two.</p>

<h2 id="what-did-we-learn">What did we learn?</h2>

<h3 id="the-weakest-security-link-is-always-the-humans">The weakest security link is always the humans</h3>

<p>My digital security is good; unique strong passwords, held in a secure password store 
behind another strong password. It would be hard to compromise. However, this attacker
had only a bunch of data that you could hoover up from any online store order. Nothing
specifically about me - they didn’t know who I was, where I went to school, my mother’s maiden
name, nothing. But it was enough to convince the bank that they were me. Social engineering is,
as always, the best way to break security.</p>

<p>I guess that the banks and mobile companies have to deal with a lot of people who forget their
security details all the time, so they have to subvert their own security in this way. 
That’s… terrifying.</p>

<h3 id="dont-use-real-information-in-security-questions">Don’t use real information in security questions</h3>

<p>My security questions weren’t asked, so weren’t compromised, but now I’ve changed them, I’ve 
decided not to use real information in these ever again. It’s far too easy to find my mother’s 
maiden name, or where I was born. From now on, this stuff gets made up.</p>

<h3 id="attacks-are-more-complex-than-you-think">Attacks are more complex than you think</h3>

<p>This was a five-stage attack. First the obtaining of the merchant data with my details in.
Second, the probe, to see if the card was still active. Then the simple human exploit to get 
into the bank account in a read-only capacity, followed by the phone hijack and the 
final transfer attack.</p>

<p>While the later stages can seem more secure, a simple breach earlier on can leak more information
that allows the attacker to escalate their privileges.</p>

<p>Also, attackers <em>know</em> which attacks to use for particular services. It seems likely that the first
call to the bank was intentionally looking for more information to escalate privileges with. Once
they found my mobile operator, they knew that they would take the direct debit details as proof, so off they went.</p>

<h3 id="sms-two-factor-security-is-not-good-enough">SMS two-factor security is not good enough</h3>

<p>I’m going to switch to authenticator app security codes, I think, where I can. My mobile is too 
easy to hijack to be a sufficiently good part of the security chain. I was immediately worried that
the mobile hijack was a two-factor auth crack attempt. In the meantime, my authenticator app codes
remained secure on the physical device, not linked to the number.</p>

<h3 id="be-careful-with-incoming-calls-etc">Be careful with incoming calls etc</h3>

<p>A few times I had calls from the bank during this process, and I always asked them to prove to me who
they were first. They didn’t know what to do. In the end I just had to make up my own security, and ask
names of people who had dealt with my case previously, as that’s the only information I could think 
they could confirm. I think I might get a password put on my account for them to tell me in future. Not hard!</p>

<p>They also send special fraud centre phone numbers in emails and texts. I never called them, but instead 
always called the general customer service number and asked to be put through to the right area. How do
I know where the email is really from? Publish a PGP key on your site so I can verify the email, and I’ll 
call the thing you want me to. Otherwise, no way.</p>

<p>The companies themselves are teaching people security antipatterns by doing this sort of shit.</p>

<h2 id="will-it-get-fixed">Will it get fixed?</h2>

<p>I suspect that as long as this sort of fraud costs the banks less than the cost of better security, then they
won’t fix it. Therefore, I really don’t expect anything to change, unfortunately.</p>

<p>At least all I got was an afternoon of stress, and a few days without a mobile phone and debit card. Nothing was lost in the end, and a few valuable lessons were learned. That’s a win, I guess?</p>
]]></content>
  </entry>
  
</feed>
