Fishy Facebook Ads: Earthly Citizens, Shutter & Contrast, and many more

(If you prefer this in form of a Twitter thread, see this one.)

Let’s start with the usual disclaimer that despite me working for a company that sells advertisement, this post is my own personal opinion, not my employer’s. I have written about Internet ads for years, well before I joined the company, and so it’s nothing new. To the usual disclaimer I’m going to add a few words to point out that there will be a few company names used in this post — I’ll be very clear when I think they are involved in something fishy, and when I think they are not involved at all.

This all starts with me deciding to get myself a new camera. While I’m very happy about the photos that my usual camera produces, I wanted something lighter that I could go around town more often with. But I also have been having issues with my shoulder, and I’ve been looking out for a good “handy” backpack to keep my stuff in. This is all relevant information.

Indeed, if you follow me on Twitter you may have seen me asking around for suggestions on backpacks. And this is also relevant: since I’m actually not minding ads for relevant content for myself, I have not hidden my looking for a new bag, I spoke about it on social media, and I have searched for backpacks and bags on my normal Google session. This is, again, all relevant information.

Because of my Google searches, I have been seeing a lot of ads related to photography. Including the one for the chain of photography stores that convinced me to go and grab my new camera from them. Very few of those ads are useful to me, but that one in particular has been.

Then the other day, on Instagram, I saw the ads for a backpack from a never-heard-before company advertising as Earthly Citizens. I’m not going to link directly to their website, although I’m choosing to explicitly name them here so that people who may be looking for them on Google and other search engines have a landing page helping them. The backpack that they advertised is this one (archived link) and it actually looks very nice in theory, on offer at £87.75 compared to a RRP of £159.61. To compare, my trusty Think Tank Airport Essentials is £147.04, and that’s one hell of a good bag.

The amount of red flags on that advertisement was high: unknown brand, no branding on the actual bag, unrealistic “flash sale” with no dates on it, and so on. So I didn’t really pay much attention. Then of course, since I have looked at the ad, I started seeing the same bag on Facebook — together with nearly 900 positive comments. I decided to do a minimum amount of digging into it, and found out that the website that the ad points to is a standard Shopify instance, which means that digging into it with IP addresses or WhoIs information is useless. And since there’s no address provided for the company even on privacy pages, there’s not much to go by. I walked away.

A day later, another set of ads started appearing on my Facebook stream, and they are for a backpack that is stunningly similar, or rather identical. But from a different page that has a more “photography” feel to it, called “Shutter & Contrast”. And that piqued my interest a little bit, because it sounded like another one of those cloned bags that I have seen aplenty on Instagram, and I would actually like to find the source at that point.

Just like Earthly Citizens, Shutter & Contrast don’t seem to be very well reviewed. Searching the web for the name and combination of reviews, backpack and scam doesn’t bring up anything useful. They also have a Shopify site, although their page for the same backpack (archived, again) is a bit more somber and “professional-looking”.

Funnily enough, it looks like they have blocked copy-paste and right-click, so that you can’t quickly reverse-image-search their photos. It didn’t surprise me, as I remembered a BuzzFeed article on fake fashion stores outright stealing real designers’ photos, so stopping the quickest reverse image search option would obviously be high in their intentions. Of course it’s actually easy to work around this, with any of the browsers’ developer tools.

Another interesting part from the Shutter & Contrast shop page is that they actually have an address in their Privacy Page: 11923 NE Sumner St, STE 813872, Portland, Oregon, 97220, USA. Again I’m repeating it here for the sake of those looking for any information on this company, because if you look up the address, you’ll probably find a Yelp page for a closed location called My Trail Gear, although it has a different “STE” number. The reviews call this a scam and point out that there are at least two more companies using the address, called “Bear and Tees” and “Shark and Tees”.

Checking the address on StreetView shows a smallish warehouse. My best guess is that there’s a service at that address that is similar to Ireland’s Parcel Motel and Parcel Wizard: companies that allow you to receive and send goods from that address, and then forward it somewhere else. The different “STE” numbers are used to route the parcels to the right customer. This means that despite the bad reviews on Yelp, Shutter & Contrast might be legit.

So I decided to take a closer look at the first one again. Earthly Citizens has a fairly active Facebook page, and if you read their About section, it says:

Our goal is to source all the best travel related documents from all around the world and bring them directly to your doorstep

Earthly Citizens Facebook Page

They don’t seem to be doing anything like that. Instead they seem to mostly re-post Instagram pictures by other people. At least it appears they are crediting the photographers — but it’s clear that they are using someone else’s pictures for their own marketing (so that they get people to follow their account). This should be worrisome enough, but it doesn’t stop there.

If you look at what they sell, they appear to be selling a lot of random stuff that you would find in those trinkets/gadgets shops in big malls, without brands, rhyme, or reason. So it does not look like they are the “source” of that bag to begin with. But is Shutter & Contrast then?

Earthly Citizens say that there are “too many fake websites that steal content”. They would know since they seem to be one.

A very quick reverse image search finds the same exact image appears on AliExpress (not archived because they seem to defeat it), the Chinese shopping website. There are multiple sellers for it there as well, and most of them have the same images — the same images that both Earthly Citizens and Shutter & Contrast used on their website.

It might very well be that these are the bag equivalent of Gongkai, as there are a few stores that sell them, and the fact that they come from Guangdong does not mean they are not good. I have a lovely tripod I bought at the Shanghai Xing Guang Photography Market, it’s a Chinese brand, it’s proper carbon fiber, and I paid for it half the price that you would pay in store in Europe, taxes included. If that is the case, the markups that Earthly Citizens and Shutter & Contrast are applying are thievery: they price it at $110 and $83 respectively, while AliExpress’s most expensive seller has it at $52.

But there is one thing that I forgot about during my Twitter rant, and that my girlfriend pointed out: what about the pictures of people in the advertising? Neither AliExpress nor Earthly Citizens appear to have a picture of the backpack with a person. There are people with cameras, but nobody with the actual backpack that you can reverse image search for. There is a video on Earthly Citizens’s Facebook page, which is the same used by the Instagram ad, and that suggests that the bag physically exists, but it’s heavily watermarked, which makes it hard to find the source. Shutter & Contrast has a video unlisted on YouTube, on a white background with no logos shown, and just re-captioned to fit their marketing of it. It appears uploaded in February 2019.

More useful, Shutter & Contrast appear to also have a still picture of someone wearing what looks like the backpack they are selling, and that’s the first time in this adventure I managed to find that. Reverse image search brings us to yet another Shopify instance under the name ConnectedTechPacks (archived), which can also be found as BestGearPack. Their website is a bit more well made, and it appears to only sell that single backpack. Are they the source? I doubt so, since both websites were registered in April this year, and we know that the backpack existed in February. But they also have a couple of different people with the same backpack, and another angle of the same guy.

Another reverse image search later finds yet another Shopify instance with the same backpack, a set of GIF animations that are also heavily watermarked, but are the same as Earthly Citizens’s version.

So where did all this investigation bring us? Not really anywhere. I can’t find any trustworthy brand selling the backpack, and while I may be willing to risk my £40 on the AliExpress version – rather than twice as much with any of the other Shopify instances that I found – I don’t hold my breath for it to look at all like they show it, or have the build quality that I would trust my cameras with.

It does show just how easy it is to fool people nowadays. It’s easy to set up a “storefront” without needing an actual space anymore. It’s easy to “gain trust” by having people follow your page with no original content, just by re-posting content that professionals provided.

What about the 900 positive comments that the ad received? Well it’s possible that they are actual real satisfied customers who didn’t realize they got charged probably twice as much as they should have for the same bag you can get from AliExpress. Or they may be “bought engagement”. Or just a bunch of bots that have harvested someone else’s name and pictures to create fake profiles to sell the stuff.

You know all the panic around politics and elections and fake profiles? It’s not just the elections. Fake profiles sell scams. And that can hurt people just as much as political elections. I remember when it was just the artists complaining about pages re-posting their content… we should have paid attention then. Now the same pages and the same techniques are used for more nefarious purposes and we all pay the price, sooner or later.

A FreeStyle Libre Update

The last time I wrote anything interesting about Abbott’s flash glucose monitor (don’t call it a CGM) was when I compared it with the underwhelming Dexcom G6. I thought it would be a good time to provide an update, what with Abbott sending a number of emails reminding you to update their FreeStyle LibreLink app in the past couple of weeks.

First of all, there’s the matter of supplies. Back in January, I decided to test Dexcom’s CGM because Abbott’s supply issues bit me in the backside, as I could not get new sensors to keep up with my usage — particularly as the more active life in London with my girlfriend meant losing a couple more sensors to mistakes, such as bumping into the doorframe. For a while, you could only buy three sensors every 25 days, and even then, sometimes the lead time to fulfill the order would be over a week; nowadays this appears to be much better, and the time limit for the orders was removed recently.

Since I was not particularly thrilled to switch to the Dexcom G6, I had to find a way around these limits, beside counting on the two extra sensors I “gained” by not using the Libre for a month. Luck was that a friend of my girlfriend found the Libre sensors on sale in a brick-and-mortar store in Sharjah, and managed to send me six of them. The store had no limits on how many sensors you could buy, despite the FreeStyle UK website only allowing orders of three at most, and only to already-established customers.

The UAE-bought sensors are effectively the same as the British ones, with the same manufacturing information printed on them, and even similar enough lot numbers. The most visible difference is that the two alcohol-soaked tissues, provided for cleaning the insertion point, are missing.

The other difference is not visible in the packaging, or indeed on the hardware itself: the sensors are region-locked. Or maybe we should say that the app is. As it is, my (UK) FreeStyle LibreLink install did not want to set up the UAE-bought sensors. The reader device had no such concern and both initialised and read them just fine. I was originally a bit concerned and spot-checked the values with fingersticks, but it looked like there was no issue with the sensors at all.

I’ve been wondering just how much the supply problem connects with the region locking. Or just how fine-grained the region locking is: my Irish sensors worked perfectly fine with the UK app, although by that point, the app was not available in Ireland at all. But possibly all of these problems are gone.

Now, to go back to Abbott’s email messages to update their LibreLink app. The reason for this update is not much about the UI of the app itself – although that did change a bit, in subtle and annoying ways – but rather a change in their algorithm for turning the sensors’ readings into a human-understandable blood glucose reading. The “curve”, as it’s sometimes referred to. It’s important to note that what the sensors communicate with either the app or the reader device are not “fully cooked” blood sugar readings, but rather a set of different sensor readings, and that the app and reader will then apply some formulas to provide an equivalent reading to a fingerstick.

Much more interesting to me, in the announcement of the new curve, is that they also suggest that users update the firmware of reader devices to make use of the new fine-tuned algorithm. This is interesting because it makes the FreeStyle Libre the first glucometer with an upgradeable firmware. I have not actually run the update myself, yet. It needs to be done just before changing the sensor, as the reader will forget about its last sensor at that point, and I’m a bit worried that it might not work with UAE-bought sensors anymore after that. So I’m instead waiting to finish the supply of those sensors, and maybe get another one later to test after the update.

I also want to try to get a usbmon trace of the whole procedure for the firmware update. I’m not sure when Abbott will ever publish another update for the reader, but at least starting to collect the protocol would be interesting. Once I do that, you can expect another blog post on the topic.

And as a final note, glucometerutils is being updated as I type this to support reading and setting patient names. While I would not suggest people use that field for their own personal glucometer, I thought it would be nice to provide the building block for more doctor-focused apps to be built out of it. As a reminder, the code is released under the MIT license, because using it to build something else is a primary focus of it — we need better tooling for glucometers, and not just in the Free Software world, but in the world in general!

A story of ordinary discrimination

I don’t like writing about politics, despite me having strong opinions on some matters. The last time I spent time writing about this, it was about xenophobia in software, and this time it’s a very related story.

Before I start with the tale, I need to prefix that at a first read, it might sound like I’m making a mountain out of a molehill. This is probably true for me, as I’m playing on the lowest difficulty setting, being white, wealthy and from a country that is, in most parts of the world, well considered (what I have read more than a few racist commenters define as “a good immigrant”). I want you to think twice, though, if this would be just as “silly” for someone with a higher difficulty setting.

So this tale starts with me signing up for an energy supplier programme. This is a Very British Thing to do, so let me explain a bit about this. Like at least a few countries in Europe, and all those I lived in, the UK has a “liberalised” energy market, which means the consumers (including the tenants) can choose which company to give their money to, for their electricity (or gas).

Because of human nature, capitalism, marketing, and whatever else happens, the normal behaviour of these suppliers is to offer you what is usually a very good deal with a lock-in contract of 12 months. After the contract expires, you’re on a monthly-basis on a terrible tariff — you can then either choose to lock in with them for another 12 months for a less-terrible tariff, or switch supplier to one that offers you a better deal yet. From a purely monetary point of view, switching is always a winning strategy. From the human point of view of not wanting to bother, it’s not uncommon to renew with the same supplier, or even not noticing the contract expired and being overcharged.

Since looking at different suppliers, figuring out the best option, and actually switching are time-consuming tasks, it can get to the point where the money saved is not worth the time spent. And that created an opportunity for middlemen to insert themselves into the picture, in the form of energy supplier switching programmes. These programmes take your information, find you a better deal, and even sign you up to switch, with various degrees of automation.

iChoosr in particular tries to find deals for groups, with the idea that you can get a better deal from a supplier by giving them a ballpark of how many people would sign up for it. This is the middleman that Unite the union chose to run their twice-yearly switching programme. I signed up for it last year, because I was able to — I was provided with a no-lock-in contract with EDF when I moved into the apartment, but was getting annoyed at them calling me every two weeks or so to ask me if I wanted to install a smart meter (my landlord didn’t want one, I didn’t want to bother).

Last year, the chosen supplier was So Energy, which turned out to have a very friendly website, too. I switched. Then this year when the time for renewal came I signed up for the programme again. The answer was different this year (unsurprisingly), and E-On Energy was chosen, which was even more interesting to me, as Santander also had a “retailer offer” to sign up for E-On.

And here is where things went badly. I got the offer and went to their website to fill in the form, but when I stated that I lived at this address for only one year and eight months, I was asked for my previous address, which had to be in the UK. No overseas address option was available in the form. And I couldn’t even mess with the fields, because it wanted to look up the address by (UK) post code.

I already wrote about this in the previous post of course. So that’s not entirely surprising either, but it is a non-small annoyance. It turns out that you need three years of addresses in the UK to be able to pass the credit check that E-On requires. It’s a “tax on the immigrants” in the sense that you will have to choose a more expensive supplier if you can’t provide that data. I decided to renew with So Energy, if nothing else because they are not unfriendly to recent immigrants — and the difference being less than £100 a year made it not worth the hassle to chase E-On around.

I did, though, send a complaint to iChoosr about the fact that their service is not friendly to immigrants. And today that complaint got an answer:

Dear Mr Diego Elio Petteno,

Thank you for contacting us.

We are sorry for any inconvenience this may have caused. Please note that the system asks for your previous address for the credit check by the supplier. However, if your previous address is not in the UK we would advise you to please fill out that you have lived in the UK more than 3 years. That way you may be able to complete your switchover process.

For your convenience Please find below the link to your personal offer (if the link does not work then copy the entire link and paste it into your browser’s address bar). This page provides you with your personal details, current energy figures and your offer:

[Continues with usual drivel with link and request for information — F]

“Dianah” from iChoosr support

As I complained on Twitter after reading this email, their answer is worse than the problem! (El tacon pexo del buxo in my dialect.) They suggested, in writing, for me to lie on a credit check form. Let’s not even comment on how they keep calling it a “personal offer”, given that it is not available to me.

Now it is very possible that, all other things being the same, the credit check would pass just fine. If nothing else, Santander giving me a credit card seems to have taken care of most of those problems. And to be honest, I could probably just have asked my girlfriend to sign up in my place, since she’s been living in the UK much longer than me. But beside me not wanting to give money to a discriminating supplier, there is the other “small” problem of lying in credit check forms.

Again, remember I’m playing at the lowest difficulty level. Lying on the credit check form will probably not do me any harm. But what about a worker with a lower salary who just arrived from a different country? What if the credit company noticed the inconsistency and marked their credit rating further down?

Anyway, after complaining on Twitter, because that’s something I do, iChoosr stated that this is not their standard operating procedure, and even offered to “manually switch” me, without the requirement of three years in the UK. Note that once again, this is for me, a white male working for a big company, coming from a country that is not associated with immigration as much as it should be.

This is unfortunately the norm. If you lived all your life in the UK, all of this is hidden away: of course you have more than three years worth of addresses! If you have enough money that you don’t really care about switching provider, then of course you don’t notice credit checks or anything of the sorts. But it does create a much less friendly environment for those of us who move into the country.

Luckily, there are other cases. The dentistry clinic that just opened across the street from us is staffed mostly by immigrants. They know how hard it is, they remember how annoying it was when they arrived. And they made sure that the financing company they signed up with is able to take overseas addresses. Given that there is no interest applied on the financing, I fear they might have just taken the hit of paying higher fees to guarantee that.

Of course the consideration there is not just for their own experience; assuming that would be naïve to say the least. The other side of that calculation is that their location in West London is such that a lot of their customers are likely immigrants, that might or might not have lived for three years in the UK already, and might thus need a bit more relaxed credit check environment than, say, Richmond High Street.

This is why I’m upset with Unite, too. The fact that their provider does not care to select offers that accept immigrants out of the box casts a shadow on them just as much as on iChoosr: many of the people counting on these deals are likely on lower salaries than mine, and for them the price difference can be an actual difference. Even more so if they have recently moved to the country. I should send my complaint to them just as much at this point.

Take my experience of this molehill, think it through with the lenses of someone who might not be as privileged as you are, and then start pressuring the companies you work for, or that you pay money to, to actually care about the real people. Rather than just about their bottom line.

Boot-to-Kodi, 2019 edition

This weekend I’m oncall for work, so between me and my girlfriend we decided to take a few chores off our to-do lists. One of the things for me was to run the now episodic maintenance over the software and firmware of the devices we own at home. I call it episodic, because I no longer spend every evening looking after servers, whether at home or remote, but rather look at them when I need to.

In this case, I honestly forgot when it was the last time that I ran updates on the HTPC I use for Kodi and for the UniFi controller software. And that meant that after the full update I reached the now not uncommon situation that Kodi refused to start at boot. Or even when SSH’ing into the machine and starting the service by hand.

The error message, for ease of Googling, is:

[  2092.606] (EE) 
Fatal server error:
[  2092.606] (EE) xf86OpenConsole: Cannot open virtual console 7 (Permission denied)

What happens in this case is that the method I have been using to boot-to-Kodi was to use a systemd unit lifted from Arch Linux, that started a new session, X11, and Kodi all at once. This has stopped working now: Xorg can no longer access the TTY, because systemd does not think it should access the console.

There supposedly are ways to convince systemd that it should let the user run X11 without so much fluff, but after an hour trying a number of different combinations I was not getting anywhere. I finally found one way to do it, and that’s what I’m documenting here: use lightdm.

I have found a number of different blog posts out there that try to describe how to do this, but none of them appear to apply directly to Gentoo.

These are the packages that would be merged, in order: 
 
Calculating dependencies... done! 
[ebuild   R    ] x11-misc/lightdm-1.26.0-r1::gentoo  USE="introspection -audit -gnome -gtk -qt5 -vala" 0 KiB

You don’t need Gtk, Qt or GNOME support for lightdm to work. But if you install it this way (which I’m surprised is allowed, even by Gentoo) it will fail to start! To configure what you need, you would have to manually write this to /etc/lightdm/lightdm.conf:

[Seat:*]
autologin-user=xbmc
user-session=kodi
session-wrapper=/etc/lightdm/Xsession

In this case, my user is called xbmc (this HTPC was set up well before the rename), and this effectively turns lightdm into a bridge from systemd to Kodi. The kodi session is installed by the media-tv/kodi package, so there’s no other configuration needed. It just… worked.

I know that some people would find the ability to do this kind of customization via “simple” text files empowering. For me it’s just a huge waste of time, and I’m not sure why there isn’t just an obvious way for systemd and Kodi to get along. I would hope somebody builds one in the future, but for now I guess I’ll live with that.

I’m told Rust is great, where are the graphics libraries?

While I’m still a bit sour that Mozilla decided to use the same name for their language as an old project of mine (which is not a new thing for Mozilla anyway, if someone remembers the days of Phoenix and Firebird), I have been looking from the sideline at the Rust language as a way forward to replace so many applications of embedded C, with a significantly safer alternative.

I have indeed been happy to see so much UEFI work happening in Rust, because it seems to me like we came far enough that we can sacrifice some of the extreme performance of C for some safety.

But one thing that I still have not seen is a good selection of graphics libraries, and that is something that I’m fairly disappointed by. Indeed, I have been told that there are Rust bindings for the classic C graphics libraries — which is pointless, as then the part that needs safety (the parsing) is still performed in C!

The reason why I’m angry about this is that I still have one project, unpaper, which I inherited as a big chunk of C and could definitely be rewritten into a safer language. But I would rather not do so in a higher level language like Python due to the already slow floating point calculations and huge memory usage.

Right now, unpaper is using libav, or ffmpeg, or something with their interface, depending on how much they fought this year. This is painful, but given that each graphic library implements interfaces in different ways, I couldn’t find a better and safe way to implement graphics processing. I was hoping that with all the focus on Rust out there, particularly from Mozilla, implementing graphics parsing libraries would be high in the list of priorities.

I think it’s librsvg that was ported to Rust — which was probably a great idea to prioritize, given it is exactly the type of format where C performs very poorly: string parsing. But I’m surprised nobody tried to make an API-compatible libpng or libtiff. It sounds to me like Rust is the perfect language for this type of work.

At any rate, if anyone finally decides to implement a generic graphic file input/output library, with at least support for TIFF, PNM and PNG, I’d love to know. And after that I would be happy to port unpaper to it — or if someone wants to take unpaper code as the basis to reimplement it as a proof of concept, that’d be awesome.

The problem for a lot of these libraries is that you have to maintain support for a long list of quirks and extensions that over time piled up on the formats. And while you can easily write tests to maintain bit-wise compatibility with the “original” C language based libraries for what concerns bitmap rendering (even for non-bitmap graphics such as JPEG and WebP), there are more things that are not obvious to implement, such as colour profiles, and metadata in general.

Actually, I think that there is a lot of space here to build up a standard set of libraries for graphics libraries and metadata, since there’s at least some overlapping between these, and having a bigger group of people working on separate, but API-similar libraries for various graphic formats would be a significant advantage for Rust over other languages.

Opinion: FinTech vs High Street

If you’re a regular reader of this blog, you may have noticed that I have strong opinions regarding consumer financial services, particularly when it comes to Revolut, which I wrote about a lot by now.

I didn’t start writing about these services because of a professional interest, but rather because when I moved from Italy to Dublin (via Los Angeles), I felt like I stepped back ten or more years with the banking system. And while this improved significantly when I moved to London, there are still a few things baffling me from time to time.

But as I discussed in one of my recent Revolut-bashing posts, compared to Ireland the high street banking options in London are so much more interesting that I’ve effectively ditched Revolut for day-to-day payments. So why would anyone care about FinTech products?

I have been thinking this for a while, not just as a customer, but with an awareness that, if I decided to change my perspective in life and go for a riskier professional position, from my rather cushy one, FinTech appears to be the place to be right now. Particularly given the unfortunate experience I have gained in this field by now.

One of the issues appears to be one of branding, and trust. Quite a few people appear to have a dislike for high street banks because of their association with previous scandals or news. And that’s what makes it funny to see how high street banks appear to just want to enter the market with new brands.

Another thing that Monzo appears to capitalize on, in their tube advertisements, is the ability to receive instant notification of the money spent. And that’s something that I definitely can relate to. This is particularly important when you get to more shady stores, or to coffee stores with untrained staff, that may suggest that a transaction didn’t really go through, and suggest you pay cash instead, charging you twice.

Indeed, this was one of the biggest advantages of using Revolut for me in Ireland. The “famous” Tesco Bank credit card didn’t really have even an online banking platform, and the only way for me to confirm whether a transaction went through was by looking at my Tesco points statements. But this is not something revolutionary: I had notifications of all online transactions, and card-present transactions over €50, on my Italian pre-paid card in 2006 (via SMS, not via app at the time, of course.)

While I feel Monzo is right to take a swing at most high street banks for not implementing these notifications, even in 2019 London it’s not true that you need to “go FinTech” to have this level of support. My American Express does the same, and you cannot say that AmEx is a new player on the market!

And it doesn’t stop at just sending me notifications for the charges: American Express goes one step further, and integrates with Google Pay so that you get the notifications even without having the American Express application installed.

Indeed, I have a feeling that, for the most part, customers would be happy if the level of support in high street banking was on par with American Express:

  • Their website lets you log in with a simple username/password combination, rather than the silly security theatre of “Give me the 1st, 2nd, 123th character of your password, and 1st, 5th and 6th digit of your PIN” (seriously, setting aside the random index selection, why on Earth do you need two equivalent factors?)
  • New charges on the card are notified immediately, either through app or through Google Pay (I don’t know about Apple Pay but I assume that’s the case there as well).
  • You can get your card’s PIN online, which is usually verified by a text message OTP.

One of the things that AmEx does not do, that I think all of the FinTech players appear to do, is freezing/unfreezing the card on the fly. A feature that Barclays has been advertising all over as if they had invented it.

It is pretty much possible, or certain, that some UK high street banks already started providing all of these options, maybe in different combinations. As I said, Barclays does appear to have the ability to freeze/unfreeze the card. Fineco does not mail out the PIN but rather has you requesting it online and delivers it as text message. And as I pointed out before, Santander has a credit card with no foreign transaction fees.

Many of the articles I read about the importance of FinTech startups imply that the main reason why big banks can’t be this flexible or “innovative” is that they have old, heavy and difficult to manage backends. From second hand discussions, I can believe that the backends are indeed as heavy and clunky as they are purported to be, but it does seem to me that many of the features involved can’t be that tied to the backends, given that most of the banks can provide those features already.

One feature that I see being deployed throughout different banks is the ability to “budget” expenses. While it sounds particularly interesting, this appears to be mostly a “frontend” feature. Santander has this feature, but somehow they decided to implement this on a separate Android app only, which I gave up on. Indeed, it does not allow you to correct their classification of expenses, which makes it pretty much useless, not just because some vendors are classified completely wrong, but also because sometimes the same vendor might be used for different reasons (Boots, CVS, Walgreens, and similar all provide both medicines and groceries; how you categorize their spend depends on what you bought!)

While Santander have already won me over as a bank customer, I do feel that they would win over more of my credit card expenses from American Express if they implemented “this one weird trick” of informing me of charges as they happen. Because small things like that are one of the reasons I use my AmEx quite a lot in the UK, even after I reach the needed spend to upgrade my Marriott membership to gold.

So yeah, my hope is that high street banks will finally see the competition from FinTech as a list of features that they should, opportunistically, implement, rather than an excuse for the branding and marketing departments to come up with new ideas to be “hip”.

Dear Amazon, please kill the ComiXology app

Dear Amazon, Dear Comixology,

Today, May the 4th, is Free Comic Book Day. I thought this was the right time to issue a plea to you: it’s due time you get rid of the ComiXology app, and ask your customers to just use a unified Kindle app to read their comic books.

I love comic books, and I found ComiXology an awesome service, with awesome selection and good prices. I have been a customer for many years, starting from when I had just bought an iPad for a job. For a while, I have signed up for their ComiXology Unlimited service, that for a monthly fee gave you access to an astounding amount of comics — particularly a lot of non-mainstream comics, a great way to discover some interesting independent authors.

When Amazon bought ComiXology, I was at the same time pleased and afraid — pleased because that could have (and did) boost ComiXology’s reach, afraid because there was always a significant overlap with the Kindle app, ecosystem and market. And it turned out that my fears were just as real, as I found out last year.

I don’t want to repeat the specifics here, the short version is that the ComiXology app has been broken for over a year now for any Android user that relies on microSD storage rather than the internal storage, such as mine. After multiple denials from ComiXology support, the blog post helped me get this to the attention of at least one engineer on the team, who actually sent me a reply nearly 11 months ago:

I followed up with our team and a few weeks ago we met about your report. We realized you are 100% correct, and we’re re-evaluating our decision RE adoptable storage. I don’t have news on when that answer is coming, but the topic is open internally and I want to thank you for your detailed emails and notes. Hopefully we can figure this out and get you back.

Matt, ComiXology Support, May 30, 2018

Unfortunately, months passed, and no changes were pushed to the app. The tablet got an Android OS update, ComiXology got updates every few months, but the app to this day does not have any way to store its content on microSD cards. The last contact I have from support is from last summer:

Our team has tracked down what’s going on and you are correct in your analysis. They are working on a solution, though we do not have an estimate for when you will be seeing it. We will keep on checking in on this and making sure things move along.

Erin, ComiXology Support, August 13th, 2018

This is not just a simple annoyance. There is a workaround, that involves using the microSD as so-called “portable storage”, and telling the app to store the comics on the SD card itself. But it has another side effect: you can’t then use the SD card to download Netflix content. The Netflix app cannot be moved to the card, either as adopted or portable storage – just like ComiXology – but it supports selecting an “adopted storage” microSD card for storage, and actually defaults to it. So you end up choosing between Netflix and ComiXology.

And here’s the kicker: the Kindle app, developed by a different branch of the same company, does this the right way.

And this brings me back to the topic of this post: the Kindle app is not stellar for reading comic books in my experience, ComiXology did a much better job at navigating panels. But that’s where it stops — Kindle has a better library handling, a better background download support, and clearly better support for modern Android OS. But I can’t read the content I already paid for in ComiXology on that.

I think the best value for the customers, for the people actually reading the comic books, would be if Amazon just stopped investing engineering into the ComiXology app at this point, which clearly appears understaffed and not making any forward progress anyway, and instead allowed reading of ComiXology content on Kindle apps. And maybe Kindle hardware — I would love reading my manga collection on a Kindle, even if I had to upgrade from my Paperwhite (but please, if you require me to do that, use USB-C for the next gen!)

Will you, Amazon?

“Planets” in the World of Cloud

As I have written recently, I’m trying to reduce the amount of servers I directly manage, as it’s getting annoying and, honestly, out of touch with what my peers are doing right now. I already hired another company to run the blog for me, although I do keep access to all its information at hand and can migrate where needed. I am also giving Firebase Hosting a try for my tiny photography page, to see if it would be feasible to replace my homepage with that.

But one of the things that I still definitely need a server for is keep running Planet Multimedia, despite its tiny userbase and dwindling content (if you work in FLOSS multimedia, and you want to be added to the Planet, drop me an email!)

Right now, the Planet is maintained through rawdog, which is a Python script that works locally with no database. This is great to run on a vserver, but in a world where most of the investments and improvements go on Cloud services, that’s not really viable as an option. And to be honest, the fact that this is still using Python 2 worries me not a little, particularly when the author insists that Python 3 is a different language (it isn’t).

So, I’m now in the market to replace the Planet Multimedia backend with something that is “Cloud native” — that is, designed to be run on some cloud, and possibly lightweight. I don’t really want to start dealing with Kubernetes, running my own PostgreSQL instances, or setting up Apache. I really would like something that looks more like the redirector I blogged about before, or like the stuff I deal with for a living at work. Because it is 2019.

So sketching this “on paper” very roughly, I expect such software to be along the lines of a single binary with a configuration file, that outputs static files that are served by the web server. Kind of like rawdog, but long-running. Changing the configuration would require restarting the binary, but that’s acceptable. No database access is really needed, as caching can be maintained to process level — although that would mean that permanent redirects couldn’t be rewritten in the configuration. So maybe some configuration database would help, but it seems most clouds support some simple unstructured data storage that would solve that particular problem.

From experience with work, I would expect the long running binary to be itself a webapp, so that you can either inspect (read-only) what’s going on, or make changes to the database configuration with it. And it should probably have independent parallel execution of fetchers for the various feeds, that then store the received content into a shared (in-memory only) structure, that is used by the generation routine to produce the output files. It may sound like over-engineering the problem, but that’s a bit of a given for me, nowadays.
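The design described above, as an added example rather than code from this post or from rawdog: parallel fetchers fill a lock-guarded in-memory structure, and a generation routine renders the page from it. The `Planet` class, the feed URLs and the feed bodies are constructed for illustration; feed content is treated as untrusted, so it is escaped on output and non-http(s) links are dropped.

```python
import html
import threading
import xml.etree.ElementTree as ET
from concurrent.futures import ThreadPoolExecutor
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample responses standing in for the network (hypothetical URLs).
SAMPLE_FEEDS = {
    "https://a.example/feed": (
        "<rss><channel><title>Blog A</title><item>"
        "<title>Codec &lt;script&gt;news</title>"
        "<link>https://a.example/post-1</link>"
        "<pubDate>Mon, 06 May 2019 10:00:00 +0000</pubDate>"
        "</item></channel></rss>"),
    "https://b.example/feed": (
        "<rss><channel><title>Blog B</title><item>"
        "<title>Muxer update</title>"
        "<link>javascript:void(0)</link>"
        "<pubDate>Tue, 07 May 2019 09:30:00 +0000</pubDate>"
        "</item></channel></rss>"),
    "https://c.example/feed": "<rss><channel><item>",  # truncated on purpose
}


class Planet:
    """Shared in-memory state: one slot per feed, guarded by a lock."""

    def __init__(self, feeds, fetch):
        self.feeds = list(feeds)
        self.fetch = fetch          # callable(url) -> feed XML text
        self.entries = {}           # url -> list of entry dicts
        self.errors = {}            # url -> last error message
        self.lock = threading.Lock()

    def _update_one(self, url):
        try:
            # Feed bodies are untrusted input; a hardened XML parser is
            # advisable for a real deployment.
            channel = ET.fromstring(self.fetch(url)).find("channel")
            source = channel.findtext("title", default=url)
            parsed = [{
                "source": source,
                "title": item.findtext("title", default="(untitled)"),
                "link": item.findtext("link", default=""),
                "when": parsedate_to_datetime(item.findtext("pubDate")).timestamp(),
            } for item in channel.iter("item")]
        except Exception as exc:    # keep whatever this feed had before
            with self.lock:
                self.errors[url] = str(exc)
            return
        with self.lock:
            self.entries[url] = parsed
            self.errors.pop(url, None)

    def refresh(self):
        """Run every fetcher in parallel; one bad feed never blocks the rest."""
        with ThreadPoolExecutor(max_workers=8) as pool:
            list(pool.map(self._update_one, self.feeds))

    def render(self):
        """Generation routine: newest first, every feed value HTML-escaped."""
        with self.lock:
            merged = [e for items in self.entries.values() for e in items]
        merged.sort(key=lambda e: e["when"], reverse=True)
        rows = []
        for e in merged:
            title = html.escape(e["title"])
            # Only http(s) links become clickable; other schemes are dropped.
            if urlsplit(e["link"]).scheme in ("http", "https"):
                title = '<a href="%s">%s</a>' % (html.escape(e["link"]), title)
            rows.append("<li>%s: %s</li>" % (html.escape(e["source"]), title))
        return "<ul>\n%s\n</ul>\n" % "\n".join(rows)


def build_sample_planet():
    planet = Planet(SAMPLE_FEEDS, SAMPLE_FEEDS.__getitem__)
    planet.refresh()
    return planet


if __name__ == "__main__":
    p = build_sample_planet()
    print(p.render())
    print("failed feeds:", sorted(p.errors))
```

A long-running service would call `refresh()` on a timer and write the result of `render()` to wherever the static files are served from.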

To be fair, the part that makes me more uneasy of all is authentication, but Identity-Aware Proxy might be a good solution for this. I have not looked into that but used something similar at work.

I’m explicitly ignoring the serving-side problem: serving static files is a problem that has mostly been solved, and I think all cloud providers have some service that allows you to do that.

I’m not sure if I will be able to work more on this, rather than just providing a sketched-out idea. If anyone knows of something like this already, or feels like giving a try to building this, I’d be happy to help (employer-permitting of course). Otherwise, if I find some time to build stuff like this, I’ll try to get it released as open-source, to build upon.

London, an Year and a Half Later

Given that nearly everything we hear, both here in the UK, and it appears everywhere else, is the stinking pile of burning rubbish that is Brexit, I thought I would bring at least a bit of positivity, by giving an update on my life in London, which I announced just shy of two years ago.

London has been a significant change of pace for me, both professionally (not always in a good way) and personally (almost all in a good way). I now live in a flat with my girlfriend, who’s the world to me. I have effectively stopped globetrotting, compared to Dublin — because I have so many things to do here, that were not available there. And I’m actually dedicating a forced 45 minutes a day to reading books (and another 45 are usually dedicated to reading the news), thanks to my higher-than-median commute.

As I said, the professional change of pace was not entirely positive. I ended up with a bad case of burnout between teams, and took two weeks of stress leave in February to “recenter myself”, which mostly involved me spending time on usbmon-tools, and a few kernel patches that (hopefully) I’ll be sending out this week. I am not entirely sure if this is due to a difference in the office environment, or in my own way to relate to the office itself. In Dublin I found there was more camaraderie, which might be caused by being a smaller office for my organisation, or the fact that so many of us lived in the same area that we spent a lot more time together outside of work too. As for myself, I find myself trying to put more explicit boundaries on how much I interact with my colleagues, even when I find them stimulating company.

On the personal level, the past two years (including the few months before the actual move) have been a roller-coaster ride, between the fear of change, my computer getting stolen, meeting my girlfriend, attending a number of concerts (not all, but most, metal), and getting photographed together with some of my most admired celebrities (I would put Simon Jones, John Lloyd, and Alexander Siddig as the top-three!)

And even when we didn’t go full-fan waiting over two hours to get a quick sketch of Spider-Man from John Romita, Jr, being able to go and see the Elves at No Such Thing as A Fish, or listen to Stephen Fry tell stories of ancient Greece all have had a very positive impact on my personal mental health.

And now that the rollercoaster is slowing down (and ending in a high note, at least on the personal side, ignoring Brexit), I think you may get more content from me. Because I have missed my blog tremendously, and migrating to WordPress was also a very good idea, as it allows me a lot more flexibility in writing.

Speaking of Foreign Transaction Fees

In the previous post about Revolut, I have left open a topic that I wanted to move to its own post: foreign transaction fees.

For those who are not acquainted with the terminology here, with foreign transaction fee I’m referring to the additional fee levied by banks and payment card companies when you incur expenses in a different currency than the one the card was issued for. Sometimes (particularly in UK and Ireland) this is referred to as an “overseas transaction fee” — which is confusing, particularly for Ireland, where the fee is applied for expenses in GBP (which is not overseas, but rather “up the road”), but not in EUR (which is mostly overseas).

This is a different cost incurred than the possible bad exchange rate that the financial institution may be applying, and it has nothing to do with the various DCC scams that you may run into when going to touristy destinations with a non-local card, although there is a link there: even online, services may suggest that you apply the charge in your local currency to avoid foreign transaction fees — as you can see in the linked post, that’s rarely a good idea, with a few exceptions (e.g. PayPal actually applies sane conversion fees in my experience, even if not the best ever).

These foreign transaction fees are set by the card issuers, and vary widely. I have seen cards with up to 6% “fex fees”, but that was back in Italy (why I say that will be clearer in a moment). In Ireland, with the exception of various fintech companies, the typical fex fees were of 2-3% — I was very happy with Tesco Bank’s 1.75% fex fee (Tesco Bank no longer operates in Ireland.) In the UK, it appears most cards either have 0% fex fee, or 2.99% fex fee; there are a few divergences, but those two appear to be the most common options.

The reason why I am specifying this information with a country attached is that, in addition to telling you what the currency is, the mix of local-vs-foreign spend for the average person is also connected to the country. For instance, for my friends and family living in Italy, foreign transaction fees only exist when buying from foreign websites (or eBay), or when going on a “far” trip — Croatia and Switzerland being the closest countries that incur the fex fee. On the other hand, if you live in Ireland, you’ll probably have at least one recurring expense in GBP — depending on how Brexit is going to go this may change.

Indeed, for electronics you often need to look at the UK, rather than the continent — because of plugs, regulations, availability, etc. And quite a few eShops with presence both in the continent and the UK used to refuse you service from the European website, referring you to the UK one instead — this is another thing that may change after Brexit. There is a reason why, when discussing markets, most companies call it “UKI”.

I’m told that a similar situation exists for those living in Switzerland, and I can imagine this goes similar in the Nordics, given that Denmark, Sweden, and Norway have their own currencies as well, and likely a lot of services overlap.

In the UK (and again this may change after Brexit), you may very well never spend money outside of GBP because all the services exist within the country. Unless you’re an expat, in which case you’re probably still visiting the continent (Eurozone or not) fairly often, or may be paying for ongoing services (such as cellphone contracts) in that currency. This probably explains why the two sets of fex fee groups: if you’re part of the first group, you probably don’t need a card with no foreign transaction fees — while you really do in the latter case.

In my case, I have two credit cards: one from Santander, which I spoke of last time, with no foreign transaction fee, and an American Express with a 2.99% foreign transaction fee. I effectively spread the expenses on the two cards, depending on where I am — namely I try to use the Amex in the UK, and the Santander anywhere the other does not work. I could give up on the Amex, as the Santander is strictly a superset usage, but the perks provided by Amex are worth having. And that’s the most important thing: cards have perks, so you should probably consider those as well.

Thus the utility of fintech services like Revolut and Curve depends on the country you live in not just because it sets the band for foreign transaction fees, but also because it sets the tone of foreign currency usage. In the UK, with the wide availability of debit and credit cards with no foreign transaction fees, their services are likely less useful than in other countries — except when it comes to perks. Indeed in the case of Curve, you would be able to keep most of the perks of a credit card, such as cashback, even if the card comes with a hefty foreign transaction fee. Except for Amex of course.

But is it convenient for you to pay for such a service? That’s another very good question. And to answer it, I’ll try to forget about the UK and go back to Ireland — mainly because here, as I now repeated a number of times, cards with no foreign transaction fee exist and you can just use one of those. Metro Bank has free current accounts with cards that come without foreign transaction fees in Europe. Santander has a £3/month credit card with no foreign transaction fees, and 0.5% cashback. Halifax has a Clarity MasterCard that comes with no monthly fee, no foreign transaction fees (and of course no perks.)

But let’s go back to Ireland and take a look at the options. As I said the usual foreign transaction fee in the country was between 2% and 3%. In the case of Ulster Bank, the card I used to have had 2.75% foreign transaction fee. At which point would it have been cheaper for me to subscribe to Curve Black, at €9.99/month, rather than give Ulster Bank their fees? (And for simplicity here, I’m not talking about exchange rates; the exchange rate for their MasterCard is network-provided so it’s not at all bad, and in fact it’s comparable to Revolut’s.)

As most services would require a yearly commitment, we should consider the spend on a yearly basis too. This makes the cost €119.88, but we’ll call it €120 to make it easier to run numbers on them. Let’s just call the twelve cents a rounding error. If we’re ignoring the cashback options (as in Ireland there were none, beside Tesco Bank), the amount of foreign expenses you’d need to break even on Curve Black with the foreign transaction fee noted above is about €4364 (divide the yearly cost by the foreign transaction fee). That’s the cost of a fairly big vacation for a family (note that you can’t include flights in the vacation cost, as those would be billed by the currency of the country of origin, which is likely local).

If you have a card that provides cashback, then things become more complicated, because you’d have to include the cashback in the calculation. If you’re curious the following formula will give you the number, making S the yearly subscription cost of the service, F the foreign transaction fee percentage, and C the cashback percentage:

(S + (S/F) * C) / F

For Revolut Metal, with their variable cashback, figuring out the number is a bit more annoying. But we’re also talking about 1% in the best case scenario (all non-European spend). So the basic number (€5673) only goes down to €5616. The 0.1% cashback option of all European spend is so minimal that it’s not worth calculating exactly.

So what should you do if you don’t usually spend that kind of money on foreign transactions? You can still use the Revolut and Curve and other fintech services without paying for them, and grab the best deal you can until they go bust. Or if you don’t want to bother, you can just spend on your normal cards, get your usual perks and ignore the need for no foreign transaction fees.

Indeed, if your options are spending on Curve attached to a debit card with no cashback and no perks, or spend on an American Express Platinum Cashback Credit Card, you would need to spend more than £5330 a year in foreign transactions for it to be worth it — and that’s assuming you don’t qualify for the higher tier. And this is probably the worst case scenario for the UK, for a non-zero foreign transaction fee card.