
Messages - Arantor
3691
Off-topic / Re: Extract images with a certain tag from Instagram
« on April 20th, 2012, 02:10 AM »
You can add the setlocale call first before the wp_remote_get call if you like.
3692
Features / Re: New revs - Public comments
« on April 19th, 2012, 11:51 PM »
Quote
A tiny fix for French. Note to self and Pete: seriously, 30+KB is too large for the index language... It should only hold the most commonly used text strings, and certainly not things like a merge topic feature description... If anything, index.english.php should be short and easy to translate, so that we can have obscure translations that deal with at least the most common strings. (index.french.php)
Why the fuck is that string there? I certainly didn't put it there.

Mind you, this is related to what I've been saying about splitting some of those files - the view I hold is that index should hold stuff that's used everywhere or on the 'majority' of pages. Stuff in topics, for example, would be OK there.
3693
The Pub / Re: The Cookie Law (in the UK at least)
« on April 19th, 2012, 11:46 PM »
Quote
I'm sure Wedge will be fine with just a warning message at registration time. That could be disabled from the admin panel for users outside the UK or whatever.
If that were the case, we could just accept the fact it's in the registration agreement and go home. Except that it isn't the case, and until this is tested by a formal complaint, I at least have to assume that it will be expected to be carried out as discussed.
Quote
The UK site has complied with the Directive as implemented in UK law but is not compliant under German law. As things stand, the Information Commissioner would have to agree that the web site concerned was in violation. But whether he would seek prosecution is entirely another matter.
This is my point. I agree that it would be found in violation, but I would expect that the ICO would not seek prosecution because what was being done was being done in good faith. (Assuming it was being done in good faith.)
Quote
But is there any other practical way of doing this? As a developer, you'd say "yes", I'll simply include hooks that cause the display of a cookie acceptance dialog so that developers of plug-ins that set cookies can get the user's acceptance. But from a user's point of view, to be presented with a succession of cookie opt-in dialogs is going to become tiresome to say the least. If we are going to go down that road, then I think two opt-in dialogs should suffice: one for first-party and the other for all the third-party cookies. That second dialog could optionally be re-presented to the user if additional cookies are added. How's that for compromise?
Bearing in mind the first- vs third-party cookies problem, the ideal solution to me seems to be offering an acceptance on first party cookies as a general consent, then a party by party acceptance of other cookies.

So the core cookies for a site itself with a single consent, then Google Analytics with a single consent for GA (ideally... I'd hold that in the browser with the assumption that opting me out of GA would opt me out of GA everywhere), then a single consent for whatever, etc.

Mind you, anyone who actually cares about privacy seriously wouldn't have GA on their site anyway.
3694
Off-topic / Re: QapTcha
« on April 19th, 2012, 11:41 PM »
Does it matter? The input etc is pushed from PHP, meaning that the information including the key is available without JS.

All the JS is doing is essentially saying 'if the user moves this box to here, *empty out this input*'. There is nothing more that it is doing.
3695
Archived fixes / Re: Time offset (auto detect)
« on April 19th, 2012, 07:37 PM »
Quote
Actually, it's 580+... I don't know why everyone in their samples, including you, insist on forgetting about that (admittedly very small but still a bit more important than Antarctica), continent called Africa...?
Actually, Africa IS listed. I see West Central Africa (UTC+1), South Africa Standard Time (UTC+2) plus places like Cairo that are in Africa last I checked.

Yes, it is 580+, but there are dozens that are legacy and deprecated.
Quote
I don't know, never seen that on other forums really.
XenForo and phpBB do it. Hell, even Windows, Mac OS X and Ubuntu do it.
Quote
Just keep to the server's timezone, and adjust user settings with the time offset... Voilà. If they ever get diverging hours (because of time savings), they can simply update their account page.
If you want to revert it, revert it. But I'm at the stage where I'm fed up with timezones and like other stuff I've done today, I'm a bit fed up with writing off chunks of my life as gigantic wastes of time, I still want to believe it isn't a waste of effort.

But I'd like for it to be correct, since everyone else can get it right and I don't see why we can't. I just haven't finished working on it, but hey, I guess I can remove all that and be done with it. I wonder if there's anything else that's a waste of my time working on.
Quote
I remember that... And for now we'll keep to it. I'd just like to be sure there isn't a better solution here. :)
There are three solutions: providing a fuck off big list to users that requires minimal work from us but looks ugly (like in the admin panel), providing a much shorter and more manageable list (like in the profile area, like XenForo, like phpBB, like Windows, like OS X, like Ubuntu) or we can revert to this unintuitive pile of crap that doesn't even work properly for countries that don't have hour-boundary places (like SMF)

An improvement to use proper timezones has been requested many times before for SMF but no-one's willing to take it on, because it's a minefield, and until recently SMF has been supporting prior to PHP 5.1 where all the date stuff was properly implemented.

Still, if you're happy with the shitty method, go revert it.

(I, on the other hand, will be going to find a drink to calm the fuck down. I should remember not to go visit certain people to sort out disentangling myself from my old life. Still, that should be dealt with soon enough and I can just start trying to forget the last 10 years.)
3696
The Pub / Re: The Cookie Law (in the UK at least)
« on April 19th, 2012, 07:28 PM »
Quote
That said though, I do wonder how many Forum sites operating from UK hosts actually comply with the requirements of the Data Protection Act. Very few, if any, would be my guess.
I actually did some investigation on this some time ago, when I first started running forums, and I don't believe anything's changed. Basically, a username and password is not considered personal information and as yet, neither is an email address. Consequently because you're not providing anything that comes under their definition of 'personal information', you don't have to get into the realms of being a registered Data Controller, and whatever's left regarding IP (which also, currently, is not considered personal information) is covered by the standard registration agreement, which is within the First Principle's approach to transparency.
3697
The Pub / Re: Starting date of the topic in the subject index
« on April 19th, 2012, 07:25 PM »
It's complicated, but in most of the cases, if you don't have that information directly, you have to have some manner of displaying it, which often requires actually having some other UI - hover to display something is a bit annoying. (In the case of thoughts, hovering actively shows you UI, which is cleaner than having the UI there all the time, and it's cleaner than having to hover to actually do anything because you'll be hovering in order to click Reply or whatever)

I'm well aware of the behaviour of the quick reply but I suspect that will actually provoke some use, as opposed to an item that people may not even know is there.
3698
Archived fixes / Re: SMorg
« on April 19th, 2012, 07:16 PM »
Remember that Karl was actually an SMF dev at one point ;)
3699
Plugins / Re: Plugins I refuse to do
« on April 19th, 2012, 07:11 PM »
Quote
I don't know... You know, fanboys! XenForo is 'on the way up'. Google Trends seems to prove that.
It is on the way up, I won't argue that. It has done so at a lot of vBulletin's expense, and to a lesser degree phpBB's expense. MyBB is flourishing because it's proving that it is a strong candidate in the free world that is under active development (as neither phpBB nor SMF can really make that claim, and we're not yet published publicly)
Quote
Even if we had a gold Wedge by now, I'm sure there would still be XF fanboys claiming that free software just can't compete.
Of course they would. There are a lot of idiots out there who equate expensive with better, without any real reason for it.
Quote
Starting to wonder if the people responsible for these names are Doctor Slump fans... (Ncha! Byecha!)
Well, CAPTCHA is a backronym for catching spam (i.e. they took 'capture' and figured out an acronym to basically fit) while MATHCHA is basically a portmanteau of math + CAPTCHA.
Quote
Sounds good to me.
Then the localized versions could use local 'common sense' questions like 'Quelle est la couleur du cheval blanc d'Henri IV ?' (What's the color of Henry IV's white horse? Famous one here. I think the answer is white, BTW. Uh no, it's blanc. It's a hard question for a US bot to answer, see.)
That works for me too, though I'd prefer to have something that's semi random too so that you can't just have bots build the library from our installer (i.e. detecting the question and using the answer). Perhaps a math question written out in words - but that would require having support for multiple answers so that people can put in words or numbers and have both be accepted.
3700
The Pub / Re: The Cookie Law (in the UK at least)
« on April 19th, 2012, 07:05 PM »
Quote
The unholy side-effect of that is that site owners based in Europe will have to know the applicable laws for each EU member as the Directive does not proscribe any particular wording.
That's true, but to a point one of the considerations is whether you're acting in good faith or not. If you're 'on the edge' but making an attempt in good faith to be compliant, you're probably going to be OK, but if you're on the edge trying to bend the rules at every opportunity, when you do skirt the rules, it will come back to bite you a bit more.
Quote
The other bit of advice I've just been given is that site owners should clearly explain the content and use of any third-party cookies introduced on visitors' machines during their visit. But I note that even the ICO is unable to do this fully.
The ICO's own site is where I feel it's failing most: I accept that they may not know the specific details of each cookie - I don't know the specifics of what's in the Google Analytics cookies, for example, so that part I'm willing to accept the way they're doing it. What I don't like is the way they're using a single consent to accept *all* of those cookies, not bits and pieces.
Quote
The other rather laughable aspect of the ICO site is that it places a second cookie, in addition to their main one, if you agree to cookies -- surely the presence of their main cookie indicates that you've agreed to cookies!
It is, but at the same time, there's no other way to do it. They don't set any cookies, so there's no method other than this to indicate consent unless you're a registered member and have provided consent that way somehow.
Quote
Oh and thank you for posting a copy of your email to ICO. I am relieved and reassured to know that this issue is being taken seriously by the Wedge Team whilst those over at SMF are simply burying their heads in the sand.  You have just provided me with yet another in an increasingly long list of reasons to wait patiently for the release of Wedge! Thank you!
Well, as this discussion has shown, Nao and I both have reservations about how this will be enforced, and whether it actually will be or not. But I don't see that we - as platform stewards - can take that risk.

This is the problem I have with SMF: I understand their view that they're in the US and as such they take the view that it does not apply to them. But they're not offering advice on how to be compliant, and given what's involved, and how deeply rooted it is into SMF, with its session management and also the privacy concerns of Who's Online, and that's where the problem is. If the team isn't actively taking this on board, who is? Is anyone?

And that's the problem: it leaves people like you and me (taking off my platform steward hat for a moment) in the lurch because if the platform itself isn't going to take responsibility, that means the site owners have to, and without any guidance, how can they?

As I said in my email, I don't know if other platforms are taking this seriously, but I don't see big noises about doing so, put it that way.
Quote
I'm still convinced that this is just 'for the show', and that this law is only going to be used in clear cases of privacy abuses, as legal grounds for action, rather than being mindlessly applied to every single blog or whatever.
Oh, I'm pretty sure that it is just for show, but until it's actually tested in a complaint, we have to assume that it isn't. Bear in mind that it is only to be used in the case of people complaining, rather than doled out by machine.

The thing is, even with the source code available, it isn't that easy to identify what the cookie does, especially if you observe that the PHPSESSID is actually potentially set for 3 years at a time when it is supposed to be a session cookie, it does make you wonder what's going on.

If we make it difficult or even impossible to be compliant, I myself can't use Wedge on my own sites, that's the bottom line. If I can't be reasonably sure that Wedge will be compliant, I don't see how I can in good faith or otherwise operate Wedge on my own sites, so even though I personally believe that it's for show, I can't take that chance for my own stuff, and I can't, thus, take that chance of dropping people in it who use Wedge in good faith.
3701
Features / Re: New suffixes for skin files...
« on April 19th, 2012, 06:48 PM »
Yes, as I mentioned elsewhere I could see the benefit of doing that :)
3702
Features / Re:
« on April 19th, 2012, 06:47 PM »
I thought textareas worked? They worked last time I checked on my devices but I'm using 5.0.

Select mostly works, the only thing that it isn't is the draggable/scrollable part IIRC?
3703
The Pub / Re: Bloc Madness
« on April 19th, 2012, 03:20 PM »
No, I'm not annoyed that you didn't take my advice. I'm annoyed that you didn't even listen to it, since there is a big difference. You can disagree with what someone is saying and even do exactly what I was advising against but you could have given me some sign that you'd at least read what I'd said and taken it into account. Except that you don't do that.
Quote
You are very good at doing long and elaborate arguments about *anything* in a fashion that makes it seem you have all the answers - which of course you don't.
And if you actually read those arguments, you'd see where I even acknowledge where I don't have the answers. I also actively encourage people to dispute my assertions and I will tackle them on the merits or flaws of the individual arguments. I don't know all the answers, but I've done enough that I have a pretty good idea. The difference is though, I'm also willing to entertain discussion on where I will be wrong.

I still find your hypocrisy incredible, because everything you accuse me of, you've done it on a far larger scale than I have. You want to point out my flaws, you should look at your own first.
Quote
But trying yet again the amateur psychology approach just shows how quick you are to conclusions. I blame it on the age.
I base my conclusions on the evidence provided. You want to act like a spoilt brat who thinks you are best, carry right on, since that's how you're acting based on all the available evidence. I'm not drawing any conclusions, I'm just calling it as I see it. (Though, I won't deny, the time I spent studying counselling some years ago has helped me figure out just how batshit crazy you actually are.)
3704
The Pub / Re: The Cookie Law (in the UK at least)
« on April 19th, 2012, 02:55 PM »
I've today sent an email to the contact email address at the ICO.

Quote
Hello,

I'm a developer attached to a project that builds discussion forum software, and I'm trying to get some guidance on whether the software we have is compliant with the cookie laws or not, since the guidance is very confusing.

I would note also that our package ('Wedge') is derived from an existing US-based development ('SMF') and shares much of the same code including the cookie management. I should also note that SMF's developers have absolutely no plans to add any facilities for managing cookie privacy, so that UK site owners which use SMF will be left non-compliant, and not through their own fault.

Currently, Wedge offers two cookies, one is a session cookie created automatically for guests. The session cookie is not shared with any third party. The cookie itself is simply a session ID, though the session ID allows for counting how many non-registered users are visiting, and also the last action carried out by that session can also be logged, meaning that site administrators can identify what topics of discussion a given user is viewing.

When a user actually logs in, a second cookie is deployed. Due to a bug, the first cookie is not erased, though it is not used when this second cookie is. The second cookie is more persistent, however the user is asked how long the session should persist for. This particular cookie carries two items of information, namely the user id of the logged in user, and their session ID. (The user id is carried through primarily for performance, though either way, that session ID is tied to a user account.) It is also possible for administrators to view the actions being carried out by logged in users.

Now, there is a note in the standard registration agreement text, which reads:
"Also note that the software places a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer."

I recognise that this is not sufficient for compliance and that something more obvious will be required.


Anyway, this at least is the current position, and I would note that pretty much all of the discussion forum platforms offer a similar collection of features, and to the best of my knowledge, none of them are compliant at this time, and I do not believe there are plans to address that, meaning that site owners are likely to place themselves at risk by using any of these software packages.

My understanding of the cookie laws is that the registered-user cookie would be acceptable, by expressly asking for consent during registration so that on creating the user account, it would be clear that consent had been given.

With respect to the session cookie, I am not clear as to whether this is acceptable or not. We will work on the issue where the session cookie is not removed as promptly as it should be, but given that its primary use within the system is to identify the number of active users who are not currently signed in (and potentially the action they are carrying out), it seems to me that we should ask for consent and not issue it if it is not given. I do note that the software will be used by people not based in the EU as well as people based there (the core development team consists of one person in the UK and one in France)

I am concerned, also, with respect to the logging of actions. The tracking is not entirely real time, but 'most' page views (certain internal actions are excluded, and there is a threshold whereby making page views in that time will not be logged, typically views less than 8 seconds apart) are logged, and it is tied to the session ID (regardless of being signed in or not). My concern is that currently we are not advising users that this is being done, and that unlike general access logs, it is tied to a user, and could readily be argued to be personally identifiable. I would note that this can be disabled by the site operator, though it is enabled by default.

On a related note, that same session log is also able to identify whether a given user is signed in or not and that information is often made available to all users (visually), even though every user has the option to 'hide' the fact that they are online from the general population, site operators will be able to see that fact regardless.

I appreciate that this is a complex list of information I am giving, but I feel that as I develop a platform that others will make use of, I am duty bound to get advice on what is acceptable within the bounds of the UK privacy laws, and perhaps some insight into what is required across the EU.

Thank you in advance for any insight you can provide.

Peter Spicer
Developer of 'Wedge', wedge.org.
3705
The Pub / Re: The Cookie Law (in the UK at least)
« on April 19th, 2012, 02:20 PM »
OK, so I've been reading up on the guidance issued by the ICO.

They actually go as far as to note that there is an exemption for 'important' as opposed to 'strictly necessary' cookies, and that they note that 'Cookies used for analytical purposes to count the number of unique visits to a website for example' is not likely to fall within the exemption.

Going back to the whole PHPSESSID thing, which is relevant here, we could remove PHPSESSID, and simultaneously drop the entirety of the problem with the cookie law in the process by simply not starting a session for guests (and take the view that if our own cookie wasn't supplied, it's nothing we're interested in). BUT, this would mean losing accuracy of the number of guests, and will require much more work under the hood.

The other thing is that if we go out and use IP addresses, that we do actually bend the other guidance that there is regarding behavioural tracking. Like a lot of things it is about the lawmakers making policies that don't really work - except that the ICO doesn't have the same view that the French authorities have.

It does also seem that there is a certain degree of insanity in the wording, from what I can tell, a user in the UK can complain to the ICO about a site based in Europe, regardless of being run in the UK or not, and for it to be taken up with the appropriate country's authorities on the matter.

We also have a problem that needs resolving, namely that setting the regular cookie to 'forever' also manages to set PHPSESSID as a cookie to forever too. I need to re-evaluate getting rid of PHPSESSID because if PHPSESSID is actually a session cookie, not a persistent one, we can much better argue its case as important. But still there is an issue with respect to privacy since the admin can see what users are doing because it's logged.

(That is definitely a privacy concern, btw. Going through logs is considered valid if you explain that you have that power. We can probably argue that it is much the same thing, except slightly more real time, and from a privacy perspective more problematic because it's not just logs, it's personally identifiable.)

Jeesh it's a mess.
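
Added example (not part of the original posts, and not code from Wedge or SMF): one way to check for the PHPSESSID lifetime problem described in the post above is to audit `Set-Cookie` response headers and flag a session identifier that carries `Expires` or `Max-Age`. The header values, the fixed "now" timestamp and the `login_cookie` name are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names treated as session identifiers (assumption for this example).
SESSION_ID_NAMES = {"PHPSESSID"}

# Constructed sample headers; "login_cookie" is a hypothetical name.
SAMPLE_HEADERS = [
    "PHPSESSID=constructed0id; expires=Sun, 19 Apr 2015 14:20:00 GMT; path=/",
    "login_cookie=constructed; Max-Age=3600; path=/; HttpOnly",
    "PHPSESSID=constructed0id; path=/",
]
# Fixed reference time so the result is reproducible.
SAMPLE_NOW = datetime(2012, 4, 19, 14, 20, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def lifetime_seconds(attrs, now):
    """Return the lifetime in seconds, or None for a browser-session cookie.

    Max-Age takes precedence over Expires when both are present.
    """
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"])
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: treated as no expiry set
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def audit(headers, now, session_names=SESSION_ID_NAMES):
    """Classify each cookie and flag session identifiers that persist."""
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        life = lifetime_seconds(attrs, now)
        persistent = life is not None and life > 0
        findings.append({
            "name": name,
            "lifetime": life,
            "persistent": persistent,
            # A session ID that outlives the browser session is the finding.
            "flag": persistent and name in session_names,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, SAMPLE_NOW):
        print(finding)
```
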