A Proposal for Sanitizing Weboob

Almost since the inception of the Weboob project, we have received remarks on the name, the iconography, and lately the code comments. Until some time ago, that came from bystanders, social media, etc. However, the argument has been made by current contributors that we could be missing out on new contributors due to these aspects.

Now, we can’t exactly fork the universe to A/B test this hypothesis. Sanitizing Weboob will require completing at least these tasks:

  • Rename the Weboob project to a unique and meaningful enough name
  • Buy new domain names, rename the various things in our infrastructure
  • Rename the WebNip class
  • Rename the various classes that contain Weboob in their name
  • Rename some modules (like popolemploi which refers to penises, bnporc)
  • Create a separate repository for porn or other possibly offensive modules
  • Coordinate with vendors on the rename (Distributions, companies, and the software that uses Weboob behind the scenes)
  • Rename most of the applications
  • Publish a migration guide
  • Come up with a new logo for Weboob
  • Redo most icons, keeping the constraint of parody for legal reasons

This obviously amounts to huge costs, and so far no help has been offered; in fact, my previous calls for merely redoing icons have gone unanswered.

While I personally believe those who ask for a rename are more interested in power play and seek total capitulation for political motives, I have come up with a way to ensure we cannot be scammed by doing all the effort while gaining nothing in return. In turn, sincere people will be rewarded if the plan succeeds.

I personally don’t mind bland software, though some other contributors like the fun aspect of Weboob. However, we have to be sure there is something interesting to be gained for Weboob, instead of being tricked into working for free on boring tasks to please others, which would amount to self-flagellating in public.

Potential contributors who are repelled by the current naming and aesthetic choices of Weboob are welcome to make themselves known. To ensure they are sincere, a monetary deposit will be required, and will be refunded a year later if they have indeed become contributors. If not, the deposit will be taken as a donation to Association Weboob to compensate for the energy wasted.

This operation is done in my name only, and only engages my responsibility. There is no support for it among the community or the association board yet outside of myself.

To be clear, the potential contributors will never have to contribute to “Weboob”, only the sanitized version.

Operating details (subject to change with feedback):

My low cost estimate for all the tasks is around 10000€. I would like the total of deposits to amount to at least that before starting any work.
Since we want to test for sincerity, the amounts don’t have to be the same for everyone, but ideally relative to income.

I won’t take deposits until I am sure the work can start with full support from the community and association board. I suspect the support for a rename mostly comes from the United States, so I will make sure to store those deposits in dollars to shield the potential contributors from EURUSD fluctuations.

As a gesture of goodwill, if one succeeds in becoming a contributor, in addition to refunding the deposit, I will also donate my own money to Association Weboob in their name so they can become a member for free.

Potential contributors should contribute regularly over the year, with activity in the majority of the months, a decent number of new modules, and one non-module improvement. Obviously, the contributions have to be made in good faith, e.g. fixing typos, while always welcome, won’t count toward a contribution in this case.


My experiences with Kwixo

Kwixo is supposedly a response to PayPal, by some French banks.

I tried to use it to allow a simpler way to pay for the Weboob Association membership fee. PayPal is out anyway: given the fees it charges, we’d be lucky to see half of the actual fee make it back to a bank account.

We’ve tried two times. With the first member it failed because it was asking for so many verifications that he gave up. With the second one, given that his bank was one of Kwixo’s partners, it worked. Or so I thought!

After sending me an e-mail telling me it was received, one day later (a Saturday!) they tried to call me[1]. For something that is supposedly on the Internet, why not send an e-mail instead? Anyway, they told me the service was only an exchange between individuals, and since they saw the mention of “Cotisation” in the payment reason I had to register with their Association service by calling another number.

The thing is, I shouldn’t have to do this. This isn’t worth the hassle, and thus will be my last interaction with them. What this story tells us however is that they must get so little business they can still screen all transaction motives, and afford to call people instead of having some sort of semi-automated support system.

Anyway, most of the membership fees have been paid in cash, and the others by SEPA. For more details, see here.

The BitPay option is for people with no access to SEPA, but is unlikely to be used anytime soon. But at least, I was able to explain what I would be using them for by e-mail.

However, I didn’t learn my lesson. I thought Kwixo could work, the other way, as a client. Unfortunately, I forgot to never trust a French bank.

I ordered supplies from a website, and chose to pay on delivery, by using Kwixo as an escrow. After all, it was my first order there, and I could use the extra safety.

They asked for a lot of personal details, to an extent I was never asked before; it already started smelling like a scam. The worst was that they first asked for some documents, which I sent promptly, and they replied after a day that I forgot to send some others, even though they did not ask for them in the first place. This cycle took a whole week, and choked on the fact that my latest electricity bill was deemed “too old”, despite me explaining that it was the absolute latest.

So I told them to go fuck themselves – literally. They did not budge, and I figured they actually never read any text in the mails! So I sent an image showing them to go fuck themselves. It worked; they canceled the order, and I was able to order again without using them. I suspect the people I was interacting with did not even speak French.

This “fraud protection” lost Kwixo a customer, and almost lost the website a customer. Funny thing is, just looking at the order would make any fraud suspicions silly: the total was well below the machine it was for. Why would I steal that when I already paid much more? Is the car dealership afraid clients will steal their pens?

  1. I rarely answer unknown numbers, as I dislike the unsolicited nature of phone calls.

In case you still think banks know what they are doing

Working with Weboob has confirmed my suspicions that banks’ IT departments are clueless (at least the French ones).

It’s not only that they have terrible websites with snake-oil security (i.e. keypads are easily logged; they only bother regular users).

It’s that their approach to security is from another world. When I was working with a client that was a bank a few years ago, they forced on us a lot of stupid things in the name of security, but to make things work the chosen solutions were worse from every point of view, including actual security.

This is not a technical problem; the problem is a lack of technical people where they should be.

The cherry on the cake is the BNP Paribas bank. They have been historically terrible at configuring their DNS server (with a tendency to return a different IP depending on yours, and of course those two IPs gave two different versions of the site… unless one of them was out of commission).
And now, for over a year, they have been forcing SSL connections to RC4 128 bits, which is a known weak cipher. If you try to force something better, the server will reject you!

Banks try hard to be taken seriously, and they usually are. I just can’t help laughing at them.
