Saturday, November 24, 2018

Childcare management service provider Hubworks! shows us how not to deliver SaaS platform

Late this year, the Department of Education and Training required daycare services including Family Daycare services to transition to a fully-eletronic "Child Care Subsidy System" (CCSS). They supply a list of vetted and approved third party software providers to mediate between DET's CCSS and the FDC provider.

Which brings me to "Hubworks!" This company produces a hosted SaaS that amongst other things caters to family daycare services. You will be shocked to hear that this blog is not a ringing endorsement of their wonderful platform.

They managed to:

  • Produce the worst online enrolment form I have ever seen, and I've seen some truly bad web forms;
  • Have their support service ask my partner to send them her password;
  • Write me off as a parent, because there's only one "Primary Parent";
  • Trumpet on their website about all their amazing Web Based Web 2.0 with Bank Level Security while doing all this.

I reached out to Hubworks via support and internal channels months ago to raise some of these issues. I have been ignored and dismissed. My ticket has been marked "Fixed". So it's time to see if their marketing department cares more.

They've been very happy to direct me to seek support via the educator and the family daycare scheme, as "[t]his is policy of HubWorks! that we always direct parents back to the service as we do not provide assistance to families." From my experience so far, they also do not provide any assistance to the service or educators.

Monday, August 7, 2017

Discriminate against me, please!

I have all the advantages - I'm a healthy able straight young-to-middle-aged white man from an educated 1st world background, etc.

I strongly support "affirmative action" including quota systems to address workplace employment balance and diversity. It's important for all of us, including the highly advantaged and privileged. The recent Google memo kerfuffle has prompted me to explain why I would support things that are seemingly contrary to my own interests. But before you read further, please read this brilliant rebuttal of the above memo. (Tolerance is not a moral precept discusses the philosophy in more depth).

Tuesday, August 9, 2016

Gross overconfidence with public data

The Australian Buerau of Statistics is showing all the signs of being grossly overconfident with every aspect of the 2016 Census, bordering on incompetent.

You've heard all about the data retention in broad terms, but what exactly does it mean? And why could it be bad? After all the data is "anonymized" such that personally identifiable data is removed before being shared, right? Their original non-anonymized versions are encrypted and safe in the hands of ABS administration, so there's nothing to worry about.

Well, it's not that simple.

Lets talk about anonymization vs aggregation, how de-anonymization works, and why the "statistical linkage key" is appallingly flawed.

Wednesday, April 8, 2015

ACMA submission on wholesaler data usage

I've just made a submission to the Australian Communications and Media Authority regarding the 48 hour data usage reporting delay that mobile service wholesalers like Optus impose on their wholesale customers. This can lead to incredibly huge bills with no warning and no way to prevent the bill as part of the service.

The TCP ACMA bill shock provisions that came out of the RTC enquiry were supposed to prevent this, but left a huge loophole by permitting "up to" 48 hours delay in usage alerts and reporting. Optus, at least, appears to treat this as "at least 48 hours", failing to report usage until the 48 hour time. It was a limit, not a target, Optus.

The spend management alerts were supposed to be implemented by small providers by September 2014, but they have the same 48 hour exception:

Spend management
  • Suppliers to send notification alerts of data, voice calls and SMS usage within included value plans no later than 48 hours after the customer has reached data usage and expenditure thresholds of 50, 85 and 100 per cent.
  • Suppliers to include additional notification information about charges applying to included value plans when the customer has exceeded 100 per cent of data or expenditure usage

Industry players are seem to be using this to bypass the intent of the code, which was to provide "access to timely, accurate and comprehensible information about their service"


Thursday, July 24, 2014

Active missile defense is NOT the answer for airliners

ABC News (AU) just ran an article about active missile defense on airliners in response to the MH17 incident. It discusses the use of active missile defenses on civilian airliners, but seems to muddle different types of threat and different counter-measure, making it seem like countermeasures might've had some utility for the MH17 incident when that's unlikely to be the case.

Tuesday, July 22, 2014

Jenkins/Stapler: @DataBoundConstructor being ignored, parameter values not passed or null

If you're developing a plugin or patch for Jenkins, which uses the Stapler framework, you might run into issues where you define a new @DataBoundConstructor with an additional parameter, but it just seems to be ignored by the framework.

If so, look for an overridden newInstance method. It's probably being used instead of the constructor annotation.

Monday, March 31, 2014

WifiBaby - First Impressions

I bought a WiFi Baby remote IP camera / baby monitor from last week. It arrived today, and I wanted to share my first impressions.

Even though WifiBaby don't usually sell outside the USA and Canada they made a special effort to send me a PayPal invoice and they even pointed me at the discount code on their Facebook page (or rather, applied it, then told me they'd done so!). Huge props for this, I've never had better sales service.

Overall, the product its self is quite impressive, with a few disappointments that detract from what is overall a very good product.

It turns out to be closely related to the Y-Cam Cube, specifically a YCW003 VGA Y-Cam Cube. Y-Cam tell me it's not quite the same (different casing, somewhat different specs), and alas isn't firmware-compatible.

The good

It works! This much neglected feature is becoming rare in IT products, and should be savoured when found.

It's well presented, well built, and comes with a really solid mounting bracket. The power brick seems to be good quality, too, and supports 110-240V (though of course it has USA prongs).

Supports WPA2. None of that dodgy OFDM we-claim-it's-secure-but-you-can't-verify-it business of the proprietary camera vendors. (OTOH, see "HTTPs" below, it's not all roses).

The device comes preconfigured for DHCP with a sensible hostname (wifibaby) that makes it easily discovered on most routers, and it can be configured entirely via a web browser. A flash applet on the browser can be used to stream video, with the caveat noted below.

Image quality is excellent, with a high res image in both colour & active infrared. You can choose from several levels of streaming quality for different bandwidth levels. Active infrared quality is excellent, with pretty impressive range without too much foreground over-exposure. I cannot stress how amazing the infrared camera is enough.

Plenty of control over things like whether it uses infrared or not, whether or not it uses the IR cut filter, whether it publishes its address over dynamic DNS, etc.

Once connected to the network, setup is quick and easy with the browser based wizard.

Built-in support for dynamic DNS providers for those who don't have one already, and it even comes preconfigured.

Phone support for those who need it.

Wired Ethernet port. Very handy for maximum quality if you have the house wired anyway.

Multi-user viewing support - works extremely well.

Remote access from off-site (but see caveat below re HTTPs, password security).

No security screws, clips, etc. So if (OK, let's face it, when) I take it apart to get at its guts, it should be easy.

Neither here nor there

Initial setup to get it on the wifi is OK, but a bit dated. It doesn't support WPS (Wifi Protected Setup) for automatic setup, it expects you to plug it in over wired Ethernet and run a desktop application to discover the device. The quickstart guide is good, though, so inexperienced users should be OK. You don't have to use the app, either, you can just find the address it got over DHCP and visit that with a web browser. (Update: it looks like the current Y-Cam firmware supports WPS, but maybe WifiBaby haven't updated to it yet, despite WPS being added in August 2013 in firmware 5.46).

The web UI is crude but functional. Not much attention has gone into usability, but it's simple enough that that's OK.

Some apps support remote control of the infrared feature, etc. Awesome, except you have to buy 3rd party apps to do it, the browser based Flash app doesn't do it.

Ordering from outside the USA is a little bit of a pain and a bit pricey because of shipping, but on the other hand, they did it when they'd normally not ship at all. Try that with Amazon! (Update: Actually, you can).

The price. The base Y-Cam hardware (if I'm right about that) runs a newer firmware that doesn't seem to lack any functionality present in the WifiBaby and adds some more; it also costs 3/4 as much. Of course, you're not getting personal USA based tech support for that, nor the great sales service WifiBaby provide. Pick your priorities I guess.

Not so great

The camera doesn't seem to support HTTPs. Not impressive for a device that supports UPnP to open up a hole in your firewall for remote access - you have to send the credentials in clear text. They should fix this, especially since it defaults to being Internet accessible with a non-randomly-generated password.

The microphone is fairly poor, and it lacks a socket for an external microphone. That's a serious omission.

The infrared cut filter makes a less than quiet "click" noise as it switches in or out. It's not super loud, but it's sharp, sudden, and plenty loud enough to be disturbing. Not good in a baby product. The device does allow you to turn the use of the filter off, though.

There's over two seconds of time lag on the Flash based mobile viewer. This lag doesn't occur to anywhere near the same extent when using mobile devices that stream video from the device.

It doesn't make you generate a new password or enter a new one when you set it up. That'd be OK ... if it didn't also default to opening a hole in the firewall for streaming video. I can understand this one from an ease of support point of view, but think it'd be a lot better to offer a password reset that only worked on the local WLAN or via a wired connection and then encourage the user to generate or enter a better password/phrase.

It doesn't seem to enter much of a low-power mode, producing a fair amount of heat when not actively streaming. I hope it copes OK with the Western Australian summer.


In my opinion the vendor doesn't do a very good job of making it clear that the advertised mobile device support requires extra-cost third-party apps. The prices are shown in the apps section of the site, but there's no reference to them being extra cost where the mobile features are listed on the camera product page its self, though the page strongly highlights the features that are only available via those mobile apps. Mobile device logos are prominent, but lack telltale asterisks. It'd be nice to see this made more prominent - or alternately, for the vendor to license these apps and bundle rebrands of them with preconfigured detection of the wifibaby, which would make setup nice and smooth too.

There's no GPL compliance notice in the box, on the camera web page, or in the CD, but it appears to run Linux 2.6.x. I will be taking this up with the vendor. I could be wrong, so don't get too excited, especially as the distributor probably doesn't know anything much about the firmware produced by the manufacturer. (Confirmed by email discussion - I've sent them some information and guides, and will wait to see if anything happens.)

I've sent WifiBaby, and the hardware vendor Y-Cam, links to:

... so we'll see if anything happens there.

Feature wishlist

Talk-back / two-way audio. In a high end baby monitor. I'd really prefer to have this, and many IP cams support it, so it should not be overly hard (as anyone who's never done something always says, right?). They don't claim it supports two-way anywhere, so I didn't expect to have this feature, but it's something I'd like to see appear in a future version.

External microphone port, or a decent quality mike.

Quieter IR cut filter switch over.

HTTPs. Seriously.

Rate-adaptive streaming.


I've since found a similar looking device, which looks like another OEM rebrand of the same IP camera, sold as BabyPing. It's from the same manufacturer according to WifiBaby (update: That's Y-Cam), but unlike the WifiBaby it's a cloud-based device. So, y'know, security/privacy issues there.

The HomeMonitor is also a Y-Cam rebrand. It seems to be another version with a custom firmware reliant on a cloud service.

The Y-Cam cube its self, mentioned above, may be a good option to consider.

Jaycar sells what looks like a previous revision of the same sort of camera for less than a third of the price and has two way audio. Of course, it's probably rather primitive in image quality in comparison, too, and won't come with the same goodies.