fidzu : RubyOnRails

A little over a year ago I wrote up some instructions for deploying drupal sites using capistrano. It's proved a popular entry, still getting a good bit of traffic, but in the time since I wrote it Capistrano 2 has joined us and my techniques have moved on, so it seemed high time I updated [...]

23 Jul 2008 3:07pm GMT

There's something about this picture that encapsulates everything I love about San Francisco.

The eclectic mix of people, trading my car for public transportation (drop-top trolley!), views worthy of a Gap commercial, palm trees seemingly unaware of the cold, all the while heading towards the Farmer's Market bringing back memories of growing up in the Midwest. There's a bunch of internet people here, too, believe it or not :-)

Do yourself a favor and visit this city, I'll be in North Beach if you want to say hi.

23 Jul 2008 2:06pm GMT

Consulting firm Contrast talks about their upcoming app, Exceptional. Mike Gilbert of XLCRS talks about using Rails to solve everyday problems.
From Dublin, Ireland.

Sponsor

23 Jul 2008 6:36am GMT

Esquire's E Ink Cover

23 Jul 2008 2:10am GMT

update Several people have mistakenly thought my slightly tongue in cheek title to mean that I'm one of the part of the fringe paranoia groups here. While the USDOJ did bring down e-gold. The term "The Man" as well as the use of references to Black Helicopters were an attempt to caricaturize those paranoia groups. Now where did I put my tin foil hat.

e-gold is an 100% gold backed electronic currency. It revolutionized the electronic currency world using pretty simple double entry book keeping technology backed by currently 2.54 metric tons of gold and innovative legal structures to keep it safe. They are in the news today and there are lots of things startups can learn from their story about trust, innovation, legal structures, transparency and how not to deal with regulators.

It is with sadness I today read Douglas Jackson's blog post outlining the final blow to e-gold by the US government. It felt like this wasn't written by Doug, but by Doug with the NSA's secret alien mind control device implanted. In reality the mind control device used was the threat of 20 years of jail and a half million dollar fine.

Also as I write in the Agree2 User Agreement:

We are men of principles, but stronger men than us have changed principles with 3 hovering black helicopters over them. If you know what I mean.

This is a case where probably a bit more than 3 hovering black helicopters were hovering over them. So I guess we can only feel sad and hope the best for Doug and his family.

The Charge

The government had been after them for a while and where they finally got them to plea bargain admitting "Conspiracy to Commit Money Laundering" and "Operation of an unlicensed Money Transmitting Business". The real important of the two was the Conspiracy to Commit Money Laundering charge, which has nothing to do with Douglas Jackson carrying suit cases filled with $100 bills into banks in the Cayman Islands. It is failure to do "Know Your Customer" or KYC as it's known in the financial industry.

Know Your Customer

KYC requires financial institutions including money transmitters to know who their customers are. This can involve simply showing your id when you open an account in the US. Other jurisdictions such as Panama are way more conservative requiring bank references, lawyers references, information about your assets etc. In the US PayPal innovated by inventing that tiny authenticating payment to your bank account, which seems to be enough KYC for single purpose financial institutions such as payments and savings.

KYC since it was introduced in the late 90s as a requirement has been the single most destructive concept for innovation and startups in the financial space. e-gold was the last proud hold out against it as it went so against the principles of their operations. You could pretty much open any amount of accounts that you wanted to without any real documentation.

E-Golds innovation in Governance

Where e-gold truly innovated was their governance model. This is also what makes it so difficult to add a PayPal like KYC step to their technology. e-gold is built up of several different legal structures who are independent.

Gold and Silver Reserve Inc (G&SR) is the parent company of it all and run by Douglas Jackson. In 1999 they did a major restructuring, which is outlined in their e-gold Account User Agreement

The e-gold Ltd a company registered in Nevis in the Caribbean operated the book entry system. The book entry system is basically the servers containing the accounts and transactions. This is what you see when you go to the e-gold site. This site also has an innovative examiner tool as seen in the screen shots above and below:

The e-gold Bullion Reserve Special Purpose Trust is a little understood but very important part as they actually hold the title to the gold on behalf of account holders.

After that there are the 3 different gold repositories Brinks, Transguard and MAT Securitas Express AG who hold physical bars of gold in London, Zurich and Dubai.

OmniPay is the primary "exchange provider" or interface between the e-gold system and the outside world. This was/is operated directly by G&SR out of their offices in Melbourne, FL. If you wanted to buy or sell large amounts of e-gold you essentially wire them the funds and they provided you with gold in your e-gold account. From what I understand OmniPay was pretty thorough doing KYC.

Transparency and real time auditing by users

Since very early days. Probably earlier than 1998 e-gold has offered several levels of transparency that are still unheard of. When I was working in the payment space myself I liked to look at these as "live audit" tools as normal users can keep an eye on the system.

The most important tool is the e-gold Examiner which presents a live view of the accounts of the entire e-gold system. Many of the screenshots in this article come from the examiner. You can see how much Gold, Silver, Platinum and Palladium is held (the assets) and how much is in circulation or held by users (the liabilities).

Scrolling further down you can see how much is held at each repository. You can further drill down on these to see information about the exact bars held at each repository. This info includes the Brand, serial number, purity and exact weight of each. All of this information is verified annually by the auditors report.

Another interesting audit feature is the e-gold system statistics page. This contains interesting live statistics of the accounts and transactions held. As you can see there is still quite a lot of activity going on, however the amount of spends (transactions in e-gold speak) has gone down.

Account Holders

There are finally two other parties to the whole structure, the individual account holders and the independent exchange agents.

A key difference between e-gold and a bank is that as an account holder you actually own the gold in your account. When you deposit money in a bank account you strictly speaking don't own it anymore. You lend it the bank. For this the bank pays you interest. This leads to the risks that we're seeing again now when banks go bust depositors lose money. There are various band-aids such as FDIC to insure against this, however it is not perfect. Douglas Jackson could never touch your gold, reinvest it, sell it or otherwise.

In e-gold all transfers are final, which is one reason it became popular originally as an alternative to PayPal. The only way this can be done is by being at more than arms length distance from the banking system. The US banking system allow charge backs of just about any payment. So lets say you receive a wire of $100,000 from an investor. AFAIK theoretically speaking he could cancel that wire within a year. Foreign banks are normally the ones who are hurt most by this, but they grin and bear it. In e-gold one such chargeback could undermine the stability of the system.

Independent Exchange Agents

The Independent Exchange Agents was a very innovative idea that e-gold thought up as part of their reorg in 1999 to achieve this seperation of concerns. OmniPay would focus on large exchanges with established known players, but small independent local exchange providers would exchange between local currency and e-gold. Jackson and co decided from the beginning not to certify or regulate this, but rather let the market work it all out. This was extremely innovative, but might in the end have been one of the downfalls of the system. Theoretically this pushes legal compliance in each jurisdiction out to these exchange agents, but many of these were not following their local rules.

IceGold was an example of a really well run Exchange Agent run by Paul Vahur out of Estonia. Paul and his team would let you buy and sell e-gold at 2% below or above respectively of the official e-gold spot rate. Unfortunately a notice on his site says that they have been hit by the dreaded KYC as well:

Due to the adoption of Estonia's new Anti Money-laundering Law on Jan 28th 2008 we have decided to stop providing exchange services. The new law requires exchangers of alternative payment systems - such as IceGold - to identify all customers face to face.

Besides good guys like Paul, there were lots of instances with fraudulent exchangers. Several industry associations such as GDCA were set up to certify exchangers, but a quick google search shows me that there are still many around that don't exactly ooze trust. That said the Gold Pages Electronic Currency Directory still has 154 exchangers listed.

It also led to the development of a whole series of "Autoexchangers" which let you exchange e-gold automatically for other electronic currencies such as WebMoney. In his blog post Doug knowing well that he can't force them to stop yet pleads:

We are requesting that autoexchangers - even though the technical beauty of the autoexchanger concept is sublime - cease supporting exchanges to or from e-gold for the time being. The problem with the autoexchanger concept is that although the autoexchangers themselves may be perfectly compliant with requirements [promulgated by Webmoney and e-gold] to automatically put tracking data in their memo fields, and despite the fact that Webmoney is also committed to aiding in the suppression of cybercrime, the fact is that a substantial proportion of the cybercriminals that abuse e-gold have evolved into a modus operandi that involves autoexchanging possible proceeds of crime into Webmoney, sometimes within minutes of receiving the value, thus making interdiction a matter of catch-up or closing the barn door after the horse is gone.

Good Innovation

In the end the freedom that the lack of KYC and knowing that all transfers are final encouraged lots of innovation. People built special purpose currencies on top of e-gold. An online Casino created a series of bonds as an experiment that paid back depending on how many hands were plaid during the lifetime of the series of bond. Lots of small merchants as well as sites like Get a Freelancer accept e-gold due to both perceived and real pain accepting PayPal or Credit Cards.

Bad Innovation

All of this freedom also fit great with a less nice but highly profitable set of scams known as High Yield Investment Programs or HYIP's as well as other Ponzi like scams. These programs often claim to pay %100 interest over a period of a few weeks. There are 1000's of them out there and many of the use e-gold. E-gold was perfect. The two aspects that encouraged innovation lack of KYC and lack of charge backs made it easy for scammers to rob money from financially uneducated people.

The e-gold mailing lists were filled with people analyzing the E-Gold Stats page for any variations. Often they noticed large increases in a certain transaction size and you could guess that another popular HYIP was making the rounds.

All though e-gold claims that they have helped law enforcement bring hundreds of criminals to justice there are thousands more small and large crooks that have slipped through the cracks and this is likely why the US Justice Department started this case.

However following that do you need to charge the Federal Reserve Chairman for conspiracy to money laundering just because US currency notes are one of the most common instruments of payment used in criminal acts. Or if you look at e-gold as a merely a web service intermediary should Sergey and Larry also face personal criminal charges because lots of Ads for scams and illegal products are placed using Adwords?

Personally I am against the case but I find it was pretty much inevitable. To create such as system even partially on US territory is pretty much impossible. While the key aspects such as the trust and gold holdings being held outside the US as long as you have one toe in the US you are an easy target.

I was personally involved in creating an alternative currency system in Panama and I really wouldn't even recommend doing anything like e-gold in most of the traditional offshore jurisdictions such as Panama or Cayman Islands as they have way more difficult KYC requirements now than US and EU jurisdictions. The best bet is for you to do it within a major jurisdiction and follow the regulatory pain.

Alternatives

Several alternatives exist to e-gold:

Webmoney is probably one of the safest bets right now outside the US as they being in Russia are unlikely to bow to pressure from the US and EU. The downside of this of course is the image of anything todo with money and Russia. I don't known anything about them really except they've been around for a long time and seem stable. They also seem to have figured out a way to create trust in a very low trust society such as Russia.

GoldMoney is another good alternative to e-gold. They are gold based and have the same no charge back policy. There are many, many similarities between them and e-gold. However being pragmatic they instituted strong KYC practices early on and AFAIK don't allow independent exchange providers. You have to go through certain certified exchange agents.

They are regulated by the Jersey Financial Services Commision which probably means they are safe in EU. Their principals are in the US, so they could theoretically be hit by the "Operation of an unlicensed Money Transmitting Business" charge. However PayPal was hit by this and are still in business. I think as long as they are strict with KYC they will remain in businesses. This strictness though has meant that not quite as much innovation has been going on with GoldMoney as with e-gold. Granted far fewer scams have been perpetrated with GoldMoney as well.

PayPal is still around and is still the number one player in p2p and small business electronic payments (I think). Several interesting applications have been built on PayPal. That said lots of small businesses have had their businesses destroyed due to over reliance on them. Just google PayPal sucks for examples.

The interesting new player for startups wishing to innovate in e-commerce applications is Amazon's Flexible Payment System which opens up all kinds of interesting applications. It is very similar to the payment system I was working on in Panama. I am personally very interested in trying it out and will report back in the future on this.

Amazon has built up solid knowledge of seemingly half the world so KYC is way easier for them than for just about anyone else. This doubled with their operational experience in handling their own internal payments can only bode well for them in the future. Due to the interlinking with the traditional financial system charge backs are almost certainly still a problem, but they do have various interesting features for managing this risk.

An even more interesting new trend is that many FaceBook Applications are now financing themselves with their own virtual currencies. They sell currency units and/or allow people to earn them. Then they sell virtual products such as virtual flowers to their users. It will be interesting to see how this moves on and if some of them eventually will get hit by overzealous regulators.

The Legacy of e-gold

The innovations in governance that e-gold spear headed made e-gold a trusted system. It is still operational today, except that you can't create new accounts. Doug has done all kinds of bad moves in the past such as when he sued my old pal Ian Grigg and another friend of mine Charlie Evans in 2001. I was present at the EFCE conference in Edinburgh when they were both served. Doug and G&SR lost the case.

It is pretty interesting thought that even after this and other stupid moves by Douglas Jackson, people still had trust in the system. It will be interesting to see what happens in the e-gold economy in the coming months while they build KYC into the system.

Lessons for startups in 2008

Lessons that web startups can learn from this are i think in particular about governance and transparency. If people are relying on your service you need a user agreement that protects your users against you. Real time public statistics can also go a long way in providing transparency and trust in your system. It might even make it easier for you to get investors.

I wrote about e-gold earlier in How Doug took on the US Dollar. I should probably disclose that I have met Doug and several other people from the team during a visit to their offices in Melbourne, FL in 1999. I currently have probably less than a grams worth of e-gold in my account with a very low account number. I haven't logged in to it in years.

update Ian Grig whom I mentioned earlier comments on the case

Create a simple NDA with zero legalese in no time at all and for free at our service Agree2.

23 Jul 2008 12:48am GMT

Reading web pages on the iPhone is a very different experience than reading them the desktop version of Safari. Some things (like entering text and so on) are inevitably slightly more awkward because of the onscreen keyboard. But there's one thing in particular that I'd like to see in the full version of Safari: zooming in on page elements. For those who haven't used Mobile Safari, each page is initially displayed full width, which for most pages results in tiny text, but means that you can see at a glance the layout of content on the page. The magic comes when you double tap a page element like a column of text: it expands to fill the entire width of the page, which for most pages I've tried makes it perfectly readable. It also -- and this is why I want it in desktop Safari -- removes any of the other distractions on the page. This is perfect when you're reading typical sites with sidebars and other content at the side of the page, and is particularly good with online news sites where you have flashing adverts and other distracting elements to either side of the content.

It's the web browser equivalent of 'full screen mode' on a text editor, and I'm rather addicted to it. So much so that I tried double clicking a column in desktop Safari earlier today to concentrate on what I was reading.

22 Jul 2008 11:05pm GMT

Internationalization (i18n) is a tough nut to crack and has long been handled in Rails by a variety of plugins. Thanks to a concerted effort by the Rails i18n team we now have a standardized framework for providing internationalization.

Rather than rehash what's already out there, head over to Sven's writeup of the new Rails Internationalization framework for the skinny.

It's important to note that this does not provide actual language translations but merely a way for you to plug in other translations and internationalization implementations into your app.

tags: ruby, rubyonrails

22 Jul 2008 9:41pm GMT

If you're headed to OSCON 2008, I hope I'll have a chance to meet you. I'll be speaking on Thursday afternoon, something about Ruby performance. Come and heckle me if you wish. Here's the talk details:

• Who Wants a Faster Ruby?
• 07/24/2008
• 2:35pm - 3:20pm PDT
• Room: F151

Also, please do come check out FOSCON. This is the 4th year for FOSCON. w00t.

22 Jul 2008 3:49am GMT

I'm back from Rubyfringe which was hands down the best conference i've been to.

Pete Forde asked me to present on memcached (mem-cache-dee) after my popular blog article Secret to memcached. The talk covers different use cases such as simple html snippet stores to advanced expiry systems such as generational cache keys.

Every talk at rubyfringe was taped so I'll update this space with the video once its online. In the meantime enjoy the slides which probably make zero sense on their own.

Download the PDF or watch it on slideshare:

P.S: 30 minute is the ideal length for talks at a Tech Conference.

21 Jul 2008 2:37pm GMT

Secrets of book publishing I wish I had known: Secrets of book publishing I wish I had known

21 Jul 2008 12:06am GMT

There won't be a Living on the Edge this week, but you won't be starved for info because the Rails community is keeping up.

Ryan Daigle has been keeping up with some of the changes on edge Rails and has done a few awesome explanatory posts on them:

• Easy memoization with ActiveSupport::Memoizable
• Nested model mass assignments
• Metaclass accessor (aka the eigenclass)

Perhaps even more noteworthy is the introduction of I18n (internationalization) support to Rails core. Sven Fuchs explains the technical details and API as well as the history of Rails and I18n. I18n support is scheduled to be fully stable in the Rails 2.2 release. Have an interest in internationalization in Rails? Lend a hand with your ideas, feedback, and patches at the Google Group.

20 Jul 2008 4:38pm GMT

One of the dubious pleasures of being an academic is the annual graduation ceremony. On the one hand, it's lovely to see the students you've taught graduating and celebrating their success. On the other, you have to sit through an awful lot of names being called out and hands being shaken. You also have to wear an academic gown and mortar board, which is downright weird when your usual attire consists of jeans and t-shirts. All Universities have different colours for their gowns, and the Oxford PhD gown is spectacularly lairy. It's bright scarlet and electric blue, so you march solemnly into the hall looking exactly like a female eclectus parrot. In a hat.

The Birmingham ceremonies are quite nicely done, and we even get a brass fanfare as we process into and out of the Great Hall. I don't know if it's a long-standing tradition, but the music going in to the Hall is usually fairly solemn and a bit pompous. The music for processing out of the Hall, on the other hand, is often hilariously (and deliberately) inappropriate¹. One year we got the theme from the Dambusters, and this year -- hilariously -- it was the theme from Thunderbirds. I can't speak for my colleagues, but it was all I could do not to imitate a Gerry Anderson puppet walk, or pretend to that I was flying Thunderbird 2. Imagine that: a female eclectus parrot, in a hat, flying Thunderbird 2. You can't say that the Univseristy of Birmingham graduation ceremonies aren't memorable.

¹ One thing that I love about Brummies and the ethos of the city of Birmingham as a whole is that they refuse to take themselves too seriously. There's a constant level of dry wit and self-mockery that I like a lot. ↑

20 Jul 2008 4:15pm GMT

The ActiveSupport library now has a little nugget worth mentioning - a metaclass accessor available everywhere as metaclass.

Not sure what a metaclass (or singleton class, or eigen class) is? Let Ola explain it to you.

tags: ruby, rubyonrails

20 Jul 2008 4:48am GMT

Nested models (nested forms by another name) describe the scenario when you want to create and modify values of nested attributes through a containing model. For instance, if you have an user model with many phone numbers:

1
2
3
4
5
6
7
8
9

class User < ActiveRecord::Base
  validates_presence_of :login
  has_many :phone_numbers
end

class PhoneNumber < ActiveRecord::Base
  validates_presence_of :area_code, :number
  belongs_to :user
end

you may want to be able to create the user and a group of phone numbers at the same time. This is what this looks like with the new mass assignment functionality of Rails keyed off of the :accessible option of the association declaration (:phone_numbers, in this case).

1
2
3
4
5
6
7
8
9
10
11
12
13
14

class User < ActiveRecord::Base
  validates_presence_of :login
  has_many :phone_numbers, :accessible => true
end

ryan = User.create( {
  :login => 'ryan',
  :phone_numbers => [
    { :area_code => '919', :number => '123-4567' },
    { :area_code => '920', :number => '123-8901' }
  ]
})

ryan.phone_numbers.count #=> 2

A single hash of values being sent to User.create results in both a new user object and new associated phone numbers. Previously, you would have had to manually create your own phone_numbers= setter method on user to get this same functionality:

1
2
3
4
5
6
7
8
9
10
11

class User < ActiveRecord::Base

  ...

  def phone_numbers=(attrs_array)
    attrs_array.each do |attrs|
      phone_numbers.create(attrs)
    end
  end

end

Mass assignment now gives you this functionality for free.

This may not look like much, but it is a step in the direction of letting you use nested forms. Consider a user registration form where a user can enter their login name and their phone numbers in the same form (through the use of fields_for which will bundle nested model attributes into a single form):

1
2
3
4
5
6
7
8

<% form_for @user do |f| %>
  <%= f.text_field :login %>
  <% fields_for :phone_numbers do |pn_f| %>
    <%= pn_f.text_field :area_code %>
    <%= pn_f.text_field :number %>
  <% end %>
  <%= submit_tag %>
<% end %>

This form, when submitted to the following standard RESTful UserController, will correctly create the user and its associated phone numbers through the beauty of mass assignment.

1
2
3
4
5
6
7
8
9
10

class UserController < ApplicationController

  # Create a new user and their phone numbers with mass assignment
  def new
    @user = User.create(params[:user])
    respond_to do |wants|
      ...
    end
  end
end

Mass assignment can be used on all association types - :belongs_to, :has_one, :has_many and :has_and_belongs_to_many as long as the :accessible => true option is specified.

This is a very convenient addition to ActiveRecord, but the real zinger will come with full nested form support when you can create, update and delete these nested models directly from what is pushed down in the parameter hash of a form submission. This would allow for the functionality in this complex forms screencast with minimal hassle. What a fine day that would be.

tags: ruby, rubyonrails

20 Jul 2008 4:30am GMT

The schedule for RailsConf Europe sessions have now been made public. If you still haven't signed up to go, there is still time to make it. This is the last year we'll be in Berlin, so it's a great time to come by.

20 Jul 2008 12:07am GMT

I launched TimeCert a few years ago and haven't given it much love since. Now I'm pleased to announce the official relaunch of it.

TimeCert is a really tiny and light web application that does one thing and does it well. It records and presents the time it first saw something. If you look at the bottom of this post you can see a small TimeCert iframe which tells you the first time timecert saw this article.

The main application of this is really for intellectual property protection. But there are also various other applications. Lets say you've been blogging about an idea for a while and all of a sudden someone hits you with a Patent Infringement Suit. You know it could happen. Well TimeCert provides evidence as a trusted third party that you actually wrote your blog posts when you did.

One thing to remember though is that TimeCert can't back date any existing content. It only knows the first time it was presented with the data.

API

The API is so simple that it's not even funny. First of all you need to create a SHA1 hex digest of the data you want timestamped. This is easy in most languages. In Ruby it's:

require 'digest/sha1'
@digest=Digest::SHA1.hexdigest @your_data

Just perform a HTTP GET to TimeCert to one of the urls below changing DIGEST to the digest you created above:

• http://timecert.org/DIGEST for end user link
• http://timecert.org/DIGEST for use in an iframe
• http://timecert.org/DIGEST.time for a plain text file with ini style parameters
• http://timecert.org/DIGEST.ini for a plain text file with ini style parameters
• http://timecert.org/DIGEST.xml for xml
• http://timecert.org/DIGEST.yml for yaml
• http://timecert.org/DIGEST.yml for json

The easiest way to use it in a web application is to embed an iframe in your page like I've done here:

<iframe src="http://timecert.org/a94a8fe5ccb19ba61c4c0873d391e987982fbbd3.iframe" width="450px" height="30px"></iframe>

This saves you from manually doing a TimeCert request as the timestamp is created on the TimeCert server when the page is displayed the first time.

Best practices in Rails

To do this from Rails first create a digest method on your model:

  def digest
    Digest::SHA1.hexdigest("#{title}\n#{body}\n#{extended}")
  end

Note this is from my blog, I've decided that the important content in a blog article is title, body and extended. I'm also using the raw textile data to create this. This is the safest as an update to a textile library could change the digest completely and thus create a newer timestamp.

You could also create a separate digest column and updated it an before_save. I'll leave that task as an exercise to the reader.

Next create a helper method:

  def timecert_link(article)
    "<div class=\"timecert\"><iframe src=\"http://timecert.org/#{article.digest}.iframe\" width=\"450px\" height=\"30px\"></iframe></div>" 
  end

Now you can just include it in your views like this:

<%=timecert_link(article)%>

It would be great if someone with PHP/Python experience could create a similar example. I would expect it to be extremely simple to create a WordPress plugin to do this automatically, if someone is up to the challenge.

Open Source

This is not really a money making operation, it's just a service that I feel is important to have. Therefore I've open sourced it and you can find it on GitHub. I think this is an important part of being trusted. This allows anyone with ruby knowledge to verify that I'm not doing anything strange. It also opens it up to potential competitors, which I'm absolutely cool about.

TimeCert is written in Ruby using Merb and DataMapper.

Share your confidential code safely with a Source Code Confidentiality Agreement on our free web service Agree2

18 Jul 2008 12:58am GMT