Archive for the ‘Complaints’ Category

Finally…

Friday, January 2nd, 2009

Google is actively encouraging Gmail users to replace IE6 with something more modern. It’s about time. As a developer who has to support old browsers, the faster we can get people off IE6 the better. It’s been too long already.

Passwords in the Clear

Wednesday, November 19th, 2008

I recently made a purchase on MacUpdate and as part of the purchase I was required to set up an account with them (username, password, etc.). Annoying, but all well and good until I received both my username AND PASSWORD in the clear from them in the same confirmation email.

For most people, the reasons that this is very bad should be obvious, but for those for whom it’s not, here are a couple of reasons why this is not good.

First, both my username and password were sent unencrypted across unsecured mail relays. At the very least, they should never be included in the same email, since splitting them up would force a potential attacker to put together several pieces of communication to get all the information needed. Regardless, user-created passwords should NEVER be sent to a user, as they very well could be reused for other things. If you must send the user a password, it should only be a randomly generated password to which the account has been reset. It would be best if this randomly generated password expired automatically if the user did not go in and change it to something personal on the site.

The second, and perhaps less obvious, implication is that the fact that you can send me my own password tells me that you are either storing my password in your database unencrypted or with reversible encryption. Again, this is a bad idea. (I confirmed that they didn’t just send the password from the initial form by requesting that my password be sent to me after the initial registration.) You should always store a password using a one-way function (a hash) and then validate login attempts by taking the supplied password, applying the same transformation to it, and comparing the result to the stored hash. This has the benefit of preventing an attacker from obtaining the actual passwords from your system in the event that you are compromised.
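The hash-and-compare login flow described here, together with the expiring random reset password suggested above, as an added Python example (this is not MacUpdate’s code; the in-memory user table, the PBKDF2 work factor and the 15-minute reset lifetime are assumptions chosen for the demonstration):

```python
"""Store only a salted one-way digest, and reset to a random password that expires.

Added example, not code from the site discussed. USERS stands in for a database
table; PBKDF2_ITERATIONS and RESET_TTL_SECONDS are assumed values.
"""
import hashlib
import hmac
import os
import secrets
import string
import time
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000      # assumed work factor for PBKDF2-HMAC-SHA256
RESET_TTL_SECONDS = 15 * 60      # assumed lifetime of a generated reset password
ALPHABET = string.ascii_letters + string.digits

# Stand-in for the user table: username -> {salt, digest, reset_expires}.
# The record never holds the password itself, so the site cannot mail it back.
USERS: Dict[str, dict] = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way transform: the digest cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(username: str, password: str) -> None:
    """Keep a fresh random salt plus the digest; the plaintext is discarded."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "digest": hash_password(password, salt),
        "reset_expires": None,  # set only while a generated reset password is active
    }


def verify_login(username: str, password: str, now: Optional[float] = None) -> bool:
    """Re-hash the supplied password with the stored salt and compare digests."""
    record = USERS.get(username)
    if record is None:
        return False
    now = time.time() if now is None else now
    expires = record["reset_expires"]
    if expires is not None and now > expires:
        return False  # the temporary password was never changed and has expired
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def reset_password(username: str, now: Optional[float] = None) -> str:
    """Replace the credential with a random one that expires unless changed.

    Returns the plaintext exactly once so it can be sent to the user; only its
    digest is kept on file.
    """
    now = time.time() if now is None else now
    temp = "".join(secrets.choice(ALPHABET) for _ in range(16))
    salt = os.urandom(16)
    USERS[username].update({
        "salt": salt,
        "digest": hash_password(temp, salt),
        "reset_expires": now + RESET_TTL_SECONDS,
    })
    return temp


def change_password(username: str, current: str, new: str,
                    now: Optional[float] = None) -> bool:
    """Let the user pick a personal password; this clears the reset expiry."""
    if not verify_login(username, current, now):
        return False
    salt = os.urandom(16)
    USERS[username].update({
        "salt": salt,
        "digest": hash_password(new, salt),
        "reset_expires": None,
    })
    return True


if __name__ == "__main__":
    create_account("alice", "correct horse battery staple")
    print(verify_login("alice", "correct horse battery staple"))  # True
    temp = reset_password("alice")
    print(verify_login("alice", "correct horse battery staple"))  # False, old secret replaced
    print(verify_login("alice", temp))                             # True until the reset expires
```

Because only a salt and digest are on file, a "send me my password" feature simply cannot be built on top of this store; the best the site can do is what reset_password does, which is exactly the behaviour argued for above.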

This isn’t even getting into more advanced ideas for securing pages (not having the username/password fields on the same page, for example), but rather just the very basics of not throwing sensitive information out onto the network.

Anyway, needless to say, I was very annoyed at all this and sent them an email criticizing their security practices. I also asked them to remove my information from their systems as this is likely an indication of their security practices in general. Anyone who has done business with them in the past may wish to consider doing the same thing.

Left-turn Madness

Sunday, June 8th, 2008

Shanley has posted a great rant about red left turn arrows in controlled intersections. Anyone who has driven in a car with me in Woodbury has probably heard a similar complaint (in addition to all the swearing).

Shanley frames the question in terms of political ideologies (big brother versus democracy). I tend to think of it more as an interesting technical problem, as I have some vision-based sensing ideas that could make the light algorithms more efficient in low traffic density situations. Either way, right now it’s just dumb.

Full Circle

Saturday, December 22nd, 2007

I remember a year or two ago when I discovered Digg when linked from a Slashdot article. At the time, I was bored with Slashdot because the churn wasn’t fast enough and I had some serious time to waste while I avoided school and working on my thesis. Digg seemed like a savior with its endless supply of interesting stories that had a bit more variety than Slashdot but also covered the great technical topics that I loved.

Fast forward to today, and I’m moving back to Slashdot as my primary news feed. Digg today is full of so much junk it’s not interesting to read anymore. There is a huge social and political bias, but worse than that 90% of what you find there is random pictures of stuff that’s only somewhat entertaining.

I think we’ve observed a unique point in history. For years and years, pictures and video were accumulating without an outlet to share them with more than a few close people. Then sites like Digg and YouTube burst on the scene and allowed all this funny and interesting content to be viewed by the masses. The problem is, we quickly got through all of that content, and there is no way for the world to produce that much on an ongoing basis, so everything got stale.

A similar thing has happened with Facebook. This one could be more related to the fact that as you leave school, these social networking sites become less interesting, but I think the problem is more related to the applications that were introduced to the platform less than a year ago. I can think of lots of great ways to use this API for things that are useful, but it turns out that’s not what the masses want. The masses are interested in turning people into zombies, taking movie quizzes, and giving each other virtual free drinks. Yep. That’s about it.

Turns out the problem with these social technologies is that society, as a whole, is not that interesting. I’ll take the endless stream of stories about Linux making inroads on the desktop over that any day.

Congrats, Shoe, I’ve just validated your opinions.

Outlook Cannot Merge Contacts

Tuesday, October 2nd, 2007

Outlook is a professional-grade messaging tool, right? So one might be able to imagine that with the thousands of contacts people accumulate, they might get into a situation where they enter a person’s data into two separate contacts. Now, one might think that there would be an option to merge two contacts into one (I mean, Microsoft CRM has that feature, Plaxo has that feature, heck, even the not “professional” OS X Address Book has that feature built in).

But no.

There are plugins that can help you eliminate duplicate contacts, but nothing that I can find built into Outlook 2007 natively. Oh, to dream…

We’ll Never Need the Draft Again

Friday, March 23rd, 2007

Our parents had to worry about being drafted to serve in Vietnam when they were young adults. The military has a much better strategy these days. Instead, now they try to trick people into enlisting with strategically placed ads on CareerBuilder. For example, you log in to your account, and before it takes you to your profile, it shows you a form with most of your contact information filled in, and all you have to do is click the largest button on the screen and an Army recruiter will contact you personally. To continue to where you expected, you need to locate the smaller “No, just continue” elsewhere on the page.

“You know, I was just trying to log in to my CareerBuilder.com account, but instead, I think I’ll join the military…”

The site does the same thing during the job application process. It’s actually worse there, because you’ve just been through the process of filling in a bunch of forms, and this one pops up at the end. If you don’t look carefully, you’ll just fill in the information and submit it.

On the upside, CareerBuilder.com will actually let you delete the account straight from their website. If you go and edit your contact information, there is a convenient link to delete your account. Nice and simple. Now was that so hard, Monster?

Mark of the Beast

Friday, March 23rd, 2007

For those of you who don’t know, I’ve just completed a job search and this morning I thought I’d try to go in and delete my accounts on the career websites I’ve been using. Simple operation you might think, but so far I’m 0 for 2.

The first site that I had to deal with was 3M. My first complaint there was that I kept receiving job postings from my “job agent” but the emails didn’t contain a link to unsubscribe from the mailings. Things got worse as I logged in, as I couldn’t find a way to delete my account (I was able to unsubscribe from the job agent, though). My solution here was to just enter bogus information. I’m now Big Bird at 651-555-5555 along with a bogus email address. Thankfully, they didn’t have much information on me, so it wasn’t too much to falsify.

The bigger challenge came when working with Monster.com. Now this is one of the best known career websites. You’d think they’d have easily accessible options for removing your information from their databases. No. I’m almost positive this is intentional. Some business genius figures that if they can avoid having people remove their profiles people will continue to use their service for their next job search. I’m sorry, there is no way I want to trust them with that much personal information in the long run. I really wasn’t comfortable giving them the information when I was looking for a job.

Anyway, after about 15 minutes of searching through the website, I came across a FAQ that actually tells you how to delete your profile. You need to CALL them directly. This from a company that is pretty much entirely web based. The call center is (of course) in India, and when you manage to navigate through the multiple menu levels to talk to a real person, they still ask you if you’d like to just disable the account rather than delete it.

For those of you who may be googling for how to remove your info from Monster, just call their phone number, 1-800-MONSTER (1-800-666-7837). I think it’s appropriate that the first 3 digits of their # are 666.

CareerBuilder.com is next on my list. If things are as tough there as they were on Monster, I’m sure another post will be out this afternoon.

Vending Machine Economics

Tuesday, March 13th, 2007

I wonder if anyone has done a study regarding the total dollar sales per customer based on the price of complementary objects in vending machines. I ask this because the vending machine downstairs sells gum for $0.55. Now if we can overlook the fact that you’re totally getting screwed by that price to begin with (at Sam’s it comes to under $0.25 per pack), you’ll notice something curious. Assuming that I pay with a dollar bill, I will be left with $0.45 in change. That’s less than the cost of the smallest item in the machine. If I’m going to make another purchase in the machine, I have to break another dollar bill.

Everyone is familiar with the idea of keeping prices just below the next big cutoff value. Psychologically, we perceive things as cheaper because we tend to forget about the digits that aren’t in the most significant place. That’s why you see prices like $9,999.95 instead of $10,000.00. Five cents doesn’t really change the price, but it can change our perception when we look at it.

Anyway, to get back on topic, breaking a dollar is a significant cutoff. That’s a major purchase decision. Getting rid of the change in my pocket isn’t. So if the price of gum were, say, $0.50 instead of $0.55, I bet I’d be a lot more likely to buy $1.00 of stuff in the vending machine instead of $0.55. Kind of makes it silly for the vending machine companies to be greedy for that last $0.05.

The security is scaring me

Sunday, February 4th, 2007

I’ve had the privilege (?) of activating a couple of credit cards and changing my account information over the last few days, and I must say, it’s freaking me out. You get the credit card with a sticker on the front that says to call a number to activate the credit card. All well and good. So I call the number, and after a short greeting (“Thank you for calling XYZ credit…”) it asks me to enter or say my 16-digit account number.

Ok, now I’m not a hacking or social engineering genius here, but John Technophobe could come up with the idea of purchasing 1-800 numbers that are just common dialing mistakes away from the credit card phone number. Then all you’d have to do is sit by the phone all day, pick up, ask people for their account numbers, then head off to the Bahamas. And it gets better. When people think they are talking to their bank or credit provider, they’ll pretty much hand over any information that’s requested without.

Phone: Social Security Number?

Me: 987-65-4323

Phone: Mother’s maiden name?

Me: Boitano

Phone: Childhood pet’s sexual orientation?

Me: straight…what!?!

During the course of my various phone calls, I was asked for all of the following information: account number, last 4 digits of SSN, home phone number, zip code, mother’s maiden name. With all that info, it would be VERY easy to impersonate me, and the individual on the other end never really did anything to authenticate themselves other than silently nod when I got the answers right.

What’s really needed is some mutual authentication. Many financial websites are moving to setups where they prove who they are before you completely prove who you are. For example, when I log into my brokerage account, they first ask me for my username. After that has been submitted they show me an image that I have selected, and if it’s what I expect, I enter my password and finish authentication. If I don’t see the right image, I know I’m not at the right site. Users should be leery whenever they enter their username and password on the same page. It’s easy to make a mistake when typing a web address.

Anyway, like I said, I’m not a security expert and I know work is being done to prevent phishing in web browsing. I just feel like I’m without any protection when I use the phone, and a lot of times I give away more personal information there than on a website.

This explains why my SNES is yellow

Saturday, January 13th, 2007

Apparently there are some discoloration issues with the old SNESes. It was a little shocking when I first got the unit from eBay. At this point, the more annoying fact is that there is some loose change rattling around inside the thing.

http://www.vintagecomputing.com/index.php/archives/189