May 08, 2008

Great security!

From the manual for the Best Buy store brand of the DTV->Analog converter box:

bad security

Phew. Good thing I don't have to remember my password anymore....


August 31, 2007

More bad security: Dumb security questions

I recently created a new account with a company whose service is a hybrid of web-era scalability and accessibility combined with metered, nearly-instant access to a physical product... in other words, a site for which it's important that my account not be easily compromised, because someone somewhere could run up a bill for services I didn't personally get to use.

During the signup process, I got to the now-standard "Security Question" phase (though, they oddly call it a "Secret" question, even though they'll show it to anyone who pretends to be you having lost your password), and was amused to see this option. Here's what I saw:

Security Question

Yes, they're asking a question for which there are only 50 legitimate answers, which many individuals' friends will have a good chance at guessing correctly... and then they go one step further, and exclude 3 of the states (Ohio, Iowa and Utah are not 5 characters long).

Phew. Thank goodness Ohio (sure to trivially show up, in my case, on an appropriate web search) wasn't long enough, or I might've fallen for it! :)
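As an added illustration (not code from the original post), here is a small Python check that a signup form's designer could run over a candidate security question before shipping it: it applies the form's minimum-length rule to the list of possible answers, counts what survives, and converts that into bits of guessing entropy against a threshold. The list of 50 state names is constructed from public knowledge, and the 20-bit acceptance threshold and the free-text comparison are my assumptions, not anything the site stated.

```python
import math
from typing import Iterable

# Constructed input: the 50 US state names, i.e. every answer the
# "which state" question could legitimately have.
US_STATES = [
    "Alabama", "Alaska", "Arizona", "Arkansas", "California", "Colorado",
    "Connecticut", "Delaware", "Florida", "Georgia", "Hawaii", "Idaho",
    "Illinois", "Indiana", "Iowa", "Kansas", "Kentucky", "Louisiana",
    "Maine", "Maryland", "Massachusetts", "Michigan", "Minnesota",
    "Mississippi", "Missouri", "Montana", "Nebraska", "Nevada",
    "New Hampshire", "New Jersey", "New Mexico", "New York",
    "North Carolina", "North Dakota", "Ohio", "Oklahoma", "Oregon",
    "Pennsylvania", "Rhode Island", "South Carolina", "South Dakota",
    "Tennessee", "Texas", "Utah", "Vermont", "Virginia", "Washington",
    "West Virginia", "Wisconsin", "Wyoming",
]


def surviving_answers(candidates: Iterable[str], min_len: int) -> list[str]:
    """Answers the form will still accept after its minimum-length rule."""
    return [c for c in candidates if len(c) >= min_len]


def excluded_answers(candidates: Iterable[str], min_len: int) -> list[str]:
    """Answers the minimum-length rule throws away (e.g. Ohio, Iowa, Utah)."""
    return [c for c in candidates if len(c) < min_len]


def entropy_bits(n_answers: int) -> float:
    """Guessing entropy of a uniformly chosen answer from n_answers options."""
    return math.log2(n_answers) if n_answers > 0 else 0.0


def free_text_bits(min_len: int, alphabet_size: int) -> float:
    """Entropy the same minimum-length rule buys for a free-text answer,
    assuming each character is chosen uniformly from the alphabet."""
    return min_len * math.log2(alphabet_size)


def assess_question(candidates: Iterable[str], min_len: int,
                    min_bits: float = 20.0) -> dict:
    """Apply the form's rule to a fixed-vocabulary question and decide whether
    the surviving answer space is large enough to act as a reset credential.
    min_bits=20 (about a million answers) is an assumed policy threshold."""
    survivors = surviving_answers(candidates, min_len)
    bits = entropy_bits(len(survivors))
    return {
        "answers": len(survivors),
        "bits": round(bits, 2),
        "acceptable": bits >= min_bits,
    }


if __name__ == "__main__":
    verdict = assess_question(US_STATES, min_len=5)
    print("state question:", verdict)            # 47 answers, ~5.55 bits
    print("dropped by rule:", excluded_answers(US_STATES, 5))
    print("8-char free text:", round(free_text_bits(8, 26), 1), "bits")
```

The point the numbers make: a minimum-length rule adds entropy to a free-text answer but removes it from a fixed-vocabulary one, so the "5 characters" rule leaves 47 possible answers (about 5.5 bits), which no rate limit turns into a credential; a reset flow should reject such questions outright or refuse to rely on them alone.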


July 17, 2007

In the doghouse:

I've been tinkering lately with the service, which offers a SecurID-like service that's exposed as a web service. Pretty nifty. I guess I was going to miss the two-factor SecurID I have working at PARC, or something. More on that once I've got something fun working.

However, looking for other places to test things out, I noticed they have a partner, iamdentity. These people win my first DogHouse award (in the style of Bruce Schneier). When you get to their website, it's not 100% clear what service they even offer. How does a service which keeps an additional copy of your personal information safeguard it, exactly? I suppose single sign-on is useful, but....

So, I click on the "New Client? Click to apply for an iamdentity account" link, which takes me to a scary questionnaire to "assess my risk". It's riddled with typos and questions you can't really answer correctly.... After scary questions like "Have you ever been successful in ensuring all your personal data has been deleted after canceling a subscription?", and "How often do you familiarise yourself with a sites data protection and online security policy?", you get to click a button and get an answer. I'm pretty sure the best result you can get is:

Although you do spare a thought for personal information security, you are not doing enough and risk becoming the victim of an opportunistic fraudster.

You have taken some precausions to prevent your identity being stolen, but not all the holes are covered yet.

Of course, you're still offered the chance to apply for an account. In the following form, oddly, they ask you for a ton of personal information. Hrm, how are they protecting me, exactly? This form loads from a different domain than iamidentity, some mysterious "". You want me to trust my privacy to a company that's too cheap to even follow standard practices and register their own SSL cert? And I'm never once given control of the encryption key protecting my stored data (if, in fact, my stored data is encrypted at all, which I highly doubt).

Once done with the form, you get e-mailed a confirmation link, which includes your initial password. When you log in, they e-mail you again, this time with the session PIN. Apparently, they'll do this each time you sign in. I'm unconvinced how much this helps security, but it certainly does slow down the process, increasing the chance someone's going to ditch their service entirely.

Once logged in, you can see that they're trying to integrate with a small list of probably e-commerce sites. I guess they do do something, after all. I've heard of no one on the list, so there's no reason for the account, and the MyPW integration only comes if you pay MyPW $20/year for service on their token. Unfortunately, when I clicked on the "cancel account" link it led to an error message implying I'll have to contact support to cancel my account (but with no link, error number, or other details). Huh, wasn't one of their questions "Have you ever been successful in ensuring all your personal data has been deleted after cancelling a subscription?" Sure gonna be tricky this time. The initial e-mail links to a web page for support, but, when I go there, it says I have to e-mail for anything other than password or initial signup concerns. So, I do... leaving an ironic comment in the e-mail at the absurdity of this process from a company supposedly providing a user-information-management solution.

... and nothing happened. I made the request to cancel my account nearly 2 weeks ago, and yet, my account still exists. No response to my e-mail was received.

Stay far far away from these snake oil salesmen.

Update: Sheesh. One of my other problems with this site is that, at least for me, it's cognitively difficult to spell their domain. I, for some reason, easily type iamidentity, when it's just plain imdentity. They could have at least registered the common typo domain and redirected. sigh


June 22, 2005

Worst... UI trick.. EVAR!

Just browsing around looking at alternate-energy transit. Ran across this site, and got tripped up on this page, which ostensibly shows a bunch of examples of fun technology. Actually, it’s a great example of a really cruddy UI trick.

So many things wrong here, but I’ll give a quick list.

  • Nothing visually cues you to the fact that this is anything other than a normal header/link list, until you try using it.
  • Things move way too fast.
  • Unlike the normal “move your mouse to where you see the target you want to click” motif, this system rushes the link to your mouse. Of course, the speed of such a move is dependent on the number of items. Under the “vehicles” tab, that motion is very fast, making it difficult to click on anything. On the “gadgets” tab, it actually zooms the links away from your mouse.
  • The behavior of the scrolling is different depending on whether you’re mousing over, mousing around under the list, or mousing around above the links. In two of the cases, the mouse tracks, in the third, there’s no motion at all until the mouse enters the box. Try, for instance, choosing a link when your mouse starts above the list of links.
  • The way it’s implemented, there’s no way to do deep linking. There’s a lot of content there, but it’s very difficult to send to anyone else, without a half paragraph of explanation of what to click on, when, and where.


August 10, 2004

Guest Blog: The FDA on BSE

Hi again, everyone,

So, by virtue of my university affiliation, I was able to attend a seminar last week given by none other than Lester Crawford (DVM, PhD), the acting commissioner of the FDA. The title of the seminar was “BSE AND BEYOND -- HOW THE U.S. GOVERNMENT IS TACKLING SOME OF TODAY'S BIGGEST HEALTH THREATS.”

I should state that though he had intended to talk about bioterrorism as well, due to copious pointed questions during his BSE (bovine spongiform encephalopathy) section, he ran out of time… actually, ran over by about 15 minutes. This should tell you, before I even get started, that he wasn’t very good at adequately answering questions. If you don’t want to read any farther in this post, the take-home message is that I am in no way reassured about the state of beef in this country after this seminar, and am possibly even more worried by Dr. Crawford’s apparent inability to give straight answers to a group of 40 or so scientists.

For those reading who don’t know, I gave up eating beef shortly after the first American mad cow was identified back in December 2003. What follows is the story of the seminar.


June 17, 2004

Who needs Longhorn?

Alright, I admit it, I haven't followed Longhorn's feature map. I'm referring to the supposed "search everything" metaphor that they're planning to introduce.

However, quite without intending to, I'm already mostly there. Many of you may know that my primary machine is an Apple Powerbook (12", the better to fit into my bag...). I've used several tools on it that bring search into my everyday use, and they're all really cool.

The first, now deprecated, was called Another Launcher, now known as Butler. This is a handy little Mac OS X tool which lets you set keyboard shortcuts to launch just about anything (bookmarks, apps, I think even contacts). But the defining feature was the ability to set a keyboard shortcut that would search its list of stuff. It's pretty easy (probably the default, I forget) for all applications in the normal places to be automatically included in this list.

I quickly stopped using the mouse to launch apps. Instead, I typed Cmd-Space, and typed part of the app's name, then enter. It did partial matches, and generally found the right thing. Need Mail? 5 or 6 keypresses, of the easiest non-finger-bending variety would get it for you. Same with Safari, or, more importantly, any of the 20-30 apps I use less than once a day, but still want to have easy access to. And no training myself how to launch each - just the one keystroke needs memorizing.

I used Another Launcher for a long time with happiness, until I ran across a review of QuickSilver. The version I have, apparently an older version than is being tested right now, is still a little green around the corners. But it still takes search up a level. I have it set to index pretty much my entire home directory (well, like 3-levels from home, which is good enough), and all of the sources of bookmarks and applications that I have set up on the machine. It also happens to support reading the Mac OS X address book, among other stuff. Same Cmd-Space assigned to it... Butler had to take a secondary keystroke, 'cause it wasn't as flexible. But, now, I can type part of any document name, application, folder, control panel, etc. and it comes up. I no longer need to know where anything actually is, spatially or otherwise, to get it up on the screen.

This might not be for everyone, but I heavily multitask. And I still plan to organize my documents into useful hierarchies for browsing. But I'll do that once, when I first save the document. From then on, I'll search for my active documents (ones recent enough that I remember what I called them), thank you very much. Browsing is slow, and mentally taxing, compared to instant-find.

Does anyone know about such tools for either KDE or Win32? I'd really like to bring the rest of my operating environments up to speed.

Caveats: Both of these tools only search metadata, which is perhaps less than Longhorn and similar technologies will provide. I imagine that such depth will be useful, but, since it implicitly increases the collision space for short queries, one of the charming elements of the use cases I describe above, I think it's going to need to be a secondary feature. What's lovely about QuickSilver is that, once you've used it a little (search results appear ordered somewhat based on which ones you've used before, if any), it returns a very relevant top-two to an extremely short query. Picking the right one is easy. If that relevance dropped even to top-5, I think its usefulness would drop significantly.

May 07, 2004

Misleading Business Practices?

Reader's Digest Sucks. First of all, Ticketmaster sucks. I've now asked to remove my e-mail address from their lists, oh, about 4 times. Twice using their automated opt-out links on the included e-mail... unselecting all options, and making sure to hit "Yes I'm sure" or the equivalent.

When I kept getting their annoying weekly spam, I wrote customer service. And got a polite reply that it'd been taken care of... well, yeah. Until the next week. Another message to customer service led to a "you have to wait 24-48 hours for things to take effect". I'm not sure they can do math, since it was over a week later. Nonetheless, I was assured I'd been removed from the list.

Except, I wasn't. I got another message today. A loose read of the CAN-SPAM Act suggests I might be due $25/incident. More if I could find a way to determine it was willful. Sheesh. Anyone else have this problem with Ticketmaster? It would, of course, be much easier to get them to fix their shoddy business practices if there were others willing to help push the issue.

This reminded me of another task I'd been meaning to deal with... J received this apparent invoice from Reader's Digest. If you didn't read it, you'd probably assume you'd requested a Reader's Digest subscription, and forgotten to pay for it. It's all over the place... FEE FOR SERVICE, PAYMENT WITH REPLY WOULD BE APPRECIATED. They even go to some trouble to fake a handwritten note (image on the left - it takes examining the paper very closely to discover this is a fake). Now, mind you, I don't think I've ever received a bill, especially not for $10, or for a magazine, with handwriting on it. But I'm sure it suckers some people.

A little unethical to send unrequested offers? No, this happens all the time. What's terrible here, and I'm sure obvious to anyone who's read in this far, is how hard they went to hide their intention behind a confusing enough exterior to perhaps catch a few people who don't think too hard when they're responding to bills. And, by making it only $10, how many people would think twice if they didn't smell a rat right off the bat?

I guess the one thing it does show is that it can be fun to read junk mail. Can you believe this passes for a reasonable business practice? Sheesh.

April 18, 2004

Gmail "archive = delete" followups

Sounds like I need to better defend my position that "archive" = "delete" on Gmail.

First of all, the full translation of what I meant to say, but was apparently not getting across:

"archive" on Gmail is the same as "delete" on pre-Gmail e-mail systems.

At least, that's how it is for me. I've got nearly every message I've received in my personal e-mail since the fall of 1996. A simple procmail rule has created a monthly backup of inbound mail through my Linux server ever since I discovered I could. Even in 1996, disk space was so cheap that it didn't make sense to throw mail away. This has saved my butt dozens of times, when finding proof that someone made a promise, serial numbers of web-registered software, or just, generally, e-mail that I deleted.

The workflow was simple. My inbox was mail that I still cared to read, or remember I had to react to. A sort of todo-list of active discussions and items. When I was done with something, I deleted it from my inbox, totally assured that I still had a copy of it in my backup folders. If the message clung to some sort of theme or contact thread (in my case, groups by friend/family/work, and subgroups for each meme or person, depending on how general the discussion was), then I'd file the messages appropriately instead of deleting them. One of my coworkers has nearly every message she's received in 3.5 years of working here in her Inbox, for the opposite reason. If she deletes something, she might not be able to find it when she needs it. I just choose to use the "out of sight, out of mind" approach. She uses search a lot more than I do, I suspect.

(For those comparing how useful Gmail will be, my mail archives currently occupy 1428 megs of disk space, of which 812 is the inbound stuff, and 6 are sent mail. Or, in other words, I'd have about 818 megs of my Gmail account in use, had I gotten it in 1996. So, I expect Gmail will have an 8-15 year lifetime for me, at its current offered capacity).

Alright, so, why'd I say "archive"="delete"? 'cause that's what I do right now, and that's exactly the translation that is happening as I use Gmail more and more. When I'm through with a Gmail conversation, I hit "archive", just like the handy little Gmail getting started guide tells you to. It just so happens, and the reason I was commenting, was that the "y" key, an apparently overloaded "archive/remove label" key, does exactly this, modulo the ability to apply several labels to a message. In effect, it does exactly the same thing as delete does on my current folders, assuming I ever copied a message to multiple folders, instead of moving it to one specific one.

So, yes, "archive"="delete". Gmail doesn't want you to ever delete a message, so you're supposed to shift your mindset to "archiving" mail that you want out of your attention threshold. If I'm in a label's conversation list, probably populated mostly by a Gmail filter, and I hit "y" while reading a conversation, it gets "deleted". Just like my existing e-mail system, it's not gone, merely forgotten. That's the way Gmail's designers assume you're going to use it, and that's exactly my point.

I've been using an inferior pre-pre-beta of a Gmail system for 8 years, and I have to retrain myself to use the beta release.

January 14, 2003

A Proposed Web Bug-based Micropayment Model

Use the dreaded web bug for good, not evil. Librenix has the story. This system would have tiny overhead for each micropayment. The web bug plus the code and cookies could be as small as a few hundred bytes, perhaps less than 1 percent of the size of the typical web page. All of the actual micropayment would be automated, lowering the overhead cost for the micropayment to a properly micro amount. My guess, based only on the costs of online advertising, is that payments under a cent would be viable with this method. Note: Original author, come forth, and claim your user name, now that user logins should be good again.

January 25, 2002

Verisign using questionable tactics?

We host an OpenSRS register ( Most of my observations come from me trying to deal with Verisign in that capacity, although I have spoken with several other registrars and they are seeing these same tactics. Note: Yet another story in the chronicles of commercialization gone wrong. Verisign has always bugged me for their business practices. This diatribe just adds to the list of things they do wrong.


November 20, 2001

Why Overlays are Cool

I recently discovered a very cool feature in Winamp, that exploits overlays in the Win API. Winamp allows you to overlay a visualization onto any color in your system. If you set the overlay color to the color of your desktop, you get the Winamp visualization on your desktop! Try it out, it's super cool, gives you a nice soothing animated desktop that jumps to your music.

November 04, 2001

XML to the rescue!

It seems that XML technology is developing quite well. I have been tracking the development of the Apache XML projects and MS's XML modules, and it seems like everyone is actually following standards. *shock* I believe in the standard so much, I have actually moved my entire webpage to XML. By the way, Slashdot supports XML and RDF formats.

May 10, 2001

ASP, Perl, or PHP?

These days, there seems to be a lot of infighting in the web site development community. The young geeks scream PHP, the old geeks like Perl, and the people who get sleep at night love ASP. While there is no need for an agreement, because these are all server side, it does show a deeper part of our geek community. Note: Warning. Inflammatory development religion-speak inside. You've been warned.


April 23, 2001

"What? You... a geek?"

The American mind has been convinced that you are a geek by your outward appearance. I say, "Poo on you" to those people. I only recently was faced with the reality that no one except geeks really understands what it is all about. Note: (More follows)


March 03, 2001

Knowledge transfer in Computer Science, Grade F.

Computer Science as a field really needs to get organized. There is lots of research and information discovery that happens every day, but that knowledge is not being transferred properly. Many of the papers written are hard to understand and even harder to code.


February 14, 2001

Transparent Windows, good or bad?

If you know what Litestep is, chances are you have seen those screen shots where some of the windows are transparent. Now that Windows 2000 comes standard with that feature, everyone can have their own transparent windows: transparent taskbar, Netscape, ICQ, you-name-it-we-can-do-it. Is this really a good thing? I don't want to look at my desktop while I am editing my homework. I don't want a chaotic desktop. Then again, I wrote the first transparent plug-in for Winamp. What can I say... :) It's cool.
Note: Chime in, folks. Transparent (yes, there'll always be overhead), or plain-old overlaid windows? Do you need that Winamp transparency plugin? Grab it here

February 12, 2001

What is a She-Geek?

What is a she-geek? The simplest answer would be that a she-geek is a geek who happens to be female. The creator of this page has a very nice definition of the word "geek" on the main page of this web site, so there is no need to go into that. One might think that the female part of the word is also fairly obvious. In some ways, it is. But as with everything else, being female carries more distinctions with it than what part of the store you shop for clothes in. Some of the distinctions are fairly obvious, as when I'm the only person in the machine shop who has to make sure that my hair is pulled back so it won't get caught in something, and others are more subtle. It's the subtleties that get you every time. Note: The rest of the article is inside
