A Special Message For Tickets.com

2013-03-28 21:14:14 by chort

After spending 15 unsuccessful minutes doing battle with their website and infuriating phone menu, I sent an email to customerhelp@tickets.com in a last-ditch effort to actually be able to spend money on them.

I have to complain about the huge waste of time to walk through the annoying, automated phone menu with no hope of talking to a human. It's ridiculous for the synthetic voice to have a name, and it's patronizing for the message to claim "I found the seat you're looking for" when the only piece of information I supplied was a price. I was never given an option to select a section, side of the stadium, deck level, etc. How does your ignorant system determine that the seat it chose is one I'll enjoy sitting in? If your phone system was designed to piss people off, your product folks have done an outstanding job. If instead, they were trying to design a system that people would enjoy using and that would actually help them find what they wanted, perhaps you should actually use human beings who can listen and understand.

PS charging me an $8 "convenience fee" for using your phone menu must be one of these ironic hipster jokes I hear so much about.

Arrogant Anti-virus Doesn't Appreciate Your Choices

2013-03-15 08:00:35 by chort

I'm all for having safe defaults in security software, i.e. erring on the side of turning on protection, and leaving it up to the user to disable it if they feel it's too restrictive. Recently I had an experience with a particular anti-virus program that went well beyond this. Every time I turned my head, the program had overridden my choices.

Read the rest of this story...

The Farce of Hardening Guides

2012-11-05 07:37:35 by chort

Today I was directed to a blog post from VMware that discloses a leak of ESX source code. What struck me wasn't the leak itself, but the mention of security hardening guides. This isn't unique to VMware. Just about every enterprise IT vendor has hardening guides or knowledge base articles for how to take the default configuration, apply a bunch of changes, and make it more secure. This prompted me to muse about some ideal future where vendors instead post "softening guides" for the rare customer who wants to downgrade the default, highly-secure configuration.

Isn't that just wishful thinking on my part? Isn't it a good thing that vendors make the effort to create and publish hardening guides? I'll tell you why I think hardening guides are fundamentally dishonest and customers should demand better.

Read the rest of this story...

Don't Believe The Internet

2012-09-06 09:32:21 by chort

This week the Internet was abuzz with "news" of AntiSec leaking a list of Apple UDIDs and attributing it to an FBI agent. Other hackers claimed to have hacked Mitt Romney's tax returns. Both stories delighted critics of Apple, the FBI, and Mitt Romney respectively and quickly spread like wildfire on social media. The problem is, it's unlikely either of them is true. Even worse, while pointing out the dangers of repeating unproven claims, I fell for one myself.

Read the rest of this story...

Linux on the desktop sucks and always will

2012-07-01 21:35:54 by chort

Forgive me dear readers, I'm in something of a rage. You see the upcoming release of oclHashcat requires GLIBC 2.14, which for Ubuntu users means an upgrade to 12.04 is necessary. If you're anything like me, you dread the inevitable disruptions of an OS upgrade, but nothing could have prepared me for the horror.

This ordeal has reminded me of why I believe "Linux on the desktop" will never happen. Linux projects simply don't focus talent on the critical problems. When engineers design things, they expect users to act like engineers, and that's only the beginning of the problems.

Read the rest of this story...

Hey secure.onlineticketorders.com, your website makes me nervous

2011-06-24 16:27:04 by chort

Don't you just love those sites that try to make you feel "extra safe" by putting padlock images on everything, even the "next" button?

Read the rest of this story...

US Populace Doesn't Understand Satire

2011-03-07 14:00:44 by chort

I've been noticing a trend lately. The people participating in online "communities" these days are so blinded by the perceived inherent rightness of their beliefs that they are unable to see how their opinions are viewed by others.

This first struck me in an obvious way as I wasted a perfectly good night on Youtube a few weeks ago. I got sucked into The Key of Awesome. It's a Youtube channel that parodies pop music (fairly well, in my opinion). The creator often reads feedback on camera, most of which is facepalm-inducing. Most of the criticism goes along the lines of "dear so-and-so, I really love most of your videos, but the one about [my favorite artist] was totally ignorant! [my favorite artist] is awesome, and the fact that you made fun of them shows you don't understand their genius!"

What the hell is wrong with these people that they think any artist could be so perfect as to transcend criticism, or even caricature? They apparently have no concept of the difference between an opinion and a fact. Aside from that, if you can't even chuckle when someone adeptly roasts your idol, you have some real insecurity issues.

Another example of this can be seen in the Retarded Emails section of The Oatmeal comic. Apparently you can pick any arbitrary topic as the basis for your comedy and people will hate you for it, regardless of the obvious lack of seriousness.

This all makes me think: The massive push in the last 20 years to value self-esteem over any objective measure of merit has convinced each kid that their opinions are the only thing in the world that matters, utterly oblivious that every other human being in the world also has an opinion. We need to be teaching kids how to objectively evaluate themselves in the context of the world around them, or we are in for a future that makes Charlie Sheen look like a thoughtful critical-thinker.

Unauthenticated SSL Sends a Dangerous Message

2011-03-05 16:45:30 by chort

Recently I decided to write an application for Twitter to report changes in my friends and followers. As part of the process I went looking for a pre-built library of methods that I could use to interact with the Twitter API. I settled on python-twitter as an actively-developed solution that should keep up with changes to the API.

Due to Twitter's rocky past with SSL/TLS (henceforth simply SSL) support on their web interface, I decided it would be prudent to investigate whether their API used SSL. It turns out that it does, and it has a properly signed certificate. Then I looked at python-twitter to see if it had an option to connect over SSL, and was pleased to notice that it does by default. On a hunch I checked out the underlying library that python-twitter is using to make HTTP requests, and I was shocked at what I found.

Read the rest of this story...
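The check the post above is doing by hand, as an added example (not code from the post, from python-twitter, or from the HTTP library beneath it): a small audit of whether a Python TLS client context actually authenticates the server. "Unauthenticated SSL" means the socket is encrypted but nothing checks who holds the other end, so any certificate, signed by anyone, for any name, is accepted and an active attacker in the path reads and rewrites everything while the padlock stays lit. The three context constructors are constructed for illustration; the audit itself uses only the standard `ssl` module and makes no network connection.

```python
# Added example: audit whether an ssl.SSLContext authenticates its peer.
# Nothing here is python-twitter's own code; the three contexts below are
# constructed to show the unauthenticated, half-fixed and correct settings.
import ssl


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Return the three properties that together make a client authenticate its peer.

    verify_mode:    the chain must be signed by a CA we trust (CERT_REQUIRED)
    check_hostname: the leaf certificate must be issued for the host we asked for
    trust_anchors:  a CA store is actually loaded; CERT_REQUIRED with an empty
                    store fails every handshake (fail-closed) rather than
                    quietly accepting the wrong ones
    """
    return {
        "verify_mode": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": bool(ctx.check_hostname),
        "trust_anchors": ctx.cert_store_stats()["x509_ca"] > 0,
    }


def is_authenticated(ctx: ssl.SSLContext) -> bool:
    """True only when all three properties hold."""
    return all(audit_context(ctx).values())


def unauthenticated_context() -> ssl.SSLContext:
    """The failure mode the post is about: encrypt, never verify."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context() -> ssl.SSLContext:
    """A common half-fix: the CA signature is checked but the name is not, so a
    perfectly valid certificate for attacker.example is accepted for api.twitter.com."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def authenticated_context() -> ssl.SSLContext:
    """What a client library should hand you by default:
    CERT_REQUIRED, hostname checking, and the system CA store loaded."""
    return ssl.create_default_context()


if __name__ == "__main__":
    for name, ctx in [("unauthenticated", unauthenticated_context()),
                      ("chain-only", chain_only_context()),
                      ("authenticated", authenticated_context())]:
        print(f"{name:15s} {audit_context(ctx)}  ok={is_authenticated(ctx)}")
```

To apply this to a real library, find the `SSLContext` it builds (or the `ssl.wrap_socket`/`HTTPSConnection` call that implies one) and run `audit_context` on it before trusting the "https" in the URL. The `trust_anchors` check is deliberate: on a stripped-down host with no CA bundle installed, `create_default_context()` loads nothing and every verified handshake will fail, which is the correct outcome, but it is worth discovering in a test rather than in production. Note that before PEP 476 (Python 2.7.9 / 3.4.3) the standard library's own HTTPS connection did no certificate verification at all, which is the era this post was written in.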

Mandatory Use Means Your Product Sucks

2010-10-28 11:29:07 by chort

I was recently reading excerpts from an interview with Melinda Gates in the New York Times. What struck me is she forbade her children to have iPods when they asked, and instead offered Zunes. This is consistent with past articles I recall reading where Microsoft employees were criticized by supervisors for having iPods or iPhones.

It's easy to use the Microsoft examples, but I'm sure there are many others. Your initial reaction is probably along the lines of "how dare a company try to dictate what their employees use for personal entertainment", but really there is a more interesting aspect: What does it say about your products when you have to force your employees to use them?

Read the rest of this story...

Hard Work on Bad Design is not Commendable

2010-10-26 13:08:04 by chort

Recently I was talking with an executive about challenges they were having generating revenue from customers. The exec shared that they had some unprofitable customers, and most of the expense was in support. The problem was identified as the customers not having enough education on the product and/or not being smart enough to use it.

Since I have some experience with their product, I asked if the problem might be more due to the complexity of the product and the fact that even a training course isn't sufficient to make an administrator proficient with it. The exec admitted there are some complexities, but insisted they've been "working on it" and cited one example from long ago where they fixed a major usability issue. The exec then went on to point out how many hours the developers have been working and basically had a cheer-leading session for their efforts to roll-out new features.

Click here for the ranty bit.

Read the rest of this story...

Many security policies are a waste of time

2010-04-14 07:57:07 by chort

Ready for a shocker? A lot of the things your IT/Security department makes you do are stupid. According to Microsoft researcher Cormac Herley quoted in The Boston Globe, many "common sense" security practices are economically unwise. In plain English: You lose more money following a lot of security recommendations than you would by just letting the bad thing happen and dealing with the aftermath.

To continue, flip over the keyboard and read the sticky note...

Read the rest of this story...

Dear Apple: Please QA Parental Controls for OS X Apps

2010-04-13 20:12:06 by chort

As many people know, Apple introduced Parental Controls in Tiger. The current version in Snow Leopard allows administrators to block potentially inappropriate content, specific sites, and access to unapproved applications.

The first two work more or less how you would expect (although the error message when a site is blocked for content has been bewildering in my experience), but the application ACLs are a disaster. They prevent the application from being run if it's not approved for that user (in fact, with Simple Finder enabled you can't even see it), but it's when you try to allow a restricted user to access an application that the fun starts.

I haven't examined it in depth, but it appears that OS X adds some kind of wrapper or extended attribute to an application when you enable a restricted user to run it. The problem is that this extra layer is extremely invasive, and most of the apps I've tried to use it with simply crash. Not only do they crash for the restricted user, but they also crash for unrestricted users. It's demonstrably the Parental Controls that cause this problem, because if you Trash the app and reinstall it, leaving Parental Controls alone, the app will run fine for unrestricted users.

Parental Controls have been around since Tiger, and this problem existed for sure in Leopard (possibly Tiger, I forget when I started using the feature) and definitely still exists in Snow Leopard. So I have a simple question for Apple: Did you bother to QA this feature at all? I know I've submitted the automated reports at least a few times after OS X detected an app crash and it does include audit trail information showing that Parental Control attributes were changed for the app prior to it crashing.

You must be at least > < smart to work in IT, pt1

2010-03-31 15:17:25 by chort

Today has yielded a bumper-crop of FAIL from various organizations out there. Here is a sampling of the head-scratching stupidity.

Read the rest of this story...

Time for Apple to care about security

2010-03-25 14:59:39 by chort

Apple's operating system has long been considered a refuge for those sick of viruses and malware that plague Windows systems, but this reputation for safety has been widely misinterpreted to mean the design is safe. In fact, as has been widely recognized in the security community, it's the relative rarity of Apple machines on networks that simply makes them an economically uninteresting target.

Apple for their part have enthusiastically encouraged this misconception, and while they've benefited from the positive PR, they haven't actually taken the concept of safety to heart. Much like the corporation in Redmond that they delight so much in mocking, they seem determined to ignore security issues until they affect public perception.

Read on for the ownage ->

Read the rest of this story...

I really #$(*ing hate MacPorts now

2010-02-02 00:03:47 by chort

It took nearly 7 hours, that's right SEVEN HOURS to build the GIMP.app port (on a 2.33GHz C2D w/4GB RAM), which inexplicably included a full build of gcc4.3. Is that reeeeeeeeeeally necessary when 4.2.1 is included with Xcode? Did those 5 hours of my life have to be wasted? WHY WAS IT YOU COULDN'T JUST UPGRADE PERL???

That's not even the best part. The best part is it got all the way to the gimp-app port itself (after going through a quarter of a day worth of dependencies), and it failed. Yes, apparently there were incompatible functions, which were found three months ago! Diffs were uploaded 3 weeks ago, and 9 days ago instructions were posted for manually applying them, yet today the port was still broken when I tried to install it. Outstanding. Really nice work guys, seriously. Three months?

In case my warning didn't come in time and you actually tried to build this abomination, you need to go here for the solution. If you're even thinking about trying to install gimp-aDON't! There, it's like I just bought you enough time to say goodbye to half a dozen more relatives on your deathbed.