Archive for the ‘Web’ Category

I guess I’m now a Mozilla core developer, too

Friday, July 23rd, 2010

About a month ago, I dived into the world of Mozilla add-on development by adopting the abandoned Thunderbird “Send Later” add-on and porting it to Thunderbird 3.1. The learning curve was pretty steep, and it took a lot more work than I expected to stabilize the add-on, but I think it was worth it, considering that in the two weeks since I released it, almost 2,000 people have downloaded it and at least 444 of them are using it.

Emboldened by that, I decided to take a stab at fixing two bugs in the core Thunderbird code that have been driving me crazy. That, too, required a steep learning curve, but in the end, I was able to submit fixes for two bugs, one quite old and one new in Thunderbird 3.1, affecting a whole bunch of people:

  • It was impossible to remove attachments from some MIME messages, including MIME messages generated by the Mac Mail client (Mozilla bug #351224). This bug has been reported by at least 30 different people and was first reported almost four years ago. Fixing it required rewriting pretty much an entire module of Thunderbird's C++ source code.
  • Thunderbird was incorrectly inserting a couple of extra spaces at the beginning of some sent email messages (Mozilla bug #564737). This bug was first reported just a few months ago and has already been reported by at least 56 different people. This bug is in the core code that is shared between all Mozilla applications, which means that the fix will impact Firefox, Seamonkey, etc. as well as Thunderbird.

Needless to say, there are other things I should have been working on when I got distracted by fixing these bugs. But I’d almost forgotten how rewarding it is to be able to contribute to open-source software in ways that benefit a lot of people.

Citizens Bank idiocy round-up

Thursday, June 24th, 2010

Citizens Bank has been particularly idiotic recently. Here’s the round-up of all the disappointments we’ve suffered at their hands…


Supposed SysAdmin & Network Security experts don’t know how to run a secure Web site

Friday, April 9th, 2010

Yesterday, I decided I wanted to unsubscribe from one of the e-newsletters published by SANS, which bills itself as, “the most trusted source for computer security training, certification and research.”

There were no instructions in the e-newsletter for how to unsubscribe, so I went to their Web site. It told me that I had to sign into my Portal account; the only problem is that I’ve never had a Portal account, and I subscribed to the SANS e-newsletters long before such a thing existed.  I figured that perhaps they auto-created an account for me at some point, so I gave the site my email address and told it that I’d forgotten my password.  It claimed to have mailed password reset instructions to me and told me that I had to follow them within two hours, but over ten minutes later, they still hadn’t arrived.

Thinking that perhaps I could register my email address for a Portal account and would then “inherit” any legacy subscriptions under that email address, I tried registering.  It rejected my registration form, telling me that I needed to enter a valid email address.   I couldn’t tell whether it was rejecting the form because the email I entered was already in its database, or because it incorrectly believed that “jik@kamens.brookline.ma.us” was not a valid address (a lot of Web sites can’t seem to handle the idea that “kamens.brookline.ma.us” is a valid email domain).
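The registration failure described above is a familiar one: a site validates e-mail addresses with a pattern that only accepts one domain label plus a two- or three-letter TLD, so a perfectly deliverable address under a multi-label domain is rejected. The following is an added example, not SANS's code, that puts such a naive pattern beside a check enforcing only what mail delivery itself requires; the regular expressions, length limits and the function names are assumptions for illustration.

```python
import re

# A pattern of the kind many registration forms use: exactly one domain label,
# a dot, and a two- or three-letter TLD. It rejects every multi-label domain
# and every TLD longer than three letters.  (Assumed pattern, for illustration.)
NAIVE_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+\.[A-Za-z]{2,3}$")

# A check that enforces only what mail delivery itself requires: a non-empty
# local part, one "@", and a hostname of two or more dot-separated labels that
# start and end with a letter or digit and are at most 63 characters long.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = LABEL + r"(?:\." + LABEL + r")+"
EMAIL_RE = re.compile(r"^[^@\s]+@" + HOSTNAME + r"$")


def naive_is_valid(address: str) -> bool:
    """The over-strict check, kept only to show what it wrongly rejects."""
    return NAIVE_EMAIL_RE.fullmatch(address) is not None


def is_syntactically_valid(address: str) -> bool:
    """Syntax-only check; whether the mailbox exists is a separate question."""
    if len(address) > 254 or EMAIL_RE.fullmatch(address) is None:
        return False
    local, _, domain = address.rpartition("@")
    # RFC 5321 limits: 64 octets for the local part, 253 for the domain.
    return len(local) <= 64 and len(domain) <= 253


if __name__ == "__main__":
    # Constructed sample addresses; the first is the one from the post.
    for addr in ["jik@kamens.brookline.ma.us", "user@example.com",
                 "user@example.museum", "user@example"]:
        print(f"{addr:30} naive={naive_is_valid(addr)!s:5} "
              f"permissive={is_syntactically_valid(addr)}")
```

The permissive check still rejects a bare hostname such as `user@localhost`, since public registration forms have no use for single-label domains; relax `HOSTNAME` if an internal deployment needs them. The only reliable test of an address beyond syntax is to send it a confirmation message.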

At this point, I threw up my hands and sent them email describing everything that had happened and asking what the heck I should do.  I ended my email with, “The fact that you guys are supposedly experts at secure Web site design makes this rather ironic.”


New Massachusetts unemployment insurance employer Web site crashes and burns upon launch

Thursday, January 14th, 2010

(Simulblogged at universalhub.com.)

The Commonwealth of Massachusetts has a convoluted(*) unemployment insurance system, under which employers are required to make various quarterly and annual filings and quarterly payments involving at least two different state agencies.

This system is administered by the Department of Unemployment Assistance (DUA), who decided to replace their old, paper-based system with a Web-based system called QUEST (“Quality Unemployment System Transformation”). The DUA promised QUEST would bring countless improvements: one-stop shopping, filings for all agencies in one place, faster filings, less wasted paper, reduced printing and postage costs, reduced data entry costs, no more data transcription errors, etc., etc. You’ve no doubt heard it all before.

QUEST went live at the beginning of 2010. As of the go-live date, the usage of QUEST for all employer unemployment insurance transactions was mandatory; paper filings were no longer permitted. I.e., the DUA went straight from paper filings only to on-line filings only, with no transition period or overlap.(**)

It would be an understatement to say that the QUEST go-live is not going well; in fact, it is a disaster.

Sears violates CAN-SPAM act

Wednesday, December 9th, 2009

Today, I received a commercial email message from Sears Home Services, a.k.a., Sears Holdings Corporation.  They got my email address when I made a service appointment through their Web site, which I subsequently canceled when it became clear that they were going to charge me more than a local repairman.

The email message contained no instructions for opting out of future commercial email messages.  This is a clear and direct violation of the Federal CAN-SPAM act (see requirement 5 in The FTC’s CAN-SPAM Act Compliance Guide for Business).

Here’s what the privacy policy on their Web site says:

Can I “Opt-Out” of Receiving Promotional E-mails?

From time to time, we may send you e-mails with promotional offers if you opt-in to receiving such emails. If you would no longer like to receive e-mailed special event information, sales notifications or other promotional messages from this web site, you can unsubscribe from this site’s e-mail marketing list by following the unsubscribe link located at the bottom of each promotional e-mail. Your e-mail address will be removed from this site’s email marketing list within 10 days.

Therefore, in addition to violating the CAN-SPAM Act, they also violated their own published privacy policy.

Their Web site claims that registered users can edit settings on the site to tell Sears “whether you wish to receive e-mail about special sales, promotions and other events.”  So I registered on the site, using the same email address they spammed me on.  When I looked at my profile after registering, it said that I’m not subscribed to receive any email from them.  Nice!

There are no instructions in their privacy policy for how to notify them about violations.

I’ve submitted a complaint to the FTC as well as submitted a complaint to Sears through their Web site.  We’ll see what comes of it.

This is one of several reasons why I won’t be letting anyone from Sears into my house to repair my appliances.

Bye bye Chase!

Thursday, November 19th, 2009

Recall my recent letter to Chase, which ended:

As I see it, you have three options for what to do now:

  1. You can throw my letter in the trash. Result: I close my Chase account and get a new card from someone else.
  2. You can send me a useless, boilerplate response that does not address any of my concerns, and then throw my letter in the trash. Result: I close my Chase account and get a new card from someone else.
  3. You can use my letter to help you identify opportunities for improvement within your company and take advantage of those opportunities, and then send me a substantive response describing what you’ve done in real, concrete terms. Result: You restore my confidence and I stay a Chase customer.

So, what’s it going to be? I suggest you take a look at how much money you’ve made from the nearly $100,000 I’ve charged on my card in the past three years before you decide.

Apparently they’ve chosen option 2.  Today, I applied for a new Citizens Bank Platinum MasterCard with 3% cash back on gas purchases and 1% cash back on everything else.  Once my new Citizens card arrives, I will be closing my Chase account.  I’ve also sent hard copies of this blog entry to the woman who wrote to me and to the Vice President to whom she carbon-copied her response.

The following is the text of the letter I received from Chase today, with some commentary:

The Consumerist jumps the shark

Thursday, November 19th, 2009

I’ve been subscribed to The Consumerist since Continental lost my daughter last summer and The Consumerist picked up the story.  I was impressed by their reach and by the quality of stories that they ran.

Unfortunately, two or three months after I started reading them, the quality seemed to start going down.  There were a lot more stories that seemed frivolous or where it seemed like a big deal was being made out of something that wasn’t.  Furthermore, there were several instances where I sent them tips about stories which were far more relevant than some of the trivialities they were running, and they chose not to run them.

Then they started ending most postings with questions to spur discussion, a transparent tactic for increasing page hits on the site.  That’s all well and good, but when combined with the fact that they also started regularly running promotional blurbs for content published by Consumer Reports, which recently purchased them, it became clear what’s going on.

All of this came to a head for me when they ran an item entitled “AT&T Rep Wants To Die”, which purported to be a transcript of a chat between a customer and AT&T in which the customer at one point commented sardonically, “i’ll just hang myself,” to which the CSR allegedly responded, “Right behind you”.  The Consumerist thought this was funny and posted it with the comment, “Morale is low aboard the Deathstar.”

This would, perhaps, have been just a bit of harmless fun if it hadn’t turned out that the customer who forwarded the conversation to The Consumerist actually doctored it.  They ran a correction from an AT&T representative in an article entitled “AT&T Says Their Rep Doesn’t Want To Die”, at the bottom of which they said (emphasis added):

PR guy misses the point. The chat transcript was funny. It doesn’t matter if it was “true,” it spoke the truth.

Um, sorry, Consumerist, but it does “matter if it was true.”  With that comment, my subscription to The Consumerist is at an end.  Thanks, guys, for giving me back a little free time in my life.

WordPress inadvertent disclosure bug

Tuesday, October 6th, 2009

As I previously wrote, I recently had to change my password on over 300 Web sites because my default “medium-security password” was compromised.  The compromise was caused by a bug in the WordPress blogging platform which can result in inadvertent disclosure of information when content is pasted into the WYSIWYG text editor built into WordPress.

In a nutshell, sometimes when you paste text into the editor, the editor inserts an invisible copy of the pasted text.  You won’t see the invisible text at all in the editor; it’s visible in the HTML view, but WordPress users often post without ever looking at the HTML view (that is, after all, the whole point of the editor).  Even if you do look at the HTML, you probably won’t notice the hidden text block unless you know to look for it, which most people obviously don’t.  It is not clear whether this invisible copy is inserted in addition to a visible copy of the same text, or whether it’s inserted instead of the visible copy you intended.

Although the text is not visible in the editor, it is in the HTML, which means that when you publish your blog entry, the hidden text goes along with it.  Search engines will happily index it and even show you snippets from it in search results if you search for a keyword that’s found in the hidden text.  Furthermore, syndicators of your blog that strip out HTML style attributes (including, e.g., the feed syndicator at LiveJournal.com) will render the previously invisible text for the world to see.
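Because the hidden copy is ordinary HTML carrying an inline style, it can be found mechanically before publishing, and the syndication problem can be reproduced by doing what such a syndicator does: dropping the `style` attributes. The following is an added example, not WordPress's code or the author's, built on Python's standard-library HTML parser. The sample post, the `s3cret-example` string, and the function names are constructed for illustration; the scanner treats `display:none` and `visibility:hidden` as the hiding styles, an assumption that covers the common case but not every way CSS can hide text.

```python
import re
from html.parser import HTMLParser

# Inline styles that make an element invisible in a browser (assumed set).
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Elements that never have a closing tag; skipped so the open-tag stack stays aligned.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "track", "wbr"}


class HiddenTextFinder(HTMLParser):
    """Separate text inside hidden elements from text a reader actually sees."""

    def __init__(self):
        super().__init__()
        self._hidden_stack = []   # one entry per open element: is it hidden?
        self._hidden_depth = 0    # how many enclosing elements are hidden
        self.hidden = []          # text chunks that would be published unseen
        self.visible = []         # text chunks the author sees in the editor

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        is_hidden = HIDDEN_STYLE_RE.search(style) is not None
        self._hidden_stack.append(is_hidden)
        if is_hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._hidden_stack:
            return
        if self._hidden_stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        text = " ".join(data.split())   # collapse whitespace, drop empty runs
        if text:
            (self.hidden if self._hidden_depth else self.visible).append(text)


def find_hidden_text(html):
    """Return (hidden_chunks, visible_chunks) for a fragment of post HTML."""
    parser = HiddenTextFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden, parser.visible


def strip_style_attributes(html):
    """Emulate a syndicator that drops inline style attributes before rendering."""
    return re.sub(r'\s+style\s*=\s*(?:"[^"]*"|\'[^\']*\')', "", html, flags=re.I)


# Constructed sample shaped like the bug described: a visible paragraph plus a
# hidden copy of pasted text that the author never saw in the WYSIWYG editor.
SAMPLE_POST = """<p>Here is the note I wanted to share.</p>
<div style="display: none; position: absolute;">Pasted from my notes: password s3cret-example</div>
<p>That is all.</p>"""

if __name__ == "__main__":
    hidden, visible = find_hidden_text(SAMPLE_POST)
    print("hidden in the editor but published:", hidden)
    _, after_syndication = find_hidden_text(strip_style_attributes(SAMPLE_POST))
    print("what a style-stripping syndicator renders:", after_syndication)
```

Run `find_hidden_text` over a post's HTML before publishing; a non-empty first result is exactly the block the editor would not show you. The second run shows why search engines and style-stripping feed readers expose it: once the `style` attribute is gone, nothing distinguishes the pasted copy from the rest of the post.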


Password security hall of shame

Tuesday, September 29th, 2009

As I wrote earlier today, I just changed my password on over 300 Web sites. In the process, I encountered a large number of sites which simply don’t know how to do password security properly. Some of these sites are operated by major corporations which are entrusted by their users with confidential and sensitive personal information — names, addresses, telephone numbers, birthdays, credit-card numbers, etc. It is truly frightening that these corporations fail to properly secure their users’ passwords, and therefore fail to properly secure their users’ personal information.

I am posting this article to highlight the weaknesses I discovered, to shame these sites, with the hope that doing so might perhaps push some of them just a little bit closer to doing the right thing. I am also posting this article to let people know of sites they should be careful about using.

If you know of other sites which don’t secure their users’ passwords properly, please post about them in comments here and I’ll add them to the article!

And so, without further ado, I give you…

Why I just spent three days changing my passwords on over 300 Web sites

Tuesday, September 29th, 2009

“Hi, my name is jik, and I’m a password reuser.”

“Hi, jik!”

If there isn’t a “Password Reusers Anonymous”, there probably should be.

By “password reuse,” I mean using the same password over and over on multiple Web sites.  It’s a really bad idea, and I should know that better than most, since I’ve worked on and off in the field of computer security for over two decades.

It’s a bad idea because lots of Web sites don’t protect passwords like they’re supposed to.  A properly designed Web site doesn’t store your actual password; only a cryptographic hash of the password is kept.  However, there are all too many Web sites which do keep your actual password, and so if you use the same password on multiple sites, you make yourself vulnerable in several ways:
  1. Operators of a bad Web site could use users’ passwords to log on to other sites where the users have accounts.  If you think this would never happen, take a look at how many credit-card skimming operations are perpetrated by store owners, waiters, etc. (including this one, which I personally got snared in through the use of my corporate AmEx card).
  2. An operator of the site could sell its database of email addresses and passwords to hackers, who could then use them to make large-scale attempts to break into accounts on other sites.
  3. Even without the cooperation of the Web site’s operators, a hacker could break into the site, steal the account database, and use it as described above.
  4. Many of these Web sites will email your password to your email account if you tell the site that you’ve forgotten it.  If someone breaks into your email account, they can look at old messages to see what sites you have accounts at, tell one of those sites to email your password, and then use that password to log into the other sites you’ve used.
  5. If you are the kind of person who has to worry about keeping things private from family members, the problem above is even worse, since they can look in your browser history, not just old messages in your mailbox, to find out what sites you’ve visited and may have accounts at.

But the biggest problem by far, which dwarfs all the problems listed above, is: If your password is somehow compromised, then you need to change it on every Web site on which you’ve used it.
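What "only a cryptographic hash of the password is kept" means in practice, and what it does and does not buy you, is easiest to see in code. The following is an added example, not code from any site mentioned in this post, using salted PBKDF2-HMAC-SHA256 from Python's standard library. The record format, the iteration count and the sample passwords are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor (assumed value for illustration; tune to your hardware).
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    This record is all a properly designed site keeps.  The password itself is
    never stored, so the site cannot e-mail it back on a "forgot password"
    request and it cannot be read out of a stolen account database.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        alg, iterations, salt_b64, hash_b64 = record.split("$")
        if alg != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iters = int(iterations)
    except (ValueError, TypeError):
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(dk, expected)


def offline_guess(record: str, guesses) -> Optional[str]:
    """What an attacker holding a stolen hashed database can still do: guess.

    Hashing does not rescue a weak or reused password; it only makes each
    guess cost one PBKDF2 computation instead of being free.
    """
    for guess in guesses:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed demo: the same password registered at two different sites.
    site_a = hash_password("same-everywhere")
    site_b = hash_password("same-everywhere")
    print("records differ despite identical password:", site_a != site_b)
    print("login still works:", verify_password("same-everywhere", site_a))
    stolen = hash_password("password123")
    print("cracked from stolen DB:", offline_guess(stolen, ["letmein", "password123", "qwerty"]))
```

The per-user salt is why two sites holding the same password end up with unrelated records, so a database stolen from one cannot simply be matched against another. The `offline_guess` routine is the caveat: a hashed database still lets an attacker test candidate passwords at leisure, so hashing limits the damage of a breach but does not excuse reusing a guessable password.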

If using the same password on multiple Web sites is such a bad idea, then why do so many people do it?  Simply put, because it’s easier to remember one password than it is to create and remember hundreds of them.  And if you can’t remember them, then you need to write them all down on a list somewhere, and find a way to both keep the list secure and make it accessible whenever and wherever you need it.  There are some available tools to make this easier, but the best ones cost money, and not many people are savvy enough to go looking for tools to handle this sort of thing.

I fell into the password reuse trap years ago, when data breach incidents were few and far between and tools for managing passwords didn’t exist.  Old habits die hard, and I never broke this one.  And so, since last week, when the password I’ve been using as my standard third-party Web site password for well over a decade was compromised (I will post later about how it was compromised), I’ve had to spend every available moment changing my password on over 300 Web sites.  Believe me, it took a while.
