Why It is Stupid to Buy a SmartTV

There are no regulations concerning what information can and cannot be collected by smart devices, nor how that information is transmitted. This article from the BBC explains how LG's SmartTV sent the names of family members in clear text across the internet, something most people would be uncomfortable having publicly available.

Besides selling your private information to any advertiser or third party willing to pay for it, none of the vendors seem to have any way to prevent those third parties from passing it on to others (aside from legal clauses, which would be hard to prove were breached and lengthy to enforce). Nor is there any way to redact information once it has been released to third parties.

But this is only part of the threat to personal security, because it would be trivial for a person with the technical ability, or a warrant, to obtain any and all information collected by such devices. Smart devices, those with convenience features tied to internet connectivity, are trojan horses for violations of privacy far more invasive and covert than anything else, and they rely on consumer ignorance to operate unfettered:

http://www.bbc.com/news/blogs-echochambers-29826642

The only solutions are to never connect the devices to the internet, to block all of their traffic at the network level (for example with a firewall rule on your router, since the TV's own settings cannot be trusted to stay off), or not to purchase them at all.

Tech Crime & Punishment

In a recent article Sophos ran a poll asking what the appropriate sentence would be for tech-related fraud, such as a fake "Windows Support" call claiming you have a virus and asking for $300 to fix it over the phone. I have covered what to do with unsolicited phone calls before. The "short" answer: do not believe any claim of identity; ask for proof such as their employee ID number, the company they are representing (which they are often obligated to give you), the case number for your issue, and a callback number, then hang up. Look up the company's contact info yourself, make sure the company is on the up and up (has a physical address, check consumer complaints about the company, etc.), and call the official number with your case number if it all checks out. And never be afraid to get a second opinion: if a person tells you not to bother contacting someone else for a second opinion, or worse, discourages contacting a third party, it is a huge red flag.

Excuse the outlandishness of this idea; it is just an idea that needs further refinement. If you are extremely narrow-minded or think "nothing can change/nothing will help," please stop reading now, to avoid reading something that might upset you. You have been warned…


Email Worst Practices

I had to send this "support request" email today because of a seriously bad error in judgement when someone hit the send button. Seriously folks, this is 2014… have web companies and their employees learned nothing?

Hi,

This morning I got an email asking me to click a link embedded in the email to verify my email address as a condition of maintaining my *********

The email is worded exactly like a phishing attack: it requires fast compliance, threatens a disconnection of service, lacks a link to verify this policy anywhere, and is unsigned by anyone.

Someone in security who works there must be aware that most phishing attacks are carried out exactly this way, and that you should NEVER encourage a user to click a link in an unsolicited email, whether there is a legitimate reason or not, because of the bad precedent it sets.

Instead, you should give the user a one-time unique token and tell them to log in to their account and enter the token on their account page, to verify that the email was received and that they do in fact own the account. Not doing so would allow anyone with access to a client's email account to potentially hijack the account with your service.

If you disagree, then I will have to look for a more competent company to *********. Please escalate this email until it gets to a policy-maker who understands why this is "worst practice." If this does not happen, I might as well cancel my account, because it is only a matter of time before your customers or your client-facing DBs are hacked.

Thanks.

Just to clarify, the raw headers show it was sent from their mail server, and the message looks legitimate, but maybe someone hijacked that through a completely unrelated blunder. Anyway, the moral of the story is: do not click links in unsolicited emails. If this had been a password reset I requested, a two-factor auth thing, or even a newsletter I opted in to, those would be totally understandable, but in this case it was probably just bad form. To allow the company time to correct its policy (or regain control of its mail server) I have not mentioned exactly which web services company this is… but this is yet another case of sloppy work in the IT sector. And, as Danny Glover once said in a movie where he co-starred with a crazy guy, "I'm too old for this shit."*
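What the email above asks for, as an added example (this is not the original post's code, nor any vendor's implementation): a one-time code that is mailed out without a link and is accepted only on the account page of an already logged-in session. The storage, TTL (15 minutes) and attempt limit (5) are assumptions chosen for illustration; the point is that someone who merely reads the victim's mailbox gets nothing from the code, because they still have to pass the site's own login first.

```python
"""Email-ownership verification with a mailed one-time code, entered after login.

Added example, not the original post's code and not any vendor's implementation.
Assumed design: the code is bound to one account, stored only as a hash, expires,
is single-use, and is accepted only inside an authenticated session for that same
account. An attacker who can only read the victim's inbox therefore cannot use it.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a code is good for 15 minutes
MAX_ATTEMPTS = 5              # assumption: discard the code after 5 guesses

# account_id -> {"hash": bytes, "expires": float, "attempts": int}
# Only the SHA-256 of the code is kept, so a leak of this table yields no usable codes.
_pending: Dict[str, dict] = {}


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_token(account_id: str, now: Optional[float] = None) -> str:
    """Create a fresh single-use code for account_id and return the plaintext
    value that goes into the outbound email (and nowhere else)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(9)   # 72 bits of entropy, 12 URL-safe characters
    _pending[account_id] = {"hash": _hash_token(token),
                            "expires": now + TOKEN_TTL_SECONDS,
                            "attempts": 0}
    return token


def confirm_token(session_account_id: Optional[str], account_id: str,
                  submitted: str, now: Optional[float] = None) -> bool:
    """Accept the code only from a logged-in session for the same account.
    Consumes the code on success. Returns True on success, False otherwise."""
    now = time.time() if now is None else now
    if session_account_id is None or session_account_id != account_id:
        return False               # no session, or somebody else's session
    entry = _pending.get(account_id)
    if entry is None:
        return False               # nothing pending: never issued, or already used
    if now > entry["expires"]:
        del _pending[account_id]   # expired: the user must request a new code
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[account_id]   # too many guesses: kill the code outright
        return False
    if not hmac.compare_digest(entry["hash"], _hash_token(submitted)):
        return False               # wrong code (constant-time comparison)
    del _pending[account_id]       # single use
    return True


def email_body(token: str) -> str:
    """The outbound email: no link, just the code and an instruction to log in
    the way the user already knows how to."""
    return ("To confirm this email address, log in to your account the way you "
            "normally do and enter this code on your account page: "
            f"{token}\nThe code expires in 15 minutes. We will never ask you to "
            "click a link in an email to keep your service.")


if __name__ == "__main__":
    code = issue_token("alice")
    print(email_body(code))
    print(confirm_token(None, "alice", code))      # mailbox-only attacker: rejected
    print(confirm_token("alice", "alice", code))   # logged-in owner: accepted
    print(confirm_token("alice", "alice", code))   # second use: rejected
```

Because the code is useless without the account password, the email can say plainly "we will never ask you to click a link," which is the precedent the email above complains about breaking.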

Thanks for reading.

*luckily this last word is no longer banned from TV, and thus — in this usage — it is appropriate to describe a distinct lack of professional behavior from a commercial company.

Crackers are getting help from sloppy updates to web sites… change your passwords

I was going to push an article about something completely different that has been on the back burner for a good amount of time, but this is more important. Sorry for the lack of detail and my terse tone, but I expect better of large sites than amateur moves. I'm not saying I have never messed up: I have, but I learned from it* ("never push prototypes") and never at this scale. The basics I sent to the site admins are enough for them to act on. I sent this out tonight. (Note: this is also why I don't use email addresses as half of an account's login credentials.)

Hi,
Upon trying to log in today to create a *******, I got a warning that the login page (now a pop-over) is not running through port 443 (SSL encrypted). I decided to abort the login process because my email and password would be transmitted over the internet in the clear. My previous visits did have an encrypted login. So, thanks to someone who updated the site without running a regression test or searching for glaring security holes, you guys probably have some users whose passwords have already been mined and exposed (LPH * HSU to calc how many people have been exposed), allowing crackers to collect more pieces of info on account holders in order to steal their identity.

Combined with enough info (such as from the recent Chase crack, Yahoo crack, or Sony crack), the crackers can try the collected emails and the passwords attached to them against known accounts with the same email to see which users use the same password on multiple sites. Then it is a simple matter to run a script that tries to log in to all the popular sites (FB, G+, Amazon, bank sites, etc.) to get into people's accounts. Good job ;\
Very sloppy update.

About all I can say is that no matter how good your password is, reusing the same password on multiple sites means that if someone else is sloppy with it, as above, you are exposed to having someone take over every account that uses this same password, and any account linked to an email protected by this recycled password. And since it is difficult to come up with unique passwords and not write them down, using a password manager such as 1Password is recommended (just use a good, unique password for the password manager itself).
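The attack described in the email above (replaying harvested email/password pairs against other sites) is also visible from the defender's side, and sites that log authentication attempts can spot it. The following is an added example (not the original post's code) of that detection run over a constructed log: it slides a window over each source IP's attempts and flags any IP that hits many distinct accounts with mostly failures, which is what a stuffing run looks like even though each individual login attempt is ordinary. The log format, the thresholds (20 accounts, 80% failures, 10 minutes) and the IP addresses are assumptions for illustration.

```python
"""Credential-stuffing detection over sample authentication log lines.

Added example, not the original post's code. The log format is constructed:
one line per attempt, "<ISO time> ip=<addr> user=<email> result=<ok|fail>".
Thresholds below are assumptions; tune them to your own traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

WINDOW = timedelta(minutes=10)   # assumption: look at 10-minute slices
MIN_DISTINCT_USERS = 20          # assumption: 20+ different accounts from one IP
MIN_FAILURE_RATIO = 0.8          # assumption: and at least 80% of them fail


def parse_line(line: str) -> Tuple[datetime, str, str, bool]:
    """'<ISO time> ip=<addr> user=<email> result=<ok|fail>' -> (time, ip, user, ok)."""
    ts_str, rest = line.strip().split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return (datetime.fromisoformat(ts_str), fields["ip"], fields["user"],
            fields["result"] == "ok")


def find_stuffing_sources(lines: Iterable[str]) -> Dict[str, Tuple[int, int, int]]:
    """Return {ip: (distinct_users, attempts, failures)} for every source IP that,
    within some WINDOW-long slice of its attempts, tried at least
    MIN_DISTINCT_USERS different accounts with a failure ratio of at least
    MIN_FAILURE_RATIO. The slice with the most distinct accounts is reported."""
    by_ip: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged: Dict[str, Tuple[int, int, int]] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(events)):            # sliding window over time
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = len({u for _, u, _ in window})
            failures = sum(1 for _, _, ok in window if not ok)
            if (users >= MIN_DISTINCT_USERS
                    and failures / len(window) >= MIN_FAILURE_RATIO
                    and (best is None or users > best[0])):
                best = (users, len(window), failures)
        if best is not None:
            flagged[ip] = best
    return flagged


def sample_log() -> List[str]:
    """Constructed log: one IP replays 25 leaked email/password pairs in four
    minutes (two of them still work, which is the whole point of the attack),
    while a legitimate user mistypes once and then logs in normally."""
    base = datetime(2014, 10, 13, 22, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        result = "ok" if i in (3, 17) else "fail"
        lines.append(f"{ts} ip=203.0.113.7 user=u{i:02d}@example.test result={result}")
    for offset, result in ((5, "fail"), (40, "ok"), (3600, "ok")):
        ts = (base + timedelta(seconds=offset)).isoformat()
        lines.append(f"{ts} ip=198.51.100.5 user=alice@example.test result={result}")
    return lines


if __name__ == "__main__":
    for ip, (users, attempts, failures) in find_stuffing_sources(sample_log()).items():
        print(f"{ip}: {users} accounts, {attempts} attempts, {failures} failures")
```

Note what the detector keys on: the two successful logins in the middle of the run are the accounts whose owners reused a password. A per-account lockout never fires here, because each account is tried only once; the signal is across accounts per source, so it belongs in the central log pipeline rather than in the login handler.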

Obscurity and encryption are not the only tools, just a few of the layers of defense in depth that I myself learn a bit more about every day. If you want to learn more about securing your site, check out SecurityPatterns.org.

(*The mistake I mentioned above didn't cause a data breach, but still: now even my prototypes sanitize input, because I formalized a utility class with a static input filter method.)

UPDATE: this article published today, http://appleinsider.com/articles/14/10/14/hundreds-of-dropbox-credentials-leaked-online-company-denies-breach, and my prior article on Dropbox Email Scams could be related to each other as well as to the above. Again, this could very well be an example of what happens when you use the same password on multiple accounts. So be safe and don't do it. Other than making myself type that a thousand times on a blackboard page of my site (which would be cool if the Simpsons opening used this, BTW), I can't emphasize strongly enough how dangerous using the same password (or dictionary words with a few numbers, like "protected123") is.

Oh yeah: I forgot my usual sign off in my haste to post last night: Thanks for reading.

UI Missteps: Form over Function

Don't get me wrong. The people at MacUpdate usually do a great job of managing and taking user feedback. But even with their careful curation of the Mac & iOS apps that receive updates (sometimes numbering close to 100 OS X apps alone in one day), things slip through the cracks. I wasted about 5 minutes trying to figure out why an updated app was not available via one-click update, using neither the built-in software updater nor MacUpdate's Desktop app. After going to MacUpdate, it was only by reading the comments and then hovering over the download link that the answer became clear: the app was a beta, and the built-in update tools, both within the native app and the MacUpdate Desktop app, wouldn't work with it. Even though I have "show beta/pre-release" unchecked, it still showed up in the MacUpdate Desktop list.

I realized the problem when looking at the comments, the confusion about the version numbers used, and how Adobe doesn't distinguish betas with "b" or "(beta)." Then I took a few minutes to write this. The focus is not what MacUpdate did; that is an edge case which reflects more poorly on Adobe. Instead it is an example of what UI designers everywhere are doing to the detriment of both advanced and novice users.

Making Simplicity Difficult (Form Over Function)

If you accept that the purpose of computers is to make tasks easier to accomplish than doing them without computers, then what follows is logical. When the interface gets so polished that the labels are rubbed off, advanced features are hidden or removed, and labels are replaced by unlabeled, undocumented icons, it leads to problems using an application no matter what type of device the application runs on. Here is my brief comment on that.

I don't mind a clean, nice-looking interface (I strive to balance aesthetics with easy-to-access, powerful features), but don't let streamlined designs actually slow productivity, whether that productivity is getting work done or doing administrative tasks such as updating your software.

This confusion is a clear case of form over function, which is the wrong direction for computing interfaces to head (unless you're selling soda or commodities…), because it handicaps learning by obscuring helpful orienting and navigating details, and it slows advanced users.

If this trend in UIs were to spill over into the real world, we would see street signs replaced with pictures of maps, and street addresses removed from the front of buildings and placed only inside each one. Menu boards would have descriptions and prices hidden until a person opened a flap to read them.

In houses, rather than working aesthetics around function, some streamlined houses would have only one control panel that controlled all the lighting, heating, etc., but that panel would be fixed next to the circuit breaker box. If a house had individual light switches, they'd be placed at the whim of a designer who had never lived in, or even been in, a house. Some would be oriented at any angle the designer liked and on any surface, some nowhere near the door, or on one or both sides of it. Some switches would glow only when they were off and not when they were on, and vice versa, which is actually happening with electronic switches. All building layouts would depend on the whim of a designer who had no concept of architectural design patterns nor any care about the building's function.

The current trend toward "flatness," a backlash against the "skeuomorphic" design of the last generation, dances around the real point of GUIs: to make things easier by giving users feedback that allows them to assess both the current application state and where they are in the system. The trend is stripping away both of these, making things harder to use, not easier. Sadly, people think simplifying the interface will help users whose learning is actually being slowed by confusing, inconsistent, low-feedback designs. This over-simplification is in fact hurting more than helping, because simple is not necessarily a synonym for easy. (Easy things are simple, but simple things are not always easy, oddly enough.) Product managers and designers think people want simple, when they really want easy. Making things easy should be the focus. The easier a complex task becomes, the more useful your software.

Making Complexity Easy (Form Follows Function)

Designers should look for the frustrating points and the complex points and make complex tasks as easy as possible, which means removing steps where that can be done without requiring more knowledge from the user than the complex steps themselves did.

This is my menubar. This is easy:

[image: menubar]

It is very dense with information. By looking at it you can see at a glance that Bluetooth is on; that I'm connected to the network with light traffic; my processor load; my sound volume; the day and date; my current battery level (full) and that I am plugged in; the time; the moon phase; and the CPU temperature and CPU voltage draw. I could have the default OS X menubar, but then I wouldn't be able to see any of this without opening applications, slowing me down. I often refer to network speeds and CPU load when something seems bogged down. I often check the date and time, and that calendar icon pulls down so I can see my schedule in Fantastical without opening the Calendar app. The functionality available when I pull down my sound menu is Audio Switcher:

[image: audio-switcher]

All of these save me time with each use. The march of menu items and GUI enhancements I use all take a complex array of data, navigation, and the bother of doing complex things, and put some of them a click or less away. While this might be ugly to some, it is not distracting and works well. This is my current balance point, but with each stripping-down towards "simplicity," this ease becomes harder to keep. Thankfully the developers of iStat Menus, Fantastical, Bartender, Audio Switcher, Moom, TotalFinder, Default Folder X, Alfred and PopCar (among others) see the problem that streamlined interfaces bring. Rather than strip away information, they strive to arrange information in a way that is not overwhelming, and they provide user-configurable interfaces to really harness the power of a GUI. These companies (while not all perfect; some have fallen into this hole at least slightly) have UI designers, not artists calling themselves UX designers who make flat, colorful mystery icons with unpredictable UIs that confuse people.

(I think of myself more as a user/communication efficiency type of person, so while the "UX Designer" title sounds fancy, I'd rather be a "User Interface Communication Efficiency Designer," to put the emphasis not on the "experience" of using a product but on the efficient use of the communication media available. Plus, UICED sounds like a term that could be played with. But titles are kind of limiting in a way… so I'll just be myself. When people ask me my title, I just sum it up by saying "IT Consultant," since whenever I actually start to talk tech I notice most people's eyes glaze over.)

I try to focus on what matters to get work done, so I can get work done with less effort and faster. Anything that hinders more than it helps my efforts falls out of use. BTW, if you are not familiar with these products, many are mentioned and linked on my Recommended Apps page. You can also check out MacUpdate.com and see the trove of software, most of it at least decent, that they list. They are good guys, so if you see errors, write them and be nice please. They will get back to you if needed with a personally written reply, which is always worth a star in my book. "When I was a kid several days of Mac SW updates could fit on one page… now several pages might span one day."

Thanks for reading.