Where did Noivad go?

The Ads really got to me (see prior post). So, after an update with a bad UI, I moved my blog. I really didn’t WANT to host it myself, but if you want something done right…

Anyway, I’ll see anyone that cares to follow me at my ad-free blog http://blog.noivad.net/ now with slick push notifications! :)  Oh, and if you care, I’ll soon have another media outlet, but it will be focusing on a different realm that I have written a bit about here and there. I would announce it now, but we are still setting everything up and I do not want to jinx it. I will say that we are reviving a production I did about 15 years ago that I greatly enjoyed working on. But perhaps I have said too much already?

Thanks for reading.

thanks for all the fish

…the new posting UI is horrid… I moved to http://blog.noivad.net and no longer post here. Why? #1: I really do not like advertising, especially when it takes up a lot of screen real estate and clashes with my aesthetic. I was a full time designer last century & aesthetics really do matter for how your writing is received. Search for my post about when they overruled my protest to not sending out the company reports in PDF format. Looks matter, but you must still have the substance to justify the positive attention, BTW. A lot of apps & sites are coming out that add nothing beyond a skin deep rehash of things that have existed in uglier forms for over a decade. I see almost nothing in new UIs that actually makes full use of the paradigm they are in to make using them truly efficient and enjoyable. Basically, once the focus went from function to aesthetics, the entire industry lost its way and thinks slick UIs are what makes a product good. Sadly, most people are fooled by this, and now UI/UX has actually regressed to the state it was in during the mid-90s.

This might sound like a “Trumpism,” but I know I could do a much better job with a team of people who also understood even parts of this philosophy.

Why It is Stupid to Buy a SmartTV

There are no regulations concerning what information can & cannot be collected with smart devices, nor how that information is transmitted. This article from the BBC explains how one user’s LG SmartTV sent the names of his family members in clear text across the internet — something that most people would be uncomfortable having publicly available.

Besides selling your private information to any and all advertisers or 3rd party entities willing to pay for it, none seem to have any way to prevent those 3rd parties from transferring it to others (aside from legal clauses — which would be hard to prove & a lengthy process to fix). Nor is there any way to redact information once released to 3rd parties.

But this is only part of the threat to personal security, because it would be trivial for a person with the technical ability or a warrant to obtain any and all information collected by such devices. Smart devices — those with convenience features tied to internet connectivity — are trojan horses for violations of privacy far more invasive and covert than anything else, and they rely on consumer ignorance to operate unfettered.

The only solution is to either never connect the devices to the internet, block all traffic or not purchase them at all.

Tech Crime & Punishment

In a recent article, Sophos ran a poll asking what the appropriate sentence should be for tech-related fraud — such as a fake “Windows Support” call saying you have a virus and asking for $300 to fix it over the phone. I have covered what to do with any unsolicited phone calls before. (The “short” answer: do not believe any claim of identity and ask for proof such as their employee ID#, the company they are representing {which they are often obligated to give you}, the case number for your issue, & a callback number, and hang up. Then look up the company contact info — make sure the company is on the up and up {has a physical address, look up consumer complaints about the company, etc.} — and call the official number with your case number if it all checks out. And never be afraid to get a second opinion — if a person tells you not to bother contacting someone else for a 2nd opinion — or worse, discourages contacting a 3rd party — it is a huge red flag.)

Excuse the outlandishness of this idea — it is just an idea that needs further refinement. If you are extremely narrow-minded or think “nothing can change/nothing will help” please stop reading now, to avoid reading something that might upset you. You have been warned…

Email Worst Practices

I had to send this “support request” email today because of some seriously bad error in judgement when someone hit the send button today. Seriously folks, this is 2014… have web companies and their employees learned nothing?


This morning I got an email asking me to click a link embedded in the email to verify my email address as a condition of maintaining my *********

The email is worded exactly like a phishing attack: requiring fast compliance, threatening a disconnection of service, lacking a link to verify this policy anywhere and the email is unsigned by anyone.

Someone in security who works there must be aware most phishing attacks are carried out exactly this way, and that you should NEVER encourage a user to click a link whether it is a legitimate reason or not in an unsolicited email because of the bad precedent it sets.

Instead, you should give the user a one-time unique token to enter and tell them to log in to their account and enter the token on their account page to verify the email was received and that they do in fact own the account. Not doing so would allow anyone with access to a client’s email account to potentially hijack the account with your service.

If you disagree, then I will have to look for a more competent company to *********. Please escalate this email until it gets to a policy-maker that understands the importance of why this is “worst practice.” If this does not happen, I might as well cancel my account because it is only a matter of time before your customers or your client-facing DBs are hacked.
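The token flow the email above asks for, written out as an added example (this is not code from the original post or from any company mentioned; the in-memory store, account ids and email text are constructed stand-ins). The important properties are that the email contains no link to click, the token is only accepted from an already authenticated session for the same account, it is stored hashed, it expires, and it is single use, so someone who merely reads the mailbox cannot take over the account:

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a 15-minute validity window


def verification_email_text(token):
    """Body of the email sent to the user. Deliberately no link: the user is told
    to log in the way they always do and type the code on their account page."""
    return (
        "To confirm this address, log in to your account as usual and enter "
        "the following code on your account page: " + token + "\n"
        "The code expires in 15 minutes. If you did not request this, ignore it."
    )


class VerificationStore:
    """Constructed in-memory stand-in for a database table of pending verifications."""

    def __init__(self):
        self.pending = {}     # account_id -> {"token_hash": str, "expires": float}
        self.verified = set()  # account ids whose email address has been confirmed

    def issue_token(self, account_id, now=None):
        """Create a one-time code for the account and return it for the email body.
        Only a hash is stored, so a database read does not leak usable codes."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(9)  # 12 URL-safe characters, unguessable
        self.pending[account_id] = {
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": now + TOKEN_TTL_SECONDS,
        }
        return token

    def confirm(self, logged_in_account_id, submitted_token, now=None):
        """Called from the account page of an authenticated session. The account id
        comes from the session, never from the request, so a code issued to one
        account can only ever confirm that same account."""
        now = time.time() if now is None else now
        entry = self.pending.get(logged_in_account_id)
        if entry is None:
            return "no_pending"
        if now > entry["expires"]:
            del self.pending[logged_in_account_id]
            return "expired"
        submitted_hash = hashlib.sha256(submitted_token.encode()).hexdigest()
        # Constant-time comparison of the hashes
        if not hmac.compare_digest(submitted_hash, entry["token_hash"]):
            return "mismatch"
        del self.pending[logged_in_account_id]  # single use
        self.verified.add(logged_in_account_id)
        return "verified"


if __name__ == "__main__":
    store = VerificationStore()
    code = store.issue_token("alice")
    print(verification_email_text(code))
    print("attacker session with alice's code:", store.confirm("mallory", code))
    print("alice's own session:", store.confirm("alice", code))
    print("replay of the same code:", store.confirm("alice", code))
```

Because the server only checks a token against the account of the session that submits it, possession of the email alone gives an attacker nothing to do with it; they would also need the account password. Compare that with an emailed link, which proves only that whoever clicked it could read the mailbox.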


Just to clarify, the raw headers show it was sent from their mail server, and the message looks legitimate, but maybe someone hijacked that through a completely unrelated blunder. Anyway, the moral of the story is: do not click links in unsolicited emails. If this was a case of a password reset I requested or a two factor auth thing, or even a newsletter I opted-in for, those are totally understandable, but in this case it was probably just bad form. To allow the company time to correct their policy (or regain control of their mail server) I have not mentioned exactly which web services company this is… but this is yet another case of sloppy work in the IT sector. And, as Danny Glover once said in a movie where he co-starred with a crazy guy, “I’m too old for this shit.”*

Thanks for reading.

*luckily this last word is no longer banned from TV, and thus — in this usage — it is appropriate to describe a distinct lack of professional behavior from a commercial company.

Crackers are getting help from sloppy updates to web sites… change your passwords

I was going to push an article about something completely different that has been on the back burner for a good amount of time, but this is more important. Sorry for the lack of detail and my terse tone, but I expect better of large sites making amateur moves. I’m not saying I have never messed up: I have, but I learned from it* (“never push prototypes”) and never at this scale. The basics I sent to the site admins are enough for them to act on. I sent this out tonight. (Note: this is also why I don’t use email addresses for half of an account’s login credentials.)

Upon trying to log in today to create a *******, I got a warning that the login page (now a pop-over) is not running through port 443 (SSL encrypted). I have decided to abort the login process because my email and password would be transmitted over the internet in the clear. My previous visits did have encrypted login. So thanks to someone who updated the site without running a regression test nor searching for glaring security holes, you guys probably have some users whose passwords have already been mined and exposed (LPH * HSU to calc how many people have been exposed), allowing crackers to get more pieces of info on account holders in order to steal their identity.

Combined with enough info (such as the recent Chase crack, Yahoo crack, or Sony crack) the crackers can try collected emails and passwords attached to them against known accounts with the same email to see which users use the same password on multiple sites. Then it is a simple matter to just run a script to try to login to all the popular sites — FB, G+, Amazon, Bank sites etc. to get into people’s accounts. Good job ;\
Very sloppy update.

About all I can say is that no matter how good your password is, reusing the same password on multiple sites means if someone else is sloppy with it, as above, you are exposed to having someone take over every account that uses this same password, and any account linked to an email with this recycled password. And since it is difficult to come up with unique passwords and not write them down, using a password manager such as 1Password is recommended (just use a good unique password for your password manager).

Obscurity and Encryption are not the only tools, just a few layers of defense in depth that I myself learn a bit more about every day. If you want to learn more about securing your site, check out SecurityPatterns.org.

(*The mistake I mentioned above didn’t cause a data breach, but still: now even my prototypes sanitize the input because I formalized a utility class with a static input filter method.)

UPDATE: this article published today http://appleinsider.com/articles/14/10/14/hundreds-of-dropbox-credentials-leaked-online-company-denies-breach and my prior article on Dropbox Email Scams could be inter-related as well as the above. Again, this could very well be an example of what happens when you use the same password on multiple accounts. So, be safe and don’t do it. Other than making myself type that a thousand times on a blackboard page of my site, (which would be cool if the Simpson’s opening used this BTW), I can’t emphasize strongly enough how dangerous using the same password (or dictionary words with a few numbers like “protected123”) is.

Oh yeah: I forgot my usual sign off in my haste to post last night: Thanks for reading.