Posts under “It’s a Feature”

Ad Company Apologises for Justin Bieber Ad

The other day, I was happily using my free (ad-supported) version of MetroTwit when I noticed this ad:

This prompted me to finally bite the bullet and buy a license for MetroTwit Plus, as well as post the following:

.@metrotwitapp If this was your plan to get me to buy MetroTwit Plus, mission-fucking-accomplished.  [link]

A few hours later, I received this reply:

@laslow sorry we don’t review all the ads that are delivered. :(  [link]

I replied again, and then sort of forgot about it. Later, though, I was retweeted, and that prompted the following reply (again from the @metrotwitapp account):

@Rob_Aarts @laslow if you guys have feedback about the ads, the guys at @140ProofAds are listening [link]

And indeed they were! A few hours ago, 140 Proof, the ad company themselves, tweeted:

@laslow Thanks for the feedback on the ad you saw. Sorry, we never intend to annoy. Will pass along the feedback to the team. @metrotwitapp [link]


Clearly, the lesson to be learned from this is if you want to sell licenses for ad-free versions of your software, sign a contract with Justin Bieber and only push his ads.

Twitter’s #NewLook Bothers Me, So I Fixed It

I’m not exactly a fan of Twitter’s #NewLook – I like my content on the left, and nav/other crap on the right. Twitter, apparently, doesn’t.

Ugh

So, after seeing @Kosh post about a script available on Stylish for Chrome, I installed the extension and then loaded the script. Success! But I wasn’t really happy with it.

I actually wanted something that would not only move the dashboard back over to the right, but would also keep the dashboard fixed in place, so that it stays put even when I scroll. After brushing up on my CSS, I modified the script like this:

Section 1:

.dashboard {
    margin-left: 10px !important;
    position: fixed !important;
    right: 28%;
}

Section 2:

.content-main {
    position: relative !important;
    right: 38%;
}

(Note: You may have to adjust the right: percentages depending on your screen resolution.)

Perfect: Now it's exactly how I like it!

Notice how even though I've scrolled down the page, the dashboard on the right is still visible.

On Labeling

Plug

What is this? I don't even...

Followup: Staples.ca and Plain Text Passwords

I posted an article the other day when I discovered that Staples.ca stores customer passwords in plain text. After a lot of prodding through email, I finally received a reply with some technical detail about how Staples actually stores the passwords:

We do take this issue very seriously. I contacted another department for a technical explanation of the issue.

Staples.ca stores user profile information in a commerce Binary Large Object that cannot be selected using SQL and cannot be queried without knowing the actual hash key to parse the XML object. When a password is requested using the “Forgot password” feature, the email address and the security question are asked to validate the user, and then backend processing is performed on the request to retrieve the password and send it to the email address on file. The site is on a monthly schedule to be scanned by Qualys (a third party security provider that provides on demand vulnerability management and policy compliance solutions to Staples) which scans for SQL injections, security vulnerabilities, firewall issues etc. We are 100% compliant by Qualys and from the RSA PCI standard institute. In no way can you SQL inject this website and get any data from the database that is not authorized. The underlying architecture is very secure and strict procedures are in place to not compromise PII information.

Please do not hesitate to contact us if you require further assistance.

Joan, E-commerce Communication Specialist
e-mail: bd.support@orders.staples.com
phone : 1-877-360-8500
fax   : 1-800-567-2260
url   : www.staples.ca/contactus

So there you have it. They are completely convinced that it is impossible for someone to get your plain-text password.

…That is, unless your email account is compromised. Or their server is exploited (Staples.ca runs IIS 5 on Windows 2000, according to Netcraft) and someone gains higher-privilege access. Or a staff member rages, dumps the database, then quits.

Unfortunately, I can’t find a way to delete my account, so I’ve nuked all of my personal data (replaced with fake stuff), and then entered a random password. I didn’t bother writing it down, because if I ever do want to get back in to my account, they’ll be more than happy to send it right to me. I don’t even have to choose a new one!

Staples.ca Doesn’t Care About Your Security

I went to make a purchase at Staples.ca today, however I quickly discovered I had forgotten my password. “No big deal,” I said to myself, “I’ll just use their forgotten password feature.” I entered my email address and, sure enough, a few minutes later had a new message. Opening it, my jaw dropped as I read through the message:

From: bd.Support@orders.staples.com [mailto:bd.Support@orders.staples.com]
Sent: Monday, August 29, 2011 3:32 PM
To: ***REDACTED***
Subject: Your Staples.ca password

Hello,

Your login password is: ***REDACTED***

We look forward to receiving your next order.

Thank You - Staples.ca Customer Service Team.

WTF? So, Staples is storing plain-text passwords in their database. Fantastic. Didn’t they learn anything from Sony?

I’ve fired off an email to their support people, and will post any replies they send.

UPDATE: That was fast! Here’s their reply.

We appreciate your inquiry concerning this issue ***,

Staples maintains reasonable and appropriate standards to safeguard your
Personal Information.

When you enter Personal Information that contains a Social Security
Number, driver’s license number, or credit or debit card number at the
designated and secured sections of our Website, the information will be
encrypted or encoded before it is sent over the Internet. Personal
Information that we collect and maintain is subject to physical,
administrative and technical controls that are consistent with
recognized industry standards.

Please do not hesitate to contact us if you require further assistance.

Joan, E-commerce Communication Specialist

e-mail: bd.support@orders.staples.com
phone : 1-877-360-8500
fax : 1-800-567-2260
url : www.staples.ca/contactus

They completely missed the point of the email. I sent them another reply, this time with a helpful link to the Ars Technica article linked above and a basic explanation of SQL Injection/best practices. Hoping for a more reasonable reply later.

Further Edit: After re-reading the email, it sounds like they’re confusing SSL with hashing/storage encryption. Blargh.

Short: Sticky Group Policies That Just Won’t Leave You Alone

The other day I was testing a Group Policy Object (GPO) on a system that resides in an isolated Organizational Unit (OU) with Block Inheritance set. After I finished testing, I applied the GPO to the production OUs and promptly forgot about it.

Fast forward to today. I was messing around on that system and discovered that I left that one particular GPO in place. I fired up the Group Policy Management tool and removed the link to that GPO, did a gpupdate /force on that system, rebooted and went about my business. A few minutes later, I discovered that GPO was still in effect. I double-checked that the GPO wasn’t linked to that OU anymore, and that inheritance was still blocked, and did another gpupdate /force, but to no avail. A quick check of HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History showed that yes, the GPO was still being applied.

I did a little head scratching, and then found the answer. As it turns out, after linking the GPO to the other production OUs, I selected the ‘Enforce’ option. With Enforce set, the GPO continues to be applied even after you unlink it from an OU. I simply disabled the ‘Enforce’ option, ran yet another gpupdate /force, and all was well.

TL;DR Version: If you unlink a GPO from an OU, update the system, and the GPO is still being applied, disable the ‘Enforce’ option on that policy and do another gpupdate.

Apple Offers Re-Download Feature, But Only to Americans

Being a Canadian citizen, I’m used to getting the short end of the stick when it comes to companies holding give-aways and the like. Apple is, of course, no exception.

I was excited to hear that, starting with iTunes 10.3.1, Apple would be allowing customers to download music that they had previously purchased (before, if you bought a track/album and lost it, you would have to buy it again). In case it changes, the feature is described as:

Now you can download music you’ve previously purchased to all your devices. When you buy music from iTunes, iCloud stores your purchase history. So you can see the music you’ve bought — no matter which device you bought it on. You can access your purchase history from the iTunes Store on your Mac, PC, iPhone, iPad, or iPod touch. And since you already own that music, you can tap to download your songs or albums to any of your devices.1

Note the (1) footnote indicator. That footnote reads as follows:

Available in beta now in the U.S. only and requires iOS 4.3.3 on iPhone 3GS, iPhone 4 (GSM model), iPod touch (3rd and 4th generation), iPad, or iPad 2, or a Mac or PC with iTunes 10.3. Previous purchases may be unavailable if they are no longer in the iTunes Store.

Emphasis mine. With any luck, once “iCloud” leaves “beta” (why are you pushing beta software through the official update channel, Apple? Google should sue.) the functionality will be expanded beyond the U.S. and let the rest of us poor suckers get back our copies of ‘Plastic Beach – Deluxe Edition’.

Shaw Cable Pulls a Rogers; Hijacks NX Records

The last time I wrote about NX domains, it was because I noticed that Rogers Wireless was hijacking them on my phone. Now, it appears that Shaw Cable is doing the same.

I use OpenDNS, so I’m used to search pages coming up when I mistype URLs; however, that is something I’d opted in to. You can imagine my surprise when, after mistyping a URL, I was directed to this instead:

http://assist.shaw.ca/shawcaassist/dnsassist/main/?domain=www.example.com

(original URL redacted).

It appears that, even if you aren’t using Shaw’s DNS servers they are still checking your DNS requests and, in the case of NX domains (at least – they could technically do this for any traffic), hijacking the result and forwarding your browser to their page instead.

I’ve sent a barrage of messages to Shaw’s PR team on Twitter, but haven’t had a response yet. I’ll update this article when (or if) they reply.

For the time being, though, it appears you can opt-out of the ‘service’ using this page: http://nxr.shaw.ca/optout/

Update: I’ve had a reply from Shaw saying “We do not modify any DNS traffic going to our customers from other sources”. They’re currently looking in to the issue apparently, so another update will be in order when I hear back.

Additional Update: I received a reply from Shaw asking me to do some further troubleshooting, all of which would have been useless (e.g., using the ‘dig’ and ‘nslookup’ commands to confirm my DNS settings and what the NX response was). However, as I opted out of the ‘service’, I can’t actually complete the steps, as everything is now working correctly. Additionally, there doesn’t appear to be a way to opt back in to the ‘service’, so that’s also a bust. I guess I won’t be getting an answer as to what happened. Also, I was linked on Reddit Canada.
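The check Shaw asked for (confirming what the NX response actually looks like) as an added example of my own, not anything from Shaw or from this post: it builds a DNS query for a random label that cannot exist, and classifies the reply as an honest NXDOMAIN, a hijacked answer (records returned for a name nobody registered), or something else. The `probe` function sends a real query over UDP to a resolver address you supply; the two sample responses at the bottom are constructed packets, not captures, so the classifier can be exercised offline.

```python
import os
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS A query in RFC 1035 wire format, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 1 question, RD set
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(txid: int, data: bytes) -> str:
    """'nxdomain' (honest), 'hijacked' (answers for a name that cannot exist) or 'other'."""
    if len(data) < 12:
        return "other"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction id, or not a response
        return "other"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode == 0 and ancount > 0:
        return "hijacked"
    return "other"  # e.g. NODATA, SERVFAIL, REFUSED


def random_probe_name(suffix: str = "example.com") -> str:
    """A label no one has registered, so the only honest answer is NXDOMAIN."""
    return f"nxcheck-{os.urandom(6).hex()}.{suffix}"


def probe(resolver_ip: str, timeout: float = 3.0) -> str:
    """Send one probe to the given resolver (network call; not exercised by the tests)."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(random_probe_name(), txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return classify_response(txid, data)


# Constructed sample responses to a query with transaction id 0x1234 (not real captures).
_QUESTION = build_query("nxcheck-deadbeef0000.example.com", 0x1234)[12:]
HONEST_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION  # RCODE 3
HIJACKED_ANSWER = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION   # RCODE 0
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
```

Run `probe` against a resolver you do not control and then against one you do; if the first reports `hijacked` and the second `nxdomain`, something in the path is rewriting NX responses.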

Google Changing Free Apps Account Limits

I just received this message from Google. Good to know I’m safe, but if you were considering signing up for a free Google Apps account, better do it before May 10th, 2011 unless you only need 10 users:

Hello,

We recently announced upcoming changes to the maximum number of users for Google Apps. We want to let you know that, as a current customer, the changes will not affect you.

As of May 10, any organization that signs up for a new account will be required to use the paid Google Apps for Business product in order to create more than 10 users. We honor our commitment to all existing customers and will allow you to add more than 10 users to your account for laslow.net at no additional charge, based on the limit in place when you joined us.

Sincerely,

The Google Apps Team


Rant: Gawker Shows Us How Not To Do It

Update (6/07/2011): Gawker has apparently corrected the problem for both the desktop Canadian sites and the mobile sites! You can now get the link you wanted without having to resort to workarounds!

Update (4/20/2011): See the bottom of the post for Gawker’s response to my inquiry.

When Gawker launched a new layout for their various sites, I said ‘Meh’. When their database was hacked and account details stolen, I said ‘Meh’ again, as I wasn’t an avid reader and didn’t have an account. I’d open the occasional link to an article on Lifehacker or Gizmodo, but that was it.

Now, I won’t even go that far, mainly because most of the time, the links don’t work.

Let me explain – if you live in the U.S. and/or don’t own a mobile device, you probably won’t notice an issue. However, being from the Great White North and owning an Android phone, getting to a specific article on a Gawker-run site is next to impossible without employing workarounds.

When someone from the U.S. links something from, say, Lifehacker, the link will look like this:

http://lifehacker.com/#!5757510/feednu-makes-an-android-app-for-your-blog

However, if you’re in Canada and click on that link, it will take you to this instead:

http://ca.lifehacker.com/

Yes, that’s right. Instead of taking you to the article that you want to read, it says “Oh, hey! You’re Canadian! Look at our other layout. What do you mean you wanted to read a specific article?” (Sometimes it will leave the full URL intact, but still bring you directly to the front page instead of the article you wanted).

And if you use a smartphone, or any other device Gawker thinks deserves the mobile site, you’ll get this:

http://m.lifehacker.com/#!5757510/feednu-makes-an-android-app-for-your-blog

Which, depending on how the site feels, will either give you their mobile homepage, or just a 404 error.

Kind of reminds me of this XKCD strip. Either way, bye bye Gawker Media. You won’t be missed.

Addendum: After emailing Gawker’s support team a few times, I finally got this reply:

The tech team is still trying to figure out how to integrate the hashtags with the redirect. They’re making some progress, but not enough to roll out with the fix just yet. All we can ask is that you continue to be patient until that fix is ready. Sorry for the inconvenience this is causing, but I promise, a fix is coming.

–Steve Climaco

Gawker Media Help Desk

So basically, they’ve over-engineered their post system and have no idea where the screw-up is. Given their overall history, this isn’t surprising.