The other day, I was happily using my free (ad-supported) version of MetroTwit when I noticed this ad:

This prompted me to finally bite the bullet and buy a license for MetroTwit Plus, as well as post the following:

.@metrotwitapp If this was your plan to get me to buy MetroTwit Plus, mission-fucking-accomplished.  [link]

A few hours later, I received this reply:

@laslow sorry we don’t review all the ads that are delivered. :(  [link]

I replied again, and then sort of forgot about it. Later, though, I was retweeted, and that prompted the following reply (again from the @metrotwitapp account):

@Rob_Aarts @laslow if you guys have feedback about the ads, the guys at @140ProofAds are listening [link]

And indeed they were! A few hours ago, 140 Proof, the ad company themselves, tweeted:

@laslow Thanks for the feedback on the ad you saw. Sorry, we never intend to annoy. Will pass along the feedback to the team. @metrotwitapp [link]


Clearly, the lesson to be learned from this is if you want to sell licenses for ad-free versions of your software, sign a contract with Justin Bieber and only push his ads.

I posted an article the other day when I discovered that Staples.ca stores customer passwords in plain text. After a lot of prodding through email, I finally received a reply with some technical detail about how Staples actually stores the passwords:

We do take this issue very seriously.  I contacted another department for a technical explanation of the issue.

Staples.ca stores user profile information in a commerce Binary large object that cannot be selected using SQL and cannot be queried without knowing the actual hash key to parse the XML object. When a password is being requested using the “Forgot password” feature, the email address and the security question are asked to validate the user and then backend processing is performed on the request to retrieve the password and send it to the email address on file. The site is on a monthly schedule to be scanned by Qualys (a third party security provider that provides on demand vulnerability management and policy compliance solutions to Staples) which scans for SQL injections, security vulnerabilities, firewall issues etc. We are 100% compliant by Qualys and from the RSA PCI standard institute. In no way can you SQL inject to this website and get any data from the database that is not authorized. The underlying architecture is very secure and strict procedures are in place to not compromise PII information.

Please do not hesitate to contact us if you require further assistance.

Joan, E-commerce Communication Specialist
e-mail: bd.support@orders.staples.com
phone : 1-877-360-8500
fax   : 1-800-567-2260
url   : www.staples.ca/contactus

So there you have it. They are completely convinced that it is impossible for someone to get your plain-text password.

…That is, unless your email account is compromised. Or their server is exploited (Staples.ca runs IIS 5 on Windows 2000, according to Netcraft) and someone gains higher-privilege access. Or a staff member rages, dumps the db, then quits. Note that the reply itself concedes the point: if a back-end process can retrieve the password in order to e-mail it, the password is stored in a reversible form, and whoever can run that process, or read the blob and whatever key parses it, can read every customer's password the same way. A blob that SQL can't SELECT from is an obstacle, not encryption.

Unfortunately, I can’t find a way to delete my account, so I’ve nuked all of my personal data (replaced with fake stuff), and then entered a random password. I didn’t bother writing it down, because if I ever do want to get back in to my account, they’ll be more than happy to send it right to me. I don’t even have to choose a new one!

I went to make a purchase at Staples.ca today, but I quickly discovered I had forgotten my password. “No big deal,” I said to myself, “I’ll just use their forgotten password feature.” I entered my email address and, sure enough, a few minutes later had a new message. Opening it, my jaw dropped as I read through the message:

From: bd.Support@orders.staples.com [mailto:bd.Support@orders.staples.com]
Sent: Monday, August 29, 2011 3:32 PM
To: ***REDACTED***
Subject: Your Staples.ca password

Hello,

Your login password is: ***REDACTED***

We look forward to receiving your next order.

Thank You - Staples.ca Customer Service Team.

WTF? So, Staples is storing passwords in their database in a form they can read back: plain text, or at best reversible encryption, which amounts to the same thing once an attacker has the database and the application server that decrypts it. Fantastic. Didn’t they learn anything from Sony?

I’ve fired off an email to their support people, and will post any replies they send.

UPDATE: That was fast! Here’s their reply.

We appreciate your inquiry concerning this issue ***,

Staples maintains reasonable and appropriate standards to safeguard your
Personal Information.

When you enter Personal Information that contains a Social Security
Number, driver’s license number, or credit or debit card number at the
designated and secured sections of our Website, the information will be
encrypted or encoded before it is sent over the Internet. Personal
Information that we collect and maintain is subject to physical,
administrative and technical controls that are consistent with
recognized industry standards.

Please do not hesitate to contact us if you require further assistance.

Joan, E-commerce Communication Specialist

e-mail: bd.support@orders.staples.com
phone : 1-877-360-8500
fax : 1-800-567-2260
url : www.staples.ca/contactus

They completely missed the point of the email. I sent them another reply, this time with a helpful link to the Ars Technica article linked above and a basic explanation of SQL injection and password-storage best practices. Hoping for a more reasonable reply later.

Further Edit: After re-reading the email, it sounds like they’re confusing SSL, which only protects the password in transit between my browser and their server, with how the password is stored once it gets there (hashing, or at the very least encryption at rest). Blargh.
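For the record, here is what the Staples replies above should have described. This is an added example, not Staples.ca’s code or anything taken from their site: a salted, slow password hash that the server can check but never reverse, and a “forgot password” flow that e-mails a short-lived, single-use reset link instead of the password. The UserStore class, the iteration count and the 15-minute token lifetime are this example’s own assumptions, standing in for a real user table.

```python
"""Added example (not Staples.ca's code): password storage that cannot be read
back, plus a reset flow that never needs the original password."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000      # assumption: tune so one hash costs ~100 ms on the server
RESET_TOKEN_TTL = 15 * 60        # assumption: reset links expire after 15 minutes


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt$digest' with hex fields.

    A fresh random salt per user means two customers with the same password
    get different records, and PBKDF2 is one-way: the server can test a guess
    against the record but cannot recover the password to e-mail it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the digest using the salt and iteration count stored in the
    record, then compare in constant time so timing does not leak how many
    bytes of the digest matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """In-memory stand-in for the user table and a single-use reset-token table."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self.iterations = iterations
        self._users = {}    # email -> password record (never the password itself)
        self._resets = {}   # sha256(token) -> (email, expires_at)

    def register(self, email, password):
        self._users[email] = hash_password(password, self.iterations)

    def login(self, email, password):
        record = self._users.get(email)
        return record is not None and verify_password(password, record)

    def forgot_password(self, email, now=None):
        """Issue a reset token to put in an e-mailed link.  Only its hash is
        stored, so a dump of this table does not hand out usable tokens.
        Returns None for unknown addresses; the caller should still show the
        same "if that address exists, we sent a link" page to avoid telling an
        attacker which addresses have accounts."""
        if email not in self._users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        self._resets[key] = (email, now + RESET_TOKEN_TTL)
        return token

    def reset_password(self, token, new_password, now=None):
        """Redeem a token exactly once, and only before it expires."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self._resets.pop(key, None)   # pop: a token can never be reused
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at:
            return False
        self._users[email] = hash_password(new_password, self.iterations)
        return True
```

PBKDF2 is used here because it ships in the Python standard library; bcrypt, scrypt or Argon2 are better choices where a library is available, and the self-describing record format above lets a site migrate between them one login at a time. The thing to notice is what the store never has: with this design a support rep, a rogue admin, or anyone who dumps the database gets digests that only let them check guesses, and the reset e-mail contains a token that is worthless fifteen minutes later.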

Update: WordPress.com finally fixed the Stats issue, however Jetpack (despite the version bump to 1.1.1) still errors out, this time with “register_http_request_failed”. The issue appears to be with lighttpd, as if I switch back to Apache everything works. Might finally break down and switch to nginx, as Apache is too big of a memory hog for my liking.

The other day, the WordPress.com Stats plugin I use to spy on you (er, monitor this blog) stopped working. Then I started getting this error from Stats:

Your WordPress.com account [Redacted] is not authorized to view the stats of this blog. Currently access to stats is broken for some users and we are working on fixing this. Your stats are still being counted and will be visible once we restore access for your account.

Fair enough. I waited. And waited. And waited some more. When it became apparent that this wasn’t a temporary problem, I removed and re-added the plugin, and was then greeted with this new, more exciting error:

“The owner of that API Key ([Redacted]) is not on the access list for this blog ([Redacted]). Stats was installed using a different API key. The owner of the original key can add users to the access list, or you can contact WordPress.com support.”

Huh. Well, since that didn’t do it, I did some Googling and found out that Automattic just released Jetpack, a collection of plugins that replaces a good chunk of the standalone plugins out there that work with WordPress.com services. People who were getting the above errors reported that the Stats plugin provided with Jetpack worked, so I switched. And immediately received yet another error:

Your Jetpack has a glitch. Connecting this site with WordPress.com is not possible. This usually means your site is not publicly accessible (localhost).

Fantastic. Google once again helped me to find a bunch of other users with the same problem, but sadly, none of the fixes (most of them found in this thread) worked for me. I broke down and contacted Automattic support, and their reply was the following:

It might be the SSL cert that is preventing Jetpack from connecting. Is the site also behind any sort of firewall?

Which, of course, the site is. However, that was the first thing I checked, as my iptables rules are just north of Insanely Restrictive. Sadly, disabling iptables did nothing to help. Additionally, I was able to confirm that outbound SSL access was working by using curl from an SSH session to grab pages from https://wordpress.com, so that’s not the issue either (though an outbound test only covers half of it: Jetpack also needs WordPress.com to reach this site’s xmlrpc.php from the outside, which is what the “not publicly accessible” message is really complaining about). I replied back to let him know this, and I’m waiting on a response. Through all of this, the normal WordPress.com Stats plugin still doesn’t work. So,

WORDPRESS! Y U NO FIX STATS API?

My new favourite meme.

My primary workstation at work is an Apple iMac 9,1 (in Apple terms, an ‘early-2009’ model), and spends 99% of its uptime running Windows 7 x64 (which actually isn’t supported on this model – you need to manually run the x64 Bootcamp .msi on the disk to install, as the setup.exe reports that 64-bit Windows isn’t supported).

During the installation of Bootcamp, though, I noticed something: although Apple appears to check which model of computer you’re using for compatibility purposes, it doesn’t do the same when determining which drivers to install. As such, the installation takes approximately eight billion times longer to complete than it should (sorry, I’m no good with numbers), and leaves Programs and Features looking like this:

Apple's Leftovers

I mean, really, Apple? Is it really that hard to add a simple WMI call (WMIC BIOS Get SMBIOSBIOSVersion, perhaps?), compare it to a simple CSV file and only install the drivers required for that system?

It’s a good thing they stopped making the I’m a Mac commercials, or Justin Long would need to put on fifty pounds to account for Apple’s bloat.

Continued from Part 4 (read from the beginning).

I took a trip to the UK at the beginning of the month, and when I returned on the 13th I immediately checked my credit card statement. I wasn’t surprised to see that the refund still hadn’t been processed (now past the 14-business-day cut-off mark for credit card refunds). I called HTC yet again, and after a bit of hold time was given some good-ish news.

The agent confirmed that yes, HTC’s warehouse had received my phone and they had accepted it. However, someone at said warehouse hadn’t closed the ticket in their system, which prevented the refund from being processed. I was promised that the ticket would once again be escalated and that the escalations team would get the warehouse to close the ticket and things would get moving again.

I asked if HTC would compensate me for the interest accrued on my credit card from having this charge sitting on it for nearly two months, but was told they wouldn’t do anything. It was worth asking about, though.

So, on Tuesday the 17th I once again checked my credit card statement and there it was! A line item showing a credit for the DoA Nexus One. Although I wasn’t happy with the time it took to deal with the issue, and the interest charges that built up from it, I was ready to put the issue to bed.

And then I got the following email from HTC:

Dear Laslow,

Thank you for using HTC Customer Service. We want to make your next visit even better and would like your feedback. If you haven’t already done so please help us improve by taking a quick survey on your experience using HTC Customer Service.

Get Started

Thank you very much for your time. Be sure to visit us online at http://www.htc.com to read the latest announcements and check out our newly released products.

We are unable to receive replies to this email account. Please visit us at http://www.htc.com if you have any questions or need further assistance.

Sincerely,

HTC

I couldn’t pass it up. I filled out the survey and was completely honest about the experience I had with trying to get a refund for a DoA unit and how ridiculous it was that I had to choose that route in the first place, rather than having the option to simply get a new, non-refurbished replacement like American customers. I submitted it, and then completely forgot about it.

This morning, while I was off rebuilding a borked IPCop box, HTC left me a voice mail message that went something like this:

Good morning Mr. Laslow. My name is <redacted> from HTC, and I’m just calling to follow up on your return. I am very, very sorry that it took so long to process your refund. I’m also very sorry that you received a DoA unit in the first place. If you need any further assistance with this, please call us at 866-449-8358. Once again, we appreciate your business and are very sorry about this whole thing.

I was stunned; I never expected to hear back from HTC at all. I’m not, however, surprised by the fact that they simply apologized rather than offering some form of compensation (be it an accessory, a t-shirt, anything really). Regardless, I’m happy that this is over and I can finally end the tale of an HTC DoA.

I came back from vacation the other day to find that some computers on our primary domain (example.local) were unable to access shares on a secondary domain (test.local, located in another building and accessed via a wireless link). When attempting to open the share (or just browse to the Domain Controller), the following error would appear:

Share Error

"There are currently no logon servers available to service the logon request."

Googling did no good, as there were only vague references to DNS issues and WINS servers (the latter of which we don’t use). As nothing had changed in the environment recently, I was at a bit of a loss. I could ping the DC (Homer) in question, and even RDP to it, but I couldn’t for the life of me access the share. nslookup behaved normally, but then I had a thought: the DC that I couldn’t access was also acting as a DNS server (the primary one for test.local) with example.local as a secondary zone (which, of course, contained the DNS entries for the computers that were having trouble accessing the secondary domain). When I loaded the DNS manager and clicked on that zone, I was immediately greeted with an error stating the following:

DNS Error

Turns out, there *was* a DNS problem!

The problem was that I had removed a DNS server over a year ago, and it was still listed as the master server for this secondary zone. The Windows DNS service had apparently only now decided this was a problem and stopped pulling copies of the zone from the DNS server that still worked. The long fuse is normal DNS behaviour: a secondary zone keeps answering from its last good copy until the zone’s SOA expire interval runs out, and only once transfers have failed for that long is the zone marked expired and the server stops answering for it, so a stale master list can bite long after the change that caused it.

To fix this, I simply right-clicked on the zone, chose Properties, removed the offending server IP from the master server list on the General tab and updated it with the correct servers and order. As soon as I finished, the computers had no trouble accessing that DC again. Magic!

I reinstalled Windows 7 on my MSI Wind U123 today because of a number of problems with sound input and PulseAudio on Fedora 13 that I couldn’t be buggered to fix. After the install, I ran Windows Update as normal, rebooted, and then noticed that my mouse cursor was gone. I could still click around and select things, so I knew the mouse was working, however I couldn’t see it.

Searching Google proved worse than useless. The two best solutions listed were to either enable pointer tails (annoying) or lower the hardware acceleration level on your video card. Although true that both of these options will work, they both suck.

The real fix? Install the correct video drivers. As it turns out, when I ran Windows Update I accidentally selected the Intel Graphics driver update, which caused the problem. After downloading and installing the correct driver direct from Intel the cursor suddenly reappeared. Magic!

TL;DR Version: If your mouse cursor disappears, go to your video card manufacturer’s website and get the drivers from them.

I ordered a bunch of new kit last week, and in typical Dell fashion they decided to send the order to me as they get the parts, rather than just send it all at once. This morning, I received the first piece:

Dell Packing
Seriously, Dell? All that for one lousy DVI extension cable? Well, at least they’re still better than HP.

Rogers Logo

It seems like ages ago I’d gone and opted out of Rogers Marketing ‘services’ – I made sure that I’d chosen opt-out options for email, snail-mail, and SMS, and all was well. However, a few months ago I started receiving telemarketing phone calls on my Rogers-provided cell phone. I did the individual opt-out each time they called, but a different company/number would call each time.

While updating other parts of my account today, I decided to double-check the marketing settings, and found this:

Rogers Marketing Opt-Out


Err, that’s great Rogers – you’re not going to have anyone call my work number, but why isn’t my cell phone in the list, and why can’t I add it?

A quick call to Rogers (meaning twenty minutes of hold time) later and I had an answer (sort of) – the rep that I got instructed me to go to http://www.rogers.com/optout and enter the relevant details to opt out of all marketing on that number.

After doing this, my cell number still isn’t listed in the Marketing Opt-Out in my Rogers My Account section, but the site did say that it may take 1-2 weeks for the changes to take effect. Only time will tell, but next time the telemarketers call, there will be a few more questions as to how they got my number.