  
Author Topic:   Felger Sounds Off on Internet Insanity
Percy
Member
Posts: 22505
From: New Hampshire
Joined: 12-23-2000
Member Rating: 4.9


(2)
Message 80 of 96 (778116)
02-16-2016 5:09 PM
Reply to: Message 74 by PaulK
02-16-2016 4:01 PM


Re: Secure Passwords
PaulK writes:
What's the password security like here, Percy?
I plan to improve the password security with the latest and greatest in 5.0, but right now we use the standard Unix crypt() utility program made available by PHP. There's no decryption algorithm for crypt(), but its passwords can be easily broken using programs that are widely available today. For this reason I put EvC Forum passwords through an extra little step that makes it more difficult for users of these programs.
Passwords are of course stored in encrypted form. Even if the database is compromised and all the encrypted passwords stolen, hackers will still have a bit of work before them.
We had a break-in a few years ago that gave me a crash course in website and database security. We're much more secure than we were, but not as secure as we're going to be.
--Percy

This message is a reply to:
 Message 74 by PaulK, posted 02-16-2016 4:01 PM PaulK has not replied

Replies to this message:
 Message 83 by Percy, posted 02-18-2016 12:01 PM Percy has seen this message but not replied

  
Percy
Member
Posts: 22505
From: New Hampshire
Joined: 12-23-2000
Member Rating: 4.9


Message 83 of 96 (778220)
02-18-2016 12:01 PM
Reply to: Message 80 by Percy
02-16-2016 5:09 PM


Re: Secure Passwords
I'm going to have to retract one thing:
Percy writes:
There's no decryption algorithm for crypt(), but its passwords can be easily broken using programs that are widely available today.
Crypt uses DES (Data Encryption Standard). It was proven it could be broken over 20 years ago. But it apparently takes a great deal of effort and talent to write a DES-breaking program, and I could find none freely available on the Internet. I find this surprising. If anyone finds one let me know.
--Percy

This message is a reply to:
 Message 80 by Percy, posted 02-16-2016 5:09 PM Percy has seen this message but not replied

Replies to this message:
 Message 84 by PaulK, posted 02-18-2016 12:15 PM Percy has seen this message but not replied
 Message 85 by NoNukes, posted 02-18-2016 12:49 PM Percy has replied

  
Percy
Member
Posts: 22505
From: New Hampshire
Joined: 12-23-2000
Member Rating: 4.9


Message 86 of 96 (778236)
02-18-2016 2:02 PM
Reply to: Message 85 by NoNukes
02-18-2016 12:49 PM


Re: Secure Passwords
NoNukes writes:
and I could find none freely available on the Internet
Might be due to lack of current interest.
Then DES is secure again!
Seriously, although some quarters mention the easy availability of such programs, when I actually tried to find one what I found was how incredible an effort it was back in the late 1990's to create demonstration programs, the first one including the use of hardware. From the Electronic Frontier Foundation's Cracking DES webpage:
quote:
The whole project was budgeted at about US $210,000. Of this, $80,000 was used to design, integrate, and test the EFF DES Cracker. The other $130,000 was for materials including chips, boards and all other components on the boards, card cages, power supplies, cooling, and a PC. The software for controlling the EFF DES Cracker was written separately as a volunteer project that took 4-5 weeks. The entire project was completed within about eighteen months, with much of that time being used for preliminary research. The core team contained fewer than ten people, none of whom worked full-time on the project. The final cost came in at well under $250,000.
Perhaps you have the option of upgrading from DES.
Oh, indubitably. As I mentioned in Message 80, security improvements are coming in 5.0.
--Percy

This message is a reply to:
 Message 85 by NoNukes, posted 02-18-2016 12:49 PM NoNukes has replied

Replies to this message:
 Message 87 by NoNukes, posted 02-19-2016 8:38 AM Percy has replied
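
An added example, not EvC Forum's code and not part of the posts above: one way a PHP site can move off the DES crypt() hashes discussed in Messages 80 to 86 without resetting every password, by rehashing with password_hash() at the next successful login. The function names, the $users array and the sample password are assumptions constructed for the illustration, and the forum's own extra step is not modelled.

```php
<?php
// Added example: upgrade-on-login from legacy DES crypt() hashes to password_hash().
// The $users array, function names and sample password are constructed for illustration.

// Legacy DES crypt(): 2-character salt, 13-character output, and only the
// first 8 characters of the password take part in the hash.
function legacy_hash(string $password, string $salt): string {
    return crypt($password, $salt);
}

function is_legacy(string $stored): bool {
    // Modern crypt-style hashes start with '$' ($2y$, $argon2id$, ...);
    // traditional DES output is 13 characters from [./0-9A-Za-z].
    return preg_match('#^[./0-9A-Za-z]{13}$#', $stored) === 1;
}

// Verifies a login and, on success, replaces a legacy or outdated hash.
// Returns [bool $ok, string $hashToStore].
function verify_and_upgrade(string $password, string $stored): array {
    if (is_legacy($stored)) {
        // The stored hash carries its own salt, so it doubles as the salt argument.
        $ok = hash_equals($stored, crypt($password, $stored));
    } else {
        $ok = password_verify($password, $stored);
    }
    if ($ok && (is_legacy($stored) || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return [$ok, $stored];
}

// Constructed sample record, hashed the legacy way.
$users = ['alice' => legacy_hash('correct horse battery', 'ab')];

// DES crypt ignores everything past the 8th character, so these two
// different passwords compare equal under the legacy scheme.
var_dump(legacy_hash('correct horse battery', 'ab') === legacy_hash('correct XXXXX', 'ab'));

// First login after the change: the password verifies against the old hash
// and the record is rewritten with the current default algorithm.
[$ok, $users['alice']] = verify_and_upgrade('correct horse battery', $users['alice']);
var_dump($ok, is_legacy($users['alice']));

// Later logins go through password_verify() only.
[$ok] = verify_and_upgrade('correct horse battery', $users['alice']);
var_dump($ok);
```

Accounts that never log in again keep their DES hash, so retiring the legacy branch also needs a cut-off date after which the remaining accounts are forced through a password reset.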

  
Percy
Member
Posts: 22505
From: New Hampshire
Joined: 12-23-2000
Member Rating: 4.9


Message 88 of 96 (778334)
02-19-2016 10:55 AM
Reply to: Message 87 by NoNukes
02-19-2016 8:38 AM


Re: Secure Passwords
NoNukes writes:
You are safe primarily because there is no value to be found in cracking the password system here.
People often use the same name and password at sites like this one as they do at other sites, like banks and stores and so forth, so the approach some hackers take is to attack the least secure sites in the hope they'll gain login information that can be used at other sites. The bank and medical websites I use have started detecting when you're using a new device or computer and put you through an additional level of security.
When the hackers broke in here back in 2010 they found an old text file from around 2003 that was tucked away in an innocuous subdirectory where I had evidently been doing some debugging, and then I never deleted it afterward. Before I caught up with them they had hacked the EvC Forum Skype account, where I was using the same name and password.
--Percy

This message is a reply to:
 Message 87 by NoNukes, posted 02-19-2016 8:38 AM NoNukes has replied

Replies to this message:
 Message 89 by NoNukes, posted 02-19-2016 12:04 PM Percy has seen this message but not replied

  
Percy
Member
Posts: 22505
From: New Hampshire
Joined: 12-23-2000
Member Rating: 4.9


(2)
Message 90 of 96 (779082)
02-29-2016 5:54 PM


This Just Belongs in This Thread
Call to IRS refund assistance line during their regular business hours:
  • Please enter 1 for English, para continuar en...
    *1*
  • For information about your refund, please press 1. If your refund check has been lost or stolen, please press 2. If...
    *2*
  • You will need the return's social security number, the filing status, and the exact dollar refund amount. Please enter the social security number now:
    xxx-xx-xxxx
  • Please enter the number of the correct filing status. Single, press 1. Married filing...
    *1*
  • Please enter the exact dollar refund amount. Do not enter cents. Follow the amount with the pound sign.
    nnnn#
  • We are sorry, due to extremely high call volume, all our representatives are busy now. Regular business hours are from 8 AM to 7 PM. Please call back during regular business hours. Thank you for calling the IRS refund assistance line.
    *click*
--Percy

  
Percy
Member
Posts: 22505
From: New Hampshire
Joined: 12-23-2000
Member Rating: 4.9


Message 91 of 96 (782323)
04-22-2016 9:43 AM


David Pogue
David Pogue does entertaining TV shows on technology, was the technology columnist for the New York Times, and is currently a columnist for Yahoo and Scientific American. In his Technofiles column titled Dumb Design (sorry if that link doesn't work, sometimes Scientific American locks their stuff up pretty tight) of the April Issue of Scientific American Pogue summarizes a few of his complaints. Here are some excerpts with my comments.
Have you ever tried to cancel a service on a company's Web page? You look everywhere, but you just can't find the Cancel option. It's almost as though the company has hidden it on purpose.
Pogue is much more forgiving than me. While I accept that much bad design is not on purpose, the hiding of the "Cancel" option is not one of them. Amazon Prime used to hide it really well, not sure if that's still true. If you sign up for New York Times Premiere using their webpage, do you know where the "Cancel" option is? It doesn't exist. You have to call them, go through their voice menu system, wait on hold for a while, then explain that you'd like to cancel your Premiere subscription. "Can I ask why, sir?" Hey, my time is worth nothing, waste as much of it as you like.
To their credit, Netflix makes it really easy to cancel. And their user interface is excellent! Amazon should be ashamed.
A common way to get burned on the Internet is to sign up for a free offer with no charge as long as you cancel before the free period ends. Some companies are wonderful, sending you a nice email that the free period is about to end, along with a "Cancel" link. Other companies are not so good, so now before signing up for free offers I make sure I can find the "Cancel" option first.
The last free offer I signed up for was Apple Music. It was bad when it was called Apple Beats, and it's still bad, so I'll cancel soon. There's a reminder in my calendar, including a note to myself about where the "Cancel" option is.
Apple Music reminds me that I should comment about Pandora. I use Pandora when I'm working, but I had to spend time on other issues for the past month and hadn't listened to Pandora in a while until yesterday. Maybe they've made an improvement, or maybe they changed an algorithm, but the channels now seem to be playing a more accurate *and* larger selection of music. Nice!
The mobile era makes the challenge even greater; it's especially difficult to cram a lot of features into limited screen space.
Very true. I like a big screen and a normal keyboard, so I wait until I get home before checking stuff online. I don't feel the need to be constantly interconnected.
At the moment, millions of people, stymied by terrible software design, blame themselves. I must just be a dummy, they might mutter. I guess I'm some kind of Luddite.
Pogue is describing exactly the attitude I opened this thread to combat. People, it is not your fault! These apps (or whatever) suck!
In fact, though, if a control doesn't work the way it should, or it isn't sitting where it ought to be, it may well be the designers' fault, not yours.
Ya think?
But in other cases -- many, many other cases -- it seems clear that the creators of bad interface design just weren't thinking.
Sometimes designers *can* be blamed for bad designs, but we can't ignore that bad design is often not the fault of designers. Too often design projects are given too little time and too few resources. Over the years designers eventually become habituated to having only enough time and resources to do a bad job.
It makes sense when you think about how often apps are updated. Constant change to keep up with incessantly changing demand is necessary and important and has to be done fast under great time and money constraints. Most software goes out the door with designers and coders crossing their fingers that all the stuff they know is bad or wrong or broken doesn't cause too many problems.
Of course many companies have a ready solution for all the problems in their software: they make it near impossible to contact them and complain.
Pogue makes four specific suggestions for how design could be improved, but I found them either wishy-washy, too general, or vague, so I won't describe them.
But I do see a disturbing trend, and that's the emergence of some user interface standardization. Standardization is great, very welcome, makes it easier to use a new app or website, but some standardization is as bad as the QWERTY keyboard. I'd hate to see some examples of poor interface design become standard.
By the way, this standardization isn't happening because of the good graces of the high-tech industry, at least in my opinion. It's happening because underneath the surface they're standardizing on software libraries like AngularJS and Bootstrap and others. User interfaces implemented using the same software libraries will tend to have a certain sameness of structure and behavior.
--Percy

Replies to this message:
 Message 92 by jar, posted 04-22-2016 9:56 AM Percy has seen this message but not replied
 Message 93 by Percy, posted 05-07-2016 9:38 AM Percy has seen this message but not replied

  
Percy
Member
Posts: 22505
From: New Hampshire
Joined: 12-23-2000
Member Rating: 4.9


Message 93 of 96 (783625)
05-07-2016 9:38 AM
Reply to: Message 91 by Percy
04-22-2016 9:43 AM


Re: David Pogue
My previous post mentioned that I had tried Apple Music, didn't like it, and was planning to cancel as the end of the free trial period approached. Well, I "cancelled" Apple Music, and it wasn't easy. What should have taken at most five minutes took an hour. Here's what happened. Things I think are buggy or wrong or absurd are in bold red.
  • Open the email from Apple welcoming me to Apple Music. This email contained a link for cancelling. I clicked on the link to cancel, here it is:
    quote:
    To cancel auto-renewal or manage your subscriptions, click below and sign in.
    View Account Information
  • In Chrome (my default browser) the wrong webpage opened. I got the Apple download webpage:
  • I navigated from the download page to my account page, but there was nothing about subscriptions. I poked determinedly at this for a while, looking everywhere at the Apple website I could think of that might be related to managing a subscription.
  • I contacted Apple using their chat app. It took a while before the Apple person was convinced that I was accurately describing what had happened, and then another while for her to exhaust her ideas.
  • I suggested trying a different browser, she agreed, so I tried Firefox. It worked. Instead of taking me to the Apple download page it transferred control to iTunes, which opened its account page. The Apple Music subscription was listed there and I was able to turn it off.
Why didn't it work in Chrome? Who knows. Was it the popup blocker? The ad blocker? A bug? I don't know, I've wasted too much time on this already to afford the time to investigate, but here are my specific complaints:
  1. That "View Account Information" link Apple provided should work in all popular browsers no matter what common extensions they've added.
  2. The Apple account information for iTunes should be available through their webpages. It's nice that it's available through iTunes, but all subscriptions for all Apple apps should be available through their webpages.
The impetus for this post is that it was just announced at Tech Times that "Changes on Apple Music will include a major design overhaul." Geez, like it wasn't obvious that was needed back when Apple Music was called Apple Beats. In fact, this was just a marketing ploy. Apple Music was just Apple Beats with a few superficial changes. The article continues:
quote:
According to The Information founder Jessica Lessin and New York Times tech reporter Mike Isaac, the planned revamp for Apple Music is very much needed so that the music streaming service can continue to thrive.
If Apple Music is thriving then that is very hard to figure, though I will say it has one very nice feature: You can play any random song any time you like, and you can also build playlists (I assume of any length) from all songs from their library and your own. You can't do that with Pandora, I don't know about Spotify. The article goes on:
quote:
Lessin believes that Apple Music could be better integrated with iTunes, and Isaac thinks that Apple should focus on creating a feature that will differentiate Apple Music from rivals such as Spotify.
My own opinion is that Apple should first focus on making Apple Music as good and bug-free as Pandora and Spotify. My music app use only takes advantage of the "station" feature. Apple Music stations will just go dead (refuse to play), stations can be seeded with only a single song or group, there's no up/down voting to hone your station, stations cannot be renamed, stations cannot be sorted by name or other criteria, and stations cannot be deleted (they just go to the end of the list). In short Apple Music reflects woefully insufficient attention to design and quality.
--Percy

This message is a reply to:
 Message 91 by Percy, posted 04-22-2016 9:43 AM Percy has seen this message but not replied

Replies to this message:
 Message 94 by Rrhain, posted 05-08-2016 6:37 AM Percy has seen this message but not replied

  
Percy
Member
Posts: 22505
From: New Hampshire
Joined: 12-23-2000
Member Rating: 4.9


Message 96 of 96 (784214)
05-14-2016 11:49 AM


Bad Design at Facebook
On your PC, go to your Facebook homepage. In the lower right is the chat box. Any dynamic menus that come up display *behind* the chat box. For example, click on your name to go to your own info page. Hovering your mouse over "More " will raise a dynamic drop-down. Size your browser window so that "More " is just above the chat box and when you hover over it the dynamic drop-down will be behind the chat box.
You can click on the top bar of the chat box to make it collapse into a little box at the bottom of the browser window, but this only makes it less likely the problem will affect you. The chat box cannot be made to completely disappear.
This happens because z-index for the chat box is set to 300, while for dynamic menus it is not set (which means "auto"), leaving it at the default level, the same as static content. As a positioned element it will always be displayed above static content, but below any layer with a defined z-index, including 0 (giving a layer no z-index is not the same as giving it a z-index of 0).
Good design requires z-index values with good separation. When unspecified with no defined value to inherit z-index will be displayed just above static content, so values for higher layers should be 10, 20, 30 or 100, 200, 300 and so forth.
A z-index of "auto" for dynamic content is bad design because it makes it impossible to position new objects like the chat-box above some layers but below others. What Facebook really wants is for the chatbox to be above the static content but below dynamic drop-down menus.
This many years along fixing the initial bad design may not be easy. Glancing at their dynamic menu HTML I see they have many layers of HTML and many CSS classes. Figuring out where to make the CSS change for the dynamic menu's z-index could take some time.
Of course, Facebook can afford to fix it, so why don't they? I have no idea. A quick Google reveals that Facebook has been having z-index issues for years.
--Percy
Edited by Percy, : Correct directions in first paragraph.

  