Monthly Archives: February 2013

New Windows Phone 8. Something to love, something to hate.

Given in to phone envy, Alun?

No, not really – although I will say it was interesting to be around so many Windows Phone 8 users at the Microsoft MVP Summit last week.

But the HTC HD7 I originally bought, which spent a half-hour in a hot-tub (syncing), then a week in a bucket of Damp-Rid, then a year (working) in the hands of my teenaged son, finally bit the dust in the middle of the MVP Summit.

Says the storage card is corrupted.

So, I can’t afford the time to take it apart, mess with the drive and possibly even discover that it is truly dead.

I have to take advantage of the “upgrade” pricing that comes with committing to another year of service from T-Mobile, and upgrade him to a Windows Phone 8 system.

Then my wife gets interested in the phone, and before you know it, we’re all getting new phones.

No problems, then – everything’s good!

Yes and no.

It’s always good to get a new phone, sure, and to enjoy the fun of new features. But you’ve got to reinstall, and in some cases, re-buy (my wife went from a Blackberry to an HTC 8X) all your apps. And the data is all gone. High-scores, messages, settings, there’s no good path to take data from a WP7 to a WP8, let alone from a Blackberry to a WP8.

Some apps, of course, save their data to the cloud – all my OneNote files came with me.

It’s not so bad in the future, because there’s apparently a better upgrade path from WP8 to other WP8 phones. Messages get backed up, as well as your app list and settings.

How’d you get your apps back, then?

The interface to reinstall has improved over the years, from the first version, in which I only found the ability to restore apps installed directly from the Zune software; to a later version, which required a bunch of different click-through pages for each app you want to reinstall. Now, the reinstall interface is so much easier. Just go to the Windows Phone "Purchase History” page, scroll down the list of apps and click “Reinstall” on each app you want to go onto your new phone. No clicking through, no re-checking boxes about allowing location, etc.

Despite the name “Purchase History”, this page lists even those apps which I downloaded for free, whether as Trial software, or because the software was free in the first place.

That’s the good part, and that’s how I got some of my apps back. But the bad part is that this list doesn’t contain all of my free apps, just a limited, and somewhat random, selection. For instance, although it lists Amazon Fresh, the Purchase History page is missing Amazon Kindle, and Amazon Mobile, as well as the majority of my other free apps. This is not good customer experience, and if I was the author of any of the apps that aren’t easily reinstallable, I’d probably raise a big stink.

So now, I have to go one by one through my old phone’s list of apps, finding out which aren’t on my new phone, searching for them in the store, finding them in the search results, clicking on them, then clicking “Reinstall” (the store knows I have already installed them before). This makes me more likely to not reinstall these apps, and since the majority of these are ad-funded apps, whose authors won’t make a dime unless I run them, I think that app developers have a strong incentive to ask Microsoft to fix this behaviour.

And how’s the podcast experience?

Oh, you knew that I’d have something to say about that. Well, this post’s long enough already, so I’ll leave that until next time. For now, I have to say I do like my new phone, but I’m really tired of this whole update process already.

That old “cyber offence” canard again

I’m putting this post in the “Programmer Hubris” section, but it’s really not the programmers this time, it’s the managers. And the lawyers, apparently.

Something set me off again

Well, yeah, it always does, and this time what set me off is an NPR article by Tom Gjelten in a series they’re currently doing on “cybersecurity”.

This article probably had a bunch of men talking to NPR with expressions such as “hell, yeah!” and “it’s about time!”, or even the more balanced “well, the best defence is a good offence”.

Absolute rubbish. Pure codswallop.

But aren’t we being attacked? Shouldn’t we attack back?

Kind of, and no.

We’re certainly not being “attacked” in the means being described by analogy in the article.

"If you’re just standing up taking blows, the adversary will ultimately hit you hard enough that you fall to the ground and lose the match. You need to hit back." [says Dmitri Alperovitch, CrowdStrike's co-founder.]

Yeah, except we’re not taking blows, and this isn’t boxing, and they’re not hitting us hard.

"What we need to do is get rid of the attackers and take away their tools and learn where their hideouts are and flush them out," [says Greg Hoglund, co-founder of HBGary, another firm known for being hacked by a bunch of anonymous nerds that he bragged about being all over]

That’s far closer to reality, but the people whose job it is to do that is the duly appointed law enforcement operatives who are able to enforce law.

"It’s [like] the government sees a missile heading for your company’s headquarters, and the government just yells, ‘Incoming!’ " Alperovitch says. "It’s doing nothing to prevent it, nothing to stop it [and] nothing to retaliate against the adversary." [says Alperovitch again]

No, it’s not really like that at all.

There is no missile. There is no boxer. There’s a guy sending you postcards.

What? Excuse me? Postcards?

Yep, pretty much exactly that.

Every packet that comes at you from the Internet is much like a postcard. It’s got a from address (of sorts) and a to address, and all the information inside the packet is readable. [That’s why encryption is applied to all your important transactions]

So how am I under attack?

There’s a number of ways. You might be receiving far more postcards than you can legitimately handle, making it really difficult to assess which are the good postcards, and which are the bad ones. So, you contact the postman, and let him know this, and he tracks down (with the aid of the postal inspectors) who’s sending them, and stops carrying those postcards to you. In the meantime, you learn how to spot the obvious crappy postcards and throw them away – and when you use a machine to do this, it’s a lot less of a problem. That’s a denial of service attack.

Then there’s an attack against your web site. Pretty much, that equates to the postcard sender learning that there’s someone reading the postcards, whose job it is to do pretty much what the postcards tell them to do. So he sends postcards that say “punch the nearest person to you really hard in the face”. Obviously a few successes of this sort lead you to firing the idiot who’s punching his co-workers, and instead training the next guy as to what jobs he’s supposed to do on behalf of the postcard senders.

I’m sure that my smart readers can think up their own postcard-based analogies of other attacks that go on, now that you’ve seen these two examples.

Well if it’s just postcards, why don’t I send some of my own?

Sure, send postcards, but unless you want the postman to be discarding all your outgoing mail, or the law enforcement types to turn up at your doorstep, those postcards had better not be harassing or inappropriate.

Even if you think you’re limiting your behaviour to that which the postman won’t notice as abusive, there’s the other issue with postcards. There’s no guarantee that they were sent from the address stated, and even if they were sent from there, there is no reason to believe that they were official communications.

All it takes is for some hacker to launch an attack from a hospital’s network space, and you’re now responsible for attacking an innocent target where lives could actually be at risk. [Sure, if that were the case, the hospital has shocking security issues of its own, but can you live with that rationalisation if your response to someone attacking your site winds up killing someone?]

I don’t think that counterattack on the Internet is ethical or appropriate.

That “are you kidding me?” moment in customer support

So, my Sunbeam electric blanket died yesterday. Second one in a year.

As a dutiful consumer, I’d really like to report this to the manufacturer, get a replacement and move on. I fill out the “Contact Us” form. Then I get this ludicrous error:

image

So, you’re going to ask your customers to contact you when they have problems, and then you’re going to actually limit the characters they’re allowed to use in the QUESTION that they’re asking you?

Asking me to avoid using quotes, colons and semicolons in written English is completely ludicrous.

And yes, I know why they do this. It’s because they attended a course on secure programming which told them how to do input validation.

Input validation is not the shizzle

I am constantly amazed as to how frequently I have to ram this point home to developers who have learned one trick to protect against injection attacks.

“Validate ALL input – reject the bad characters!” – I’ve heard this from a number of people, including security professionals.

When you CAN do strict input validation based off a restricted whitelist, of course, that’s great – “input a whole number between one and ten” is good for input validation. “Input your name” generally isn’t, because names have a habit of containing characters that are known to be ‘bad’ characters in a number of cases, such as “O’Donnell”. Apostrophes are bad in numerous cases. “Input your question”, as in this case, is likely to elicit all kinds of funky characters.

And, as I ask the candidates on my phone screen interviews, what do you do in the case when you have a web app which stores to a SQL database, and its task is to store XSS and SQL injection attacks. <sigh> Clearly, you have to use acceptable output encoding. Apparently, Sunbeam’s web developers are not good enough to know when to stop using input validation, and start using output encoding.

Even less smart

My suspicions are confirmed when, after typing in a correctly formed question, the model number of the blanket (which, curiously, isn’t anywhere on the blanket or its controllers), the date code on the plug, and my contact details, the web page unerringly provides me with this as its response:

image

So, I think our next step is to contact Amazon to resolve this customer service issue properly. And not buying from Sunbeam again.