OC1

Storm OC1 with GoPro on the forward iako

Coming up on our first anniversary as Maui residents. We've been getting in a lot of snorkeling, swimming, surfing and paddle boarding, with a little windsurfing as well. Work on our house has finally reached a mostly-completed state, with new roof, paint, gutters and photovoltaics.

With all the water time, I found that while I love surfing, I continued to miss the feel of sitting in a performant boat with paddle in hand. We tried renting some Ocean Kayaks, but found, while definitely stable, they paddled a bit like barges. A local Epic rep let me try an Epic V10, which was like riding a highly-tuned road bicycle: fast, smooth, a crazy cool machine, but so tippy I'd never be able to set down the paddle and take a photo or contemplate the sunset.

All that changed with my new ride, a Storm OC1 (Outrigger Canoe - 1 person). Fabricated in one piece rather than separate glued-together deck and hull. New technology! Carbon boat, ama and iakos. 20.5' long, 15" beam. About 14 pounds fully assembled -- yeah, less than half my standup board. Awesome machine, and paddling an outrigger is quite different from a kayak, which is icing on the cake for me.

Now to get the boat out and learn... 

Bad Form(s): A Brief Rant

A lot of interaction on the web is achieved through the use of forms, panels of text and fields used to input, classify and store data. Forms have been around pretty much since the beginning, and at first were something resembling sorcery: getting a form to look good, fields aligned, was tricky. As HTML and CSS became more sophisticated, along with improved JavaScript capabilities, forms have become both easier to build and more complex to debug. And the temptation to add unnecessary glitz is frequently the culprit behind the worst forms out on the web.

Input Fields are the workhorses of forms. They can restrict the number of characters input and the type of data entered. They can choose to display or mask the input as in the case of passwords. While there are far more options than these, this small set of variables is more than enough for poorly-implemented forms to become nearly unusable, leading to frustration and outright silliness.

Some of this silliness has declined over the decades because developers have gravitated toward some standards of behavior. Sadly, one still to this day encounters forms with some of the same lameness that we saw in the 90's or 00's -- and we can't blame the COGs (Crusty Old Guys) for all of it. Too often, new developers fall into the same traps of bad form design, disregard of user experience, cool-philia, laziness or the "I am IT and I decide" mindset that has consistently been focused on the mechanics of a site even when in opposition to the success of people using a site. For some reason, I encounter these issues most frequently on banking and government sites, where some noob has clearly discovered the modern equivalent of the blink tag and can't resist inflicting their new-found toy on users.

Standard Information

Data like phone numbers, ZIP codes, Social Security numbers are pretty standardized in the US. Phone numbers, for example, are expected to have 10 digits, but they may be formatted in a number of ways:

  • (800) 555-1212 (traditional)
  • 800-555-1212 (business traditional)
  • 800.555.1212 (standard geek)
  • 8005551212 (machine version)

While a company may want to format a phone number in a particular way, all they actually need is those 10 digits -- they shouldn't really be concerned about how a person might format their number since it's so easy to parse out the digits and store just that; storing digits only allows more efficient sorting anyway. A number can then be reformatted as desired on subsequent read and display. Still, I constantly find forms that throw errors if a user includes hyphens, periods or, gasp, spaces in a phone number -- or doesn't include one of those. Some forms simply limit the phone number field to 10 characters and leave the user to guess what's going on, adding no benefit but inflicting a developer's idea of proper form entry.

ZIP Codes

The US Post Office instituted ZIP (Zone Improvement Plan) codes in 1963, and extended those codes with the "5+4" format in 1983. That's all before forms existed, but the 5+4 format isn't widely used even now. But it still manages to cause some forms (or the developers behind them) indigestion.

Synchronicity is Key

One particularly idiotic situation occurred when I was logging for the first time into an account that had been set up through a separate process. To verify my identity, I was asked to enter my ZIP code, at which time my verification was rejected. Checking back with the administrator, I found that my ZIP code had been recorded as a 5+4 value. The web form, however, only allowed 5 digits, making a match impossible unless the developers actually used some common sense. I've seen this occur as well when a form on a web page allows or requires something different than what is allowed on that same form on a mobile app.
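The digits-only storage from the phone number section and the 5 versus 5+4 mismatch described above, as an added Python example that is not from the original post. The function names and the sample ZIP values are assumptions made for illustration.

```python
import re
from typing import Optional, Tuple

# Punctuation people really type in phone numbers; anything else is rejected.
_PHONE_ALLOWED = re.compile(r"[0-9\s().\-]+")
# Five digits, optionally followed by a hyphen or space and the +4 extension.
_ZIP = re.compile(r"\s*([0-9]{5})(?:[-\s]?([0-9]{4}))?\s*")


def normalize_phone(raw: str) -> str:
    """Return the 10 digits to store, whatever formatting the user chose."""
    if not _PHONE_ALLOWED.fullmatch(raw):
        raise ValueError("phone number contains unexpected characters")
    digits = re.sub(r"[^0-9]", "", raw)  # ASCII digits only
    if len(digits) != 10:
        raise ValueError(f"expected 10 digits, got {len(digits)}")
    return digits


def format_phone(digits: str, style: str = "traditional") -> str:
    """Re-apply formatting at display time from the stored digits."""
    a, b, c = digits[:3], digits[3:6], digits[6:]
    return {
        "traditional": f"({a}) {b}-{c}",
        "business": f"{a}-{b}-{c}",
        "geek": f"{a}.{b}.{c}",
        "machine": digits,
    }[style]


def normalize_zip(raw: str) -> Tuple[str, Optional[str]]:
    """Split a ZIP into (five_digit, plus_four_or_None)."""
    m = _ZIP.fullmatch(raw)
    if not m:
        raise ValueError("not a 5-digit or 5+4 ZIP code")
    return m.group(1), m.group(2)


def zip_matches(entered: str, on_file: str) -> bool:
    """Compare a typed ZIP with the one on record.

    The five-digit parts must agree; the +4 parts are compared only when
    both sides supplied one, so "5 digits typed, 5+4 on file" still matches.
    """
    e5, e4 = normalize_zip(entered)
    f5, f4 = normalize_zip(on_file)
    if e5 != f5:
        return False
    return e4 is None or f4 is None or e4 == f4


if __name__ == "__main__":
    # The four formats listed in the article all store the same value.
    for typed in ["(800) 555-1212", "800-555-1212", "800.555.1212", "8005551212"]:
        print(typed, "->", normalize_phone(typed))
    # Constructed sample ZIP values.
    print(zip_matches("96790", "96790-1234"))
```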

The Future is Here (Occasionally)

"The future is already here -- it's just not very evenly distributed." - Michael Gibson

I sometimes run across forms that ask for the ZIP code first, then use that information to automatically populate the fields for city and state. Smart, and rare, a form that actually helps you fill in the blanks. With technology that's been in use since at least 1998 and information that's been available since 1963...

Divertimento: Non-Regional Postal Codes

From Wikipedia:

In Canada the amount of mail sent to Santa Claus increased every Christmas, up to the point that Canada Post decided to start an official Santa Claus letter-response program in 1983. Approximately one million letters come in to Santa Claus each Christmas, including from outside of Canada, and all of them are answered in the same languages in which they are written.[13] Canada Post introduced a special address for mail to Santa Claus, complete with its own postal code:
SANTA CLAUS
NORTH POLE  H0H 0H0

Gotta love Canadians.

Form input and the Database

Nearly all data input through forms ends up in a database. To store data, most databases receive those data in the form of an SQL (Structured Query Language) query. For example:

insert "xyz1234pplr" into table passwords where user = "John Yaya"

[Note to geeks: these examples are simplified for a lay audience; this is not a coding class, so please back off.]

That query is evaluated by a parser and the value is stored. That parser evaluation, however, is where we can get into trouble.

Code Injection

Code injection is one of the oldest, most common and most insidious forms of hacking. Parsers look for meaning as part of their evaluation process, and some characters can cause some really interesting things to happen. Take our example from above, and let's add something destructive:

insert "xyz1234pplr|'/bin/sh unlink /'" into table passwords where user = "John Yaya"

The vertical bar character "|" is used in some systems (like Unix variants) as what's called a "pipe", a way of passing the output from one program to be input into another program. The inserted phrase:

|'/bin/sh unlink /'

means "pass the command to the main system to unlink the filesystem root."

In times before developers and operating systems were careful about input (actually this is still a problem), this query might have been executed, resulting in the effective deletion of the entire filesystem on the database server. These days, rather than directly destroy a filesystem, someone might try to use injection to give themselves administrative privileges, and from there they can get into all sorts of trouble.

Input Character Restriction

Sadly, some IT groups continue the ancient (by IT standards) and lame (by any standard) practice of trying to protect against injection by restricting what characters can be entered into a form. So things like "|" or ">" might be disallowed. Problem is, good passwords these days make use of all sorts of punctuation.

Institutional Arrogance : Personal Capital IT

Recently, I opened a trial account with Personal Capital (PC), a Mint-like web site where you enter all your financial accounts and it advises you about your investments (I'm intentionally not including a link out here because I can't with good conscience make it easy for anyone to go there). But I was unable to add some of my accounts because the passwords appeared to be getting rejected. After some back and forth, I was informed that the IT staff at PC reads your passwords when you add a financial account and strips out any characters they think are unsafe -- even if those characters are perfectly fine with the financial institution. To be clear:

  1. You create an account with a bank, establish a login and password.
  2. You create an account with PC and add the bank and login credentials to your PC account.
  3. PC reads your password when you supply it and then strips out any characters they feel are objectionable according to their internal policy. You are never informed about this action, and the now-corrupt password is stored rather than the real password that you and your bank agreed on.
  4. PC uses the corrupt password to attempt to log into your bank.
  5. The bank rejects the corrupt password.
  6. On login rejection, PC displays a message to you indicating that the bank doesn't like your password.
  7. If this happens enough, the bank locks your account. It is then up to you to resolve the mystery with your bank, because at this point neither you nor your bank know why someone has been trying to log into your account with a bad password.
  8. At no time does PC let you know they caused the entire problem.

PC's support personnel were very defensive about their actions, maintaining that they're following OWASP guidelines and are justified in their policy. They informed me that the solution was for me to change all my passwords to my banks to conform to their (PC's) requirements.

One of the most myopic and arrogant IT abuses I've seen in a while. 

Input Escaping

A better method of defending against injection attacks is input escaping. Basically, before you parse any input from a field, you "escape", or defang, any characters you feel are dangerous. Escaping can take a lot of forms, but in essence it means flagging a character in a way that tells the system "this is just a character, don't use it as something else." For example, the vertical bar character "|" in some environments is used as a "pipe", a way of passing data from one program into another program. If that character is treated as a pipe when entered into a database, it might be interpreted as an operation, and text that seemed innocuous might get executed rather than simply entered as text. Our nefarious query from above becomes:

insert "xyz1234pplr\|'/bin/sh unlink /'" into table passwords where user = "John Yaya"

The added backslash "\" tells the parser that the vertical bar is just a vertical bar, and the pipe is neutralized. Smart systems store the escaped string in the database so that later retrievals are safe as well.
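The contrast between character stripping (the Personal Capital scenario) and handing input to the database as pure data, as an added Python example that is not from the original post. It uses bound query parameters with SQLite rather than the backslash escaping described above; the deny-list, table layout, user names and sample password are constructed for illustration.

```python
import hmac
import sqlite3

# Constructed sample values (not real credentials).
BANK_PASSWORD = "T!ger|Lily>42"                    # punctuation the bank accepts
HOSTILE_INPUT = "xyz1234pplr|'/bin/sh unlink /'"   # the article's example string

# Hypothetical "unsafe characters" policy of the kind the article criticises.
DENYLIST = set("|<>'\";/\\")


def strip_denied(value: str) -> str:
    """Character restriction: silently drop deny-listed characters."""
    return "".join(ch for ch in value if ch not in DENYLIST)


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE credentials (user TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    return conn


def save_credential(conn: sqlite3.Connection, user: str, password: str) -> None:
    # The ? placeholders send the values separately from the SQL text, so no
    # character in them is ever parsed as part of the statement.
    # (A real aggregator would also encrypt this value at rest.)
    conn.execute(
        "INSERT OR REPLACE INTO credentials (user, password) VALUES (?, ?)",
        (user, password),
    )
    conn.commit()


def load_credential(conn: sqlite3.Connection, user: str):
    row = conn.execute(
        "SELECT password FROM credentials WHERE user = ?", (user,)
    ).fetchone()
    return row[0] if row else None


def bank_accepts(candidate: str) -> bool:
    """Stand-in for the bank's login check against the real password."""
    return hmac.compare_digest(candidate.encode(), BANK_PASSWORD.encode())


def run_demo() -> dict:
    conn = open_store()

    # Steps 3-5 of the list above: the stripped password is what gets stored.
    save_credential(conn, "John Yaya", strip_denied(BANK_PASSWORD))
    stripped_login = bank_accepts(load_credential(conn, "John Yaya"))

    # Same password stored untouched through bound parameters.
    save_credential(conn, "John Yaya", BANK_PASSWORD)
    intact_login = bank_accepts(load_credential(conn, "John Yaya"))

    # The hostile-looking string is stored and returned as plain text.
    save_credential(conn, "Test User", HOSTILE_INPUT)
    hostile_intact = load_credential(conn, "Test User") == HOSTILE_INPUT
    rows = conn.execute("SELECT COUNT(*) FROM credentials").fetchone()[0]

    return {
        "stripped_login": stripped_login,
        "intact_login": intact_login,
        "hostile_intact": hostile_intact,
        "rows": rows,
    }


if __name__ == "__main__":
    print(run_demo())
```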

It Really Isn't Rocket Science

Finding a well-built form, while not rare, does continue to be uncommon in my experience. As an engineer, I've embraced the rule of parsimony (or Occam's Razor if you prefer) from early in my career, which effectively means "don't make it fancier than it needs to be."

Modern techniques can provide all sorts of functionality to the user experience. The trick is keeping a firm eye on the goal: that technology should be used to enhance the experience, not provide a place to show off at the user's expense.

Dear Mayor Arakawa - One lane bridge on the Haleakala Highway

[Posted to AskTheMayor@mauicounty.gov]

Dear Mr. Arakawa,

The Haleakalā highway winds past Pukalani High School and, before starting up the mountain, passes through a one-lane bridge. There are yield signs for approaching traffic in both directions, but I’ve seen several near-head-on-collisions as someone sails onto the bridge without paying any attention to the yield sign, frequently without slowing down at all. This highway sees a lot of traffic between tourists and those of us who live up the mountain; sooner or later there’s going to be a major wreck on that bridge, which may lead to injuries and will most likely close that road for some amount of time.

Are there any plans to make this part of the road more safe? Perhaps add flashing yellow lights to the yield signs, or better yet widen the bridge to provide for two-way traffic?

Respectfully,

David Phillips
Kula

Dear Mayor Arakawa - Bike Tours on Haleakala

[Posted to AskTheMayor@mauicounty.gov]

Dear Mr. Arakawa,

I’ve managed to find very little documentation of any policy addressing the vendors that run bike tours down Haleakala. There was some mention of requiring a 10-minute spacing between groups, and I found one article that indicated Maui Police had declined to enforce any policies concerning these tours.

The vendors running the bike tours have taken advantage of the lack of regulation, and in doing so they are becoming somewhat of a nuisance on the highway:

  • I’ve encountered, more than a few times, up to five groups forming a near-continuous hazard all the way down the mountain. People become frustrated and pass the bikes, and the vans, at dangerous points in the road. I’ve witnessed this many times.
  • I’ve followed company vans driving down the center line, nearly causing head-on accidents with oncoming traffic.
  • I’ve followed company vans pulling trailers without working tail lights or brake lights.
  • I’ve had to avoid bicyclists riding against traffic in the wrong lane, or weaving all over the road while the company staff ignores them.
  • I’ve come around a corner to find a dozen people, off their bikes, standing in the middle of the highway watching a rainbow as the vendor sits in his van and looks on.

It seems to me some common-sense regulation, and enforcement, would be appropriate here. We’re going to see more tourists rather than fewer. More people will be living upcountry. It’s only a matter of time before we have a major incident with injuries. This shouldn’t be too complicated:

  • Vans and trailers must have current vehicle inspections and be in proper working order.
  • Vans and trailers must be clearly marked with company information on the sides and on the rear, including telephone numbers for reporting complaints.
  • Lead riders must wear clothing and helmets that clearly identify them as the company’s guide.
  • All riders must ride between the leading guide and the following van. No stragglers or racers.
  • A maximum of 5 riders per guide. If the group is larger, more guides must be riding spaced throughout the middle of the group.
  • Tours must allow 15 minutes between departures from the top of the route. 10 minutes is not sufficient, as the groups stack up lower on the mountain. Maui Police should occasionally audit this behavior.
  • There should be a central hotline for reporting incidents, or perhaps a website where people can provide photos of the vendor being reported. Maui Police should review both of these.
  • There should be real penalties for violating regulations - fines, suspension or revocation of tour operator’s license.

I don’t think any of these suggestions would be unreasonable to responsible tour vendors, and it would certainly make things safer for the people on bikes, and less frustrating for those of us who drive that highway every day.

Of course, an alternative solution would be to restrict all such tours to a single company to control the usage, similar to what they did on the Big Island in Kealakekua Bay. This would put other tour companies out of business, but would also provide a more consistent, safer experience for those who take those tours. If the current abuse continues, and traffic increases, I could see us getting to that point.

Respectfully,

David Phillips
Kula

Apple Pay and MCX : It's Not (All) About Interchange Fees

Credit cards get stolen, in one form or another, every day, as do debit cards. For me, one of the fundamental differences between the two, as I’ve unfortunately experienced personally, is this: bogus credit card charges can be disputed, and in the end, you won’t have to pay them if the issue is resolved. Fraudulent debit card charges can also be resolved - but until they are, your bank account is probably empty. It’s one reason we use credit cards far more than debit cards.

Apple Pay makes that even more secure, dramatically reducing the possibility of fraud. And it’s stupidly easy to use. And the way it's implemented, with near-field connections and secure tokens, a merchant never sees your name, never sees your credit card, has no idea who you are or what your spending habits are: it's like using cash at Radio Shack and declining to fill out any personal information.

Think about that.

There’s a lot of buzz generated about the feud developing between Apple Pay and the Merchant Customer Exchange (MCX), a consortium strongly supported by Walmart. Most of the press seems to think this is all about avoiding those fees that MasterCard, Visa and American Express charge for processing purchases through their networks. MCX, with their product, CurrentC, plans to avoid those charges by having customers tie their CurrentC purchases directly to their checking accounts. CurrentC also avoids the necessity of having an iPhone 6 in your pocket by flogging that old mostly-dead horse, QR codes. MCX-loyal merchants like CVS and Rite-Aid have gone so far as disabling their touch-to-pay POS terminals (also disabling Google Wallet), preferring to wait for their own MCX solution, to be launched sometime next year. That's right, these merchants are now preventing you from using certain payment methods in their stores with the idea that this will somehow incline you to be loyal to their own "real soon now" homegrown methods.

While there are a lot of details left to be made public, as someone who’s been in the security business for a long time, the Apple Pay model looks to me like a lot of problems solved elegantly using newer, better tech, while the MCX model looks like someone trying to warm over processes invented almost 20 years ago. And personally, I’m not inclined to use a system that requires me to tie my checking account directly into their system; I effectively quit using PayPal years ago for that very reason.

I agree that this is about the money - but not, in fact, about the interchange fees. MCX wants to build a payment network that centers more on a “loyalty program” model, one that allows merchants to “provide valuable messaging” to their customers, based on their intimate understanding of a “customer’s purchasing history and habits”. In other words, they want to track their customers' every move.

Merchants are used to paying the interchange fees, and long ago built those fees into their pricing structures. I’m sure they’d love to find a way to strip that 2% to 4% off and save that money (although I’m highly skeptical we, the customers, would see those savings should they do that). But in the end, what terrifies the merchants is the specter of their customers becoming truly opaque to them: They are terrified of losing their ability to use us as a marketing channel.

Island Bound 5: Relocated!

It's now the end of May. I arrived here in Kula two months ago, to address some repairs and additions to the house, get an electrician in, get a plumber in. My car arrived a day early, and our shipping pod arrived a week early - so that both arrived on the same day, which was a circus. Getting my car registered was an all-day exercise, but I learned a lot that helped Sarah get the same done for her car in half the time (although DMV at first refused to believe that a VW Golf could be a diesel). Our dog Beast didn't make the trip, as we had to put him down a few weeks before his quarantine period was up. We miss him.

The major and minor construction projects are pretty much finished, and it's time to get down to living the island dream. I plan to keep posting as I learn things about this beautiful place. I must say that both Sarah and I feel blessed in that pretty much everyone we've interacted with here on the island has positively exuded aloha.

Now it's time for us to find some ocean to jump into...

Comcast: a spectacular failure

A year and a half ago, we added Xfinity Home Security to our Comcast subscription. Comcast sent in a guy who installed all the wireless (read: peel and stick) components throughout our house in Issaquah, Washington, installed the control unit and extra router (which killed Back to My Mac until I reconfigured their network components), and of course added a monthly charge to our bill. The system mostly worked, with some odd behaviors from the control unit, an essentially bad systems architecture, and the “security router” that was basically a joke.

A few months ago, we sold our house and moved. Because we were terminating service before our 3-year Xfinity Home Security contract was completed, we found ourselves facing an early termination fee of nearly $500. But since the new owner wanted the same security system, we were told we could transfer our contract to them and avoid the early termination fee. But to do that, I had to reach out to the new owner, and we both had to meet, in person, at the Comcast service center, to present IDs, sign a bunch of forms and officially transfer service. A total pain in the ass, reminiscent of something out of the 1990s.

We canceled our Comcast service on 27 March, 2014,

Two months later, living on Maui, I was surprised to see that we appeared to be continuing to make monthly payments to Comcast. WTF? That’s where the surreal fun began. I called Comcast and chatted with Jose (Note: I am honestly not making this up.) :

“You have to talk to the account owner to stop this.”
“I was the account owner. I don’t live in that house any more.”
“I’m sorry, but the current account owner for that address is the only one who can change this.”
“What? You can’t just stop this there?”
“I’m sorry, but only the account owner can change their automatic payment arrangements.”
“I was the account owner. I sold the house. Why are you still using my checking account to pay for someone else’s cable service?”
“I’m sorry, but perhaps you can have the account owner add you to the account so that you can log in and change that.”

I demanded to speak with a supervisor, and was connected with Anthony, who informed me that, because we’d transferred the Xfinity Home Security account to a new owner, Comcast apparently transferred all service to the new homeowner, kept my autopay configuration in place, and effectively ignored my service termination request. Anthony also told me there was nothing I could do about it short of begging the current homeowner to stop using my checking account to pay for their service.

I demanded to speak with a manager and Anthony’s response was:

“I can request that you be connected with a manager, and someone should contact you in three to five business days.”

That’s when I went from perplexed to angry, told Anthony he’d better damn well connect me with someone who could fix this now or I’d talk to my bank about rejecting the payments. Anthony put me on hold for 15 minutes and came back, telling me he’d spoken with a manager:

“We have stopped the autopay from your account, but we will not refund money for services rendered.”
“But those services were rendered to someone else. And it was your team that screwed this up when the account changed hands.”
“I’m sorry, but we will not refund money for services rendered.”

I then contacted my bank. The representative there informed me that, once you sign up for automatic withdrawal with a company, there is no way you can prevent a company from continuing to extract funds from your account short of closing that account. He said I could report the withdrawals as fraudulent, which is in a sense completely factual, and the bank would take the matter up with Comcast, and possibly the authorities.

Reporting the withdrawals as fraud would put the new owner in an uncomfortable position with Comcast, so I reached out to him, let him know his cable service was no longer being paid for by me, and asked him to send me a check for the payments I’d made for him. He was agreeable to that, and as far as I know, the situation has been resolved.  

We’ll see in another month if Comcast has really truly dissolved our relationship. Their team screwed this up in a spectacular way, and their customer support proved either powerless or apathetic when trying to resolve the situation.

Update

Two months after the above, we heard from the folks who purchased our Issaquah home. They'd just discovered that I was still the registered owner of the security system. They found this out when they pushed "TEST" on the smoke detector, which promptly set off the alarm and called the fire department, who arrived to address the issue. The homeowners were unable to cancel the test because, well, it wasn't technically their system. The only recourse Comcast offered was for them to contact me and ask me to cancel our system. The one we'd transferred nearly three months before.

Beast

If you've been reading my blog, you've been following our preparations for relocation to Maui. Part of that adventure included getting Beast, our Alaskan Malamute, to the island as well. Sadly, those plans have now changed.

Beast had been having some throat issues for a while, and we thought we had it pretty much taken care of. Last week, the coughing became suddenly worse, and he started refusing food. Sarah took him in to the vet, and the X-ray revealed a huge tumor in his throat, distorting his trachea, and putting him at risk of asphyxiation, a horrible way to go. Sarah was with him in Newport with family while I was in Kula setting up the house. I turned off the saw, realized I had a text from Sarah, and called her. Her first words were "he's gone, baby, I'm so sorry." Sarah had been trying to reach me, and I either couldn't hear the phone or wasn't getting reception, so she had to make the hard call by herself, a hellish task. We can only be thankful that the choice was clear.

Change is hard for dogs, and the last month or so had been especially challenging for our boy, with strange people viewing the house, packing, things disappearing into boxes. We set his travel crate up in the living room with us and he really took to it, preferring to stay in there quite a bit, denning. Then out of the house and into a hotel for a week. Sarah was working, so Beast and I were on our own, together constantly, going for walks, exploring the pet store, finding the hotel room, learning about elevators. He was game, curious, playful and, a bit unusual for him, snuggly.

On the 30th, I gave him a hug and a belly rub, and departed for the airport for Maui. I didn't know it was the last time I'd see the dog I'd adopted seven years ago.

Since my departure, Sarah had him roaming the beaches in Oregon, playing with his new dog friend Odie on the ranch in Newport, and seemingly rediscovering some of the puppyhood he'd never had. His last weeks were filled with adventure and he embraced it.

When I first brought Beast home with Belle, he was the troubled one, lacking any sort of confidence, glued to Belle's side. Touching him anywhere back of his shoulder blades caused him to cower and cry in fear. Three years later, I could grab his tail and he'd understand it was play - but that was a long, gentle process to get him to realize he had a place in our home that was his. We watched him blossom, learning it was all right to play, to ask for attention, to demand dinner. When we lost Belle, he became our only child, the sole center of our dog-world. He moved out of her shadow and started expressing himself more than ever before. He watched more television than any dog I've ever known.

Beast was a gentle giant, curious but insecure, loving but only just beginning, really, to understand how to ask for love, fascinated by little children. I like to think he's running with Belle now, free and happy. Our pack is smaller, and we miss him terribly.