"Kill" vs. "No Kill" Shelters: an Ecosystem

My wife and I have owned lots of dogs over the years, and they've all been rescues, either from the pound or some rescue group. We have pretty strong feelings about adopting a dog that needs a home as opposed to going to breeders or such.

This week, there was a Facebook post from Maui Pitbull Rescue (MPR):

https://www.facebook.com/pages/MPR-Maui-Pitbull-Rescue/145160815524156

In their feed, on March 23, 8:46pm, was this statement along with some photos of the dog:

“Alert!!!!! This pit mix is # 55 at MHS. He is to be euthanized. He was found two weeks ago and now no one has claimed him. Can anyone help. We don't have room at MPR at this time. He loves other dogs too.”

"MHS" is Maui Humane Society. What are they doing?

"Kill" Shelters

As it turns out, it's a pretty interesting story. MHS is what’s called in some circles a “kill shelter”, in that they euthanize some animals. So, why do they do that? Well, some facts: MHS is partially funded by Maui County. As such, they operate under some fundamental requirements:

  • They are required to accept all animals that arrive at their door. This includes:
    • mongoose
    • goats
    • chickens
    • wild ducks
    • turtles
    • bunnies
    • mice
    • rats
  • They are required to euthanize animals

Where do all those animals come from? Some are dumped dogs; people get tired of caring for a pet, drive them out to some remote location, kick them out of the car and drive away. Or people are going on vacation and, rather than arrange for someone to take care of their pet, they dump them. Or a dispute with a landlord means someone can no longer keep their pet. Or someone ends up in jail. Or someone gives a child a bunny for Easter, which thrills them only for a short time. There are hundreds of reasons why people dump pets. But the common factor is they're throwing away an animal that has depended on them for care, that has probably bonded with some or all of the household, that cannot understand why, all of a sudden, they are on their own.

A lot of these animals end up at Maui Humane Society. From their Fiscal 2013-2014 Annual Report:

  • An average of 23 pets arrived daily
  • 3,000 pets were spayed or neutered
  • The number of feral cats received decreased 64% year over year
  • The number of strays is decreasing year over year

The breakdown:

  • Animals Received:
    • Cats & Kittens: 4,923
    • Dogs & Puppies: 2,308
    • Other Animals: 1,399
    • Total: 8,630
  • Animals Adopted:
    • Cats & Kittens: 769
    • Dogs & Puppies: 723
    • Other Animals: 241
    • Total: 1,733
  • Animals Reunited:
    • Cats & Kittens: 263
    • Dogs & Puppies: 531
    • Other Animals: 8
    • Total: 802
  • Animals Transferred:
    • Cats & Kittens: 1
    • Dogs & Puppies: 242
    • Other Animals: 16
    • Total: 259

What’s not in the Annual Report is some additional math:

  • Total Received: 8,630
  • Total Processed: 2,794
  • Not Accounted For: 5,836 (68%)

And here’s the breakdown of the unaccounted:

  • Cats & Kittens: 3,890
  • Dogs & Puppies: 812
  • Other Animals: 1,134

One has to assume that a significant portion of the unaccounted-for animals are euthanized. Why? Lots of reasons, but the main ones include:

  • Lots and lots of feral cats
  • Terribly injured/sick animals
  • Malnourished animals; animals with mange
  • Behavior problems / not placeable

“No Kill” Shelters

"No Kill" shelters have no facilities for, or interest in, euthanasia. On Maui, there are a couple of them:

Maui Pitbull Rescue (MPR). Their website states:

"Maui Pitbull Rescue (MPR) is the only no-kill pitbull rescue shelter in the state of Hawaii.”

Hawaii Animal Rescue Foundation (HARF). On their website:

"We are a group of experienced animal welfare people in Hawaii that are buying land and building a NO KILL shelter." [emphasis theirs]

How do they operate without euthanasia? Well, as it turns out, they don’t, actually. These so-called “no kill” shelters are highly selective about what animals they take in. In some cases, they even survey the animals at MHS and take those animals they feel are the most adoptable. There are two holes in that logic, however:

  • The animals they refuse to take on have to go somewhere, namely MHS
  • If they find they can’t get an animal adopted, they take that animal to MHS — even if they “rescued” that animal from MHS in the first place

Holding the Bag

Where does that leave Maui Humane Society? Holding the bag, essentially. They are, as defined by their mission, the dumping ground for unwanted animals — but that includes animals rejected by no kill shelters, too.

There’s also a stigma that gets attached to MHS because they euthanize animals. That stigma is exacerbated when the no kill shelters make a huge deal about their not euthanizing animals, and especially when they send out alerts about an animal that is about to be put down at MHS. Now, that animal mentioned in an alert may just get adopted, but there are other possible outcomes:

  • MHS is negatively portrayed by the groups for whom they’re actually doing the dirty work
  • MHS is further discredited by people that don’t understand the shelter ecosystem
  • The animal may get adopted in a well-intended knee-jerk reaction to the alert, but then that adoption doesn't work out, and the animal finds itself back at MHS

It really is an ecosystem, as the flow of pets from sources to people to shelters to people, or to euthanasia, resembles a closed system: strays and abused animals have to go somewhere.

Some Other Perspectives

A lot of people have done a lot of thinking and writing about this: people who work within that ecosystem and really know what they're talking about.

From SPCA, Los Angeles

“spcaLA does not euthanize for space or for time. We do not euthanize what we determine are adoptable animals.
"We will euthanize when an animal requires medical treatment that goes beyond our ability to humanely provide, or has a condition that puts other shelter animals or workers at risk.
"We will also choose euthanasia when an animal has negative behaviors, such as unmanageable aggression towards other dogs, or aggression towards people that goes beyond our ability to correct, especially if that behavior presents a safety concern to a potential adopter or to the community.
"We do not feel it is responsible to place a dangerous animal in the community. We also do not feel it is responsible to imply that we would.
"There are few organizations with the money and facilities to keep an animal that is ill or unsafe around people. In fact, keeping such animals while thousands of healthy, adoptable animals are euthanized because there is no place to keep them could be considered an unconscionable decision.
"While “no kill” is a popular phrase in today’s animal welfare environment, we do not find its use responsible. We discourage the use of the phrase “no kill.” It hides the problem. We instead want to be very clear to our community what our choices are and how our decisions are made.”

AHeinz57 Pet Rescue & Transport

“Bridging the Gap Between No Kill vs Traditional
“It’s not fair that our rescue gets to boast that we do not euthanize animals when we have to turn animals away because we don’t have room. The animals we don’t have room for end up at the traditional shelters because they do NOT turn animals away.”

Rescue with Your Eyes Open

So, next time you’re feeling sad or angry about animals getting put down, or better, thinking about finding an animal to rescue you, keep in mind the whole story. And if you do adopt a pet, take that adoption seriously, understanding that you're now, literally, responsible for that animal's life.

Hawaiian Airlines and CheapFlightsFares/Riya Travel: predatory partners

This January, I was asked by a client to fly out to NYC for a meeting. They suggested that I book first class from Kahului, a suggestion I was more than happy to consider. It was pretty last minute, the client request coming on a Monday and my departure being that Saturday, so I figured I should move fast to ensure I’d get seats. But I was also at the beach, so it looked like I’d need to book my flights using Hawaiian Airlines’ app.

Right off, I need to say that I think the Hawaiian Airlines iPhone app is pretty bad. I’ve been a road warrior for the last several years, and watched as the capabilities of apps for carriers like Alaska Airlines and Delta Airlines grew better and better. Hawaiian is, in my opinion, still functioning at a technology level the other airlines were at years ago.

My client suggested specific flights, and who was I to argue, so I wanted to search by flight number. Nope. The flight I was most concerned about was the direct from Honolulu to JFK, but that was the second outgoing leg. On the Hawaiian app, I couldn’t view downstream flights. Giving up, I decided I’d just call Hawaiian and do this the old-fashioned way. I looked up their number on my browser and gave them a call. 

That was my first mistake.

The agent was difficult to understand, something I’ve become more or less accustomed to in these days of call center outsourcing. But he was also inept, botched my request a number of times, gave me incorrect information and then nearly booked my return for April even though I was clear I was coming back in a few days. At the end of all this, I was surprised to hear him ask:  

"I'd like to know why you're booking with Hawaiian because you could save a lot of money booking with Alaska.”

Er, wha? Warning bells started clanging, and so I asked “aren’t you Hawaiian Airlines?” Nope. Turns out he’s with CheapFlightsFares (CFF), a discount aggregator. This was too weird, so I told him to cancel the entire transaction, made him repeat that cancellation back to me (you really need to do that), and hung up.

Less than 90 seconds later, my phone rang. A woman identifying herself as “Miranda” told me she was a customer service manager (she implied she was with Hawaiian Airlines, but that turns out not to be true), that she’d been monitoring the call, and wanted to know why I canceled the transaction. Now, at this point part of my brain was saying “If she really was monitoring the call, she clearly knows how badly things went." She informed me that, when Hawaiian Airlines’ phones are really busy, they automatically transfer calls to CFF so that their customers don’t have to wait a long time to speak to someone. I was still skeptical, but she was able to convince me that she, handling this personally, could get everything straightened out.

That was my second mistake.

Upon giving Miranda my Amex number for the purchase, she informed me that “because of all the fraud going on", I would need to receive and accept a DocuSign transaction. I’ve used DocuSign before. It’s cool, but usually it’s for things like buying a house. When the DocuSign email came through from CFF, I reviewed the document and saw the price: $4,964. Whoa. But I had expected the first class fare to be high, and hadn't been able to view those flights on the Hawaiian app for comparison. I processed the request, and Miranda told me I’d get my confirmation number the next day, which was also very weird. But we ended the call and I returned my attention to jumping in the ocean.

The next morning, I looked at my Amex account online. Three charges had come in: one for $4,054 from Hawaiian Airlines. Another for $1 from “TRAVEL AGENCY SERVICES” in Cleveland (Note: when the transaction went from Pending to Processed, the billing entity magically changed to "RIYA TRAVEL & TOURS IRVING TX"). And a third charge for $914 from the same Cleveland outfit, which also changed to Riya Travel. Hmm. I logged onto the Hawaiian Airlines site, and searched for the same flights I’d booked - at least their web site provided sufficient capability to do this. It turns out the fare is, in fact, $4,054. So it looks like CFF booked the flight for me and then tacked on $915 in travel agency fees. Almost a thousand dollars for...what? I’m not as a rule against handling charges, but that is ridiculous.

I take this stuff seriously, and I don’t just roll over. I called Hawaiian Airlines, who basically told me “you booked this with an outside party, sorry can’t help.” Let’s be clear here:

  1. I was connected to CFF by calling the Hawaiian Airlines customer service number listed on the Hawaiian Airlines web site.
  2. The handoff from the Hawaiian Airlines number to a 3rd party was done without any indication that I was no longer actually speaking to Hawaiian Airlines.
  3. The person who answered the phone never at any time identified themselves as a 3rd party representative. Only after I confronted the guy did he admit to the fact.

At this point, as far as I’m concerned, Hawaiian Airlines should demonstrate some integrity if not good management and take responsibility for the system they put in place. When you shovel your customers over to a 3rd party in a way that leads them to believe they are still doing business directly with you, anything that occurs after that is on your plate. Especially when that 3rd party is a predatory loan shark of a business that gouges customers with exorbitant, bogus fees in the name of "service".

Next steps: I went back to my Amex account and marked the agency charges to be monitored for a potential dispute. Then I sent an email to CFF calling out their practices (I used the word “despicable” among others). Finally, I composed, printed and mailed a formal complaint to Hawaiian Airlines’ Consumer Affairs department.

On Wednesday evening I received a call from a number in Ontario. It’s Chris from CFF, the guy who sent me the DocuSign email. He was a bit upset that I’d started dispute proceedings with Amex. Then he says:

"The $914 is a Hawaiian Airlines charge, not ours.”

I call bullshit and tell him “Well, since I’ve filed a formal complaint with Hawaiian Airlines, they should be able to tell me that themselves.”

Chris gets really flustered and tells me he’s getting his manager. Sure.

Roger, "The Manager", comes on the line and tries to reason with me:

"Those are Hawaiian Airlines charges."
"That's not what the charges on my Amex account look like. I'll take this up with Hawaiian and see what they say."
“But sir, first class is expensive - that’s just how much it costs.”
"Well, then why isn't that the price listed on the Hawaiian Airlines web site?"
"There are always taxes and fees.”
“18% fees? Sorry, I’m not buying it. We’ll see what Hawaiian Airlines says.”
"You contacted Hawaiian Airlines?! What did they say?”
“Nothing yet - but if your claim is correct, that these extra charges are theirs, this whole issue will just go away. If it turns out the extra charges aren’t theirs, I suspect they’re going to want to have a chat with you.”

Roger tells me he’s going to speak to "their accounting department", which appears to be in the office and on duty at 10pm Ontario time. He gets back after a few minutes and says:

“We’re going to refund the $914 charge. You need to drop the dispute immediately.”
“Thanks, but I’ll drop the dispute when I see the credit show up on my Amex.”
“No no, sir, you need to stop that process right now!”
“Well, Roger, that isn’t going to happen. If I see the credit on my Amex, I will then tell Amex to drop the dispute. Until then I'm going to leave the dispute ticket open. If I don't see the refund by tomorrow, I'll process the dispute with Amex and then it's your problem.”

Shortly after my call with CFF, I received an email from Hawaiian Airlines, effectively calling bullshit on CheapFlightsFares', or Riya Travel’s, claim that the extra charges were actually Hawaiian Airlines’ requirement. Unfortunately, Hawaiian Airlines also effectively washed their hands of the matter:

"We apologize for the inconvenience.
However, we need to refer you Cheap Flights where you booked your reservation. As per checking your ticket, it only shows $4,054.00 value.
Please do not hesitate to contact us again for any other concerns."

I particularly like the part "where you booked your reservation", as in "sorry but you're the idiot that didn't book directly with us". Irony appears to be alive and well at Hawaiian Airlines.

As of this update, CFF/Riya has told me it will take at least 5-6 weeks to process a refund for the charge. I've also filed a dispute with Amex, who is looking into it. Amazingly, my letter to Hawaiian Airlines resulted in a canned customer satisfaction survey. You can guess the score they got.

CFF appears to process charges under at least one alias “Travel Agency Services” in Cleveland, which also appears to be Riya Travel in Irving, TX, and their phone calls come from Ontario. I suspect they’re actually part of the global Riya conglomerate, but that’s anybody’s guess. Regardless of whether I get a refund, I think Hawaiian Airlines acted really badly here in a number of ways:

  • They handed off their customer to a 3rd party without telling them about it.
  • They engaged the services of an agency that is clearly shady at best.
  • They shunned their customer rather than taking responsibility for an issue they created.

And if these exorbitant surcharges are common, and people became aware of how they’d been ripped off, I can imagine Hawaiian Airlines and CheapFlightsFares/Riya Travel getting sued. At the very least, Hawaiian Airlines has violated my trust, and I can’t say if I will ever fly with that airline again. Sadly, my experience seems similar to other things I’ve heard and read about Hawaiian Airlines: their service while you're in the air is great, but the way they treat their customers on the ground is terrible. As of this writing, I haven't seen any refund from CheapFlightsFares or Riya Travel. Amex and I will be speaking about this tomorrow.

Hawaiian Airlines, you can do better. You really can. And in any case, thankfully you're not the only carrier I can fly with.

Update: Return Flight Troubles

Just to add insult to injury, Hawaiian Airlines' incompetence didn't end with the above comedy. On checking in for my return flight, I was surprised that my mobile boarding passes were missing the TSA Pre logo. I've been a member of PreCheck, or more precisely GlobalEntry, since the very first days the program was running, and I actually have a pretty solid understanding of how that system is supposed to work. Hawaiian agents at the airport didn't have any interest in the missing endorsement, and I nearly missed my flight because of being stuck in the standard security line. On contacting Hawaiian Airlines' Consumer Relations (that phrase now just makes me chuckle sadly), their response was that I didn't seem to understand that my Trusted Traveler number was not a Hawaiian number, and that I must have made a mistake somewhere. Let's look at the facts:

  1. I booked a single itinerary for round-trip flights from Kahului to JFK. Four flights.
  2. On booking the itinerary, the flights did not appear on my "My Flights" page on the Hawaiian Airlines site even though the flights had been booked using my name and Hawaiian Airlines frequent flyer number. I had to manually add the flights.
  3. Even after adding the flights to "My Trips" in my Hawaiian Airlines account, the corresponding "My Flights" page in their mobile app never showed those flights. Nor was I able to manually add the flights to the mobile page -- I'm not even sure adding flights to the mobile page even works at all.
  4. Using the "Check In" button on the mobile app for the outbound flights, my mobile passes had PreCheck endorsements. Using the same button on the same app for return flights on the same itinerary, the endorsements were omitted. During the check in flow, the Hawaiian mobile app even displayed my Trusted Traveler number correctly. Their system is clearly behaving inconsistently.
  5. Hawaiian Airlines' Customer Service group made it clear they had no interest whatsoever in actually trying to find and fix any problems on their end.

Resolution

As it turns out, Riya Travel doesn't appear to like being called by American Express. Within 48 hours of American Express contacting them with a "please explain this charge" request, they resolved the dispute with Amex and credited back their sleazy service charge. This sort of support is exactly what I should have seen from Hawaiian Airlines, since Riya was at the time masquerading as Hawaiian Airlines, with Hawaiian's blessing, when this whole thing happened. The reality is that Hawaiian Airlines couldn't have cared less about it.

So, in a nutshell:

  1. Hawaiian Airlines' systems and customer support are so bad (not just inept, but actually negligent and even offensively disinterested) they don't deserve anyone's business. Yes, their in-flight experience is lovely and their flight crews are great - but if you have any problems with your booking, you are on your own.
  2. Riya Travel is an opportunistic snake pit of an agency, and you should check your wallet any time you even come close to doing business with them.
  3. American Express is, put simply, awesome.

OC1

Storm OC1 with GoPro on the forward iako

Coming up on our first anniversary as Maui residents. We've been getting in a lot of snorkeling, swimming, surfing and paddle boarding, with a little windsurfing as well. Work on our house has finally reached a mostly-completed state, with new roof, paint, gutters and photovoltaics.

With all the water time, I found that while I love surfing, I continued to miss the feel of sitting in a performant boat with paddle in hand. We tried renting some Ocean Kayaks, but found, while definitely stable, they paddled a bit like barges. A local Epic rep let me try an Epic V10, which was like riding a highly-tuned road bicycle: fast, smooth, a crazy cool machine, but so tippy I'd never be able to set down the paddle and take a photo or contemplate the sunset.

All that changed with my new ride, a Storm OC1 (Outrigger Canoe - 1 person). Fabricated in one piece rather than separate glued-together deck and hull. New technology! Carbon boat, ama and iakos. 20.5' long, 15" beam. About 14 pounds fully assembled -- yeah, less than half my standup board. Awesome machine, and paddling an outrigger is quite different from a kayak, which is icing on the cake for me.

Now to get the boat out and learn... 

Bad Form(s): A Brief Rant

A lot of interaction on the web is achieved through the use of forms, panels of text and fields used to input, classify and store data. Forms have been around pretty much since the beginning, and at first were something resembling sorcery: getting a form to look good, fields aligned, was tricky. As HTML and CSS became more sophisticated, along with improved JavaScript capabilities, forms have become both easier to build and more complex to debug. And the temptation to add unnecessary glitz is frequently the culprit behind the worst forms out on the web.

Input Fields are the workhorses of forms. They can restrict the number of characters input and the type of data entered. They can choose to display or mask the input as in the case of passwords. While there are far more options than these, this small set of variables is more than enough for poorly-implemented forms to become nearly unusable, leading to frustration and outright silliness.

Some of this silliness has declined over the decades because developers have gravitated toward some standards of behavior. Sadly, one still to this day encounters forms with some of the same lameness that we saw in the 90's or 00's -- and we can't blame the COGs (Crusty Old Guys) for all of it. Too often, new developers fall into the same traps of bad form design, disregard of user experience, cool-philia, laziness or the "I am IT and I decide" mindset that has consistently been focused on the mechanics of a site even when in opposition to the success of people using a site. For some reason, I encounter these issues most frequently on banking and government sites, where some noob has clearly discovered the modern equivalent of the blink tag and can't resist inflicting their new-found toy on users.

Standard Information

Data like phone numbers, ZIP codes, Social Security numbers are pretty standardized in the US. Phone numbers, for example, are expected to have 10 digits, but they may be formatted in a number of ways:

  • (800) 555-1212 (traditional)
  • 800-555-1212 (business traditional)
  • 800.555.1212 (standard geek)
  • 8005551212 (machine version)

While a company may want to format a phone number in a particular way, all they actually need is those 10 digits -- they shouldn't really be concerned about how a person might format their number since it's so easy to parse out the digits and store just that; storing digits only allows more efficient sorting anyway. A number can then be reformatted as desired on subsequent read and display. Still, I constantly find forms that throw errors if a user includes hyphens, periods or, gasp, spaces in a phone number -- or doesn't include one of those. Some forms simply limit the phone number field to 10 characters and leave the user to guess what's going on, adding no benefit but inflicting a developer's idea of proper form entry.

ZIP Codes

The US Post Office instituted ZIP (Zone Improvement Plan) codes in 1963, and extended those codes with the "5+4" format in 1983. That's all before forms existed, but the 5+4 format isn't widely used even now. But it still manages to cause some forms (or the developers behind them) indigestion.

Synchronicity is Key

One particularly idiotic situation occurred when I was logging for the first time into an account that had been set up through a separate process. To verify my identity, I was asked to enter my ZIP code, at which time my verification was rejected. Checking back with the administrator, I found that my ZIP code had been recorded as a 5+4 value. The web form, however, only allowed 5 digits, making a match impossible unless the developers actually used some common sense. I've seen this occur as well when a form on a web page allows or requires something different than what is allowed on that same form on a mobile app.
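The two points above (store only the phone digits and reformat on display; let a 5-digit ZIP entry match a 5+4 value on file) can be handled on the server in a few lines. This is an added example, not code from any site mentioned in this post; the function names are hypothetical, and tolerating a leading country code "1" is an assumption.

```python
import re

def normalize_us_phone(raw):
    """Return the 10 digits of a US phone number, or None if it doesn't have 10."""
    digits = re.sub(r"[^0-9]", "", raw)      # drop spaces, dots, hyphens, parentheses
    # Assumption: accept a leading country code "1", as in "+1 800 555 1212".
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None

def format_us_phone(digits, style="traditional"):
    """Reformat stored digits for display in one of the styles listed above."""
    area, prefix, line = digits[:3], digits[3:6], digits[6:]
    styles = {
        "traditional": f"({area}) {prefix}-{line}",
        "business": f"{area}-{prefix}-{line}",
        "geek": f"{area}.{prefix}.{line}",
        "machine": digits,
    }
    return styles[style]

# Five digits, optionally followed by a hyphen or space and four more digits.
ZIP_RE = re.compile(r"^\s*([0-9]{5})(?:[-\s]?([0-9]{4}))?\s*$")

def parse_zip(raw):
    """Return (zip5, plus4 or None), or None if the input is not a ZIP code."""
    m = ZIP_RE.match(raw)
    return (m.group(1), m.group(2)) if m else None

def zip_matches(entered, on_file):
    """Compare a form entry with the stored value without caring which
    side carries the +4 extension."""
    a, b = parse_zip(entered), parse_zip(on_file)
    if a is None or b is None or a[0] != b[0]:
        return False
    # Only compare the +4 part when both sides actually have one.
    return a[1] is None or b[1] is None or a[1] == b[1]

if __name__ == "__main__":
    # Constructed sample inputs
    for raw in ["(800) 555-1212", "800-555-1212", "800.555.1212", "8005551212"]:
        print(raw, "->", normalize_us_phone(raw))
    print(zip_matches("96790", "96790-1234"))
```

The form field itself should then accept at least 14 characters for a phone number and 10 for a ZIP code, so the formatted variants are not cut off before this code ever sees them.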

The Future is Here (Occasionally)

"The future is already here -- it's just not very evenly distributed." - Michael Gibson

I sometimes run across forms that ask for the ZIP code first, then use that information to automatically populate the fields for city and state. Smart, and rare, a form that actually helps you fill in the blanks. With technology that's been in use since at least 1998 and information that's been available since 1963...

Divertimento: Non-Regional Postal Codes

From Wikipedia:

In Canada the amount of mail sent to Santa Claus increased every Christmas, up to the point that Canada Post decided to start an official Santa Claus letter-response program in 1983. Approximately one million letters come in to Santa Claus each Christmas, including from outside of Canada, and all of them are answered in the same languages in which they are written.[13] Canada Post introduced a special address for mail to Santa Claus, complete with its own postal code:
SANTA CLAUS
NORTH POLE  H0H 0H0

Gotta love Canadians.

Form input and the Database

Nearly all data input through forms ends up in a database. To store data, most databases receive those data in the form of an SQL (Structured Query Language) query. For example:

insert "xyz1234pplr" into table passwords where user = "John Yaya"

[Note to geeks: these examples are simplified for a lay audience; this is not a coding class, so please back off.]

That query is evaluated by a parser and the value is stored. That parser evaluation, however, is where we can get into trouble.

Code Injection

Code injection is one of the oldest, most common and most insidious forms of hacking. Parsers look for meaning as part of their evaluation process, and some characters can cause some really interesting things to happen. Take our example from above, and let's add something destructive:

insert "xyz1234pplr|'/bin/sh unlink /'" into table passwords where user = "John Yaya"

The vertical bar character "|" is used in some systems (like Unix variants) as what's called a "pipe", a way of passing the output from one program to be input into another program. The inserted phrase:

|'/bin/sh unlink /'

means "pass the command to the main system to unlink the filesystem root."

In times before developers and operating systems were careful about input (actually this is still a problem), this query might have been executed, resulting in the effective deletion of the entire filesystem on the database server. These days, rather than directly destroy a filesystem, someone might try to use injection to give themselves administrative privileges, and from there they can get into all sorts of trouble.

Input Character Restriction

Sadly, some IT groups continue the ancient (by IT standards) and lame (by any standard) practice of trying to protect against injection by restricting what characters can be entered into a form. So things like "|" or ">" might be disallowed. Problem is, good passwords these days make use of all sorts of punctuation.

Institutional Arrogance : Personal Capital IT

Recently, I opened a trial account with Personal Capital (PC), a Mint-like web site where you enter all your financial accounts and it advises you about your investments (I'm intentionally not including a link out here because I can't with good conscience make it easy for anyone to go there). But I was unable to add some of my accounts because the passwords appeared to be getting rejected. After some back and forth, I was informed that the IT staff at PC reads your passwords when you add a financial account and strips out any characters they think are unsafe -- even if those characters are perfectly fine with the financial institution. To be clear: 

  1. You create an account with a bank, establish a login and password.
  2. You create an account with PC and add the bank and login credentials to your PC account.
  3. PC reads your password when you supply it and then strips out any characters they feel are objectionable according to their internal policy. You are never informed about this action, and the now-corrupt password is stored rather than the real password that you and your bank agreed on.
  4. PC uses the corrupt password to attempt to log into your bank.
  5. The bank rejects the corrupt password.
  6. On login rejection, PC displays a message to you indicating that the bank doesn't like your password.
  7. If this happens enough, the bank locks your account. It is then up to you to resolve the mystery with your bank, because at this point neither you nor your bank know why someone has been trying to log into your account with a bad password.
  8. At no time does PC let you know they caused the entire problem.

PC's support personnel were very defensive about their actions, maintaining that they're following OWASP guidelines and are justified in their policy. They informed me that the solution was for me to change all my passwords to my banks to conform to their (PC's) requirements.

One of the most myopic and arrogant IT abuses I've seen in a while. 

Input Escaping

A better method of defending against injection attacks is input escaping. Basically, before you parse any input from a field, you "escape", or defang, any characters you feel are dangerous. Escaping can take a lot of forms, but in essence it means flagging a character in a way that tells the system "this is just a character, don't use it as something else." For example, the vertical bar character "|" in some environments is used as a "pipe", a way of passing data from one program into another program. If that character is treated as a pipe when entered into a database, it might be interpreted as an operation, and text that seemed innocuous might get executed rather than simply entered as text. Our nefarious query from above becomes:

insert "xyz1234pplr\|'/bin/sh unlink /'" into table passwords where user = "John Yaya"

The added backslash "\" tells the parser that the vertical bar is just a vertical bar, and the pipe is neutralized. Smart systems store the escaped string in the database so that later retrievals are safe as well.
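
To make the difference between stripping and escaping concrete, here is an added example (not code from the original post or from PC). The `DANGEROUS` character set, the function names and the SQLite table are assumptions; the last function uses parameter binding, a different technique from backslash escaping, to show the stored value coming back unchanged.

```python
import sqlite3

# Characters a hypothetical sanitizer/escaper treats as dangerous (assumption).
DANGEROUS = set("|'\";\\")

def strip_dangerous(value: str) -> str:
    """Lossy approach from the numbered steps: silently drop characters."""
    return "".join(ch for ch in value if ch not in DANGEROUS)

def escape(value: str) -> str:
    """Prefix each dangerous character with a backslash; nothing is lost."""
    return "".join("\\" + ch if ch in DANGEROUS else ch for ch in value)

def unescape(value: str) -> str:
    """Reverse escape(): a backslash means 'take the next character literally'."""
    out, chars = [], iter(value)
    for ch in chars:
        out.append(next(chars, "") if ch == "\\" else ch)
    return "".join(out)

def store_and_fetch(user: str, secret: str) -> str:
    """Store via bound parameters so the value is never parsed as SQL."""
    db = sqlite3.connect(":memory:")
    # Table layout is constructed for this example, mirroring the query above.
    db.execute("CREATE TABLE passwords (user TEXT PRIMARY KEY, secret TEXT)")
    db.execute("INSERT INTO passwords (user, secret) VALUES (?, ?)", (user, secret))
    row = db.execute(
        "SELECT secret FROM passwords WHERE user = ?", (user,)
    ).fetchone()
    db.close()
    return row[0]

# The string from the query above, treated as the password agreed with the bank.
PASSWORD = "xyz1234pplr|'/bin/sh unlink /'"

if __name__ == "__main__":
    stripped = strip_dangerous(PASSWORD)
    print("stripped :", stripped, "| still matches:", stripped == PASSWORD)
    escaped = escape(PASSWORD)
    print("escaped  :", escaped, "| round-trips:", unescape(escaped) == PASSWORD)
    fetched = store_and_fetch("John Yaya", PASSWORD)
    print("bound    :", fetched, "| still matches:", fetched == PASSWORD)
```

The stripped value is the one the bank would reject in step 5; the escaped and bound values both recover the exact password.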

It Really Isn't Rocket Science

Finding a well-built form, while not rare, does continue to be uncommon in my experience. As an engineer, I've embraced the rule of parsimony (or Occam's Razor if you prefer) from early in my career, which effectively means "don't make it fancier than it needs to be."

Modern techniques can provide all sorts of functionality to the user experience. The trick is keeping a firm eye on the goal: that technology should be used to enhance the experience, not provide a place to show off at the user's expense.

Dear Mayor Arakawa - One lane bridge on the Haleakala Highway

[Posted to AskTheMayor@mauicounty.gov]

Dear Mr. Arakawa,

The Haleakalā highway winds past Pukalani High School and, before starting up the mountain, passes through a one-lane bridge. There are yield signs for approaching traffic in both directions, but I’ve seen several near-head-on-collisions as someone sails onto the bridge without paying any attention to the yield sign, frequently without slowing down at all. This highway sees a lot of traffic between tourists and those of us who live up the mountain; sooner or later there’s going to be a major wreck on that bridge, which may lead to injuries and will most likely close that road for some amount of time.

Are there any plans to make this part of the road more safe? Perhaps add flashing yellow lights to the yield signs, or better yet widen the bridge to provide for two-way traffic?

Respectfully,

David Phillips
Kula

Dear Mayor Arakawa - Bike Tours on Haleakala

[Posted to AskTheMayor@mauicounty.gov]

Dear Mr. Arakawa,

I’ve managed to find very little documentation of any policy addressing the vendors that run bike tours down Haleakala. There was some mention of requiring a 10-minute spacing between groups, and I found one article that indicated Maui Police had declined to enforce any policies concerning these tours.

The vendors running the bike tours have taken advantage of the lack of regulation, and in doing so they are becoming somewhat of a nuisance on the highway:

  • I’ve encountered, more than a few times, up to five groups forming a near-continuous hazard all the way down the mountain. People become frustrated and pass the bikes, and the vans, at dangerous points in the road. I’ve witnessed this many times.
  • I’ve followed company vans driving down the center line, nearly causing head-on accidents with oncoming traffic.
  • I’ve followed company vans pulling trailers without working tail lights or brake lights.
  • I’ve had to avoid bicyclists riding against traffic in the wrong lane, or weaving all over the road while the company staff ignores them.
  • I’ve come around a corner to find a dozen people, off their bikes, standing in the middle of the highway watching a rainbow as the vendor sits in his van and looks on.

It seems to me some common-sense regulation, and enforcement, would be appropriate here. We’re going to see more tourists rather than fewer. More people will be living upcountry. It’s only a matter of time before we have a major incident with injuries. This shouldn’t be too complicated:

  • Vans and trailers must have current vehicle inspections and be in proper working order.
  • Vans and trailers must be clearly marked with company information on the sides and on the rear, including telephone numbers for reporting complaints.
  • Lead riders must wear clothing and helmets that clearly identify them as the company’s guide.
  • All riders must ride between the leading guide and the following van. No stragglers or racers.
  • A maximum of 5 riders per guide. If the group is larger, more guides must be riding spaced throughout the middle of the group.
  • Tours must allow 15 minutes between departures from the top of the route. 10 minutes is not sufficient, as the groups stack up lower on the mountain. Maui Police should occasionally audit this behavior.
  • There should be a central hotline for reporting incidents, or perhaps a website where people can provide photos of the vendor being reported. Maui Police should review both of these.
  • There should be real penalties for violating regulations - fines, suspension or revocation of tour operator’s license.

I don’t think any of these suggestions would be unreasonable to responsible tour vendors, and it would certainly make things safer for the people on bikes, and less frustrating for those of us who drive that highway every day.

Of course, an alternative solution would be to restrict all such tours to a single company to control the usage, similar to what they did on the Big Island in Kealakekua Bay. This would put other tour companies out of business, but would also provide a more consistent, safer experience for those who take those tours. If the current abuse continues, and traffic increases, I could see us getting to that point.

Respectfully,

David Phillips
Kula

Apple Pay and MCX: It's Not (All) About Interchange Fees

Credit cards get stolen, in one form or another, every day, as do debit cards. For me, one of the fundamental differences between the two, as I’ve unfortunately experienced personally, is this: bogus credit card charges can be disputed, and in the end, you won’t have to pay them if the issue is resolved. Fraudulent debit card charges can also be resolved - but until they are, your bank account is probably empty. It’s one reason we use credit cards far more than debit cards.

Apple Pay makes that even more secure, dramatically reducing the possibility of fraud. And it’s stupidly easy to use. And the way it's implemented, with near-field connections and secure tokens, a merchant never sees your name, never sees your credit card, has no idea who you are or what your spending habits are: it's like using cash at Radio Shack and declining to fill out any personal information.

Think about that.

There’s a lot of buzz generated about the feud developing between Apple Pay and the Merchant Customer Exchange (MCX), a consortium strongly supported by Walmart. Most of the press seems to think this is all about avoiding those fees that MasterCard, Visa and American Express charge for processing purchases through their networks. MCX, with their product, CurrentC, plans to avoid those charges by having customers tie their CurrentC purchases directly to their checking accounts. CurrentC also avoids the necessity of having an iPhone 6 in your pocket by flogging that old mostly-dead horse, QR codes. MCX-loyal merchants like CVS and Rite-Aid have gone so far as disabling their touch-to-pay POS terminals (also disabling Google Wallet), preferring to wait for their own MCX solution, to be launched sometime next year. That's right, these merchants are now preventing you from using certain payment methods in their stores with the idea that this will somehow incline you to be loyal to their own "real soon now" homegrown methods.

While there are a lot of details left to be made public, as someone who’s been in the security business for a long time, the Apple Pay model looks to me like a lot of problems solved elegantly using newer, better tech, while the MCX model looks like someone trying to warm over processes invented almost 20 years ago. And personally, I’m not inclined to use a system that requires me to tie my checking account directly into their system; I effectively quit using PayPal years ago for that very reason.

I agree that this is about the money - but not, in fact, about the interchange fees. MCX wants to build a payment network that centers more on a “loyalty program” model, one that allows merchants to “provide valuable messaging” to their customers, based on their intimate understanding of a “customer’s purchasing history and habits”. In other words, they want to track their customers' every move.

Merchants are used to paying the interchange fees, and long ago built those fees into their pricing structures. I’m sure they’d love to find a way to strip that 2% to 4% off and save that money (although I’m highly skeptical we, the customers, would see those savings should they do that). But in the end, what terrifies the merchants is the specter of their customers becoming truly opaque to them: They are terrified of losing their ability to use us as a marketing channel.

Island Bound 5: Relocated!

It's now the end of May. I arrived here in Kula two months ago, to address some repairs and additions to the house, get an electrician in, get a plumber in. My car arrived a day early, and our shipping pod arrived a week early - so that both arrived on the same day, which was a circus. Getting my car registered was an all-day exercise, but I learned a lot that helped Sarah get the same done for her car in half the time (although DMV at first refused to believe that a VW Golf could be a diesel). Our dog Beast didn't make the trip, as we had to put him down a few weeks before his quarantine period was up. We miss him.

The major and minor construction projects are pretty much finished, and it's time to get down to living the island dream. I plan to keep posting as I learn things about this beautiful place. I must say that both Sarah and I feel blessed in that pretty much everyone we've interacted with here on the island has positively exuded aloha.

Now it's time for us to find some ocean to jump into...

Comcast: a spectacular failure

A year and a half ago, we added Xfinity Home Security to our Comcast subscription. Comcast sent in a guy who installed all the wireless (read: peel and stick) components throughout our house in Issaquah, Washington, installed the control unit and extra router (which killed Back to My Mac until I reconfigured their network components), and of course added a monthly charge to our bill. The system mostly worked, with some odd behaviors from the control unit, an essentially bad systems architecture, and the “security router” that was basically a joke.

A few months ago, we sold our house and moved. Because we were terminating service before our 3-year Xfinity Home Security contract was completed, we found ourselves facing an early termination fee of nearly $500. But since the new owner wanted the same security system, we were told we could transfer our contract to them and avoid the early termination fee. But to do that, I had to reach out to the new owner, and we both had to meet, in person, at the Comcast service center, to present IDs, sign a bunch of forms and officially transfer service. A total pain in the ass, reminiscent of something out of the 1990s.

We canceled our Comcast service on 27 March, 2014.

Two months later, living on Maui, I was surprised to see that we appeared to be continuing to make monthly payments to Comcast. WTF? That’s where the surreal fun began. I called Comcast and chatted with Jose (Note: I am honestly not making this up.):

“You have to talk to the account owner to stop this.”
“I was the account owner. I don’t live in that house any more.”
“I’m sorry, but the current account owner for that address is the only one who can change this.”
“What? You can’t just stop this there?”
“I’m sorry, but only the account owner can change their automatic payment arrangements.”
“I was the account owner. I sold the house. Why are you still using my checking account to pay for someone else’s cable service?”
“I’m sorry, but perhaps you can have the account owner add you to the account so that you can log in and change that.”

I demanded to speak with a supervisor, and was connected with Anthony, who informed me that, because we’d transferred the Xfinity Home Security account to a new owner, Comcast apparently transferred all service to the new homeowner, kept my autopay configuration in place, and effectively ignored my service termination request. Anthony also told me there was nothing I could do about it short of begging the current homeowner to stop using my checking account to pay for their service.

I demanded to speak with a manager and Anthony’s response was:

“I can request that you be connected with a manager, and someone should contact you in three to five business days.”

That’s when I went from perplexed to angry, told Anthony he’d better damn well connect me with someone who could fix this now or I’d talk to my bank about rejecting the payments. Anthony put me on hold for 15 minutes and came back, telling me he’d spoken with a manager:

“We have stopped the autopay from your account, but we will not refund money for services rendered.”
“But those services were rendered to someone else. And it was your team that screwed this up when the account changed hands.”
“I’m sorry, but we will not refund money for services rendered.”

I then contacted my bank. The representative there informed me that, once you sign up for automatic withdrawal with a company, there is no way you can prevent a company from continuing to extract funds from your account short of closing that account. He said I could report the withdrawals as fraudulent, which is in a sense completely factual, and the bank would take the matter up with Comcast, and possibly the authorities.

Reporting the withdrawals as fraud would put the new owner in an uncomfortable position with Comcast, so I reached out to him, let him know his cable service was no longer being paid for by me, and asked him to send me a check for the payments I’d made for him. He was agreeable to that, and as far as I know, the situation has been resolved.  

We’ll see in another month if Comcast has really truly dissolved our relationship. Their team screwed this up in a spectacular way, and their customer support proved either powerless or apathetic when trying to resolve the situation.

Update

Two months after the above, we heard from the folks who purchased our Issaquah home. They'd just discovered that I was still the registered owner of the security system. They found this out when they pushed "TEST" on the smoke detector, which promptly set off the alarm and called the fire department, who arrived to address the issue. The homeowners were unable to cancel the test because, well, it wasn't technically their system. The only recourse Comcast offered was for them to contact me and ask me to cancel our system. The one we'd transferred nearly three months before.

Beast

If you've been reading my blog, you've been following our preparations for relocation to Maui. Part of that adventure included getting Beast, our Alaskan Malamute, to the island as well. Sadly, those plans have now changed.

Beast had been having some throat issues for a while, and we thought we had it pretty much taken care of. Last week, the coughing became suddenly worse, and he started refusing food. Sarah took him in to the vet, and the X-ray revealed a huge tumor in his throat, distorting his trachea, and putting him at risk of asphyxiation, a horrible way to go. Sarah was with him in Newport with family while I was in Kula setting up the house. I turned off the saw, realized I had a text from Sarah, and called her. Her first words were "he's gone, baby, I'm so sorry." Sarah had been trying to reach me, and I either couldn't hear the phone or wasn't getting reception, so she had to make the hard call by herself, a hellish task. We can only be thankful that the choice was clear.

Change is hard for dogs, and the last month or so had been especially challenging for our boy, with strange people viewing the house, packing, things disappearing into boxes. We set his travel crate up in the living room with us and he really took to it, preferring to stay in there quite a bit, denning. Then out of the house and into a hotel for a week. Sarah was working, so Beast and I were on our own, together constantly, going for walks, exploring the pet store, finding the hotel room, learning about elevators. He was game, curious, playful and, a bit unusual for him, snuggly.

On the 30th, I gave him a hug and a belly rub, and departed for the airport for Maui. I didn't know it was the last time I'd see the dog I'd adopted seven years ago.

Since my departure, Sarah had him roaming the beaches in Oregon, playing with his new dog friend Odie on the ranch in Newport, and seemingly rediscovering some of the puppyhood he'd never had. His last weeks were filled with adventure and he embraced it.

When I first brought Beast home with Belle, he was the troubled one, lacking any sort of confidence, glued to Belle's side. Touching him anywhere back of his shoulder blades caused him to cower and cry in fear. Three years later, I could grab his tail and he'd understand it was play - but that was a long, gentle process to get him to realize he had a place in our home that was his. We watched him blossom, learning it was all right to play, to ask for attention, to demand dinner. When we lost Belle, he became our only child, the sole center of our dog-world. He moved out of her shadow and started expressing himself more than ever before. He watched more television than any dog I've ever known.

Beast was a gentle giant, curious but insecure, loving but only just beginning, really, to understand how to ask for love, fascinated by little children. I like to think he's running with Belle now, free and happy. Our pack is smaller, and we miss him terribly.