Responsible Disclosure

Posted by – January 31, 2015

Google has been in the news recently, for their public shaming of Microsoft.

Ninety days after Google privately reports a vulnerability to the vendor, the vulnerability is made public. This is meant to provide a bit of extra motivation for vendors to fix reported issues. And, for most companies, it’s probably more than enough time to resolve the issue.

Since it doesn’t necessarily align with Microsoft’s current “Patch Tuesday” approach, I can understand why MS is not a big fan of it, though. Maybe this will lead to a more frequent release of patches, which could be good or bad, really…

All in all, I think responsible disclosure of issues is important. Nothing (ethically) is gained by publicizing an exploit prior to it being fixed by the vendor, so full disclosures probably aren’t often needed. But I do think putting some external pressure on vendors is sometimes necessary. Especially if the vendor isn’t all that communicative or open with the people who discover the issues.

Naturalized C#-itizen

Posted by – December 13, 2014

It seems like the more I’ve been working in C#, the less I notice the differences between it and VB.NET.

The case-sensitivity and needing to put semi-colons pretty much everywhere is a bit annoying, but other than that, I can’t really recall what my big gripe was with it the last time I started messing with it.

I think part of the issue for me is I don’t get enough day-to-day exposure to it. It’s like taking a course in a secondary language, but you only get to actually hear or speak that language once a month…

Until that changes, I suppose I’ll just need to work on more side projects written in C# to keep up my fluency.

“Protect ALL the things!”

Posted by – November 23, 2014

USPS has been in the news recently. Roughly 750,000 employees, both former and current, had their private data stolen.


Hopefully this will be a bit of a wake-up call for companies, so they’ll put just as much effort into securing their employee data as they do for their customer data… It seems like everyone is getting breached these days…

I’m a bit more paranoid about this sort of thing than most, though. Whenever filling out paperwork or online forms, I tend to wonder a bit (and sometimes ask) how they are keeping my information secure.

[UPDATE 11/24/2014 — Sony Pictures was apparently breached. Not only did their internal files and emails get leaked, but I guess their information is being held for ransom. Ouch!]

Robots.txt

Posted by – October 18, 2014


A friend of mine was doing some web development for a company in a fairly tightly regulated industry and wanted me to do some testing of it, to see if I could spot anything he had missed.

I did the usual stuff — changing URL parameters, putting letters and negative numbers into amount fields, etc. Everything seemed to check out.

At one point, though, I decided to check the site’s robots.txt file to see if there was anything interesting. Most of it was pretty mundane CMS-related stuff. I had almost given up on finding anything interesting when I went to the last directory mentioned in the robots.txt file that I hadn’t been to yet — the Images directory.

Though there were a few folders that seemed admin-related, they were either empty or I didn’t have permissions. Dang.

I did, however, find a subdirectory called “Orders” (or something similar)…

The folder contained a massive amount of PDFs and images, with full order details and customer data. It had name, address, DOB, SSN, and other sensitive information. There weren’t any payment details, from what I saw, but it was still more than enough for identity theft.

Apparently, no one at the company thought to secure that folder because it wasn’t referenced anywhere directly by the website or app. It had been forgotten about. But, hey, who’s going to manually browse through a site’s directories, right…?

While it was good that the robots.txt was there to make sure (or at least politely request) that search engines did not include that directory in their indexes, anyone who spent a few minutes poking around the site like I did could’ve found the same information.

Shortly after this was discovered and reported, the company revamped the way they handle storage of order information and made it completely unavailable to the webserver. They also apparently took my suggestion to no longer allow directory listings.
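The two lessons in this story are that robots.txt is a politeness request to crawlers, not access control, and that directory listings should be off. Those can be turned into a self-audit of your own server. The script below is an added example, not code from this blog: it parses a robots.txt, hands each Disallow’d path to a caller-supplied fetch function, and flags any path that still answers with an auto-generated directory listing. The sample robots.txt and the responses in `SAMPLE_RESPONSES` are constructed, and `fake_fetch` stands in for a real HTTP client pointed at a server you own.

```python
"""Cross-check a site's robots.txt against what its Disallow'd paths actually
return.  Constructed example for auditing your own server; not the blog's code."""
from __future__ import annotations

import re
from typing import Callable

# Auto-generated listing pages from Apache (mod_autoindex) and nginx
# (autoindex on) carry an "Index of /path" title or heading; IIS uses a
# "<dirname> - /path" title.  Matching these is the detection signal.
LISTING_PATTERNS = [
    re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE),
    re.compile(r"<h1>\s*Index of\s+/", re.IGNORECASE),
    re.compile(r"<title>[^<]*\s-\s/[^<]*</title>", re.IGNORECASE),  # IIS style
]


def parse_disallow_paths(robots_txt: str) -> list[str]:
    """Return every Disallow path (any user-agent), in order, without duplicates.
    Comments after '#' and blank lines are ignored, as crawlers do."""
    paths: list[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow":
            value = value.strip()
            if value and value not in paths:
                paths.append(value)
    return paths


def looks_like_directory_listing(status: int, body: str) -> bool:
    """A listing is only a finding if the server actually served it (HTTP 200)."""
    return status == 200 and any(p.search(body) for p in LISTING_PATTERNS)


def audit(robots_txt: str, fetch: Callable[[str], tuple[int, str]]) -> dict[str, str]:
    """Classify each Disallow'd path.  `fetch(path)` must return (status, body);
    the caller supplies it so this module never talks to the network itself."""
    findings: dict[str, str] = {}
    for path in parse_disallow_paths(robots_txt):
        status, body = fetch(path)
        if looks_like_directory_listing(status, body):
            findings[path] = "EXPOSED: directory listing served"
        elif status in (401, 403):
            findings[path] = "ok: access denied"
        elif status == 404:
            findings[path] = "ok: not found"
        else:
            findings[path] = f"review: HTTP {status}"
    return findings


# --- constructed sample data (hypothetical site) ---------------------------
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /cms/cache/   # CMS internals
Disallow: /Images/
"""

SAMPLE_RESPONSES: dict[str, tuple[int, str]] = {
    "/admin/": (403, "<html><title>403 Forbidden</title></html>"),
    "/cms/cache/": (404, "<html><title>404 Not Found</title></html>"),
    "/Images/": (200, "<html><head><title>Index of /Images</title></head>"
                      "<body><h1>Index of /Images</h1>"
                      "<a href='Orders/'>Orders/</a></body></html>"),
}


def fake_fetch(path: str) -> tuple[int, str]:
    """Stand-in for a real client; returns the constructed response for a path."""
    return SAMPLE_RESPONSES.get(path, (404, ""))


if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_ROBOTS, fake_fetch).items():
        print(f"{path:14} {verdict}")
```

On the constructed sample the only `EXPOSED` line is `/Images/`, which is exactly the situation in the story: the Disallow entry advertised the directory while the server still listed it. The fix is the one the company took, moving the data out of the web root entirely, plus turning listings off (`Options -Indexes` in Apache, `autoindex off;` in nginx) so that a forgotten folder fails closed.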

Crunchyroll

Posted by – September 6, 2014

Crunchyroll is, according to their About page, “the leading global video service for Japanese Anime and Asian media.”

Their content is great and they have made some nice deals with the various big-name media companies, giving them the ability to simulcast content and make it available earlier than anyone else.

With that in mind, you’d think they would put some of their money into usability testing…

I’ve been using CR for a few years now, both via the web and their Roku channel. While the Roku experience, especially, has never been very fluid, the latest changes have been absolutely insane.

Since CR is available on so many different platforms, they are trying to consolidate it all into a single experience. I get that. I don’t agree with it, but I get that. Still, you can’t simply take away features and impose non-intuitive design choices simply because you don’t want to hire the development talent needed to manage multiple code paths…

There are standard ways to make an interface on Roku (see also: Hulu, Netflix, Amazon, etc.). Unless you are somehow in contact with the spirit of Steve Jobs, don’t try to come up with your own standards.

Here are just a few examples of what I mean:

Old Layout:
* Queue
* History
* Browse Anime
* Browse Drama

Pretty straight-forward.

Once in the Queue, the show’s thumbnail image is displayed along with a symbol denoting if it’s a new episode. Clicking into a show displays all of the available episodes, with the selection defaulted to your next available episode in that series. Once the show starts playing, fast-forwarding shows scene thumbnails so you can easily see how far you are, which allows conveniently skipping the intro theme, recaps, etc.

New Layout:
* Queue
* History

Even more simplified. I’m not sure why History was kept instead of Browse, though. Queue has shows I’m currently watching. Browse lets me find new ones. I can’t think of a single time I’ve needed to go back to an episode I’ve watched months ago, so I could watch it again. But whatever…

Once in the Queue, the thumbnail of the current episode is displayed, along with a symbol designating it as the latest episode (this is one of the only improvements I’ve noticed). Clicking into the show immediately starts playing the current episode. There is NO option to view the next episode in the series once you’ve finished the one you are on, without closing and reopening the entire app. Fast-forwarding requires holding down the button and only a progress bar is displayed… and since getting it to stop at just the right point is quite difficult, I end up needing to wait for a segment to buffer and start playing before I can decide if I went too far or didn’t go far enough.

The Browse option which was previously part of the main menu has now been tucked away in a hidden menu (why?). The menu choices are listed at the top of the screen, but the Up arrow doesn’t go to it. Instead, you must press the Play button on the remote. Think about that for a moment. You are on an episode. And you hit Play… which doesn’t play the episode. It opens a menu. ….wow. Anyhow, that brings up an on-screen menu giving you a choice between browsing anime, browsing drama, or going back to the main menu. I can’t even begin to fathom why they arranged things like this. Could you imagine Amazon, Netflix, or any of the other streaming video providers not wanting to make it easy to find additional content…?

Lastly, and this is sort of a minor gripe, the Back button works as expected everywhere in the CR channel except on the Home screen. Normally, it would exit the channel and return to the Home screen on Roku. Instead, it does nothing. It doesn’t even tell you that you must hit a separate button to go back to the Roku Home screen. Ugh.

Having to exit and relaunch the app or manually search for a show by name using all sorts of convoluted key-presses just to see more than one episode in my list completely defeats the entire purpose of a Queue. (CR calling it a ‘Queue’ rather than what it really is, ‘Favorites’, is a rant for an entirely different time). I live out of the queue. I almost never browse for new shows until the ones I’ve been watching end. I prefer new simulcasts rather than old shows from the early 90’s. If they at least fix the horrible user-experience for the Queue, I might not be completely satisfied with CR on Roku but at least I won’t be disgusted with it.

Do. Not. Like.

I’m not alone, either. There are around 40 pages’ worth of user complaints on CR’s forum post about the latest update. And it sure was nice of them to ask for feedback after rolling it out to everyone…

I have cancelled my subscription to their service for now. If the Roku app hasn’t had the major issues fixed by renewal time, I guess I’ll just be spending a bit more time catching up on my Amazon and Hulu episodes instead.

I’m happy to throw money at quality products and services. To have a frustrating experience, though — especially when the previous version of the product was fine — I refuse to spend a single penny on that.