Rants and Raves

O2, please train your store employees

Colin Angus Mackay — Sat, 06 Mar 2010 11:31:56 GMT

Last week I changed the tariff on my phone to better suit my usage. However, it turns out that by changing the tariff I also needed to change some settings on my phone. So, when the old tariff cut out, so did my 3G connectivity and I lost internet on my phone for a couple of days until a friend of a friend who happens to work for O2 explained what I needed to do to get it to work. Up until then, since I had made no modifications to my phone, I had be blaming O2’s network infrastructure.

Here is a summary of the tweets I made about it:

4/March:

Don't have a data network available. Most irritating @o2. Where's my 3G network?
Still no data network. @o2 what are you doing. All the way from Glasgow to Edinburgh an no data network.
Made it all the way back to glasgow. Still no data network. @o2 get your shit together!
Woohoo! I have data back on my iPhone. But then I'm now at home connected to my wifi network. @o2 thanks for nothing!

5/March:

Still no data network. @o2 you #FAIL big time! I'm moving to orange when I get a chance.
@kstenson No data network in Glasgow, in Edinburgh or points in between. Phone signal only. @o2 #FAIL
Got a data network back! One of @chriscanal's friends works for @o2 and fixed it for me
Turns out because I changed my tariff my connections settings also changed. But no one told me that!

O2 could have saved themselves a lot of frustration from me if their store employee had been told that the tariff also required a change in phone settings.

Follow up on what not to develop

Colin Angus Mackay — Sat, 22 Aug 2009 16:31:35 GMT

Back in May I wrote about a substandard website I attempted to use in an article entitled “What not to Develop”. I also sent the hotel an email at the same time telling them of the failing of their website, however, I never got a response.

When the post went live initially, I got asked on twitter to name and shame the company in question. I suppose publically decrying a company has the effect that if people start doing that then companies will be pressurised in to providing a better service or product. These days I do not to put in a blog post the name of the company in question until I’ve given them a chance to respond to any email I might have sent. I sent the email on 16 May 2009 at 17:21 (BST), I think that’s quite enough time for a response.

I’ve decided to publish some more details so that people can at least learn from the mistake and not repeat them elsewhere. Essentially, this is an extract of the email (slightly reformatted to fit this blog)

Hello,

I tried to book on your website last night and it didn't work - it advertised a rate to me then refused to book it. I then tried to use your Contact Us page to send you a message and that also broke and said "The web site you are accessing has experienced an unexpected error. Please contact the website administrator. "

I don't know who the web site administrator is, but I can guess it is someone employed by TIG Global given this news story: http://www.hospitalitynet.org/news/4036652.search. Personally, if that is the quality they are delivering I wouldn't use them again as they are not very good and are at best turning away potential customers and at worst exposing you to needless risk.

In order to [help you to] track down the errors I've gone back and replicated the initial problem annotating the pages as I go. You will find a number of graphics files attached.

In [the above image] I show the initial details of my availability search. Check in Friday 31st July, check out Sunday 2nd Aug. 1 adult, 0 children.

In [the above image] I show the next page. This was a pop-up, so opened a new window. The details at the top are correct and match what I'd previously entered. The description of the "Weekend Advanced Purchase" sounds perfect "Valid Friday-Sunday throughout 2009". I see that it is £150 for the "Total price of the stay". I press the book button.

In [the above image] I show the next page. This was another pop-up, so opened a second window. I now have 3 windows open just for your hotel. (Is this really necessary?). I spot that the number of nights has increased to 3, so I go to change it back to two. I then get an unhelpfully terse error message that says "Minimum stay: 3" [See the next image]

At this point I'm some what irritated by the experience so go hunting for your contact us page. I see that it is a form only without an email address. I fill in the form and when I'm ready I press the "Submit" button. At this point I get an error page back that includes the message "The following information is meant for the website developer for debugging purposes." You might want to tell those developers that this information is also useful for attackers and they shouldn't be displaying it to the public. If the developers were any good what they would have done is get the website to log the information internally and display a general message to the user. If they wanted to tie up a user's experiences with what is in the log then they might also include a randomly generated (say a GUID - globally unique identifier) identifier that is put in the log and displayed so a user can refer to when explaining what problems they were having at the time.

The error message that should have never been displayed is [as follows].

The details in the error page also contain my original complaint. I think I now understand where the American formatting of culture specific information (e.g. dates) is coming from.The company that produced your website was American and in their arrogance just assumed everyone else was just as comfortable using MONTH/DAY/year. I suspect that same arrogance was also responsible for the other failings I've pointed out here.

Regards,

Colin.

So, there you are. The hotel is the Southwark Rose Hotel, and their website was produced by TIG Global. (I’ve recently noticed it actually says that at the bottom of the web pages and I need not have searched for relevant press releases!). Incidentally, you can click on any of the graphics to be taken to my Flickr account to see the full sized version.

What were they thinking?

Colin Angus Mackay — Sun, 12 Jul 2009 00:57:30 GMT

I just spotted the following advert on StackOverflow:

I have to say that I really don't know what they were thinking when they thought up that advert. I especially wouldn’t know how to interpret this advert if I was a developer working at VSoft Technologies (the company that make FinalBuilder) and I’d just been described as a “chimp”!

It is also generally disparaging towards the people that are actually employed to write build scripts. I’ve had to write build scripts and while it isn’t exactly at the most glamorous end of software development it isn’t necessarily something you could hand over to a random person to do which is surely the implication if you believe that a trained chimp could do it.

If VSoft are hiring people that are at the level of trained chimps then I really don’t want to go anywhere near their products. I have enough trouble dealing with flaky software without adding more uncertainty to the mix.

Obviously the advert was meant to be amusing and funny. The only people I would expect to be genuinely amused by it are dimwits who are dismissive towards those that actually get stuff done by making flippant comments that trivialise the hard work needed to make the software that drives much of the devices used in the modern world.

Rant of the Day: Marketers bending the facts

Colin Angus Mackay — Thu, 21 May 2009 08:29:07 GMT

I’ve just read a press release by Telerik claiming that their tools are the “preferred” choice among asp.netPRO readers. The rest of the blurb is about winning awards. True, they won awards. But it is the claim that “Telerik products are their [asp.netPRO readers] preferred choice when it comes to web development” that irritates me.

In fact, it all comes down to the word “preferred”, because when you see the actual awards you’ll see that Telerik didn’t actually come first (a prerequisite to being “preferred” I’d have thought) in many of those awards. And going by the way one of my colleagues rants about his use of Telerik products and the performance issues incurred in a previous job, I have to wonder about some things.

Marketing people will milk any public compliment for everything they can, and that is fine. But I don’t like it when they push the bounds.

So, lets look at the evidence. Here are the results of the asp.netPRO 2009 Readers’ Choice Awards.

Incidentally, none of the categories are called “Best…” anything that I could see. That is more spinning of the facts in my book.

Charting and Graphics Tool: Winner (and therefore the actual “preferred” choice) is Developer Express XtraCharts Suite. Telerik were a runner up.
Component Set: Winner (and therefore the actual “preferred” choice) is Developer Express DXexperience ASP.NET. Telerik were a runner up.
Content Management System: Winner (and therefore the actual “preferred” choice) is Microsoft Office SharePoint Server 2007 – Web Content Management. Telerik were an honourable mention.
Grid: Winner (and therefore the actual “preferred” choice) is Developer Express ASPxGridView. Telerik were a runner up.
Navigation Control: Winner (and therefore the actual “preferred” choice) is Developer Express ASPxNavBar. Telerik were runner up.
Online Editor: Winner (and therefore the actual “preferred” choice) is Developer Express ASPxHTML Editor. Telerik were runner up.
Printing/Reporting tool: Winner (and therefore the actual “preferred” choice) is Developer Express XtraReports Suite. Telerik were runner up.
Scheduling/Calendar Tool: Winner (and therefore the actual “preferred” choice) is Developer Express ASPxScheduler. Telerik were runner up.
Testing/QA Tool: Finally, Telerik are a winner! But what is this “Powered by ArtOfTest” all about? Call me cynical, but it seems it wasn’t all Telerik’s own work.
Training: Winner (and therefore the actual “preferred” choice) is ASPSmith.com’s ASP.NET Training. Telerik were once again a runner up.
Utility: Winner (and therefore the actual “preferred” choice) is Developer Express ASPxSpellChecker. Telerik were a runner up.
Silverlight: Winner (and therefore the actual “preferred” choice) is Developer Express AgDataGrid Suite. Telerik were runner up.

So, to summarise. Yes, Telerik did very well, but they were the “preferred” choice in just one category by my reckoning.

What not to develop

Colin Angus Mackay — Sat, 16 May 2009 14:20:57 GMT

I was recently looking to book a hotel in Southwark in London. I thought I’d found the perfect hotel, it was inexpensive (by London standards) and close to where I would be visiting. They also had availability on an offer for £75 per night, so long as you checked in and out on specific days, which I happened to be doing. It looked perfect.

But then things started to go wrong.

I selected the rate from the availability page and clicked the “Book” button. The next page popped up (it opened a new window) and the details were pre-populated. However, it had changed the number of nights from 2 to 3. I didn’t want 3 nights, so I changed it back to 2 and I got a rather terse message saying “Minimum Stay: 3”. I’m happy to accept that style of message from a compiler, but not from a public facing website.

I went back and repeated the process wondering if I’d somehow clicked on the wrong rate. I double checked everything this time. Date is correct (but in an American format on a .co.uk website), number of people (1), number of nights (2), number of rooms (1), the room description explicitly gives the rules for the stay conditions for the rate. I meet all the conditions that are presented to me. I press “Book” again…

And it has pre-populated everything again and added an extra night on. I don’t want an extra night! Why even present me with a rate that I can’t have because it doesn't meet my needs.

By this point I’m more than a wee bit frustrated. So I take off to the website’s contact us page. Instead of providing an email address there is a form to fill in. So, I write a description of the issues I was seeing on their site at which point the site fails again. It failed spectacularly badly. If it had taken me to an error page I would have just shrugged my shoulders and gone off elsewhere. But no, it decided to throw up its internals at me. It vomited details of the SQL Statement that failed, stack traces and so on.

It even had the audacity to tell me that “The following information is meant for the website developer for debugging purposes.” It might have well have said “The following information is meant for an attacker so they can destroy our server.”

So, back to my title, what not to develop. There were many failings on this website that I could see. The user experience was poor to start with and it then descended in to abject failure when it vomited its guts up at me.

1. Don’t use pop-up windows; browsers may block them; they cause confusion for some users. Absolutely do not have a pop-up out of a pop-up; it clutters my screen with needless windows.

2. Don’t have a disconnect between the display locale on the site and the TLD. If you have a geographic TLD then display information in a way that consistent with the culture of that location. e.g. Do not display dates in Month/Day/Year format when you are serving pages on a .co.uk domain. If you have customers from overseas and want to localise content for them then offer that ability, but default to your own locale if you don’t know their preference. Some websites try to be clever and will detect based on the IP of the user but even this isn’t 100% accurate. I’m located in Glasgow, but if you use a IP geo location service it shows me in Greater Manchester.

3. If a user has told you their needs do not present rates that do not meet those needs. If you do want to show near alternatives then make it clear that the details entered do not match the rate displayed, but some minor changes will get the user the rate. Put this information at the bottom or in a different colour. Anything that makes it easily distinguishable.

4. Don’t allow a business rule to mismatch the user friendly description. Make sure that the description of the rate actually matches the business rules that will be used to enforce the rate. If you have a rate that is described to the user as from X to Y don’t have the underlying business rules enforce a stay from X to Z. That will just irritate people.

5. Don’t give users terse error messages; it is unpleasant and unfriendly. If a user has made a mistake then gently point it out.

6. Don’t just send data to the database without validating it first. If a user has typed something that is too long for the column in the database for which it is destined then the software controlling the website should never have attempted to send it to the database in the first place.

7. Don’t display information that could be useful to an attacker. Don’t display stack traces, SQL Statements, system generated error messages, code snippets, etc.

Technorati Tags: fail,website,software development,sql,debug,attack,stack trace,business rules

Rant of the day: Learn to frickin’ count!

Colin Angus Mackay — Sun, 10 May 2009 11:20:42 GMT

I was in a shop recently and I bought 6 items at £5 each. A total price of £30, even I can manage that mental arithmetic without resorting to a calculator. However, the till decided that the total price was £30.01. For a penny I really can’t be bothered to argue, but it got me thinking about code quality and wondering about what awfulness must be sitting in that system to create such a simple basic mistake.

My colleagues are probably all aware of my views on code quality. I rant daily whenever I see examples on ineptitude by people that are paid money to write code. I read and respond on forums in order to help others learn their craft, or just get unstuck when they accidentally dig themselves in a hole. However, I see on an almost daily basis these days people posting their homework questions with no apparent attempt to at least try to work it out from themselves.

Take this example I found on Code Project a while ago:

I need to know how to do some simple things with arrays please help with any!
1.Find largest or smallest value
2.Count how many times a given value is in the array
3.Count the number of even or odd integers in the array
4.Add up the sum and compute the mean
5.Create another array of the same size containing the same values in reverse order
Thanks!

This is very obviously an exercise from an introductory course on the language they were studying. They just want someone to give them an answer that they can copy and paste. If this is what they are like now, imagine what they will be like years down the road writing commercial software.

I’ve seen lots of evidence over the years of people writing software by copy and pasting examples from the internet without thought of what is actually going on. This results in slow, bloated, inefficient code that is integrated very badly with the rest of the system, hard to read, hard to debug, and is just generally a complete mess.

If you are tempted to copy and paste some code snippet from the internet for your application then stop and think first. Do you actually understand the code? If not, then don’t copy and paste it. If you don’t understand it, how will you debug it?

I would say that if you are tempted to copy and paste from the internet that you create a very small test application first, paste it in to that and learn how it works. Once you understand how it all fits together and how it works you can then write a version that will integrate in to your application.

While you are at it, write some unit tests to go with it. Make sure you test for edge cases, make sure you test for some normal cases too. If you ever get a bug, then add a test that replicates the bug. So if someone suddenly discovers your software things that 5 times 6 equals 30.01 you can add a test for it, fix the bug and redeploy the system. Hopefully, this would have been caught before the public get a chance to see the glaring error and write blog posts about it.

Rant of the Day: I hate low fares airlines.

Colin Angus Mackay — Wed, 06 May 2009 21:40:26 GMT

And that is me being diplomatic! There is no point in me naming the airline because, quite frankly, they are all at it. They are all as bad as each other as far as I can see.

Why do they insist on displaying the fare sans taxes and charges. If they are not optional then they need to be included in the fare. I can’t NOT pay taxes. I can’t NOT pay the airport charge.

If it is an optional element then allow that to be added, if the item must be paid in order for me to simply board the plane and get to my destination then roll it into the flight price. If they want to show how “unfair” the tax or airport charges are then split it up on the final confirmation page. I do not, repeat NOT, like being told £30 for the fare and discover another £28 of hidden mandatory extra charges later on.

I hate them all!

Rant of the day: IDisposable

Colin Angus Mackay — Tue, 28 Apr 2009 18:35:30 GMT

My colleagues are probably used to the fact that I rant about code quality frequently. I take code quality very seriously. Not because I'm especially expert in it, but because features of basic code quality make it easier for other people to read and maintain the code.

Today's irritation comes from some code (replicated in a number of classes I might add) that implements IDisposable. It is a fine interface and by implementing it you are telling the rest of the world that you have some stuff that can't just be left to the garbage collector to clean up. These are things like file streams, database connections, etc. Any type of scarce resource that you want to hand back as soon as you are finished with it rather than leave it up to the garbage collector.

However, I came across this "gem" in some code today where the class, basically a utility class, contained no fields (so it wasn't holding on to anything at all, let alone anything that might be a scarce resource). Yet, for some reason it implemented IDisposable. What was it going to dispose? What could it dispose?

The answer was in the code:

public void Dispose()
{
    // Nothing to dispose of.
}

Quite!

Banking Scams

Colin Angus Mackay — Thu, 17 Jul 2008 21:16:51 GMT

Just now I got a spam email purporting to be from my bank. In fact, I get lots of these because I obviously have accounts with Barclays, NatWest, HSBC, HBOS, RBS, CitiBank, WellsFargo, Clydesdale, Caja Madrid, ING, and a whole host of others.

Obviously some people are still fooled by them, otherwise they wouldn't still be sending them out after all those years. In fact, the mails do look like they could be authentic. The from address appears to be from the right place, the wording looks like it could be from my bank, and it gives me a link that looks like the one I log on with. However, it is still a scam.

I'm guessing the normal readership of my blog, mostly software developers, would be able to spot a scam like this fairly easily, but for anyone arriving via Google direct to this page and are looking for some tips for spotting a scam here goes:

Here is the body of a scam email I received:

Dear Customer,
Royal Bank. always look forward for the high security of our clients. During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your account information.This might be due to either of the following reasons:
1. A recent change in your personal information.
2. Submitting invalid information during the initial sign in process.
Due to this, you are requested to please update and verify your information by clicking the link below:

https://www.rbsdigital.com/default.aspx?

*Important*
We have asked few additional information which is going to be the part of secure login process. These additional information will be asked during your future login security so, please provide all these info completely and correctly otherwise due to security reasons we may have to close your account temporarily.
We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Security Advisor
Royal Bank Of Scotland.

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
For assistance, log in to your Royal Online Bank account and choose the "Help" link on any page.
Royal Bank Email ID # 1009

I've highlighted some of the text in red, as I'm going to talk about it.

First off, "Dear Customer", really?! - how impersonal, surely you already know who I am? If the email is so general that they've used "Dear Customer" then they've obviously sent it to everyone and they really haven't a clue what there systems are doing. No bank should be that clueless.

Next is the dot after "Royal Bank". That's not the end of a sentence. It isn't even a sentence (it contains no verb). Perhaps they are using the "." to signify an abbreviation of sorts, but I've never seen any Royal Bank communication do that. In fact, I've never seen anybody do that for "Royal Bank".

"Look forward for" is grammatically incorrect, you look forward to things, not "for" them. And why would they be looking forward to the high security of their customers. Surely that already exists. The bank has been around for about 300 years, I imagine after all that time they must be doing something right with regards to security.

You also have to ask yourself, why would the banks processes be so bad as to cause an error for the reasons stated?

Next is the URL (the web address) given to you in order to log in. Hover over it and look in your browser's status bar. Did you notice that the status bar says something different to what you see on the page? I've altered the real address so people don't inadvertently use it, but you can see it doesn't match the bank's real address.

Now, they are asking for additional security information during the log in process. Many banks only ask for random bits of information during the log in process. Like one time they'll ask for your mother's name, the next they'll ask what the first school you went to was, and so on. The spammers obviously need to know all the information so that when they get presented with the real random question they'll be able to answer correctly.

Finally, why would they close your account temporarily? A bank would never actually close an account for a potential security violation. They may suspend it, or remove access to it, but never actually close it.

So, here are some tips:

If you receive an email purporting to be from your bank, don't click on any links in it.
If your banks log on procedure appears to be different from the previous time, check with the bank themselves. They may have updated their website, or it may be a scam, best to check.
When you log in, ensure that the address in your address bar is the one you expect, and that it is a properly secure connection. There will be a padlock on the address bar or in the status bar (depending on which browser you have)
Banks are generally fastidious about grammar and spelling in any communication they send out. It makes them look highly unprofessional if they weren't. So check any emails for grammatical or spelling errors.

Technorati Tags: scam,spam,bank,security

Data Protection Muppets

Colin Angus Mackay — Sat, 05 Apr 2008 22:43:32 GMT

I've mentioned this topic on my blog before with regard to the Royal Bank of Scotland and Intelligent Finance but this time it was related to an insurance claim. The insurance company put me in contact with a company that would do the repairs and all they had to do was arrange a time and date. However, it wasn't that simple.

Initially things seemed to be going well until the company in question phoned me to change the date because they wouldn't have the materials in time. However, first they wanted to go through security screening.

Now, the conversation to this point had gone something like this:

Me: Hello
Them: Hello, is that Colin Mackay [pronounced kae - I HATE that!]
Me: Mackay [pronounced correctly - its a diphthong, a sliding or gliding vowel that goes from 'ah' to 'ee'] Yes.
Them: This is Martindales. We just need to ask you some security questions before we proceed.
Me: How do I know you are who you say you are?
Them: We are Martindales, your insurance company has appointed us...

The conversation went from bad to worse as I tried to explain that what they are doing is socially conditioning people to hand out sensitive information and was then told that they "had to" ask these questions because of the data protection act. The act makes no such requirement. What they have to do is ensure that they are speaking to the correct person so they don't divulge potentially sensitive information to the wrong person. However, the way they are going about it, while technically in line with the act, is most certainly not within the spirit of the act.

What made it worst was that when I was asked how they could continue the conversation and I gave the solution they had to ask me no fewer than 3 times how they were going to continue the conversation even although I had given them a solution. After that incident they decided they must not have like my simple solution and refused to communicate with me at all for a while.

My solution, incidentally, was this. They would phone me and indicate that they need to speak to me. I would then get the phone number from existing documentation (i.e. a trusted source) and phone their switchboard and ask to be put through to the person that needed to talk to me. They can then go through the security questions as I will then know I am talking to the correct party. When they phone me I have no way of knowing who I am talking to. They could be making it up. If they give me a phone number to use I won't use it. I will only use trusted sources like documentation from my insurance company, or from the booklet that the insurance assessor left me.

Anyway, Martindales eventually decided that they did need to communicate with me about yet another change in date and sent me a letter. Pity it didn't arrive until two days after the guy was supposed to show up. In fact he did almost arrive, and I only knew about it because they phoned me just to say that he was running a little late. Muppets!

Technorati Tags: identity theft,fraud,data protection act