Saturday, December 13, 2014

More Bell Canada Madness

As people know, I'm not Bell Canada's biggest fan.  If there's a right way and a wrong way to accomplish something, my opinion is Bell Canada normally takes the wrong way.

This past week, my elderly in-laws moved into their new home.  The day came for Bell to hook up their new phone line, and the technician left with the phone not working.  After a complaint was put in that the first guy had just one job to do and hadn't done it, a second technician came the next day to visit and he also left with the phone not working.  This repeats until we escalated complaints, got stuff in writing in emails (this was highly useful when the next technician failed to appear on the promised day) and eventually after hang-ups by incompetent operators and support staff, escalation and further escalation, we found a manager who called a technician and got him to drop everything on his list and deal with the matter immediately.

This is just to hook up a home phone.

Last night, my wife's iPhone 4 finally gave up and stopped charging.  After speaking to Bell, we find out that given its age, she's eligible for a free replacement if she goes to a Bell store.  By "free replacement", what they meant was that it's not free as the store wanted $49.  Not a problem, the $49 will be paid.  Except the Bell Store doesn't take cash or a debit card, only a credit card.  The wife doesn't have that on her.

Now, when I say the store doesn't take cash or debit cards, what this really means is they do, because you can buy a phone case, or any other product and pay cash or debit, but not for the $49 for an iPhone.  The suggestion from Bell is to go to Shoppers Drug Mart and purchase a $50 preloaded credit card, come back and then all is well.

The icing on this idiotically bureaucratic cake is the laughable logic that the store staff member then tries to "inform" my wife with...  Apparently, this rule exists because if you pay by debit card, they won't get the money for three days.

I don't know why Bell would train their store staff to tell lies, but for anyone that doesn't understand how a debit card and a credit card works, here's a quick primer:

  • When you pay by credit card, first the issuing bank issues an authorisation on the spot.  Second, when the bank is ready to settle the payment (in this case, being a Saturday, we're looking at Monday night), that money is forwarded to the merchant.  So in Bell's case, they're getting the money three days later.
  • When you pay by debit card, first the issuing bank withdraws the money from your account on the spot.  Second, when the bank is ready to settle the payment (in this case, being a Saturday, we're looking at Monday night), that money is forwarded to the merchant.  So in Bell's case, they're getting the money three days later.
Yes, if you're sharp-eyed and have a brain, you'll have noticed it's actually the same delay regardless of what you used, and Bell Canada was being incredibly stupid by arbitrarily blocking one method and accepting another.

So what is the difference in payment methods?  

Quite simply that when you pay by debit, that settlement process comes straight out of your account, into a pool at the bank and then from there into the merchants, whereas with a credit card, that settlement comes out of the credit card issuers account and into the merchants, which then creates a debt on your behalf that you must repay when you get your credit card bill.

Now, if we were to be really picky about Bell's ridiculous red tape, we can accurately postulate that Bell Canada has actually enforced the worst possible payment rule out of the available options because we can challenge the items on the credit card statement easier than we can on a debit transaction or using cash. 

Obviously, my wife left the store without a working phone, so naturally Bell is now losing further money from having another phone not working on their network.


Saturday, November 22, 2014

Making Yogurt From Whey

Quite some time ago, I posted an entry on this blog about making homemade yogurt.  Given that we get through a lot of yogurt in our house, what with it being added to cooking or the twins having it for many of their desserts, it made sense for me to look into making our own.  It's now been a few years and obviously, I've had some ideas in my head that I wanted to try and experiment with.

The first was really simple:  Would microwaving the milk make any difference to the yogurt I make?  In short, the answer is it made no difference.  On the plus side, I didn't have to stir it to stop it burning the pan.  On the bad side, I had to put up with the noise of the microwave going for about 10 minutes.

The second idea was to see if the whey that I always strain off my yogurt could be used to create more yogurt?  More often than not, we just throw our whey down the sink.  We just don't use it that often, and this was something I want to change.  

I see whey as another one of those subjects where if you go back 100 years, everyone had common knowledge of what it is, where it comes from and what it's good for.  The problem, as I quickly found out is that just like straight razors where the knowledge died out in the general population since the introduction of disposable blades (most people wouldn't know a "strop" from a "fools pass"), the same can be said of whey since the invention of the refrigerator.

If you've never seen whey before, here is a pint glass filled with the stuff:

Whey
To bring you up to speed, this liquid is one of the major portions of milk.  You pretty much have three big things in milk:  Fat, Casein and Whey.  The fat is often removed out of milk for health reasons (skimmed, semi-skimmed, etc), leaving casein (the calcium, proteins, carbs and phosphorous) and then there's the whey.  

In the case of yogurt making, you can take none of it out (runny yogurt), some of it out (normal yogurt) or lots of it out (greek style yogurt), but then you have the problem of what to do with it next?

In Australia they call whey "Milk Permeate", and because whey has so much good stuff in it like probiotics (the good bacteria for your gut), vitamins and proteins, the Australians actually hold on to it, then add it back into the milk at certain times of the year to keep it consistent throughout the year.  This is known as "Milk Standardization".  Of course, a few companies were then accused of adding in too much, causing the watering down of milk.

Scams will always appear where food can be adulterated.  
The whole yogurt industry to me seems like a scam, too, that plays on the ignorance of the masses though, as you're about to see.  When I make my yogurt, it costs about 1/3rd the price of store yogurt, is fresher, and has no additives.

So, as you can probably guess by now, given I remove a lot of whey, I'd been wondering for some time if I could just add some whey from one of my previous yogurt batches to some milk and get yogurt from that too.  

It turned out that, yes, you can make yogurt from whey, as equally well as from the previous yogurt. For me this is good news as we sometimes accidentally eat all the yogurt and have to go and buy some Activia or similar brand to get things going again.

Now here's where I start to get a bit annoyed.  To make yogurt, you need to ferment milk with the lactobacilli (the milk bacteria we now hear of as "probiotics" or "live cultures"), then it's all taken out (probably to stop people making more yogurt from it).  Then sometime in the past ten years, some marketing person thought "hey, let's leave some bacteria in and charge a premium for it and create an ad campaign where you have to eat it for 7 days straight to see if your digestive system improves", and now we have yogurt that you can make more yogurt with again... except everyone has forgotten about that as the knowledge has died out.

So, how did I do it?  Simple:

  • Heat a litre of milk to 180F.
  • Let it cool to 120F.
  • Pour in about 1/4 cup of whey from a previous yogurt batch.
  • Leave it somewhere warm for 10 hours for the cultures to multiply and chew through the lactose. (I just pop mine in the oven and leave it overnight with just the light on to keep things "warm").

That gives me about $4 of yogurt for about $1.25.

Now, going back to that "milk standardization" procedure... Have you ever wondered where the recent proliferation of "Yogurt Drinks" came from?  

As a refresher, I'm talking about this expensive stuff.  You may have noticed that this is also probiotic, and by now starting to be suspicious about how these types of drinks suddenly sprang up?  Well, you too can make them:  

Yogurt Drink = 1 Part Yogurt + 1 Part Whey.

That's it.  That's all they did - take that whey that previously was thrown out, and add it to normal yogurt (then, obviously charge a premium for it).  

The final point I want to make is about this "L. Casei Danone" trademark and advertising (they all do this, I'm just using Danone as an example).

L. Casei refers to "Lactobacilli" (so, lactose chewing bacteria) and the "Casei" refers to "Casein", which is the milk protein.   The interesting thing is the "DN-114001"...  this is the normal yogurt bacteria and is a marketing stunt like selling an empty bottle with "Breathable Gas Danone" (Air) in it.

Now you see why I just think the whole yogurt thing just plays on people's ignorance. 


Saturday, November 15, 2014

Industry Standards

As you might guess, I spend a lot of time looking at specifications and requirements.  A phrase I see very frequently in these is "industry standards" - usually attached to requirements in sentences like "We would like security to meet industry standards" or "this widget needs to behave according to whatever the industry standards are".

There's something that bothers me about this:  People often think that Industry Standards are a good thing or that Industry Standards mean high quality.  I think this is actually a bad thing, and here's why... When we think of industry names that we can set the quality bar by, we think of the likes of big banks, big retail names and so on.  For instance, Home Depot, JP Morgan Chase, Ebay, Yahoo!, Sony, Apple, Dun & Bradstreet, TK Maxx, etc.

The astute readers will realise that I've just rattled off a quick list of organisations that have all suffered major data breaches.  To see a truly terrifying list, have a look at something like this...

Is that what people aspire to when they say they want something to be following "industry standards"?  If anything, "industry standards" are a minimum level of effort that has been proven likely to leave millions of people as victims of data breaches, privacy scandals or worse.

That's not a good thing to aspire to.

Monday, October 6, 2014

Personal Change

People have a habit of pigeon-holing others.  When you meet someone, they will quantify and classify you.  Sometimes it's good as you're pigeon-holed as:

  • A good person.
  • Fun
  • Intelligent
Other times, you may find yourself being pigeon-holed by others as:
  • Boring
  • Too loud
  • Unprofessional
This pigeon-holing is usually done very early on, and once a box has been put around you, it takes a lot of effort to get people to change their perception of it.  This then leads to a blurring that can be equally hard to shake - for instance if a good, reliable, person makes a monumental mistake once, people will forever think "He's a good guy, and usually reliable, but..."  Sometimes, however, new classifications override older ones to the point that people totally forget the previous classification.  This happened to me in my last job where having programmed Windows for 20 years, just 5 years of iOS programming got me pigeon-holed as "the Apple guy" and so 80% of my previous skills went unused.

Another problem with boxes is that some people, myself included, have a habit of learning new things and self-improving.  Unhappy with just remaining static, we accumulate new skills and new knowledge that goes equally unused.  Like all years in my life, in the past year I've added multiple new strings to my bow, including learning two musical instruments, improving my electronics knowledge, improving my knowledge of physics and banking processes, perfecting how to bake biscuits (the American kind, that is), cooking rice properly, and taking on the new programming language, Swift.  Some of this is applicable to my work as a programmer - knowing how banks work, or knowing how electronics work, or a new language makes a programmer like me more desirable.  

This means you end up being in the wrong box.  If the box remains unchanged despite these changes, then something is going to break to make you get into a more suitable box.

The two things that can break are:
  1. You stop learning new things and you stagnate because it's not applicable to your job, or your employer doesn't reward self-improvement.
  2. Your current employment stops and you find somewhere that will reward your new found skills.
When personal change means you no longer fit the box that you were comfortable being in, changes and decisions normally follow to correct this.  Being aware of the boxes you operate in and how you influence them is likely the most important thing you can be aware of about yourself.


Wednesday, September 10, 2014

Apple Watch Haters

It doesn't take a genius to work out now that there's a phenomenon where normal, rational human beings suddenly lose their minds every September.  This is the month that Apple unveils its new iPhone, but it's also the month when Apple's new products are unveiled to the public.

With these new iterations of phones or new products, we expect to see a cacophony of haters, naysayers and what have you, who prognosticate that Apple is failing to innovate if they don't release a new category product every other year, or that the latest iPhone is only an improvement on an old model instead of a completely new one, and there are those that outright say that a new device is just plain bad.

Even though we know that Apple has pretty much hit each record selling quarter with an even bigger quarter for the past few years, the Internet has a habit of keeping stuff around for long periods of time, so we can see examples of what I mean by these haters who contradict it...

The iPod (the iPod classic got killed off yesterday).
In 2007, the iPhone came out...  Just in case you've forgotten, this was the competition then...
Yes, the Motorola Razr2 was released in 2007, the same year that the first iPhone was released.  So, how was the iPhone with its touch screen received?
"iPhone doesn't support 3G, it doesn't support multitasking, it doesn't support 3rd party apps, you cannot copy or paste text, you cannot attach arbitrary files to emails." 
Then there was Palm CEO Ed Colligan on Apple's iPhone:
“We’ve learned and struggled for a few years here figuring out how to make a decent phone,” he said. “PC guys are not going to just figure this out. They’re not going to just walk in.”
Or how about this all-out failure prognostication?


Next came the iPad...  We've all heard the "But it doesn't run Flash" argument, or the "It's just a big iPhone... but without the phone functionality" tirades.  Very quickly, though, the device was shifting a million units a month.  5 generations and 2 minis later, it's still selling very well.  

However, it's very apparent when Apple's design is being ripped off by cheap copies - but then again, some people are happy with a lookalike product if it means they pay less.  Then, when the bar is raised again by a new iOS version, instead of just installing the update so that your hardware lasts two or three years, you need to buy a whole new phone.


Yes, people don't want to upgrade their entire Android phone, but because of carriers and OS fragmentation, they usually have to.

So what about the new Apple Watch?   There are already a few watches in the market.  Let's take a look at them.  

First, there is the Pebble.
This is a low-cost watch that looks very 1990s in its heritage.  You could easily imagine the name Casio stamped across the top.


Then there is the Samsung Galaxy Gear S watch.
This is an improvement on the Pebble, but it's largely just an iPhone UI shrunk onto the wrist.  You can change the colour of the strap to suit your style.


And there's the Sony one...
Sony have made watches for a long time, but they also went for the "shrunken" PDA kind of UI.  Again, you can change the strap colour.

Then Apple comes along with the Apple Watch.
This is a marked departure from the "PDA" interface.  The fact it has a crown (knob) too is a reminder that this is not a 1980s inspired "digital" design.  I won't go through the list of features as that's been done elsewhere, but I do want to turn to the naysayers.

Wearable tech is something I'm familiar with.  Go back to 2001 and I basically wore a "bat-belt" where I had my GPS, my phone, and my Palm PDA.  Now it's all in one device and there's still something else I wear - my fitbit.  However, some people still don't like the idea that people are already wearing Nike Fuelbands, Fitbits and other health related products.

So it begins with the watch.
All I know is that above the cacophony of naysayers, there will be a slew of developers such as myself who know that many people will buy this device, and it will likely sell lots of them.  Apple is rarely first into any market, be it computers, media players, phones or watches - but when it does go in, it generally raises the bar and disrupts things.

I'll put my money on the Apple Watch nailing it, not failing it.




Friday, September 5, 2014

Ontario Smart Meters and Security

Sometimes, I see something that doesn't seem right to me, and internally I begin questioning it or trying to work out if it's deliberately not right for some other reason.  In Ontario, our Smart Meters are one such item that perplexes me because for all the hay-making in the media about security, it's actually wide open.

In Ontario, places such as Ottawa and Toronto have this meter.

As meters go, it's pretty standard.  There's an ID plate, an LCD screen that gives you basic information, then there's an IR port on the right (it's the dot in the left-hand part of that enclave on the right).  Internally, there's a transmitter that sends your home's data to a designated neighbouring smart meter that acts as a master and aggregates and sends on the data from its neighbouring slave meters.

The government and other electricity bodies went to great pains to point out that this data is secure and the remote meter repository where the data goes is secure, and the transmission is secure, and ... well, you get the picture.  

But...

There's that little IR port on the front.  It's just spilling live data onto your driveway or beaming it onto your next-door neighbour's wall...

And that is a problem.

As with many attacks on your privacy, 9 out of 10 require little more than access to the hardware itself.  There's no reason someone can't slide an IR receiver (about $2) over the port, connect it to an Arduino Mini Pro ($13) and wire the input to output to a pen-laser ($5) and now for $20 they've extended your private data to across the street, where it's picked up by a solar cell and decoded.  Now, that neighbour knows when you come and go, your habits and other patterns, etc.

The simple solution is to just stick some black electrical tape over the port.  A better solution is to use a Blueline Powercost monitor on it - not only do you get useful information from it, but there's an added security angle in that you're blocking the port from prying eyes (and you get the added warning that it's being tampered with if you stop seeing data).
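The "you stop seeing data" warning above can be automated.  The following is an added example, not code from this post and not Blueline's own software; it assumes a monitor sitting over the IR port logs one (timestamp, watts) pair roughly every 30 seconds, and every reading below is constructed sample data:

```python
"""Outage detector for a smart-meter reading stream.

Added example, not part of the original post and not the Blueline
monitor's code. It assumes a monitor clipped over the meter's IR port
logs one (timestamp, watts) pair roughly every EXPECTED_INTERVAL seconds;
a silence longer than TOLERANCE intervals is reported, which is the
"I stopped seeing data" tamper warning the text describes. All readings
below are constructed sample data.
"""
from datetime import datetime, timedelta

EXPECTED_INTERVAL = 30  # assumed seconds between readings
TOLERANCE = 3           # intervals of silence before we call it a gap

# constructed "current time" used by the stand-alone run
SAMPLE_NOW = datetime(2014, 9, 5, 8, 30, 0)


def find_gaps(readings, expected_interval=EXPECTED_INTERVAL, tolerance=TOLERANCE):
    """Return [(last_seen, next_seen, silence_seconds)] for every silence
    longer than tolerance * expected_interval between consecutive readings."""
    max_gap = timedelta(seconds=expected_interval * tolerance)
    ordered = sorted(readings, key=lambda r: r[0])
    gaps = []
    for (t_prev, _), (t_cur, _) in zip(ordered, ordered[1:]):
        delta = t_cur - t_prev
        if delta > max_gap:
            gaps.append((t_prev, t_cur, int(delta.total_seconds())))
    return gaps


def stale_for(readings, now, expected_interval=EXPECTED_INTERVAL, tolerance=TOLERANCE):
    """Seconds since the last reading if the stream has gone quiet as of
    `now` (something is covering the port, or the monitor was removed).
    None while readings are still arriving on time, or if there is no
    history at all to judge from."""
    if not readings:
        return None
    last = max(t for t, _ in readings)
    silence = now - last
    if silence > timedelta(seconds=expected_interval * tolerance):
        return int(silence.total_seconds())
    return None


def sample_readings():
    """Constructed log: steady readings, a 15-minute silence, then readings resume."""
    base = datetime(2014, 9, 5, 8, 0, 0)
    # 11 readings every 30 s: 08:00:00 .. 08:05:00
    readings = [(base + timedelta(seconds=30 * i), 420 + i) for i in range(11)]
    # nothing until 08:20:00, then 5 more readings: 08:20:00 .. 08:22:00
    resume = base + timedelta(minutes=20)
    readings += [(resume + timedelta(seconds=30 * i), 410 + i) for i in range(5)]
    return readings


if __name__ == "__main__":
    log = sample_readings()
    for start, end, seconds in find_gaps(log):
        print(f"no data from {start:%H:%M:%S} to {end:%H:%M:%S} ({seconds} s): check the IR port")
    stale = stale_for(log, SAMPLE_NOW)
    if stale:
        print(f"stream silent for {stale} s as of {SAMPLE_NOW:%H:%M:%S}")
```

The gap threshold is deliberately a few intervals wide so that a single dropped reading does not page anyone; only a sustained silence, which is what an obstruction or a removed monitor looks like, gets reported.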

Now that you understand this simple flaw in logic, go and have a chuckle as you look through this FAQ document from the IPC.

  

Thursday, September 4, 2014

CIBC Customer Communications Fails After Data Breaches

The news over recent years has become increasingly peppered with stories about large scale data breaches.  Notable examples include:

  • Adobe - 152,000,000 records.
  • EBay - 145,000,000 records.
  • Target - 70,000,000 records.
  • JCPenney/Dow Jones/JetBlue/etc - 160,000 records.
  • Sony PSN - 77,000,000 records.
  • Heartland Payments - 130,000,000 records.
  • TJ / TK Maxx - 94,000,000 records.
  • AOL (2014) - 2,400,000 records.
  • AOL (2006) - 20,000,000 records.
  • AOL (2005) - 92,000,000 records.


As you can see, these aren't small numbers.  

The latest breach appeared this week and it points to Home Depot.  Now, Home Depot operates in Canada as well as the USA, Guam, Mexico and Puerto Rico, and much hay has been made over the issue in the media.  Home Depot themselves put out a statement on the matter, and many security experts are looking at the issue.


Neal O’Farrell, an identity theft and security analyst for credit monitoring site Credit Sesame recommends consumers use the breach as “an earthquake drill” and go through the “security routines you’ve been putting off.”...   

I had a quick think and knowing that I use the Home Depot regularly, I know there's a fair chance I could be caught up in this one if Canada is part of the breach.  Whilst I can look at my statements after a breach, I've no idea about one key aspect of my financial protection:  One way I may be protected is if they geo-fence transactions and can flag a transaction that's trying to go through outside of some safety area.

It turns out I'm not the only one thinking about this.  A Krebs report on the matter (source) even says this: 

The ZIP code data allows crooks who buy these cards to create counterfeit copies of the credit and debit cards, and use them to buy gift cards and high-priced merchandise from big box retail stores. This information is extremely valuable to the crooks who are purchasing the stolen cards, for one simple reason: Banks will often block in-store card transactions on purchases that occur outside of the legitimate cardholder’s geographic region (particularly in the wake of a major breach).

Thus, experienced crooks prefer to purchase cards that were stolen from stores near them, because they know that using the cards for fraudulent purchases in the same geographic area as the legitimate cardholder is less likely to trigger alerts about suspicious transactions — alerts that could render the stolen card data worthless for the thieves.
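As an added illustration of what a geographic screen would and would not catch (example code written for this page, not CIBC's or any bank's logic; the home location, radius and transactions are all constructed assumptions):

```python
"""Geographic screen for card-present transactions.

Added example, not the bank's logic (the post never gets an answer on
what the bank does). It assumes the issuer knows a home location for the
cardholder and a location for each merchant, and holds any purchase made
farther than RADIUS_KM from home for review. Every coordinate and
transaction below is constructed sample data.
"""
import math

RADIUS_KM = 100.0       # assumed "safety area" around home
HOME = (45.42, -75.69)  # constructed cardholder location (Ottawa area)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def screen(transactions, home=HOME, radius_km=RADIUS_KM):
    """Return {txn_id: (distance_km, flagged)} for each transaction.

    transactions: iterable of (txn_id, amount, merchant_lat, merchant_lon).
    Only distance is considered: a counterfeit card used near the
    cardholder's home passes this check, which is exactly why the Krebs
    piece says the cards stolen from nearby stores are the valuable ones.
    """
    results = {}
    for txn_id, _amount, lat, lon in transactions:
        dist = haversine_km(home[0], home[1], lat, lon)
        results[txn_id] = (round(dist, 1), dist > radius_km)
    return results


SAMPLE_TRANSACTIONS = [
    # txn_id, amount, merchant lat, merchant lon   (all constructed)
    ("t1", 49.00, 45.40, -75.72),    # hardware store across town
    ("t2", 899.99, 43.65, -79.38),   # big-box store in Toronto
    ("t3", 1250.00, 25.76, -80.19),  # store in Miami
]


def flagged_ids(transactions=SAMPLE_TRANSACTIONS):
    """The transaction ids the screen would hold for review."""
    return sorted(t for t, (_, flagged) in screen(transactions).items() if flagged)


if __name__ == "__main__":
    for txn_id, (dist, flagged) in screen(SAMPLE_TRANSACTIONS).items():
        print(f"{txn_id}: {dist:7.1f} km from home -> {'REVIEW' if flagged else 'ok'}")
```

Run stand-alone, the Ottawa purchase passes while Toronto and Miami are held; the radius is a policy knob, and a smaller one trades fewer missed out-of-region uses for more false declines on legitimate travel.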

So, I did the sensible thing and asked my bank to clarify what, if anything, exists to protect me:


I thought this was a straight-forward question to ask a financial institution...  So, you can imagine the face-palm I did when I read the response pointing me to a T&C page that makes no mention of geographic protection radii.

Needless to say, I had to point out that they've not answered the question... Then I re-asked the same question, but using a different wording.




At this point, it should be pretty clear to the bank a) what I'm asking, and b) why I'm asking it.  So, having not answered the question, they tried to obfuscate the issue.

Now, anyone that's followed my previous gripes with this bank about their relaxed security policies, history of foul-ups and bad communication will understand why I was getting suspicious that such a number doesn't exist.

So, I changed the question to see if this reveals any security context, or if it generates blow-back:


The following answer came back...

This was the most telling response of all.

In a simple enquiry to the bank to understand how/if I'm protected on a geographical basis, the bank had first actively failed to answer the question, then tried to obfuscate the issue, then finally fell back to an "argument from ignorance" stance and tried to draw a line.

Last time that CIBC drew a line like this, the wager was made where I had to try and extract credit card information from CIBC using a labrador retriever's nose.

Now, "absence of evidence" does not imply "evidence of absence", but as a customer this is highly worrying when the "burden of proof" is on the bank and they can't explain it.

Conclusion:
To add to the litany of other security issues I know about, I don't think CIBC has me covered on this one either.  My guess is it's not geofenced and probably not even geocoded from an address of banks, shops, or ATMs, where cards are used.

I can test this pretty easily too.  Thankfully, this time it doesn't require a dog.

Thursday, July 31, 2014

Technology and Waves

The technology landscape changes quickly, and nearly everyone knows that already.  However, the types of changes that occur fluctuate in waves; sometimes it's a hardware innovation, like we saw in 2007 when Apple came out with a touchscreen phone and by 2008 everyone else had a touchscreen phone.  Other times it's software, like we saw with digital assistant services such as Apple's Siri, Google's Google Now or the new Cortana from Microsoft.

Microsoft Cortana In Action...


These waves are analogous to ocean waves in more ways than you would think.  Much like the ocean, which under normal circumstances produces small waves at a predictable frequency (x waves per year, often being annual product refreshes), these smaller waves sometimes combine to create a bigger wave.  Examples of this include faster networking, mobile file access and better data centres combining to give us cloud computing, which generates massive upheaval as mobile and desktop operating systems, developer applications, office suites and everything else get cleavered to hack in this new technology.

So what waves are we seeing right now?  In short, things are coming to a head in two areas:

  • Power
  • Security
Power is an issue because we are on the move so much, and whilst CPUs are getting faster, phones do more, and data and display requirements go through the roof, the underlying battery technology hasn't exactly changed much in decades.

Security is an issue due to two factors: first, the NSA snooping fiasco has gotten everyone from the general public to governments [such as Germany] uptight; secondly, the amount of cyber-crime and cyber-terrorism is going through the roof.  I've said in the past that people would be waking up to what's really going on for a few years, but it seems like this year it finally happened.  Again, one of the reasons this is a problem is that the underlying technology hasn't changed in a long time, meaning anyone with a nefarious agenda can sit and pore over the code to see how it works and where its weaknesses are.

This brings us nicely to this week's unveiling of seL4.  After cyber-terrorists hacked into key infrastructure, a new kernel was created, which you can run drones and other complex systems on. Each component in the system is fire-walled off from other parts, and the security professionals who built it claim that in theory the new system can't be hacked.  Putting aside thoughts that shipping professionals built the "unsinkable" Titanic which still sank, I was somewhat concerned when they then Open-Sourced the code.

Yes, the kernel that is currently unhackable can be pored over by cyber-terrorists or cyber-criminals.  To put the icing on this cake, they can now compile this unhackable kernel and pop it into their own missiles, tanks, drones, etc.

Maybe it's just me, but I don't think that was a good idea.





Thursday, July 24, 2014

Why I think CNN is clueless on Technology

Apologies: This Is A Moderately Technical Post


It's not very often that a news article makes me angry, but last night I read this CNN article on Microsoft stopping its Windows RT product:
Microsoft's most boneheaded product is about to be killed off

The morning has come around, and it's still aggravating me because it's wrong, so I'm going to try and lay out why here, because when you understand what most don't (including the people at CNN) you'll see how wrong it is.

As we all know, computer technology has for decades remained somewhat mystical to the consumer.  Most have no idea about Von Neumann architecture, endian problems, stacks, and such because outside of computing, these things are not used much.  Whilst the recent (past decade) operating systems have become infinitely easier to use, the media is now showing its ignorance when trying to educate consumers and is actually muddying the same waters that have recently been cleared.

So, let's dive in as to what's wrong, starting with a little history.

Traditionally, the Windows architecture has been successful because of its open architecture where peripherals are concerned.  By moving core pieces of the OS into drivers that plug in, the details of these peripherals are shielded from the OS.  This means the OS can accommodate new things as they arrive.  Ironically, however, the core part of the OS is optimized for the Intel x86 instruction set.  This means you need an Intel processor, or an Intel clone (AMD, etc.), to run it.

Digging further into Windows, we see that it is comprised mainly of DLLs.  
Under 16bit windows, everything sat in C:\Windows\System.
Under 32bit windows, everything sat in C:\Windows\System32.
Under 64bit windows, everything sits in C:\Windows\System32, for compatibility reasons.  

Yes, System32 holds the 64-bit DLLs on 64-bit systems.  Obviously, to be able to thunk down the pointer instructions and run unmodified 32-bit programs seamlessly, you need to ship the 32-bit DLLs, so these reside in C:\Windows\SysWoW64.  Yes, the 32-bit stuff is in the directory ending in 64, and the 64-bit stuff is in the directory ending in 32.  

If you've no idea what WOW64 (the latest incarnation of Windows on Windows) is, read this.  

Remembering that all the peripheral drivers have to talk to these DLLs, you can appreciate that they also need to be compiled to run only on Intel processors, because when a DLL is loaded and wired up, the VTable needs to point to the function at the correct address, or you'll get a blue screen.

So, let's revisit the "Vista" debacle for a second...

Up until Windows Vista was conceived, the driver architecture had not changed since Windows was first introduced.  If you printed, you still had brushes, canvases and such, but the printer hardware was moving to capabilities far beyond what the OS was aware of.  Same thing for cameras - what started off as a picture device was now turning into a combined picture and video capture device.  Throw in VPNs, smartphones and other new technologies, and it was clear that the driver interface of Windows needed to be updated.

Unfortunately, an update of this magnitude requires breaking changes.  So, Microsoft tore down the driver architecture and brought it up to date.  Then, due to market pressures, they forced this new architecture out of the door before everyone had a chance to rewrite their drivers to use the new specification.  As history shows, what happened technically and what the media and public saw are two different things:
  • Technically, the OS just got future proofed.
  • Consumers thought the OS was broken as their printer/camera/etc stopped working.
This wasn't the OS's fault - though it was certainly Microsoft's fault for pushing it out of the door too quickly.  Today, Windows still uses the same driver architecture, only now the device manufacturers have had time to update their drivers and iron out the kinks.  However, everything was still only compiled to run on Intel instructions.  After Vista was pushed, Windows 7 came out.  Windows 7 was effectively Vista with fixes in place, and some new features.  

The public and the media committed Vista to their collective memory as a total failure, for all the wrong reasons.  Even the media reported Windows 7 as "going back to the old Windows", when in fact it was just Vista fixed and moving forward with the same old plan...  There was no "going back".

The next problem to address was mobile devices.  The x86 chips of the day were fast, power-hungry and hot.  If you're going to make Windows a truly mobile operating system, you have to face the fact that the successful devices all run on ARM processors, not x86.

At this point, it shouldn't take a genius to understand that if you're going to run Windows on an ARM processor, all those x86-only DLLs have to be rebuilt.  The problem here is that some of the routines in these DLLs are so crucial to the speed of the operating system that they've been tweaked over the decades to include hand-written x86 assembly, and assembly doesn't recompile for a different architecture; it has to be rewritten.  

This is therefore no small undertaking.  

What Microsoft did was port the kernel and the core of the system to ARM and put a new API surface on top of it, and thus WinRT (the Windows Runtime) was born.  WinRT is a COM-based, language-projected API that targets both ARM and x86, and it acts as a broker between your app and the hardware underneath: a WinRT app runs inside an AppContainer sandbox with only the capabilities it declared in its manifest (camera, location, documents library and so on), and requests for anything else are refused.  In a loose sense, this is like putting Windows services into a driver all of its own.

The next piece of the puzzle was to get the desktop and everything else running on top of that foundation, and hence "Windows RT" was born: an ARM build of Windows whose desktop only runs Microsoft's own signed desktop code, with everything else arriving as WinRT apps.  So now you have an RT-ready desktop sitting on an ARM-capable runtime.  If you write an app against WinRT (managed or native, the runtime is projected into both), your app will run on the desktop, on ARM and on Windows Phone.  This is primarily where "apps" come in, but it's not exclusive to the Metro app style.

So, Windows RT is now created and works.  So what did Microsoft do?  They pushed it out the door too early, again.  They hadn't even finished Office when Windows RT was released (the first Surface RT shipped with a preview build).  Major software houses like Adobe hadn't had time to go through the WinRT architecture to begin thinking about a migration process...

So, the media deems this marvel of engineering a piece of crap, and then Microsoft puts the icing on the cake by confusing the public as to what Windows RT really is, while simultaneously bandying about the WinRT term.

Fast forward, and Microsoft is now killing off RT.  You can bet your bottom dollar this is in name only; after all, you don't make all this progress towards a Windows OS and universal apps that run on your desktop and Xbox only to take it away.

With a thorough understanding of the monumental engineering that happened, let's go back to the CNN article, where we see stuff like this:
  • "Windows RT was supposed to usher in the tablet era for Microsoft. But Windows RT has two fatal flaws: it's missing crucial apps, and it's poorly designed."
  • "The biggest failure of Windows RT was that it took away the single best part of Windows -- the fact that it can run just about every app ever created."
  • "Still, you can't run iTunes. There's no Chrome or Firefox browser. You likely can't run your company's custom-built software. Pretty much anything that requires a desktop is a no-go."
Yes, these people probably complained that they can't put diesel in their petrol-consuming car...  This is the same problem: it's not the OS's fault that third parties haven't yet ported their apps to the WinRT platform.  

Another point that also got my goat was this:
"Microsoft didn't take away the desktop in Windows RT. No, no, no. Curiously, Microsoft kept the desktop around so you can run a separate, more robust version of Internet Explorer."

They missed the point again.  The "desktop" IE on Windows RT is the ARM port of the same browser; its core components (the Trident rendering engine, the script engine) are shared with the Metro version, which is a different front end designed for fat-fingered use on smartphones and tablets, not for mouse/trackpad precision, and which runs plugin-free in Enhanced Protected Mode rather than hosting ActiveX.

To drive the penultimate nail into the coffin of this CNN article, we can use the article against itself.  On the one hand, it says this:
"You likely can't run your company's custom-built software."

And on the other hand, it says this:
"But Microsoft never made a compelling case for why you should buy a Windows RT tablet over a rival tablet except for the fact that it runs Office. And that argument just went out the window when Microsoft brought Office to the iPad earlier this year."

The simple answer to this is that you open up your custom software (which you likely spent a lot of money on) in the latest version of Visual Studio and you port it, something you generally have to do every five years or so anyway, unless you want to be stuck on Windows NT 3.51 forever.  Once you port it, you have a lower learning curve for the users, lower-cost devices (ARM is cheaper than x86), and so the list goes on.

But I said that was the "penultimate" nail in the coffin...  So what's the final nail?

Simply that regardless of what happens to Windows RT in name, it has no bearing on its technology: the guts of RT will proliferate.  That RT desktop that currently has few apps will be the same WinRT-based desktop you're running in a few years on your shiny new laptop.  Yes, the RT debacle will clear up in exactly the same way that the Vista one did.  It's an adoption/timing issue.  

The catalysts for this move will be Windows Phone and the Xbox.  Microsoft is moving its "Universal Apps" to more devices, and what this means is that if companies want you to run their software on those devices, they'll be porting it over to the new architecture.  

The irony of this, of course, is that whilst the media no doubt fawns over Windows 9 and its ability to write once, run everywhere, they will simultaneously forget that we were already there with Windows RT, and whilst they stand on the shoulders of this huge endeavour, they will likely be mocking it in ignorance.

I hope that now you understand why the ignorance of the CNN article makes me so mad.



Tuesday, July 22, 2014

Thoughts On The 2014 Bell Canada Hack

In Canada, a large portion of our news comes from two monopolies, Rogers and Bell Canada.  They own the phone lines, the cable/satellite broadcast systems, the news desks, the sports channels, the sports teams and the sports venues (that latter chunk of sports is part of the next decade’s fight to keep TV subscriptions going, because you can't cut the cable if they have the monopoly on live sports).

Last month, there was a story (http://www.theglobeandmail.com/news/national/mounties-charge-quebec-teen-for-hacking-bell-customer-data-posting-it-online/article19156480/) about a teen being charged for hacking into Bell Canada and posting lots of small businesses information online.  If you don’t know this story, here’s the crux of it as far as it’s generally told:

  • About 20,000 records were leaked.
  • It was done by a hacking crew.
  • Only five valid credit cards were in the data.
  • The blame lies with a third party that had Bell’s data, but all Bell’s residential customers are safe.


Now, apart from the odd math indicating that Bell would have thousands of invalid credit cards on file and only five valid ones in a dump of 20,000 accounts, everything seems fairly cut and dried.  And that is how the news is delivered to the public.

What you don’t hear is how this is allowed to happen.

Five whole months before this breach took place, I was already on my second major pow-wow with Bell over exactly this type of third-party runaway data (http://coulls.blogspot.ca/2013/09/bell-canada-and-yellow-pages-data-issue.html).  Now, whilst the Bell breach has been dissected and explained in detail on third-party security blogs (a basic classic ASP site with a SQL injection hole, i.e. request parameters pasted straight into the SQL text, so a crafted parameter pulls back whatever the database holds), the problem remains that Bell has major security flaws. 
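To make "basic ASP site + SQL injection" concrete, here is an added illustration of that bug class (not Bell's code, not the breached application; the table, rows and payloads are all constructed for the example).  The vulnerable lookup builds the query by string concatenation the way a lot of classic ASP code did; the safe one passes the value as a parameter.  The two payloads are the textbook ones: a tautology that dumps the whole table, and a UNION that pulls a column the page never displayed (the card number) into a field it did.

```python
"""Added illustration: string-built SQL versus a parameterised query.
Everything here is constructed (in-memory SQLite, made-up rows)."""
import sqlite3

# Constructed sample data standing in for a small-business customer table.
SAMPLE_ROWS = [
    ("BC-1001", "Acme Plumbing", "acme@example.com", "4111111111111111"),
    ("BC-1002", "Bright Dental", "bright@example.com", "5500000000000004"),
    ("BC-1003", "Corner Cafe", "cafe@example.com", "340000000000009"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "account_id TEXT PRIMARY KEY, name TEXT, email TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, account_id):
    """The classic-ASP-era pattern: the request parameter is pasted straight
    into the SQL text, so a quote in the input closes the string literal and
    whatever follows it is executed as SQL."""
    sql = ("SELECT account_id, name, email FROM customers "
           "WHERE account_id = '" + account_id + "'")
    return sorted(conn.execute(sql).fetchall())


def lookup_safe(conn, account_id):
    """Parameterised: the value travels separately from the statement, so it
    is only ever compared as data, never parsed as SQL, whatever it contains."""
    sql = "SELECT account_id, name, email FROM customers WHERE account_id = ?"
    return sorted(conn.execute(sql, (account_id,)).fetchall())


# Two textbook payloads.  The first makes the WHERE clause always true and
# returns every row; the second appends a UNION that puts the card column
# into the 'name' position the page already renders.  The trailing -- turns
# the application's own closing quote into a comment.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT account_id, card, email FROM customers --"


def demo():
    conn = make_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "BC-1001"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": lookup_vulnerable(conn, UNION_DUMP),
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),
        "union_safe": lookup_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) {rows}")
```

Run it and the vulnerable lookup returns one row for an honest account ID, all three rows for the tautology, and three rows with card numbers where names should be for the UNION payload; the parameterised lookup returns nothing for either payload because it is looking for a customer whose ID literally contains the quote characters.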

It’s been some years since I first raised the flag with Bell’s Privacy Office about compromised accounts, and how I found them.  Bell hasn’t fixed the issue, so there are a number of people out there who are at risk of identity theft.  Just recently, I reported another issue to Bell, where they’re allowing people to share private credentials.  That Bell didn’t look for this is indicative of what’s on their “security” radar as far as I’m concerned, and that radar doesn’t look far from head office. 

Looking at what Bell Canada can see and can’t see, we can infer three fatal flaws:
  • The internal culture of thinking they’re more secure than they are is breeding opportunities for hackers.
  • The misunderstanding of the security risks means that hackers can target Bell Canada, who won't see what they’re doing until it’s too late.
  • Bell Canada is clearly none the wiser about where things are heading; they’re too focused on routers, encryption and technology to see how policy and mismanagement are counteracting that same technology.


So, the next time you hear about hackers taking Bell customer information, remember that the stable doors have been open for a while.

Monday, July 21, 2014

I just tried to give Microsoft more money.

As regular readers of my blog or people that know me well will know, I sit in both the Microsoft camp and the Apple camp.  

  • I program in both .Net and Objective-C (and lately, Swift too). 
  • I have an iPhone and a Windows Phone.
  • I have a Mac and a PC.
  • My Mac has Windows on it too.
  • I have an iPad and a Surface RT.
I like to think that I'm fair and knowledgeable about both sides of the camp.  I really like the effort both teams are putting into technology.  I also really like the ease of use for the cloud offerings.  Aaand I'm also getting really tired of Microsoft's inability to deal with me as a consumer in a reliable way.  (We've been here before - see here)  

As a programmer, things are great.  You set things up in Windows Azure and things just work...  

"You want Visual Studio 2013 Pro? No problem, we'll just tack on the subscription to your Azure account." - and shazam - you got a valid copy of it up and running.

 As a consumer, I have to fight tooth and nail...  
"You want Windows 8 to run under Parallels?  Sorry, we don't sell Windows for Mac"...
... and when you do finally get it...
"OK, we'll sell you the full copy of Windows, but you can only download an install stub that runs under Windows, which we understand you don't have yet".
...or even this...
"You can't order a Windows Kinect device to be picked up and paid for at the store".

So this week, it was time to update my Surface RT.  I've had a good time with the device, and it has served me well, but I can't run on old tech forever - especially in my line of work.

First I took a trip to Toronto's Eaton Centre, where Microsoft has a retail space.  I spoke to the people there who told me if I bring in the old device, I was eligible to get about $200 for the old device to put towards the new one.  This sounded reasonable.  Over the weekend, I had to go to Toronto's Yorkdale Shopping Centre, and Microsoft has a big store there, so I brought along my decommissioned Surface RT.

I knew something was going wrong the moment I walked through the door and said "Hi! I'd like to trade in my Surface RT and upgrade to a Surface Pro 3".  The assistant looked at me for about three seconds and replied that there is no program that uses old devices as part of the purchasing process for new devices.  

Rather than get into a long-winded argument, I pointed out what the other Microsoft store had said and then asked him if they had lied to me?  He said he'd go speak to his manager (a tall blonde guy that was parading around with his arms in a "Y" shape as he'd just scored a goal on the XBox One soccer game).  A few minutes later, he came back and said that yes, there was actually a program for this - and promptly delivered me to the back desk.

At the back desk, I was told there were three options to choose from (cheap, middle and expensive).  I opted for the cheapest one.  The guy went out the back of the store for five minutes and came back saying the option I'd chosen wasn't in stock, and really there were only two options.  So, I chose the cheapest of the two (the middle one).  He disappeared again to confirm they had that one.

Next came the trading in of the old device.  I was looking forward to my $200 credit being put on a device that was now already more expensive than I'd planned, so you can imagine my disappointment when the new valuation came in at $92.  I'm not kidding.

I left the Microsoft Store with the more-expensive-than-planned device, minus $100 worth of planned discounts, and just as peeved as I always am when I have to do something with Microsoft that involves me being a customer.

Having said that, the device is as nice as I'd expected it to be... It's just a shame that every time I look at the device, I'm miffed by the memory of the purchase experience (again!).  


Wednesday, July 16, 2014

Review: A Year With The Fitbit Flex

Over a year ago, I started wearing a fitbit flex.  I said on twitter that at some point I'd write a review on it, and now I've had sufficient time with it, here goes.

What is it?  
This is a fitness tracker/pedometer that packs a battery, an accelerometer, an LED display and a Bluetooth antenna into a wristband, and looks like this:


The Fitbit Flex

How good is it?
Depending on what you want to get out of it, it's going to be either a hit or a miss.  When I bought mine, I bought an identical one for my significant other.  If I said she recharged her device twice, that may be overstating it.  Why?  Simply that wearing it doesn't make you slimmer, faster or fitter; it tracks the work you still need to do yourself, and for most people that's still not fun.

Personally, I'm a partial practitioner of the Quantified Self movement - whilst I'm not "all in", I can't help being driven by data about myself and my own habits.  That alone makes this device a hit for me, whether I opted to be a couch-potato or an athlete. 

For Example:
Me: "Oh, that's interesting:  I just learned that if I sit on the couch all day and watch movies, I still get in 500 steps a day."

Next day... 
Me: "Oh, that's interesting:  I just learned that if I track a normal working day, I get in 9,000 steps a day."

Yes, this was going to be a hit for me as long as I can understand the data.  For someone like my partner, it was not likely to be as enthusiastically received.


What does it record?
This has two modes; During daytime mode, it's tracking steps (so it's a pedometer). During nighttime mode, it tracks the duration of your sleep and how restless you are.  The sleep-tracking part was a big factor for me as I wanted to find out why I was so tired in the mornings. 

The data is then uploaded to an app that runs on your smartphone or tablet.  Personally, I run it on my iPad.  I then enter weight information from my scales into the same app by hand, which allows the app to calculate the calories you expend throughout the day.  Combined with a food log (also in the app), you can work out if you're eating too little or too much.  The app is then tied in as a feed provider to my www.tictrac.com account and everything is presented on a dashboard there alongside my RunKeeper data and other apps.

Issues
There's two flaws with the fitbit flex:
  • The rubber they use for the band splits. The flex comes with a large and a small bracelet band. Only the large one fit me - and it split in four places.  Luckily, I had a spare band (see unused purchase at top of article) to fall back on.  The band scuffs and scratches easily too.
  • There was a period where it stopped syncing.  Support to get this working again wasn't exactly good.  A hard reset (put it in the charger and drive a paperclip into a hole) in addition to an app update seemed to fix all of these issues, but for the month of problems I had to endure waiting for a fix still nags in my mind.
Power
Battery life is good.  It generally runs for about 9 days, and I recharge it every weekend, so it never runs out.  You get a warning via iOS notification when the battery is getting low if you sync every day; however, if you skip a day of syncing and the battery is low, it does have a habit of just dying on you.  After a year, though, it shows no sign of capacity shrinkage.

Switching Modes
Switching modes is done by repeatedly tapping on it a few times for about a second.  It's actually fairly sensitive - and this means it often goes into night mode when doing things like pushing a supermarket trolley over 12 inch ceramic tiles.  (The "ka-chunk ka-chunk ka-chunk" of the wheels will send vibrations through the handle into your wrist and put the device into sleep mode).  

Alarm
A handy feature is the alarm: you can set it to buzz in the morning at a set time and it'll quietly wake you up without disturbing others.  The only gripe I have with it is that I can sometimes sleep through it, as it doesn't vibrate for very long. 

Conclusion
All in all, it does what it's supposed to do, and it does it well.  The $99 price tag is a little steep for some, especially if you find out you don't like it.  The wrist band could do with some updating to a more durable material because it didn't last as long as I'd expect (being someone with a desk job, I'd expect more than 9 months out of it).  The fact the data is open to services like tictrac is a big bonus, and the battery life is quite amazing.  

In short, I don't regret buying it.




Tuesday, July 15, 2014

How to resync Toronto Hydro's PeakSaver Plus Meter

I hit a problem last night which I've never experienced before, and the manuals were not entirely accurate: the PeakSaver Plus Meter stopped talking to the transmitter.  No matter what I tried for about half an hour, nothing would get the two devices to pair up and start talking again.  I even looked up the manual at Toronto Hydro, which stated this:


Naturally, I followed the instructions, but was confused because if I "press PROG/SYNC unil [sic] you hear two beeps to put the Display Unit in ID mode", it would only give me a single beep and put the unit into programming mode.

After about ten minutes of trying to work out if this only happens when you first fire up the unit (so I hard reset it, took out batteries, reset the transmitter, etc), it then dawned on me what they really want you to do:


  • Press the PROG/SYNC for about a second or so, and you'll hear a single beep.  You're now in programming mode.
  • Press and hold the PROG/SYNC button for another 5 seconds in programming mode and you'll go into ID mode.
Now you can hit "reset" on the transmitter outside and things will beep on the device and transmitter - and after a minute or so, things will start to work as normal again.

Hopefully this bit of clarity will save someone else from wasting time like I did.

Monday, June 9, 2014

CIBC Security vs A Labrador Dog

Updated - January 2015 - See bottom of article

Anyone that follows me will know that I have some long running gripes with one of my banks, CIBC.  Normally, I'm just complaining about run-of-the-mill stuff at CIBC, like bad customer service, the odd occasion of lying software, or people at the bank doing stuff they shouldn't with my records (that spawned an investigation, so details are not being made public).  All of that stuff, though, pales in comparison to security.  

I take my security rather seriously.  I definitely approach it more aggressively than my banks do.  Given how low the customer/bank trust has fallen in the Coulls/CIBC relationship, I do things like give the bank a unique email address on file, and this serves as a basic breach or data sharing warning if I get an email from a third party company other than the bank.  
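As an added example of the per-vendor "canary" address idea above (not the author's own tooling; the secret, domain and vendor list are constructed assumptions), the following mints one address per vendor and classifies incoming mail to it.  It goes a step further than a plain lookup table: the tag in each alias is an HMAC over the vendor name, so an alias turning up in the wild can be checked for tampering before a vendor is blamed for a leak.

```python
"""Added example: per-vendor canary e-mail addresses with a tamper-evident tag.
SECRET, MY_DOMAIN and EXPECTED_SENDERS are constructed assumptions."""
import hashlib
import hmac
from email.utils import parseaddr

SECRET = b"constructed-per-user-secret"   # assumption: never appears in an alias
MY_DOMAIN = "canary.example.net"          # assumption: a catch-all domain you own
TAG_LEN = 10

# Assumption: the domains each vendor is expected to send from.
EXPECTED_SENDERS = {
    "cibc": {"cibc.com"},
    "scotiabank": {"scotiabank.com"},
}


def _tag(vendor):
    return hmac.new(SECRET, vendor.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def alias_for(vendor):
    """Mint the address you give to this vendor and to nobody else."""
    vendor = vendor.lower()
    return f"{vendor}.{_tag(vendor)}@{MY_DOMAIN}"


def vendor_from_alias(addr):
    """Recover the vendor from an alias, or None if the address is not one of
    ours or its tag has been altered (so it carries no evidence)."""
    local, _, domain = addr.lower().rpartition("@")
    if domain != MY_DOMAIN:
        return None
    vendor, _, tag = local.rpartition(".")
    if not vendor or len(tag) != TAG_LEN:
        return None
    return vendor if hmac.compare_digest(tag, _tag(vendor)) else None


def classify(to_header, from_header):
    """What a message addressed to one of our aliases tells us."""
    vendor = vendor_from_alias(parseaddr(to_header)[1])
    if vendor is None:
        return "ignore"          # not a valid canary: nothing to conclude
    sender_domain = parseaddr(from_header)[1].lower().rpartition("@")[2]
    for allowed in EXPECTED_SENDERS.get(vendor, ()):
        if sender_domain == allowed or sender_domain.endswith("." + allowed):
            return "expected"
    return f"leak:{vendor}"      # someone other than the vendor has the address


# Constructed messages: the vendor itself, a third party, and a tampered alias.
SAMPLES = [
    (alias_for("cibc"), "CIBC Alerts <alerts@cibc.com>"),
    (alias_for("cibc"), "Great Deals <promo@mailer.example.org>"),
    ("cibc.0000000000@canary.example.net", "Great Deals <promo@mailer.example.org>"),
]

if __name__ == "__main__":
    for to_addr, from_addr in SAMPLES:
        print(f"{to_addr:45} <- {from_addr:40} {classify(to_addr, from_addr)}")
```

One caveat a practitioner would add: the From header is trivially spoofed, so a "leak" verdict proves that the alias has escaped the vendor's systems, not who is sending to it; the only strong signal is the alias itself, which is why the tag is there.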

I also raise security issues with the bank, like this one recently, when their security policies meant that they failed to proactively block their domains from credential-sharing sites (in comparison, my other bank, Scotiabank, had proactively sought this out and blocked it before I even discovered it).


May 23 2014's Twitter DM to CIBC to raise the alarm.

Now, to bring in the dog in the title...

Back in April, I asked CIBC about a security hole in their Credit Card IVR system.  In short, the hole looks like this:
  • The bank's computer calls the phone number on file.  
  • You're asked to press 1 for English.
  • You're asked to press 1 if you are the person they want to talk to.
  • The computer relays sensitive balance information over the phone.
It doesn't take a genius to spot that CIBC has no idea whether it's talking to you, the nanny, the cleaner, or the thief who took possession of your handbag five minutes earlier, because pressing the "1" key is not a secret; anyone holding the phone can do it.  In my book, that's not a valid measure of security.  If CIBC were to concur that this is not a good bit of security, that's as good as an admission that they deployed a customer-facing system that gives out private balance info without any security.  
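To make the point concrete, here is an added model of the call flow described above beside a hardened variant (this is constructed example code, not CIBC's system; the prompts, balance, PIN and callers are all made up).  The weak flow reads the balance out after two keypresses that anyone on the line can make.  The hardened flow reads nothing sensitive until the listener proves knowledge of a secret, compares it in constant time, and locks out after a few wrong guesses.

```python
"""Added model of an outbound balance-notification IVR: the flow as described
versus one that authenticates the listener.  All values are constructed."""
import hmac

BALANCE_MSG = "Your current balance is $1,234.56"   # constructed
PIN_ON_FILE = "4821"                                # constructed
MAX_ATTEMPTS = 3


def weak_ivr(press):
    """Two keypad prompts, neither of which proves who picked up, then the balance."""
    transcript = []
    for prompt in ("Press 1 for English", "Press 1 if you are the cardholder"):
        transcript.append(prompt)
        if press(prompt) != "1":
            transcript.append("Goodbye")
            return transcript
    transcript.append(BALANCE_MSG)
    return transcript


def hardened_ivr(press):
    """Same call, but the balance is withheld until a PIN matches, and guessing
    is limited."""
    transcript = ["Press 1 for English"]
    if press(transcript[-1]) != "1":
        transcript.append("Goodbye")
        return transcript
    for _ in range(MAX_ATTEMPTS):
        prompt = "Enter your 4-digit telephone banking PIN, then press #"
        transcript.append(prompt)
        entered = press(prompt)
        # Constant-time compare; a real system would check a salted hash of the
        # PIN rather than hold the PIN itself.
        if hmac.compare_digest(entered.encode(), PIN_ON_FILE.encode()):
            transcript.append(BALANCE_MSG)
            return transcript
        transcript.append("That PIN does not match")
    transcript.append("Too many attempts. Please call the number on the back of your card")
    return transcript


def disclosed(transcript):
    """Did the call read the balance out?"""
    return BALANCE_MSG in transcript


# Constructed callers: each receives the prompt and returns what it keys in.
def labrador(prompt):
    return "1"                      # presses 1 whenever it hears a prompt


def cardholder(prompt):
    return PIN_ON_FILE if prompt.startswith("Enter") else "1"


def make_guesser(guesses):
    """A thief with the handbag (and the phone) trying a few common PINs."""
    queue = list(guesses)

    def press(prompt):
        return queue.pop(0) if prompt.startswith("Enter") else "1"
    return press


if __name__ == "__main__":
    callers = [("labrador", labrador), ("cardholder", cardholder),
               ("guesser", make_guesser(["0000", "1234", "1111"]))]
    for name, caller in callers:
        print(f"weak/{name}: disclosed={disclosed(weak_ivr(caller))}")
        print(f"hardened/{name}: disclosed={disclosed(hardened_ivr(caller))}")
```

Even the hardened version has a design smell worth naming: an outbound call that asks the customer to key in a secret trains customers to do exactly what a vishing caller wants.  The better pattern is for the outbound call to say nothing more than "please call the number on your card or check the app", so the secret is only ever entered on a call the customer initiated.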

That's probably worse than thinking that pressing "1" will keep out imposters.

Either way the bank just blindly spills out information without properly verifying who it's talking to.  Here's the conversation thread on Twitter with CIBC where this was first raised...

Twitter Conversation With CIBC

As you can see, the people at CIBC dropped the conversation there and then... They never responded and never followed up.

However, I did speak with someone who works as a consultant at a rival bank about this over beers, so the CIBC security hole didn't go away just because CIBC wasn't taking it seriously.

A challenge was then laid down to see if we can train a dog to press the "1" key on a telephone every time it hears "Press One" on the speakerphone.  If we can train a dog to do that, we can prove the current security measure can be breached at the bank.

Before I started training a dog to do this, a seed of doubt had been sown in my mind by "EH" above...  What if my memory was incorrect and it had asked for a password, or some other code and I'd just entered it without thinking?  We would have to wait until CIBC's computer called again to double-check this...

Tonight, it called.  It didn't ask for anything, and the above script of pressing the "one" key twice will get the details spilled, just as I thought.

This means it's game on... the challenge has been accepted and I will now attempt to train a Labrador to show it can circumvent CIBC's security.

Update - January 6th, 2015

It's been nine months since this was raised with CIBC.  I never did get the dog to trigger the bank to give out information and so I lost the wager - not because CIBC is particularly "dog secure" but because it's simply too damn hard for my dog training "skills" to get a Labrador Retriever to reliably use a touch tone phone.  However, today their system got triggered again and it called me.  Amazingly, this security hole is still there - they haven't addressed it in over nine months.

I think it's time to go double-or-quits on the original wager and see if I can breach CIBC using one of my 2-year-old twins in place of the dog.