edoceo: Latin "to inform fully, instruct thoroughly"

Edoceo's Blog

Friday, January 15, 2010

Restricting Password Characters - For Security?

Recently we went to create an account on a web-site (name withheld). During the process we needed to create a password. Then we got an error message:

The '#' character is not allowed for security purposes.

What is that? A joke? Restricting characters for security? How?

Most reasonable web-applications do not and should not care what characters a password contains. When a password is submitted, regardless of any exotic characters in it, it should be immediately hashed! Then the hash is compared to the stored hash on file. And hash sums (md5, sha1, etc.) don't contain any "exotic" characters - the output is just hex digits, whatever went in.

It seems that sites which restrict these characters are likely not hashing the password - because why else would they care?

Note: to confirm this we asked the site for help recovering our password. Rather than send a reset form they sent an email containing our password - proving they store the password itself rather than following the best practice of hashing it.
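To show why the '#' restriction buys nothing, here is an added example (not code from the original post) of hashing and verifying passwords in Python. It uses salted PBKDF2-SHA256 from the standard library rather than the md5/sha1 the post mentions, and the function names are my own; the point is the same: the password is hashed on arrival, only the hash is stored, and the stored value is plain hex no matter what characters the user typed.

```python
import hashlib
import hmac
import os
import re

# Added example, not the blog's code. Salted PBKDF2-SHA256 is used instead of
# the md5/sha1 mentioned in the post; any hash gives the same "only hex is
# stored" property the post is making a point of.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a storable record 'salt_hex$hash_hex' for any Unicode password."""
    if not salt:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, record: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare."""
    salt_hex, stored_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    # constant-time comparison so the check does not leak via timing
    return hmac.compare_digest(candidate.hex(), stored_hex)


def record_is_plain(record: str) -> bool:
    """True if the stored record is only hex digits plus the separator,
    regardless of which characters went into the password."""
    return re.fullmatch(r"[0-9a-f]{32}\$[0-9a-f]{64}", record) is not None


if __name__ == "__main__":
    # constructed sample passwords, including the '#' the site rejected
    for pw in ["p#ssw0rd!", "<script>'; DROP TABLE users;--", "pässwörd ☃"]:
        rec = hash_password(pw)
        print(repr(pw), "->", rec)
        print("  stored value is plain hex:", record_is_plain(rec),
              " verifies:", verify_password(pw, rec))
```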

Friday, December 11, 2009

Passwords Can Rot

Passwords are a very standard method of authenticating users. Password authentication is subject to loss or disclosure as well as loads of different types of attacks. See you in hell, password-based authentication: it's 2009 and better methods have been known for years. What's the hold-up on using certificates for positive authentication and identification?

Many of today's Internet services are offered over SSL or TLS secured connections. Over these the server side (HTTPS, SMTPS, IMAPS, etc.) can request a certificate from the client for authentication. Simply issue each client a certificate and there it is. If the certificate is lost or otherwise disclosed, add it to the CRL and issue a new one.

Here's an example of securing a web-application on Apache with mod_ssl, our local certificate authority and a few simple configuration options. This same method can apply to many web-services such as on-line banking and web-based email. Most email clients support SSL/TLS for SMTP, POP3 and IMAP services, allowing certificate usage there as well.

There is a minor data and service management overhead, but it makes the Internet a safer place.

Monday, November 23, 2009

Google Apps + Google Accounts

This appears to be a confusing topic. Why, when I have Google Apps (Enterprise, no less), do I not get a standard Google Account with it? Just to use iGoogle we have to create an additional account (and sign in), then it's a silly process to get the iGoogle home page to respect the mail and calendar services from my Google Apps accounts. Google: sort this out! Just give Apps users accounts for all the other Google services. This duplicated account scenario is just silly from an organization of your size.

Thursday, October 29, 2009

Google Calendar Quick Add Broke Again

Google QuickAdd used to support entries like '1000h Meeting in Renton' and would correctly add that event at 10:00 AM on the given day. This feature broke a while ago, then was fixed and now appears broken again.

The first time it broke the time wasn't parsed at all and the event was added as an 'All Day' thing. Now when it breaks the time is shifted, which is worse: '1000h' becomes 03:00 AM. Thinking it might be a timezone-to-UTC issue I tried selecting different timezones - the time is still interpreted with the same shift.

Unlike the last time this broke, however, the pattern '19:00 Dinner' is still correctly interpreted as 07:00 PM. So I've still got that going for me.

Google: it would be nice if you published interface changes/upgrades or something.

Monday, October 5, 2009

Windows 2000 + Kaspersky + Frozen/Locked Desktop Icons, etc

Recently we were called to a client's site to fix a very broken Windows 2000 system. The issues started after Kaspersky was force-installed. Kaspersky says not to do that, but oops!

Symptoms included:

  • Frozen/Locked Icons on the Desktop and other Explorer windows
  • Corrupted display of Add/Remove Programs
  • Event Viewer wouldn't show any property pages
  • Many services failed to start (such as Windows Installer)

Windows Repair was not helpful; it usually isn't. Windows 2000 was required due to other software limitations on this hardware. Upgrading to XP was not an option.

After many hours of digging around the web to no avail (suggestions to toggle various checkbox settings were not helpful) we found the answer with a Hail Mary pass.

Using Windows 2000 discs we had from the past (about 10 years old) we re-installed into a VirtualBox instance. This instance was upgraded with all the latest updates (SP4, etc.). Then the HKLM\Software\CurrentControlSet registry key was dumped from the good machine and imported into the failing system. Success!

Many services had been deleted by Kaspersky, including RPC, which is required for Windows to do anything more than play Minesweeper. The files were there but the registry entries were not. After this massive import and a reboot the system was fixed.

It took a lot of hunting in a buried system (the Registry) and deciphering unhelpful error messages from the Windows sub-systems. It was even more difficult given that Event Viewer wouldn't show any property pages, so details were not forthcoming. That's why Linux systems keep configuration and logs in plain text - they can be read from any system and are easy to swap out, rather than recursively-interdependent components that are all too easy to disable.

Friday, August 14, 2009

Comcast Violates Laws when Porting Numbers Out

Watch out when porting your number out of Comcast! We recently ported two numbers out of Comcast service. Imagine our surprise when we were still billed for telephone services. When we called the Comcast support line to ask what the issue was we were informed: "Oh! Looks like the porting department really screwed up, this is ridiculous".

Moral of the story: double-check Comcast's work.

Saturday, July 18, 2009

Comcast DTA Conversion - Epic Fail!

This has to be the poorest planning of a technology roll-out we have seen in the last 10 years. This post is dedicated to Brian L. Roberts, CEO of Comcast, who let this fiasco happen on his watch. For the record Edoceo holds no shares of Comcast and David Busby (our owner and author of this post) has sold any/all of his.

First Fail

Folks from Comcast showed up at our building (a 5-unit walk-up) just before noon to drop off the new DTA boxes. No announcement, no pre-notice was given.

I was given two boxes for my unit. I told the Comcast guy that I could take the devices for the other units - he refused. I informed him that I own two units in this building and needed at least four devices - two for me and two for the tenant I lease to. He flatly refused. The devices needed to be set up for the tenant's account. Apparently this Comcast ass-clown could not get it through his thick skull that as landlord of the unit I'm the one providing them service, and that when my tenant moves out the Comcast service will remain and I will continue to pay for it.

Summary of Issue One: Comcast will not give devices to the person who pays the bills, only to the person that some dip-shit delivery boy thinks pays the bills, because his instructions are to give the devices to "the tenant". Be damned that when the tenant moves they'll have to come deliver more boxes for my new tenants, or that the existing tenant currently has no obligations to Comcast whatsoever. Stupid!

Now we have these devices - each of which consumes 24W (120V * 0.2A) - a total of about 210kWh per year. In Seattle this will cost roughly $12/yr per device (24W * 24h * 365.25d / 1000 = 210.385kWh/yr * $0.05844/kWh = $12.30/yr) - the price per kWh is the yearly average. That's $12/yr for each device - our building has (at this time) four devices; once properly squared away we will have 10 devices. As these devices are constantly on we will be drawing an additional, constant 2A and have a total yearly increase in power consumption of 2103kWh. Let's save the conversation about the environmental cost of >2000kWh for another time. Either way - each device now costs us, the consumer, an additional $12/yr.

Second Fail: When we call in, the system asks for a 16-digit number on the front of the box. Both of our boxes are missing this number. We enter our phone number instead - but Comcast cannot find my account.

On to activation of said devices. Did I mention that before calling we had to have all devices plugged in, connected to the TV and powered on? Well, it's true. After completely setting up the hardware it's time to call the activation line (888-634-4434). Our first call was at 1316h and took 17 minutes. They couldn't find our account - because our building has one account (for bulk TV) and each tenant has their own accounts for Internet and Voice (to recap: bulk TV in the building for 5 units, 2 separate accounts for Internet (me and one other) and one for Voice (me, but not for long)). So then they found us by address, and I had to call a different line. Then my damn iPhone ran out of battery.

Third Fail: Cannot find the account, cannot properly sort out these devices when given to individuals who have service on a bulk account. CSRs not properly trained for this circumstance.

I waited to charge the phone, then called back at 1607h - waited 7 minutes for a person to get on the phone whom I could not understand, so I had to hang up and call again. Now Marcy is helping me. Oh! She cannot find my account - so I explain to her how the "bulk services" work and ask her to connect me. (I cannot connect myself because I don't know the account number or the phone number the account was set up on, as it was done by our HOA more than 10 years ago. Comcast will also not share that information with us.)

OK, now it's time to wait. I disconnect the DTA from power while waiting, listening to crummy (and very static-y) music on hold. Can't we get Mozart, Brahms or Bach - why this crappy "new age" shit?

This time on hold: six minutes. It ends with us having to start all over! So, we enter our phone number. Then the system asks if we are a customer (shouldn't you already know? - my IVR is that smart). When prompted about new DTA activation we are taken back to the system from part one (above) to start the process again. Then the system told us they were overloaded and we had to try again.

Fourth call to Comcast regarding the same issue. As soon as our call was answered we asked for a supervisor - not playing around this time. 31 minutes on hold to find I have to call back into the bulk/commercial department (800 316 1619).

So we called that number, which again couldn't find us because the original phone number for the account had been lost. They couldn't find us by address either, but this CSR was very helpful in trying to find our account.

Now, finally, we have an intelligent, tenacious person to deal with. She attempts to signal our DTA boxes with no success. Still a dead box, still no TV activity. Our options came down to trading in the boxes for new ones at the service center on Monday or waiting for a tech to come to us on Wednesday. We chose the tech.

Check back here in four days to find out the results!

Here is a summary of what Comcast did wrong and how most technology providers do it right:

1) Unannounced technology upgrade? Epic Fail. Users like to be told well ahead of time about changes.

2) Couldn't give me devices for all the units I own and pay for service on - poor decisions by management led to failed execution by staff.

3) CSRs poorly trained to handle the bulk-account situation.

4) IVR and PBX system did not have sufficient capacity to handle the flood of calls from the roll-out. Everyone knows that change brings in phone calls - lots of them.

5) Process and IVR system poorly designed, which frustrates clients dealing with the issues from parts 1 through 4.