Thursday, February 27, 2014

Security Theater

There’s this website I have to access occasionally for work, but the account password expires after a fixed period of time (a few months).

Fair enough. For security reasons, passwords should be changed periodically. Having them expire is a straightforward method to force users to comply with this policy. You log in, receive a notification that your password has expired, enter your old password once, your new password twice, and voila, your password is changed. All that's left to do is write it down on a sticky note and affix it to the front of your monitor.

The problem I’ve had with the way passwords expire for this particular account is that there’s no indication that the password has expired. If my password doesn’t work, I have no idea whether I just mistyped my password or it’s actually expired. As a result, if I enter the previously valid password too many times, I’m locked out of the account. Again there's no indication that this has happened. Wrong password. Expired password. Too many attempts. Bzzzzt! Try again. Fail.

What a great idea: a password policy that’s completely opaque to the people forced to use it. To change your password, you actually have to visit a separate website and, of course, none of the websites where you use your password link to it.

If you haven’t figured out yet where I’m heading with this story, it’s that I’ve been locked out of this account more than once. When that happens, I have to call the help desk to have my password reset.

Given the hostile design of the login process, I half expected my reset password to be a long string of Ms and Ns, all recited to me over a bad phone connection. Sorry, for security reasons, we can’t email it to you.

Fortunately, it was surprisingly user friendly, but I immediately recognized the new password as one I was given previously: the six-character company name plus three sequential digits.

The new password worked on the first try, but I wasn't forced to immediately change it, so it was obviously not temporary. That seems like a big pile of security stupid, but it’s their policy, so whatever. To my credit, I immediately headed over to the site I bookmarked to change it, but that option was nowhere to be found.

So now I have a password that’s easy to remember.

Security theater, adopting an ineffective or poorly implemented policy just to have a policy, is worse than no policy at all; it consumes resources that could be more effectively allocated and gives a false belief that risk has been reduced.

Put more succinctly, the only security worse than no security is false security.

Friday, February 14, 2014

Valentine’s Day Candy

The month of February brings two seasonal candies of note. One is Conversation Hearts, the crack cocaine of the candy world. The box is labeled as a single serving, but you can buy them in packages of eight and that’s typically the amount you’ll eat in a single sitting. Just make sure they’re Brach’s Classic Flavors—the Necco brand isn’t as tasty and the tart varieties of the hearts are just plain wrong.

SweeTARTS Hearts also become available this time of year and, like traditional conversation hearts, have messages on them. However, if you think all SweeTARTS are the same, think again. These aren’t just SweeTARTS pressed into a different shape—bite into these and they crumble apart into a powder that melts away in your mouth. Mmmmm. It’s a welcome change from the SweeTARTS that come in rolls; those require some serious mastication to get at their sugary treasures.

And while we’re on the subject of SweeTARTS, when I’m Earth Overlord the production of blue raspberry and green apple SweeTARTS will be prohibited. The usurpers will be replaced with the original rightful flavors of lemon and lime.

Sunday, February 9, 2014

Friday, February 7, 2014

People Who Live in Glass Houses

Watching the Star Trek reboot last night, a question came up: who’s won more well-known awards for acting, William Shatner or Leonard Nimoy? Turns out it’s Shatner; he’s won two Emmys out of seven nominations. Nimoy has been nominated for four Emmys (three for Star Trek), but never won.

On the flip side, Shatner’s penchant for overacting has won him two Razzies out of five nominations. One of the nominations he didn’t win was for Worst Actor of the Century. Intrigued, I headed over to The Razzies website:

As soon as my eyes stopped bleeding, I began to wonder: Is this a joke? If I wait long enough will a popup appear saying “Ha! Ha! Just Kidding! Click here to go to our real website.”? Did they actually pay someone for building this website? Was the intent to make the content and ads indistinguishable? Was the person who approved the design both color- and clutter-blind?

For comparison, here’s the stylish website for The Oscars:

The delicious irony here is the complete lack of taste shown by The Razzies, an organization whose purpose is to point out other people’s complete lack of taste.

This isn’t surprising. A key aspect of incompetence is a lack of awareness of one’s own ability (something known as the Dunning-Kruger effect). The truly worst movies are made by people who think they’ve created a masterpiece.

So here’s to you, Razzies, for being the butt of your own joke.

And if you want to add more total awesomeness to your website, head over to The World’s Worst Web Site Ever for some ideas.

Saturday, February 1, 2014

Targeted Advertising

The ads on the left were served to one Facebook user; the ads on the right to another. Guess which one is a man and which one is a woman.