Monday, September 26, 2016

Web designers need to follow standards

Web designers need to learn web standards and design their pages to respect them.  Too often it appears the pages are designed for Windows and IE using cookie-cutter templates.  The world has evolved and people are using Linux, OS X, Android and other operating systems with different browsers, and the pages work poorly if at all.

These are the web sites of major companies like Best Buy, Staples, Walmart and Canadian Tire.  They have the money to invest in a well designed site, but, many of the choices they made in their web design break the expected functionality of various web elements or have serious errors in their JavaScript code.

Examples:

Check boxes

Just about all of the sites refresh the page when you click on a box; even if you want to click several, they force a refresh after each click.  Wait until the user picks all of the options and then have a refresh button for when they are done.  Best Buy is the worst: when I am looking for an item there are refreshes every time I select a box.  This is time consuming, as something that should take only seconds takes me several minutes.  One other thought on this.  Every time you do a page refresh your server gets hammered multiple times along with the database.  The time used to service every little check box could be used servicing another client.  Throwing more hardware, software and communication pipes at it only serves to enrich the providers of the same.

Product availability

Best Buy, I am looking at you here!  When I finally get through check box hell I see a lot of products are 'not available'.  If it isn't available then don't show it, or, have a checkbox for 'Available locally' or 'Can be shipped to your location'.  Also, allow a check box to remove 'ONLINE ONLY'.  When I am looking I want to know if it is in stock so I can go later to pick it up at the store.

Forced page refreshes

Canadian Tire, I don't know if you are aware, but, when I select a product the page refreshes itself about every 30 seconds and there is nothing I can do to stop that behaviour.  It is highly annoying, as I am trying to read product information or reviews and after the refresh I am back up at the top of the page again.  This was on my Windows box and Linux box using Firefox and Chrome.  I didn't try IE as that is Windows only.

Forced to provide a location

Look, I am just wanting to check out the product, features and reviews.  If I am interested then I will let you know roughly where I am.  There are sites that ask me to provide a location every time I change a page.  Ask once then remember my choice!

Auto-play videos

Come on, enough already.  I don't need loud commercials that I have to turn off (sometimes they can't be turned off).  I am paying for the bandwidth usage, not you, and sometimes I am on my tablet or cell phone and those ads bring them to their knees for minutes at a time while trying to play those videos.  If I am interested I will click on it.  Can't take the hint?  Well, that is why I am running various ad-blocking add-ons in my browser, and I suspect that is the reason why so many others do so too.  For sites that respect me, I turn off the blockers.

Massive scripts

Now and then I look at the code for a given web page and over 80% of it is for scripts and images and very little is for text.  That is a massive overhead for stuff that most of the time isn't needed.  This takes time to download and takes up storage on the servers.  Have the developers review the code, and if they don't understand what is being done then pull the code until they know what it does.

Review your page before releasing to the public

Staples is at fault here.  Too often the page has issues rendering (sometimes it is a blank page).  Sometimes it is IE that has issues; other times it is either Firefox or Chrome.  How about testing your pages on multiple operating systems and browsers before they are released?  Check for error messages!  I checked several times and I had page after page of errors in JavaScript.  Really?  A client facing page and you have that many pages of errors?

What I would like?

Well, how about learning what web standards are?  Learn some of the basics of HTML, forms and other design elements rather than letting the web page designer software do the work.  The software may help, but, you really need to know the basics of good page design.  It is like giving a grade-one student a calculator to help them learn math.  They may know enough to punch the buttons, but, they don't really learn how to do it, will never know if there is a mistake, and if they don't have a calculator they can't do math.

Have ordinary people test out and review your site (or updates).  Ask them to do specific tasks and watch what they do and then ask them what they liked and disliked and what caused them problems.  To keep it real world make sure the machines are not the fastest up-to-date machines and have a slower network connection.  Use multiple operating systems, browsers and devices to make it more like how your customers access your web site.

Where you have feedback pages make sure that the feedback is reviewed and acted upon.  I don't know if senior management is even aware of what feedback is given, but, I suspect it may be just the positive feedback and most of the critical comments are not sent up the food chain.

Finally, KEEP IT SIMPLE.  You are trying to sell a product not fluff web pages.  All of the pretty images, sound, colours are a distraction most of the time and most consumers are tuning it out or using software to shut it down.  Make it 'How may I help you' and steer the consumer to your products, product information and reviews, pricing and availability.

Sunday, September 25, 2016

IoT now being used for DDOS

It was a matter of time before this happened.  With the various manufacturers of IoT devices worried more about being first, market share or making money (or all three), they have left device security as an afterthought.  Brian Krebs is one of the first that I know of where those not happy about what he does tried to silence him using a massive DDOS attack that appears to be using IoT devices.  In the past he has been a target for swatting.  His site, Krebs on Security, isn't back up at the time of this blog being written, and that is a shame.  Ars Technica has a good article on this subject that you can read.  I agree with the article that this is a troubling development.

The problem is that it is like the wild west with IoT devices.  If manufacturers don't do something about security and upgrades soon web providers and/or the government will do something about it and the potential will be stifled.

I see this as an opportunity for Anti-virus makers and software developers.  If they can develop a simple application to
  1. Scan your network for IoT devices and present you with their findings;
  2. Make it extensible to allow us to manually identify and flag IoT devices that were not detected and send feedback to the developer about the new devices;
  3. Identify potential security holes and list options the user can take to secure their devices;
  4. Automate the fixing of holes and changing settings to make the devices more secure.
Developers who can do the above will have an opportunity to make money while helping secure the newest set of toys on the internet.
In the long term manufacturers need to put security and the ability to upgrade at the top of the list and to firmly step on the neck of marketers and tell them NO, security comes first, not market share or money.  That is hard, as they will tell everyone that a company is in the business of making money.  That is fair, but, they should be reminded that if people cannot trust their product they will not be making any money!

I may be an exception to many people looking at IoT products for the home (or office) as I look at:
  1. Can it be patched when security holes are identified and fixed?
  2. Does it ask the user, out of the box, to create an admin account and passwords rather than shipping with defaults?
  3. Good documentation on the product and its configuration.  A simple user guide will suffice and then point the user to a web site with more detailed documentation;
  4. Can certificates be added/changed/deleted so that one default certificate isn't used on every device made by that manufacturer?  I do this for my browsers and Linux boxes.  There are certain countries (like China and soon Russia) where I disable ALL their certificates as I don't trust them; I may be wrong or paranoid, but, my machines my rules;
  5. A tool to manage the IoT device and the ability to log all actions to a write-only area by the IoT device.  The reason for write-only is that if hackers do get in we want to make it a bit harder to alter the logs;
  6. What is the support policy and expected life for support?
  7. If it requires using the cloud to do its work
    • Is the communication encrypted end-to-end?
    • Can the end user create their own local server?  The reason is that the manufacturer will eventually stop supporting the product or go out of business.  When that happens we are left with a product that still works but is, in practice, non-functional.

At this time hackers can (and are) using the weaknesses in IoT devices to create massive botnets and disrupt access for individuals and companies (like battlenet and Runescape), shutting down access until they cave to the demands or spend a massive amount of money to mitigate future DDOS attacks.  Hackers are not stupid and realize that this is a ripe area to exploit, as there isn't much in the way of detecting and stopping them.  The individuals behind the DDOS are bullies and need to be recognized as such and treated as such.  Krebs and battlenet are the most recent victims, but, will not be the last.  The question is how many more times and how many people will be impacted before action is taken?

Update 2016/09/25:

Looks like Krebs' site is back up.  Good to know that he is back and the DDOS bullies didn't win this time.

Sunday, September 18, 2016

A new tool for my wife

Yesterday I picked up a new tool for my wife.  She does have a laptop and it is in our office.  The problem is that she had a stroke a year ago and it is much too large and heavy for her to carry downstairs and use while sitting on her lap.  Factory Direct up the street had refurbished models of the Acer Chromebook for $129 (Canadian) that looked like it could do what she wanted and is light enough that she can carry it around with one hand.  Her needs are simple: web browsing (news, weather and a few other sites), email and Facebook.  She has a tablet for her gaming and Facebook that she uses daily.

The Chromebook did it all right from the start without issues.  I made a minor tweak to turn off the touch-pad as I installed a wireless mouse.  It took only a minute to find how to do that on the web (I bookmarked that for future reference on the Chromebook).  The only minor quibble I have is that 16 gigs isn't enough (and I am not spending more money to install a new larger SSD).  It appears that the O/S takes up a fair bit of space and leaves 1 gig for the user.  I can live with that as she is using it only for lightweight web work and does not need a huge amount of drive space.  I formatted a 16 gig SD card in Linux, inserted it in the slot and pointed the downloads to it so we don't use valuable drive space when she downloads files.  I don't see how to change the directory for the cache (yet) to point it there.  I did try to install our wireless printer, but, we have an older model and it isn't supported by Cloud Print.

I did set up links at the bottom of the screen to email, browser, Facebook, Google drive so most of her normal tasks are one click away.  Next up is to see how the battery life is for her without it being plugged in.  If you are looking for a lightweight machine for simple tasks that don't depend on local storage the Chromebooks are an option to look at.

Sunday, September 11, 2016

IoT - Do it better?

I am reading and hearing more and more about 'hacks' on IoT devices and other network connected devices (like cars).  Security must be the first thing a maker has in mind, not money or being able to brag that they are first to market.  The makers of IoT need to get together and define a number of things; if they don't do this then I will not be surprised when (not if) the government gets involved and imposes a solution.

Common API.

  • I suspect a lot of functions could be described by a common, free to use API.  The GPL worked well for Linux and maybe it could be the model here too.
  • Open it up so the end user can also tinker with the device.  Look at what has happened and is still happening to Linux over 25 years.
  • With a common API you can present to the users a consistent front-end for setting values and reviewing settings across a number of products in your IoT product offerings.  When there is a new product it would simplify the development work on building a front end, as code for common functions is already there.

Security.

  • Too often there is a security hole and there is no way for the end-user, or even the manufacturer, to fix it.  Many times the users don't know there is a hole until news about the issue hits mainstream media, or, hobbyist friends send them a note.
  • What would it cost to allow the user to get patches and updates?
  • For certificates there MUST be a way to update the certificates when they are compromised.  Right now we either live with compromised devices or trash the devices.
  • Default settings: allow the user to modify what goes out over the network.
  • Makers claim their devices are secure, but, without being able to inspect how they implemented their security we don't know for sure.

Life of device.

  • Define what the process is, what will be patched and for how long, and when it will no longer be supported.  Dropping support and killing the servers so that the device becomes a paperweight isn't acceptable.

Communication.

  • Be up-front on what is captured, why and the frequency it is sent.  Allow the end-user to select the level of information sent out and explain why it is needed and functionality lost by opting out.
  • When the device gets hacked (not if), be up-front to the community on what happened, what was taken and the steps being taken to close the problem and fix it so that it won't happen in the future.