Could have been worse
https://xkcd.com/327/
An iCloud customer says she spent more than six hours on the phone to Apple after being locked out of the service because her name is apparently incompatible with the application code. "Actor, author, artist" Rachel True posted on Twitter about an error with the iCloud application, an unhandled exception with "Type error: …
Just write HTML.
<a href="https://google.com/little bobby tables">You know how to do that off the top of your head, right?</a>
Oh, looks like our fair vulture's sanitizer doesn't properly escape HTML inside pre
tags, so I had to use fancy unicode brackets. They're a bit shouty.
I actually used that, well, the nuclear option, DROP DATABASE, when testing an online shop.
I reported a bunch of SQL Injection vulnerabilities in their shopping system. They weren't interested. I escalated it. Nobody understood... I asked them if they had a backup, they said yes, so I SQL-injected DROP DATABASE as the password. Woomph, the whole test environment ceased to be!
The management and devs certainly sat up after that eye-opening moment. They went back through my report, which listed over 2 dozen instances in the system where they weren't sanitizing the data. 2 days later, the problem had been removed and the data restored.
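The injection described in the post above, reproduced as an added example (this is not the poster's test or the shop's code). It uses Python's standard sqlite3 module with an in-memory database and constructed sample data. SQLite has no DROP DATABASE statement, so the destructive payload drops the users table instead; the mechanism, a quote that ends the string literal followed by a stacked statement, is the same. The payloads, field names and account are all constructed for the demo.

```python
"""Login SQL injection, as described in the post above, and its fix.

Example code added to this thread (not from the original post or the
shop's real system). It uses an in-memory SQLite database with constructed
sample data. SQLite has no DROP DATABASE, so the destructive payload drops
the users table instead; the mechanism (stacked statements) is the same.
"""
import sqlite3

# Constructed payloads: the first bypasses the password check, the second
# ends the query early and stacks a destructive statement after it.
BYPASS_PAYLOAD = "' OR '1'='1"
STACKED_PAYLOAD = "'; DROP TABLE users; --"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account. Passwords are kept in clear only
    to keep the demo short; a real system stores a password hash."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('alice', 'correct horse')")
    con.commit()
    return con


def table_exists(con: sqlite3.Connection, name: str = "users") -> bool:
    row = con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def _concatenated_sql(username: str, password: str) -> str:
    # The bug: untrusted input is pasted straight into the SQL text.
    return (f"SELECT id FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Concatenated query. With BYPASS_PAYLOAD as the password the WHERE
    clause becomes ... AND password = '' OR '1'='1', which matches every row."""
    row = con.execute(_concatenated_sql(username, password)).fetchone()
    return row is not None


def run_vulnerable_stacked(con: sqlite3.Connection, username: str, password: str) -> None:
    """Same concatenation, on a code path that runs every statement in the
    string. sqlite3's execute() refuses a second statement, so executescript()
    stands in for the drivers and DB APIs that do accept stacked queries."""
    con.executescript(_concatenated_sql(username, password))


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver sends the values separately from the
    SQL text, so quotes and semicolons in the input are just characters."""
    row = con.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Runs the whole scenario on a fresh database and returns the outcomes."""
    db = make_db()
    results = {
        "vulnerable_bypass": login_vulnerable(db, "alice", BYPASS_PAYLOAD),
        "safe_bypass": login_safe(db, "alice", BYPASS_PAYLOAD),
        "safe_real_password": login_safe(db, "alice", "correct horse"),
        "safe_stacked": login_safe(db, "alice", STACKED_PAYLOAD),
        "table_before_stacked": table_exists(db),
    }
    run_vulnerable_stacked(db, "alice", STACKED_PAYLOAD)
    results["table_after_stacked"] = table_exists(db)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The parameterised version is the whole fix: there is no amount of "sanitizing" of the password string that is as reliable as never letting it become SQL text in the first place.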
From the look of things they're using poorly formatted JSON in their API requests, setting "true" or "false" as string values instead of a boolean, then "fixing" that by explicitly re-casting any string with the value of "true" or "false" as a boolean value. This is bad for a lot of reasons.
In proper JSON, a customer named James True would have his name stored like "firstName": "James", "lastName": "True". If it was stored incorrectly without quotes, "lastName": True would be invalid JSON, while "lastName": true would be valid JSON with a boolean value as lastName.
It looks like they have code that expects boolean values in JSON to be stored incorrectly as strings, that is "true" or "false" instead of true and false. If that is the case, and something automatically "corrects" "true" to true, then you would have this problem.
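The failure mode this comment describes, reproduced as an added example; it is not Apple's code, and the field names, the request body and the case-insensitive coercion rule are assumptions made so that a surname of "True" trips the bug. The first parser coerces every string that spells true/false anywhere in the document; the second only coerces fields a schema declares boolean, and rejects a declared boolean field whose value is not recognisable rather than guessing.

```python
"""The boolean-coercion failure described above, and a schema-aware fix.

Example code added to this thread; it is not Apple's code, and the field
names, the request body and the exact coercion rule are assumptions made
to reproduce the symptom (a surname of "True" turning into a boolean).
"""
import json
from typing import Any, Dict, FrozenSet, Optional

# Constructed request body from a sloppy client: booleans sent as strings.
SLOPPY_REQUEST = (
    '{"firstName": "Rachel", "lastName": "True", '
    '"marketingOptIn": "false", "verified": "True"}'
)

# Assumed schema: the only fields that are allowed to be booleans.
BOOLEAN_FIELDS: FrozenSet[str] = frozenset({"marketingOptIn", "verified"})


def _as_bool(value: str) -> Optional[bool]:
    """Map the spellings "true"/"false" (any case) to a bool, else None."""
    lowered = value.strip().lower()
    if lowered == "true":
        return True
    if lowered == "false":
        return False
    return None


def coerce_all_strings(obj: Any) -> Any:
    """The naive 'fixer': walk the whole document and turn every string that
    spells true/false into a boolean, whatever field it sits in."""
    if isinstance(obj, dict):
        return {k: coerce_all_strings(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [coerce_all_strings(v) for v in obj]
    if isinstance(obj, str):
        as_bool = _as_bool(obj)
        return obj if as_bool is None else as_bool
    return obj


def coerce_known_booleans(record: Dict[str, Any],
                          boolean_fields: FrozenSet[str] = BOOLEAN_FIELDS) -> Dict[str, Any]:
    """Schema-aware version: only declared boolean fields are coerced, and a
    declared boolean field with an unrecognised value is rejected rather than
    guessed at. Every other field keeps the type the client sent."""
    fixed: Dict[str, Any] = {}
    for key, value in record.items():
        if key not in boolean_fields:
            fixed[key] = value
            continue
        if isinstance(value, bool):
            fixed[key] = value
        elif isinstance(value, str) and _as_bool(value) is not None:
            fixed[key] = _as_bool(value)
        else:
            raise ValueError(f"{key}: expected a boolean, got {value!r}")
    return fixed


def parse_naive(body: str) -> Dict[str, Any]:
    return coerce_all_strings(json.loads(body))


def parse_strict(body: str) -> Dict[str, Any]:
    return coerce_known_booleans(json.loads(body))


def display_name(record: Dict[str, Any]) -> str:
    """Downstream code that, reasonably, assumes names are strings."""
    last = record["lastName"]
    if not isinstance(last, str):
        raise TypeError(f"lastName must be a string, got {type(last).__name__}")
    return f"{record['firstName']} {last}"


def display_name_error(record: Dict[str, Any]) -> Optional[str]:
    """Returns the error message display_name would raise, or None."""
    try:
        display_name(record)
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("naive :", parse_naive(SLOPPY_REQUEST))
    print("        ", display_name_error(parse_naive(SLOPPY_REQUEST)))
    print("strict:", parse_strict(SLOPPY_REQUEST))
    print("        ", display_name(parse_strict(SLOPPY_REQUEST)))
```

The strict parser still accepts the sloppy client's string booleans, so nothing that worked before breaks; it just stops treating a person's name as a type hint.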
Can't help but think that my old primary school teacher (who hated both children and spelling mistakes, but children more) may have had a point when she said that the laziness of phone and web text communication would come back to bite us one day.
c ya l8tr dudes
Agree - people who can't even be arsed to press shift when writing their own name, how much pride and effort is that person going to take in anything else they do?
I used to make a point of whenever somebody bought something off me on eBay who'd entered their entire name, address and postcode completely in lower case, I'd delay sending the item for a day.
I have however finally come to terms with the fact that my eldest daughter (who's a computer-literate student) insists on Caps Lock On X Caps Lock Off rather than just hold down shift to capitalise a single letter.
I used to make a point of whenever somebody bought something off me on eBay who'd entered their entire name, address and postcode completely in lower case, I'd delay sending the item for a day.
Did you tell them you'd done this?? If you don't tell them, they'll never learn.
Ironically, the opposite may well be the case.
There are however people who just speak bad, always have been. Always will been.
Tesco self-service tills had another problem a few years ago. Suppose you'd scanned some of your shopping in and wanted to check that the 3 for 2, BOGOFs etc. had been applied. Well, you just pressed the "subtotal" on-screen button to do this. When you did, the machine would reboot. After it happened to me twice I spoke to the manager to point out the issue. She was slightly sceptical and wanted to watch me do a demonstration. So I scanned in a few items and then hit subtotal as normal. Then it rebooted as I'd promised, to her utter amazement. I did it again on another till with different items to prove it wasn't just that till etc. She thanked me for bringing it to her attention and said she'd pass it on to head office. Then I had my shopping scanned in at a manned till and some or all of it (can't remember now) free to say thank you. The issue was fixed not long after that.
I had something similar in Sainsbury's. I'd scanned my shopping, hit "pay" and the machine rebooted. Did it again, and the machine rebooted. Thankfully, the supervisor was able to look at what was going on in the system, then go to a manned till, recall my last transaction and let me pay. This was a week's shopping. I didn't want to hang around to scan it a third time.
Tesco's brought all IT back in-house a few years ago, and pretty much all their software is written in-house using open source stuff where possible. It seems to mean they can fix stuff much more quickly when bugs are found. I guess they'd had enough of the awful quality and slow turnaround with more off-the-shelf and consultancy-written stuff.
Tesco, Sainsbury, etc. count as Critical National Infrastructure: we are only 3 sheets of toilet paper* away from riots in the streets.
So their IT systems which are integrated to ensure that deliveries and ordering are as efficient as possible have to run effectively and robustly. Apple's iCloud, MS Network, Hotmail etc. are not CNI so can, sort of 'afford' to be not so robust, as it is only reputational and financial damage to a commercial organisation that is incurred.
*Actually I think it was meals, but you get the idea.
Upon visiting Argos one dark and stormy night, I discovered entering one particular product code caused the tablet to crash. The store was quiet and I entered that product code into all the store's tablets.
(And before anyone complains, the tablets auto-rebooted after a few minutes so the store wasn't stuffed)
Other than some childish glee, I left the store empty handed.
I once had a client with an internal application where a user told me that the reason they didn't trust the developers is that they just blindly implemented what they were asked for. He illustrated it with a story. His surname was Li, and in common with many organizations, the system used a username scheme of first initial followed by surname. When the application was rolled out he was unable to log in and would be faced with an ugly NullPointerException stack trace in his browser. He raised it with the developers, and 6 months later was told it would be fixed in the next release. After the release, he eagerly entered his username and password, and was presented with a login error page with the error "Username must be at least 4 characters long". The developers had fixed the ugly stack trace, but not the underlying problem that users with three character usernames could not log in.
Went to college with an Indonesian girl who only had one name (you don't get a surname until you're married), the offspring of a Sri Lankan and an Italian who had a double-barrelled surname that broke both the length limits of any name field and the tongue of anyone attempting to pronounce it, and a Korean guy with 3 x 2-letter names who seemed to treat their ordering totally randomly on different systems.
Would only have needed Prince in his Artist-Formerly-Known-As days to reduce the college admin to gibbering wrecks
I thoroughly recommend that any programmer who has to deal with names should read this article on Falsehoods Programmers Believe About Names.
Even today, developers fall foul of name/password length limits.
I've just encountered this with an EV charger. The WiFi SSID password field that you need to use to set up the device is hardcoded to have a max length of 16 characters. My home network has a password that is 32 hex characters. The WiFi standard allows up to 64 characters.
Impasse. Luckily I had an old Access Point that I reconfigured to connect the charger.
Doh!
Once had to deal with a client's app that sent email. I wanted to use a custom SMTP connector on the mail server and set the port to 60025. Didn't work. The vendor had no idea why it wasn't working, but I got the impression most of their clients just used default SMTP port 25.
After much trial and error, finally worked out that although the field in the app's mail config would accept 5 characters of input, it would only use 4. Set the port to 6025 and it worked.
I had worse... a rather badly coded (OK, very badly coded) and barely stable field management system crapped itself because I insisted on deploying the system using HTTPS only and did not even route incoming HTTP to the web server. Idiot developers couldn't cope with just using the damn URI parts as presented and hard-coded bits in, which on an insecure system that allowed HTTP through would work. They suggested that we make our system insecure to allow their poorly coded application to work (not quite their request, but how I reframed it when I denied the request). They then fixed their code but, of course, being low-skill coders had embedded crappy third-party components into their web application and, guess what? They couldn't cope with HTTPS either... Numpties.
When ICL (bonus point if you remember them) developed their mini desktop computer (the DRS if I recall correctly) in the late 1980s, they got a prestigious contract with a German state government. Except the thing kept on crashing when the head entered his job title. Much escalation to board-level directors, much gnashing of teeth etc. It seems that the developers had not taken into account the German language's love for compound nouns and only allowed a mere 32 characters for the job title field.
I think Welsh has the highest consonant density in a language; perhaps the vowels migrated as the corollary to the law of conservation of consonants.
In Welsh "y" is a vowel (and I recall that "w" can be at times too). So what might look like a bunch of consonants to a monoglot probably isn't. e.g. The Welsh for "hospital" is "Ysbytwy". No English vowels but plenty of Welsh ones.
Remember kids, there is more than one language & alphabet out there.
UK passport office insists that all names must be on a passport. So my son with 39 characters wouldn't fit into their 30-character field. In the best tradition of the civil service this was made my problem by phoning me up and asking me to help.
So his last forename is officially Athe.
That will screw up automated tracking systems. Particularly if he occasionally changes the order of his forenames. Now would I suggest that?
One of the lecturers at Leeds University wrote a very good algebra book: "Rings, Fields and Groups"*, by
R B J T Allenby (Reginald ... )
His full name spelled out might just squeeze into 32 characters, but it would be tight.
* Get the second edition, as it ends with a chapter on Galois Theory. The style challenges you to remember and understand the maths, rather than just let it wash over you.
Reminds me of Santander's terrible systems. I don't know if they've fixed it now, but when entering street address it asks for a prefix (free text field) and a mandatory suffix from a drop-down. So you can live on Tollington Street, or Tollington Lane, but not just Tollington. As I lived on the latter, whoever entered my details selected Lane as the suffix and all post about my mortgage went to that address round the corner even though the postcodes differed. I saw this quality bit of design in practice when I went into a Santander branch to get the address corrected.
That is even more true when you contract out development to a sweat shop. They will write literally whatever you spec and hardly ever question what you have told them.
I ALWAYS question any requirement to make sure I understand what they are trying to do. Not what they say.
PlusNet did something really stupid a while back where they changed the password requirements. I don't know when it happened but I fell over this at the beginning of lockdown last March. The Internet router at a small business I occasionally support stopped working and needed restarting. At that point it refused to then log back into the ISP. This was great, limited access, trying to get some people home working.
Log into the account, WTF, cannot log in "your password is incorrect". Go back and check, no it is not incorrect so now we have no Internet & cannot login to create a call. I phoned business support and they were adamant the password was correct so what the hell was going on?
Reset the password (of course this now requires access to the business) having had various complex passwords rejected, login to the account. As a test I reset the password with a different combination of the same characters as the "incorrect password" and it will not let you set it. Bloody hell, this is ridiculous. Eventually I find a link that states there are now illegal characters in passwords. What it did not point out was that if you had one of these characters and the router rebooted then it would never log back in again.
"Eventually I find a link that states there are now illegal characters in passwords."
I remember an article two weeks ago that told you you are racist for using the word "illegal characters". It needs to be more inclusive, like "special characters".
But you're right, that _is_ stupid. The requirements should be checked when a password is created. Once it's created it should stay valid forever, even if it doesn't conform to the current rules.
I just had the same thing with the Washington Post. A while back it stopped letting me log in; the form would say “invalid password.” I figured out that my throw-away password didn’t meet their new length rules, and it wouldn’t even let me in to change it.
P.S. I love “drop table witch”
NAB bank only used to use 8 character passwords, but they didn't actually tell you that and the field would accept more. It just silently discarded everything from 9 onwards.
Only came to light when they finally updated to allow longer passwords and then had to sheepishly ask users who had previously used more than 8 characters to only use the first 8 now.
If a site has a maximum on password strength, assume that it is being stored in the clear. There is literally no other reason I can imagine for doing that.
If it has "illegal characters", it means that they are executing the string in some environment.
I trust that you will use this information only for good. I'm pretty sure 80% of script kiddies already know this. I am certain that 100% of active hackers of any colour know it.
Six years ago I made the mistake of trying to make the move from Windows to Apple.
Booted up the MacBook Pro and it was asking this question and that question. A good friend was with me who has used Macs for decades and helped me answer the questions as some of the terminology was new to me (no explanations or help available, you are supposed to know it!!).
We got to one point where it went off to 'Updating iCloud & something else. This will not take long'. Well some 26 minutes later the screen allowed us to move on.
Then my iPhone started pinging and vibrating. My Contacts were randomly increasing; sometimes a Contact would be repeated 5 times, while other Contacts only twice.
That was just the start of six months of daily wrestling just to get the machine to boot and join iCloud or some days to even get it to connect wirelessly. The list of woes is very long, which I won't bore you with. None of which Apple were ever able to fix and eventually gave me my money back. I'm still left with iPhone and iPad issues due to their inability to fix their own environment!!
After 40 years in the Digital Sector I have never experienced such appalling Customer Service.
So am I surprised to read this article; No.
GMD: "no explanations or help available, you are supposed to know it!!"
Of course there is no explanation, it's intuitive, innit? It is WTFYSIWYGUIRTFMPEBCAK.
GMD: "After 40 years in the Digital Sector I have never experienced such appalling Customer Service"
Not been 'on hold' to MS Visual C++ support much then?
After 40 years in the Digital Sector I have never experienced such appalling Customer Service.
If you think Apple Customer Service is the worst, you must have had a very sheltered life in IT.
(I'm not saying Apple Customer Service is great - but it's a heck of a lot better than many other vendors)
Many moons gone, I did the old skool version of that.
I used to hang around on a list server (think Tw@ter, only without the bullshit and arseholes) dedicated to IBM midrange stuff. After a while we started to see some very odd messages about attempting to traverse the wormhole and such (yes, DS9 was current then). Turned out that the IBM Rochester AS/400 development team had acquired an internet connection, had found our friendly list server and were attempting to get access through their firewalls. They succeeded.
A while later I ran into an odd comms problem on the AS/400. Hardly surprising, doing weird things with midrange comms was my thing at the time and this was a very early version of OS/400, but this was throwing errors that, in theory, didn't exist. I chucked the details at the list to see if anyone bit. I got a quick reply from one of the IBM lads saying that he'd written the microcode for the x86 processor on the comms controller card and I'd just found the bug in it. Anyhow, if I waited a couple of weeks and asked for PTF number nnnn, it would fix the problem. This led to the following exchange with IBM Software Services South in Basingstoke:
Me: "I need PTFnnnn."
IBM: "That's not the way it works. You describe the problem, I feed it into the system and it suggests possible fixes, if there are any."
Me: "OK" (detailed problem description with relevant SNA sense data).
IBM: "Ah. Right. Yes there is a fix for that......what was that number you said?"
Me: "nnnn".
IBM: "Yes, that's the one.....hang on.....you said you were TeeCee?"
Me: "Yes".
IBM: "The customer number you gave me is for XYZ company though."
Me: "Yes, that's us."
IBM: "Could you tell me why your name is down as the requestor for an internal development fix from IBM Rochester?".
Me: "Yes, but I'm not going to."