Secure website, lazy website developers

Are South African online retailers exempt from consumer security issues? It seems like some of them just don’t care, most notably Kalahari.com.

Last week Friday I noticed an item appear in my basket on the site, a soft cover technical book. I was quite surprised and equally quite concerned as I never added it to the basket. So immediately I generated a new complex password for my account and proceeded to change my account password.

I followed up by emailing the Customer Service Manager with my concerns, as we’ve been in contact recently about some failed orders – a long story worthy of a series of blog posts! I don’t hear back from her, and later I attempt to sign in to my account once more only to be greeted with a sign-in failure dialog. So I try my previous password and it doesn’t work either.

Ok, no worries, I use the password reset feature. About 10-15 minutes later I get an email with a new 5 character random password. I find it quite odd that the system generates such simple passwords, but at least it’s random, I reckon. So I follow the instructions in the email and attempt to sign in and change it to another suitably long and complex password. Alas, their site doesn’t allow me to sign in.

Dismayed I file off an email as per their instructions to their Support department, seeing as their Customer Service Manager at this point can’t be bothered to answer her phone or reply to my emails from earlier that morning. I get no response so I call the Customer Care line. The senior agent I get put through to explains that it takes about 30 minutes AFTER the new password is sent for the password to be reflected on the profile. So I wait another hour or so and try again. No joy. I give up.

On Saturday around lunchtime I get an email back from the support department telling me to sign-in with the following password and notice that it is indeed my password, not a new one, but my password is there in the email in clear-text!

Appalled by this, I email the Customer Service Manager and explain how it’s not cool for Kalahari to store passwords in clear-text or even using reversible encryption, to which I get the following befuddled response, clearly showing that the management doesn’t understand technology or how to read emails properly:

The support desk sign into your profile via our internal system called KMS, that enables us to do this without seeing / using your password.

What she failed to understand is that their Support staff managed to extract my password as clear-text and email it to me.

So now for the non-technical of you out there, let me put this in simple terms. Kalahari states in their Terms & Conditions:

You allow Kalahari to take all reasonable steps to ensure the integrity and security of the Website and back-office applications.

However, it doesn’t appear that they implement the most basic website security measure, namely securing stored passwords. A common and recommended practice is for the website to store a one-way (non-reversible) hash of your password rather than the password itself. This means that if a hacker gets hold of their database, or possibly even a disgruntled employee, they have no way other than brute force to figure out your password.
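To make the one-way hash idea concrete, here is an added example (my own illustration, not Kalahari’s code or anything the site is known to run) of how a website can store and check passwords without ever being able to reveal them. It goes slightly beyond the paragraph above: the hash is salted, so two users with the same password get different records, and it is deliberately slow (PBKDF2-HMAC-SHA256 from Python’s standard library, 600,000 iterations), so the brute force that remains is expensive. The reset_password and generate_temporary_password helpers and the sample account are hypothetical and constructed for the example; they show that a reset flow can only ever hand out a fresh random password, because the site genuinely does not know the old one.

```python
import hashlib
import hmac
import secrets
import string

# Parameters for the stored hash. PBKDF2-HMAC-SHA256 ships with Python; the
# iteration count is what makes brute force against a leaked table slow.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    Only this record is stored. The password itself is never written down,
    so nobody who reads the user table (attacker, or support staff) can
    recover it or email it back to the user.
    """
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never accept
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def generate_temporary_password(length: int = 16) -> str:
    """Hypothetical reset helper: a fresh random password from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reset_password(user_record: dict) -> str:
    """Hypothetical reset flow: mint a temporary password, store only its
    hash, and return the temporary password to be sent to the user once."""
    temporary = generate_temporary_password()
    user_record["password_hash"] = hash_password(temporary)
    return temporary


if __name__ == "__main__":
    # Constructed sample account for the demonstration.
    user = {
        "email": "user@example.invalid",
        "password_hash": hash_password("correct horse battery staple"),
    }
    print(user["password_hash"])  # no trace of the password in the stored record
    print(verify_password("correct horse battery staple", user["password_hash"]))  # True
    print(verify_password("wrong password", user["password_hash"]))  # False
    temp = reset_password(user)
    print(verify_password(temp, user["password_hash"]))  # True: only the new one works
```

The important property is in the stored record: it carries the algorithm, the iteration count, a random salt and the hash, and nothing that can be turned back into the password. A support desk that can email you your current password, as happened above, is proof that the site is holding something other than such a record.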

But surely that shouldn’t be a problem, as we all follow best practices and secure every site with a different password. Yeah right, not many people could be bothered. After all, how dangerous is it if your Kalahari account is hacked? Well, what if your Kalahari password is the same as your company email account password or your online banking password? The risks are present, just not always clear to all.

My lesson from this post is as follows: ensure every site and/or service you use has a unique and complex password. Use phrases, include spaces, include punctuation. Worried you will forget them? Encrypt them using a master password in a password manager like 1Password (it syncs over Dropbox onto all your devices). Just don’t be caught off-guard because sites like Kalahari don’t take all reasonable measures to ensure your data is safe.

Sandton retailers that irk me

What’s the story with retailers that think the consumer must be honoured to be their customer? This weekend it really got to me, both times at Sandton City.

On Saturday night I tried to take two of my ex-pat friends to my favourite Thai restaurant, namely Wang Thai above the Nelson Mandela Square. We got there just after 9pm only to be chased away as their kitchen was closed for stock take. You gotta be kidding me! A stock take on a Saturday evening at the end of the month? That’s what Sunday morning is for damnit. Anyway Pappas on the Square next door was more than happy to feed us and the live entertainment was great too.

Now Sunday I found myself back at Sandton Shitty to watch Inception with friends – a great movie by the way – and found myself amidst the Sandton Winter Sale. Ok I’m not such a fan of the crowds but I love to shop, especially for tech. First stop, the Apple iStore for a wireless keyboard. Not a single salesperson offered assistance nor did they seemingly have any wireless keyboards on display or in stock. Useless!

Next stop, Incredible Connection – a trusted tech haven. Oh wait, it appears the store has moved from one side of the mall to the complete opposite side. No fear, brisk walk and lo and behold what do I find? A pathetic excuse for a tech store and not even the Incredible Connection store name to be seen – more HP and Vodacom signage than anything. A complete waste of my time!

My conclusion is to steer clear of the excuse that is Sandton Shitty.

Travel Diary – Getting to Seattle (Part 2)

So it’s a little after 6am UTC+1 as we touch down in Paris, the city of love and classical romance. It was a pleasure to finally be off the plane as I was seated next to this really big dude that managed to encroach on the personal space of both me and the dude on the other side of him. He also took the cake for wearing his team colours as he was dressed from head to foot in ANC party colours. If he wasn’t taking up my sleeping space then he spent the rest of the time waxing lyrical about how he has a US tertiary education and that the whites just don’t get the whole affirmative action thing and why it’s so good for the country. Also something about the ANC just not explaining it all properly. At least he was flying economy not business class!

The Charles de Gaulle airport has changed considerably since my last transit in 2001. It’s odd, I’ve flown through Paris about 29 times now and not once have I had time or a visa to visit the Eiffel Tower and see the rest of the city. I have been outside the airport but that was on a temporary visa that was arranged for me and my colleagues when our Air France flight from Paris to Johannesburg was delayed 12 hours due to a technical fault. So alas I only got to see the inside of the Hilton at the airport.

One thing I found really impressive in CDG airport was the laptop power jacks and tables outside the boarding gates. Coupled with fast wireless Internet access at 10 Euros an hour made the 4 hour long wait between flights a bit more pleasant. To top it off, they even have these really comfy chair type beds littered around the terminal which are surprisingly comfortable when you have a while to wait for your next flight. Quite a few people were actually catching a few minutes of sleep – as a South African I’d be too afraid of my hand luggage getting nicked from next to me to be able to fall asleep. For the life of me I can’t seem to find a photo of them on the Internet but I’ll be sure to take a photo on my way back through next week.

The flight from Paris to Seattle was pleasant even though it was a daytime flight. I left at 10h30 Paris time and got to Seattle the same day at 11h55 Seattle time. Very odd, as I think I had 5 meals on Friday and I even skipped supper in Seattle. It’s odd, but on every flight I’ve had to Seattle I’ve always sat next to an MVP. Yeah, last year it was a fellow Xbox MVP and this year it was a French Office Groove MVP.

Landing in Seattle I was quite surprised to see sunshine as the weather forecast predicted wet weather. Immigration was an absolute dream this time as there were practically no queues and the officers on duty were extremely friendly and pleasant to deal with. Customs followed suit and the one dude even asked me if I had biltong on me. LOL.

As the 2009 Global MVP Summit only technically starts on Sunday the 1st of March, I decided to book myself into the cheaper 3 star Sixth Avenue Inn in downtown Seattle for the first two nights. I must say it’s quite comfortable for an overnight stay but I wouldn’t stay here unless I was trying to save some money. Everything is acceptable except for the bloody shower. I’m a person who likes to shower and this shower just doesn’t cut it. At least it has free high-speed Internet access, although I’ve been hooking onto the Westin Hotel over the road’s wireless network as well.

Here are a few photos of the Sixth Avenue Inn:

Photos: Sixth Avenue Inn sign from my room; Sixth Avenue Inn room; view of the Westin Hotel from my window; Sixth Avenue Inn view at night.

Screenshots: Sixth Avenue Inn wired connection; Westin Hotel wireless network I’ve been testing.

Travel Diary – Getting to Seattle (Part 1)

I don’t really know why, but travelling has become a chore for me. As much as I love to go to new places and meet new faces, I dread the actual travel bit. Whether it’s driving to Durban for the Christmas holidays or going overseas for business, it’s stressful, but the stress begins a good while before the travelling actually begins.

It all starts with getting a visa. This can be an absolute schlep for us South Africans but fortunately for me, I still have a valid US visa from my trip to the 2008 Global MVP Summit. This spared me a little of the early stress, however I still suffer from the day-before stress. You know the kind, when you need to pack your suitcase and hope you don’t forget something in the process. This year I planned to pack for the trip the night before, but alas my car decided to give me grief, so all plans went out the window and things went ad hoc from there.

Getting to the airport is always something that needs planning, especially if you don’t have family nearby. Yep, most people don’t realize how lucky they are to have a family member drop and collect them at a whim’s notice. I’d decided to take a shuttle to the airport to reduce the stress, a decision compounded by a faulty car. So I booked a shuttle through the EZShuttle service that numerous people have recommended. Unfortunately they were 1 hour and 15 minutes late for the pickup from my office, resulting in me basically flipping out. Yeah, I was this close to cancelling my entire trip and going to fetch Data, my cat, from the cattery.

The trip to the airport found me getting car sick due to the stop-start nature of the traffic through Alexandra township and the driver continuously applying and releasing the accelerator. The last time I felt like that was being driven around in Sao Paulo, Brazil in 2002, but I’d rather forget that stressful trip.

Arriving at the airport exactly two hours before my international flight put me into mission mode. I systematically and logically proceeded to eliminate the hurdles. First, let’s get checked in: Air France staff point me to the new electronic check-in machines and whoops, problem, I need to see a check-in counter agent. Apparently it’s because I’m travelling to the US. That done, visit customs for a DA-65 form – can’t leave SA with a laptop and camera without one as it will result in too much stress on the way back in.

Besides the long queues at the security checkpoint and at passport control, the rest of the experience was quite pleasant. The Air France flight was jam packed aboard a Boeing 777-300 and left soon after the scheduled time. Food on the flight was excellent and the staff were friendly and cheerful, as I remember them to be.

Next stop, Paris.

Buying an Apple the hard way

No, I’m not talking about the fruit, although I do find similarities between the fruit and the people who represent Apple in South Africa. The first thing to note is that Apple products have one authorised distributor in South Africa and they are the Core Group, the same company that distributes the Nintendo products at such a ridiculous mark-up.

However, it seems that there are plenty of non-authorised resellers in South Africa, but the Core Group can’t seem to decide who is who. They have a local site addressing the grey product issues and they even provide a form for validating your product serial number, albeit a non-automated process. If you compare the following two pages (page 1 and page 2) you will notice that they don’t agree on who the non-authorised resellers are. I think this is ridiculous; how is the consumer supposed to know which list is correct?

Regardless, I decided I wanted a new 15” MacBook Pro with a 2.8 GHz processor, 4GB of RAM and a 320GB 7200 RPM drive. Yeah, I wanted the fastest processor and hard drive that the Apple store in the US offers. I proceeded to call a few of the local resellers, seeing as the local online store called the Za Store provided zero customisation options.

Authorised reseller #1: Questek Broadcast Technology

I started by calling local authorised reseller Questek Broadcast Technology for a quotation on the custom configuration I wanted. After numerous unreturned calls on Wednesday and Thursday, I finally managed to speak to the one person that seems to do quotes. She promised me a quotation on email before the end of Friday. To her credit she did call me later in the day and inform me that her email was down and she’d send it when it was up again. On Tuesday I got an email stating:

I do apologise for the inconvenience, however our systems have not been working.

Please be advised that you will be getting your quote today, I just need to finalise a few prices for you once that has been done you will be getting your quote.

So much for Friday’s excuse about the email being down, she doesn’t even have the pricing on Tuesday. Mind you, I never got the quotation on Tuesday either.

Authorised reseller #2: iStore in Clearwater Mall

I called the iStore in Cresta on Wednesday and was told to email Dimitri and he’d get me a quotation by the end of the day. I’m still waiting.

Authorised reseller #3: Digicape store in The Wedge

A few friends recommended dealing with the company DigiCape. So I called their Johannesburg store on Saturday late afternoon and my details were taken for a quotation on Monday. Once again, no quotation was received.

Non-authorised reseller #1: CAB Platinum Store in Sandton City

On Saturday I visited the slick looking CAB Platinum Store in Sandton City after being advised by friends that they are useless. The first thing I noticed was that all of the standard configurations were priced around R4000 more for the exact same box product. Ridiculous. I approached the so-called Knowledge Bar to find out about a custom configuration and was delegated to a back office woman who proceeded to quote me on a standard configuration machine with an additional 320GB 5400 RPM drive. Hmmm, useful, NOT! After I reiterated my requirements my details were taken down and a quotation was promised on Monday. To date, no quotation has been received.

After much frustration and irritation I realised that in South Africa, if you wish to buy an Apple product, you need to simply accept that the distributor, Core Group, knows what you want and it’s one of the standard configurations. However, a few friends did suggest that I go to the USA and buy one there. My problem with this would be the warranty, although I’ve heard that local warranty support leaves much to be desired.

Determined to get myself a Mac in time for Christmas, I called up Incredible Connection in Sandton City on Sunday afternoon and purchased a new 15” MacBook Pro with 2.53GHz processor, 4GB of RAM and 320GB 5400 RPM hard drive.

My advice to anyone considering buying a Mac: go for it, and hopefully the Core Group sorts their reseller channel out so you have a better experience than I did.

The Mac adventure begins

Recently I decided that I needed (read: wanted) a new laptop computer. Being the tech-savvy geek I am, I naturally started looking at beefy machine specifications from Dell like the M6400 range. I almost fell off my chair at the price of these new powerhouse beasts.

Then at the recent Scott Hanselman talk I saw his new Dell Mini 9 up close and it triggered a new investigation into the NetBook form factor. However that was a short-lived investigation as there are hardly any decent models available on the local market to choose from and quite frankly, the cost of solid state storage (SSD) is a little too exorbitant at the moment.

I’ve often pondered the idea of owning a Mac due to the simplicity of it all, just open the box, plug it in and you’re done. Over the years I’ve built up clone PCs using the best highest spec components I could find but in the end the machines have always had some irritating problems that just bug the crap out of me. This is when I realised that quality of the individual components is the key factor and if I could find a pre-built machine that doesn’t come at too much of a premium, then I’d be more than prepared to spend the few extra bucks. So building my home desktop PC resulted in choosing a quality Intel motherboard and Core 2 Duo processor with 4GB of high-performance Transcend memory. Similarly my Windows Home Server was built using an Intel motherboard rather than a motherboard that has more bells and whistles coming from a ludicrous number of individual component vendors. Both machines to this day have not given a single headache.

Over the next few blog posts I’ll share my experiences with Mac OS X and getting everything set up the way I imagine it.

Windows Live ID to finally support OpenID

It looks like the Windows Live team is at it again. They’ve taken the plunge at PDC 2008 and committed to supporting the OpenID initiative.

All Windows Live product teams are committed to supporting open standards where such standards are relevant to our work and when they reach a sufficient level of maturity, and the Windows Live ID Team is no exception. We have been tracking the evolution of the OpenID specification, from its birth as just a dream and a vision through its development into a mature, de facto standard with terms that make it viable for us to implement it now.

We look forward to making it easier for our users to access the Web sites they use, by reducing their need to create additional identity accounts. That is the promise of OpenID. We are happy to support that goal by providing OpenID-based sign-in functionality to Windows Live ID account holders.

This may not seem like much, but it’s Microsoft validating an open standard and giving every one of their Hotmail and Passport users ubiquitous access to a growing number of OpenID-enabled websites.

Well done to the Windows Live team.

I’m the Rosetta@home user of the day

I just got an email notification from the Rosetta@home project that I’ve been featured as the user of the day.

Congratulations!
You’ve been chosen as the Rosetta@home user of the day!
Your profile will be featured on the Rosetta@home website for the next 24 hours.

It’s just a pity that I haven’t really been able to commit CPU cycles to the project lately. Why? Well, my work PC is suffering and needs a reinstall, and my home PC is not running on ADSL and I’ve been too lazy to re-enable BOINC to run while on 3G.


If you decide to join up I’d recommend joining team South Africa.

[tags]Rosetta@home[/tags]

I’m here, really I am

It’s been a while since I made a post here and it’s all a result of not having an ADSL line at home. Why? Well, I moved house at the beginning of December and got the phone line installed as soon as possible. Unfortunately our dear incumbent operator Telkom has decided that ADSL will not be possible on my new line, even though the exchange is ADSL enabled and I live less than 500m from the DSLAM. Apparently there is some infrastructure issue which prevents them enabling the ADSL service.

What saddens me even more is that I’ve been on the Neotel consumer test trial waiting list since April this year. I’ve followed up with them but it appears they just don’t want my constructive feedback.

[tags]ADSL,Telkom,Neotel[/tags]

Traffic conspiracy

It’s a conspiracy, I tell you. I’m sure that the mobile phone networks are in some way in on it. What am I talking about? Well, bear with me a moment while I explain.

I was reading this post from my good friend Tim about how he sat in traffic on Hans Strydom for two hours the other day, using the time to observe the people around him. Then all of a sudden it dawned on me: the mobile networks must be to blame for all of the traffic problems in our country. Yes, they are definitely the ones that benefit from the painfully slow traffic conditions on our major roads, so surely they must be the ones causing them. Personally I find the most convenient time to be on my mobile phone is during the daily commute to and from work. The time is otherwise pretty much wasted unless I’m listening to a podcast, although I occasionally crank up my sound system and listen to some angry music to get me into the mood for work, but most of the time I’m on my mobile phone.

So my theory now is that the mobile phone companies are doing something to make these traffic jams. It can’t be those pesky “stationary trucks” that Highveld keeps blaming in their traffic reports; why on earth would Waltons and other stationary suppliers be delivering stationary during rush hour traffic eh? 😉

On a serious note, when traffic lights are out I wish people wouldn’t stick to this one-car-then-the-next-car principle, as it’s just so inefficient. If only two or more cars would go at a time the traffic would flow so much more efficiently. But I suppose we can’t expect people to be able to count and drive.

[tags]thoughts,traffic[/tags]