Secure website, lazy website developers

Are South African online retailers exempt from consumer security issues? It seems like some of them just don’t care, most notably Kalahari.com.

Last week Friday I noticed an item appear in my basket on the site, a soft cover technical book. I was quite surprised and equally quite concerned as I never added it to the basket. So immediately I generated a new complex password for my account and proceeded to change my account password.

I followed up by emailing the Customer Service Manager with my concerns, as we’ve been in contact recently about some failed orders – a long story worthy of a series of blog posts! I don’t hear back from her and later I attempt to sign in to my account once more, only to be greeted with a sign-in failure dialog. So I try my previous password and it doesn’t work either.

OK, no worries, I use the password reset feature. About 10-15 minutes later I get an email with a new 5 character random password. I find it quite odd that the system generates such simple passwords, but at least it’s random, I reckon. So I follow the instructions in the email and attempt to sign in and change it to another suitably long and complex password. Alas, their site doesn’t allow me to sign in.

Dismayed, I fire off an email as per their instructions to their Support department, seeing as their Customer Service Manager at this point can’t be bothered to answer her phone or reply to my emails from earlier that morning. I get no response so I call the Customer Care line. The senior agent I get put through to explains that it takes about 30 minutes AFTER the new password is sent for the password to be reflected on the profile. So I wait another hour or so and try again. No joy. I give up.

On Saturday around lunchtime I get an email back from the support department telling me to sign in with the following password, and I notice that it is indeed my password, not a new one, but my password is there in the email in clear-text!

Appalled by this I email the Customer Service Manager and explain how it’s not cool for Kalahari to store passwords in clear-text or even using reversible encryption, to which I get the following befuddled response clearly showing that the management doesn’t understand technology or how to read emails properly:

The support desk sign into your profile via our internal system called KMS, that enables us to do this without seeing / using your password.

What she failed to understand is that their Support staff managed to extract my password as clear-text and email it to me.

So now for the non-technical of you out there, let me put this in simple terms. Kalahari states in their Terms & Conditions:

You allow Kalahari to take all reasonable steps to ensure the integrity and security of the Website and back-office applications.

However, it doesn’t appear that they implement the most basic website security measure, namely securing stored passwords. A common and recommended practice is for the website to store only a one-way (non-reversible) hash of your password, never the password itself. This means that if a hacker gets hold of their database, or a disgruntled employee does, they have no way other than brute force to figure out your password. It also means the site can never email you your existing password; the best it can do is issue a new one.

But surely that shouldn’t be a problem, as we all follow best practices and secure every site with a different password. Yeah right, not many people could be bothered. After all, how dangerous is it if your Kalahari account is hacked? Well, what if your Kalahari password is the same as your company email account password or your online banking password? The risks are present, just not always clear to all.

My lesson from this post is as follows: ensure every site and/or service you use has a unique and complex password. Use phrases, include spaces, include punctuation. Worried you will forget them? Encrypt them using a master password in a password manager like 1Password (it syncs over DropBox onto all your devices). Just don’t be caught off-guard because sites like Kalahari don’t take all reasonable measures to ensure your data is safe.
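To show the difference between what the post describes and the recommended practice, here is an added Python example (not Kalahari’s code and not from the post): a clear-text store beside a salted one-way hash store, with a reset that can only issue a new random password. The PBKDF2 iteration count, the 16 character temporary password and the sample user are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string

# Assumed parameter (not from the post): PBKDF2-HMAC-SHA256 iteration count.
ITERATIONS = 600_000


class PlaintextStore:
    """The anti-pattern in the post: the password itself is kept, so a
    support agent can read it back and put it in an email."""

    def __init__(self):
        self.users = {}

    def register(self, email, password):
        self.users[email] = password

    def support_lookup(self, email):
        return self.users[email]  # nothing stops this being emailed out


class HashedStore:
    """Keep a per-user random salt and a one-way hash; never the password."""

    def __init__(self):
        self.users = {}  # email -> (salt, hash)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email] = (salt, self._hash(password, salt))

    def verify(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            return False
        salt, stored = rec
        # Constant-time comparison of the stored hash with a fresh one.
        return hmac.compare_digest(stored, self._hash(password, salt))

    def support_lookup(self, email):
        # Only the salt and hash exist; there is no password to hand over.
        salt, stored = self.users[email]
        return {"salt": salt.hex(), "hash": stored.hex()}

    def reset(self, email, length=16):
        # The only thing a hashed store can do: generate a fresh random
        # temporary password, overwrite the hash, and let the user change it.
        alphabet = string.ascii_letters + string.digits + string.punctuation
        temp = "".join(secrets.choice(alphabet) for _ in range(length))
        self.register(email, temp)
        return temp


def demo(email="user@example.com", password="correct horse battery staple"):
    """Constructed walk-through returning what each store can reveal."""
    bad, good = PlaintextStore(), HashedStore()
    bad.register(email, password)
    good.register(email, password)
    leaked = bad.support_lookup(email)
    record = good.support_lookup(email)
    temp = good.reset(email)
    return {
        "plaintext_leaks": leaked == password,
        "hash_record_has_password": password in record.values(),
        "old_password_after_reset": good.verify(email, password),
        "temp_password_works": good.verify(email, temp),
        "temp_length": len(temp),
    }
```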

Madiba Day Clean Up

On Sunday a bunch of us got together to celebrate Madiba Day at Zoo Lake as part of the 67 Minutes for Mandela campaign:

“Mr Mandela has spent 67 years making the world a better place. We’re asking you for 67 minutes.” Nelson Mandela turns 91 on 18 July, and the call has gone out for people everywhere to celebrate his birthday – and the global launch of Mandela Day – by acting on the idea that each person has the power to change the world.

The plan, inspired by David Alves, was to spend 67 minutes cleaning up around the lake and giving back. This isn’t the first time Dave has arranged such a venture and I seriously doubt it will be the last either. Next time I’m going to surely rope in a whole bunch of my friends as I’m sure a lot of them will want to give back.

For me this was actually the first time I’ve walked around Zoo Lake – yes yes, shocking I know! It truly is a beautiful open space even during the middle of winter. There is an abundance of life ranging from ducks through to lots of other bird life. I was quite surprised to see so many families out spending the day in the sun and I’m definitely sure I’ll be returning for a picnic and to walk around.

Thanks to Megan and the dancers from The Duncan Studio of Celtic Dancing who wore the Guerrillas Gone Green jumpsuits proudly and collected oodles of trash. They were literally diving into the bushes to find and remove the trash.

Later we were joined by a family that expressed interest in what we were doing and even brought a refuse trailer along to assist with the refuse removal. Great one guys!

Here are a few photos from the day. Be sure to check out the complete album of photos over here.

[photos: IMG_3815, IMG_3885]

Glow in the Dark?

What is the deal with the South African government? Am I becoming an alarmist by writing this post and expressing my opinion? I honestly don’t know but I just feel the need to write my thoughts down.

Last week those in the country who had power watched Derek Watts and the Carte Blanche team try to get to the bottom of the electricity supply issues currently being experienced by ESKOM. The viewers were polled asking whether they had confidence in ESKOM being able to sort out the problems; the answer was a 99% vote against them. That was over 100,000 people that each incurred a R1.50 charge to tell Carte Blanche how upset they are – I wonder how many people didn’t bother to vote or didn’t have power to watch the show?

So now I’m reading my feeds today and I notice the latest – radioactive vegetables have been discovered. Yes, we’re talking about a report on vegetables being 150 times more radioactive than permissible levels. Oh great! What next? Am I eating radioactive fresh produce now? Maybe that Big Mac and Cheese should be my staple diet for the next few weeks until this crap gets sorted out.

Oh and then there is more to put the cherry on the top. Apparently 43% of dams in the country are in dire straits and are needing repairs to the tune of 180 billion Rand. Wow, how did that one slip by? Were the government officials so busy doing something else other than running the bloody country?!

Maybe there is at least a solution to the ESKOM issues – we’re all likely to be glowing in the dark in the near future.

[tags]South Africa,ESKOM,radioactive,food,water,electricity[/tags]

Power to the people

I suppose it’s to be expected that an emerging country such as South Africa has to face so many challenges on its path forward, but the recent power outages, which Eskom, the national power utility, calls “load shedding”, are actually just plain ridiculous. A while back Eskom implemented a load shedding schedule to reduce the strain on the national power grid as maintenance work needed to be done and there wasn’t enough power to go around. Either the planned summer maintenance was a guise or we really are in trouble.

[image: EskomLightEndOfTheTunnel]

The power outages have been getting worse and worse and according to recent reports it is estimated that up to R2 billion is being lost on a daily basis due to the unexpected power outages. Most businesses would be able to plan around the supposed schedules, but when they hit randomly it’s just not acceptable. As usual some people have injected a little humour.

[images: EskomVsBush1, EskomVsBush2, EskomVsBush3]

When will it end? Who knows! But I know that I’m doing my little bit to save on power consumption. I’m switching all my incandescent lighting to the longer lasting and more efficient energy saving globes and keeping lights off at home when not needed. I wonder what difference it would make if companies took the initiative and got rid of CRT monitors in favour of LCD monitors. Possibly government could provide some form of incentive in this regard.

[tags]Eskom,power,electricity,South Africa[/tags]

It’s plane stupid

What’s up with the South African airline industry lately? All I see are reports of problems and I’m considering staying on the ground for the near future. Just take a look at the following headlines taken from The Times over the last couple of days:

Looking a few months back there seems to be at most one incident reported in South Africa per month, oh and one in Thailand which had some major fatalities.

So how come we have had four incidents in November alone? It doesn’t make me feel too good when the Civil Aviation Authority (CAA) reports in their annual report for 2006/2007 that there were 174 aviation incidents resulting in 50 fatalities – an average of over 14 incidents per month.

I must say that I’m not surprised that there are so many air incidents when you consider how the airports and airlines are run. Have you ever caught a Kulula flight that wasn’t delayed? I haven’t. Every time I climb onboard a local flight I wonder when last the plane was serviced and how many flights it’s flown since.

I suppose the air fatalities are nothing compared to the road fatalities but come on, what’s going on here?

[tags]South Africa,airline[/tags]

Uncapped local ADSL, not lekker

Sometimes I wonder whether our local communications regulatory body has a clue or a backbone at all. When the Independent Communications Authority of South Africa (ICASA) eventually released their ADSL Regulations last year there was a requirement on local bandwidth which stated:

Local bandwidth usage shall not be subject to the cap.

According to a recent article our incumbent fixed line operator, Telkom, has taken the liberty to reinterpret the intention of the requirement to their own benefit. According to a supposed recent communication from Telkom to their reseller ISPs they state:

It is recommended that service providers allow local only access to continue even after the blended CAP was consumed by the customer.

What concerns me about a comment like that is the interpretation of a blended cap. I can only assume it means that the cap will be enforced based on both local and international bandwidth usage and thereafter their new product offerings can kick in whereby users will have to pay for usage of local bandwidth. The way I understood the ICASA requirement was that local bandwidth usage will not contribute to any cap on the service at all. So none of this blended cap rubbish, just the ability to use as much or as little local bandwidth for a fixed fee per month.

As some of the major ISPs have pointed out, Telkom’s proposed solution to the ICASA regulation is currently what most service providers are offering through alternate mechanisms. I also know a lot of home users that use separate local and international ADSL accounts and route local network traffic through relatively inexpensive local accounts to avoid accumulating local usage against an expensive international bandwidth cap.

I can understand that international bandwidth is expensive, so let’s try and keep as many resources as possible local. The major ISPs already implement transparent HTTP proxy servers and some even offer relatively up-to-date mirror servers, but at the end of the day we need to do more to promote the saying that local is lekker.

I think Telkom has once again missed the boat.

[tags]Telkom,ADSL,broadband,South Africa[/tags]

TWiT-or-tweet

Oh well, it should really be called Trick-or-Treat but I couldn’t resist the play on words and the completely unrelated reference to the weekly tech podcast and Twitter.

I’m not sure if I can relate to what Halloween really is about. As South Africans we don’t really celebrate Halloween. So much so I had to search the web to find out what it’s all about and I was quite intrigued by its origin as a Pagan celebration of the end of the harvest season in Gaelic culture.

It all hit me on Saturday when I was in the check-out queue of my local grocery store and the woman behind me was telling her kid that this is South Africa and that means there is no Halloween like he was used to back home. I couldn’t resist asking her where they were from and she confirmed that they were Americans now living in South Africa and her son of about eight was confused as to why Halloween was not as important here as it was back in the States.

When I was a kid growing up in Durban I don’t believe that I ever went door to door trick-or-treating. The only way I can relate to Halloween is through the television sitcoms and movies that have portrayed the Halloween festivities. I didn’t really regard Halloween as a holiday suitable for Christians but apparently it’s accepted by most religions of the western world. I need to ask my various friends how well accepted it is by the Jewish and Islamic faiths.

Besides the entertainment industry’s attempts to associate Halloween with horror and scary movies, I believe that in general there is a common feeling of goodwill that is introduced by bringing family and friends together to celebrate. Why don’t we celebrate Halloween? It could be a great way to meet our neighbours in the modern day. Although I see news reports of measures that parents are taking to attach tracking devices to their kids so that they don’t go missing over Halloween.

Happy Halloween to all!

[tags]Halloween,holiday,South Africa[/tags]

Tech-Ed 2007 day 3

It’s honestly amazing how time flies when you are at Tech-Ed. I found that day three just flew past in comparison to day two; I suppose it has to do with the sheer number of sessions I attended.

The first talk worth mentioning today was one by Angus Logan where he shared information about the Windows Live technologies currently available for integration by developers. I never realised that Windows Live ID was recently made available as a single sign on solution for end-user applications, coupled with the various other services like Virtual Earth, Live Contacts, Silverlight Streaming and numerous other cool services. They are all covered under one “no lawyer required” terms of use and unless your web site has more than about a million users, it’s free to use. For more information on the APIs, code samples for .NET, Java, Python, Ruby and many more, take a moment and check out dev.live.com; there is even a .NET wrapper library for the REST APIs on CodePlex. Don’t forget to attend Angus’ talk for SA Developer .NET this Thursday, you won’t be disappointed.

Hilton Giesenow, SA Developer Lead and MVP, gave an awesome talk on the hidden gems of ASP.NET 2.0 where he shared some very cool but lesser known features of ASP.NET. One of them that comes to mind is the SessionPageStatePersister class that provides a simple means of reducing the viewstate of each page in a site with no changes to the actual pages themselves.

Chris Auld from New Zealand was highly entertaining to experience. He was wearing a Springbok rugby jersey after he lost a bet. He is genuinely a unique character and showed us all how to implement and use WCF (Windows Communication Foundation) for various connection endpoints including TCP, SOAP, JSON and even RSS. Unfortunately his demos were plagued with exception pop-up dialogs due to the Visual Studio 2008 beta quirks but seemed to work nonetheless. I found his “go go gadget stack trace” comment quite amusing.

Just to make sure we didn’t have a dull day, we got Nicolas Blank to interview Hilton Giesenow, Willie Roberts and myself about the technical communities in South Africa. I’ll make a post here when the video has been edited and posted on the international Virtual Tech-Ed site.

As day four is a half day it is customary to have the closing party the evening before. The theme was CSI and we were treated to an awesome buffet in the Sun City Superbowl followed by local band Springbok Nude Girls on stage and then lots of dancing and partying.

[tags]Tech-Ed 2007,Windows Live,ASP.NET,WCF,Virtual Tech-Ed,Springbok Nude Girls[/tags]

Tech-Ed 2007 day 2

Today the sessions started bright and early at 08h00, which would be way too early if it were work, but strangely enough I found myself downstairs devouring the buffet breakfast just after 07h00. I missed attending a few sessions that I would have liked to have attended purely due to logistical issues. I didn’t know where the bloody session rooms were and I left my map in the room and was too lazy to go back and fetch it.

I would have to say that the best session I attended today must have been Pieter’s chalk ‘n talk session on XNA. He spent the morning in the Community Lounge writing a remake of the classic Space Invaders game. Willy-Peter and I however started making a few suggestions and before long the game became BokInvaders with the enemies appearing as English Roses and the ship becoming a Springbok. Oh and to top it all off, the South African national anthem became the theme music. The chalk ‘n talk room had seating for about 30 delegates and was overflowing with delegates sitting on the floor and standing at the back. I believe the talk went down extremely well and garnered a considerable amount of interest in hobbyist game development using the XNA Framework targeting Windows PCs and Xbox 360 consoles.

For those that have been to Tech-Ed you will be familiar with the MultiNets. For those that haven’t, they are essentially PCs distributed throughout the venue where delegates can logon for free and either plan their schedule, provide session feedback or browse the web. I have got to say that I am not impressed with the Internet access that is provided. I managed to access my Gmail account once throughout the entire day as most of the time it was simply just timing out. I believe that Internet Solutions is providing the outside connectivity and I can only wonder what connection they are running. It feels worse than accessing over a shoddy dial-up. One good thing was that they provided free WiFi access as well, however my mobile phone can’t even connect to the access point as it doesn’t stay up for long enough. C’mon guys, get with it.

In general the day was awesome and I really enjoyed Louis de Klerk’s talk on the new features of SQL Server 2008, code-named Katmai. I have been playing around with CTP4 and I can’t wait to get hold of the new CTP5 that adds spatial support. It’s rumoured that CTP5 might drop before the end of next week. I can’t wait.

[tags]Tech-Ed 2007,XNA,Katmai,SQL Server 2008,spatial,rant[/tags]

Tech-Ed 2007 day 1

It’s the end of day 1 of Tech-Ed 2007 South Africa and I must say it is what I expected it to be. Apparently there are almost 2000 delegates here this year, which is an impressive improvement over the 1600 delegates last year and the most delegates at any Tech-Ed event in Africa ever. Are there any other Tech-Ed events held elsewhere in Africa? I’m not sure. Strangely the male to female ratio is still sitting at 10:1 which doesn’t surprise me at all considering women are generally illogical. (I’m going to suffer for that comment, I just know it, but it’s true.)

This is my first Tech-Ed event as I finally decided to take leave from work and cough up the cash to see what it’s all about. I haven’t bumped into too many people that I know as of yet, although the first person that Willie and I happened to stumble upon was Angus Logan. Angus is an Australian now living in Redmond and on the Windows Live team. The great thing is that Angus will be giving a talk for SA Developer .NET in Bryanston just after Tech-Ed and you are all invited to come and hear about the cool stuff happening in the Windows Live realm. Take a moment and RSVP over here.

I must say that the keynote speech was a bit too long; two hours and my butt was asleep and I was surprised that I wasn’t as well. Thankfully it was followed by a Lost themed opening party at the Valley of the Waves. The food was ample, hot and delicious. The pudding afterward was even more delicious with the bread and butter pudding disappearing moments after new trays were put out. Naturally the free beer flowed happily and there was an awesome fireworks and laser presentation. Some random band named Voodoo Child or something to that effect was on the stage for most of the evening thumping out popular covers that really set the mood for a chilled out evening under the stars on the fake beach. All in all, a great start to what hopes to be an awesome 3 day event.

[tags]Tech-Ed 2007,South Africa,SA Developer .NET[/tags]