How not to code your bank website

When is a number not a number? When it is a PIN. Backstory: recently my bank overhauled its website. On the whole, it’s an improvement, but it hasn’t been entirely awesome. One of the changes was that special characters were no longer allowed in the security questions. As it turns out, that’s a good way to lock your users out. Me included.

Helpfully, if you lock yourself out, there’s a self-service unlock feature. You just need your Social Security Number and your PIN (and something else that I don’t recall at the moment). Like any good form, it validates the fields before proceeding. Except holy crap, if your PIN begins with 0, pressing “Submit” means the PIN field becomes three characters and you can never proceed. That’s right: it treats the PIN as an integer when really it should be a string.
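The failure described above, reproduced as an added example (this is not the bank's code; the function names and the four-digit PIN length are assumptions): a validator that round-trips the field through a number, beside one that keeps the PIN a string.

```javascript
// Added illustration; not the bank's code. A PIN length of 4 is an assumption.
const PIN_LENGTH = 4;

// Buggy: coerces the field to a number, then writes the number back.
// "0421" -> 421 -> "421", so the field shrinks and can never validate.
function normalizePinAsNumber(fieldValue) {
  const n = parseInt(fieldValue, 10);
  return Number.isNaN(n) ? "" : String(n);
}

function validateBuggy(fieldValue) {
  const rewritten = normalizePinAsNumber(fieldValue);
  return { field: rewritten, ok: rewritten.length === PIN_LENGTH };
}

// Fixed: a PIN is an identifier made of digit characters, never a quantity.
// Check the characters and leave the string untouched.
function validateAsString(fieldValue) {
  const ok = new RegExp(`^[0-9]{${PIN_LENGTH}}$`).test(fieldValue);
  return { field: fieldValue, ok };
}

// Count the valid PINs the buggy path locks out: every one with a leading zero.
function countRejectedByBuggy() {
  let rejected = 0;
  for (let i = 0; i < 10 ** PIN_LENGTH; i++) {
    const pin = String(i).padStart(PIN_LENGTH, "0");
    if (!validateBuggy(pin).ok && validateAsString(pin).ok) rejected++;
  }
  return rejected;
}

console.log(validateBuggy("0421"));    // field rewritten to "421", ok: false
console.log(validateAsString("0421")); // field preserved, ok: true
console.log(validateBuggy("1234abc")); // numeric parsing also accepts trailing junk
console.log(countRejectedByBuggy());   // share of the PIN space that is locked out
```

Numeric coercion fails in both directions here: it rejects valid PINs with a leading zero and accepts input with trailing non-digits, because `parseInt` stops at the first character it cannot read.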

I’ve made my share of dumb mistakes, so I try to be pretty forgiving. But bank websites need to be held to a very high standard, and this one clearly misses the mark. Breaking existing functionality and mistreating PINs are bad enough, but the final part that led me to a polite-but-stern phone call was the fact that special characters are not allowed in the password field. This is 2016 and if your website can’t handle special characters, I have to assume you’re doing something terribly, terribly wrong.

In the meantime, I’ve changed my PIN.

Snapchat sunglasses? Why they could be successful

Snapchat’s founder announced on Friday that the company is working on a new, non-software product: sunglasses. Set to go on sale this fall, these sunglasses will include a camera that, when activated, will record 10 seconds of video. Presumably, this video will be posted to Snapchat by way of the user’s phone.

Some of the reaction I’ve seen so far is pretty predictable: “it’s like Google Glass, but less featured!” and “what a great way to announce that you’re a d-bag.” Haters gonna hate, as they say, and I’ll admit that the design is not my style. Still, there are reasons to believe Snapchat’s Spectacles will have the sort of wide consumer adoption that Google Glass never did:

  • Price. At less than one-tenth the price of Google Glass, it’s much more affordable. The price is in line with normal sunglasses, for those of us who don’t buy our sunglasses off the spinny rack at the drug store (full disclosure: I buy my sunglasses off the spinny rack at the drug store).
  • Branding. Oh sure, Google had great brand recognition when Glass launched. But Google’s brand is more about utility. Snapchat is about social. And this lines up well with the respective eyewear, but I think the fact that Snapchat is a social media platform, not a “know everything” platform helps in this case.
  • Obviousness. Both Google Glass and Spectacles are pretty obvious externally, but Spectacles will apparently have an LED light to indicate when it was recording. The fact that Spectacles are sunglasses, not a fixture on general-purpose glasses, means that some of the more obvious privacy concerns (particularly bathrooms) are avoided because people probably won’t be wearing them inside. Plus the limited duration shortens the window for privacy violations. It’s more “I have my camera ready to go” and less “I am recording your every move.”
  • Simplicity. Yes, Spectacles have very limited use, but that also means they’re really easy to use. I haven’t used Glass, so I can’t speak for the ease of use, but it’s hard to beat “push this button.”

None of this is any guarantee that Spectacles will be a success, of course. It will be interesting to see how this affects Snapchat usage. Anecdotally, while I have many friends of a variety of genders, ages, and interests on Snapchat, it’s a small group of mostly twenty-something women that post stories (perhaps there’s greater usage 1:1?). There’s a lot to be said for being able to share your experiences from your own point-of-view, so now we’ll have to see what Evan Spiegel and company can do.

Thoughts on the Wunderlist outage

For most of Wednesday and Thursday, the to-do list management service Wunderlist was unavailable. They haven’t published a public post mortem, though I’ve asked if they plan on it. It has to be a hell of a problem since it resulted in such a long outage.

I think they handled it fairly well, though. Logins were disabled in order to prevent further problems and regular updates were posted to the status page. I’d have preferred that the login page were redirected to the status site. I took a guess at the address and it was right, but I’m not sure all users would have done that. It might have saved their support team some effort.

The status page promised updates in various non-specific time frames. I’d have liked “we’ll provide another update at $specific_time”. When the specified time rolls around, if there’s nothing to say, just say “no new updates, we’ll update again at $blah”. And speaking of times, having the current time on the page is helpful for a global service, since not all users know what your time zone offset is.

On a more personal note, I was pleasantly surprised with how well I managed without my outsourced brain. Wunderlist has become a critical extension of my brain. Fortunately, I didn’t have much pressing due during the outage. But it did make me miss my old days of using TuDu running in a screen session.

Come see me at these conferences in the next few months

I thought I should share some upcoming conferences where I will be speaking or in attendance.

  • 9/16 — Indy DevOps Meetup (Indianapolis, IN) — It’s an informal meetup, but I’m speaking about how Cycle Computing does DevOps in cloud HPC
  • 10/1 — HackLafayette Thunder Talks (Lafayette, IN) — I organize this event, so I’ll be there. There are some great talks lined up.
  • 10/26-27 — All Things Open (Raleigh, NC) — I’m presenting the results of my M.S. thesis. This is a really great conference for open source, so if you can make it, you really should.
  • 11/14-18 — Supercomputing (Salt Lake City, UT) — I’ll be working the Cycle Computing booth most of the week.
  • 12/4-9 — LISA (Boston, MA) — The 30th version of the premier sysadmin conference looks to be a good one. I’m co-chairing the Invited Talks track, and we have a pretty awesome schedule put together if I do say so myself.

Twitter doesn’t need read receipts

Not content to leave the potentially user-hostile decisions to Apple, Twitter announced last week that they were adding read receipts (among other features) to direct messages. Annoyingly, this is an opt-out feature. Twitter is once again adding a feature no one wants while ignoring the real problems of abuse on the platform.

I’m no product management expert, but I know there are times when you listen to your users and times when you don’t. “I want this thing” is a good time to not listen to your users. That’s not to say you ignore their wishes entirely, but you can build a product that people like even if they don’t realize that’s what they want at the time. Apple has had a fair amount of success with this approach.

“This thing is a problem” is absolutely something you listen to your users about. Particularly when prominent people end up abandoning the product. While Twitter has given lip service to the harassment problem, it does not appear to have taken any meaningful steps to address it. In fact, the read receipts can bolster harassment.

Before the addition of read receipts, harassers would have to guess if a direct message was read or not. With read receipts on, there’s the immediate satisfaction of knowing your message got through. Even setting harassment aside, read receipts just reinforce the cultural demand for immediacy. I’m fairly connected digitally, but I don’t see a benefit to read receipts. I’ll probably respond to a message quickly, but if I don’t then that’s my decision. I don’t need the platform insinuating that I’m ignoring someone when I’m really just trying to keep my children from tearing the house apart.

Instructions for disabling read receipts came out almost as quickly as the announcement.

Full disclosure: I own a small number of Twitter shares.

Will Apple get tangled up in wireless headphones?

Last week, Apple announced the latest version of their flagship product. The iPhone 7 will begin shipping to customers on Friday and it will be the first to not have a headphone jack. The 3.5mm jack, which has been around since at least 1964, is the standard appearing on computers, music players, phones, some airline seats, and more. The standardized technology means you can use one set of headphones in any of those places without hassle (except for detangling the cords, of course).

But no more, says Apple. They used “courage” to describe this decision, a phrasing that has been soundly mocked. Courage probably isn’t the right word, but it’s certainly bold. This is a big risk that Apple hopes lays the foundation for additional changes that will lead to an inarguably better product. Of course, it might serve to further put the brakes on plateauing sales and a growing sense of meh.

Apple supporters are quick to point out that the doomsayers were wrong about Apple’s decision to remove floppy drives, CD drives, and ethernet ports. This feels like a different scenario, though. In previous cases, there was always something better to use instead (though I still wish the MacBook Pro I use at work had a wired ethernet port). Particularly by the time the optical drive was killed, USB drives and network services met the needs of the average consumer much better.

What’s the better option for the iPhone 7? Purchasing headphones that can only be used with Apple products, that require charging every few hours, that can’t be used while the phone is charging without an additional adapter? Will the technology used by these wireless headphones avoid the lag and disconnection issues that can frustrate Bluetooth device usage? Will noisy spectrum become an issue in crowded spaces like buses and subways? Will people be able to avoid losing them?

Apple’s previous removals proved to be successful enough that other manufacturers followed suit. But that success was possible in part because better standard solutions were available. This time, there’s no standard; it’s Apple or nothing. I don’t see that there’s a compelling enough story for the average consumer to support this as a long-term change. I’m no soothsayer, and I could end up completely wrong. But I bet Samsung really wishes they could have a do-over on the Galaxy Note 7’s battery: it could have been a great chance for them to take some of Apple’s market share.

Slack and abuse

Recently, Sara Mauskopf asked how to block a user on Slack, the popular chat platform. Slack’s social media team replied: 


The response is not helpful. As Mauskopf pointed out, Slack is used in many environments. Communities have adopted Slack as an easy, cross-platform communication tool. Some may have governing bodies, and they should all have a code of conduct, but there’s often only an informal power structure. This means that abusers can go unchecked (and there’s no guarantee that a corporate HR department would be quick to act).

Slack’s self-reported diversity numbers are not as bad as many tech companies. Nonetheless, this strikes me as a failure to empathize with people who face abuse online. I don’t understand how a communication platform in 2016 can not have some kind of block feature. Even Twitter, which has a pretty lousy track record of dealing with abuse, has the ability to block users.

I can understand how some organizations might not want to allow users to block others, but that’s not a good reason to forego the feature entirely. Giving site administrators the option to allow blocking would be a big improvement. Until then, it’s hard to suggest Slack to open communities.

The Local Storm Report product still has value

Several tornadoes hit central Indiana last month. During the event, a tornado warning was issued for Indianapolis. I saw several local media people tweeting that police had reported a tornado but no Local Storm Report (LSR) had been issued by the National Weather Service. I thought that was rather odd, and mentioned this incongruity in a tweet. It didn’t seem right to me that a tornado could be reported in the 14th-largest city in the United States but have no LSR issued.

Several people replied to tell me that the police report was included in the text of the warning. I did not take kindly to that. While including such information in a warning is great, that’s not what I was after. I specifically wanted an LSR. I was asked if it’s still a relevant product, so here’s this post.

The Local Storm Report is still a distinctly useful product because it has a defined format. While most people do not consume LSRs directly, the rigid format allows it to be used in a variety of useful ways. For example, a media outlet can parse the incoming LSRs and use the coordinates and type to make a map for TV or web viewing. This can help the audience better understand the type and location of a threat.

Additionally, they’re helpful for downstream experts (other forecast offices, emergency managers, etc.) to know what a storm has produced. I often watch the LSRs issued by the Lincoln, IL or Chicago offices when severe weather is approaching my area to see the ground truth to go along with the warning. Knowing that a storm has (or hasn’t) produced what the warning advertised can be very helpful in formulating a response to an approaching weather threat.

Apart from the warnings, timely and frequent LSR issuance is one of the most valuable functions of a National Weather Service office during a severe weather event.

But what about social media?

I’m glad you asked. Someone suggested that social media is a better avenue for communicating storm reports, in part because a picture is worth a thousand words. I agree to a point. Seeing a picture of the tornado heading for you is more powerful than words or a radar image. In that sense, social media is better.

But Facebook is awful for real-time information. Twitter is limited in the amount of detail you can include and has a relatively small audience. Plus, social media is hard to automatically parse to reuse the data, unless every forecaster tweets in a prescribed format.

The ideal scenario would be to tie social media into the process of issuing LSRs. As an LSR is generated, the forecaster would have the option of posting the information to the office’s social media accounts (perhaps with a link to the LSR). If we’re granting wishes, the posting process would also allow for the inclusion of external images.

Until that day comes, I’m going to keep looking to LSRs for verification during severe weather events. And I’ll keep being disappointed when they’re not issued. 

New entry in the Forecast Discussion Hall of Fame

Most entries in the Forecast Discussion Hall of Fame earn the honor with a consistent excellency throughout the entire work. As Hurricane Hermine approached the Florida coast earlier this week, forecasters at the Tallahassee forecast office were focused on the effects of that storm. The fire weather discussion contained a single word, and that’s what landed it as the most recent entry.

It’s worth noting, too, that several subsequent updates to the Area Forecast Discussion left the fire weather section unchanged. I’m glad to see Southern Region Headquarters did not immediately rain bureaucratic hell upon the office. I’m not sure that would be the case in other regions.

August Opensource.com articles

It was another great month for Opensource.com. We had our second most page views and while I’m not saying it’s because I published three articles (after a nearly three-month hiatus), I’m just saying. 😀

Speaking of writing for Opensource.com, October is our “Most Open Month”, when we try extra hard to feature new writers. Visit https://opensource.com/story and tell us your open source story.

Anyway, here are the articles I wrote last month: