If you tell enough stories, perhaps the moral will show up.


Desperate for a Wii

(This is my entrant for "most puerile reference to a Nintendo gaming console 2007".)

Now that the less mad son's eagerly desired birthday present has arrived from a reputable supplier (gamestation) I feel that it won't be tempting fate to describe what happens when you try and order from some other suppliers.

About ten days ago, Mrs U was desperately looking for a Wii. It launched months ago -- how could it possibly be in short supply now? The LMS was on a promise but there were none to be found with a fixed delivery date anywhere in the UK. Until she came across a site that magically was promising a five day delivery. Just time! So she shopped, waved her credit card, and waited.

No confirmation email: that's odd. Five days later, no Wii: that's a nightmare. Check the bank account: £2,500 debited by a restaurant in Surrey. Oooh.

Now I'm not naming the site because it's just possible that the cause of the trouble is actually this. But I don't think so.

The point to this sad story is that Mrs U is a competent shopper and competent security consumer. She declines to speak to the bank when they ring her up and ask her to confirm her identity. She knows what the padlock means. But as soon as she was a little bit needy, she was willing to deal with a site she'd never used before without doing the research that could have shown the slagging it got on Yahoo Answers; she was willing to ignore the absence of a phone number; and she clicked straight through the warning from the self-signed certificate that was pointing to a "commerce" site hosted the Dear knows where. Education and common sense swept aside by need and "experience" of good shopping outcomes in the past.

It's worse for the restaurant: they've accepted a bad card without a PIN and that'll mean a monster chargeback straight off their margin. Grief all round.

Education is supposed to be the key security tool, but it seems to me that the only education that works is to screw up.


Going to Work in the Dark Again

You don't have to work with audit logs to be a GMT bigot. But it helps.


Limited User? Limited programmer if you ask me.

Less mad son's birthday and the Wii hasn't turned up, so I had to fall back on an old promise to install Steam and pay for a copy of Garry's Mod. Whatever that is.

What it is, is an easy install, together with -- in Steam -- the crappiest LUA (limited user account) bug ever. Obviously it needs to be installed as an admin, and equally obviously, after a deplorable spyware incident, the less mad son is not an admin. So I installed it myself, tested, and then we flipped over to his account to run it there. Well, to cut a long story short, to run Steam as a non-admin, all you have to do is make sure that BUILTIN\Users have read-write permission from the install directory (\Program Files\Steam) on down. That's a bit of a palaver on XP Home, as it's hard to get the security tab to show, and I ended up going nuclear with a copy of subinacl, but conceptually it's the simplest possible LUA bug -- the installer doesn't bother to set the right permissions.

I'm not a bigot. Steam runs on Linux as well, so I can see that creating local application settings might not be the right thing to do. But I don't think it was too much to ask the testers to check that files shared among users were permissioned to BUILTIN\Users. Not to BUILTIN\Administrators.
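The tester's check described above, as an added PowerShell example that is not part of the original post: walk an install tree and report, per directory, whether BUILTIN\Users and BUILTIN\Administrators hold any write right, so a limited-user test account can be tried against the rows where only admins can write. The `$Root` default is a placeholder path, and `Test-WriteAccess` is a helper written for this example.

```powershell
# Audit which directories under an install tree are writable by
# BUILTIN\Users versus BUILTIN\Administrators. Added example, not Steam's
# or the post author's code. Run from an elevated PowerShell so every ACL
# can be read; $Root is a placeholder and should be pointed at the tree
# under test.
param(
    [string]$Root = 'C:\Program Files\Steam'   # placeholder path
)

# Any of these rights lets the principal change the directory's contents.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-WriteAccess {
    # True if any Allow ACE for $Identity carries one of the write rights.
    param(
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [string]$Identity
    )
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Identity -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

# One row per directory: the install root plus everything beneath it.
$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$dirs | ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.FullName
    [pscustomobject]@{
        Path           = $_.FullName
        UsersCanWrite  = Test-WriteAccess -Acl $acl -Identity 'BUILTIN\Users'
        AdminsCanWrite = Test-WriteAccess -Acl $acl -Identity 'BUILTIN\Administrators'
    }
} | Format-Table -AutoSize
```

Rows with UsersCanWrite false and AdminsCanWrite true are the ones a non-admin run will trip over; the same table, run after an installer that writes user settings into its own install directory, shows exactly which directories it expects to scribble in.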

In my opinion, programmers who test code using administrator accounts should never be admins again.

Still, at least Steam is free. Matlab costs £2-12K depending on what you buy, and our unfortunate application packager is going to have to spend days figuring out what part of the machine registry it's writing user settings to before I will sign it off for use in the firm. Slimy negligent gouging incompetents.