Friday, November 21, 2008

As predicted: Google "Lively" dies!

The official Google blog confirms that "Lively" wont make it to 2009.

I can't really say I am surprised, as I predicted this months ago. Instead of trying to make a list "what did they do wrong?", just ask: "What did they do right?".

Thursday, July 10, 2008

Darn! I got ripped off!

Yesterday night, a shy looking teenage girl rang my door.
According to her, she was collecting donations for a childrens's hospital, any donation that I could make would help her school out and would be well appreciated.

Somehow, the professionally amateurish "pitch" made me cave in. I donated $40 cash. She asked if I would like a receipt for tax purposes. I said "Yes".

Later, I took a closer look at the "tax receipt" she gave me.

Wait a minute!

That's right folks, the old saying "no good deed goes unpunished" still holds true.
Apparently, somehow, I was signed up for a "magazine subscription". Lord knows which one, as the girl never mentioned the word "magazine" to me.

The "receipt" itself showed very little detail, except for a "customer support" number, which I promptly called. Which did not work.

My next action was searching for that number on google, which turned out a multitude of complaints and "scam warnings".

Luckily, I donated in cash, not by cheque. I know perfectly well that the $40 is gone forever, my only concern is the sleazy company trying to imply that I somehow subscribed to their magazine, and this $40 was registered as $48 (see picture) "first installment" payment.

Then again... let them come! With no signature on file and my name spelled incorrectly on a barely readable scrap I suspect that they will have a hard time holding it up in court.

Side note: she promised to come by in a few days to drop off a "thank you" note. I doubt that she will, but if it happens I will post updates (and hopefully pictures) of our "animated" conversation.

Moral of the story:
Be very careful when somebody comes to your door. Always ask for documentation, and tell them you will get back to them. Most legit companies will be happy to comply.

Needless to say, I won't be donating anything to anybody any time soon any more.

Wednesday, July 9, 2008

Google "Lively" reviewed by a Second Lifer

After seeing the news of the beta release hit the net this morning, I just had to check out the new Lively service.

Installation consist of downloading an "Installer" program that downloads another installer, which then open a web page, which references an iframe which references an ActiveX-like object which actually launches the application.

Here's an example of what you get:

I'm the redneck pig.
Out of the dozen available avatars, that one was the least creepy.

The chat bar says: "Go ahead, say something!", so that's what I will do. Here are my impressions so far.

  • It's slow. Slow, slow, slooooooooooow. Really. After 15 minutes of waiting, the "Room Materializing" meter was at about 60%

  • Movement controls work backwards. Left, right, forward and backward are inverted. Or do random stuff

  • Camera controls are so bizarre that you need a degree in advanced mathematics (and perfect motor control) to even look at something.

  • There is no "building" areas. You can select from a couple dozens of pre-baked "rooms" and .. that's it.

  • The general feel is overly "cartoonish".

  • Head-to-body proportions range from "dangerously unhealthy looking" to "absurd". Would it be sexist of me to say that I'm freaked out by girls who's eyeballs are bigger than their boobs?

  • You can "buy" stuff in the "catalog". Seems like the "e-commerce" part of the system got the most attention.

  • For the life of me, I could not figure out how to get to my "inventory" of items that I bought.

  • No user-generated content. Nada. Move along.

  • The messed-up-skeleton-look of the the figure on the left is not a fashion statement. It's a "ruthed" avatar.

  • The "animation" part works only in "couples". You click on a person to harass, then choose anything from "kiss", "propose" to "kick" or "bodyslam".

  • No "teleporting". You log out one room and log in to another. No communication between rooms exist (that I could find)

  • Did I mention it was slow? Even in an area with only a dozen of avatars and a handfull of "objects", the load times are nerve-wrecking! Yes, I understand that there is a traffic spike because of the launch. But I expected the Googleplex to be able to withstand way more that a few thousand teenagers trying to chat.

In short: For the time being, it seems like Linden Labs has little to fear from Lively.

Friday, May 9, 2008

On the security of credit card signature verification

I just rediscover this very entertaining post about a man's quest to have his signature verified when making a purchase.

So when does anybody look at the signature on the back of your card.
The short answer: Almost never.

Automated systems don't read it.
Humans never look at the paper receipt.
Most waiters only pick up the signed statement after you left the building.

And don't get me started on these "electronic signature" pads at grocery stores:

At first, I (quite naively) expected them to do a fancy AI signature comparison on the fly. That would be logical, since most of the time, the cashier does not even see what you wrote on her own screen.

After a lot of experimentation, I have reverse engineered the complex algorithms in these machines that decide on whether a signature is accepted or not.

It goes something like this:

10 DRAW(Blank_Rectangle, Buttons)
20 WAITFOR(Ok_Button_Pressed)
30 IF (NumPixelOnScreen < 20) THEN
60 PROCESS(Transaction)

That's it. So a blank screen or a single dot wont be accepted. A straight line or any drawing that you can come up will.

Again, that's regardless of what is on the back of your card. Even if it says "SEE ID".

Side note: The whole idea behind "SEE ID" is that is would somehow be harder to fake a driver's license than a signature. If that is true, how come all those teenagers are using fake licenses to get alcohol?

So should you or should you not sign your real signature?

Let's run the scenarios:

When you sign your real signature:
- The shop has proof you made the purchase, can hold you liable.

When you don't sign your real signature:
- You gain time, since a quick swipe of the pen to draw a line goes a lot faster.
- The shop can never prove you made the purchase. If the purchase ever gets contested, their "image proof" will be laughed out of court.

I'll let you decide on this one...

Sunday, May 4, 2008

American warning labels

Saw the label when packing stuff up:

What do mean I can't pack up my toddlers in these? I want to keep them organized and quiet!

Monday, April 21, 2008

"Faxing for security"

In this weeks episode, the alien tries to get his credit report from Transunion. (For the non US natives out there: You don't exist without a credit report. That high-tech visa may be good enough for DHS, but not for your landlord!)

I went through the entire online sign up process (did I mention that you need to pay to give them information on yourself, so that they can sell that information to others?). As expected, the online system freaked out and insisted that I call customer support to "confirm my identity". So I called the give number and got on the phone with "Michael", (who's accent I would place somewhere in the Southwest... of Bangelore!) who, in a calm and friendly voice, explained what I needed to do.

It went something like this:

- Please send a copy of your drivers license and proof of address to this fax number...
- I don't have a US drivers license. Would a passport work?
- Eh... Okay... We can accept any government issued ID.
- Any government? Or "US government"?
- Eh....
- Never mind. What's this about proof of address?
- We need a "recent utility bill" to prove your address.
- Ok... Right. I have all that online, available right now. Can I just email it to you?
- No! For your security, you need to fax it to our customer support fax!
- (Sigh) All right then....

Let me re-state some of the background issues here:

  • Companies trust a "utility provider" as legal proof of residence. That includes the phone company, the water, sewage, cable, .... etc... These are the same guys that can't even get my bills right!
  • Most of these providers allow you to sign up online, without any validation.
  • Most of these can be paid and managed completely online, without ever seeing any paper. Which means... there is no address verification!
  • All of them allow you to view and print your bill online, either from a web page or a PDF. This means that if you can hit the "Edit page" button before printing, you can make up your own address!
  • For "my security", I need to login, download a PDF, print it, then stick it into the fax. Not only does this process eat a severe chunk of the quality of the documents (making any supposed verification even harder), it also means that I now have a paper copy of the (supposedly sensitive) documents, that I need to get rid of securely.

Now I know why Skype has the (banghead) emoticon.

Thursday, April 3, 2008

I'm really hot on Myspace!

Just look at my "friend request" page....

If I am being stalked by hordes of sexy looking girls, I must be doing something right, right? Right? And they happen to all have their own webcam service!

But I wonder why they don't ever want to give me their phone number? :(


It seems like profile spammers are getting more and more desperate every day. Other food for thought: On myspace, I receive dozens of spam requests every week. On facebook, I have received... zero! Is the facebook system so much more resilient to spam? Or is their demographic much less gullible?

Monday, March 31, 2008

ObiJan Bio Page

I haven't risen (steeped) to the vanity level of blasting people with "About Me" pages (yet), but the geek in me wanted to play with the (now extinct) Google Social API. The OCD-based organizer inside me agreed that it would be neat to have a central page to list all my various "profiles". Even the slob in me liked that, because he keeps forgetting all those links themselves. The other voices in my head were talking about things involving cheesewire and an electric bushcutter, but I kept them sedated.

So here goes...
"About me" on various sites:

You may find my main "real" experimental site at

2014 Update: Removed all the extinct links. 

Monday, February 25, 2008

Ponderings on "multi factor authentication" sillyness...

It seems like a disturbing trend:
Banks adding "more security" by adding extra "security questions"...

In short, the alleged idea is make your account more secure then just using your password (which is normally only known by you) by asking "personal trivia questions" related to high school mascots, car brands, maiden names,...

Whats wrong with that?

  • It's insecure by design. Most of this information is public! A potential attacker can guess or google this information. Different sites are also using the same questions.

  • It's extremely error-prone. What was that pet's name again?

  • It adds no extra phishing protection. A fake site can just as easily ask these questions together with your password.

  • Better solutions such as openid are publicly available, and allow the user to choose the level of security they prefer. Which can range from basic user-name password logins, over https client certificates to secure one-time key token-devices.

This (fairly cynical) post explains what I have been trying to get across way better that I did.

What to do when your bank forces you into this "Mickey mouse" scheme?
- Come up with a secondary password (preferable 2 "words")
- Fill it in as the "answer" to each question

This way, you are at least not decreasing the level of security provided.