Friday, October 12, 2012

Accessibility: Not Just For People with Disabilities

This is an old post from my old blog. It belongs here.

How many accounts do you have?
  • Banks (savings, checking, ATM, etc.)
  • Credit cards (more than one? More than four?)
  • Car care clubs
  • Insurance companies (multiple?)
  • Mortgage(s)
  • Maintenance service contracts (car, home, appliances, etc)
  • Doctors (yours, your kids' and your pets')...
What other items have i missed here?
Do you access these services on-line for bill paying and general management and tracking purposes? What about other on-line accounts?
  • Special interest forums.
  • Registration and licensing accounts (for multiple product vendors).
  • Technical support (for multiple product vendors).
(Some companies that make you register your product purchase on-line will force you to use a totally different user name and password for the registration system AND their on-line forums. Let's ignore the technical reasons (differing systems that are not in any way integrated) and just say that this is simply dumb)
i have so many accounts to keep track of, with different on-line URLs and different user name and password combinations, that i cannot remember more than a couple of them. My web browsers automatically fill in the fields for me. When that fails, i have a note with each account and its specific details and passwords on my Tapwave Zodiac (my choice of PDA, still, despite Tapwave ceasing to exist).
Yes, not using the information from my head makes it easier to forget. Maybe you would do better, if you didn't grow up with learning disabilities... but would you be able to remember 46 accounts and their associated passwords and IDs? That's how many i currently track on my Zodiac.
Points of interest:
  • Security pundits of the world will tell you not to use the same password for every account. Apparently these pundits are of super-human ability, able to remember more than 7 (plus or minus two) unique identifiers and which accounts they go to. i may have some autistic genius traits, but keeping track of 46 accounts with only my brain is far and away beyond my abilities. Maybe if the information was meaningful to me, but...
  • There is a set of criteria commonly used to tell users how strong their password is. It usually goes by the number of characters used, mixed case (yes, capital and lower case letters are DIFFERENT things in computer land, folks... this is called "case sensitivity"), and the use of numeric and special characters.
  • Those super human security pundits recommend 8 characters or more... with mixed case... and numbers... and, yeah, don't forget the special characters, too.
  • Security pundits also tell you not to use a real word that exists in a dictionary, especially in your native language, or, at the very least, to intermix numbers and special characters among the letters of the word.
  • Certainly you should never use a word that people who know anything about you might be able to guess, even if THAT word is not in an official dictionary.
So, to sum up the requirements:
  • The real recommendation is that you use nonsense passwords...
  • With mixed case letters
  • And numbers
  • And special characters
  • At least 8 characters, but "more is better"...
  • Hell, you better make that 14 characters, just to be safe.
  • And never, ever use the same password more than once.
To make security pundits, network administrators and *nix geeks around the world gasp in disgust, i proudly admit that i use the same six character password for each account, wherever possible. "Wherever possible" is a mighty big variable here...
At least 65% of my accounts demand a password format which my favourite standby password fails to accommodate. About 50% of those accounts will not allow me to make the same generic modification to my standby password. Still other accounts require me to regularly enter personal information, just so they can be sure it's really me. (don't forget your dead parrot's middle name, kids)
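The rules summed up above, and the real cost of a reused six-character standby password, as an added worked example. This is editor's code, not from the original post: the sample dictionary, the account vault and the offline guess rate of ten billion per second are constructed assumptions, and the keyspace figure is the brute-force search space implied by the character classes actually present, not a measure of how guessable the string is.

```python
import math
import string

# Constructed stand-in for a real cracking wordlist (assumption).
SAMPLE_DICTIONARY = {"password", "secret", "monkey", "letmein", "dragon", "qwerty"}

SPECIALS = set(string.punctuation)  # the 32 printable ASCII symbols


def policy_violations(pw, min_len=8, dictionary=SAMPLE_DICTIONARY):
    """Return the summarized 'pundit' rules that pw breaks (an empty list means it passes)."""
    violations = []
    if len(pw) < min_len:
        violations.append("too_short")
    if not any(c.islower() for c in pw):
        violations.append("no_lowercase")
    if not any(c.isupper() for c in pw):
        violations.append("no_uppercase")
    if not any(c.isdigit() for c in pw):
        violations.append("no_digit")
    if not any(c in SPECIALS for c in pw):
        violations.append("no_special")
    # Strip digits and symbols first, so "Password1!" is still caught as a dictionary
    # word: a word with numbers sprinkled in is exactly the variant crackers try first.
    letters_only = "".join(c for c in pw.lower() if c.isalpha())
    if letters_only in dictionary:
        violations.append("dictionary_word")
    return violations


def keyspace_bits(pw):
    """Brute-force search space, in bits, implied by the character classes actually used."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in SPECIALS for c in pw):
        alphabet += len(SPECIALS)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def seconds_to_exhaust(pw, guesses_per_second=1e10):
    """Time to try every string in the keyspace at an assumed offline guess rate."""
    return 2 ** keyspace_bits(pw) / guesses_per_second


def accounts_exposed_by_leak(vault, leaked_account):
    """Given an {account: password} vault, list every account sharing the leaked password.
    This is the price of 'the same password wherever possible': one breach opens all of them."""
    leaked_pw = vault[leaked_account]
    return sorted(name for name, pw in vault.items() if pw == leaked_pw)


if __name__ == "__main__":
    for candidate in ("abc123", "Password1!", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(f"{candidate!r:30} violations={policy_violations(candidate)} "
              f"bits={keyspace_bits(candidate):.1f} exhaust={seconds_to_exhaust(candidate):.3g}s")
    # Constructed vault: one standby password reused on three of four accounts.
    vault = {"bank": "hunter2", "forum": "hunter2", "insurer": "hunter2", "email": "Q7#vLp9!xWm2"}
    print("forum leak exposes:", accounts_exposed_by_leak(vault, "forum"))
```

Two things fall out of running it. The 25-letter lowercase phrase fails three of the composition rules yet has a far larger keyspace than the 11-character "Tr0ub4dor&3" that passes all of them, so length does more than mixed case and symbols ever will. And the reuse rule is the only one a single leaked forum database actually tests: every account sharing the standby password falls with it, whatever its length.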
One company, astoundingly, and quite opposed to the beliefs of super human security pundits, limits the user's log-in name to eight characters. This is because they are still living in the past. The 8-bit past. The *nix past. The real point, though, is that this leaves me with one single account that accepts neither my first initial and last name nor my full email address as a user ID (the two most common account name types for a person to use, based on current web standards that none of us voted for).
So, let me get this straight... in order to have "respectable" security in place with your accounts (unless you're using a card swiping mechanism for an ATM which only demands FOUR digit "PINs")... You have two options:
  1. Be super human
  2. Write them all down somewhere
i don't think that many of us fit into category one, above. Yet, the pundits, network admins and the geeks damn us mere mortals for all the security risks and breaches of the world. "Problem Exists Between Computer And Chair" they say. How many of those "experts" follow their own rules, i wonder?
To those same pundits, admins and geeks, i go so far as to declare (not suggest, but DECLARE):
Your security demands CAUSE security breaches by REQUIRING human beings to write things down!!

The goal: Secure Computing.
Where is humane computing?

Back in the day, you know, when everything was limited to 8 characters (and PINs of four numbers were not marks of shame) there were no raging disputes about these things. Mostly because:
  1. The systems were few and far between
  2. The technology did not exist for 256-bit encryption of 14-character passwords with mixed content
  3. No one had yet decided to sponge their fortune from "clients" who needed "Security Advisors," or other such titles, to solve a problem not yet invented
  4. "Hackers" were programmers and "Crackers" were busting copy protection on 8-bit games.
  5. People didn't really care (largely because of points one and three).
These days, though... it's all about security. i mean, we have EVERYTHING on-line! "On-line" used to mean "on computer" but now it means "The Internet." That must also mean that any "hacker" with access to a networked computer (or not, if you believe the crap you see on The X-Files) must also be able to get at your data whenever he (or, sigh, she) feels particularly evil. Ooooo, HACKERS... that sounds so... evil!
Yes, we must make it all secure, now. It didn't matter before (except to some crazy wingnuts playing with something called the "CLI" and something called "ARPANET" on some archaic computer systems created in the 60's), but there is nothing more important today than security. Ask anyone who recently moved to Windows Vista and they will tell you just how much they like the new security features of their computer's latest operating system. Yes, yes, it's all about SECURITY!
(Oh, and privacy. How many dead trees do your service providers mail to you and make you read at the office, defining their privacy policies, again and again... and again, despite the fact that pretty much nothing has changed since the laws they must follow were established in the first place. It's all about covering corporate butt. Take a look at my recent set of articles on flickr and ask me how many of those complaints are "covered" by flickr's claim of protecting users' privacy... not MY privacy, per se... just... users in general)

Hell, screw reason, sensibility and rationality. Screw the human beings trying to use these systems!
  • It's not about you.
  • It's not about service.
  • It's all about "SECURITY!"
  • It's all about "PRIVACY!"
  • It's all about Covering Corporate Ass! (and making money doing it)

If you are actually able to get to your data, it's just not secure enough!

Full Disclosure:
i'm a former computer geek. Or so said the flame to which... i mean, the standards to which i was held way back in middle school. i was a computer geek when it was uncool and could get you a punch in the gut, just for fun. Today, thanks to people at advertising agencies working for Apple and several other technology companies who are constantly desperate to widen their market and user-base, computers and geekery are somehow "cool."
Now that it's kool to be a computer geek and "hot" girls wear tiny t-shirts with "i love nerds" on them... i've given it all up (as much as i can, given that i cannot hire my own technical support geeknerd to fix things for me while i go outside and enjoy the sunshine).
i worked in "the industry" for almost two decades (almost). i did pretty much a little of everything at one point or another. Programming, customer service, technical support, network management, etc. (not that the network managers i was filling in for would admit that, as i have no magical certificate that declares me a "specialist").
i even crusaded (rather intensely) for an "alternative operating system" called BeOS. i briefly crusaded for Haiku. During my BeOS/Haiku crusades, i started to recognize that computers are really just junk, made by geeks, for geeks. The attitude of most programmers (not all) and companies (not all) was "RTFM." (wiki that one)
i discovered that this was not at all about making good stuff that would solve problems and make life easier for everyone. It was an elite club and normal people were not allowed (but they were expected to buy the stuff and shut up when it didn't work, because it must be the user's fault).
The computer industry used to be a fascination to me, but now i just want the tools to do what it says on the tin. If it's broke, out of the box, i shouldn't have to fix it. It should have a warranty. Not a statement in the "End User License Agreement" (which you never read, let alone agree to) saying "The entire risk of the purchase is on you. No warranty is expressed or implied, including fitness for a particular purpose."
i call myself a "born again USER." i used to have a career making the lives of other users easier when they came to me saying "I just don't get this computer stuff." i loved to tell them that it wasn't their fault.
This article is probably like walking through a room full of ex-cons with all of my personal information printed, legibly, on my t-shirt, while giving them the finger(s) and calling their mums whores. But, you know what?
A computer is supposed to be a tool, people.
Make it work,
use it,

Wednesday, August 8, 2012

Still No Accountability In the Computer Industry?

i'm not going to rant on about EULAs (which deserve many rants). Instead, i direct you to a paper written by someone with more credibility than myself, who has written a well-thought argument for why there ought to be accountability in the computer industry.

"Accountability In a Computerized Society," By Helen Nissenbaum.

It's not the easy read of your c|nets and Foxes, and it was published in 1996, an eternity in computer industry time. Yet, it's thoughtful and all the more relevant today, especially as online security violations make software bugs look passé. But why should any of this ever become passé? To quote Nissenbaum:
"...if experts in the field deny that such a distinction can be drawn, in view of the inevitability of bugs and their potential hazard, it is reasonable to think that the field of computing is not yet ready for the various uses to which it is being put."
Well said.

...and here's a cartoon (click for original):

Wednesday, August 1, 2012

Websites Should Behave Like Websites

I don't do much with this blog because, being a GUI perfectionist, I would rant all day about things no one seems to care about. But, well, maybe some people DO care:

Pretenders: Why mobile web apps should stop trying to act like native apps