Mitre10 web site dark patterns

Dear Mitre10

I have bought many useful tools in your shop, and got very good service every time. But today I got a nasty surprise. I bought a Fuller Revolving Punch 200mm in order to punch some holes in some nylon fabric. Maybe the cutting tubes are made of “strong carbon steel” as you advertise, but the rest of the tool seems to be made of wet paper. I was able to bend it out of shape, squeezing the handles together until the metal bulged at the joint. On the very first go. With one hand. And I’m a software developer, not a body builder. The tool was unusable after literally 10 seconds.

Anyway, I was very annoyed at the quality, and wanted to post a review. And this was where I got really very annoyed, for two reasons:

  • Your review form displays a warning to “disable any ad blockers, which can prevent successful review submission.” No, that’s not how computers work. And if for some bizarre reason you’re submitting reviews through one of your ad providers you probably want to review your review code. And as warned, yes, indeed, I was not able to submit my one star review.
  • Your web site does not display product details, including reviews and their submission button, when viewing in Tor Browser. Not even after logging in and disabling all JavaScript blocking.

If you can’t support your users, tell them!

Most free and open source projects these days have plenty of documentation for producing a good bug report. This is really helpful, and we should continue improving our reporting tools and documentation. There’s a special warm feeling following the submission of a bug report with exact version numbers (of course the most recent stable), idiot-proof steps to reproduce, anything relevant from /etc, /proc and env and maybe even a core dump. Many projects will answer these quickly and either repair the defect or explain where you went wrong in assuming how the program should work. FOSS at its finest, and respect all round.

There is a different sort of warm feeling when you slowly realize that the hours you spent figuring out how to reproduce, collecting all the relevant data, and writing the bug report were wasted. Because nobody is ever going to fix it except by accident, and you are left with the choice between a) spending days, weeks or months accumulating enough context to fix it yourself, b) spending days, weeks or months replacing it with something different which has other, unknown, trade-offs or c) give up and do something else.

It’s important that we as a community come up with ways around this. Respect needs to go both ways – if you expect your users to follow procedure, don’t waste their time when they do. If bug reports are left unanswered, please let users know why before they waste time.

Nobody is interested in the printing subsystem? Ask for someone to take over, and let people know when reporting that such and such issues are unlikely to be solved any time soon. You’ve moved on and don’t actually want to work on the project anymore? Mark it as abandoned. You’re overworked? Recruit some help. Or if none of these sound attractive, you could charge for support or simply close the reporting system. Really. A strong community will find a way, but having a communications black hole is a recipe for a lot of bad blood and unnecessary negativity to enter into it.

Other than this, what can we do? Some automation might help. Bug reporting tools can easily produce statistics about the mean time before getting an answer, for example. Some tools encourage feedback about whether the answer was useful. How about displaying a summary of the responses? In what other ways could we save everybody time when handling bug reports?

Stop asking your students to write command line UIs

How often have you used a UI like this?

| 1. List files            |
| 2. Show the current time |
| 3. Show Top              |
| 4. Quit                  |

Enter your selection: 

Even if you are a banker, travel agent or a medical doctor I would argue never. These groups are unfortunate enough to still have to use arcane command line interfaces to do unspeakably complex things like recording last week’s hours or reserve a ticket to your home town. But none of these systems are razor thin wrappers for simple shell tools – they are that way because they are really hard to replace. And more importantly, no employer is ever going to ask anyone to make a menu based command line UI for their shell script. It just doesn’t happen anymore. It is not a valuable skill. ASCII art is recreation, not work. So the time spent fiddling with echo and read is wasted, and could be put to better use.

There are many generally applicable skills you can teach shell newbies:

  • The Unix philosophy: writing programs that do one thing, that work with other programs, and that handle text streams. An hour of cobbling together a pipeline of grep, cut and a light sprinkling of sed can save days or weeks of data processing which might take a week to write in Python or six months in a spreadsheet.
  • On the flip side, they should know the limitations of the shell. Why while read is several orders of magnitude slower than other language equivalents. Why writing secure shell scripts is basically impossible. Or why big shell scripts are a maintenance nightmare compared to other languages.
  • Which tools are available to do what. There are so many useful tools you could probably spend a week full time just touching briefly on each of them. Check out for example BusyBox for a set of generally available tools.
  • Where to look for answers and how to ask good questions.

Firefox add-on to highlight insecure links

Insecure Links Highlighter does what it says on the tin. On a web page like

it adds a bright red border around any insecure links, turning it into

It supports HTTP, FTP and (by default) links with event handlers which may or may not be doing bad things. Useful for security and privacy-oriented users and web devs alike.

How to recover password after shortening

Writing secure software is hard. At the same time, some things are so fundamental that failing to implement them is just inexcusable. One of these is that you must not limit the password length. (At least below some crazy limit like a thousand characters. Long before that your password is no longer the weakest link in even the most secure systems in the world.) Enter my new router, ironically named the Orcon Genius. It’s a bog standard consumer router, and like most routers it came with an insecure admin password. I promptly replaced it with a long, generated password, but afterwards I could no longer log in. I suspected a shoddy implementation, so I cobbled together a script to try logging in using every substring of the password. After about half a second it spat out the correct password, verifying that this router only saves the first 15 characters of the password. The script is very simple:

 password='your_secure_password' # the line starts with a space
for start in $(seq 0 $password_length)
    for length in $(seq 1 $(($password_length - start)))
        if curl --basic --fail --silent --user "admin:${substring}" > /dev/null
            echo "$substring"
            break 2

The space before the variable assignment is to avoid storing the password in the shell history. Your shell may not support this feature, in which case you need to figure out how to securely erase the password from your history. Consider yourself warned.

I’ve reported this issue to Orcon. Hopefully they will fix the firmware.

These companies work against your freedom

Most companies have never done anything sufficiently evil to deserve going on this list. This list is reserved for companies which have done at least one thing that was so bad they should not be forgiven for it. I will try my very best never to do anything benefiting them economically, and I hope you will too.

How broken is Samsung UK support?

This is how broken:

  • There are two “types” of requests, both of which link to the same page. This wastes customers’ time.
  • Can’t find my hardware by browsing or searching for the model. I tried three different ones – the long name from the order, the short name from the shop, and the name that shows up in the “about” screen on the device itself.
  • After continuing with the wrong model, I had to fill in my contact details even though I had already registered them.
  • When I tried to submit the form I got a “Tried to send data without session.” error. Resubmitting didn’t work.
  • Intermission: at this point I tried to use the built-in support request functionality on the device itself. After filling in the forms using arrow keys (and reminiscing about the NES days), I was simply told that all available support slots were taken. At this point I could no longer progress in the form. Fuck.
  • Re-opening the form in another tab did work. The experience so far did not exactly inspire confidence, but I still hope someone will reply.