Monday, January 30, 2012

Oracle Support portal: HTML 5 replaces Flash

Oracle Support is upgrading their web interface from Flash to HTML5. I’m happy. I no longer have to twiddle my thumbs waiting for Flash to load:

Oracle-Flash

That was really annoying.  The consolation prize was that the Flash UI was still two orders of magnitude faster than the call back from support on a Sev 1, so the Flash interface really didn’t affect MTTR.

My major complaints about the Flash interface were: 

Managing Flash plugins on critical data center servers & management infrastructure. Adobe simply has not been able to keep Flash from being exploited, so having to rely on an exploitable plugin for daily operations never made me comfortable. It is really nice to be able to gather data on an incident and upload it directly to Oracle but that meant that the database management infrastructure had to have Flash plugins along with the associated risk/cost of an exploitable plugin.

Slow and unreliable. When I log into the Flash based support site, I typically need to reload the Flash app at least once, usually at the 90% marker. The new HTML5 interface is faster than Flash and doesn’t hang on startup.

Not tab aware. What could be more natural than opening up multiple SRs at once, each in their own tab? How about being able to search & opening up each result in a separate tab? Or being able to put an SR and its associated bugs side by side? The Flash UI couldn’t handle more than one tab. It excelled at making every interaction with the interface strictly linear.

Unfortunately what’s out there today still isn’t tab-aware. In IE I don’t get a right-mouse menu at all and if I try opening up new tabs on Firefox, I end up with:

Oracle-403

However – if I’m viewing an SR and I right-click on the printer icon, I can display the SR in a standalone tab. That helps. I still can’t open up an SR alongside it’s associated bugs though.
I suspect that Oracles lead UI designers are constrained by strict linear thinking. It probably never occurs to them that a user might work on more than one problem at a time or that a user might want to view both SRs an bugs at the same time. Or maybe Oracle has a corporate policy that prohibits two-button mice and browsers with tabs.

FWIW - In the process of playing with tabs, I also ended up here:

Oracle-NullPointer

Amusing.

50 million Megaupload users…

… have data in danger of being erased.

From Daniel Wagner’s AP story, is looks like:

  • The Feds are done cloning servers. They have what they need. They don’t care.
  • Megaupload assets are frozen. They might care, but are helpless.
  • The hosting companies for Megaupload [Cogent|Carpathia] [don’t have access|can’t comment].

Presumably there are legitimate customers of Megaupload who stored stuff that did not stomp all over other peoples copyrights. If so, it sounds like those customers are screwed.

Update Feb 02 2012: Maybe not. Carpathia Hosting and the EFF are stepping up to the plate.

Sunday, January 29, 2012

Secret question fail

My credit union switched to a new service provider for online banking and bill paying. The good news is that they’ve chosen a service provider that has a fairly modern looking interface, unlike the 1990s interface of their old provider. Among other things, they no longer use a captcha as a security factor and they now require “the latest versions of Internet Explorer and Firefox […] SSL compliant with 128 bit encryption” instead of IE5 and Netscape 6.2.  I keep thinking that old interface was screen scraping TN3270 session in the background. The new interface at least gives the appearance of having been written this century.

They did not set the world on fire with their state of the art authentication though. As far as I can tell, they still think that a secret question is a second authentication factor, and they regressed significantly by prohibiting me from creating my own questions. I used to have a secret question like ‘Who is Z's5.'vYCf!.v/Zu31wkJYjR’ with an answer something like ‘y=t0FgZtH+CMPS-!tjLB_Cac’.

Now I’m stuck with:

Bank-questions

This is really unfortunate. Of the 20-odd questions, at least 11 of them are available via ordinary public record searches, searchable ancestry records or social networks, and some of the remaining questions have limited entropy. In my case, various relatives of mine have published enough family history that all of the ancestry related questions are unusable for identity verification. The selection of questions is really poor.

I certainly hope that the credit union customers are smarter than the service providers and take it upon themselves to compensate for the service providers incompetence by fabricating nonsensical answers to the questions.

I also hope my long gone grandfather isn’t too put off by my assertion that his occupation was ‘.oUDq9%Y^yP7dRJoM9TTSG’ .

Thursday, January 26, 2012

“We keep logs as far back, as long as we have had software to keep logs.”

If I’m reading this right, Symantec had a breech in 2006 but didn’t think that the breech was significant. After learning that older versions or their source code was stolen, they re-analyzed the 2006 event from 6 year old logs (!) and determined that the source was stolen during that incident.

The interesting bits:

Nobody that was involved at the 2006 breech is still at the company, but the logs still existed and were sufficiently detailed to reconstruct the event. That’s really impressive.

Presumably whomever stole the source could have been busy writing bots that were undetected by Symantec AV. I don’t know that to be the case, but it certainly is possible. Owning the source code for an AV product would certainly be a competitive advantage for a bot-maker.

Symantec’s advice to shut off pcAnywhere is interesting. I’s not the usual advice you get from companies with exploitable software. Oracle has never asked us to shut off their unbreakable databases.

It’s broken, shut it off.