nope, apple doesn’t learn

Well, I answered my own question: Apple *does not* learn. The update: Apple sent out my machine for repair to address the screen issue and to repair some cosmetic damage for free, in exchange for my time and trouble with the machine thus far.

Today, I tracked the status of my repair with Apple’s repair status page, and noticed my machine was delivered at ~10 AM to the Apple Store. I went there at ~1:30 PM, and asked if I could pick it up. The person at the Apple store said they hadn’t unpacked it yet, and that they would call me when it’s ready. “Probably today, maybe tomorrow”. I told them it had to be today.

I went home, and just as I was walking up the stairs, I got a call. The machine was ready. I could have waited in the store if I had known they would be that quick, but I dutifully went back to pick it up–I want my computer back!

When I finally got it back, I found (to my horror) that they had replaced the logic board. For the second time. No joke. And, to top it off, they didn’t repair any of the cosmetic damage, as John and I had agreed. WTF Apple?

Apple has now agreed to give me a new machine. But seriously, did it have to be this painful? What’s going on at Apple? Will they learn from *this* experience? Maybe the price of the new laptop will open their ears… I doubt it.


bad security

I think the letter copied below explains the situation better than I can repeat it here, but during a recent interaction with UPMC Health Systems, I was surprised to find a lack of good security practice. How many more security breaches or information leaks need to happen before somebody starts auditing these systems for security issues?

Edward McCallister
UPMC Health Systems
200 Lothrop Street
Forbes Tower, Suite 10072
Pittsburgh, PA 15213

Dear Mr. McCallister,

I’m writing you as an information security professional because, during a recent interaction with your organization, I encountered behavior that could possibly lead to a breach of confidentiality.

Recently, I had trouble logging into the “MyHealth” portal to complete the necessary steps to receive my “Health Reward” offered through the University of Pittsburgh (where I work) and UPMC. I called the help desk, and was told that my account was locked. The operator (who was very nice, by the way) then confirmed my password with me. By confirming my password, I mean she read what I had originally entered as a password back to me over the telephone.

What is troubling is that she (or anybody) has access to my plain text password. This is not standard industry procedure. In this circumstance, operators can typically reset passwords to something known; the end-user is then usually forced to change passwords upon login. My point is that telephone operators (and anybody else) cannot see what the password is currently set to. This type of handling of passwords is even reflected in many operating systems’ password entry fields; the fields show asterisks instead of the actual characters as you type into them.

What makes this particular problem worth your attention? Passwords are usually authentication tokens tied to individual people; only I know my password. Administrators, for instance, may have access to my data under their own “administrator” credentials (accesses that are probably logged with their username for auditing purposes), but with the system as you currently have it set up, anybody can pose as what the system thinks is (and therefore logs as) “me”. It would be impossible for anybody to prove who “me” really was; it could be anyone that knows (or can find out) my password—me, any telephone operator or a system administrator.

What makes this even more dangerous? If a malicious individual were to gain access to your database, he or she could potentially have a list of plain text passwords. This would make it trivial for them to login using any of the compromised credentials, without the difficulty of having to “crack” a hashed password.

I take the confidentiality of my health information seriously and, as a steward of health information, I’m sure UPMC does, too. Part of enterprise security processes (and auditing), as I know from my education, is knowing who accesses what information when (and perhaps from where). Your system has security lapses of a type that prevent a reliable “mapping” of accesses back to the who I describe (assuming your system is secure otherwise).

I hope that you find time to discuss this issue with your information security team, and at least let me know that you received this letter and are working on resolving the issue.

Sincerely yours,

Jeffrey Maki
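
To make the practice the letter asks for concrete, here is an added example (my own sketch, not anything from UPMC or the MyHealth portal) of a password store that keeps only a salted hash, lets a help-desk operator reset an account to a throwaway value without ever seeing the current password, and forces the user to pick a new one at the next login. The class and method names (`UserStore`, `helpdesk_reset`, the audit tuple layout) are hypothetical.

```python
import hashlib
import hmac
import os
import secrets


class UserStore:
    """Hypothetical account store: no plaintext password ever hits disk."""

    def __init__(self):
        self.users = {}   # username -> {"salt", "hash", "must_change"}
        self.audit = []   # (actor, username, action): who changed what

    @staticmethod
    def _hash(password, salt):
        # PBKDF2-HMAC-SHA256 with a per-user salt. The stored value cannot be
        # turned back into the password, so nobody can read it over the phone.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, username, password, must_change=False, actor="self"):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt,
                                "hash": self._hash(password, salt),
                                "must_change": must_change}
        self.audit.append((actor, username, "password_set"))

    def verify(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        # Constant-time comparison so a mismatch doesn't leak how much matched.
        return hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))

    def helpdesk_reset(self, username, operator):
        # The operator never learns the old password: a random temporary value
        # is issued, the reset is logged under the operator's name, and the
        # account is flagged so the user must choose a new password.
        temp = secrets.token_urlsafe(12)
        self.set_password(username, temp, must_change=True, actor=operator)
        return temp

    def login(self, username, password):
        # Returns "denied", "must_change" or "ok".
        if not self.verify(username, password):
            return "denied"
        return "must_change" if self.users[username]["must_change"] else "ok"

    def change_password(self, username, old, new):
        if not self.verify(username, old):
            return False
        self.set_password(username, new)   # clears must_change, logged as self
        return True
```

After a reset the audit trail shows the operator, not the user, as the actor, so a later access under the temporary password can still be attributed.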


tattoos

I recently ran into a friend of mine I hadn’t seen in a while. Among other things, I noticed she had a new tattoo. I honestly didn’t care for it much, and it made me want to say, “you do know that’s permanent, right?” But it also got me thinking what I would want, if anything, on my body.

So far, I don’t have anything, and don’t really have plans on putting anything there, either. But if I *had* to get something, it’d be the symbol for “double insulated”–used on electrical appliances and tools. It’s simple, technical, related to standards, and a pun of sorts. Hey man, it’s cool!


national city “points”

I finally figured out how the various bank/credit card company “point” systems work. Not the systems themselves, but how the companies economically justify continuing the programs. So most (all?) bank-branded point programs, such as National City’s “Points” system, are actually managed by a credit card company (e.g. Visa). That same company also handles the debiting of your bank account when you use your ATM card as a credit card. Pretty straightforward.

It’s also common knowledge that credit card companies such as Visa and MasterCard charge merchants a percent of the amount of charged transactions they accept. Probably something around 3 or 4 percent; the number is irrelevant. It’s also pretty common knowledge that more and more retail outlets are accepting debit cards. Not only does this give the customer an opportunity to get “cash back” (a convenience, especially with ATM transaction fees), but then the customer doesn’t have to sign a receipt. Handy.

Also notice that credit card companies are in the process of changing their “signing policy” to only require a signature on purchases over $25 (or some set amount). Clearly, this is to put credit card use on par usability-wise with debit cards. Easier in fact–there’s no PIN with a credit card, as there is with a debit card.

Okay, that’s all fine, but where am I going with this? Where does the point system come in? It’s a tool for the credit card companies to “incentivize” you to hit “credit” instead of “debit” (which is the default choice, mind you) when you swipe your combo debit/credit ATM card at a POS. Why? Because if you don’t, the credit card companies don’t get a processing fee. The credit card companies figure if you think you’re getting something for every dollar you spend, you’re more likely to “remember” to hit “credit”, as you are told when you enroll in the points program.

If you’ve actually looked at the “rewards” in these point systems, they can be pretty lame. Usually pretty cheap, too, given the amount you have to spend to get them. But remember they are giving these out to millions of cardholders, and that adds up quickly. That should prove to you how much money they really make from processing fees… the same fees they can keep raising with the explanation, “fraud is higher due to Internet transactions” or the like.

Credit cards: now there’s a racket–on so many levels, too.


cisco voip phones

I’m not sure if I’m the only one who finds this funny, but Cisco’s VoIP phones (at least the ones in Banff), say “Are you there?” instead of ringing. I’m not sure if this is a coincidence or intentional, but I read somewhere that “Are you there?” was a common way to answer phones in Victorian days. Along with, “What is wanted?” or “Ahoy, hoy!” But why is Cisco trying to bring those back? What’s wrong with a regular ring?

