nope, apple doesn’t learn

Well, I answered my own question: Apple *does not* learn. The update: Apple sent out my machine for repair to address the screen issue and to repair some cosmetic damage for free, in exchange for my time and trouble with the machine thus far.

Today, I tracked the status of my repair with Apple’s repair status page, and noticed my machine was delivered at ~10 AM to the Apple Store. I went there at ~1:30 PM, and asked if I could pick it up. The person at the Apple store said they hadn’t unpacked it yet, and that they would call me when it’s ready. “Probably today, maybe tomorrow”. I told them it had to be today.

I went home, and just as I was walking up the stairs, I get a call. The machine is ready. I could have waited in the store if I had known they would be that quick, but I dutifully went back to pick it up–I want my computer back!

When I finally got it back, (to my horror) I found they replaced the logic board. For the second time. No joke. And, to top it off, they didn’t repair any of the cosmetic damage, as John and I agreed. WTF Apple?

Apple has now agreed to give me a new machine. But seriously, did it have to be this painful? What’s going on at Apple? Will they learn from *this* experience? Maybe the price of the new laptop will open their ears… I doubt it.


is apple a “learning organization”?

This past holiday, I’ve been computer-less: my (first generation) MacBook Pro has been in for repair at Apple, making this repair #5 for the machine. My experience this time around started at the “genius bar”, and that experience left much to be desired. After being passed around a few times, the staff finally took in my machine only to call me two days later asking if they could send it out for repair. This delay, along with the holiday, created a situation where my machine was out of my hands for about a full week. But that’s not all…

When I finally received the machine back, I found that only the “logic board” was replaced–even though my screen (or its cabling) was the defective component. I thought they knew what they were doing, and proceeded to use the machine hoping never to see the screen problem crop up again. Well, sure enough–it came back. Exactly as before.

I took the machine back to the Apple Store, and they said the same thing the first two “geniuses” did: it was probably a display cabling issue. “Why wasn’t the display cable replaced, then?” I asked. They couldn’t be sure; the repairs are done in Texas at the “depot”.

My machine has been anything but reliable, with multiple independent components failing. Obviously, the machine (and the plant it was made in) has quality problems–especially with ribbon cables. I asked what they could do for me to ensure this was one of the last times I showed up here for repairs. They told me, until my machine kept coming in for the same issue, nothing; I’d be sent out for repair this time (free of charge, “of course”), but no new machine for me. The “genius” even had the audacity to tell me, “this type of thing is to be expected with first generation products”. Gee, thanks. I didn’t know the “geniuses” served as gatekeepers for Apple repair service. I thought they were my advocate? I did pay for AppleCare, right?

I balked, and asked to speak to John, the manager at Apple Store Shadyside. He was really understanding, and listened to me politely, and then agreed to fix some cosmetic damage on my machine free of charge (a $500 value) in exchange for my time and trouble. By now I’ve literally gotten a new machine piece by piece, but why Apple couldn’t just cut their losses, and please me as a customer the first time, by replacing the defective machine, I’m not sure.

I think the real mark of a good organization, however, is to find out if they “learn”. Standards that indicate a “learning organization” come in many forms: the Capability Maturity Model (CMM) from CMU, ISO’s 9000 series standards and others. Essentially I want to know, if somebody comes in with the same issue as me, will Apple take what they found out from my machine and apply it to that case?

If somebody comes in with a machine that turns off randomly, will they check the battery cable instead of making the customer come back multiple times for diagnosis (as they did with me)? Will Apple change their store policies to ensure machines don’t stay in the store for two days to be “rediagnosed”, only to eventually be sent out for a non-relevant repair? Is it typical for Apple to replace non-relevant parts? Are these repairs even tracked?

I’m not sure if Apple has any internal knowledge sharing system or analysis procedures, but if there are any Apple techs reading this, please chime in with some answers. Is Apple a “learning organization?”


vacuum showdown: trash dyson vs. the sharp

A few weeks ago, Alex and I found a Dyson DC-07 in the trash in Squirrel Hill. We, of course, picked it up–it’s a $400 vacuum! It smelled rather musty, and it was caked with mud in a few places; it was also missing the footplate, the hose on the bottom, and the attachments. But it started–and it sucked. So far, so good, I thought.

I took it completely apart (you need a Torx driver to do so), soaked any plastic pieces I could in vinegar water and wiped the rest with the same. I ordered the two replacement parts for ~$30, and put the thing back together. It ran! Sure enough, the canister filled with hair and dirt as I moved it around the floor. What do you know? Resurrected from the trash to achieve vacuuming greatness once again…

But one question remained: is the Dyson really better than any other “standard” vacuum? Consumer Reports says “no.” But I wanted to try a simple experiment myself. If I vacuum the floor with my regular vacuum, a Sharp “Twin Power” vacuum, and then vacuum with the “much better” Dyson, will I get a significant amount of additional dirt that the Sharp missed?

The results: not really. The Dyson did pick up an additional amount of hair, but I’m not sure it’s enough to warrant spending $400. Consumer Reports says to buy a Kenmore–it’s the best value for the money, according to them. Frankly, I was appalled at how flimsy the Dyson was. Everything on it is plastic. For $400, I wanted to see at least some cheap metal. On top of that, it has *stickers* on it for various notices/warnings. Stickers? Come on, Dyson. I thought the construction left much to be desired. The only innovation I see on the Dyson is the clear dust bin. It’s surely been imitated by every other manufacturer, and it gives you the thought of, “Wow, that was in my carpet?” Previous vacuums assumed you didn’t want to see the dirt, and hid it in a disposable bag. Props to Dyson for figuring out that a clear dust bin sells millions of vacuums.

Back to the test: look at the pictures for yourself, then look at YouTube and Google for others who debate the matter. If it doesn’t help you buy a better vacuum, at least it’s good for a laugh…


openlayers

This past weekend, I created a map of one of the sensor rides I made this past summer. The tool I used was OpenLayers, a full WMS mapping client written in JavaScript(!). Let me repeat that: the whole thing is written in JavaScript–there are no server dependencies, besides the WMS servers. It’s really amazing, actually.

I started creating my map by modifying an example I found on the OpenLayers site. It had a reference to TIGER data already in it, so I could see the streets of Pittsburgh. TIGER data is the stuff from the Census Bureau. It’s free, since it’s US Government created, but it’s also horribly out of date–Three Rivers Stadium is still in there; it was demolished in February of 2001. Many streets were also labeled incorrectly.

I continued by adding a layer from Pennsylvania’s PAMAP program; satellite imagery that is much more current. I found this data through PASDA, an excellent resource for Pennsylvania spatial data, by the way. Kudos to Pennsylvania for releasing this imagery (I guess they have to?)–it’s “Google Maps quality” (i.e. the high-resolution stuff you used to pay big money for), but free of watermarks and free to access via WMS. They even have the entire state covered.

One caveat I ran into while adding the data to my OpenLayers map was finding the “layer name”. I didn’t specify this correctly at first, and instead of satellite tiles, I got a stretched image that said “bad layer name” or some such thing. The solution was to get the WMS metadata and look at it to find the layer name. In my case, the WMS service was at this URL, so I needed to request this URL (note the extra parameters at the end), and look at the resulting XML for the “Layer” elements. In each of those there is a name attribute–that is the name you need to use when initializing the WMS object. Considering all this, my call to the constructor ended up being (all one line):

var wms_pamap = new OpenLayers.Layer.WMS("PAMAP High-Res Imagery", "http://maps.pasda.psu.edu/wmsconnector/com.esri.wms.Esrimap?Servicename=PAMAP_AerialPhotography", {layers: '2545811822'}, {numZoomLevels: 16});

Getting the satellite data on there, I had a pretty full-featured map. Next was to add the path of my ride. I had this in KML already, since I had previously visualized this data in Google Earth. I added the layer with OpenLayers’ KML support, but I found a problem–a bug in OpenLayers prevented KML data from displaying correctly when the files were large. The issue had been partially addressed by somebody else–I finished the job, and submitted a patch (still needs unit tests).

I finished up the map by writing a simple JavaScript function to take data from a static data structure I hand-populated, and create markers from them on the map. Each marker annotated a point where I saw a spike in the recorded gas or noise levels along my ride.

The final map’s files are available here for you to download and see. In the end, I think the map came out nicely–given more time and more familiarity with the framework, I hope to make the line representing my ride vary in color or size to indicate the level of gas or noise present there. But it’s a prototype.

The promise of OpenLayers seems really great–a portable, open source, client-side, web-based spatial data viewer. Given the increasing popularity of spatial data and mapping in general, I think this will be very useful for those wishing to provide or collect data to/from the public. You could use Google Maps to do this, yes, but who knows when Google might start putting strategic ads on your maps? Besides, it’s Google. Don’t they control enough information already?

The only caveats with OpenLayers I ran into were the complexity of OpenLayers and its API (it’s *really* full-featured), and the variability in the quality of WMS servers. OpenLayers delivers on its end of the bargain–it visualizes data available through a WMS. Unfortunately, however, WMS servers have no such uniform code of good behavior. The PAMAP data, for instance, kept going in and out on a Friday night. Perhaps I was accessing it during the server’s maintenance window? I also tried to add a layer of projected ozone concentrations from the NOAA, but that WMS didn’t respond at all. This sort of issue brings up an important caveat in the age of distributed computing: differences in the availability of resources, bandwidth and care taken when managing the machines that serve you imply risk if you begin to rely upon them for your operations. At least Google has an incentive (a financial one) to keep their machines running; the state of Pennsylvania? Well, I don’t know… they do try, I guess.


bad security

I think the letter copied below explains the situation better than I can repeat it here, but during a recent interaction with UPMC Health Systems, I was surprised to find a lack of good security practice. How many more security breaches or information leaks need to happen before somebody starts auditing these systems for security issues?

Edward McCallister
UPMC Health Systems
200 Lothrop Street
Forbes Tower, Suite 10072
Pittsburgh, PA 15213

Dear Mr. McCallister,

I’m writing you as an information security professional because, during a recent interaction with your organization, I encountered behavior that could possibly lead to a breach of confidentiality.

Recently, I had trouble logging into the “MyHealth” portal to complete the necessary steps to receive my “Health Reward” offered through the University of Pittsburgh (where I work) and UPMC. I called the help desk, and was told that my account was locked. The operator (who was very nice, by the way) then confirmed my password with me. By confirming my password, I mean she read what I had originally entered as a password back to me over the telephone.

What is troubling is that she (or anybody) has access to my plain text password. This is not standard industry procedure. In this circumstance, operators can typically reset passwords to something known; the end-user is then usually forced to change passwords upon login. My point is that telephone operators (and anybody else) cannot see what the password is currently set to. This type of handling of passwords is even reflected in many operating systems’ password entry fields; the fields show asterisks instead of the actual characters as you type into them.

What makes this particular problem worth your attention? Passwords are usually authentication tokens tied to individual people; only I know my password. Administrators, for instance, may have access to my data under their own “administrator” credentials (accesses that are probably logged with their username for auditing purposes), but with the system as you currently have it set up, anybody can pose as what the system thinks is (and therefore logs as) “me”. It would be impossible for anybody to prove who “me” really was; it could be anyone that knows (or can find out) my password—me, any telephone operator or a system administrator.

What makes this even more dangerous? If a malicious individual were to gain access to your database, he or she could potentially have a list of plain text passwords. This would make it trivial for them to log in using any of the compromised credentials, without the difficulty of having to “crack” a hashed password.

I take the confidentiality of my health information seriously and, as a steward of health information, I’m sure UPMC does, too. Part of enterprise security processes (and auditing), as I know from my education, is knowing who accesses what information when (and perhaps from where). Your system has security lapses of a type that prevent a reliable “mapping” of accesses back to the who I describe (assuming your system is secure otherwise).

I hope that you find time to discuss this issue with your information security team, and at least let me know that you received this letter and are working on resolving the issue.

Sincerely yours,

Jeffrey Maki
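
The reset-instead-of-read-back handling the letter describes, as an added example that is not part of the original post or of any UPMC system: a hypothetical `AccountStore` (its names, the sample users and the scrypt cost parameters are all assumptions) keeps only a salt and a salted hash, so the help desk can issue a temporary password, and that reset is logged under the operator's own name, but nobody can read the current password back.

```python
import hashlib
import hmac
import secrets

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # assumed cost parameters

class AccountStore:
    """Hypothetical credential store: keeps a salt and a hash, never the password."""

    def __init__(self):
        self.records = {}  # username -> {"salt", "hash", "must_change"}
        self.audit = []    # (actor, action, username)

    def _put(self, user, password, must_change):
        salt = secrets.token_bytes(16)  # fresh per-credential salt
        digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
        self.records[user] = {"salt": salt, "hash": digest, "must_change": must_change}

    def register(self, user, password):
        self._put(user, password, must_change=False)
        self.audit.append((user, "register", user))

    def verify(self, user, password):
        rec = self.records.get(user)
        if rec is None:
            return False
        candidate = hashlib.scrypt(password.encode(), salt=rec["salt"], **SCRYPT)
        return hmac.compare_digest(candidate, rec["hash"])  # constant-time compare

    def operator_view(self, user):
        """What a help-desk screen can show: no stored field holds the password."""
        return {"user": user, "must_change": self.records[user]["must_change"]}

    def operator_reset(self, operator, user):
        """Replace the credential with a random temporary one, logged under the operator."""
        temp = secrets.token_urlsafe(12)
        self._put(user, temp, must_change=True)  # user must pick a new one at next login
        self.audit.append((operator, "reset", user))
        return temp

    def change_password(self, user, old, new):
        if not self.verify(user, old):
            return False
        self._put(user, new, must_change=False)
        self.audit.append((user, "change", user))
        return True
```
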

