Monday, November 26, 2012

More Silly UX

Searching for "Humphrys Entwistle interview" (OK, full disclosure.  I actually searched for "Humphreys ...") to see one of the BBC's own interviewers "shred" its director general on air, I ran across this page from the Grauniad.  It's a fine example of why web pages should not try to re-invent features, in this case displaying text, that are already widely implemented.

The text transcript of the interview, set in a typewriter font presumably so you can pretend that the Grauniad's staff of crack transcribers just typed it up fresh for you, was a little small for me to read comfortably.  Not to worry, though.  There's a zoom slider.

Slide the slider and the whole document gets bigger within the fixed-sized window on the page.  On the plus side, the text is now easily legible.  On the not-so-much side, half of it is now hidden.  Not to worry, though.  There's a horizontal scroll bar so you can scoot back and forth for every single line in order to read what's there.

Sorry, no, thanks.  Life is too short for horizontal scroll bars on text.  You'd think an organization with its roots in printing text in narrow, readable columns would get that.  I can't think of any situations where, if the idea is just to get the content of the text across, the right answer is anything other than formatting it into whatever column is available.  If the reader wants larger text, then make the words bigger and wrap the text -- like you would anyway -- with fewer words per line.

Or you could spend a fair bit of effort implementing a clever-looking but near-useless solution to a simple non-problem.

Wednesday, November 14, 2012

Getting Smart with email

It appears that two participants in a prominent scandal -- if you're reading this now, you know which one, and if you're reading this later, it won't really matter -- tried to cover their email tracks by not actually sending email at all.  Instead, they shared an email account and would write messages but save them to the Drafts folder for the other to read.

I'm a bit unclear on how this helps significantly, particularly since it doesn't seem to have worked all that well in this case.

The act of sending email itself is reasonably secure.  If you and your recipient are both using one of the major providers (the same provider, that is), then sending email just means copying some bits, if that.  Nothing need go out over the public internet.  Likewise, reading that email just means logging in and viewing it.  You are using HTTPS, aren't you? Probably, even if you don't know it, but it's worth checking your email settings just in case.

If you're up to no good and storing email on an unencrypted local drive, you deserve to lose.

So it really comes down to how many passwords you would have to crack to get at the messages.  Consider two scenarios:

  1. Alice and Bob have separate accounts with MyEmail.com, which supports two-factor authentication.  That means that it's not enough just to know the password.  When you log in, you give not just the password, but a magic number from a text message sent to your phone, or from some other kind of device that produces single-use magic numbers.
  2. Alice and Bob share a TOP SEEKRIT "drop box" account with just a password.
In scenario 2, if I can crack that one password, I can see the whole correspondence, so long as I think to check the Drafts folder.  Alice and Bob basically have a password plus a bit of security through obscurity, otherwise known as "no additional security".

In scenario 1, I have two passwords to try to guess, which means two chances at success instead of one.  So far, so good. I crack one of the passwords and log in.  The login screen then says "enter the magic number we just sent to your phone".  Oops.  Not only do I not have the magic number to log in with, Alice (or Bob, as the case may be) now knows that someone is trying to log in.

I suppose it would be possible for Alice could set her phone to forward magic number messages to Bob (or vice versa, but not both!) and use two-factor authentication that way, assuming no one will ask why Bob is getting strange texts with random numbers in them for no apparent reason.  I'd then have to crack the shared password and steal a phone, more or less what I'd have to do in scenario 1, except instead of having a choice of passwords to crack, I have a choice of phones to steal.

Note that some two-factor authentication schemes use a cryptocard or something similar as a second factor.  That would make sharing the account physically impossible, unless Alice and Bob are in the same room, in which case the Cone of Silence is probably the better option.

All bets are off if The Man is able to force MyEmail.com to give up access to the account, but that applies equally well in either scenario.

Tuesday, November 13, 2012

How to tell the web has really, truly woven itself into our lives

The cashier at the pizza place today had tattooed on her wrists:

<love>
</hate>

It hardly seems fair to point out that that's not valid XML (or HTML).