Archive for the ‘Random Ramblings’ Category

Kubra / BC Hydro – How NOT to Do Online Payments

Monday, June 18th, 2012

Kudos to Kubra and BC Hydro – they fixed this problem within 8 hours of receiving my report and are reviewing some of their practices as well. If you’re a BC Hydro customer and have made online payments in the past, you still need to make sure to clean any of the old URLs out of your browser history.

Notice anything disconcerting about this URL?

https://secure3.i-doxs.net/BCHydro/OneTime_PayProcess.asp?PaymentDate=6%2F6%2F2012&AccountNumber=1234567&InvoiceNumber=&PayAmount=38.05&Description=&CustomerEmail=jon%40email.net&CustomerName=Jon+Gotow&PaymentType=CC&State=&ConvenienceFee=2&CCCardName=VISA&CCHolderName=Jon+Gotow&CCNumber=4123456789012345&CCCVV2=123&CCMonth=1&CCYear=15&AVSname=&AVSphone=&AVSaddress1=&AVSaddress2=&AVScity=&AVSstate=&AVSzip=

I found it in my browser history after making an online payment for a BC Hydro electricity bill. And yes, you’re not mistaken. That URL has my account number, name, email address, credit card number, credit card expiration date and CVV number all embedded in it. (Yes, I did change them before blogging about this 🙂)

Really?

Honestly, this has got to be one of the biggest, dumbest security mistakes I’ve seen in ages. I mean, really? Just toss all my credit card information into my browser history in clear text? Then let Google, Apple, or Mozilla sync it to all my devices and to the Cloud – so anyone can access it anywhere – brilliant!

What’s more, clicking on that URL submits another payment directly to their system. Go ahead – click on it! You know you want to! If the numbers were still correct, you’d rack up hundreds of dollars in charges to my credit card with just a few clicks of your mouse. How do I know? Because I mistakenly did that.

The Bottom Line

Kubra, the company behind this ridiculous little payment gateway, was absolutely no help when I called. They can’t refund the payments, including their own $2 “convenience fee” – they told me to dispute the charges with my credit card company instead. And when I asked them to address the underlying security flaw, they said they couldn’t do anything without a request from BC Hydro. So I’ve contacted BC Hydro through their web site. If you’re a BC Hydro customer, I encourage you to complain to them too – and NOT pay your power bill online until they get this resolved.

And if you’ve paid a bill via Kubra in the past, go check your browser history and see if your credit card or bank information is conveniently stored there for you (and everyone else). If it is, it might be a good idea to delete it 😉

That’s Cool! How Do I Get an URL Like That?

If you’ve got a BC Hydro account, you can see this for yourself. Go to http://www.bchydro.com/ and log into your account. Click on “Ways to Pay,” then “Online banking or credit card payment,” then “Kubra” as shown below.

You’ll get a data entry screen like this. Just fill in your credit card data, click “Submit”, and then confirm your payment on the next page. Then copy the URL in your browser’s address bar or from your browser history. There you go!

* Unfortunately, you do have to enter valid credit card and account information into this window to get back a valid URL. Otherwise you just get an URL filled with error message information – not nearly as fun.

Update #1

I just got a call from BC Hydro – kudos to them for moving so quickly! It’s been a mere few hours since they read the email I sent them over the weekend and they’re already moving on it.

Update #2

Impressive! Kubra just called and they’ve plugged the hole on their end (it looks like they switched from HTTP GET requests to HTTP POST) so the data no longer ends up in the URL. They’re also refunding the erroneous charges caused by me going to those URLs in the first place.

So the problem is fixed! The only issue that remains: If you’re a BCHydro customer and have paid your bill online in the past, search your browser history for “BCHydro” and delete any history items that match. (That’s something that you have to fix – BCHydro and Kubra can’t erase data that’s already on your computer).
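An added example (not Kubra’s or BC Hydro’s code) that models the two defects described above, card data carried in a GET query string and a history entry that re-submits the payment, next to a hypothetical hardened endpoint that refuses both. The sample URL is a constructed cut-down of the altered one quoted in the post.

```python
from urllib.parse import urlsplit, parse_qs
import secrets

# Constructed sample, cut down from the (already altered) URL quoted in the post.
LEAKY_URL = ("https://secure3.i-doxs.net/BCHydro/OneTime_PayProcess.asp"
             "?PaymentDate=6%2F6%2F2012&AccountNumber=1234567&PayAmount=38.05"
             "&CustomerEmail=jon%40email.net&CCNumber=4123456789012345"
             "&CCCVV2=123&CCMonth=1&CCYear=15")
CLEAN_URL = "https://secure3.i-doxs.net/BCHydro/OneTime_PayProcess.asp"

# Fields that must never ride in a query string: browsers keep the URL in
# history and sync it, and web servers, proxies and Referer headers log it.
SENSITIVE_PARAMS = {"CCNumber", "CCCVV2", "CCMonth", "CCYear", "CCHolderName",
                    "AccountNumber", "CustomerEmail"}

def sensitive_params_in_url(url):
    """Sorted names of sensitive parameters present in the URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name in SENSITIVE_PARAMS)

class PaymentEndpoint:
    """Hypothetical hardened pay-process step: POST only, card data in the
    body, and a single-use token so re-sending the request cannot charge twice."""

    def __init__(self):
        self.charges = []          # accepted payments as (amount, last four digits)
        self._open_tokens = set()  # tokens issued to the confirmation page

    def issue_token(self):
        """Called when rendering the confirmation page; embedded as a hidden field."""
        token = secrets.token_urlsafe(16)
        self._open_tokens.add(token)
        return token

    def handle(self, method, url, form):
        """Process one request; form is the parsed POST body. Returns (status, reason)."""
        if method != "POST":
            return 405, "payment must be submitted with POST"
        leaked = sensitive_params_in_url(url)
        if leaked:  # reject, and report the names only, never the values
            return 400, "sensitive fields in query string: " + ", ".join(leaked)
        token = form.get("PaymentToken")
        if token not in self._open_tokens:
            return 409, "missing or already-used payment token"
        self._open_tokens.discard(token)  # consumed: a replay now fails
        self.charges.append((form["PayAmount"], form["CCNumber"][-4:]))
        return 200, "charged"

if __name__ == "__main__":
    ep = PaymentEndpoint()
    # What clicking the history entry does against the hardened endpoint
    print(sensitive_params_in_url(LEAKY_URL), ep.handle("GET", LEAKY_URL, {}))
```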

Get your permissions right!

Wednesday, March 30th, 2011

Thought I’d post about this little developer experience because it was incredibly frustrating and not at all obvious. Maybe this will save someone else the headache that I’ve been through.

Background: When preparing an application for release on the Mac App Store, you code sign your application, then bundle it into an installer pkg which is also code signed (using either Xcode organizer or the productbuild command line tool). When the application is installed, it gets extracted from that .pkg file, the user runs it, and it checks for a Mac App Store receipt. If there’s no receipt, OS X checks to make sure that the application is signed correctly, then contacts the Mac App Store to get your receipt.

Problem: This would all work for me as advertised except that when the receipt check failed, OS X would complain that my application wasn’t code signed, and therefore wouldn’t contact the App Store to get the receipt. From a user’s perspective, the app would just fail to launch.

I’d followed all the instructions. I double- and triple-checked to make sure the application was signed before I built the .pkg file. I tried building the .pkg using both the Xcode organizer and productbuild – they both worked with no problems or error messages. Yet when the application came out of the .pkg file on the other end, it was always unsigned! I deleted all of my certificates, regenerated them, and redownloaded them from Apple’s developer site (several times). I checked every step along the way in my build process – they were all working. It was incredibly frustrating because the signed app went into the ‘black box’ of the .pkg file just fine, but came out on the other end without its code signature.

Solution: After tearing my hair out for a while, googling for answers, and checking the developer forums, I finally tracked down the solution. I had a single image file in my application’s resources that had its permissions set to 640 instead of 644, meaning that it was not readable by everyone. That threw the entire game off – apparently when the installer unpacked the .pkg file, it ran into this problem file and either stopped short of installing the code signature, or invalidated the signature. Either way, the application it installed was useless. Simply changing the permissions on that one tiff file fixed the problem I’d been fighting with for days.

Soooo….  If your app builds and runs fine UNTIL you package it, and then comes out unsigned on the other end, check the permissions on the resources in your application.  And Apple, please emit some kind of warning when hapless developers feed productbuild a file with the wrong permissions that’s gonna screw up the whole process.
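An added pre-packaging check (not from the post, from Apple’s tooling, or from Cong) that lists, and optionally fixes, anything in an app bundle that is not world-readable, the condition described above; the bundle path and the 644/755 target modes are assumptions.

```bash
#!/bin/sh
# Added example: find files in an .app bundle that would come out of a
# signed .pkg with a broken signature because they are not world-readable.
# Usage: sh check_bundle_perms.sh /path/to/MyApp.app   (path is assumed)

# Print every file under $1 missing the other-read bit (e.g. mode 640),
# and every directory missing other-read or other-search (needed to traverse).
find_unreadable() {
    find "$1" -type f ! -perm -004 -print
    find "$1" -type d ! -perm -005 -print
}

# Repair in place: 644 for files, 755 for directories.
fix_unreadable() {
    find "$1" -type f ! -perm -004 -exec chmod 644 {} +
    find "$1" -type d ! -perm -005 -exec chmod 755 {} +
}

# Return 0 when the bundle is clean, 1 when productbuild would get a bad file.
check_bundle() {
    bad=$(find_unreadable "$1")
    if [ -n "$bad" ]; then
        printf 'Not world-readable (fix before packaging):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

if [ -n "$1" ]; then
    check_bundle "$1" && echo "OK: $1 is ready to package"
    # On a Mac, also confirm the signature itself before building the .pkg
    command -v codesign >/dev/null 2>&1 && codesign --verify --verbose "$1"
fi
```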

Tip: There’s a really cool developer utility called Cong, written by Stephane Sudre.  It checks your application for all kinds of minor errors, from localization goofs in .strings files to incorrect Info.plist entries to missing files in your package.  I’ve contacted Stephane and checking file permissions is now on his To-Do list for Cong.  If you’re a developer, get a copy of Cong – a simple drag-and-drop could save you a lot of time and trouble!

Replacing Apple Downloads with the Mac App Store

Tuesday, December 21st, 2010

Apple has long had Apple Downloads, a section of Apple.com that lists third-party software.  It’s been a popular place for users to browse and sample the wealth of Mac software available from both large and small developers, including St. Clair Software. We get a significant amount of web traffic from Apple Downloads.

I recently received an email from Ron Okamoto, Vice President of Worldwide Developer Relations at Apple, notifying developers that Apple Downloads will be going away, replaced by the new Mac App Store. Because both Default Folder X and App Tamer do not meet the Mac App Store guidelines, this is a big cause of concern for us. We’ll lose a lot of customer visibility, and won’t be able to replace it by putting our apps in the Mac App Store.

I wrote Ron this reply:

Thanks for your notification – I can’t say that I’m surprised as Apple’s support for the Downloads section of Apple.com has been waning for quite a while. I fully expected Apple Downloads to just go away without even getting a notification, so I applaud your professionalism in actually letting us know.

As a long-time Apple developer (I’ve been doing this since 1988) I’ve become accustomed to changes in direction, forced rewrites as Apple has adopted or invented new technologies, and sometimes capricious decision making on Apple’s part. As in the past, I’ll deal with what comes my way and work to keep my business healthy, but shutting down a primary traffic source for our web site is going to make things quite a bit more difficult.

In your letter, you say “the Mac App Store will be the best destination for users to discover, purchase, and download your apps,” but that doesn’t apply to my two best-selling applications, nor to those of many other developers. The guidelines put in place for the Mac App Store disqualify Default Folder X and App Tamer from inclusion in the App Store, despite their popularity and utility. I’m left to reinvent my products and company (again) as they don’t fit Apple’s vision of what a Mac application should be. There are numerous developers in my position. We make useful – some would say essential – products that users will now have a more difficult time finding as Apple drives customers and market focus to the Mac App Store.

For small developers with applications that don’t fit the guidelines, is there some avenue that we can pursue for getting exposure on the new Mac App Store? Some kind of advertising / comarketing that we can participate in to get into an “other great apps” section where users can at least see that our products are available? If such an “Apple Downloads for the App Store” were an option, I certainly wouldn’t argue with giving Apple a percentage in return for what I anticipate will be a lot of traffic.

I’m running a business, and I understand that you’re running yours. I know that you need to have restrictions for apps in the Mac App Store in order to ensure that users have a seamless, trouble-free experience and I respect that. It’s what will ultimately make it a big success. But as a developer of applications that won’t be allowed in the store, I’d like to see alternatives that would let me focus on keeping those applications alive and vibrant.

Thanks
– Jon Gotow, President, St. Clair Software
Quick follow-up: It looks like I need to address a few questions based on the tweets I’ve been getting:

Default Folder X and App Tamer aren’t going away – this affects how much time we spend developing vs. marketing. The more we have to work at getting users to see our products the less time we have to develop them.

Why can’t Default Folder X and App Tamer be in the App Store? In the Mac App Store guidelines, Default Folder X fails to meet item 2.15 (it installs a Scripting Addition) and may also violate item 6.5, since it creates floating windows around file dialogs that could be construed as “changing native user interface elements.” App Tamer violates 2.27 because it asks for your admin password (and needs to).

Indie+Relief: Help Haiti AND Get Great Software

Wednesday, January 20th, 2010

The earthquake in Haiti has nearly destroyed what was already a fragile country. Please join us in assisting in the relief effort.

On Wednesday, January 20 St. Clair Software and 100+ other developers are donating all sales to help provide medical care and supplies for Haitian earthquake victims. Please visit the Indie+Relief web site and purchase any products you need, think you might need or have even considered buying. All revenue will be donated to charities that benefit Haitian earthquake relief.

Even if you don’t purchase anything, donate to the charity of your choice.  Skip that latte and send water to people that desperately need it.  Skip that dessert and provide food or medicine. Or keep your lifestyle exactly the same and just donate a few dollars – it all adds up.  If you’re unsure which charity to give to, visit Charity Navigator, which breaks down the benefits (and costs incurred) for most major charitable organizations.

Default Folder X 4.3 Is Available!

Monday, August 17th, 2009

Default Folder X 4.3 sports Snow Leopard compatibility and a number of other enhancements and fixes.  You can get it from the Default Folder X release page.

IMPORTANT: There’s a bug in older versions of Default Folder X that can cause crashes while you’re using the hierarchical path menu if you’re running Mac OS 10.6.  Make sure to install this update before you upgrade to Snow Leopard!

And now that we’ve got that dire warning out of the way, there are a couple of geeky little additions in this release that I’m partial to:

  • You can globally set a minimum file dialog size and column width. Use these commands in terminal to set the values:

    defaults write com.stclairsoft.DefaultFolderX minimumSize.width 800

    defaults write com.stclairsoft.DefaultFolderX minimumSize.height 600

    defaults write com.stclairsoft.DefaultFolderX minimumSize.columnWidth 250

    Change the numbers at the end of the commands to the sizes you want to use (in pixels).

  • You can list items in hierarchical menus chronologically rather than alphabetically by holding down the Control key.

Take a look at the release page for details about all of the changes.

BikeTown Africa Spin-a-thon

Friday, March 27th, 2009


And now for something completely different…

Some of you may already know that I’m an avid mountain biker – I have almost as many bikes as I do Macintoshes (which is a little scary).  Well, the gym I belong to is sponsoring a spin-a-thon to support the BikeTown Africa Project.  On Sunday, we’ll have a gym full of people pedaling like mad on stationary bikes for four hours to raise awareness and money for BikeTown Africa.

What’s BikeTown Africa?

Founded in 2005 by the Kona Bicycle Co., the Bristol Myers-Squibb Secure the Future Foundation, and Bicycling Magazine, the BikeTown Africa Project provides new, well-built, low-maintenance Kona AfricaBikes to home health care workers in sub-Saharan Africa to facilitate the treatment of HIV/AIDS patients.  Just $100 covers the cost of donating one bike, including training its user on maintenance and repair.  Using a bike, a health care worker can visit eight or more patients per day instead of one!

What can you do?

The Weight Club and Virginia Tech University Honors are holding the spin-a-thon on Sunday.  I’m participating and raising money from sponsors because I think this is a very worthwhile cause – it’s putting long-term, practical resources on the ground to help combat a huge health issue.

I’ve set up a page so you can sponsor me for the spin-a-thon here:

http://store.eSellerate.net/stclairsoft/biketown

You can give as little as $5, or as much as you want in $5 increments by buying more than one of the ‘donations’.  I’m personally covering the payment processing cost, so your entire donation will be given to the BikeTown Africa Project.  The spin-a-thon is this Sunday, so please make your donation before noon on Sunday.

Update: Well, the spin-a-thon is over (hence the crossed out donation link) but thanks to readers here and to the dedication of a lot of folks at the Weight Club and VT University Honors, we raised $7440 for BikeTown Africa!  Thank you!!

– Jon

Mathomatic for iPhone

Friday, January 23rd, 2009


Yes, I’ve been a negligent father – I didn’t blog about Ben’s release of Mathomatic for iPhone.  It’s a very cool port of Mathomatic, an open source symbolic algebra engine that’s been around on the desktop for quite a while.  Ben’s integrated it into a very slick package, and the equation formatting and display is really top notch.

Yeah, it’s pretty geeky, but I have to say it’s also VERY cool!  Whether you’re doing homework, simplifying some equations for use in your own development work, or just want to be amazed at what you can do on an iPhone these days, it’s worth playing with – check it out!

NetSketch 1.0.1

Wednesday, July 23rd, 2008

Yes, my son is now officially kicking his dad’s butt on the iPhone side of the business.  Ben had NetSketch ready at the launch of the app store, and even as an impartial observer (as much as I can be, anyway), it’s an impressive piece of software.

NetSketch brings collaborative drawing to the iPhone and iPod Touch.  You can draw on the iPhone’s screen in full color and share your work with others over WiFi – pretty cool!  If you collaborate with your friends, everyone’s changes are shown in the drawing in real-time.  And NetSketch is vector-based and offers infinite pan and zoom – so it’s easy to add detail to your work and you never run out of room.

Here are some drawings made with NetSketch:


I have to say it’s darn nice for $5.99, and the networking capabilities really set it apart. I can see this taking over in classrooms and meeting rooms this fall 🙂

Take a look at http://www.netsketchapp.com/

Jon on MacJury

Thursday, June 5th, 2008

I had MacJury duty Tuesday on Chuck Joiner’s MacJury show, contributing to a discussion on stolen Macs and the hilarious Back to My Mac recovery of a stolen laptop. We also talked about Starbucks’ new WiFi rollout and speculated on their possible plans as a “media hub cafe”. Check out our random ramblings 🙂

MacFixit Marks Default Folder’s 20th Anniversary

Saturday, February 16th, 2008

Ted Landau at MacFixit has posted a column celebrating Default Folder’s 20th anniversary.  Ted’s a long-time Default Folder fan and one of the most knowledgeable guys around when it comes to troubleshooting Macs.  It was a real honor to get to sit down with him for a virtual interview 🙂  And embarrassingly, I hadn’t actually realized that this year marks Default Folder’s 20th anniversary until Ted actually asked me when the first version shipped.  We’ve gotta plan a party and a big sale or something!