Jun 04 2013
 

Not long ago, after a tiring business trip, I left my knitting bag with my Nexus 7″ tablet on the plane. I realised it was gone before my connecting flight left, and thanks to some helpful United Airlines people, got it back in time to make that flight home. I did have a few panicked minutes though, wondering where it was, whether someone had it, and what to do about the data on it. Since then I’ve implemented more security measures, especially when travelling.

Of course, the first thing to do is make sure there’s a PIN or pattern or other lock on the screen. I don’t usually bother with this at home, but when I travel I do.

Top of my list for the secondary layer, after the password for the entire device, are passcodes for both Dropbox and Evernote; I keep personal information in one and client information in the other. You can unlink a given device from Dropbox and revoke access to Evernote from another machine, but that won’t necessarily stop someone reading the information already on the device. Security or passcodes solve the idle curiosity problem, at least to some extent (this is a premium, i.e. pay-for feature on Evernote). Dropbox also gives you the option of two-factor authentication, and of course you can encrypt the files that you store.

For actual passwords and smaller items of information, I use LinkeSoft Secret!, although I may move away from it since it doesn’t sync the Android password store to the Mac. I’m paranoid enough that I don’t do online banking on my phone or tablet; I have my bank’s app on my phone but only to find the nearest location of a cash machine or branch.

I already have a PIN required for anyone to buy an app on the device; this also stops my daughter buying games or in-app purchases. (In the Google PlayStore, under Settings, it’s the ‘Use password to restrict purchases’ setting.)

I have Lookout installed, which has options to find your phone, then lock it, and even remotely wipe your phone’s data; fortunately I didn’t need to try it out but there is a certain peace of mind in knowing that nuclear option is available.

What all of these apps have in common is the assumption that you may have more than one device running Android, which is more than I can say for Google accounts. If you go into your account settings, security, manage access, you are confronted with something that looks like this:

Google access to sites and apps


which doesn’t give me any clues as to which of the many ‘revoke access’ buttons I should push to revoke access to a specific device. Surely Google could have figured out that some people might have more than one Android device, or more than one application or web site wanting access?

May 01 2013
 

I just bought something on the Canadian Lowes site and it struck me how much time and thought they obviously put into the UX. The item pages contained the usual recommended other items, reviews, etc, that you can see everywhere. It was the other information on the item page that caught my attention.

I found the item through online search, but it was easy, with obvious breadcrumbs, to find related items. The ‘shipping included’ was prominent but not overpowering (for a large item, I prefer it to be shipped to me but don’t want to pay a fortune for shipping). The page included links, near the ‘Add to Cart’ button, to both the shipping and return policies, and the estimated shipping date was easy to see, even before adding the item to the shopping cart.

The big changes that I noticed came next. Where so many shopping sites ask you to create an account, login, etc, this one simply re-configured the checkout workflow. After the usual steps (fill out shipping address, pay through paypal/credit cards) there were two things I noticed. First, the return page gave the option of adding another email address to have the notification sent there as well, suggesting I not close the page until the email notification arrived (which it did, promptly). And second, it was only after the transaction was completed that the site asked me if I wanted to add a password so I could track the status of the shipment. I can track the status using a link in the notification email but I added a password anyway. So now I also have a Lowes account, created with very little friction.

This seems a sensible time to encourage the site visitor to create an account. I’d already bought something, it’s quite likely I’ll buy other large items in the same way, and it didn’t take much time or decision-making. Kudos to Lowes for listening to their UX people.

Feb 06 2013
 

This goes into the ‘saves time’ category and is slightly too long to fit into 140 characters.

If you’re using XSLT on some XML file that has had a miscellaneous history and you see the error Illegal HTML character: decimal 146 (or something similar), don’t panic or break out your hex viewer to try to find the random character that’s causing the problem.

Get jEdit instead. Open the file in jEdit, and go to the menu Utilities -> Buffer Options. In the character encoding drop-down, choose Windows-1252. The error message(s) will point you right at the offending character(s). For added fun, repeat with ISO-8859-1 to flush out other odd characters that aren’t illegal, but may not show up correctly depending on your down-stream processing (ligatures, etc.). Then switch back to UTF-8 or whatever you need, save, and you’re done!

jEdit also has decent XML features if you install the plugins, an added bonus.
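The same hunt can be scripted. This is an added example, not part of the original post: it assumes the stray characters are Windows-1252 bytes that ended up as code points 128 to 159, either literally or as numeric character references such as `&#146;`. The function names and the sample input are constructed for illustration.

```python
import re

# Numeric character references, decimal (&#146;) or hexadecimal (&#x92;)
_NCR = re.compile(r"&#(?:[xX]([0-9A-Fa-f]+)|([0-9]+));")

def _cp1252(code):
    """Character that Windows-1252 assigns to this byte value, or None."""
    try:
        return bytes([code]).decode("cp1252")
    except UnicodeDecodeError:
        return None  # 0x81, 0x8D, 0x8F, 0x90 and 0x9D are unassigned

def _ncr_code(match):
    return int(match.group(1), 16) if match.group(1) else int(match.group(2))

def find_c1(text):
    """List (line, column, decimal code, likely intended character) for every
    C1 control character, literal or written as a character reference."""
    hits = []
    # split("\n") rather than splitlines(): the latter breaks lines on U+0085
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if 0x80 <= ord(ch) <= 0x9F:
                hits.append((lineno, col, ord(ch), _cp1252(ord(ch))))
        for m in _NCR.finditer(line):
            code = _ncr_code(m)
            if 0x80 <= code <= 0x9F:
                hits.append((lineno, m.start() + 1, code, _cp1252(code)))
    return sorted(hits, key=lambda h: h[:2])

def repair(text):
    """Replace each C1 character with its Windows-1252 meaning where one exists."""
    def fix_ncr(m):
        code = _ncr_code(m)
        ch = _cp1252(code) if 0x80 <= code <= 0x9F else None
        return ch if ch else m.group(0)
    text = _NCR.sub(fix_ncr, text)
    return "".join((_cp1252(ord(c)) or c) if 0x80 <= ord(c) <= 0x9F else c
                   for c in text)

# Constructed sample: Windows-1252 "smart quotes" read as if they were Latin-1
SAMPLE = b"<p>It\x92s a \x93test\x94 &#146; ok</p>\n<p>caf\xe9</p>\n".decode("latin-1")

if __name__ == "__main__":
    for line, col, code, intended in find_c1(SAMPLE):
        print(f"line {line}, col {col}: decimal {code}, probably {intended!r}")
```

Characters with no Windows-1252 meaning are reported with `None` and left untouched by `repair`, so they still need a manual look.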

Feb 05 2013
 

The latest Twitter password hack did affect me, but fortunately I had already switched to the one password per site philosophy. I store all my passwords in LinkeSoft’s Secret!, along with other information that I want to keep on my computer and on my phone in an encrypted form. I just wish the Mac version synced with Android.

One bright spot in the issue was the fact that I didn’t have to change anything in all my apps that use my twitter account, since they all have their own tokens, independent of my twitter password. OAuth is usually said to be good since you can revoke access for any application at any time; this was the first time it became obvious to me that the other advantage is that you can change your main password at any time without needing to update any other client. Can other applications that have web access and smartphone app access please take note?

OAuth is not necessarily the easiest of protocols to understand, or implement, but these days there are lots of libraries out there that do implement it. When I teach OAuth at the XML Summer School, I always recommend people use existing libraries if possible, to let others do the hard work of debugging all the little details. Another thing I recommend is to get the O’Reilly book “Getting Started with OAuth 2.0” (full disclosure: they sent me a review copy) to understand the concepts. You need to know about various types of tokens and credentials, and how they fit into the multi-layered authentication/authorization protocol dance for the different use cases. Once you have a decent understanding of the concepts, then go and read the actual specification for the details. The specification has lots of information in it, but it’s immensely easier to understand if you already know how the pieces fit together, and that’s where the O’Reilly book is well worth reading.
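The two properties described above (per-application revocation, and a password change that leaves client tokens alone) can be seen in a small model. This is an added example, not part of the original post and not an OAuth implementation: the `Account` class, its method names and the client names are hypothetical, and it models only the server-side bookkeeping of one password and one independent token per client.

```python
import hashlib
import hmac
import os
import secrets

class Account:
    """Hypothetical model: one owner password, one independent token per client."""

    def __init__(self, password):
        self._tokens = {}  # client name -> SHA-256 digest of that client's token
        self.change_password(password)

    def change_password(self, new_password):
        # Only the password record changes; issued tokens are not touched.
        self._salt = os.urandom(16)
        self._pw = hashlib.pbkdf2_hmac("sha256", new_password.encode(), self._salt, 100_000)

    def check_password(self, password):
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        return hmac.compare_digest(cand, self._pw)

    def authorize(self, client, password):
        """Owner approves a client once; the client keeps a token, never the password."""
        if not self.check_password(password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self._tokens[client] = hashlib.sha256(token.encode()).digest()
        return token

    def token_valid(self, client, token):
        stored = self._tokens.get(client)
        digest = hashlib.sha256(token.encode()).digest()
        return stored is not None and hmac.compare_digest(stored, digest)

    def revoke(self, client):
        self._tokens.pop(client, None)

def demo():
    acct = Account("old-password")  # constructed sample credentials
    phone = acct.authorize("phone-app", "old-password")
    desktop = acct.authorize("desktop-app", "old-password")
    acct.change_password("new-password")
    after_change = (acct.check_password("old-password"),
                    acct.token_valid("phone-app", phone),
                    acct.token_valid("desktop-app", desktop))
    acct.revoke("phone-app")  # e.g. the phone was lost
    after_revoke = (acct.token_valid("phone-app", phone),
                    acct.token_valid("desktop-app", desktop))
    return after_change, after_revoke

if __name__ == "__main__":
    print(demo())
```

The flip side for a defender: in this model a token that leaked before the password change stays valid afterwards, so the client has to be revoked as well.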

Nov 20 2012
 

I’m sure there are people who like having Evernote track where they recorded some note, but there are also some of us who don’t. Yes, I tend to be slightly privacy-oriented, or even more than slightly at times. If you’re in that category, here’s one way to delete the locations.

First off, they often come in when you have the Evernote app on your phone. On Android, to turn off the auto-location, you need to go to the Evernote app on your phone, go into settings, and click on “Other Options”. You should see something that says “Location for new notes” with two possible options underneath, one for GPS, and one for wireless networks. Make sure they’re both turned off. You might like to turn off Auto-title while you’re there, especially if you don’t like Evernote reading your calendar to find an appointment or date to write in that title. Yes, I know, I’m sure there are people who find this useful. I don’t.

Having done your best to ensure locations aren’t added to future posts, let’s get rid of the already-existing ones. These instructions are for Evernote 5.0 on the Mac. Find the note, and double-click on it to open it in the editing window. Click on the italic ‘i’ in the top right corner. Then click on the arrow head next to the location field. That gets rid of the location. You may be asked to update the location to your current location; I only needed to say ‘no’ once. Close the editing window and you’re done! Yes, this does reset the updated date, so if that matters, copy it before making your changes so you can change it back again.

There may be a programmatic way to do this, but I only had 5 notes with location information on them, so I didn’t need it.

Oct 22 2012
 

I’m filing this away in the ‘finally tracked down why’ bucket. In case anyone else spends time on Pidgin wondering why some of their contacts have lots of “Status” lines, here’s the reason. In particular, I’ve noticed that when I chat to Tim using Pidgin and Google Talk (which is based on Jabber/XMPP), he has approximately 10 “Status” lines when I mouse-over the name (the number varies, but not by much). It turns out it’s a simple explanation — Google Talk allows you to log in from multiple clients on multiple devices (this is part of the XMPP protocol), and Pidgin supports that.

Hence the multiple Status lines, one for each device that’s logged in to the XMPP server. The whole thing seems to be clever about sending the messages to the appropriate device, it all somehow just works. The other systems I use to chat with people via Pidgin (AIM or Yahoo!) don’t support logging in from multiple computers (although it looks like the AIM protocol itself does, but they don’t support it with most clients).

I guess this is generally a feature, but it does mean people need to be fairly careful about figuring out which chat client they want to use when they have multiple clients on multiple devices (and since ‘clients’ includes GMail, one for each Google account, they can easily add up). Still, Pidgin/XMPP seems good at figuring out when someone really is ‘Available’ rather than ‘Away’ and routing the message to the right place so it’s probably not as much of an issue as it could be.
