Category Archives: Corporate Insanity

Password Rules Are Bullshit

Jeff Atwood makes the obvious point that the worst, of many bad things, about passwords is password rules:

Password rules are bullshit

  • They don’t work.
  • They heavily penalize your ideal audience, people that use real random password generators. Hey guess what, that password randomly didn’t have a number or symbol in it. I just double checked my math textbook, and yep, it’s possible. I’m pretty sure.
  • They frustrate average users, who then become uncooperative and use “creative” workarounds that make their passwords less secure.
  • They are often wrong, in the sense that the rules chosen are grossly incomplete and/or insane, per the many shaming links I’ve shared above.
  • Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won’t take my word for it, read this 2016 NIST password rules recommendation. It’s right there, “no composition rules”. However, I do see one error, it should have said “no bullshit composition rules”.

I would add that possibly the worst password rule is the one that demands you change your password on a regular basis. Either people will start writing down their passwords, or come up with a pattern that ensures their passwords are always easy to guess.

Password rules aren’t just bullshit, they are actively counter-productive.
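To put numbers on the complaint above about random passwords failing composition rules, here is an added example (written for this post, not Atwood's code or NIST's): a legacy composition-rule validator beside a length-plus-blocklist validator in the spirit of the 2016 NIST guidance (SP 800-63B), plus an exact inclusion-exclusion calculation of how often a uniformly random printable-ASCII password is rejected by the composition rule. The blocklist entries and sample passwords are constructed.

```python
import string
from itertools import combinations

# Constructed stand-in for a breached/common-password blocklist (not from the page).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "password1!"}

# Character classes a typical composition rule demands: lower, upper, digit, symbol.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def passes_composition_rules(pw: str, min_len: int = 8) -> bool:
    """Legacy policy: minimum length plus at least one character from each class."""
    return len(pw) >= min_len and all(any(c in cls for c in pw) for cls in CLASSES)


def passes_nist_style(pw: str, min_len: int = 8) -> bool:
    """NIST SP 800-63B style: a minimum length and a blocklist check, no composition rules."""
    return len(pw) >= min_len and pw.lower() not in BLOCKLIST


def composition_rejection_rate(n: int) -> float:
    """Probability that an n-character password drawn uniformly from all four
    classes lacks at least one class and is therefore rejected by the composition
    rule. Computed exactly by inclusion-exclusion over the set of missing classes."""
    sizes = [len(cls) for cls in CLASSES]
    alphabet = sum(sizes)  # 94 printable ASCII characters
    p_all_present = 0.0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            p_all_present += (-1) ** k * ((alphabet - sum(missing)) / alphabet) ** n
    return 1.0 - p_all_present


if __name__ == "__main__":
    # Constructed samples: generator-style output that happens to contain no
    # upper-case letter, digit or symbol, and a rule-compliant password that sits
    # on every breach list.
    random_style = "xkqmzpwvtrbnlhgj"
    compliant_junk = "Password1!"
    print(passes_composition_rules(random_style), passes_nist_style(random_style))
    print(passes_composition_rules(compliant_junk), passes_nist_style(compliant_junk))
    for n in (8, 12, 16):
        print(n, round(composition_rejection_rate(n), 3))
```

Roughly three in ten uniformly random 12-character passwords fail the composition rule, while "Password1!" sails through it and is only caught by the blocklist.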

Stupid never learns

From the terms of use of the London 2012 Olympic website (handily archived for posterity by Index on Censorship):

Links to the Site. You may create your own link to the Site, provided that your link is in a text-only format. You may not use any link to the Site as a method of creating an unauthorised association between an organisation, business, goods or services and London 2012, and agree that no such link shall portray us or any other official London 2012 organisations (or our or their activities, products or services) in a false, misleading, derogatory or otherwise objectionable manner. The use of our logo or any other Olympic or London 2012 Mark(s) as a link to the Site is not permitted. View our guidelines on Use of the Games’ Marks.

In other words, they didn’t want anyone linking to them unless they were going to say something nice.

This time around, ESPN (via Gizmodo) reports that it’s the turn of the United States Olympic Committee to fire up the stupid with a letter to companies that sponsor athletes but don’t have a commercial relationship with the USOC or International Olympic Committee.

“Commercial entities may not post about the Trials or Games on their corporate social media accounts,” reads the letter written by USOC chief marketing officer Lisa Baird. “This restriction includes the use of USOC’s trademarks in hashtags such as #Rio2016 or #TeamUSA.”

The USOC owns the trademarks to “Olympic,” “Olympian” and “Go For The Gold,” among many other words and phrases.

No-one has claimed a trademark for the hashtag #Facepalm2016 or the phrase “Grab for Cash”.

The letter further stipulates that a company whose primary mission is not media-related cannot reference any Olympic results, cannot share or repost anything from the official Olympic account and cannot use any pictures taken at the Olympics.

At this rate, the 2020 Olympics are going to be remarkably quiet when someone tries to prevent any coverage of the event by anyone.

Bad Facebook. No Cookie.

Facebook’s ongoing attempt to get around EU privacy legislation in Belgium has taken a turn for the semantic:

Facebook has appealed a ruling from the Court of First Instance that supported the Belgian data authority’s demand that the social media network stop tracking users.

The court’s ruling contained some English words — like cookie, homepage and browser — which could violate a Belgian law that says all rulings must be in the official languages of the country: French, Dutch and German. Facebook has said this means the whole ruling must be annulled.

Facebook’s lawyers need to get out more. They’re not fooling anyone with this.

Privacy lawyers not associated with the case told POLITICO this is a “desperate, petty and last-ditch” attempt to avoid Belgian justice.

And that’s putting it mildly.

Facebook and the droppings of a male cow

A couple of weeks ago, I mentioned that Facebook had reacted to a Belgian privacy ruling by blocking access to any Facebook page to anyone in Belgium who isn’t signed in to their Facebook account. And now I have actually been affected by this.

We decided, for various reasons, that a takeaway would be a good idea and agreed on which takeaway to go to. Not being particularly familiar with the restaurant in question, I looked them up on Resto and clicked through to their website to see if I could find a menu.

Their “website” turned out to be a Facebook page, so what I was presented with was this.

Sorry, this content isn’t available right now. We have implemented additional security features that require you to log in to Facebook to view this page from Belgium. Learn why.

Being curious, I clicked on the Learn Why link. And here’s what I learned:

Keeping your account secure is extremely important to us.

But I don’t have a Facebook account. And the reason my access is blocked is because I don’t have a Facebook account. So to claim that this is to keep my account secure seems disingenuous at best.

Because of demands made by the Belgian Privacy Commission, we recently had to limit our use of one important security tool, the datr cookie. Please read on to learn how this tool works and why we’re no longer showing public Facebook pages and other content in Belgium to people who don’t have Facebook accounts.

I’m reading…

This cookie is a security tool we’ve used for more than 5 years around the world to help us tell the difference between legitimate visits to Facebook by real people and illegitimate ones (by spammers, hackers trying to access other people’s accounts, or other bad actors).

This cookie can help us secure Facebook by providing statistical information about a web browser’s activities, such as the volume and frequency of requests. Our security systems analyze this browser data to help us tell the difference between regular people logging into their accounts and potential attackers.

So what Facebook appears to be telling me is that they need to suck up my browser history in order to work out whether or not I’m a legitimate visitor.

And, it turns out that this is exactly what they are saying.

The Belgian Privacy Commission, however, has required that we stop using the datr cookie when people without Facebook accounts in Belgium interact with Facebook. In the absence of this tool, we have to treat any visit to our service from an unrecognized browser in Belgium as potentially dangerous and take additional steps to help keep you and other people secure on Facebook.

Really? You can’t just serve up a static page?

I believe that Facebook is written in PHP, in which case the pages are generated on the server and served as HTML. If I’m not logged in, I can’t — and wouldn’t expect to be able to — access any dynamic content and a plain old HTML file is about as secure as you can get.

We recognize that these measures unfortunately may limit and interrupt your experience on Facebook.

I’m sure you do.

Facebook: No access if we can’t spy on you

Back in November, a Belgian court ruled that Facebook should stop tracking Belgians who are not signed up to the site or pay a daily penalty of €250,000. This is on the basis that, if you are not signed up to Facebook, and have not given them explicit permission to track you, then they are not allowed to just assume that it’s okay to start monitoring your online activities.

The company failed to reach an agreement with the authorities and announced last Tuesday (1st December) that they would comply with the ruling. Their idea of complying is to deny access to any Facebook pages to anyone in Belgium who isn’t logged on. This applies to personal web pages, businesses, charities, and any other activity organised through the Zuckernet.

Privacy secretary Bart Tommelein is not happy:

They’re a major player, and the impact of their decision is major, but we are not giving in to blackmail. Everyone has to abide by the privacy laws. Without privacy, there can be no freedom.

I have a couple of thoughts about this. The first is that Facebook needs to understand that they are not above the law. If not being allowed to spy on random individuals harms Facebook’s business model, then it’s the business model that needs to change. On a related note, it’s worth remembering that data protection laws exist at the EU level, so similar privacy cases can be brought in any other EU country.

The other point to bear in mind applies to the businesses, charities and other organisations that depend on Facebook for their online presence. Proprietary networks may look like a quick and convenient way to get online, but you are entirely dependent on an organisation that has absolutely no interest in your business, your revenue or your activities. These organisations really should take control of their own online presence.

Misused English Words and Expressions in EU Publications

I am indebted to The Antihippy for pointing me in the direction of Misused English Words and Expressions in EU Publications, a weirdly fascinating and often amusing report that attempts to document the ways in which EU jargon obscures rather than illuminates. You know that feeling when you understand all of the words in a sentence but none of the paragraphs make any sense? This report goes a long way towards explaining that.

I would also like to take the opportunity to reiterate the fact, which I seem not to have made sufficiently clear, that the aim of this document is neither to criticize the work of other EU employees, particularly those who are not native speakers of English, nor to dictate how people should speak or write in the privacy of their own Directorates-General. In addition to providing guidance to readers outside the EU institutions, my comments are mainly designed either for those who, for reasons of character or personal taste, would like their English to be as correct as possible or those who need, or want, their output to be understood by people outside the European institutions, particularly in our two English-speaking member states. This takes up a principle that is clearly set out in the Court of Auditor’s performance audit manual:

‘In order to meet the addressees’ requirements, reports should be drafted for the attention of an interested but non-expert reader who is not necessarily familiar with the detailed EU [or audit] context’.

This means not only that we should not be too technical, but also that we should do our best to avoid assuming that our readers will necessarily be able to decipher our in-house jargon.

Some of the highlights so far include:

ACTORNESS

Explanation

This word is an extraordinary creation that manages to combine a noun of dubious pedigree (see ‘actor’ above) with a suffix (-ness), which, elsewhere in the English language, is only applied to adjectives and participles, producing a result that is both quite impenetrable and slightly childish. Even more unusually, although it is perhaps not actually an EU word as such, because it is not often found in EU publications themselves, it is used almost exclusively in publications about the EU in an attempt to express the concept of ‘the quality of being an actor’. The association between this word and the EU is so strong that, at the time of writing, if we google say ‘US actorness’, we still get a list of entries concerning the EU. Curiously, if we look up ‘Russian actorness’ or ‘French actorness’, Google thinks that we might have just misspelt ‘actress’.

Example

‘EU Actorness in International Affairs: The Case of EULEX Mission in Kosovo, Perspectives on European Politics and Society 11.’

Alternatives

participation, involvement, active participation, active involvement.

ANGLO-SAXON

Explanation

In English, the term ‘Anglo-Saxon’ is generally used to describe ‘a member of any of the West Germanic tribes (Angles, Saxons, and Jutes) that settled in Britain from the 5th century AD’. Also, particularly in America, it is used to denominate white people, usually of the Protestant faith (‘WASPS’), thus excluding large swathes of the population of that country. It follows that there is no such thing as an Anglo-Saxon country, or, as in the example below, an Anglo-Saxon agency or Anglo-Saxon capitalism. Furthermore, the Anglo-Saxon language ceased to exist in the 12th century (I am ill-informed about Brussels, but the last known speaker in Luxembourg was St Willibrord, 658-739). This term is particularly inapplicable (and, I gather, irritating for those concerned) when used to describe the Irish, Scots and Welsh, who partly base their national identities on not being Anglo-Saxons, and verges on the ridiculous when used to include West Indians.

Example

‘The Anglo-Saxon group of agencies reflect (sic) the previous dominance of Anglo-Saxon capitalism which was not disrupted by two world wars and the specific operational issues relating to Asian economies.’

Alternatives

‘English-speaking’ when referring to the countries or the people, ‘British’ and ‘American’ (‘Australian’ or whatever) when referring to agencies, capitalism etc. The term may, however, be used if you are talking about something like the (presumed) ‘Anglo-Saxon conspiracy’ and you will often find it used ironically in this way in the British press (usually in inverted commas). However, it has negative connotations and should be avoided.

BOVINE, OVINE, CAPRINE AND PORCINE ANIMALS

Explanation

Bovine animals are ‘any of various chiefly domesticated mammals of the genus Bos, including cows, steers, bulls, and oxen, often raised for meat and dairy products’. They are normally called ‘cattle’ in English. However, whereas the word ‘bovine’ may be recognised by English speakers (often with the meaning ‘sluggish, dull and stolid’), the terms ‘ovine’, ‘caprine’ and ‘porcine’ would only be known to specialists.

Example

‘Commission Decision of 26 July 2004 amending Annexes I and II to Council Decision 79/542/ EEC as regards model certificates relating to the importation of bovine animals for slaughter and bovine, ovine and caprine fresh meat’.

Alternatives

cattle, sheep, goats and pigs respectively.

And I haven’t reached the letter C yet.

There is, of course, a serious point to all this:

[I]nternally, it may often be easier to communicate with these terms than with the correct ones (it is reasonable to suppose that fewer EU officials know ‘outsource’ than ‘externalise’, for example). However, the European institutions also need to communicate with the outside world and our documents need to be translated – both tasks that are not facilitated by the use of terminology that is unknown to native speakers and either does not appear in dictionaries or is shown in them with a different meaning. Finally, it is worth remembering that, whereas EU staff should be able to understand ‘real’ English, we cannot expect the general public to be au fait with the EU variety.

The report is well worth reading and the associated website tells me that a 2015 version is on the way.

Someone Ate The Candle

Contractors.

Not all contractors. But some contractors.

Those contractors that turn up on a project, full of enthusiasm and utterly unable to understand why those damn data integration folks insist on things like frameworks, coding conventions and change management. Those contractors who cut corners and fudge their data so that they can roll out their project according to whatever arbitrary deadline they have been told to meet.

Inspired by this post on DevOps Reactions, I would like to propose a new term to be used when referring to the results of these contractors efforts: Someone ate the candle.

It would work something like this:

Financial Analyst: All the invoices for the pilot store are doubled. What is going on?
Contractor: …
Data Integration Person[1]: Looks like someone ate the candle.

I’m not bitter, just very disappointed.

[1] After four hours of digging through data and loudly wondering why none of this was set up in the test environment.