Pop-up windows that appear without a user-initiated action and grab input focus are not merely a severe nuisance that can trigger unintended system actions; by consequence they also increase the attack surface, providing an avenue to subvert sandboxing and configuration-management controls. Modern operating systems should phase out this faculty and replace it with a friendlier and more secure one.
In lieu of unpredictable pop-ups, operating systems should gather user-input requests from system processes and applications into a shared queue of action requests, require an explicit GUI context switch for users to act on them, and provide an unobtrusive alert faculty that announces the presence of input requests without hijacking input focus.
I have been thinking of this for years but only just now found myself angry (and perhaps time-rich) enough to write something. I was typing something into Safari on my Mac Air when Flux contrived to pop an update-request dialog box that my in-flight fingers accepted without my having any opportunity to know what was happening until it was too late. Decidedly not cool…
Microsoft Windows has made some useful inroads into security by requiring more explicit user decisions when applications attempt to gain execution, but even that falls somewhat short by manifesting as a focus-grabbing pop-up that could fall prey to the above-described problems.
We can do better.
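To make the proposal concrete, here is an added toy model (my illustration, not code from the post or from any operating system) contrasting the two input-routing policies: a focus-grabbing pop-up consumes the keystrokes already in flight, while a queued request can only receive input after an explicit user switch. The "updater" requester and the Enter/Escape bindings are assumptions of the model.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional

@dataclass
class InputRequest:
    requester: str                  # e.g. an updater; name is assumed for the example
    prompt: str
    decision: Optional[str] = None  # None until the user explicitly answers

@dataclass
class Desktop:
    """Toy model contrasting focus-grabbing pop-ups with a queued-request policy."""
    focus_grabbing: bool
    foreground_text: List[str] = field(default_factory=list)   # what the editor received
    queue: Deque[InputRequest] = field(default_factory=deque)  # shared request queue
    focused_request: Optional[InputRequest] = None

    def submit_request(self, req: InputRequest) -> str:
        """A process asks for user input; returns the alert the user sees."""
        self.queue.append(req)
        if self.focus_grabbing:
            self.focused_request = req          # legacy pop-up: steals focus at once
            return f"POP-UP: {req.prompt}"
        return f"badge: {len(self.queue)} pending"  # unobtrusive alert; focus unchanged

    def switch_to_requests(self) -> Optional[InputRequest]:
        """Explicit user context switch: focus moves to the oldest pending request."""
        self.focused_request = self.queue[0] if self.queue else None
        return self.focused_request

    def key(self, ch: str) -> None:
        """Route one keystroke to whatever holds focus; other keys at a request are swallowed."""
        req = self.focused_request
        if req is None:
            self.foreground_text.append(ch)
        elif ch in ("\n", "\x1b"):              # Enter accepts, Escape declines
            req.decision = "accepted" if ch == "\n" else "declined"
            self.queue.remove(req)
            self.focused_request = None

def type_while_prompt_arrives(focus_grabbing: bool) -> tuple:
    """Type 'hello' + Enter into the editor while an update prompt lands mid-word."""
    d = Desktop(focus_grabbing)
    req = InputRequest("updater", "Install update now?")
    for ch in "hel": d.key(ch)
    d.submit_request(req)
    for ch in "lo\n": d.key(ch)
    return "".join(d.foreground_text), req.decision, len(d.queue)
```

With the legacy policy the in-flight Enter accepts the update and the editor loses "lo"; with the queued policy the editor receives the whole line and the request stays pending until the user switches to it.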
Every time I swipe my American Express Blue Cash Preferred card at the pump of a nearby gas station the in-pump TV runs a commercial that encourages me to apply for that very same credit card. I wonder whether the swiped credit card has absolutely zero input into the displayed ads or if the decision logic is totally blowing an opportunity to perform meaningful targeting. Certainly AmEx is not getting the best of their advertising dollars in this exchange.
I just wanted to run the angular-cli on a recently built Fedora 24 box. Unfortunately getting it installed was an exercise in coaxing along a poorly coordinated collection of package management software. Ultimately what works is…
sudo dnf install git
sudo dnf install fedora-repos-rawhide
sudo dnf install --enablerepo rawhide nodejs libuv --best --allowerasing
sudo npm install -g angular-cli
… which provides the grounding for a successful run of…
ng new angular2-fundamentals
… but getting there meant slogging through angular-cli first blowing up because it assumed that Git would already be installed and then blowing up again because the version of NodeJS installed to support NPM’s own dependency was not adequate for angular-cli’s requirements. Ugh. This is the manner of hazing inflicted on you to make sure that you really want to use the software. And even now, having superficially seemed to succeed, I’m not even sure I really did, as the install of angular-cli itself threw some “errors” that maybe were just warnings. Who knows…
Brand awareness requires readily identifiable trademarks. And yet there exists a challenge in rendering a trademark visible without making it gaudy. The symbols of car manufacturers capture that balance perfectly. The crass advertising of car dealerships, meanwhile, tends toward the gaudy. But perhaps international car manufacturers have an unfair advantage because a high extant brand awareness makes their flag require nothing more than symbology whereas local entities have to carry more information on their signal.
A related challenge consists of documenting the identity of a given artifact so that one might purchase a duplicate. Perhaps you bought something years ago for your home and would like another. Or maybe you’ve seen something in a friend’s house and would like one of the same. How maddening it is, then, not to be able to find any manner of key with which to look up the product’s identity. Thus sales are lost.
My cats… They’re lovable. They’re also assholes who delight in chewing through electronics cabling of a particular size. Generally optical audio cables and Apple chargers suffer the greatest casualties.
This led me to buy some handily configurable cable sleeves from Baltic Living. You can get a pack of five sleeves that you can either chain together mooshing one’s end inside another before zipping it up or zip together side-by-side to “trunk” them into a higher capacity sleeve. Simple. Elegant. Solid.
Very sensibly they put their company’s name on the product.
A more difficult decision was perhaps deciding where to put it.
They opted to make it visible when the product is in the process of being assembled but not when it is in what will be its long-term state. This has the trade-off of rendering the product more tastefully “quiet” in its ongoing state of use but at the cost of making the trademark invisible at most times. One wonders how conscious a decision this was. Would it have been obnoxious to put the company’s name on the outside of the sleeve? Maybe so… Was there a compromise to be had? Perhaps… What if they had embossed the trademark in the same color as the sleeve? That seems like it might have worked well but would it have been cost prohibitive to perform the five embossings for the five-pack that only retails for $15? Maybe… And meanwhile there is no product identifier, a matter of perhaps little importance for a company that sells so few product types, but something that could become a larger issue if they expand their line.
The other day when returning to my hotel room from near-100F heat I found myself willing to spring the $2.50 the vending machine wanted for a Vitaminwater. I lacked the paper or metal currency to complete the transaction but thankfully the machine accepted plastic. Or at least appeared to. Except someone botched designing fault tolerance into the system.
I swiped my Visa but after the system hung with the text “authorizing transaction” for a minute it barfed with “communication error”. So I tried my AmEx instead in the vain hope that the networking failure was not at the last hop. Alas, no dice. Here I was, willing to pay retail++ for a Vitaminwater but the system did not want to take my money. Because it couldn’t talk to the mothership and maybe I wasn’t good for the $2.50.
Now, I’m pretty sure that when a credit card authorization service gets interrogated its implementation is to default to authorizing the transaction (as long as it is reasonably small) if a non-confirmation of the transaction does not come back within a few seconds because the wheels of commerce as a whole need to keep turning regardless of whether some pissant network service feels like being helpful at a given moment. The vending machine’s own architecture would have done well to draw inspiration from the larger system’s design choices.
It seems entirely reasonable that the vending machine instead might have handled an inability to reach the authorization service by letting the sale complete and caching the transaction for later transmittal. To deal with an attacker it might cap a given card to a single cached transaction so that someone cannot simply disconnect the machine and then use a single bad card to clean out the machine without paying. And maybe to thwart a really determined attacker who is carrying a wad of bad cards and for some reason is willing to squander one card per stolen beverage you could cap the total number of system-wide cached transactions. And, hey, don’t a lot of vending machines these days come equipped with cameras that could be retroactively used to nail a really determined attacker (as well as deter shenanigans in the first place)? Surely such a simple arrangement would have sufficiently contained the attendant threats to make the operator willing to complete a transaction that would net him $2 at risk.
To be fair, though, I have no experience in the vending machine business, except that sometimes I just want a cold beverage but the machine doesn’t want to play.
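The store-and-forward design sketched above, as an added Python example that is not from the post: offline approval is granted only for small amounts, only one cached sale per card, and only up to a bounded number of cached sales system-wide, with cached sales retried once the network returns. The cent limits, the toy network host and the card tokens are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

class AuthServiceUnreachable(Exception):
    """Raised when the card network cannot be contacted."""

NETWORK = {"reachable": False}   # toggled by the caller to simulate the outage

def toy_online_authorize(card_token: str, amount_cents: int) -> bool:
    """Stand-in for the card network, constructed for this example only."""
    if not NETWORK["reachable"]:
        raise AuthServiceUnreachable("no route to authorization host")
    return True

@dataclass
class StoreAndForwardAuthorizer:
    online_authorize: Callable[[str, int], bool]
    max_offline_cents: int = 500   # assumed ceiling for a "reasonably small" offline sale
    max_cached_total: int = 20     # assumed system-wide cap on unsent offline sales
    cached: List[Tuple[str, int]] = field(default_factory=list)  # (card token, cents); never the raw card number

    def authorize(self, card_token: str, amount_cents: int) -> Tuple[bool, str]:
        try:
            return self.online_authorize(card_token, amount_cents), "online decision"
        except AuthServiceUnreachable:
            return self._authorize_offline(card_token, amount_cents)

    def _authorize_offline(self, card_token: str, amount_cents: int) -> Tuple[bool, str]:
        if amount_cents > self.max_offline_cents:
            return False, "declined: amount exceeds offline ceiling"
        if any(tok == card_token for tok, _ in self.cached):   # one cached sale per card
            return False, "declined: card already has an unsent offline sale"
        if len(self.cached) >= self.max_cached_total:          # bound total exposure
            return False, "declined: system-wide offline cap reached"
        self.cached.append((card_token, amount_cents))
        return True, "approved offline; queued for later settlement"

    def flush(self) -> int:
        """Retry cached sales once connectivity returns; returns how many were sent."""
        still_pending = []
        for tok, cents in self.cached:
            try:
                self.online_authorize(tok, cents)
            except AuthServiceUnreachable:
                still_pending.append((tok, cents))
        sent = len(self.cached) - len(still_pending)
        self.cached = still_pending
        return sent
```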
I am grateful I was not too thoroughly immersed in my phone when I encountered this on the sidewalk in Baltimore near the intersection of Eastern Ave and S Chester St @1030EDT on 2016-07-08.
I stopped and spoke with a member of the BGE crew and suggested that this was probably not an adequate setup in a 2016 world where distracted walking is the norm. He politely thanked me for my input and said they did not have enough gear to do any better. I suggested that they reallocate one of the several cones they had placed in other locations of much less obvious utility. He seemed disinterested and when I looked back two blocks later it was clear they were not going to improve the situation. The fact that this was not merely an oversight but rather an intentional act of disregard for safety makes it especially troubling.
What I would really love to know is… If someone fell down this shaft, how long might it be before someone even realized?
Edit @1130EDT: This has become Baltimore City 311 issue #16-00496948.