A site devoted to discussing techniques that promote quality and ethical practices in software development.

Tuesday, December 15, 2015

Is building a better mouse trap (Signal Private Messenger) enough to win market shares?

I am please to see the release of Signal Private Messenger for Android and iOS, a messaging application that has earned full marks in the EFF security score sheet. I am a fan of this product and I like it very much for the following reasons:
  • It is an open-source project offering the service for free. WhatsApp is not a free.
  • As a result, it can be reviewed by anyone capable of doing it while WhatsApp is proprietary, even though it claims to be underpinning by Open Whisper Systems but no one has reviewed that. Recent event has indicated that WhatsApp messages have been intercepted and decoded.
  • It is not owned by any company while WhatsApp is owned by Facebook, Skype by Microsoft. Thus all metadata in WhatsApp and Skype belongs to Facebook or Microsoft respectively.

According to well-known security researchers, Bruce Schneier and Matt Green, Signal is developed to a very high quality to provide end-to-end encryption (E2E) not only for messaging but also for voice and their endorsement must mean something.

I am not here to raise doubt of this product which I am using admittedly with very limited users to interact with and I have great trust. I hope it will do well.

But I am here to question whether it is enough to rely on technical superiority which is so well hidden from the users to induce them to switch to Signal and to grow its market shares. That's is: is building a smarter (more secure) mouse trap enough to win market shares? Other class of software such as web browser, anti-virus, media player, or mail client can draw people to switch based of superiority of features.

Looking at the landscape of messaging applications it is difficult to see how Signal can rely on security implementation, so out of sight of the user, to win market shares. Will this become a replay of VHS (WhatsApp, Skype, etc) vs BetaMax (Signal) of the 21st Century?

Messaging applications are like clubs or cults in which they only allow club members to interact and go to great length to discourage inducement to leave and definitely providing no facility to support inter-club interaction. This produces network effect to draw people in and that also becomes disincentive to leave and its nurture of human social interaction provides a positive feedback to increase the network effect.

Looking at the EFF Security score card, most of the popular messaging applications do not use security best practices and their inferiorities do not seem to matter to the users. The anecdotal conclusion one can draw is that users do not care with online privacy and security despite well publicised massive surveillance activities. Unlike other type of application, such as web browser, there is no report of people deserting one messaging application to another, despite vulnerabilities and caught not using secure messaging mechanism when they claim to use. For those entrenched players, they must feel like in a no-loss situation. The only way they can lose to a competitor is by a total annihilation of the enterprise.

Messaging applications have another unique characteristics that it is not the features that draw users to choose a particular application; there is a great degree of peer pressure exerted by those early adapters unwittingly forcing people to form that circle of friends. This peer pressure then forms a vortex to draw more and more people in. Their only concern is to be able to communicate with the club members.

Because of the lack support for inter-application interaction, the application through using proprietary communication protocol forms a natural barrier for their user to leave. Apart from that, the user does not see any benefit for using a different application that essentially providing the same things - messaging and may be voice - and having to desert their friends. So why leave? What is the benefit to them?

Many users of messaging applications also form the mistaken belief that they can only use one messaging application in their device. Perhaps it is this mistaken belief or blind fanaticism to their favourite application they are also reluctant to install other messaging applications to increase their reach to their friends. Since Signal is so similar to WhatsApp, it is simply a matter of installing and waiting for others in the contact to install their copy of Signal to re-establish communication. Even that simple is not enticing.

I have spoken to several users of messaging applications as well as non-users and recommending to switch over to a more secure application called Signal. But telling them the benefits of Signal is like talking about wine apprecThis is particularly difficult when Signal is so similar to the operations of WhatsApp separated by a thin veneer of technical features. In view of this, users of WhatsApp (or other app) are unwilling to desert their circle of friends to use something that to them is almost the same thing with minute user base, by comparison. iation to a group of teetotalers. To them the improve security and end-to-end encryption (E2E) are not enough to sway them. Even people that has not used messaging application seems to be reluctant to get onboard with Signal because they have not heard of it being mentioned by their friends.

So I wonder how a late comer like Signal can overcome these barriers to increase its market shares? How it can base on technical superiority to entice users who are disinterested of them that Signal relies on to distinguish it from others? What is the future of Signal apart from being a niche player at best? Clearly Signal needs to improve its image and marketing.

From the analysis, users of messaging applications place extremely high premium on their ability to reach their circle of friends and ignore other issues like security and privacy. Therefore if the new comer, like Signal, wanting to rise up, it must give their users a transparent way to interact with their circle of friends without requiring them to switch en masse like the present situation. How to achieve that is the real challenge in messaging application development in view of no standard communication protocol?

Monday, December 7, 2015

Comments on using e-mail address as username for online services

I have encountered more and more online facilities using e-mail address as the user name. In my mind, this is a lazy way for the service to check or to provide a unique user name when creating an account. In some rare usage, this may be fine but generally this is a very restrictive form and the reasons are given below.

Using e-mail address has the following problems:
1) While it is unique in the universe of the Internet it does not uniquely identify a user of the service, thus unsuitable as a user name unless the service has other facility to deal with one e-mail address for multiple users.

For example if one manages several properties or funds belonging to different entities under some management agreement, it is often convenient to use one e-mail address for all these properties or funds. It is also possible that the e-mail owner owns all those properties or funds, it is unreasonable to base that identifier on an e-mail address which does not map to a unique entity; e-mail address is for correspondence - like a house address.

Who would then use a house address to identify a person living there when it can house several persons?


I have seen one service that uses the user name (aka e-mail address) as a proxy to a fund account. This then assume the owner of that e-mail address cannot have more than one funds - one may be for him and another for some other ownership arrangement with correspondence being sent to the same address. Clearly the developers have not model the usage requirement well.

This silly design is like the above house number analogy requiring a house to house just one person.

The assumption that an e-mail address uniquely maps to a particular person or entity is unsound. Don't do it. It is far better and more secure if your system generates a unique number, a la, account number, for the user.

2) The use of e-mail address as a user name can confuse user in that he/she has to supply to the online service the same password for e-mail account. This can lead to an increase (or subliminally encouraging) reuse of password, a dangerous practice.

To a less technically savvy person, he/she may be misled into believing that the e-mail provider now have access or linked to whatever materials available in the online service.

3) While it is infrequent, though not impossible or improbable, for people to change e-mail address, services that uses e-mail address for correspondence as well as for user identification inevitably prevent user from changing e-mail address. This is because it is using a very poor design pattern - one piece of data to serve two distinctly different and diverse purposes. The user name is to identify a user which an e-mail address does not and the e-mail address is for correspondence, like a house address which can be used by anyone living there to receive correspondence.

If you ask correspondence sender to simply put the address on the envelope no one in the household will know to whom is that letter addressed; you need to put the addressee's name (the user name). A person could one day moves out of that address; he/she retains the same name (user name) but simply changing the delivery address (changing the e-mail address). This happening may not be frequent but not improbable or impossible.

No right minded person would combine the two (addressee's name and the delivery address) but why do that in the computer system?

To address this kind of short coming, they then have to provide a means for the user to define an e-mail address for correspondence. In this situation which one should the system uses during account set up and validation purpose?

How to overcome this poor design as a user?

If you, as a user, are confronted with this problem - how to use one e-mail address for more than one users of the service - you may try this solution provided that:
  • Your e-mail provider supports e-mail alias. GMail and Hotmail support them. If you provider does not supports this, set up a GMail account as a mail redirector.
  • Your online service's user name (aka e-mail address) validation knows about RFC 822 - Section 6 Address specification. Those failing to parse this properly would reject your e-mail address with alias.
Then use e-mail alias (like Somebody+Property1@GMail.com or Somebody+Property1@Hotmail.com) to allow one e-mail address to be used for several entities. The '+' character in the local part of the e-mail address is valid and permitted under the RFC. If their developers tell you that it is an incorrect address, point them to the RFC.

Those thinking of using e-mail address as a user name to relieve them the task to validate its uniqueness needs to validate the e-mail address to conform to the RFC.

To me, the task of validating and ensuring a user name is unique within the system is far easier than validating the e-mail address because the latter needs to check:
  • conformance to RFC
  • that the e-mail provider supports the e-mail alias that the user enters, as the service has to make sure it is a reachable address to receive correspondence. If that alias syntax is not supported by the mail provider, conforming to RFC does not guarantee it can be used for correspondence.  
Here lies the danger of tying the two purposes to one piece of data, that is using an inappropriate design pattern.

Sunday, October 11, 2015

To install or not install an application - what are the pros and cons?

With the advent of USB devices, many applications that once require an installation process for deployment have been converted to run without one so that the user can use that program directly from the USB device on any machine and a large collection of them can be found here mostly utilizing their portable application framework.

Other program, such as TrueCrypt or its replacement VeraCrypt offers a much simpler model; it simply offers you a way to extract the files into a directory and one can execute the program from there.

I have been a fan of this convenient deployment model for a long time and in particular of avoiding any impact on the underlying operating system. It is particularly helpful in troubleshooting without the need to install anything. Just run!

However, recently I have been having second thoughts whether the benefits of this model is worth the risk of allowing malicious attacker to contaminate the program to do harm? When needing to a USB device in an environment that I do not know its sanity, I always probe it using tools carried by locked SD-Card. In this way, I am protected from being a carrier of attacks or being attacked.

Going back to the history of Windows beginning in Windows 2000 (aka NT5), Microsoft has been using the profile to define a set of file and registry security templates to protect executables and key information, although much of the good intention was discarded in favour of convenience and ignorance. Microsoft had to do something to rein in the unruly behaviour by introducing the UAC in Vista to the dismay of large unappreciative community.

Apart from other benefits, the main aim of the file system security is to protect key files from bring modify by user without administrative privilege. From Vista onwards, all applications run by default with standard user privilege and that means that they cannot make changes to program files or protected areas. This is a good thing and has improved the security of Windows a lot.

Now if instead of installing a program that requires administrative rights to carry out and deployed into designated protected areas, we modify the deployment model of the program to allow it to run from anywhere, doesn't such a practice is a throwback to the good old days of NT4/5/XP (run everything in admin account) style? Aren't we then essentially turning the file system protection off for these programs? Aren't we making our programs more vulnerable to attacks?

What caused me to ponder is my latest installation of VeraCrypt 1.16 that has fixed a couple of recently discovered critical vulnerabilities. In the past I have been using TrueCrypt in portable mode without installation. Then I wonder: wouldn't this mode of deployment makes it easier for others to attack the program or to use this program or this type of program, running at elevated privilege, to launch attacks?

In the end, I decided to install the program. What is your opinion on this issues?

In Linux, by default it does not allow programs to run from removable devices.

Wednesday, July 29, 2015

Caveat for Link Market Services Registry users using Password Manager

This is a note to any users of Link Market Services Share Registry service that use Password Manager to manage their password.

It seems Link Market Services discourages people using password manager, a practice that is recommended by security experts, and it expects the users to have some sort of psychic power to know why.

Recently, I have encountered an operation that requires me to supply the Transaction Password. Since I used a password manager to generate and record passwords, I simply asked the password manager to transfer the transaction password to the field in the Link Market Services web page. The transfer happened flawlessly but the confirm button remained disabled as if I had not type anything. That's strange. There was no textual guidance and no pop up message box to tell the user what to do.

Not deterred by this, I did some experiments and this is what you have to do if you want to use password manager:
1) Transfer the Transaction password to the field in the normal way your password manager offers.
2) Click on the field and press End key to force the cursor to be positioned to the end of your password. (Or enter a character to the end of the password and immediately removing it from the field)

The minute you have completed step 2, the confirm button is enabled! The web page at that stage does not have a clue if what you have entered a valid  transaction password.

It seems the web page has a user-interface bug failing to recognise the field change event.

This kind of bad user interface design makes your software sucks. If you do not want user to transfer data say via the clipboard, disable the paste operation and offer the users some form of guidance. If your web site does not have a general purpose help e-mail address, you need to make sure the user-interface of your web site to be perfect and idiot-proof.

On the subject of Transaction password, this is their mandated rule:

When you use the settings facility to change the Transaction password and if you use a password manager to generate the new password (highly recommended), after you have transferred the new password to the respective field, execute Step 2 mentioned above. Such action will trigger the script on that page to evaluate the supplied password. It seems the program has a bug similar to that mentioned above.

One wonders if the Link Market's mandated rule can encourage users to choose strong password. If Link Market discourages their users from using password manager, then the users will undoubtedly choose an easy to remember password (that will also ended up to be easily guessed by hacker).

For example the following passwords Pauline1, Password1 or Ab1234567 comply with the rule but according to Microsoft's password checker or Kaspersky's checker,  there are weak passwords. It is therefore better to encourage your users to use password manager rather than forcing them to choose easy to remember one.

Wednesday, July 15, 2015

A tale of two share registries

Every year around this time, the end of the financial year, I, like others, have to prepare share holding statements of my share portfolio for my accountants and this exercise takes me into close contact with the share registries managing the shares in the listed companies.

There are several registries in Australia and some companies use one while the others use a different one. It is not uncommon for a share holder having to deal with multiple registries.

The two largest ones are the ComputerShare and Link Market Services. Both have the facilities to generate holding statement document but they are vastly different in their implementation and this blog post documents my experience showing how one can be so badly designed to meet user's requirement while other is a joy to use.

Both systems offer several log in facilities to access the holding or holdings. Both allow a user to become a registered user and in so doing can let the user to define the collection of shares of interest. They also offer a user a single holding access to just one share's detail using the share identification number called the SRN and other details.

For people with a large share portfolio it is much more convenient to become a registered user. However as to be revealed, it is not always the case when dealing with ComputerShare.

ComputerShare has longer history than Link Market Services but the latter has a far user-friendly user interface that the former.

ComputerShare once had a very functional, though less colourful, system and had served it well. In that system, one could expand the particular share holding and could then enquire the holding at a particular date right there. Several years' ago, ComputerShare decided the functional system needed freshen up and decided to splatter the web site with eye-candy features and introduced an amateurish help system that is actually an insult to the intelligent of its users. More on this later on.

The eye-candy effect caused minimal changes to how holding details are shown to the user and the shares in the portfolio are listed alphabetically, just like the less colourful previous system. As a comparison to Link Market Services the eye-candy effect has not improved the usability one bit as compared to Link Market Service, speaking from someone with a long history of using both.

However, the most radical change in ComputerShare is in the way of generating holding statement  at a particular date. It is not about relocating the access of a feature from one user-interface to another location that is so unusable but the implementation behind that makes this so frustrating to use.

The 'Export Balance Letter' has the following user-interface design:

to let the user to generate the balance statement. For some strange or mismanagement reason, the designer of this piece of user-interface changes the terminology from 'holding' to 'account' in the 'Select Account'. In the opening statement of this user-interface, the designer is still referring them as holdings. The rest of the web site all uses holding to refer to a particular share holding. 'Select Account' should be corrected to 'Select holding' for consistence.

It is not the eye-candy stuff that makes this piece of user-interface totally unhelpful and unusable. It is what lies behind the combo box for the list of holdings (I will refrain from calling them accounts because they are not) that are irritating (and dare I say any users bar the designer).

This piece of implementation is a prime candidate for the book "Why software sucks". If you drop that combo down, any sane person would expect ComputerShare designer to show the share holdings in alphabetical sort order, just like in the Portfolio page.

But surprisingly or rather shockingly, the order seems to be rather random without seeing the code. In my access, the list box in the combo box shows the companies in the list starting with A, C, W, W, A, C, A, P, A, .... S, L. What kind of sort order is that? I managed to talk with someone from ComputerShare about what kind of collating sequence they are using to generate this. The answer, from someone without much conviction, suggested that it might be the order I acquired the share. Even if that is the case, what good does that sort sequence do to the users?

Having worked with many developers in my life I have never seen something as bizarre as this. It is a sloppy piece of work and how hard it is to add an ORDER BY clause on ASXCode column in your SQL statement?

Needless to say the person I talked with from ComputerShare is rather defensive (a trait I have commonly found in some development companies) giving me all other irrelevant excuses like the software has to work in different countries. I am not inexperience in I18n.

If the caller wanted to solicit user feedback to help them with their design, he had used the wrong tactic. No where in my Facebook (borrowing someone's access) message did I say anything about having the ability to download them to a spreadsheet. And yet, this person kept drumming into me of the ability to download into spreadsheet and that features might take some time. I told him all I wanted was for ComputerShare to list the holdings in the list box in alphabetical order - a much easier undertaking that will bring huge benefit. He certainly has failed the user-requirement solicitation process.

Now let's consider how Link Market Service handles this that makes ComputerShare looking like an amateur. Link does not use the algorithmic way of pulling in the share holding relevant for the registered user. Link allows user to pull in holdings of totally different owners as long as one has the SRN and it also allows user to group these holdings, a useful feature not available in ComputerShare.

Hence in Link, one can have BHP, for example, owned by Albert, Mary, Jack and Tom, each with distinct SRN of course.

In Link, the balance statement is located in the 'Balance History' page which contains a similar user-inferface

Once again it is not what hits your eyes that matter but it is in the implementation of that list box in the combo box for the holdings. Link sorts the holdings alphabetically and a sort order I challenge ComputerShare to show me that is less useful.

Rather than to torture myself with the ComputerShare's illogical sort order when I came to compiling the end of the year holding statement for shares managed by ComputerShare, I did not use my registered log in detail. Instead I used the single holding access which seems irrational. Even with having to provide log in details and entering the CAPTCHA for each holding, it is still the quickest and less stressful way to get the job done. This is still might quicker than to navigate through poorly arranged list of holding in ComputerShare.

Not contented with driving their users crazy with their idiotic design, they try to pretend to provide some 'human' assistance; they introduced the 'Ask Penny' which must be built with a penny as it lacks any form of intelligence or  knowledge. If you can't provide an AI assistance, perhaps a general helpdesk e-mail facility is more useful and more capable of giving that human touch. Their 'Contact us' facility is equally useless because it is share-centric.

In sharp contrast, it is a joy to use Link to compile that end of the year holding statements. Thanks for a job well done.

Tuesday, June 23, 2015

Rare to see an anti-virus/malware protector not having automatic updates

It is extremely rare to find an anti-virus/malware protector not having an automatic update facility to its engine and database. Windows Defender running in Windows 8.x is one such rare species.

This happens if the user chooses the option in Windows Update not to use automatic updates, a choice giving the user better control which upgrades should be applied.

In that case, Microsoft acknowledges that it is a design decision that the user is not given the normal Windows Update notification, except in the log in screen. While I accept, only reluctantly, that there is a shred of logic in this, albeit very draconian one, why does that affect the important updates to a protection software which depends on timely update of its database/engine?

I have used a variety of AV and this has to be the first one that fails to update automatically or tell me an update pending when I choose not to use automatic Windows update option. Most of them has automatic update by default and is not under the influence of Windows Update.

This situation is a good example of Golden-Hamer anti-pattern resulting in leaving its Windows user vulnerable to attacks. So if you want more controls on your Windows' updates, don't use Windows Defender. Furthermore, another case of don't believe everything you read (on Microsoft product) and here is one taken from the Windows Defender's Update page for Win8.1:

It only updates automatically if Windows update is set to automatic. That "Did you know" message needs to be clearly qualified to avoid misunderstanding.

Windows has all sorts of detections and options, surely in the Windows update control panel applet Microsoft can add a check box there to let the user to choose if one wants to receive notification, including Windows Defender update notification. Or in Windows Defender to have a check box to remove automatic updates if the update notification is so distractive; it could and should update silently. Cutting that out altogether is just plainly a bad design decision. I suspect that is other sinister motive than what has been revealed.

I am wondering if this draconian approach will be addressed in the upcoming Windows 10?

If you persist to support Windows Defender with your choice of Windows updates option, the other option is to use a Task Scheduler to register the Defender updates periodically. It is a choice to ditch Windows Update or to use the Task Scheduler.

I will now experiment with some of the Windows Update Notification tools to address the Windows 8.x deficiency.



Thursday, May 14, 2015

My experience in using one2free prepaid Mobile Broadband SIM in Hong Kong

I am a regular visitor to Hong Kong and in every visit, I purchase a prepaid mobile broadband data SIM for my Huawei pocket modem to provide Internet service to me. I am no stranger to this kind of SIM as I have used in the past various types of 3HK Data SIM. So after reading so many glowing remarks about the one2free's prepaid mobile broadband SIM, I have decided to give it a test ride this time.

I did some preliminary investigation prior to the visit via their e-mail customer service which I may say is rather responsive by comparison. It would be nicer if they have 3HK's online chat service.

On the whole, I am rather pleased with the performance, the cost, the responsiveness of the customer service which I had to use quite a lot, as you will see, during my stay. Unfortunately, their responsiveness is tarnished somewhat by their answers which clearly indicate that they are let down by their organisation.

Now, with the good bits out of the way, let's go through the bad bits.

Foremost is their web site which is devoid of any useful and helpful information. It would be more helpful if their web site provides some form of instructions in using their services. Such as what happen if you buy the $100 starter kit, what rate will you be charged at. What about the steps to buy the 30-Day Pass with 3GB quota for someone what has not used your product before? What happen when one uses up the quota but still within the 30 days? Will the connection speed be shaped?

In my case, I want to use the 3GB 30-day pass, which according to the published information will cost me HK$148.00. To subscribe to that, one needs to load the prepaid SIM with at least (preferably more) that that amount. At the shop where I purchased the kit, they did not have $50 top up voucher instead they only had $100 voucher which means my SIM card is loaded with $200 and after paying for the 30-Day pass, it has a balance of $52.00.

No where in their web site explaining this and what happens to that balance. For those wanting to go down this path, here is the treatment of the balance.

The 30-Day pass expires after 30 days from the day of subscription. CSL will immediately deduced that amount from your card on subscription. Hence you must load your card up with sufficient amount before you can punch in the code to select the day pass. The amount remaining can be use for other purposes such as making calls or to contribute towards next day pass purchase. It does not expire until 6 months after the activation or from your last top up. In other words, your prepaid SIM card is valid for 6 months as long as there is sufficient fund to pay for the monthly government charges, which is HK$2.

Unless you do not have other SIM to make voice call, this SIM charges (HK$0.3/min) 3 times as much as other CSL SIM ($0.1/min).

The next area of great disappointment is how to monitor the data usage. Their web site for the prepaid starter kit contains wrong and misleading information.

While that site is for the Prepaid Mobile Broadband SIM, the login button is not intended for Prepaid mobile and I only found this out after the event.

This web site expects the user to possess certain degree of psychic to realise that. I was misled by this page and unsuccessfully to get a password or to reset it by following the online link. Out of desperation, I inserted the data SIM into a mobile phone and used the *777 code to successfully reset the 6-digit password for my SIM. The system acknowledges the request and echoes back the password (very security conscious).

Next, armed with my SIM's mobile number and the password, I pressed the login button on that web page. Rather than telling me that my SIM cannot use 'My Account' to manage my usage, it throws a Java Exception message:
type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

java.lang.IllegalStateException
 org.apache.coyote.tomcat5.CoyoteResponseFacade.sendRedirect(CoyoteResponseFacade.java:418)
 LoginRedirect.doPost(Unknown Source)
 javax.servlet.http.HttpServlet.service(HttpServlet.java:767)
 javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
 sun.reflect.GeneratedMethodAccessor57.invoke(Unknown Source)
 sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 java.lang.reflect.Method.invoke(Method.java:585)
 org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
 java.security.AccessController.doPrivileged(Native Method)
 javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
 org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
 org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)

note The full stack trace of the root cause is available in the Sun-Java-System/Application-Server logs.

Nice? Have they ever tested their program? Why doesn't the web page inform their user that the login page is not for Prepaid user? Surely, they have all the information to tell if the caller's SIM is a prepaid or not.

I raised this issue with the online support as well as visiting one of their customer service centres and was then told that that login button on the web page and "My Account" facility are not for Prepaid users. Surely their web designer can put that few words into their page to warn their user and even better, their program tests and traps that kind of exception and to inform their users in a more meaningful manner. It is not a big ask isn't it. More disturbingly, if that facility is not for prepaid user, why does *777 allows a number belonging to a prepaid SIM to reset password? So amateurish!

So after the visit, I discovered that as a NextG-Prepaid user, I should use this URL http://www.one2free.com/nextg-prepaid while connecting to the CSL using the one2free SIM. Using this URL, I have managed for the next 3 days to make a daily enquiry of my usage.


On the 4th day, when I used that URL, I was confronted with this web page:

Notice that the left hand pane tells me that this is a "My Account" facility, the very facility that I was told that it was not for me.

Not deterred and with a sense of adventure, I pressed the login link which sent me to https://prepaid.hkcsl.com/login with the following login page

The login page asks for the mobile number of the SIM and a password, which I duly use the one that I used the *777 code to reset. The system accepts my inputs and provides me access to my SIM's data. The data usage can be retrieved by pressing the "Promotional Bonus Details" link.


Notice this is a different web page as compared to the previous one via the NextG-Prepaid link.

I sought the customer service for an explanation of how I could access "My Account" when they told me that it is not for me to no avail. We ended up going around and around in circle. The customer service refuses to acknowledge that the URL https://prepaid.hkcsl.com/login is right for me despite being pointed out that the URL containing the word 'prepaid' to indicate that it is for prepaid users.

Even more interestingly is that I can access my prepaid SIM card detail using this URL without having to use a connection provided by CSL SIM while I need to use the one2free SIM in order to use the http://www.one2free.com/nextg-prepaid regardless successful or not. As an experiment, I have just connected to this https://prepaid.hkcsl.com/login some thousands miles away from Hong Kong.

After discovering that I can use this URL to monitor my data usage, I continue to use it ignoring any contradictory comments from the customer service. Incidentally this URL is not disclosed on any of the CSL web pages. It seems that there is a communication problem within the CSL on this issue.

Whatever it is, it is CSL's problem and they need to deal with it. I have supplied all the information, such as SIM card number, mobile number, and modem model. They need to improve their web site to make it more useful and helpful. Don't just throw figures and data on it. Test it with someone who is not a user of your system or product.

Teach your front line support personnel to slow down and take time to explain the various facets of your products. I know you know your products very well but your potential customers DON'T.

Test your web site with any non-sensible data and don't let your Java exception message leak out to the users. That is not an acceptable way to tell your user that they have entered something wrong.

To date, I still have not been offered a logical explanation why the link http://www.one2free.com/nextg-prepaid, I was instructed by the customer service to use, failed after 3 days. And that why I should not use https://prepaid.hkcsl.com/login which works but the customer service next acknowledges that I should use that.

Thankfully, I have a wonderful Internet service and despite all the above mentioned issues, it is still cheaper than 3HK's offering and I still will recommend it to other travelers. Just be prepared for some rough edges.

Saturday, March 28, 2015

Installation recommendation for PDFCreator 2.1.0

For those intend on installing PDF 2.1.0, you are recommended
  1. to download it, 
  2. turn off your network connectivity, 
  3. before running the installation package. 

This is because the installation script produces very much the same undesirable behaviour. Turning off the network connective during installation prevents it from calling home to download other crapware.

If you are running AVG 2015, it will pick up the presence of OpenCandy, "Adware AdLoad.OpenCandy", since it is a crapware, it is best to let AVG's residence shield to toss it away - no loss at all.

Below is the brief outline of what happen to the installation process with no network connectivity (assuming no AV to intercept the presence of OpenCandy crapware).

In fairness, I do not believe PDFCreator intends on planting OpenCandy into your machine. Detail probing of the installation process seems to indicate that some programming error is responsible for the left over of "OpenCandy's recommendation engine p101, version 2.0.0.156" (OCSetupHlp.dll) in the temporary directory. The presence of this file can cause your AV to report the presence of OpenCandy threat during routine scanning.

PDFCreator installation script also generates a copy of the set up log in "c:\Program Files\PDFCreator\SetupLog.txt". There also seems to be a programming error that left the temporary copy (original copy) of this file of the format "Setup Log yyyy-mm-dd #xxx.txt" in your temporary directory.

When one initiates the set up program, it creates two temporary directories of the format is-XXXXX.tmp. One is to hold the actual installation program PDFCreator-2_1_0-Setup.tmp and the other is to hold various files that it needs during the installation program. You can find the list in the Set up log. One of them is the "OpenCandy recommendation engine p101" OCSetupHlp.dll version 2.0.0.156.

At the early stage of installation process, this DLL is not used, see comment below, and if you hate OpenCandy, delete it now and in fact that is what AVG did when it picks up the presence of OpenCandy and that you instruct it to remove the threat.

After you have selected the options to install, the program will run smoothly to completion. In my execution (not installing "PDF Architect") I never allow the last dialog box to launch PDFCreator.

Investigation using ProcMon on the interaction of the PDFCreator setup program with OpenCandy records the following observations:
  1. Towards the end of the installation phrase, the installation script launches RunDll32.exe to invoke OCSetupHlp.dll with the entry point using exported function 16 and the optional parameter seems to indicate an intention to perform IPC with the parent process. The purpose of this is still a mystery.
  2. The installation script's clean up process then deletes the files such as InstallCheck.exe, etc in the temporary directory
  3. It fails to delete OCSetupHlp.dll because RunDll32.exe is still running using it. The installation program attempts to delete this file 31 times before giving up.
  4. Once all the files are 'deleted', including the failed one, it tries to delete the directory but fails.
  5. At the end it simply ignores those failures and completes the installation.
The presence of the installation program trying numerous attempt to delete OpenCandy crapware only to be faulted by their programming error and the lack of sign of it trying to plant this engine elsewhere suggest to me that PDFCreator does not have any intention of using OpenCandy in the execution of the program.

You cannot delete OCSetupHlp.dll at the completion of the installation program until you have terminated the RunDll32.exe process holding this DLL. The best way to find the process holding onto this DLL is to run ProcExp and then search for the OCSetupHlp.dll. Alternately, log off and log back on and you can delete this file. It is highly recommended that you delete OCSetupHlp.dll to avoid your AV finding it in routine scanning.

Once RunDll32.exe is terminated you can delete OCSetupHlp.dll and to satisfy your concern, run your AV scanner over your system or use something like MalwareBytes.

Thursday, January 8, 2015

A solution to my problem of unduly long time to connect to the WiFi network when waking Windows up from sleep

I have encountered a problem that has also been reported by many Netizens that they have experienced an annoyingly (some called it obscenely) long time to connect to their WiFi network when their Windows is woken from sleep. My laptop is running Windows 7 with all drivers up to date.

In my case, all WiFi connections are flagged 'Automatically Connect' and that the WiFi adapter did not have the "Allow the computer to turn off to save power" in the power management section selected.

When I wake my laptop up from sleep, the machine responses very swiftly and my desktop is restored. However, it frequently fails to automatically connected to the strongest signal WiFi nor initiates any attempt to connect; I have to manually press the connect button.

I have tested my machine with two distinctively different Wireless networks - different modems/routers and networking technologies and I have observed the same problem. Hence it is clearly the problem is in my laptop.

Prior to last month, my laptop's WiFi adapter connects to the network the moment I sign in after waking my machine up (< 10 seconds). Then suddenly the about mentioned problem occurs.

After some soul searching and searching the Internet, I have managed to rid this problem restoring it to its former glory. I am not suggestion nor recommending my way of solving my problem as a solution to deal with all long connection problems but you many review the materials to see if it can apply to your situation. It does not involve some drastic proposal found on the Net. IPv6 has nothing to do with this sluggish behaviour.

So what is the possible cause then? After some soul searching of what I did to my machine, I vaguely remember one evening I was investigating the Virtual WiFi Router that turns your laptop's WiFi Adapter into a wireless access point and that to understand the underlying mechanism, I was using the command line technique. In that experiment, I vaguely remember that I did not complete the whole process as I do not have a real need of it and that I might even have gotten the command sequence out of whack.

That experiment caused the "Microsoft Virtual WiFi Miniport Adapter" to appear in my Device Manager, albeit with a yellow triangle with an exclamation mark in it.

This gives me a clue that it might (just a might) be the cause of my problem - I therefore may have to disable or remove the miniport. So after some research, I have found the following instructions to disable the "Microsoft Virtual WiFi Miniport Adapter" and here are the steps (must be executed in a command prompt with Administrative rights):

1) To stop the hosted network
netsh wlan stop hostednetwork

2) To disable the WiFi Virtual Adapter
netsh wlan set hostednetwork mode=disallow

I throw in a Windows restart just for the safe measure. After that the long process connecting to the WiFi network is gone and the machine is restored to its former behaviour on waking from sleep; no longer do I need to manually click on a Wireless network to connect to it.

You can find more information on the netsh command to deal with the wireless hosted network on the Microsoft's site here.

Once I have executed the above mentioned commands, the "Microsoft Virtual WiFi miniport adapter" disappears from the Device Manager.

If you have used or experimenting with the Microsoft's virtual wifi hotspot (or router), a good sign is the presence of this adapter in the Device Manager, give this a try and see if it helps.


Blog Archive