At Least They Got The “Dong” Part Right

I’ve owned my Raspberry Pi for some time now, and struggled to find any useful application for it. Recently, however, I did come across a project worth investing time and money into (more on that another time), but this meant ordering some components from various Chinese suppliers.

One of those products was a USB wifi dongle.

A parcel arrived yesterday, but it didn’t contain a USB wifi dongle. Instead it contained this:

WifiDong

So, it’s going to be fun getting this to work with the Raspberry Pi.

EFTPOS Rounding: My 2 Cents

A few days before New Year’s Eve I made my weekly trip to the local chemist – Pharmacy Select – to pick up what I needed. These are the same products I buy every week, and have done so for the last 4 years or so.

As is the norm at most retail outlets these days, cashiers will announce the total rounded to the nearest 5 cents. In this case, as it is every week, the tally came to $23.03. She asked for $23.05, which is fair enough. Everything was going smoothly at this stage, but it wasn’t until after I had touched my credit card against the reader that I noticed she had processed the electronic transaction for $23.05. This was not computer error, as the EFTPOS terminal was separate to the computer-based till and sale amounts were entered manually.

At this point you’re probably saying “so what?”.

1 and 2 cent coins were withdrawn from circulation in 1992. This necessitated some changes to the way cash-based transactions were processed. It was generally accepted that where an amount payable was not equal to .00 or .x5 cents, the 1 & 2 and 3 & 4 cent remainders would be rounded downwards and upwards respectively. This policy is in effect across all retailers still, although some automatically round upwards or downwards regardless.

8 years after the withdrawal of these coins, the ACCC released a statement reminding retailers of their obligations. In part, it reads:

“However the Guideline clearly stated that where a consumer elected to pay by way of cheque, credit card or EFTPOS it was unnecessary for businesses to round the total value of the transaction.”

It goes on to suggest that retailers who round up electronic transactions may be in breach of the now-superseded Trade Practices Act.

Now that the backstory is out of the way, let’s get back to the chemist.

After I’d realised my card had been processed for $23.05, I queried the staff member as to why this had occurred. This led to her looking at me like I was some kind of idiot, with an expression suggesting “because you round up, duh!”. It was pointed out to her that it’s not necessary to round up electronic transactions, which resulted in the response “Well, that’s the way it is, sorry”.

No. That isn’t the way it is.

As I said, I’d been visiting this pharmacy for 4 years, almost every week. Having never paid cash there, it was quite easy to log on to my internet banking service and filter the purchases made at their store. Roughly 80% of the transactions had been incorrectly rounded up. A couple had even been rounded down. All-in-all, I was down about $3. Which really doesn’t bother me that much, but when you consider this is probably happening to hundreds of other customers each week, it would add up to a tidy profit for the pharmacy.
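As an added illustration (not part of the original post), here is a small Python audit of the kind of statement check described above. It applies the rounding rule from the post (1 and 2 cents down, 3 and 4 up, no rounding for card/EFTPOS) to constructed sample transactions; the line format is my own assumption.

```python
from dataclasses import dataclass
from decimal import Decimal

def round_cash_cents(cents: int) -> int:
    """Round a cash amount in cents to the nearest 5 cents (1,2 down; 3,4 up)."""
    remainder = cents % 5
    return cents - remainder if remainder < 3 else cents + (5 - remainder)

def expected_charge_cents(cents: int, tender: str) -> int:
    """Card/EFTPOS should be charged the exact total; only cash is rounded."""
    return round_cash_cents(cents) if tender == "cash" else cents

def to_cents(amount: str) -> int:
    """Convert a dollar string such as '23.03' to integer cents without float error."""
    return int(Decimal(amount) * 100)

@dataclass
class Discrepancy:
    date: str
    tender: str
    till_cents: int
    charged_cents: int
    diff_cents: int  # positive means the customer paid more than they should have

def audit(lines):
    """Check constructed statement lines 'date,tender,till_total,charged'
    and return every transaction that was not charged the expected amount."""
    found = []
    for line in lines:
        date, tender, till, charged = line.strip().split(",")
        till_c, charged_c = to_cents(till), to_cents(charged)
        diff = charged_c - expected_charge_cents(till_c, tender)
        if diff != 0:
            found.append(Discrepancy(date, tender, till_c, charged_c, diff))
    return found

def net_overcharge_cents(discrepancies) -> int:
    """Total amount the customer is out of pocket across all discrepancies."""
    return sum(d.diff_cents for d in discrepancies)

# Constructed sample statement: a weekly $23.03 shop paid different ways.
SAMPLE = [
    "2013-12-28,card,23.03,23.05",  # rounded up on card: 2c overcharge
    "2013-12-21,card,23.03,23.05",  # rounded up on card again
    "2013-12-14,card,23.03,23.03",  # charged correctly
    "2013-12-07,card,23.03,23.00",  # rounded down: 3c in the customer's favour
    "2013-11-30,cash,23.03,23.05",  # cash: 3c remainder rounds up, so this is fine
    "2013-11-23,cash,23.01,23.00",  # cash: 1c remainder rounds down, also fine
]
```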

Now, I’m sure it isn’t an intentional practice on their part. If anything it probably comes down to ignorance and a lack of training. But that isn’t an excuse. A polite – yet firm – letter to the pharmacy manager detailed my concerns, for both the ongoing practice and the attitude of the staff member concerned. Although it took them 3 weeks to respond, I did check my post office box to find this:

[image: the pharmacy’s written reply]

While I applaud the pharmacy for doing the right thing here (and thank them for the voucher, a nice gesture), it does make me wonder just how widespread this practice is. I do shoulder some of the blame here, as I probably should have paid more attention to the EFTPOS terminal. But, as far as I see it, ultimately the responsibility lies with the retailer to do the right thing. My advice? Keep an eye on the terminal and make sure your card is being processed correctly.

That’s just my two cents on the matter.

Parents: Take Some Damn Responsibility For Your Brats

Several days ago it was announced that Apple had entered into an agreement with the Federal Trade Commission to refund $32.5 million to customers who had been billed for “unauthorised” in-app purchases. I put the word unauthorised in quotes as that aspect is open to loose interpretation.

Apple to refund $32.5m to parents whose kids made in-app purchases

Apple will refund customers at least $32.5m (£19.9m) after a settlement with the US Federal Trade Commission (FTC).

The refund agreement settles long-standing complaints over in-app purchases made by children without their parents’ consent.

Apple will also be required to change its billing procedures to make sure customers have given consent before they are charged for in-app purchases.

When I first read this story, I was surprised that Apple had rolled over so easily. My conclusion was that, as far as Apple were concerned, $32.5m was nothing, and it was just easier to take this path than drag it through the courts.

What really bothers me here, and focusing on the main issue, is the complete lack of parental responsibility shown.

Before I come to that, a quick explanation if you’re not really up to speed: parents own an iDevice of some type, which has their iTunes account linked. These parents have then handed the device to their (usually) young children, who have gone on to install a game. These games are usually free to download and install, but allow “in-app purchases”, usually to unlock extra features or to enhance game play in some way.

What a lot of parents have failed to realise is that these games allow in-app purchases, and it’s quite easy for children to unknowingly incur large bills if left unchecked. In some cases parents’ credit cards have been billed $100s or $1000s for these purchases.

So, that explained, I re-iterate: where is the parental responsibility?

For a number of years Apple has included the option in iOS to restrict purchases. This can be done several ways: either requiring a password for purchases, or just for in-app purchases. It can be taken to the next level by removing access to the iTunes or App Store altogether. Many of the articles I’ve read about this situation all say the same thing: parents willingly gave children access to the ability to install and/or make these in-app purchases. And it’s all the fault of Apple for being sneaky and devious.

Apps that allow in-app purchases have this stated quite clearly in App Store listings:

[images: App Store listings showing the “In-App Purchases” notice]

So again, where is the parental responsibility? Ultimately, Apple have no obligation here: a purchase was requested, the correct password was supplied and the purchase was billed accordingly. I see no basis for argument here. This is why I laugh at the statement in the article: “Apple will also be required to change its billing procedures to make sure customers have given consent before they are charged for in-app purchases.” Haven’t they done that by providing the account password?

What’s more worrying is that the FTC and everyone else involved in the matter are pointing fingers wrongly, and showing a complete lack of understanding of how the system operates. This even extends to Australia, where the ACCC have spoken of taking legal action against Apple for the same matter.

It all comes down to one thing: parents, take some damn responsibility for your brats, and don’t blame others for your own stupidity. Unfortunately Apple agreeing to this refund sends the wrong message: remain ignorant, don’t take the correct steps to prevent this happening again, and bleat when your credit card is charged for ridiculous amounts of money.

For great justice, here’s an article from Lifehacker covering how to lock down the device.

The Public Transport Victoria “Hack”

Several days ago Fairfax published an article about Joshua Rogers – a 16-year-old self-described “white hat hacker” – and his alleged discovery of a security flaw on the Public Transport Victoria servers:

Schoolboy hacks Public Transport Victoria website

Personal information about public transport users in Victoria has been exposed to potential identity theft because government authority Public Transport Victoria failed to secure its website.

The security flaw in the PTV website was discovered by schoolboy Joshua Rogers, 16, who used a simple hacking technique to unearth a database containing the personal records of customers of the former Metlink online store.

If you ignore the misleading headline and ill-informed comments from those not familiar with aspects of IT security matters, there are two camps: those who think Rogers did the wrong thing, and those who believe that the PTV are completely at fault. After a few days of thought I’m sitting somewhere in the middle.

The original Fairfax article doesn’t go into a lot of detail on the matter. It does describe that a database was accessed, along with the type of information that was contained within. What it doesn’t do is discuss how that database was accessed or the nature of the security flaw (I have a few ideas myself, but I won’t go into them). The article doesn’t give a great amount of technical detail, and no disrespect to Adam Carey, but he’s a transport reporter, not an IT reporter.

A later article published on TechGeek says that Rogers stumbled across a potential vulnerability, and tested the waters to see what he could uncover. It turns out he got lucky.

Before they go pointing fingers at teenagers, PTV should be having questions asked of them. Why was a database with personal information of over 600,000 customers so easily accessible? If this particular flaw was easy enough for a teenager to uncover, what other weaknesses exist on their servers? Let’s keep in mind that Myki has now been absorbed into PTV, and there’s no doubt a hell of a lot more than 600,000 Myki users out there. I do know that Myki contracted a number of off-shore programmers to code parts of their website, most of which had no prior experience working on large scale projects.

Personally, I don’t think Rogers set out to act nefariously. He just had the know-how to interpret the error message thrown at him and ran with that. However, depending on how this pans out, that may be his downfall. But would PTV respond to an email that said “Hey guys, I think you have a problem…”? Probably not, and if they did, it wouldn’t be in a timely manner. What’s the other option here? Say nothing and leave a door open for someone else to exploit?

That said, good intentions or not, Rogers probably took it too far, which is why it’s become such a shitstorm. Regardless of that, as the authority responsible for holding and ultimately protecting personal data, I put more weight on the shoulders of PTV than anyone else, and referring the matter to police straight out says to me that they’re more worried about damage control and deflecting blame than actually employing proper security measures.

The final word goes to Phil Kernick, a security consultant quoted by Fairfax:

“[Rogers] wasn’t authorised by Public Transport Victoria to do this testing, but he didn’t make the data of all of the users of PTV available, they did,” Mr Kernick said.

“Everyone is being attacked all the time, so if your website is not going to survive this level of attack you’re going to get owned.”

iOS App Review: Lapse The World

One of the benefits of no work over the Christmas period means more time to actually sit down and write some words on the Internet. As it’s been a long time since I’ve done an app review I figured now is a good a time as any. So, let’s take a look at Lapse The World.

Category: Photo & Video
Price: Free, with in-app purchase
Free/Trial version available: No
Size: 30.8 MB
Developer: JS Apps
Other platforms: None
Devices: iPhone, iPad and iPod Touch
Compatibility: Requires iOS 7.0 or higher

iTunes Store Link

Tested using an iPhone 5 32 GB running iOS 7.0.4 on the Telstra network.

The app

Lapse The World is a time lapse creation app. It records video in real time and converts it into a time lapse sequence, which can then be saved or shared.

What’s good

This app does what it says: it creates time lapse videos, and it does it well. The interface is simple and elegant, is easy enough to use and isn’t complex to navigate. It’s simply a matter of selecting a time lapse speed, recording a video and saving it to the internal gallery.

What’s not

It’s made clear in the App Store that this app has an in-app purchase option called “Unlock all features”, priced at $2.99. This is fair enough as developers have a right to earn money from their work. What’s not made clear is that the app is basically useless unless you pay $2.99. Time lapse videos are essentially jailed inside the app unless the feature is unlocked, meaning they cannot be saved to the camera roll or shared with others.

Final comments

What starts as a great idea is ruined by the developer crippling the app beyond usability unless you pay. It is up to the developer as to the price they charge and how it is collected, but in this case it’s not made clear that the app is next to useless otherwise, effectively making this app ransomware.

While the “unlock all features” option is featured prominently in the app, the limitations are not really apparent until one attempts to share or export a video. The iTunes description doesn’t really mention this, instead making it sound like the app will perform out of the box. I can’t help but feel that it does seem to be questionable behaviour on the part of the developer.

My rating: 1 hidden surveillance camera (out of 5)
Average user rating: 0 (as of date of this post)
