A Samsung Galaxy 8, Phantom Notifications, and @Tmobile’s Dreadful Support

This is a blog of two topics. The first, a brief technical explanation of a problem with my Samsung phone after an upgrade to Android 8.0 (Oreo) pushed by T-Mobile, the subsequent debugging, and hopefully help for anyone else experiencing the issue. The second, my horrible experience with T-Mobile Twitter-based tech support.


On April 2, T-Mobile pushed an over-the-air update for my Samsung Galaxy 8 (G8) phone. In addition to a routine Android security patch level update, it also upgraded the phone to Android version 8, code-named Oreo. Shortly after the update, I started getting what I called ‘phantom notifications’, between one and six of them every hour or less. These were audible notifications that didn’t correspond with any discernible event on the phone, sometimes in quick succession. Over the course of a week, there were a few times where an icon would appear in the notification bar for a split second, making me think it was related to a specific event, but I couldn’t figure out what. I engaged with T-Mobile on Twitter, and they offered some ideas. Here is everything I did to debug and figure this out, based on their questions and my own ideas.

  • T-Mobile: SMS App Clear Data/Cache (I suspected it may be related to SMS)
  • Me: Full power cycle
  • Me: Changed default notification to determine if the phantoms are using system notification preferences (they are)
  • T-Mobile: Verify Notification Reminder functionality = OFF
  • T-Mobile: Verify no wireless/bluetooth/NFC turned on during phantoms
  • T-Mobile: Clear cache partition on phone via Debug menu
  • Verified software versions for all functionality (‘About Device’)
  • T-Mobile: Verify all apps are updated via play store
  • T-Mobile: Verify no apps from unknown sources
  • T-Mobile: Enable Developer options (did not change anything)
  • T-Mobile: Device Maintenance showed no app crashes, no hint of a problem
  • T-Mobile / Me: Phantom notifications do NOT vibrate, while SMS is configured to (so not SMS)
  • T-Mobile: No SD card in phone
  • T-Mobile: Uninstall Samsung Health (they suspected that app was causing this; it isn’t on the phone)
  • T-Mobile: Backup SMS and clear all of the messages
  • Me: DND mode suppresses the phantom notifications (observation)
  • T-Mobile: Confirm I did not download ANY new apps on Sunday (day before update), Monday (day of update), or Tue – Thur (after update)
  • T-Mobile: Confirm the last time my phone worked w/o phantom notifications was Sunday and Monday before the patch (and every day prior since buying the phone)
  • Me: Twice out of hundreds of times, I have seen a ‘health monitor’ type icon appear in notifications for a split second when it happens
  • Me: One by one, disable app notifications and wait for a phantom. Process of elimination = found the offending app = PROBLEM SOLVED

Naturally, it was the last app on the list I had notifications enabled for. “Weather & Clock Widget for Android” by Devexpert.NET, which worked fine on Android 7.x, started causing these phantom notifications on Android 8.0. Uninstalling and re-installing did not fix it. The only reason I had allowed notifications from this app is that it would put the current temperature in the notification bar at all times. Blocking notifications for this app removed that temperature display, but it also stopped the phantom notifications. No factory reset needed.


Part 2: My dreadful experience with @Tmobile tech support via Twitter DM.

First, this isn’t the first time I have Tweeted and had them reach out via DM, offering support. I don’t recall having a good experience with them before, and this time certainly takes the cake on a poor experience. I am writing this up as a warning to others who might go this route, and as feedback to T-Mobile so they better understand what it is like on the customer side, and offer some tips for improving.

Perhaps the biggest problem with T-Mobile Twitter support is that their system for interacting with customers appears to be designed to resolve issues very quickly. I can’t speak to their workload, average customer engagement time, etc. But for a case like mine? I went through 22 different people over the course of seven days. On April 8, nine different people cycled through to ‘help’ me. On April 7, while working with Reggie (who happened to be the only one out of 21 that I felt was truly helpful), he said he needed to step away (AFK) for a 15-minute break, implying that someone else would take over. By that point, I knew I had already gone through seven others, so I told him I would happily wait until he returned. This high turnover rate on support staff worked against the process entirely for my case. Each time, the new person had to try to read the thread and figure out what was going on, and it seemed they rarely even skimmed it. When the new person offered me a summary of my problem, it was typically wrong or left out important bits. T-Mobile needs to better identify problems that can’t be solved in ten minutes, and keep one or a few people on the case for consistency. When a customer repeatedly asks for a specific support person to re-engage, listen to them. Here is the list of people I dealt with:

  • Apr 3 – Joel Bannister
  • Apr 3 – Harley Sumida
  • Apr 3 – Ruben Hernandez
  • Apr 3 – Dee Medina
  • Apr 3 – Zach Ricketts
  • Apr 3 – Kimmi Smith
  • Apr 3 – Victor Loya
  • Apr 7 – Reggie Reese
  • Apr 7 – Harley Sumida
  • Apr 8 – Lauren Chan
  • Apr 8 – Pete Harman
  • Apr 8 – Marva Biggar
  • Apr 8 – Sora Yi
  • Apr 8 – Marva Biggar
  • Apr 8 – Kate Tomallo
  • Apr 8 – Lauren Chan
  • Apr 8 – Meghan Parks
  • Apr 8 – Eddie Gough
  • Apr 8 – Scott Degelman
  • Apr 8 – Ray Butler
  • Apr 9 – Dee Medina
  • Apr 9 – Mike Perez
  • Apr 9 – Alex Kimbrell
  • Apr 9 – Zach Ricketts
  • Apr 10 – PoxMaphixat [1]
  • Apr 10 – Kyle Saragosa
  • Apr 10 – Scott Degelman

[1] This was the only person that didn’t appear in Twitter DMs with a real name shown by Twitter:


The next big problem I faced is that T-Mobile’s documentation for their support staff is out of date. It’s as if they had never debugged an issue on a Galaxy 8, despite having sold it for half a year. During the ordeal of figuring out my problem, support failed several times because of this:

  • Apr 3 – Document for changing SMS message sounds is outdated, not correct for G8 (you apparently can’t on this model)
  • Apr 3 – T-Mobile said to set up a notification log for debugging purposes, yet G8 removed that functionality (ridiculous)
  • Apr 7 – The location of the ‘build number’ to enter developer mode is different on the G8 than previous models
  • Apr 7 – They asked me to go to the ‘Security’ screen in options, yet on the G8 that is ‘Lock Screen and Security’
  • Apr 7 – T-Mobile diagnostic data said ‘apps from unknown sources’ was enabled, my screen said it was disabled
  • Apr 8 – They asked me to check the ‘Samsung Health’ app (there is none, apparently part of the ‘Activity Zone’ app, but that function is disabled)
  • Apr 9 – T-Mobile kept telling me a factory reset is the way to fix this, despite it not necessarily working
  • Apr 10 – T-Mobile told me a factory reset is the way to go AFTER I solved the problem (WTF?!)

Having to correct the T-Mobile support staff this many times, and to figure out for them how to find what they were looking for, shows an obvious gap in their support ability. As someone who has written my fair share of technical documentation, I cannot stress how important this is.

As mentioned above, when a new support person steps in, they have to skim the thread to catch up. One person told me that they take extensive notes to alleviate that problem, but after most of the new people offering me a summary got major parts wrong, I don’t think that is the case. Even if they do take notes, I think they are not consolidated, not done in a way for easy transition of the case, and generally convoluted. This causes the support staff to repeat the same things, ask the same questions, and waste customer time.

Next, T-Mobile needs to make sure their employees understand policy. Compare:

  • Apr 3 (Vinny) – “Thanks a bunch for remaining engaged with us at T-Force today, my name is Vinny and I’ll be taking over from here, as Krystn, as she had to step away.”
  • Apr 3 (Joel) – “Thank you so much for reaching out to T-Force! My name is Joel and I will be your #MagentaExpert!”
  • Apr 3 (Ruben) – “I hope you are having an amazing day. My name is Ruben and I will be taking excellent care of you and all of your concerns/questions today.”
  • Apr 3 (Zach) – “Thanks for sticking with us here. My name is Zach, and I’ll be taking over from here.”
  • Apr 7 (Reggie) – “I do want to introduce myself, my name is Reggie and I will be your #MagentaExpert today.”
  • Apr 8 (Meghan) – “My teammate had to step out for a quick meeting but my name is Meghan and I’ll be taking over to provide you with excellent service!”
  • Apr 8 (Eddie) – “Fun fact, Since T-Force is a team and constantly changes to ensure that customers always have support 24/7 we are not supposed to share our name since it already shows on the message.”

After support staff introduced themselves by name six times, Eddie came along and said they aren’t supposed to share their name. He further points out that Twitter shows their name (in the native web interface, not in Tweetdeck BTW), and yet that isn’t the case either as seen by “PoxMaphixat” above.

While some who interact with T-Mobile may say they are really ‘nice’, to me, that isn’t the case. Their overboard attempts to portray a fun and friendly atmosphere are insulting and a waste of time. Throughout the week, I was assured that they were there to help and resolve my issue, while they were not reading the prior messages, not understanding the issue, and bouncing in and out of my ticket to the point that it was difficult keeping up with them. The phrase they loved to overuse, “I will be your #MagentaExpert!”, is a joke. Seven days to figure out my problem, and they never did; I had to. Other phrases they love to say, adding fluff and not actual support, while not reading the thread and repeating the same things over and over:

  • I absolutely want to be able to help you in any way that I can!
  • It’s great seeing you here today. I hope you are having an amazing day.
  • That is an awesome question and definitely not something I am familiar with, but we can definitely work together to look into it!
  • I honestly want the best and fastest resolution for you!
  • Thank you for taking time out of your day on this!
  • Here at T-Force, we value customers time and always want to get them the best resolution possible without wasting their time.
  • We’ve got your back! (T-Mobile needs to remove this from their playbook, it is insulting.)
  • I really appreciate you reaching out and working with T-Force today.

Overall, I need a lot less of this fluffy wording (and there was a lot more of it I didn’t quote), and a lot more actual support. If you have to keep telling me you “have my back” and want to give me the “best resolution possible”, you are convincing me you aren’t good at your job. We expect customer support to do that already.

Apr 3 (Joel) – “If you prefer to not do that, then you always have the option to back up the device and reset the software completely.”
Apr 3 (Zach) – “Can you please tell me if you’ve completed a master reset on the device since the update?”
Apr 3 (me) – “If a ‘master rest’ means a ‘factory reset’, that may be a deal breaker.”
Apr 3 (Zach) – “Typically, if there are any bugs that come across after an update, which this one may just be, a factory reset would be the best possible solution, as inconvenient as it can be to set everything up again.”
Apr 3 (Kimmi) – “In those instances the only fix I’ve been able to locate based on user feedback is a factory reset of the device.”
Apr 3 (Kimmi) – “Unfortunately the only option we have at this time is to complete the reset.”
Apr 3 (Victor) – “The master reset would be a great way to fix the issue in case it’s just some sort of temporary issue. ”
Apr 7 (Reggie) – “By no means do I want to tell you that you absolutely must do this, but in the end I want to respect your time and I feel like at this point the Master reset might fix the issue permanently whereas what we have done has demonstrably had no effect on the issue at hand.”
Apr 7 (me) – “If a factory reset is the answer, then I walk from Tmobile and go on a social media campaign to dissuade people from using Tmobile, because that is just sloppy programming and a complete breakdown of tech / customer support.”
Apr 8 (Marva) – “I know Reggie mentioned a master reset and that seems to be the only thing we haven’t tried up until this point, is that correct?”
Apr 8 (me) – “Safe mode has not been tried, and a reset, the nuclear option, is out of the question.”
Apr 8 (Sora) – “I know that you do not want to do a master reset … I totally follow your logic; I do want to mention that if the software update is giving this error, then a master reset does allow the software to be restored on your phone properly.”
Apr 8 (Marva) – “The next step in troubleshooting is to complete that master reset.”
Apr 8 (Kate) – “The Master Reset sounds nuclear, but truly is the faster and cleanest resolution available.”
Apr 8 (me) – “As I said earlier this week, a factory reset means I will no longer be a T-Mobile customer, and will blog about this entire mess, that T-Mobile sent faulty software and could not debug it, and now is pressuring me to go that route while ignoring my direct questions about Samsung Health buginess, that icon that shows sometimes, and my desire to explore that route. That said, do you still think a factory reset is the right option instead of pursuing valid leads that may fix this without a reset?”
Apr 8 (me) – “From there, process of elimination can tell likely tell us which app is causing them. No safe mode, no factory reset. Please add this to your CS playbook.”
Apr 8 (Eddie) – “With the awesome software that we have nowadays, a master reset is the best option since there’s a high chance the bug will be deleted, and your information will be downloaded onto your phone within less than one hour if it’s backed up”
Apr 8 (me) – “Ugh, STOP. Do not recommend a factory reset to me again. I just gave a viable option to better figure this out that will take a few hours, and you go back to factory reset, after I have REPEATEDLY said that is a nuclear option and I a) will not do it OR b) do it and no longer be a tmobile customer.”
Apr 8 (Eddie) – “I just wanted to assure you that we are going to be here for you until we get a resolution. Never wanted to tell you that you should do a master reset.”
Apr 8 (me) – “I mentioned I found a new solution to this kind of problem, to add to your play book. And you immediately recommend a factory reset despite me REPEATEDLY saying ‘no’. You understand no means no right? I am tired of being told why a master reset is the option, and I am *more* tired of Tmobile reps not reading why it is NOT necessarily the right option, why it is NOT a guarantee it will fix anything.”
Apr 9 (Alex) – “If so, have you installed them and reinstalled them? Those are the first two steps, so let me know how that goes!”
Apr 9 (me) – “Two? There were *19* people on the Tmobile side during the course of this investigation, all of who gave up and told me to factory reset.”
Apr 9 (Alex) – “Now, I know we mentioned a master reset was something we should try.”
Apr 9 (me) – “Pretty much confirmed, “Weather & Clock Widget for Android” by http://Devexpert.NET is the one causing the phantom notifications. Uninstalling and re-installing it to start.”
Apr 9 (me) – “Uninstall & Reinstall did not fix it. So there is some weird issue between the app and the Oreo update. I can get around this by disabling notifications for that app, which only makes it so I don’t get the temperature in my notification bar. With that, I have figured it out after 6 days, and without a factory reset, which half a dozen or more of your agents kept telling me to do, over and over and over…”
Apr 9 (me) – “I also explicitly said last night to STOP telling me to factory reset.”
Apr 9 (me) – “I have asked half a dozen times and every single one of you jerks ignore me. Focus on THAT problem instead of a factory reset.”
Apr 9 (me) – “With that, I have figured it out after 6 days, and without a factory reset, which half a dozen or more of your agents kept telling me to do, over and over and over…”
Apr 9 (me) – “At this point i am 99.99% sure I have this resolved, again, without a factory reset.”
Apr 10 (PoxMaphixat) – “Resetting the device and processing a warranty exchange is our last resort. Which would result in a device that is fully reset as well. This might be the thing we would need to do since we’re not able to resolve this phantom issue.”
Apr 10 (me) – “Not only have i solved the issue, I have said repeatedly NOT to recommend a factory reset to me, and you assholes keep doing it. NO MEANS NO.”
Apr 10 (Kyle) – “We can see that you’ve invested a lot of time with these issues on your phone and wanted to avoid going through the previous steps that’s you’ve already done, which is why we were looking at the master reset as a last resort … So our troubleshooting steps would basically be the master reset as well though I Samsung may have more support on what’s going on with this app.”
Apr 10 (me) – “Seriously? You suggest a master reset AGAIN when I have said over and over NOT to tell me that? I solved the phantom notification issue without a reset,”
Apr 10 (Kyle) – “I would reach out to Samsung as I completely understand your concern regarding the reset and they would be able to support the app even further. Does this make sense, Brian?”
Apr 10 (me) – “You said ‘reset’ again. How can I be any more clear here? Never, EVER, not a single time, EVER tell me to factory reset my device. Don’t even mention the word ‘reset’, let alone ‘master reset’ or ‘factory reset’. I honestly feel like there is a den of rapists and molesters working at Tmobile, who don’t understand what the word ‘NO’ means. Does this make sense, Joel / Harley / Ruben / Dee / Zach / Kimmi / Victor / Lauren / Pete / Marva / Kate / Meghan / Eddie / Scott / Ray / Mike / Alex / Zach / PoxMaphixat / Kyle?”

After this? Scott said ‘reset’ once more shortly after my last message. This is the text-book definition of the worst customer support that can be offered. A customer specifically says, over and over, not to recommend a bad support option (the factory reset). Yet, T-Mobile kept recommending it every single time. It gets to the point where it is a trigger word for me, because it clearly shows the support person didn’t read the prior messages. It means that the support staff didn’t leave a message for the next person not to bring up a factory reset. Worse? I SOLVED the technical issue, without a factory reset, and said as much. T-Mobile’s solution? Keep recommending a factory reset anyway, when it was clearly not needed. This is hands-down the worst customer service you could possibly offer, and completely insensitive to a customer. I don’t really care where the breakdown happened, other than it happened half a dozen times, but when a customer says “do not do $thing“, you should NOT do $thing. No questions, no arguments, no equivocation. Yet T-Mobile ignored that basic point, that basic understanding of the tenets of customer support. 18 separate times, reset was their answer, three times after resolving my issue.

My next advice for T-Mobile is to embrace an old classic of customer service. Over six days, interacting with 21 different support people, after repeated complaints about many of them, no manager stepped in. At least, no one identified themselves as a manager, no one exhibited any signs they were a manager, and absolutely no one made it a point to get me a resolution other than the empty “we’ve got your back” lies. Imagine going into a Taco Bell and talking with 21 employees trying to resolve a problem, that your Mexican Pizza was missing ingredients or not cooked, and that entire time no manager stepping in to ensure you got a properly prepared and cooked food item. To me, the customer, those scenarios are no different.

Finally, the bigger picture. I engaged support for one problem, the phantom notifications, which I eventually resolved myself. During the process, T-Mobile asked me questions that highlighted other problems. Despite figuring out the original, I left the engagement with two additional problems that they did not resolve. First, I asked how to disable ‘Bixby’ completely, and they couldn’t help. Like so many other things, they didn’t understand the software, and/or their documentation wasn’t updated. I had to tell them that disabling it per their instructions required creating a Samsung account. You actually can’t access the real settings of that malware without creating an account. That is atrocious and just bad design. Second, when we went down the road of the occasional phantom notification icon that I saw, it led us to the ‘Samsung Health’ feature within ‘Activity Zone’. On my phone, it says “tap here to get started” and tapping there does nothing. T-Mobile never helped with that, and after I specifically asked them to half a dozen times, they told me to talk to Samsung.

Two more bonus observations that came up during this ordeal. First, the T-Mobile software update downloaded over 4G, not WiFi. It used to prompt you if you wanted to wait for WiFi, and this time it did not. Second, I mentioned that T-Mobile was still sending SMS notifications to me before 9 AM, and one of the support people was gung-ho, saying that was not right and they would take my complaint to the top! Well, good luck there, since the last time I brought that issue up on Twitter it did go to the top, all the way to the office of the executives. Nothing ever came of it and I still get text messages from them before 9 AM. If you are going to grab that flag and head on a crusade on my behalf? Maybe consider better helping fix my original problem first.

So, T-Mobile, I have given you a wide variety of ideas for improving customer support. It is in the context of a support case you can easily reference. These ideas are very much in line with many other support services offered by similar services and companies. It’s time for you to up your game.


It’s 2016, why is rotating a video such a pain?

How many times have you quickly shot a video on your phone and not rotated it for landscape? It happens too often and we see these videos all over social media. I sometimes forget to do it as well, or portrait is more in line with what I am shooting. So, I want to quickly rotate a video 90 degrees sometimes. Should be easy, right?

I’ve asked friends and social media before, but I asked again last night and got a lot of great input. My criteria were very simple, but I did not specify platform; I want to load an MP4 video, rotate it 90 degrees, and save it. I didn’t qualify it, but my expectations are that it would not lose quality, it would keep the original MP4 format, and that the process was “one-click” (or close). While I have plenty of history using Linux, going back to CLI graphics tools to do this is not ideal for me, but I considered those options.

  • @cl suggested Windows Movie Maker – It will rotate trivially, but saves your MP4 as WMV and the quality drops noticeably.
  • @TCMBC suggested mencoder – A command line utility, part of MPlayer. So it is not trivial (download, configure, compile, figure out CLI syntax), but it does rotate. Yet, the quality drops noticeably.
  • @viss suggested ffmpeg – A command line utility and graphics library, not so trivial. It did rotate, but the quality drops noticeably.
  • @viss suggested the ‘Rotate My Video’ web site – It is a bit slow for file upload and conversion, but very easy to use. It played the video correctly in my browser, but when I saved the video the final copy was not rotated.
  • @DeviantOllam suggested (in DM) the Rotate Video FX app for Android – I thought the UX wasn’t intuitive for starters. It did rotate the video for immediate playback, but there was no apparent way to save the new video back to the device. Sharing it brings up the usual Android options, but after uploading the video to Google Drive, it was not rotated.
  • @elkentaro suggested Apple’s QuickTime Player – Even with his reference which is outdated, there is no apparent rotation function. Even the ability to save a file is now ‘Pro’ only.
  • MegaManSec suggested ImageMagick ‘convert’ utility – this didn’t work and gave me a nice reminder of the old ‘terminal flash attacks’ from the early 90s.
  • @DeviantOllam suggested VirtualDub but warned me that some versions handle MP4 and some don’t. Thus, I didn’t try it.
  • @Grifter801 suggested VLC but qualified it “just for viewing”.
  • @mehebner suggested Open Shot Video Player but said it is Linux only, which isn’t convenient.
  • @cl suggested iMovie but it is Mac OS X only, which isn’t convenient.
  • @cl suggested Facebook but he isn’t sure you can save after. I am fairly sure you lose quality though.

The final recommendation, and the one that worked the best for me, is Handbrake, suggested by @bmirvine. The upside is I had it installed (but an old version) and am familiar with it to a degree. The best part about the conversion is that the video does not lose any quality. The downside is that trying to figure out the ‘Extra Option’ argument to rotate is a raging mess, as seen on this thread. I found that using “, --rotate=4” as the extra option worked for version 0.10.5.0 64-bit (latest as of this blog). The only other annoyance is that Windows won’t show a thumbnail of the newly saved video for some reason. [Update: with a newer version of the K-Lite codec pack, the thumbnails render fine.]

There are my quick testing results. I hope it helps. I’d like to give a big round of thanks to all who contributed ideas late night. Reminds me that Twitter has some value and isn’t a cesspool of insipid political tripe. =)

The Problem with Facebook…

Maybe that was a bit of a ‘clickbait’ title, since the list of problems with Facebook is epic, tragic, and depressing. So let’s go with, “tonight’s example of an ongoing problem with Facebook”.

One of my biggest gripes about the social media platform is that after all this time, they still do not give us a simple way to view posts chronologically. At some point in the past, they introduced an option to supposedly do that, but it was done via a URL argument and not a user-friendly GUI widget. I’ve used that option to view Facebook to this day, and it is still horrible. Why? Because just as you think you have finally found the holy grail of simplicity, it is still weighted… just less so. Meaning you are more annoyed when some crappy post pops up four times that day.

OK, so they want weighting and control to deliver the posts your friends make, as they see fit. That means you never see some posts you absolutely want to see, while seeing other posts multiple times a day. Their algorithm has nothing to do with standard weighting, and everything to do with their weird formula that no one can seem to figure out. OK, fine…

Facebook has also been on a tear about ‘honesty’ in the form of user profiles. The last few years have seen nothing but drama and turmoil as Facebook tries to enforce their ‘real name’ policy. A policy that the Chief Product Officer at Facebook apologized for, that ensnared a former employee or seven, that unfairly targets the LGBT community, and that has caused enough headache to warrant a Wikipedia entry. Oh, and of course, one that the “noble and charitable” Mark Zuckerberg defends. So… integrity and honesty and clarity are important, right?

That sets up the easiest of questions. Why is Facebook targeting their user base, who they profit off regardless of whether a real name is attached? Sure, they may make a few more pennies on the dollar if a real name is attached rather than a pseudonym, but it is still profitable. For years, it let them defend their absurdly high user count on top of the obvious ploys of ignoring idle accounts and such. Now, jump to tonight, which set up a perfect example of where Facebook shows they don’t care. A rather simple example, but one that should be trivial for them to programmatically notice and warn against, in a variety of ways. If a single user is posting something that may be fraudulent, contradictory, or a basic scam (e.g. how many times have you been tagged in an image for Oakley sunglasses, even in 2016), why isn’t there a warning? Even when the account isn’t compromised, the user isn’t warned. When the same image of knock-off sunglasses is posted to hundreds of ‘friends’ from a compromised account, it comes with no warning, either from the subject matter or from the break from normal behavior (e.g. that user with 87 friends tags one photo with 87 names, when they never tagged more than 2 people in the last 5 years). We’re not talking AlphaGo or Microsoft Tay; we’re talking a couple of decades behind them as far as computer intelligence goes. The fact that one was an amazing success while the other was an amazing failure speaks to my point. They are cutting edge, trying to solve ‘problems’ that are incredibly complicated. Meanwhile, Facebook can’t figure out what boils down to mid-1990s email spam patterns, implementing the most basic of statistical filtering.
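One way to encode the two signals this paragraph describes, a post that breaks a user’s own tagging baseline and the same image surfacing from many accounts at once, as an added example that is not Facebook’s code or the post’s own; the posts, histories, image ids and thresholds below are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Post:
    user: str
    when: datetime
    tagged: int       # number of friends tagged in the post
    image_id: str     # hypothetical content hash of the attached image


def baseline_max_tags(history):
    """Largest number of people a user has ever tagged in one post (0 if no history)."""
    return max((p.tagged for p in history), default=0)


def tag_spike(post, history, min_tags=10, factor=5):
    """Flag a post that tags far more people than the account ever has before.

    The account's own history is the baseline: a jump from 'never more than 2'
    to 87 tags is the break from normal behaviour described in the text.
    An account with no history is treated as having a baseline of 1, so a
    brand-new account that immediately mass-tags is flagged too.
    """
    base = baseline_max_tags(history)
    return post.tagged >= min_tags and post.tagged > factor * max(base, 1)


def repeated_image(posts, window=timedelta(days=1), min_accounts=3):
    """Return image_ids posted by at least `min_accounts` distinct accounts
    within `window` of each other: the same knock-off-sunglasses picture
    appearing from many unrelated accounts, the classic spam-campaign shape."""
    by_image = defaultdict(list)
    for p in posts:
        by_image[p.image_id].append(p)
    flagged = set()
    for image_id, ps in by_image.items():
        ps.sort(key=lambda p: p.when)
        # Sliding window over the time-ordered posts carrying this image.
        for i, first in enumerate(ps):
            accounts = {q.user for q in ps[i:] if q.when - first.when <= window}
            if len(accounts) >= min_accounts:
                flagged.add(image_id)
                break
    return flagged


def review(posts, histories):
    """Run both checks over a batch of posts; return {user: [reasons]}.

    Both the poster and their friends could be warned from this output; the
    check is per-batch, so it costs one pass over the posts plus the histories.
    """
    reasons = defaultdict(list)
    dup = repeated_image(posts)
    for p in posts:
        hist = histories.get(p.user, [])
        if tag_spike(p, hist):
            reasons[p.user].append(
                f"tagged {p.tagged} people, historical max {baseline_max_tags(hist)}")
        if p.image_id in dup:
            reasons[p.user].append(f"image {p.image_id} posted by multiple accounts")
    return dict(reasons)


# --- constructed sample data (not real accounts, posts or image hashes) ---
T0 = datetime(2016, 4, 12, 20, 0)
# Five years of ordinary behaviour: alice never tags more than 2 people per post.
ALICE_HISTORY = [Post("alice", T0 - timedelta(days=30 * k), k % 3, f"holiday-{k}")
                 for k in range(1, 60)]
# dave routinely tags a few people, so a post tagging 4 is normal for him.
DAVE_HISTORY = [Post("dave", T0 - timedelta(days=10 * k), 3, f"bbq-{k}")
                for k in range(1, 10)]
TODAY = [
    Post("alice", T0, 87, "sunglasses-promo"),
    Post("bob", T0 + timedelta(minutes=20), 40, "sunglasses-promo"),
    Post("carol", T0 + timedelta(hours=3), 55, "sunglasses-promo"),
    Post("dave", T0 + timedelta(hours=1), 4, "bbq-today"),
]
HISTORIES = {"alice": ALICE_HISTORY, "dave": DAVE_HISTORY}


def demo():
    """Review the constructed batch: alice, bob and carol are flagged, dave is not."""
    return review(TODAY, HISTORIES)


if __name__ == "__main__":
    for user, why in demo().items():
        print(user, "->", "; ".join(why))
```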

That said, I would love to see Facebook answer how the following two posts, from the same user, within 40 minutes of each other, could be posted without a warning to them AND me. Compare the posts carefully, not that there is much to go on as far as the end user sees. At some level, this is stupidly trivial and any half-assed program should notice. No, it isn’t trivial or worth ignoring that such articles get posted with such discrepancies. That is how we end up with stupid rumors and lies spread around as if they are fact, and fundamentally why our political climate is like it is. When you stop ignoring the details, especially the obvious contradictions, you realize you are buying into a system that doesn’t serve you; rather, one that only exploits you.

[Screenshots of the two posts: sf-box-2, sf-box-1]

The Charity Snail Mail Burden

If you have ever donated to a charity, you likely received something in the mail from them down the road. A thank you note (and request for more money), a new fundraising initiative where they would like you to donate again, or general information (and request for more money). What happens when you donate to a dozen or more charities over the years? The amount of snail mail you get from those charities, and many others you have never donated to, gets out of hand. At the start of 2015, I decided to keep all of the snail mail I received from charities for the entire year. How much would it be? What kind of ‘gifts’ would add up over the year?

Before the fun bits and pictures, a quick background on this. Charities have three primary categories for spending money: administrative (e.g. salaries, office supplies), fundraising, and program expenses (i.e. what their cause is). Charities are rated based on that breakdown, among other things, by the excellent CharityNavigator web site (a 501(c)(3) not-for-profit themselves). As an example, let’s look at the breakdown for Paralyzed Veterans of America, which spends almost two-thirds of the money it brings in trying to raise more money. They only spend 33% of their money on the intended cause: helping paralyzed military veterans. That is an absolutely horrible ratio and not a charity anyone should support. They are essentially in the business of raising money. All of the snail mail you get from charities falls under that ‘fundraising’ category. If a given charity sends what seems to be an obnoxious amount, that is money that could be better spent on program expenses.

[Photos: 20160103_141807, 20160103_141953, 20160103_143928, 20160103_144238]

In one year, I ended up receiving 351 pieces of mail from charities, that weighed 26.6 pounds. It’s hard to say if this is truly a lot, and what led to this. I donated to 32 different charities in 2014, some in a manner that would not have led to any snail mail (e.g. “would you like to donate a dollar to..” during grocery store checkout). A few were local charities that do not maintain mail lists and would not have generated any mail. Other bigger charities though, certainly took the opportunity to solicit me for additional money. And at least one of those charities sold or shared my information with other charities that I never donated to, and in some cases would not. To offer a bit of perspective, the 26.6 pounds of charity mail can be contrasted with the 10.8 pounds of ‘commercial’ snail mail I received.

[Photos: 20160103_202512, 20160103_203008]

Back to charities! Who were the worst offenders? The top six charities by snail mail volume are as follows, with links to pictures of their offering, and what percentage of their money they spend on fundraising:

Charity (pieces of mail received)     Fundraising share
Humane Society (31 pieces)            19.1%
World Wildlife Fund (21 pieces)       18.9%
American Red Cross (21 pieces)         6.0%
USO (16 pieces)                       26.5%
JDRF (13 pieces)                      12.8%
Doctors Without Borders (11 pieces)   10.3%

Note that I have donated to the top five charities on that list, but never donated to Doctors Without Borders. Considering that I received snail mail from around 75 different charities, almost three times as many as I donated to in 2014, that is certainly interesting. Also note that many charities were right on the heels of 11 pieces, but I had to pick an arbitrary amount to highlight above. Charities should note something very important! This level of snail mail is a waste of money, and does not encourage some contributors to keep donating. I understand that direct mail campaigns are a huge source of revenue, but finding a happy medium between the number of requests and the expected income would be appreciated. Someone donating $25 to a charity and receiving 30 pieces of mail is watching $14.70 of that money go to postage alone (for charities that are paying full price, which some do). That money should be spent on program causes, not soliciting for more money that will likely be wasted.

Now the fun bits. Which charities sent me money? Yes… a long-standing gimmick of some charities is to send some level of money, typically under a dollar, and ask that you send them more back. They usually want 25 – 1000% more of course. This gimmick is frowned upon by many people, and for good reason. First, it is just that, a gimmick. Second, for charities that put a nickel, dime, or quarter in the envelope, they are quite literally throwing money away. Many people are tired of receiving the snail mail spam and quickly throw it away, coin or not. Even March of Dimes no longer sends a token dime in the mail. In 2015, Paralyzed Veterans of America sent $0.15 (3 nickels), FINCA sent $0.10 (2 nickels), Unicef sent $0.10 (2 nickels), Sierra Club sent $0.30 (6 nickels), National Law Enforcement Officers Memorial Fund sent $1.50 (6 quarters), Keepers of the Wild sent $0.50 (1 half dollar), Leukemia & Lymphoma Society sent $0.05 (1 nickel), and CARE.org sent $0.05 (1 nickel). All said and done, I cleared $2.75!

[Photo: 20160103_coins]

Next, what is it about mailing address labels and charities? I mean seriously… almost every single one thinks that sending me such labels is a ‘gift’. Do these people not understand that the average adult in 2015 does not send that many written letters? Even people who send in checks to pay bills don’t generate too much snail mail. Yet, the National Wildlife Federation sent me enough address labels to mail a letter a day, every day of the year. Amnesty International sent 96 mailing labels in a single piece of snail mail… and sent three of those mails. USO sent 81 address labels in a single envelope. I didn’t have the patience to try to count them all individually, but I did take the time to count 154 sheets of address labels, weighing 558 grams, or 1.23 pounds.

[Photos: 20160103_labels1, 20160103_labels2]

Membership cards are another popular thing to send, because membership apparently has its privileges? By privileges, I mean it grants you absolutely nothing. Yet dozens of charities want you to carry that card around… and none of them send you a new, bigger wallet. National Wildlife Federation sent me four membership cards in a single year, and Sierra Club sent me six. I have not donated to either.

[Photo: 20160103_membership_cards]

If that isn’t odd enough, the support stickers that are sent out are certainly interesting! In addition to the usual “Don’t give me a speeding ticket” stickers that you receive from supporting law enforcement organizations, I received an NRA 2015 member sticker, despite never donating to the NRA or contacting them. It makes me wonder if that is how the NRA claims such high membership numbers. Is it based on who is on their mail list?

[Photo: 20160103_stickers_blurry_oops]

Moving on to stamps! Yes, postage stamps. A few charities will include a stamp in their offering, with the intent that you use it to mail them more money. While this is a variation of the ‘coin’ gimmick, the real tragedy is that some nonprofits have figured out the USPS offers special rates for charity-related mail, and others have not. The USO understands this, as their Self-addressed Stamped Envelopes (SASE) include five 1-cent stamps on them, while the Humane Society of America sends a SASE with a forever stamp. Regardless, all of the stamps included, on an envelope or not, can be re-purposed since they have not been used to send mail yet! In 2015, I received two Forever stamps, one Postcard stamp, nine 10-cent stamps, one 4-cent stamp, seven 3-cent stamps, three 2-cent stamps, and 85 1-cent stamps. That is $3.39 in stamps! If they came in a sealed roll, I could return them to the post office for cash per old hacker legend. Alas, I can just tape them onto an envelope as needed, and they are still valid stamps.

[Photo: 20160103_stamps]

To wrap this up, what else did I get? Nine calendars and 26 writing pads, apparently for the silly number of letters these charities think I write, that demand thousands of mailing address labels.

[Photos: 20160103_calendars, 20160103_paper_pads]

I also got card sets (again, maybe explains the address label flood?), magnets, random swag, calendars and paperwork, as well as X-mas specific gifts:

[Photos: 20160103_cards, 20160103_magnets, 20160103_paperwork, 20160103_swag, 20160103_xmas]

And finally, two bits of pure amusement. First, ‘Doctors Without Borders’ seems to be fond of sending us Americans world maps. Yes, yes… I know, Americans suck at geography. But sending us world maps that we’re to hang up on our wall, in our first-world decorated establishments where style and the artist’s name matter more than actual living enjoyment? Please. But I get you, send the maps, rub it in that we’re a nation of stupid.

[Photo: 20160103_maps]

Second, all of this snail mail spam… can you opt out of it? Nope. At least, none of it includes any wording or forms or telephone numbers to remove yourself from the snail mail lists. For the charities that call as often as they send snail mail? If you complain enough, and trust me, ‘enough’ is relative… they will eventually opt you out. But then? They send you a not-so-form letter. In the case of March of Dimes, they write:

“… we are writing to you because of your request not to be contacted by telephone… please donate $25 to us”

I donated $5 to them on 2014-06-04, meaning it was a “target of opportunity” donation (e.g. grocery store, or some case where someone asked me to donate). This was not a yearly contribution I make to half a dozen or more charities that I feel are making a difference. In the span of half a year, March of Dimes called me enough that I got fed up with them and specifically asked to be removed from their spam call list. They did as I asked! But then… reverted to snail mail to ask me for more money.

In summary, U.S.-based charities are living in the ’80s. They send pads of paper and mailing address labels, on the heels of you telling them “quit harassing me”. They send stamps and currency in a desperate attempt to guilt you into donations. Some send you as many as 30 pieces of snail mail in a calendar year, on the back of a $50 donation given to a specific sub-group of their organization (e.g. in my case the Prairie Dog Coalition, a part of the Humane Society). If I want to find out if the Prairie Dog Coalition printed a new token adoption certificate, I e-mail the director. And Lindsey responds to me personally every single time. That is what I want to support… both prairie dogs in jeopardy, and the director of a non-profit group who takes the time to respond to my emails, helping me to support their cause in the specific way I want to. This is a model for how charities should work in 2015/2016. Instead, most are still stuck in the early ’80s, sending me dead trees that I don’t need or want.

If the director of a non-profit can’t reply to you, or even sign that Christmas card they sent, while asking for more money? That is bad. They should task their staff to send personal replies and sign such cards. It doesn’t matter what name ends up on it; it matters that someone on the other side appreciates my contribution, and takes the 30 seconds to read and reply to me or scribble their mark. In fact, I think that might be a great criterion for charities I support in 2016. No personal contact? Then maybe the charity is too big and has plenty of money coming in. Maybe they don’t need my donation. Instead, I can give to local charities, which I have started focusing on, where I can see exactly how my money is used, and even stop by and talk to the ‘director’ or staff when I want. I put that term in quotes because it is a misleading title for small local charities, for someone who is often knee-deep in mud or animal poo, doing their best to make the charity work. With that personal connection, especially when I find myself volunteering or visiting, I feel very comfortable telling friends, family, or social media about their cause and encouraging them to donate as well.

What the Harlem Globetrotters Really Teach Kids

A couple weeks ago, friends and I attended a Harlem Globetrotters game. It started out as a joke over football about underdog teams, when my friend Amanda reminded me of the poor Washington Generals. If that name rings a bell but you can’t quite place it, they are the go-to team that plays the Harlem Globetrotters. From their web page: “The Washington Generals are the most well known and recognized opponents of the World Famous Harlem Globetrotters.” The header graphic even shows a chalkboard and their amazing number of losses, with a single win. We figured it would be fun to attend a Globetrotters game and root for the Generals.

This began the descent into the ego and madness that is the Harlem Globetrotters. As a kid, you only remember black basketball players doing tricks, spinning balls, doing fancy dunks, and always winning. Yes, I used “black” as an adjective. Show me a “white” Globetrotter. This exclusion actually carries forward to present day. There are still no white Harlem Globetrotters, despite white people living in Harlem. In 2014, they still proudly boast about their ninth black female Globetrotter taking the court several times throughout the game, turning her into a feature. But no whites. We’ll get back to that in a bit.

The Generals’ web site ‘Player Opportunities’ page has an important reminder, and why we showed up to root for them. “The Generals serve an important role in the Globetrotters tours and realize the final score does not always define winners.” That is awesome, and really sums up what kids sports should be about. While I don’t think every player in a league deserves a trophy, I think that kids should be reminded that effort matters, even if they didn’t win.

But now, we have to back up again. I went to order the tickets for the three of us and noticed something. The Harlem Globetrotters were playing! Err, OK I got that. But who were they playing? It wasn’t listed. I checked the Harlem Globetrotter page hoping their line-up would have it. Nope. I Tweeted to them asking who they were playing, asking that they bring the Generals. To this day, the assholes never answered. That level of disrespect is very telling about the organization. So I did what any logical fan would do, I called the ticket-seller and asked. I spoke with a nice young lady who checked her information and was surprised to find she couldn’t answer my question. She took down my information and said she would get to the bottom of it by calling the Globetrotter organization to find out. Hours later she called back and reported that the Globetrotters would be facing the “World All Stars”. Hrm, never heard of them, so I Googled their name. I don’t see anything on the front page indicating that is a viable option. Tack on the word “basketball” and they only show up as the 5th result, in a loss to the Globetrotters. What kind of shitty game is this where the opponents aren’t even mentioned anywhere? Where I can’t easily find out if they are playing their almost 100-year rival?

The All Stars don’t have a web site. I can’t order a jersey to wear to support them. Other than “lost to the Globetrotters”, they are nothing. What the shit is that?!

So we did what any fan would do. We ordered and wore our Washington Generals clothing to the game, and we made signs to support the All Stars. To be effective, we had to make sure they would see us, so we got court-side seats.

[Photo: 20140330_140659]

Granted, being the cheapskate I am, there was one row of people before us. But at a Globetrotter game, that is actually a layer of protection from being dragged on the court and embarrassed by them. From courtside, we were in a position to support our team.

[Photo: 20140330_141613]

Wow, they didn’t look thrilled to be here. The game started out all about the Globetrotters. They did their warm up, their comedy banter, got introduced one-by-one. When it came time for the All Stars to come in, they barely got their name mentioned. Both teams warmed up to get ready for the game. Just before the game started, Big Easy, with a microphone pinned to his jersey so the entire stadium could hear him, taunted the All Stars. The only taunt I remember was him pointing out that one of the five All Stars on the court was white, mocked him for it, and ended by laughing at him. The other nine players on the court were black. Do I need to remind anyone the definition of racism and that it goes every direction?

The game proceeded, now with ‘fan voted rules’ that were put into effect each quarter. This included a “trick shot challenge” and a “special jersey double point” benefit. So on top of the four point rings (yes, these games have four-point shots), the player wearing the red jersey could do a four-point shot and gain eight points for it. The All Stars tried several times but only made one of them. As best I recall, that was one more than the ‘talented’ Globetrotters. Speaking of, the world famous Globetrotters have a second career as brick layers if it comes down to it. Those dumbasses threw up more bricks and missed more dunks than I have seen in my life. Yes, they missed set-up dunks where the other team wasn’t defending. Absolutely pathetic.

Halftime rolls around and the Globetrotter mascot, Globie, comes out. He did his little dance routine and entertained the crowd.

[Photo: 20140330_143616]

As he left the court, he pointed at Amanda’s and my Generals’ attire and shook his head. For a brief moment I thought he might take a diving leap and try to tackle us. He seemed pretty pissed we were there supporting the opposite team. That said, during the “trick shot challenge” quarter, the coach of the All Stars noticed us and pointed to us twice, smiling. At least someone recognized our efforts and appreciated some support from the crowd.

During the game, we also got to witness a variety of things that ranged from “what…” to “oh jesus avert your eyes”. It started with an All Star going to make a slam dunk, only to find the Globetrotters stripped him of his shorts and jersey in the process, leaving him in his underwear to scream out loud and run in a panicked manner toward the locker room. The Globetrotters followed this up with their “slow-mo replay” gag that not only had them reaching between an All Star’s legs and sexually assaulting him, but doing it repeatedly in slow motion. But that was absolutely nothing compared to the half-time show.

I honestly could not watch a majority of the show because of social “norms”. Seriously. They had four local dance troupes doing their dance routines to music. Each wave was full of underage girls wearing revealing skin-tight outfits, doing sexually suggestive dances. Some of their moves and gestures I have seen in strip clubs. I feared that if I watched them like any other person, someone might think me a sexual deviant in all the wrong ways. That was the most uncomfortable 20 minutes I have suffered in years. Back to basketball…

While the All Stars did their share of missing shots, like the Globetrotters, I started to take notice of the scoreboard more often in hopes they would catch up. That is when I noticed that the rigged game is more rigged than I realized. Sure, we know they are told to lose the game and that is expected. The ego-filled Globetrotters have to win, except that one time where the Generals beat them (and we’d love to know the story behind that!). Yes, the Generals’ sweatshirt I wear proudly displays their motto, “Over 12,000 losses since 1926!” Remember the four-point shots, and the bonus with the red jersey due to the special per-quarter rule announced shortly before? At least one time when the All Stars scored an eight-point shot, they were only credited with four. Because the Globetrotters were throwing up so many bricks, and missing so many set-up dunks, the score-man had to further help throw the game.

What does that leave us with?

[Photo: 20140330_151454]

The Harlem Globetrotters holding the bag. Kids show up and have a fun time. In reality, they leave with a long list of subtle messages driven into their head. That racism is OK because it is humorous. That the underdog can’t win, and that the name-brand will cheat in multiple ways to win. That being a female in this sport is a ‘rare thing’ and makes you a two-minute highlight during the game. That physically and sexually assaulting the opposing team is humor, not a bad thing. Is that really what our kids should be learning growing up? I don’t think so. If anyone else did this on the school playground, they might face being expelled.

That is why I proudly show up and support the opponents. I even retained the services of a local artist to make sure my signs were high-quality, because I care. Washington Generals or All Stars, doesn’t matter. They need our support to help them win their second game in almost one-hundred years. I encourage you to attend your next Globetrotter game, wave signs, and proudly support the other team.

[Photos: IMG_0493, IMG_0494]

An Open Letter to @Twitter

Dear Twitter,

You run one of the largest and most visible social network sites on the Internet, highly visible to millions that don’t even have Internet access due to media saturation and today’s lexicon. And you suck at it. Despite your recent IPO and suggestions that you finally figured out how to make money off this beast you have created, you still don’t seem to understand the first thing about the monster you created. Namely, how your users actually use the service. Your overall user experience (UX) is horrible. In no particular order, a few of the incidents and poor decisions that support my case:

  • The dreaded “Twitter unfollow bug”. This has been plaguing your platform for many years, and you still have yet to solve it. Worse, you default to sending us junk mail asking if we know people, trying to get us to follow more people. These two things are at odds with each other.
  • When you finally made it easy for a user to download an archive of their tweets, you sent a URL that was broken. Only a fraction of your users could see that you were HTML encoding an & sign in one place, and manually fixing it would allow the download. The fact you missed this shows that you essentially have no Quality Assurance (QA) testing in house.
  • Your emails are annoying. I specifically opted not to receive them in the past, only to have you revert my decision, and the subjects are laughable. Not only are they written with no thought to how they appear outside your world, you seemingly can’t figure out the purpose of a profile and make brain-dead assumptions about all users.
    Subject: Do you know cyberwar on Twitter? <– errr…
    Subject: Twitter followers want to purchase from your business! <– hot damn. now I need a business plan…

  • Twitter on a Tab? No thanks. When opting not to receive audible notifications, your software ignored that and kept dinging at me happily. No means no. Again, in your attempt to get more people using your service, you completely forget the basics of the UX and that all software should receive some QA time.
  • One of the most frustrating problems recently is your constantly changing decision on how to handle URLs in direct messages. One day, they aren’t allowed without warning. The next day they work again. Days later, now I can’t send the same URL to the same person because I have “already said that”, even when the accompanying text is different. News flash: some web sites do not have static content on their front page. If you need an example, check out this web page: twitter.com. If you can’t figure out that I am friends with someone via the mutual follow, or the fact we have conversed via DM for months (or years in some cases) and that we may want to send URLs to each other, just get out of this business.
  • Your inability to fight spam on your service has moved beyond a running joke and on to the “sad” category. You still cannot detect profiles that are obviously spam and have every indication of being easily pegged by a half-way intelligent algorithm. At least twice, you have identified Twitpic as a “hostile” service, calling it “malware” once. All the while allowing these spam profiles to send sketchy links.

I fully understand that the size of your network makes some of this challenging. But this is also on you, because you opted not to address these problems years ago when it was more manageable. Instead of fixing these recurring nuisances with a solution that scales, you let them languish until they are beasts that are more difficult to vanquish. The list above is just the ones that come to mind quickly this morning.

In summary, you suck at social media. You don’t care about your users beyond figuring a way to profit directly off of them. In case it has slipped your mind, you need us. We are your business foundation. Figure a way to profit off of us! Just do so while occasionally paying attention to your user base please.

Sincerely,
@attritionorg

Quit volunteering my time.

Every week someone, or several people, think their 140 characters is worth me spending an hour+ writing an article for them. They noticed some plagiarized text or think someone is a fraud, and they turn around and expect me to research and document it. For years now, I get mail to Errata with a single link or a couple lines of commentary, along with the expectation that this is all that is needed. Voila! An article will magically appear. These days, I don’t even get an email, just a Tweet or two.

I’ve said it before, many times. I’ve given an entire presentation on the project twice. I’ve told people in person, in email, and on Twitter. For the last time:

Errata was designed to be a community project. That’s “crowd-sourced” for you new people. A couple people serve as a clearinghouse for well-written, well-documented articles. No names on the articles because if they are properly referenced then attribution is not an issue. Then the clearinghouse stands up to defend the work as needed. Simple concept.

If you are in the security industry and cannot write an Errata article, get the fuck out now. You are simply too stupid and too dangerous to be advising anyone on something so important as security. Sure, the articles take a little time because they have to be solid on making logical points, being organized, and citing public information that justifies any accusations or conclusions. But anyone that does penetration testing or auditing or system maintenance should be familiar with documentation along these lines. They are not difficult to write; they are time consuming.

If it bothers you that someone plagiarized or is selling snake oil, and it should, then take the time to write your own blog. Enough of us have stood up and defended our work. We’ve shown that you can do it, quite safely, if you are responsible in your work. If you still feel it risky, write the article and send it over. Do the leg work, we’ll provide the safety net.

Until you send such articles, don’t volunteer me to write them.

Any wonder why people use images without attribution?

Found the perfect image for my @BSidesDE talk. Noticed in the corner a tiny ‘GettyImages’ watermark, so I went to their site to see how much it would cost to license. Because I happen to know they require a license… which I imagine 99.9% of the modern Internet world does not. The auto-pricing options did not seem to match my intended use, a regional talk to maybe 75 people. I chatted with a rep to ask if there was a better price than $495 quoted by the web site.

Welcome! A representative will be with you shortly. For your security, do not give out your credit card number or other sensitive personal data during a Live Chat session.
You are now chatting with Andy.
Andy: Hello! How can I help you today?
Brian Martin: When selecting the pricing options, the drop down listing possible uses does not include anything close to what I want to use the image for.
Andy: How do you plan to use the image?
Brian Martin: For a regional public conference (free to attend), I am not being compensated for the talk.
Andy: Okay, will it be in a presentation?
Brian Martin: Correct
Andy: Okay, we do have a license for that. What image were you interested in?
Brian Martin: http://www.gettyimages.com/detail/photo/woman-at-computer-control-panel-1960-high-res-stock-photography/10153785#
Brian Martin: That is an IBM 7094 if you would like to update the information =)
Andy: Michelle Williams at Beyonce’s bday party?
Brian Martin: No…
Andy: Okay, I must have pulled up the wrong image
Brian Martin: http://www.gettyimages.com/detail/photo/woman-at-computer-control-panel-1960-high-res-stock-photography/10153785#
Brian Martin: “woman at computer control panel 1960 high res”
Andy: Okay, woman at her computer panel?
Brian Martin: yes
Andy: yes, I see it.
Andy: Okay, so this usage will fall under our External Presentation license
Andy: You can find that under our Marketing Use category
Brian Martin: OK, that was not on the drop down list. How much is it to use the image for such a purpose?
Brian Martin: OK, but this is not marketing at all. Just a talk about the history of software vulnerabilities. I am with a 501c3
Andy: How many people do you think will be at this conference?
Andy: Right, but it’s a public conference right? Not just your company?
Brian Martin: think they are expecting 150 max across two days, maybe 75 max in my presentation
Brian Martin: Correct
Andy: Okay. Even though it isn’t marketing, that is the correct license for this use.
Brian Martin: OK, how much is that?
Andy: Pricing for that license comes out to be $685
Brian Martin: Unbelievable
Andy: Is that anywhere near your budget for this project?
Brian Martin: Since GettyImages hates 501c3 non-profit work for the advocacy of better computer security, I will have to find an alternate image. Thank you for your time.
Andy: No problem. Enjoy the rest of your evening!
Andy: Thank you for chatting today. We value your feedback. Please click the “Close” button at top right to answer a few questions about your experience with us today.
Thank you for chatting with us. Please click the “Close” button on the top right of the chat window to tell us how we did today.

I understand they want to make a profit, but without more granular licensing, do they have any doubt people freely use their images in presentations or web sites, simply cropping out the watermark?

If I had used GettyImages for each image in my presentation, I would be looking at a convenient rate of about $34,250.

Android & Granular Permissions

If you own an Android-based phone, you are no doubt passingly familiar with the permission system that governs applications and what they can do. Every time you install an application, the device will ask you if you accept a list of permissions that it says are required for it to run. If you want the app, you must accept the permissions no matter what they are.

In theory, users can simply decline an app that requires excessive permissions and find an alternative. After all, there are over 1 million apps available right? Many won’t even read the permissions, while others may casually dismiss them because they are clearly stated, and any app in the Google Play store has to be legitimate!

The problem is that even the most simple and legitimate apps may request a variety of permissions that are not needed to make the program run:

[Screenshots: Screenshot_2013-08-22-19-09-55, Screenshot_2013-08-23-19-12-04]

A classic example of an application requesting permissions that aren’t required can be seen in the T-Mobile MyAccount app. The app is designed to give a user information about their T-Mobile cellular account, nothing else. This should take nothing more than permission to send and receive network data from their servers. Instead, the app has traditionally wanted extra permissions that are excessive. Worse, the latest version wants more, including “System tools” that give the app even more control over the phone. As T-Mobile is my provider and I don’t want to call them to find out account information, I have to accept their overly broad permissions. There is no alternative application in this case.

The second example is Avast Mobile Security & Antivirus, which expects the keys to the kingdom. There is a bit of irony that a security app wants enough permissions to completely own your phone, the same threat it claims to protect you from.

The Alternative

The obvious solution to this problem is setting it up so permissions are granular. This would allow a user to deny a specific permission while allowing others. If denying a specific permission causes the application to stop functioning, the user could enable it again if desired.

How hard is it for Google and Android to implement this? Trivial. Phones that have been jailbroken already allow it, which shows how readily it can be done. Android users have requested this feature from Google via Ticket 3778. If you are an Android user and want to see this implemented, load the ticket and ‘star it’ (click the star on the upper left) to indicate you want it. If Google opts not to implement that one, there is a similar feature request (Ticket 6266) that would give a set of optional permissions an app wants, but are not required to function.

Until we get granular permissions, the concept of security in the context of applications will be a lost cause.
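One way to make the "excessive permissions" argument concrete is to audit what a manifest actually asks for against the minimal set the app's stated purpose needs. The script below is an added example and is not code from this post or from any vendor named here: the AndroidManifest.xml, the package name com.example.myaccount and the list of permissions it requests are all constructed for illustration (they are not the real T-Mobile MyAccount or Avast manifests), while the permission strings themselves are real AOSP identifiers and the DANGEROUS set is a hand-picked subset of permissions Android marks with the "dangerous" protection level.

```python
"""Audit the permissions an Android app manifest requests against the
minimal set its stated purpose needs.

Added example, not part of the original post.  The manifest and package
name below are constructed; they do not describe any real vendor's app.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Namespace used for android:* attributes in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hand-picked subset of permissions AOSP marks protectionLevel="dangerous".
DANGEROUS: Set[str] = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.GET_ACCOUNTS",
}

# Constructed manifest for a hypothetical "show me my account" app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.myaccount">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="MyAccount"/>
</manifest>
"""

# What "fetch my account data from the carrier's servers" actually needs.
EXPECTED_FOR_ACCOUNT_APP: Set[str] = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return the android:name of every <uses-permission>, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def audit(manifest_xml: str, expected: Set[str]) -> Dict[str, List[str]]:
    """Compare requested permissions with the expected minimal set.

    'excess' is everything requested beyond the stated purpose (the part a
    granular model would let the user deny one by one), 'excess_dangerous'
    is the subset of that which Android itself classes as dangerous, and
    'missing' is anything the purpose needs that the manifest forgot.
    """
    requested = requested_permissions(manifest_xml)
    excess = [p for p in requested if p not in expected]
    return {
        "requested": requested,
        "excess": excess,
        "excess_dangerous": [p for p in excess if p in DANGEROUS],
        "missing": sorted(expected - set(requested)),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, EXPECTED_FOR_ACCOUNT_APP)
    print("requested: %d permission(s)" % len(report["requested"]))
    for perm in report["excess"]:
        flag = "DANGEROUS" if perm in DANGEROUS else "extra"
        print("  [%s] %s" % (flag, perm))
    if report["missing"]:
        print("missing for stated purpose:", ", ".join(report["missing"]))
```

Pointed at a real manifest (pulled from an APK with a tool such as apktool, or reviewed from source), the "excess" list is exactly the set of permissions a granular model would let the user switch off individually; the "missing" list is a sanity check that the expected set was not drawn too narrowly.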

T-Mobile’s Poor Implementation Works Against Amber Alerts

Just over a month ago, I received a pop-up alert on my Samsung Galaxy 3 (via T-Mobile) with a standard, and persistent, emergency broadcast noise…

Emergency alert
Longmont, CO AMBER Alert: LIC/245FLJ (CO) 2001 Blue Ford F350 Pickup truck
Type: AMBER Alert

The noise stopped briefly, then picked back up again until I tapped “OK”. This is a radical departure from the previous product behavior and service provided. Presumably this came with the latest Android update T-Mobile pushed shortly before (May 13).

No warning about this change, no indication of where the alerts are coming from, no explanation of the criteria for receiving them (Longmont is almost 40 miles north of me, outside a metropolis of ~4.5 million), no indication of how often we receive them, a repeating noise that we have to acknowledge (as opposed to an SMS, which gives a noise/vibration one time only), etc. I’m not opposed to getting such warnings, but I should be able to opt in and control the settings for how they are displayed.

One hour later, I received the same alert. That is intrusive and annoying. When it happened, I thought “if this shit happened at night, it would wake me up and force me to get up to ack the alert and turn off the phone,” and exactly that happened. Early Wednesday morning, at 5:20 AM, I received another. As I thought, it woke me, given the emergency sound and the vibrating on my desk.


Looking at the SMS options that control this is also interesting. I now have to receive “Presidential Alerts” and cannot opt out of them. There are also Imminent Extreme alerts, Imminent Serious alerts, and the Amber alerts that I have received twice now. What are the others, and what differentiates them? When was the last time a Presidential broadcast was sent to everyone’s email address or home phone number? Absurd, you say? Then why is it all of a sudden OK to send them to every subscriber’s cell phone?

What bothers me the most is that the Amber alerts, and presumably the others, do not adhere to the rest of my SMS settings. When I get an SMS, it vibrates once, makes an audible noise of my choice once, and sits idle until I check the phone. Amber alerts come up with a different sound; one that repeats until I acknowledge it.


This is ridiculous. I want to receive them, but on my terms. The current setup, and being woken at five in the morning, forced me to disable the Amber alerts. T-Mobile’s crappy technical implementation has worked contrary to their intentions by annoying customers into disabling them. This works against the entire purpose of having the alerts pushed via cell phones.