Be careful with authorization servers

These days people are accustomed to logging in to various Web sites using third-party authorization services. Do you want to login using your Facebook or Twitter account? In technical terms, this means that you are being offered to delegate the process of authorization to a third-party service offered by Facebook, Twitter or other big guys.

You’re sick and tired of creating and remembering dozens of IDs/passwords for all theses online services. Please, please login me quickly using whatever service you want. Most of such services are implemented with OAuth protocol, which allows to use the user’s account on some other servers to authorize you for accessing someone’s Web site. The good part is that OAuth servers do not reveal your id/password, but perform the authorization returning a special encoded token that will be used as you temporary passcard. The access to your Facebook or Twitter account will be limited.

1

The concept of giving a limited access to a resource is easily explained to rich people, who have these fancy cars with the ignition key that includes a removable small key so you can lock the glove compartment (full of diamonds) while giving a large key to a valet parking attendant. If you’re not that rich yet, take a look at this image:

2

Say you are visiting a Web site xyz.com, with offers you login with one of your social networks’ account. Creators of xyz.com must reveal what exactly they will be able to do with your credentials. It’s great that they won’t be able to login to your Twitter account, but will they be able to tweet on your behalf or start following people? Always read text on such login windows before clicking on that easy-to-login button.

I’ll give you a couple of examples. Here’s how Right Relevance offers you to login to their site:

3

With all my respect to Right Relevance for their good technical content, I wouldn’t want them to post tweets for me. Thanks, but no thanks.

Here’s another one. In April I was speaking on OAuth authorization at a Java conference in Moscow, Russia. In the evening I went to see a show in a popular theatre, which offered a free Wi-Fi hotspot. Nice! When I tried to connect to this spot from my phone I got this message:

4

Thank you, Hot Wi-Fi, but you’re not that hot for letting you tweet for me. Besides, it’s not polite to browse the Internet while watching a play with famous actors.

One more example, and I’ll let you go. This morning I’ve received an email that someone I know sent me a private message via a social network called Zorpia. I don’t know where are these people learning about such services, really. Anyway, you don’t have to be a rocket scientist to guess what Zorpia wants for showing me that private massage:

5

No, for some reason I don’t want you to manage my contacts. I frequently get emails that start like this: “John Smith is updating his contact information at the social network xxx.com and asks you to login and update your cell phone number there”. Needless to say that xxx.com starts with offering me to login with one of the popular OAuth servers, and I’d say “No”.

Don’t blame the OAuth protocol, which has all provisions for restricting the access for these third-party applications. There is a special scope parameter that allows to specify what a third-party app can do on your behalf. For example, here’s the description of the scope parameters for the developers who want to delegate authorization to Google’s OAuth servers.

Here’s my message to you: “Think twice before letting some Web application to delegate the authorization process to someone else.” Read the fine print!

How to move from Yahoo! mail to GMail

First, there was no GMail.  There were Yahoo!, hotmail, aol, and other OK email services.  At work, we were forced to use Microsoft Outlook. I happened to select Yahoo!. It had simple to use interface and it worked. Then Google created an exemplary GMail single-page Web client plus smart spam filtering on the server.

I opened an email account yakovfain@gmail.com. I’m not afraid of spam otherwise I would have written a naive yakovfain at gmail dot com. Yeah, right!  Now I got two email accounts.

Yahoo! looked at GMail, and decided: “Me too”.  But it’s easily said than done. It looks like their engineering team that works on Yahoo! email client had no budget to hire people with the right skills, and over the last several years their Web interface was steadily changing from bad to worst.

If there was a world competition for the Worst Rich Internet Application, Yahoo! mail client would have easily won the gold medal. Everything is inconvenient and non-intuitive there. Scrollbars barely work.  You can’t simply highlight and copy the email of a recipient – need to go through a popup menu that will work every other time. You can’t create a filter to put messages on a particular folder. It simply feels bad.

I did’t want to close my Yahoo! mail account because lots of people have it in their Contacts.  Finally they got me today. After complaining about it to my younger son, he just asked, why won’t you just forward all of Yahoo! emails to your Gmail account?  And why wouldn’t I?

For years my GMail client is pulling all my work emails for our company’s mail server. I could have set Yahoo! the same way.  But I didn’t want my Yahoo account to accumulate any emails sent to me. After quick search I found an easy way to set up the mail forwarding without storing.  This is how I did it:

1. Click on the Gears icon on top right, and select Settings.

2. Select the Viewing Email on the left and then switch from Full Featured (tecommended by them) to Basic (recommended by me).

3. Select Option in the dropdown on the top right.

4. On the left hand side select Pop & Forwarding.

5. Enter your gmail address on the right and Forward only in the dropbox.

yahoo

This way you still can keep your Yahoo! mail account, but all new emails will be forwarded to your gmail account. In the Mail Accounts section you can set your email address in the the Reply To  box, so gradually, your contacts will get used to the fact that you’re using gmail now.

Hope this helps… for most of the messages. But Yahoo! can’t even forward the email properly. Sometimes it can blame your external accounts and even steal messages from it. Oh, this Yahoo!

 

yahoo

 

Java Swing Has to be Deprecated

Every time I start teaching my new Java class I’m looking at the Swing units in the manual asking myself, “Why my students need to know Swing framework?” Well, I need to teach them how to program GUI, event listeners, asynchronous worker threads and event loop that are pretty much the same in every programming language that deals with UI. My students create applets and test them in appletviewer, then they are going through hard times trying to run them in Web browsers… In the end, I tell them that they won’t be going doing Swing programming in the real world projects. I also tell them that if Amazon.com would decide to re-write their UI in Java they’d be out of business in no time.

If not with Swing framework, how should my Java students learn GUI programming? There is another Oracle product called JavaFX. It’s a better looking wrapper for Swing. It still runs on JVM, so Amazon would go out of business as quickly as with Swing, but at least with a better looking UI.

Java developers look down at the HTML/JavaScript crowd. Yes, programming in JavaScript is not as productive as in Java, but HTML5 applications usually look nice. HTML5 developers know that having a Web designer producing professionally looking CSS is a must. Whereas Swing components are ugly by default. They are so last century.

Recently I was attending a presentation on a particular Eclipse plugin that could produce Web reports. The speaker was using Twitter API to demonstrate how easy it was to generate a report finding tweets based on a certain hashtag. Tada….Report is generated, the Web browser opens the report’s URL and pops up the modal dialog asking to enter the search parameter. What an ugly dialog box that was! Eclipse grey style, 90% of its real estate was empty with an input field on top prompting to enter the parameter’s value. No one in the audience (all Java developers) seemed to care. They are all used to ugly GUI in enterprise applications. OK, this product was using RCP UI components, but the Swing ones are definitely not better.

The sooner Swing is deprecated the better. Even if JavaFX has no future in the Web or mobile applications, it has to become a mandatory replacement for Swing. Just because it promotes a better looking UI. Just because it promotes better taste among Java developers, who live in two different realities: the ugly depressive GUI at work and the eye candy world of iOS or Android applications. Let’s make a first step toward merging these worlds by killing Java Swing framework.

Healthcare.gov: Who Crafted the Suit?

I’m sure every person who is involved with development of commercial Web application knows about this huge failure – release of the healthcare.gov. I’ve been following this story too, because it’s about the software development – my bread and butter.

I don’t have experience of building Web applications that have to serve tens of millions of customers. I’m just a co-founder of two IT companies: one created software product that’s by more than 100K insurance agents, and the other one is an IT consultancy that helps customers in creating large online stores. But when it was reported that people can’t even login to the system, it was clear to me that the application would require some serious redesign. It’s not just about applying some patches here and there.

People who developed this site made their mistakes, but let’s not simply badmouth them – based on bits and pieces of information we’re getting, the roots of the problem are in the product owner – the government. The product requirements kept changing as recent as six months ago. Initially, the healthcare.gov was supposed to allow browsing insurance marketplace anonymously. WSJ wrote that the requirement to force people login just to enter the application was given only a month(!) ago, which required a very serious change in the application architecture. Now the IT contractors were tasked to introduce the infrastructure of authentication servers capable of processing millions of people.

The fact that this was a pet project of Barak Obama put tremendous pressure on people who were building this system. All these fanfares about October 1st opening were not credible as many other speeches by the President of the USA. CNN reports that the Web site was crushing during the tests with several hundred users, but the administration decided to go live anyway. WAT? Did they expect a miracle? A couple of years ago a prospective client called us for help stating that they’ve developed an online casino, which was supposed to go live in a month, but worked fine only if… there was a single user.

The statement that “our team is bringing some the best” and the brightest minds to fix the issue is promising, but it’ll take time to not fix, but redesign the system. I’m not the best and brightest mind, but I know how the best and brightest started working on this issue. They need time to learn the current version of the system, which some people say is a half-million lines of code. Three weeks after healthcare.gov went live it’s still not working. If a system can’t be fixed in three weeks, it has very serious design flaws. Sending navy seals won’t help here.

It’s funny to hear from people who were developing different component of the system statements like “We’ve developed only the UI portion of the system. After the user hits the button Apply Now, it’s not our code”. Other people happily report that the data hub is operational.

kostym
Forty years there was a popular Russian-speaking comedian Arkady Raikin. He had a sketch appearing in a very poorly crafted suit. He came to this made-to-measure suit store asking, “Who crafted this suit?” One of the craftsmen shows up asking “Do you have problems with the buttons?” “No, the buttons are sewn really well, but who crafted this suit?”

Computer World magazine wrote an article stating that healthcare.gov “didn’t have a chance in hell“. 94% of projects that cost $10M or more fail(!). The author of this article writes, “The healthcare.gov contractor was initially awarded more than $93 million for the project, but costs have been soaring above that.” OK. Was this a typical situation when the salesman of this IT firm was tasked to win this project at any cost, and later on “our guys would figure out how to deliver”? Or the IT firm signed off on a project scope that was substantially increased later on? This is a super high-visibility project, so there is a hope that we’ll find out who did the initial estimate of the job, and who changed the scope. Interestingly enough, at this point nobody remembers who and when introduced the requirement to force people to create an account first and then browse the insurance marketplace? Was it even in writing? Maybe an email? No? Nada? Nyet?

Recently Barak Obama said that the good part of being a president is that people always return your phone calls. There is another advantage of being president. When your subordinates deliver really bad software, you get to simply say “Nobody’s madder than me about the website not working as well as it should”. What do you thing would happen if I’d deliver to the client a non-working Web application and said, “Nobody’s madder than me?” Who am I. Definitely not the president of the USA. Sometime people don’t return my calls too. Oh well.

Actually it’s not that bad. You need to give credit to the administration that was able to quickly put together a team of people who take people’s insurance applications over the phone, and the wait time is not more than one minute. Another help is on the way too. According to a reputable online publication The Onion, the new and improved Obamacare program released on 35 floppy disks.

Something’s gotta give. But what’s going to happen with this nice looking girl from the Web site? Is she even married?

girl

Update. I was trying to give a benefit of a doubt to the team developed healtcare.gov site, but when a congressman said this morning that he couldn’t enter the date because the Web site was constantly complaining about the wrong date format, it clearly shows me that healthcare.gov was developed by a bunch of rookies that either have no clue (or don’t care) about how to do a basic validation. In this case the Web site should be redesigned from scratch.

Audible.com: a Poor Example of Usability

I’m a subscriber of Audible, an Amazon company, where you pay monthly fee in exchange for a pleasant purchasing experience of audio books. I like listening to the audio books while on the go or lying in bed. My smartphone is always by my side, and Audible created a free application for downloading and listening.

As an extra free bonus, Audible’s subscribers can download morning editions of The Wall Street Journal – listen to the latest news and editorials while commuting to/from work or getting to sleep. Nice! This is how the UI looks on my iPhone.

photo (5)

What would you do if today’s edition of WSJ is not shown in this list? The first reflex should be to refresh the list. Any truck driver from Alabama knows that applications that get content from servers should have this curved arrow to refresh the screen. I thought so too. But the Refresh button was nowhere in the vicinities. After multiple clicks I found the Settings screen, where UI designers have hidden the Refresh button. Why on earth would they do this? There were plenty of real estate on the main view toolbars!

photo (3)

Don’t get me wrong. Audible’s UI designers are not hopeless. They knew that many people would be having troubles finding the Refresh button, so they came up with an unusual solution. They’ve added an explanation of where the Refresh button is in the FAQ section of the app.
Needless to say, that the FAQ itself is hidden under the Settings icon. Well, as Sheryl Crow sang, “No one said it would be easy But no one said it’d be this hard”. But if you’ll find the FAQ, the first item there is “How do I Refresh Library” (ignore the fact that it reads “How to I” – this blog is not about QA). Well, if I get to this screen, the FAQ is sitting right under the “Refresh Library” anyway.

photo (4)

Hopefully, our Alabama truck driver won’t get into an accident while trying to find this well hidden feature. Anyway, as of October of 2013, the iPhone’s version of Audible app leads in my unofficial competition for the worst UI decision.

P.S. See that “Download All” button on the top image? Good luck on canceling dozens of downloads after clicking on it!

What Gas Stations and Yoga Schools Have in Common

In the past two days I attended a party with Gas Station owners, and then a Yoga school. These two events gave me the material for this blog. So what do a gas station and a yoga school have in common? Both types of small businesses use software. What a revelation! To be more specific, in both cases I saw the room for improvements in software.

Actually, I started writing about gas stations eight years ago. Senior (literally) Java developers may remember the times when reading printed glossy magazines on software development was a norm of life. Eight years ago I wrote a series of articles under the category “Yakov’s Gas Station”, which was printed in Java Developers Journal. You can still find them online.

Anyway, during the party conversation my wife mentioned an episode at a gas station that happened a couple of years back. We live in New Jersey, which is one of two privileged states where people are not allowed to fill gas tanks themselves. You pull down to the pump and keep sitting in a car like a tsar. The gas attendent will come over and will do the rest. He started filling my wife’s car at one price, then changed the price (increased) on their large billboard, then came back to the car trying to charge this transaction at a new price. My wife didn’t agree, and after a short and colorful conversation she won (what’s new?).

Our friends (gas stations’ owners) told us that in New Jersey it’s illegal to continue pumping gas if the the gas station owner needs to change the price. The owner should stop operating all pumps, change the price, and then resume work. This is how it should work in theory. But in the real life, you may lose customers if they’d be asked to wait. I was surprised that the gas station owners didn’t see it as a big deal.

I started to tell them that there is a better software solution, which could be implemented allowing continue pumping gas and changing the price without affecting the customers who are in the process of getting filled. Software developers know that I was thinking of implementing proper synchronization locks that would freeze the price that was in effect when the pumping started. Why it was not done? Software architects didn’t care about these small business owners, which would accept that “This is how the system is set up and we’ll use it this way“.

Now the Yoga school. They sell various types of monthly and yearly memberships that would allow attending unlimited classes – as many as you want. The problem is that I don’t need this all-you-can-eat option. Going there twice a week it more than enough for me. Any other options available? Yes, you can purchase 10 sessions at a discount price and attend them on an a la cart basis.

Now we are talking! Can I buy these 10 tickets and share them with my wife? No, the system is not set up this way. Sure, they’ve designed the database linking these tickets to the members’s ID. It’s a wrong software solution again. Why not keep things simple? A ten-session ticket is supported by a single database table with two columns: tktID and RemainingSessionsCounter? The customer comes in, hands the ticket to the girl who scans or enters the ticket number into that computa, and the program decreases the counter. Simple? Yes. Good for the business? Yes. Good for the customers? You bet!

The problem is that software creators have to build their systems based on what the customers needs. Yes, the customer may not know any better, but what about you?

Four years ago I was a part of a small group of people who created a startup for automating small-scale insurance business – the agencies. Back then agents were using a mediocre software that was available. We had almost no knowledge about how the small insurance businesses operate. But we didn’t like what we saw. Insurance agents also didn’t know any better. Today, more than a 100000 agents across the country are using our software called SureLC. They are happy, we are happy.

Steve Job once said, “People don’t know what they want until you show it to them.” So if you are about to automate a business, don’t just have write software implementing existing workflows. Think about the customers, and when your next system will go in production, people will say, “Wow, we didn’t know it was possible!”

PRISM, Government, and Software Developers

In 2013 having a landline phone number is bad. It doesn’t give anything but these annoying calls from telemarketers. The only reason I keep it is that it’s a part of the internet-phone-tv package provided by a phone company for cheap.

During the last week I started getting about 10 marketing calls a day, which I don’t pick, but they interrupt whatever else I do. So I decided to visit the National Don’t Call Registry, register my phone number online, and if after 31 day after registration someone still calls me, I have a right to complain to the government. Cause my government cares about me!

I have even a better idea. Since the government records all the phone numbers and the lengths of calls of businesses, why won’t they simply disconnect the numbers after say a thousand people picked their calls and hung up within 5 seconds? Hey government, get the PRISM program a real assignment!

Actually, I decided to write this blog for a different reason. Every time I run into an idiotic Web design, I want to share this with as many people as possible. Now take a look at this registration form, where I was supposed to enter my phone number.

dontcall

This is one of my favorites. The goverment has enough money for the PRISM program, but not enough for hiring decent Web developers. How should I enter the phone number? You pick:

1-212-333-5555
(212) 333-5555
2123335555
12123335555

In 2013 you can’t ask people to worry about the phone input format! If you are really smart and a detail-oriented person, you’ll read the small print in red “Please enter only numbers in Phone Number Field”. Not only that dumb Web developer knew how to strip away the dashes, spaces, and parens from the HTML form field, he doesn’t even not how to display that message in red in larger font and before the field itself!

No biggies. American citizens have time. They can experiment and somehow figure out the right format.I can tell you even more. That dummmy government employee didn’t even care about validating the input! You know these red borders that may appear in the fields with invalid entries? I’ve seen those too.

But this coder did not bother. Guess what he did? In the page markup he just specified that the length of the field has to be 10 characters. As simple as that. I’ll show you the code fragment from that page (no worries, you’ll get it even if you have no clue about Web programming). Check this out:

dontcall3

Any characters the user enters after the first ten will be quietly cut off. If the server-side code was written by the programmers of the same quality, the crippled phone number will be entered into the database.

I request the US Government to reveal the whereabouts of this software developer, the QA tester, and his manager. If any of them is a US Citizen, their passports have to be revoked forever and they should be sent to Cuba by the Aeroflot flight #150.