
November 29, 2003

What's new?

Finished a long-pending task of adding copyright notices to the photos. Turned out to be a simple task for ImageMagick. All it took was:

mogrify -border 6x12 -bordercolor black -fill white -gravity SouthEast -pointsize 11 -font Verdana -draw 'text 6,14 "copyright text"' filename.jpg

November 24, 2003

Inevitable turn of events: Dell tries to fix customer support!

Dell is moving its technical support center from Bangalore to the US. It's surprising it took them so long to notice the support problems, given that they've been around for so long.

The current news coverage places undue stress on accent-related problems as the reason for the failure of their Bangalore operation. I believe accent would not have been considered a problem if only customers were able to get their problems solved, and the real problems were more operational.

I myself had a chance to deal with Dell recently and came away a little disappointed, but mostly surprised, that this supposedly path-breaking company has so many operational issues and still continues to be number one. Although I'm now happy with my notebook, at that time, in exasperation, I blogged "Dude, why did I ever choose Dell!?". Plus, I also did a quick usability review of their order status reporting.

November 20, 2003

FREE money transfer to India: It doesn't exist!

Go to any "desi" website and you are bombarded with flashing ads touting FREE money transfer to India, and chances are, if you are a desi you are using such a service. Flash news: You are being duped! Of course, you knew that already, but it won't hurt to read about it again.

Don't expect to get anything for free from corporations that exist solely for commercial purposes. Money transfer services depend on the foreign exchange rate to generate a substantial part or all of the profit they expect to make on the service.

Most free services, including some of the top banks, won't tell you upfront at what rate your money is going to be converted. This is what Citibank says about the exchange rate it uses. ICICI does a better job and has the guts to quote their daily rate (incidentally, I've used both and Citibank's USD to INR rate is about 1 rupee less than ICICI's). Nevertheless, the cost of the service and expected profit are built into the rate. A quoted rate only helps you in deciding the best deal.

Paid services, such as Western Union, also depend on the exchange rate uncertainty to subsidise their quoted fees. Your true cost is the sum of the fee paid and the loss due to an unfavourable exchange rate.

November 19, 2003

Live news reports without a live event!

Ever wonder why so many local TV news programs in the US have "live" reports "on location" and there is no live event happening at that time? I don't watch too much news on TV, but the rare times I do, I come across this practice so often, I'm compelled to ask aloud.

Routinely the news channels do a live report on location about an event that has already transpired. It could very well have been a "recorded on location" news; there is absolutely no need to do it live. It looks so silly to see a reporter standing on a freeway shoulder at 10pm on a cold night to report that CHP is stepping up seat belt enforcement.

I wonder why they are doing this. Is it just simple competition and each channel has decided to make a certain percentage of their reporting live, no matter what?

November 18, 2003

Updates coming in Dec/Jan

I still have to scan a major portion of my photo collection. Hope to get that done towards the end of December or early January.

Also, it's time to get my own blogging system and move away from blogger.com. I sorely need commenting and trackback features, and to be able to make customizations. Movable Type looks good.

November 10, 2003

Enforcing password quality does not improve security

There are a large number of web sites and applications that enforce varying degrees of password quality, all with the sincere intent to improve security. Do they really succeed? I believe they don't, and here's my take on it.

Password quality policies are designed with the objective of forcing the user to select sufficiently complex passwords or passphrases that make breaking them much harder. Such policies fail to take into consideration that passwords also need to be easy to remember. They tread a delicate balance of complexity versus ease of retention, and invariably prefer to lean towards complexity and end up making it harder on the user.

Passwords that are chosen with complete freedom are easier to remember. I tend to think of such passwords as being made up from a namespace of the user's choice. The namespace can be anything from which the user can pick passwords that are complex enough but easy to remember. Even within this comfort zone, there is a limit on the number of passwords that can be generated from a given namespace and retained in the user's memory. Beyond this limit, the passwords need to be persisted, for instance on that yellow sticky note attached to your computer.

Password quality policies harshly switch the user from his preferred namespace to the designer's namespace. That special character that the designer insists that you use is not in your namespace. You can't remember anything you make up in that namespace. Like many users, you are forced to write it down and have it within easy reach. The intended security benefit is never achieved.

Designers defend their password quality policies on the premise that weak passwords are the weak points in the system. So is having to write down a complex password. In any case, assuming that the transport and server side storage are secured, the user himself is the weak link, and whether you enforce password quality or not, he has the ultimate responsibility to ensure his passwords are secure enough.

Look at this problem from the perspective of the hundreds of web sites and applications where you have a user account and the dozens of sites that decided to implement a password quality policy. Of course, I have to write down every password I made up to satisfy a password policy, and you will be surprised to know how I store it.

We need to consider alternative approaches to improve security. Solving the problem of having to maintain a user account at each site is a good place to start. Fewer accounts means fewer passwords to deal with, and possibly doing a better job at it.

November 01, 2003

Think before you blog!

This full-time temp worker lost his job at Microsoft for what he blogged! He inadvertently wrote something that was considered by Microsoft as a security violation and so he got his marching orders. Sad and scary!

Got to watch out...
