Category Archives: Rants

Rants

On Overbookings

Leave a comment

“I never understood how overbooking is legal. (I know this wasn’t really an overbooking incident, and I know about the no-show excuse. But if you buy tickets for a cinema, or a theatre, or book a place in a restaurant, or whatever, they never tell you “Sorry, but we gave your place to someone else. Here’s a cookie.”)”
— Myself in a Facebook comment, 12th April 2017

The recent incident where a passenger was violently removed from a United flight to make room for United employees reopened an old argument about overbookings on flights. While this wasn’t in itself an overbooking incident (even though some airlines like to treat “overbooking” as an umbrella term encompassing even incidents like this), it reminded me of the intentional practice of overbooking, which is not just a desperate measure by abysmal airlines like Air Malta, but indeed a blight that plagues the greater majority of the airline industry.

Image credit: here

It is well-known that most airlines intentionally allow their flights to be overbooked due to statistics that state that on average, some 10-15% of booked seats result in no-shows. The excuse is that the seat left empty could instead be used to transport a passenger who does show up. This is obviously a slap in the face of the people who, conversely, do show up for their seat and are denied boarding because the flight was overbooked, and offered measly compensation for it.

If you make a booking at a restaurant, cinema, theatre, etc, they never tell you “Sorry, but we gave your place to someone else. Here’s a cookie.” You booked a place, and they are supposed to respect it. Of course, you might not show up, and that’s a risk on them.

But in the case of flights, you pay for them in advance. Whether you show up or not, you actually paid for that seat. It’s yours. How is it even legal to sell that same seat a second time to someone else? It’s like selling the same item at a store to two different people, have both pay for it, expect the losing party to actually ask for his money back (and keep it if they don’t), and let them just live with the disappointment.

I am really furious not only that airlines carry out this sleazy practice, but also that the authorities allow it to happen. Even worse, the compensation (at least here in Europe) is pathetic. It barely makes up for lost time at work, and has absolutely no consideration about stress and hassles that take place as a result, including the eventuality of having to cancel holiday plans, miss connecting flights, and run after airlines for compensation. As I had already noted in my article about when Air Malta left us stranded, not only is the compensation not enough disincentive to leave passengers at the airport, but it actually makes it worth the risk for the airlines.

I’m sorry, but you just cannot justify this sort of gross mistreatment of customers by quoting passenger statistics and airline profits.

Rants, Software development

The Broken Web of March 2017

3 Comments

This article is the March 2017 issue of the monthly series that started with “The Sorry State of the Web in 2016“, showing all kinds of blunders on websites ranging from the silly to the insecure and illegal. While I spot a good number of these myself, many are brought to my attention by contributors, and I would like to thank them all.

JobsPlus

JobsPlus, which is the ridiculous new name for what used to be ETC, had launched a new website as part of their rebranding.

Despite that, their content still can’t handle apostrophes, not to mention basic formatting such as bulleted lists:

At least, it was built with internationalisation in mind. In fact, you can choose a language…

…with a single selection of English. That’s very useful indeed!

JobsPlus also have a service where they send a daily email with all new vacancies. Typically there are no new vacancies during weekends, but they still send an empty email. This has been going on for around 10 years if not more (formerly as ETC, of course).

Henley Malta

The Henley MBA might teach you many useful things, but building a basic website is definitely not one of these!

In fact, here are two basic things you should never have on your website:

  1. Broken images
  2. Misleading links that unexpectedly open your email application.

Just Some Coding

The only thing worse than a misleading link is something that looks like a link but is not, as you can see on Just Some Coding Ltd‘s website.

There are many ways to emphasise text on the web, but underlining is not a good one. Underlining is usually associated with a link, so when you see big green underlined text like “art” or “functional”, the typical user might try to click on it, only to realise that it’s not actually a link.

Maypole

Maypole is yet another website insecurely accepting credit card information:

Secured by Thawte indeed, but there’s no padlock. We’ve been through this several times before and I won’t bore you by repeating the details, but refer back to “The Sorry State of the Web in 2016” if you don’t understand why this is bad.

MFSA Registry

Let’s also welcome the MFSA Registry into the the realm of oft-repeated security issues, in this case that of having an untrusted SSL certificate:

As if that wasn’t enough, the same website also accepts login details over an insecure connection:

Bank Cross-Origin Issue

I recently caught some functionality in a local bank’s webite that was completely broken because of this cross-origin problem:

That’s not nice to have in a production environment.

Owner’s Best

Owner’s Best recently launched a new website, and not without issues. Until the time of writing this article, you can still see “Error: Rows Not Set” at the bottom of the page:

At one time, I was checking out a particular property, and they have these buttons on the side where you can see the floor plan and other details:

When clicking one of these buttons, however, I was taken to this contact form:

I was really confused by the fact that this contact form came up instead of the floor plan I was expecting, and the back button wasn’t working either.

What actually happened was this: the contact form is actually right below the property detail shown in the earlier screenshot, so properties that don’t have additional info will cause those buttons to link to an empty anchor, which has the side effect of bringing the contact form to the top of the page. The least they could have done is hide the buttons if the relevant detail is not there for the current property.

Roller Blades Malta

There’s one important lesson we can take away from Roller Blades Malta: don’t enter website content when you’re drunk.

Star Web Malta

Woe be upon thee, if thou hast an invalid WoeID:

Transport Malta

We all love Transport Malta, and for those who want to actually communicate their love, they have a contact form (note also the messed up action / social media list on the side):

Unfortunately, however, they don’t want to receive your love. The contact form goes to this page:

Transport Malta also joins the list of websites that accept login details on an insecure channel:

TVM

TVM‘s website, unlike that of JobsPlus, is in both English and Maltese. However, they forgot to translate “Sign In / Register” in the Maltese version:

WhatsOn

whatson.com.mt is another website accepting login details over an insecure channel:

Before you can login or register, though, you have to get past the cookie-acceptance text that comes up in front of the login/register form. This text tells you that you have to accept cookie usage to proceed, but the site has already set cookies regardless of your acceptance.

Xamarin University

When you sign up for Xamarin University, you have to consent to Microsoft to spam you.

While they say that you can unsubscribe at any time, I don’t want Microsoft sending me trash in the first place.

I also was unable to access some of the site’s functionality, because their JavaScript was broken:

Summary

We’ve seen quite a few bad things in this article, and I have even more lined up for the April issue. As always, feel free to bring to my attention any blunders you have experienced and feel should be included.

I have summarised various points to improve upon in earlier articles, and feel there would be little benefit by repeating them in this one.

However, I just want to remind everyone why I am writing these articles: it’s not to put shame on any particular website, but to learn about the bad things on the web today and avoid repeating them in the future. These experiences are painful to visitors of such websites, and embarrassing for the website developers and the companies commissioning them. Let’s all learn from our mistakes and create a better web for all!

Rants

How To Be An Asshole, By Example

1 Comment

Denis Leary came up with some really creative ways to be an asshole back in 1993. However, nowadays we have more modern ways to piss people off, as I discovered from some recent encounters. I bet Denis wasn’t expecting any of these when he wrote that song.

LA Metro

It’s not enough for the Los Angeles Metro system to be completely unreliable in terms of punctuality or operation. They even have to confuse people by having trains appear on the wrong track. In the photo above, the train to Union Station should be on the track to the left, but it just arrived on the track on the right, which is supposed to be destined for North Hollywood.

“Microsoft Edge is faster than Chrome”

Long after Microsoft was forced to give Windows users a decent choice of browsers (because shipping Internet Explorer with Windows is the only thing that gave such a hopeless browser a leading position in the market for so many years), it is still pulling dirty tricks to try and promote adoption of its web browsers. In this screenshot sent in by a friend, we can see how Windows 10 pathetically tries to win Chrome users over to Microsoft’s more recent Edge browser, saying that “Microsoft Edge is faster than Chrome”.

Similar popups include “Microsoft Edge is safer than Firefox” and “Chrome is draining your battery faster”.

I’ve seen these kinds of filthy tactics carried out by politicians for years, but never thought they would be used between web browsers.

Universal Studios Hollywood WiFi

At the time of writing this article, it costs at least $105 to get into the Universal Studios Hollywood theme park. So it is really shameless to put a condition like “Your information will be shared with Comcast XFINITY and Universal Theme Parks for promotional purposes” in order to use free WiFi. Just give them a fake email address, and you can use WiFi without being spammed.

Feedback Touchscreen in Restroom

In recent years, a lot of our digital interactions have been revolutionised by simple touch gestures. However, having a touchscreen for feedback at the Malta International Airport’s restrooms is probably taking this too far. I mean it’s ok if you assume everybody washes their hands. But can you really assume that?

The way they ask is also very awkward at best:

“How was your experience at this washroom today?”

Uhhh, do you really want the details?

Stone from the Azure Window

Just a day after the collapse of the Azure Window in Gozo (Malta), with many people mourning the loss of a national icon, an opportunist is selling what he claims to be “original stone from the collapsed Azure Window Gozo (Malta)”:

This person gives a bit more detail in the item description:

“Item specifications : Piece of Azure Window rock approx 100g

“Many are asking how can they be sure that the rock is from the mentioned area? Well all I can say is that I am a local and have access to location in less than 10 min drive. I plan to dive in the area and maybe even collect pieces from the sea bed 😉

“Thanks”

I guess this one needs no further comment.

Rants, Software development

The Weeping Web of January 2017 (Part 2)

1 Comment

This is a continuation of my previous article, “The Weeping Web of January 2017 (Part 1)“.  It describes more frustrating experiences with websites in 2017, a time when websites and web developers should have supposedly reached a certain level of maturity. Some of the entries here were contributed by other people, and others are from my own experiences.

EA Origin Store

When resetting your password on the EA Origin Store, the new password you choose has a maximum length validation. In this particular case, your password cannot be longer than 16 characters.

This is an incredibly stupid practice, for two reasons. First, we should be encouraging people to use longer passwords, because that makes them harder to brute force. Secondly, any system that is properly hashing its passwords (or, even better, using a hash algorithm plus work factor) will know that the result of a hashed password is a fixed length string (regardless of original input length), so this is not subject to any maximum column length in a database.

Untangled Media

If you scroll through the pictures of the team at Untangled Media, you’ll see that the last one is broken. Ironically, it seems that that person is responsible for content.

Needless to say, broken images give a feeling of neglect that is reminiscent of the mythical broken window from The Pragmatic Programmer.

Outlyer on Eventbrite

Another thing that makes sites (and any written content, for that matter) look unprofessional is typos. If you’re sending an SMS to a friend, a typo might be acceptable. If you’re organising an event to launch a product, three typos in the same sentence don’t give a very good impression.

BRND WGN

The first thing you see on the BRND WGN website is an animation taking up the whole screen, switching around frantically like it’s on drugs:

There are only three things you can do to learn more about what the site has to offer: play a video, click on (literally) a hamburger menu, or scroll down.

While I’m not sure this can be reasonably classified as mystery meat navigation, it does no favours to the visitor who has to take additional actions to navigate the site. While the hamburger icon looks like a cutesy joke, it looks silly on what is supposed to be a professional branding website, and hides the site’s navigation behind an additional layer of indirection.

This is a real pity, because if you scroll to the bottom, the site actually does have well laid out navigation links you can use to get around the site! These should really be the first thing a visitor sees; it makes no sense that they are hidden at the bottom of the page.

I also noticed that if you click on that hand in the bottom-right, you get this creepy overlay:

The only reasonable reaction to this is:

Image credit: taken from here.

Daphne Caruana Galizia

The controversial journalist and blogger who frequently clashes with public figures would probably have a bone to pick with her webmaster if she knew that the dashboard header for her WordPress site was visible for not-logged-in users while she was logged in last week:

While this won’t let anyone into the actual administrative facilities (because a login is still requested), there’s no denying that something went horribly wrong to make all this visible, including Daphne’s own username (not shown here for security reasons).

Identity Malta

The Identity Malta website has some real problems with its HTTPS configuration. In fact, Firefox is quick to complain:

This analysis from Chrome, sent in by a friend, shows why:

Ouch. It defeats the whole point of using SSL certificates if they are not trusted. But that’s not all. Running a security scan against the site reveals the following:

Not only is the certificate chain incomplete, but the scan identified a more serious vulnerability (obfuscated here). An institution dealing with identity should be a little more up to speed with modern security requirements than this.

Another (less important) issue is with the site’s rendering. As you load the page the first time or navigate from one page to another, you’ll notice something happening during the refresh, which is pretty much this:

There’s a list of items that gets rendered into a horizontally scrolling marquee-like section:

Unfortunately, this transformation is so slow that it is noticeable, making the page load look jerky at best.

Battle.net

I personally hate ‘security’ questions, because they’re insecure (see OWASP page, engadget summary of Google study, and Wired article). Nowadays, there’s the additional trend of making them mandatory for a password reset, so if you forget the answer (or intentionally provide a bogus one), you’re screwed and have to contact support.

If you don’t know the answer to the silly question, you can use a game’s activation code (haven’t tried that, might work) or contact support. Let’s see what happens when we choose the latter route.

Eventually you end up in a form where you have to fill in the details of your problem, and have to provide a government-issued photo ID (!). If you don’t do that, your ticket gets logged anyway, but ends up in a status of “Need Info”:

The idea is that you need to attach your photo ID to the ticket. However, when you click on the link, you are asked to login:

…and that doesn’t help when the problem was to login in the first place.

It’s really a pain to have to go through all this crap when it’s usually enough to just hit a “Reset Password” button that sends you an email with a time-limited reset link. Your email is something that only you (supposedly) have access to, so it identifies you. If someone else tried to reset your password, you just ignore the email, and your account is still fine. In case your email gets compromised, you typically can use a backup email address or two-factor authentication involving a mobile device to prove it’s really you.

Security questions are bullshit; they provide a weak link in the security chain and screw up user experience. Let’s get rid of them sooner rather than later.

Malta Health Department

It is a real pity when a government department’s website loses the trust supposedly provided by HTTPS just because it uses a few silly images that are delivered over HTTP.

The Economist

Remember how you could read any premium article on The Times of Malta by just going incognito in your browser (see “The Sorry State of the Web in 2016“)? Seems The Economist has the same problem.

Article limit…

…no article limit…

Remember, client-side validation is not enough!

On a Positive Note, Mystery Meat Navigation

I’m quite happy to see that mystery meat navigation (MMN) seems to be on its way out, no doubt due to the relatively recent trend of modern webites with simple and clear navigation. I haven’t been able to find any current examples of MMN in the first five pages of Google results when searching for local web design companies, so it’s clear that the local web design industry has made great strides compared to when I wrote the original MMN article.

Summary

This is the third article in which I’ve been pointing out problems in various websites, both local and international. After so many years of web development, designs might have become prettier but lots of websites are still struggling with fundamental issues that make them look amateurish, dysfunctional or even illegal.

Here are some tips to do things properly:

  • If you’re accepting sensitive data such as credit cards of passwords as input, you have to have fully-functional HTTPS.
  • Protect yourself against SQL injection by using parameterised queries or a proper ORM.
  • Test your website. Check various kinds of inputs, links, and images. Don’t waste people’s time or piss them off.
  • Use server-side validation as well as client-side validation.
  • Ensure you have proper backup mechanisms. Shit happens.
Rants

The Weeping Web of January 2017 (Part 1)

1 Comment

Not even a month has passed since I wrote “The Sorry State of the Web in 2016“, yet I already find myself having to follow up with new material detailing things that should be things of the past. Because in 2017, we really should know better. Some of the entries here were contributed by other people, and others are from my own experiences.

[Credit: image taken from here]

GitLab

You might have heard a few times how a company did something really stupid that messed up its business and reputation, like the Patreon Security Breach. Well, just today, GitLab went down with a bang:

How did that happen?

Ouch. But everyone makes mistakes, right? Let’s see the incident report (emphasis mine):

  1. “LVM snapshots are by default only taken once every 24 hours. YP happened to run one manually about 6 hours prior to the outage
  2. Regular backups seem to also only be taken once per 24 hours, though YP has not yet been able to figure out where they are stored. According to JN these don’t appear to be working, producing files only a few bytes in size.
  3. Disk snapshots in Azure are enabled for the NFS server, but not for the DB servers.
  4. The synchronisation process removes webhooks once it has synchronised data to staging. Unless we can pull these from a regular backup from the past 24 hours they will be lost
  5. The replication procedure is super fragile, prone to error, relies on a handful of random shell scripts, and is badly documented […]
  6. Our backups to S3 apparently don’t work either: the bucket is empty
  7. We don’t have solid alerting/paging for when backups fails, we are seeing this in the dev host too now.

“So in other words, out of 5 backup/replication techniques deployed none are working reliably or set up in the first place. => we’re now restoring a backup from 6 hours ago that worked”

This explains where the name “GitLab” came from: it is a lab run by gits. Honestly, what is the point of having backup procedures if they don’t work, and were never even tested? You might as well save the time spent on setting them up and instead use it for something more useful… like slapping yourself in the face.

Booking.com

Like its airline cousins, booking.com is a bit touchy when it comes to input data. In fact, if you’ve got something like a forward slash or quotes in your address, it will regurgitate some nice HTML entities in the relevant field:

Smart Destinations

The problems I’ve had with my European credit card not being accepted by American websites (usually due to some validation in the billing address) apparently aren’t limited to US airlines. Just yesterday, while trying to pay for a Go Los Angeles card, I got this:

Hoping to sort out the issue, I went to their contact form to get in touch. After taking the time to fill in the required fields:

…I found to my dismay that it doesn’t actually go anywhere:

So much for the response within 24 hours. The destinations may be smart, but the developers not so much.

Ryanair

I’ve been using Ryanair for a while, so I recently thought: why not register an account, to be able to check in faster? So I did that.

Last week, I opted to do my online check-in as a Logged In User™. When I logged in, I got this:

I found out from experience that you’re better off checking in the usual way (e.g. with email address and reservation number). At least it works.

Super Shuttle

Booking with Super Shuttle involves a number of steps, and between each one, you get a brief “loading”-style image:

As you would expect, it sits on top of an overlay that blurs the rest of the page and prevents interaction with it. Unfortunately, this has a bad habit of randomly getting stuck in this situation, forcing you to restart the whole process.

Another thing about Super Shuttle is that you can actually include a tip while you’re booking:

Wait. Why would anyone in his right state of mind want to tip the driver before he has been given a good service? What if the service actually sucks?

Malta VAT Department

If you go to VAT Online Services, and try to login at the “Assigned or Delegated Services” section…

…you see an error page that seems like it survived both World Wars.

Well, at least it’s secure!

To Be Continued…

Adding all the entries for January 2017 into this article would make it too long, so stay tuned for Part 2!

If you have any similar bad experiences with websites, send them in!