Sunday, June 03, 2018

Transacting business over unverified email addresses = Not Smart

On April 21, I recieved an email from 'SGW Payroll' [ and]:

Welcome to the SGW Payroll Portal [Redacted First Name]
A new employer admin account has been created for you, either by one of your colleagues or by us at SGW Payroll Ltd.
Please click on the following link to choose a password and sign in to your account. [Redacted Link]
You are receiving this email as your employer uses PayDashboard to deliver your payslip. Click here to manage your email preferences.
This welcome email looked phishy, so I checked the headers, then the payroll site, and it looked legitimate. I'm in the US, this company is in the UK. It is pretty obvious this was a mistake - likely bad entry of email address, but note the lack of any method for me to indicate there was an error. Therefore I ignored the email hoping that the intended recipient would realize they did not get the expected welcome email and correct the problem.

On April 25, I get another email:
SGW Payroll Ltd has published new documents for [Redacted - Name of Business] within your document storage hub. Log in to view or download the documents.

This was bad.  Looks like there is now an active account - mind you, an 'employer admin account', that somehow, without clicking the link, they started to use.  I also now have the name of the business.  At this point, I decide this could be a real problem, so I forward the email to with the message "I did not request this, it is likely someone mistyping their email address."  I get an automated response, then a reply from "Paul Gibbons" from their support: "Thank you for your email. We have started an invesitigation [sic] to have this removed. Thank you for bringing this to our attention." Awesome. Case closed.

On May 21, almost one month later, I get yet another email - same template as the prior one.  I respond back to the support request as follows:
I received another email today. Please resolve this. I am not the intended recipient.  There is no 'investigation' required. You are in the UK. I am in the USA. I do not work for this [Busness type redacted].  At this point I consider this to be:
  1. Horrendous security on your part.  Any email address entered into your system should have a 'confirm' step where you send an email to test the ability of the recipient to receive an email. They click on a link and log into your system. Only then should you consider the email address 'worthy' of use for anything sensitive.
  2. Even MORE Horrendous security on your part. Someone sending you a reply saying they are NOT the intended recipient should IMMEDIATELY result in removal of the address, flagging it as suspect.
Please have a supervisor/manager contact me immediately. I really do not wish to engage in a public humiliation campaign against your company. You are sending someone else payroll information!!!!!!!!!!!!!!!  This is crazy!!!!!!!!!!
I get a response, again from Paul Gibbons: "You [sic] ticket has been escalated to myself to review. I will speak with the agent populating our software to establish what is happening and will revert back."  That's awesome. I ask for elevation, and the SAME GUY elevates the issue to HIMSELF.

I decide to take a closer look at the company's website to find contact information for someone outside of support. No luck.  I now have a name of their CISO but am unable to find an email address at the corporate level or via linked in.  I reply to Paul: "Paul, you 'reviewed' it the first time, and did not correct the issue. Please have Jeremy Lloyd contact me, ASAP." To which I received the reply from Paul: 'We will respond once the investigation has been completed.' I give Paul one more chance to fix this.

On June 1, I recieved another email:
There are a couple of things you might want to take a look at
Hi [Redacted - First Name]

As we are able to compare data based on your employees payslips, we want to let you know when we spot something we think you should take a quick look at.

When you log in to your Employer Dashboard you will see "Notifications" at the top right of your dashboard. Click on the link to view the latest notifications for your company. [Redacted - Name of Business, links, rest of email, etc]
In response, I will send Mr. Gibbons a link to this post.

Since this saga began, I have received several other emails obviously intended for a person in the UK with a similar email address to mine.  From the information in these emails, I can tell you full names, address, purchases, restaurant reservations, bed and breakfasts where they spent their holiday, etc. I can also tell you that no entry point into various systems required even a simple 'click to confirm this is you' email address confirmation. I could have cancelled a dinner reservation with a simple click.  It sounds a bit scary, but I have to believe most people would do the right thing. 

Advice to developers and analysts, especially with GDPR:

  1. At a minimum, you need a business process to handle a 'I got this email by mistake, it is not intended for me' response from a user. Always. It could be completely manual. But this DOES HAPPEN.
  2. At any entry point into your system - a welcome email or similar - provide a link to initiate that 'incorrect email' business process. Every email from that first contact until the email address is determined to be valid should have a similar link, and NOT disclose personal information. Only consider an address to account valid when a link clicked from an email (or a code sent only via email) is authenticated as being from that user.  This does not need to be a login per-se, but a text message from a registered phone, etc. could all be valid. 
  3. An unconfirmed email address should never be the sole means by which you reset a password or create an account. [NOTE: I did not try to see if I could do this with PayDashboard, as I consider that to be fraud. I would be surprised if I couldn't reset the password].
  4. Some email providers ignore punctuation, like gmail.  Others also allow automatic aliasing, such as gmail, where you can add a "+" with other text and the plus and text are ignored.  This is great for users, as I can filter emails based on this. However, accidental creation or intentional creation of multiple accounts is possible based on wont of a period.  This is something to be aware of, I'm not sure how actionable it is.
  5. You should publish an email address or a method of contact for the executive team of your company. It should be monitored and legit messages forwarded. Sometimes through poor training, incompetence, or merely one person having a bad day, an interaction with your company WILL go poorly. You should give a method to reach the executive team so that these can get handled sooner rather than later.

Wednesday, January 18, 2012

SOPA, PROTECT-IP, and Legislative Position Statements

At the end of December 2011, I wrote to my federal representatives regarding my opposition to SOPA (US House) and PROTECT-IP (US Senate) legislation that portends to reduce piracy and theft of intellectual property.

Today, many websites are protesting these bills. Wikipedia and others have decided to shut down for the day (or part of the day).  Google and others have decided to alter their homepages.

I encourage you to view the legislation via the links above for a Wikipedia summary, then follow the 'External Links' to the text of the bill and develop your own opinions.  If you wish to oppose it, Google has a petition online that you can sign.  In either case, you should also write your representatives directly.  Hopefully, you will get a useful response.

Senator Toomey (R-PA) only responded to me with a confirmation that the legislation does, in fact, exist.  I did make specific references to provisions in the bill, so it is obvious that I already knew this. A follow-up did not result in an actual reply regarding the Senator's thoughts on this bill.  Senator Casey (D-PA) and Representative Altmire (D-PA) both failed to respond to my email.  I only give minor props to Toomey for responding at all, however, all three of my representatives get failing grades for their lack of adequate response.  

Even if my representative has opposing viewpoints or is projecting a vote contrary to my opinion, I believe it is their responsibility to have and disseminate intelligent position statements on each piece of legislation pending in their chamber and inside any committee that they are a member of.  An intelligent position statement is one that is published within 48 hours of the bill successfully leaving the committee and would include all of the following elements:
  • A link to the full text of the bill, including chronological history of successful amendments with time stamps.
  • If the vote were held today, based on version at timestamp ???, I would vote (yea/nay/uncommitted)
  • In the words of the representative, a summary of the intention of the bill.
  • List of elements that the representative supports and believes critical to the success of the bill.
  • List of elements that the representative opposes.
  • List of elements that require additional flushing out or personal research.  This list would be required if 'uncommitted'.
  • List of bills pending in committee or in the queue for a floor vote that portend to address the same concerns.
  • List of existing legislation on this topic and established case law that covers (or fails to cover) the subject matter of the new bill.
  • Media reports, studies, corporate statements, lobbyist groups, etc. that advocate for the need of the new law.
Update 1/18/2012: Sen Toomey released a statement that he does not support SOPA or PROTECTIP "in their current forms", yet he fails to make any statement as to what specific portions of it he takes issue with.  This statement is clouded in doublespeak.  Please keep the pressure up to get him to explain his position.

Tuesday, March 15, 2011

Wix, Votive, and Semicolons...

If you are using the Wix in Visual Studio (known as 'Votive') and need to set one or more preprocessor variables, it is rather simple. If you right-click on the Wix project, select 'Properties', then the 'Build' tab, you simply populate the 'Define preprocessor variables:' text box like so:

If you are using MSBuild, or editing the .wixproj file itself, this translates to the contents of the 'DefineConstants' element, which is where Votive stores what you put in that text box.

Things, however, are not really clear (or documented) if you need to set Name1 in the example above equal to a semicolon delimited list - for example "one;two;three" - so lets try it this way:
Candle.exe is passed (which is obviously incorrect based on our intentions):
-dName1=one -dtwo -dthree -dName2=Value2
The solution is NOT to put quotes around the list (my first guess), but to replace the semicolons that break up the list (and only the ones in the list) with '%3b', like so:

Candle.exe is now correctly passed:
-dName1=one;two;three -dName2=Value2
I do not know if this is way you would handle this situation in anything newer than Wix 3.0 - I haven't updated to 3.5 yet.

Friday, March 04, 2011

Electric Power Generation Choice in Pennsylvania

This post is centered around the deregulation of electricity generation in Pennsylvania, why you get to shop for an electricity generator (the history lesson), the factors to consider (the practical lesson), and ultimately how to save real money (the lesson in pragmatism).  I'm sure that the general advice applies to other states that have started 'deregulation' of the electricity market.

Let me provide some quick background on the process by which electricity gets to your home.  There is, of course, a power plant that makes electricity - this is called a 'generator'. There are several 'generators' that are connected with each other at multiple points - this is known as the power 'grid'.  The purpose of the grid is to assure service in the event that one or more of these 'generators' is turned off or disconnected that power can still be supplied from other generators.  It made sense for generators on many levels to interconnect with other generators owned by different companies into the same grid.  Meters indicating how much power each generator supplied into the grid allowed for proper bookkeeping.  Then you have the 'transmission and distribution' part - which is the lines connecting the generators to the grid, and the grid to your home and meter how much power is consumed.  This is a very simple model of something much more complex.

The way electric power was implemented, one company was responsible for dealing with all parts of the process - even if the company that billed you had no actual generation capabilities.  You were charged one rate based on how much power you consumed.  These companies are a 'natural monopoly' - mostly because it doesn't make sense, economically, to run multiple power lines from several companies in parallel. Because of this competition does not exist.  This is a similar situation to gas and water companies today.  Over a decade ago cable and telephone companies were in the same boat, but technology advanced to the point that both wiring systems can carry signals that allow for a limited amount of competition.

In 1997, a PA state law "Electricity Generation Choice and Competition Act" was passed (Regulations covering this law at 52 Pa. Code § 54 - pdf).  The links provided are to the text of the current law and rules and regulations pertaining to it, as amended.  The intent of the law was to deregulate the electricity generation market.  Since any generator in close physical proximity to a consumer can apply power to the grid, and the amount each one applies can be controlled, why should the consumer be stuck with buying power from one specific generator?  The direct impact of the law to the consumer consists of a few major points: (1) The costs of generating power were separated from the costs of delivering the power from the grid and itemized on your bill.  (2) All of these rates were temporarily capped and tightly controlled, until (3) These caps expired on Dec. 31, 2010. The very first part of the law, Declaration of policy, describing its complete intent, is a good read that is easy to understand.

The law attempted to take into account consumer protections and industry protections during the transition period to an unregulated market. If we look at the old regulated market, the supplier either engaged in long term contracts with a generator or generated the power themselves.  Unless you (the consumer) were willing to build your own power grid, you were at the mercy of their business decisions. These decisions were based on the monopolistic system of the time, industrial/residential growth projections, understated nuclear power costs and growth, and should be viewed in that light. Some were good, some not so good.  The not-so-good decisions resulted in what was called 'stranded costs' in that if the market was opened up and the utilities were forced to sell power for their cost of generation no one would buy power at that price.  After the law took effect, the generators were able to recoup these 'stranded costs' but under a capped price system - essentially meant to prepare the generators to compete in a free market. A whole book could be written explaining the theory of how this works. In the end, it sort of worked out - the 2008 national cost of electricity was 9.83 cents per kWh and PA was 9.60 so the 'capped' numbers were not far off in the end.

What the law didn't take into consideration is that deregulation does not and can not do anything for supply capacity and demand in this particular market. There has been very little supply capacity added to the market since the death of domestic nuclear power.  This law did nothing to make it easier to add generating capacity. Government projections show little growth in capacity. Power generated by your former monopolistic provider can now be sold to other distributors both in and out of state at competitive rates further reducing local supply by filling demand elsewhere.

Electricity, like oil, is a 'source unknown' commodity.  An electron is an electron regardless if it came from solar, wind, oil, coal, gas, or some guy on a treadmill.  The true difficulty in the marketplace now is figuring out who owes whom what... The whole concept of the electric grid is that it gets fed (hopefully) at the same rate it is drained - figuring out who owes who for the times you over or underfed the grid sounds like an added task  (and challenge) for your local utility.

By making your selection of generator, you are telling your utility to buy the same number of kWh that you use from the generator you selected at the price you are contracted for.  There are several selection criteria that you may want to consider aside from the current price: (1) Environmental reasons such as how that generator produces power, (2) Rate terms - how long you wish to 'lock in' a specific rate, (3) Usage patterns - can you or are you willing to juggle your energy use to minimize peak load or consumption based on time of day.  Make sure the 'price to compare' you are quoted from various suppliers includes all fees and taxes. The Gross Receipts tax is complex to calculate yourself if not included, and a really stupid tax for more than just that reason.

Environmental concerns is a tough one to compare.  If this is a concern for you I'd suggest rating each generator on a four star system based on their byproducts of generation (coal, gas, oil, nuclear, or renewable) and your personal belief system. I'd personally favor nuclear and renewable equally - but to each his or her own. This information is difficult to obtain from most providers.  Be aware that at times your generator may need to buy extra power on the spot market - exactly how much and from whom and how are all something to concern yourself with.  They could 'trade' power (best) by taking some extra now and paying it back when production peaks - wind and solar is very inconsistent.  They could buy on the spot market for demand peaks (medium). They could be oversubscribed (bad) where they are never producing as much as their customers are buying so a portion of the 'clean' energy you are purchasing is really quite dirty but you are paying much more for it - if those profits are 100% dedicated to expanding their production capabilities and are NOT considered profit then that may be OK.  Environmentally sensitive folks are likely better off conserving and selecting the cheapest provider while investing the difference in for-profit companies researching commercially viable clean energy production.  Funneling money into the current non-viable technologies only slows the progress in developing truly groundbreaking and cost-effective solutions that will truly benefit us all. If you really do the math on what goes into manufacturing (inputs and byproducts) and transporting solar, wind, and battery systems required to support them and amortize that environmental cost over its lifespan they are not as attractive as many believe them to be compared with other options - especially modern nuclear technologies with near-zero waste.

Some suppliers have a contract term where the rate is held constant for a period of 1, 2, or 3 years. These providers may or may not have incentives for signing (gift card, airline miles, etc.) and termination fees if you quit early.  Be sure to add in the costs and benefits from those deals as well in your calculations.  Should you do a 3 year lock in?  The government is predicting generation prices drop from current levels and bottom out in 2012 then begins to rise again, yet historical price data shows steady climb in the 'real' column so you can bet either way here.

There are other ways that you can change your usage behaviors to save more money. Can you go to load based pricing to save money (running dryer, dishwasher, A/C, and stove/oven at separate times to minimize the simultaneous current draw)?  Is there a time based rate plan where you concentrate your power use to off-peak times and pay less for it?

All that stuff mentioned above is rather difficult for the average person to understand and digest.  What happens if you DON'T choose a specific generator? If you don't you will be the sucker that will end up subsidizing the prices that allows your default generator to sell power cheaper to other utilities.  The 'default' generator is assigned based on contract with your utility - when your contract expires with your current generator, they close or get shut down, or you go into financial default you get that one.  There is no incentive for them to charge the lowest rates, since a good number of people won't choose and they are allowed to recoup fees and costs associated with being a default generator.  Based on a brief survey of default vs. cheapest alternative the 'idiot tax' on people that don't pick a provider is 5-10%.  Oh, and the default generator is not allowed to provide a usage based discount but other generators can so not picking can cost you even more than that.

There is a case where you may not want to switch... at least today... so just skip the next three paragraphs. If you have an all-electric home and are under 'Residential Heating' billing codes (stated on your bill as 'RH' - 'Rate RH' and 'Penn Power RH') you are probably charged different rates at different times in the year. This rate system was developed years ago to encourage all-electric homes.  Electric only homes are interesting, because their usage is much greater in the winter than summer - the exact opposite demand cycle of a gas heated home. Electricity generators need to have the capacity to handle peak loads or you have brownouts/blackouts and since the all-electric home is in the minority that occurs in the summer.  In this peak usage time, smaller power plants get taken online or offline based on demand (which correlates with temperature) - these are generally the most inefficient and costliest ones to run like coal, oil, and gas fired plants.  When they are turned off or down you save a bundle as you are burning less fuel. When you have a nuclear plant, it does not saves much money when production is less than the maximum capacity.  With the advent of cheap excess power in the winter, you now want to encourage usage spikes in the winter to get the best rate of return on your nuclear power plant investment.  Enter the all-electric home, which is only cost effective comparable to gas (in our climate) if the cost of electric power is cheaper in the winter.  Deals made with developers to offer a special rate plan where this dream can be fulfilled.  This was a mutual win for homeowners and power generation plants.  People built their homes, chose their appliances, and chose their heating system based on these rate promises.  The history lesson is now over - lets look at what this means.

As of Feb 28, 2011, Penn Power's Residential Heating rates for June-Sept were 6.44 cents/kWh and for Oct-May were 4.50 cents/kWh straight up.  This means no kWh minimums before the discount was applied - just a seasonally adjusted generation rate. According to a phone call I had with Penn Power on 3/4/2011 there is no plans to change their existing program, although no new subscribers can be added to it.  Also of this date there is no competitor for this pricing plan.  If you fall into this boat, as I do, you shouldn't do anything.

PECO Energy has a slightly different program which is being phased out (more discussion on that topic here).  I'd call your provider to get the details and figure out your own cost structure.  Through 3/31/2011 their prices were 9.74 cents/kWh for the first 600 kWh then 5.35 cents/kWh for any usage above that with no mention of summer prices.  Pennsylvania's consumer advocate, Irwin A. "Sonny" Popowski, states: "The commission regulations essentially require the elimination of the special winter heating rates, though we have tried to do this over a multi-year period." I fail to find supporting evidence of this statement in the Rules and Regulations. Since the context of the quote is PECO specific, and their RH rates are discounted only after a kWh minimum is reached, the reference may be to that specific implementation of the winter heating rates by a default provider.  Personally, I call bullshit on this rate change being from the legislation or Rules and Regulations since PECO's price to compare for non RH codes varies in June 2011 (9.99 cents/kWh for the first 500 and 11.20 thereafter). I'd call your legislator and 'Sonny' and get the specific portions of the law/regs I linked to above that he is using to support his assertion. It's PECO's game, anyhow, and yeah - you folks in Philly are probably screwed regardless of what the law says.

After looking at the options across the Commonwealth, I conclude that you could probably save more money by conserving than switching.  Remember that if you save 10% by switching that is only saving the generation charge - not 10% of your total bill.  To learn how to conserve, you need to know your baseline usages, and understand where the power is being consumed then reduce it. This site explains what a kWh is and how to save energy. There are also some simple techniques to check basic insulation effectiveness - like seeing if the snow melts off your roof faster than all your neighbors (that would be bad). Other such tips can be found in the two books I recommend at the end of this post.  If you have electric heat the book on insulation is excellent and a must read.

Good luck in selecting a provider - you will need it.  I found that trying to figure out all the nuances of selecting a provider is way too specific to your particular needs and usage patterns to offer any sort of general advice.

More Information:
PA Office of Consumer Advocate Shopping Guide
PA Public Utility Commission 'PAPowerSwitch' Site

Recommended conservation books:

Thursday, August 27, 2009

Wix way should you go?

Now that I know Rob still reads my mostly stagnant blog, I guess it is the appropriate time to write a long-overdue post.

When I started working with Windows Installer technology, back when it was first introduced with Office 2000, I played around with customizing the package for the IT department to push out a customized version. The tools were quite primitive, the technology was new and largely unknown, and the concept of having blogs, yet alone Microsoft folks blogging, seemed completely foreign. Support was pretty much nonexistent, and much of the documentation was unintelligible. Fast-forward 10 years, and what a difference that makes! Today there are several free and low-cost repackaging tools for transitioning non-Windows Installer based setups to the MSI format, authoring tools, and lots of community support.

Most setup authoring tools have significant issues. Non-MSI or script based installations have issues because they encourage hacks - I can't tell you how many installations I encountered that install services by writing keys to the CurrentControlSet hive and forcing you to reboot merely so the Service Control Manager can pick up that addition. Furthermore, if you are targeting any sort of enterprise where more than one of your setups will be installed IT departments want MSI deployments for very good reasons. GUI based Windows Installer tools fail to do a good job of grouping related things into the same component, and dynamically adding a directory of files at build time breaks patching semantics horribly. Another big disadvantage to these tools lie in the setup author because he or she does not need to understand the underlying technology and can get away with "programming by coincidence" (as described in The Pragmatic Programmer).

I remember several paradigm shifts throughout my experiences with setup technology - nested MSIs, merge module distribution, and chaining installations. During this time the stock price of Rolaids likely skyrocketed. The biggest challenge was attempting to get developers to take a more proactive approach to deployment considerations as they were writing their code. One approach that I took was the use of merge modules - developers of feature-units would package their build output in an MSM that was consumed when building the final product. Using Visual Studio 2005+ with their deployment projects was not only difficult, but downright impossible because of how limited, shortsighted, and buggy deployment projects are. Adding custom actions to these modules involved a complex and convoluted post-build scripting process that nobody understood, but it DID move teams towards the direction of thinking of deployment while coding.

These days, the tag-team of MSBuild plus Wix 3.0 is THE enabler to accomplishing those goals and largely eliminating the disadvantages of the GUI-based tools. Since there is close to a one-to-one correlation of XML elements to the Windows Installer tables, it is quite simple to follow if you understand the underlying Windows Installer engine. To use WiX to author a complete installation, you MUST have an understanding of the Windows Installer engine. To make a few tweaks or additions once the basic skeleton of the installer is laid out, just about any developer can do it provided access to the WiX documentation. I have team members that are NOT setup developers add services, event log sources, and more with no official training.

Some of the more compelling points in favor of WiX is how you can use it to easily and properly make multiple product editions which share components, separate units of related components into their own WXS file(s) for easier understanding and maintenance, and integrate it easily as a first-class citizen into an MSBuild project. No other product is available to my knowledge that accomplishes those goals. Best of all - WiX is free, fast, and easily installable onto any developer machine.

If you are looking to switch authoring tools, take WiX for a test run by using the dark.exe decompiler to convert your existing MSIs and play around with it a bit. Subscribe to the WiX mailing list and ask a few questions. You just might like it.

Congratulations to Rob and the entire team and individuals who have contributed to it, as well as the community of developers who support it via the mailing list on a daily basis. If you are ever in Pittsburgh, let me know. I'll buy you a beer.