Blockchain RSS

January 28th, 2018

I created an RSS for cryptocurrency prices. It lists the 10 that I am interested in, but I can certainly add more. Let me know if you want to add one to the list.

https://blog.tinle.org/blockchain/

Site instabilities due to Meltdown and Spectre (indirectly)

January 9th, 2018

You may have noticed that this blog is mostly unavailable or showing 5xx lately. It’s because I am on AWS and the recent Intel vulns have all the cloud vendors patching and rebooting their hypervisors. It’s causing various issues with my infrastructure.

I don’t blame the vendors, they are doing what they are supposed to be doing :-). I am waiting for my turn…. when the clouds are done with their patching, then I have to patch my instances and reboot them too. Ugh, joy….

Categories: Cloud, EC2

Optimizing webservers

September 7th, 2017

This is an awesome article from Alexey Ivanov on tuning your web servers.

https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/

Categories: Tech

Bye bye Sun and Solaris :-(

September 7th, 2017

So sad… but it’s inevitable, Oracle killing Solaris and Sun.

Oracle Finally Killed Sun

Categories: Java, Tech

Fair use of web content

August 11th, 2017

This news was buried among many other news items, but I felt that it deserves more people knowing about it.

It is about “fair use” of publicly available web content. What is “fair use” and when can content be restricted?

The original article is here.

A small company called hiQ is locked in a high-stakes battle over Web scraping with LinkedIn. It’s a fight that could determine whether an anti-hacking law can be used to curtail the use of scraping tools across the Web.

HiQ scrapes data about thousands of employees from public LinkedIn profiles, then packages the data for sale to employers worried about their employees quitting. LinkedIn, which was acquired by Microsoft last year, sent hiQ a cease-and-desist letter warning that this scraping violated the Computer Fraud and Abuse Act, the controversial 1986 law that makes computer hacking a crime. HiQ sued, asking courts to rule that its activities did not, in fact, violate the CFAA.

James Grimmelmann, a professor at Cornell Law School, told Ars that the stakes here go well beyond the fate of one little-known company.

I will leave it up to you to read and make up your own opinion about it.

Warranty service for Enphase converter

May 26th, 2017

Anyone having issues getting warranty service for their solar panel converter? Enphase claimed a 15-year warranty. My system was installed in mid 2010, and one of the converters had failed. It’s the only one reporting low/no voltage for the past 4 weeks. The rest of my 20+ panels and converters are fine.

It looks like Enphase is not geared to support home end users. They kept re-directing me to my “installer”. Unfortunately, my installer had gone out of business a few years ago. Yes, live and learn for me. Next time I’ll use a more reputable company.

In any case, Enphase is giving me the runaround. Sounds like time to complain to Consumer Protection Agency and local state agency.

Amazon customer service fails

April 29th, 2017

Amazon customer service reps reaction after answering a call.

I feel like I am caught in an episode of a bad customer service TV show, except this is real and it’s from Amazon.

Hello customer. I’ll be glad to help you, but first, please verify you are a customer.

But, but, that’s the reason I am calling….

I am sorry, I can’t help you if you can not prove you are a customer.

As a long time Amazon Prime customer, I have 2FA turned on. It’s the usual send a code to my phone, with the fallback being to run an authenticator app on the phone and enter the code from that app. All well and good, works well for some time now. Except that phone happens to be my work phone, and now that I am no longer working there, I do not have the phone anymore. Oops!

In my defense, I did remember to update all other online accounts to use my personal phone. The only one I forgot was my Amazon account.

Last night, Friday, after coming home from my last day at $WORK, I tried updating my Amazon account and immediately ran into problems. I can’t login since Amazon wants to send a code to my work phone, which I do not have any longer. I can not use a code from the authenticator app (Google Authenticator), since it’s also tied to that phone. I contacted Amazon customer service via the phone number that popped up when I was having problems logging in.

Cue dramatic music. The customer service rep was courteous and nice, but could not help me because I could not tell him the code that he sent to my phone…. LOL. I tried explaining that I no longer have that phone. This person did not know what to do, put me on hold for 10 minutes and came back online to tell me he can’t help me. I asked to escalate to his manager, his answer was because he could not verify that I am who I said I am, he can not escalate and can not help me…. I hung up and sent an email to Amazon support asking for help, explaining my problem and asking them to call my house phone number to verify (my house number is in my account settings).

I got an email reply from Amazon support telling me that they can not call me, but they gave me a number to call for help. I called the number and ran into the same problem. The service rep can not verify me by sending a code to “my phone”. After explaining again the issue, the rep said that he will check with someone. I was put on hold for more than 10 minutes, and got disconnected while waiting.

By this point, I was not happy, so I clicked on the support email feedback which takes me to an Amazon web page. After giving the lowest rating and clicking submit, right away I got a popup that asks for my current phone number (so Amazon can call you back). After entering my home number, I immediately got a call from Amazon support. We went through the same process as before, where we got to the verification point and the customer service rep realized I do not have the phone to receive the verification code and I can not run the authenticator app on that phone. This rep also asked to put me on hold so he can consult with someone. After a long 15 minutes or so wait, he came back and said someone will email me with instructions on how to resolve this.

That conversation was around noon today (Saturday 4/29/2017). It is now almost 6pm, I still have not seen any email from Amazon support.

It’s hard to believe that I am the first Amazon customer to run into this issue. This over-reliance on using a phone as the proof of identity is a single point of failure. What about all the other information? Such as my home phone? Obviously they can and do call my home phone as my earlier support call from them shows. They could and did ask about other information in my account to verify, why is that not enough?

I have shot off another email to Amazon support asking for escalation. Funny thing, while trying to send this email to support, Amazon wants me to login to my account…. arrrgggg!

I’ll just post this experience here as a tale of how not to design your 2FA without adequate fallback. Problems happen and you need to have another method to reset login that does not depend on the very device that is used for 2FA. Most importantly, you need to give your customer service personnel ways to deal with unexpected circumstances, beyond just reading from scripts. My experience with Amazon customer service was terrible! Refusing to help me because they can’t verify me? Will not escalate until I can prove I am a customer? Seriously?

Update 2017/04/30 Sun – Amazon service responded to my last email asking for help with the response that they are going to reset my password. That’s not going to help. I know my password, I don’t have my phone so I can’t login. This reminds me of another person’s trouble trying to get help from Amazon customer service.

Bad Amazon customer service

Update 2017/04/30 Sun – once more, I clicked on the feedback button in the support email, and gave a 1 star review. Got a popup to enter my phone number so Amazon can call me. This time, I got someone calling from the state of Washington (last 3 times were from non-US support centers). Fourth time was the charm. This service rep had run into another customer with a similar problem to mine before and she knew what was needed. She had to pass me over to the 2FA customer service team (hmmm). They sent me an email with a link to: Amazon 2FA recovery web page.

Essentially, I have to verify my identity by uploading a picture (scan or photo) of a government-issued identity document. It will take 1-2 days after that for Amazon to do what they need and remove the 2FA from my account.

Took a picture of my driver license, blacked out sensitive data, leaving only my name and home address and submitted it to the recovery page. I find it amusing that Amazon thinks this is more secure. With today’s graphic editors, I could have easily created a fake photo ID claiming to be me.

Update 2017/05/01 Mon – I received an email from Amazon support saying that they have disabled my 2FA. I tested it and was able to login to my account. I went to reset 2FA to my new personal phone and tested it again. Finally! Everything is working again.

Conclusion

Terrible customer experience. Bad security theater. I understand the need to verify users and protect their data, but the methods for doing so and the training Amazon provides to their customer service personnel are very lacking.

Customer Service training

Amazon needs to train service reps on how to deal with the unexpected, beyond their scripted responses. They should enable their reps to escalate to a higher level of support as needed. The big fail was refusing to help because a user can not provide proof of their identity. Imagine you just got robbed and now the police refuse to help you because you can not prove your identity.

Bad security

Requiring additional verification when the primary method has failed or is not available is fine. But making users jump through hoops based on perceived security is not. Requiring users to send in photos or scans of government issued IDs is security theater. With modern graphic editing tools, and so many scanned pictures already available on the internet, it is easy to create spoofed IDs and submit them. Especially when the only requirement was that the name and home address on the ID have to match what Amazon has about the user.

Since Amazon already has shared information about the users, why not query the user on that as proof of identity? If there are concerns about access to personal data, then have a dedicated support team that is only for this identity verification task. This team can only access a particular user’s data when that user needs to be verified. The access is logged and documented.
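One device-independent fallback of the kind argued for above is a set of single-use recovery codes handed to the user when 2FA is enrolled. The sketch below is an added example, not Amazon's mechanism or code from the original post; the `RecoveryCodes` class, the code format, the PBKDF2 iteration count and the `MAX_FAILURES` lockout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O/1/I look-alikes
MAX_FAILURES = 5  # assumed policy: lock recovery after this many bad guesses


class RecoveryCodes:
    """Single-use login-recovery codes for one account (hypothetical helper)."""

    def __init__(self, count=10):
        self.count = count
        self.salt = secrets.token_bytes(16)
        self.unused = set()  # only salted digests are stored, never plaintext
        self.failures = 0

    def _digest(self, code):
        normalized = code.replace("-", "").replace(" ", "").upper()
        return hashlib.pbkdf2_hmac("sha256", normalized.encode(), self.salt, 100_000)

    def issue(self):
        """Invalidate old codes and return new ones, shown to the user once."""
        codes = []
        for _ in range(self.count):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(10))  # 50 bits
            codes.append(raw[:5] + "-" + raw[5:])
        self.unused = {self._digest(c) for c in codes}
        self.failures = 0
        return codes

    def redeem(self, candidate):
        """True if candidate is an unused code; the code is then burned."""
        if self.failures >= MAX_FAILURES:
            return False  # locked: route to manual verification instead
        digest = self._digest(candidate)
        match = None
        for stored in self.unused:  # constant-time compare against each digest
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            self.failures += 1
            return False
        self.unused.remove(match)
        self.failures = 0
        return True

    def remaining(self):
        return len(self.unused)
```

A successful `redeem` should only open a session that forces re-enrollment of a new second factor, and every call is worth writing to an audit log.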

Categories: misc

LinkedIn Celebrate 500M members April, 2017

April 28th, 2017

LinkedIn 500M members celebratory picture.

Big celebration for LinkedIn as the company hits 500M + members.

This picture was at LinkedIn HQ in Sunnyvale.  I am the guy in the middle of that red circle.

The picture was taken by a Mavic Pro drone, flying above the building. The drone belongs to one of my colleagues.

Courier Fetch Error: unhandled courier request error: Authorization Exception in Chrome/Safari on Kibana 4.5.0

August 22nd, 2016

Getting this error in your Kibana?

You need to increase your max header size, as the netty default is only 8KB. You can change the value in your elasticsearch.yml file.

Add the following line (or uncomment it if it is already there).

http.max_header_size: 32kb

Moving or copying files from one Google drive account to another

July 20th, 2016

I have seen questions on the web about how to migrate (copy/move) files from one GDrive account to another. There are many reasons, such as migrating from one Google account (such as company) to your personal account, etc.

WARNING: you may be violating your company policy by moving/copying files from your company Google account to a personal one. I advise you to consult your company security officer or equivalent before doing this.

There are other reasons for wanting to copy or move a large number of files from one GDrive to another. Such as for me. I shared a folder in my GDrive with my family for putting our family photos in a central location. My family have G accounts, and their own GDrives. It seems that Google makes it painful to copy files from one GDrive to another. Their suggestion is some form of downloading the files to your local drive first, and then uploading them to the other GDrive that you want.

This is painful!!! There are so many reasons why it’s painful…. 😉

The solution I’ve used is to install the Google Drive app (supports OSX, Windows, Linux, Android and iOS).

Link Google Drive app to one Google account, and now you can treat the files in it as on your local drive and drag from there to the GDrive account you want to copy to.