Happy Independence Day

July 4th, 2008 11:10 AM by Luke Maciak

Happy Independence Day everyone! Have fun, stay safe and avoid blowing yourself up with fireworks! Don’t forget what this day is really about. It is about commemorating the bravery of the two great men who saved our planet.

Independence Day

If I remember the history lessons correctly, one of these men was the Fresh Prince of an ancient wealthy kingdom known only as Bel-Air. The other one was actually half fly, half Jewish. Together they developed a computer virus so awesome it disabled the whole invading alien fleet. We commemorate their bravery by shooting fireworks into the air, which remind us how we defeated the space invaders.

I will make this joke every year until it becomes funny again.

The name of your first pet is too short!

July 3rd, 2008 11:35 AM by Luke Maciak

I previously ranted about strange password restrictions that disallow the use of special characters such as spaces or alphanumerics. This time I want to complain about another boneheaded security feature out there - minimum length restrictions on the answer to your “secret” password recovery question. I was recently creating a Microsoft Live Passport account to register a copy of Visual Studio Express 2008. Yeah, laugh all you want, but PerfMonG is written in C# and it won’t maintain itself no matter how hard I try to ignore it. At some point during registration I saw this:

croppercapture81.jpg

Don’t get me wrong. I’m all for keeping things more secure, but restricting the secret answer to strings of more than 5 characters is a bit silly. For starters, let’s consider pet names. I don’t know about you, but I find that most of them are relatively short. For example, I did a quick Google search for the most popular dog names and stumbled upon this ranking:

Most Popular Dog Names

It turns out that half of the top 10 most popular dog names are shorter than 5 characters. If you look down that list, this trend continues. So roughly half the people won’t be able to use their pet’s name as their secret answer, or will have to figure out a way to make it longer (for example by adding their last name), which simply adds confusion. The same goes for the childhood friend option. You may remember that your best buddy from the playground was named Bob, but will you always remember that his last name was Szczebrzeszyński? Will you remember how to spell it? Hell, if on top of all this your place of birth is Ido, Japan, then you are totally fucked.

Now you are forced to make up answers - ones that you won’t remember 3 years from now when you need to recover your password, which makes them absolutely useless. This minimum length limit is silly, because these hints are not really designed to be secure. Anyone can find out the name of my first pet, or the birthplace of my mother. It’s really not a secret, and it can easily come up in casual conversation. The whole point of them is to provide another layer of protection for your account, so that the attacker has to have both the secret answer and access to the email account you used to open the service. Brute forcing the secret answer should not be the concern, because these answers would be incredibly vulnerable to dictionary attacks anyway.

So why not let us use answers that are as short or as long as we like, or stop using them altogether? Otherwise it is just counterproductive, as people won’t be able to remember what they typed in to pad their answers to meet your arbitrary minimum length limit.
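To make the trade-off concrete, here is an added example (mine, not code from the original post): it applies a five-character minimum to a constructed list of common dog names to count how many are rejected outright, and then shows a hypothetical recovery-answer verifier that normalizes the answer, stores a salted hash and throttles guesses, which is what actually bounds the dictionary attack the post mentions, regardless of how long the answer is. The name list, the `RecoveryAnswerStore` class and its attempt limit are all assumptions; the real ranking is not reproduced here.

```python
import hashlib
import hmac
import os

# Constructed sample of popular dog names; NOT the ranking the post links to.
POPULAR_DOG_NAMES = ["Max", "Bella", "Buddy", "Lucy", "Jake",
                     "Sam", "Molly", "Daisy", "Rocky", "Rex"]


def passes_min_length(answer, minimum=5):
    """The rule from the rejected form: answers shorter than `minimum` fail."""
    return len(answer) >= minimum


def fraction_excluded(names, minimum=5):
    """Share of a name list that the minimum-length rule rejects outright."""
    rejected = [n for n in names if not passes_min_length(n, minimum)]
    return len(rejected) / len(names)


class RecoveryAnswerStore:
    """Hypothetical verifier: one recovery answer per user, kept as a salted
    hash, with a cap on wrong guesses. The cap, not the answer length, is
    what stops someone walking through a list of pet names."""

    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self._records = {}   # user -> [salt, digest, failed_attempts]

    @staticmethod
    def _normalize(answer):
        # Case and stray whitespace are not memorable; ignore them so that
        # "Rex", "rex" and " Rex " all verify.
        return " ".join(answer.strip().casefold().split())

    @staticmethod
    def _digest(salt, answer):
        return hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, 50_000)

    def set_answer(self, user, answer):
        salt = os.urandom(16)
        digest = self._digest(salt, self._normalize(answer))
        self._records[user] = [salt, digest, 0]

    def check(self, user, guess):
        """Returns 'ok', 'wrong' or 'locked'. Unknown users look like a miss."""
        record = self._records.get(user)
        if record is None:
            return "wrong"
        salt, digest, failed = record
        if failed >= self.max_attempts:
            return "locked"          # refuse even a correct guess once capped
        if hmac.compare_digest(digest, self._digest(salt, self._normalize(guess))):
            record[2] = 0
            return "ok"
        record[2] = failed + 1
        return "wrong"


def dictionary_guesses(store, user, wordlist):
    """Feed a wordlist to the verifier and return the outcome of each guess."""
    return [store.check(user, word) for word in wordlist]


if __name__ == "__main__":
    print("rejected by 5-char rule:", fraction_excluded(POPULAR_DOG_NAMES))
    store = RecoveryAnswerStore()
    store.set_answer("luke", "Rex")
    print(dictionary_guesses(store, "luke", POPULAR_DOG_NAMES))
```

With the constructed list, half the names fail the five-character rule, while the throttled verifier turns every guess after the fifth miss into `locked`, so the list never reaches "Rex" even though it contains it.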

Blizzard Doesn’t Want Me to Play World of Warcraft

July 2nd, 2008 11:15 AM by Luke Maciak

Back in the day I did my 10 day World of Warcraft trial and blogged about it. If you recall, I was able to convince myself that WoW was not for me in the end.

Then recently I started having these urges - I wanted to go back and play it again. The fact that Shamus can’t shut up about it didn’t help either. So I decided to see if my trial account still existed. It did. It also had a tantalizing new button in the middle of the interface. It said “upgrade your trial account”. Tempting… Oh so tempting. Why did they do this to me? For 2 days straight I was fighting with myself, and going back to that page. I was hovering my mouse pointer over that button. Clicking it… Hitting the back button. Do I really want it? Won’t I get sick of it after a few weeks? Do I really have time for this now?

Time I had. The long 4th of July weekend was coming up, and I also had a few days of vacation lined up - I could spend mornings on the beach and evenings playing WoW. So I said, what the hell. I whipped out my credit card and upgraded.

My character was still there, intact. So I picked up right where I left off. I started running quests in the Barrens, got my cooking and first aid skills up. I was mining things, smelting copper, fishing. I gave up on running around looking at stuff and getting killed by high level beasts in areas where I was not supposed to be, and concentrated on my quests and the fun things to do in the game. And it was fun - tons of fun. But I noticed that I still had trial account restrictions. I couldn’t trade items in the auction house, invite people to my party, etc.

I sent them an email about it via the form on their website. I didn’t even feel like calling about this - after all, there was no rush. As long as they got it fixed in a day or two I would be perfectly happy. The next day I got this in my email:

This notice is being sent to inform you that we are unable to successfully process the recently requested electronic upgrade for World of Warcraft account [my user name]. As such, this account will remain at the current account level and no charges have been processed for this upgrade. In addition, in order to protect the security of both this World of Warcraft account and your payment method we have disabled access to this account to prevent potential abuse. Please contact the Blizzard Billing and Account Services department via telephone at (800)-59-BLIZZ (1-800-592-5499). Please note that due to security concerns we will be unable to assist you via email.

We apologize for the inconvenience this may cause and thank you for your patience in this matter.

Regards,

Blizzard Entertainment

WTF? They completely locked me out of my account. Fine. Maybe they had some issue with the credit card. Maybe I typed it in wrong. Perhaps the credit card company put a stop on my payment for some reason. I figured I’d probably need to give them a different credit card number in order to unlock my account. Whatever. It’s fine. No problem. A minor inconvenience, but nothing I haven’t seen before.

After getting home from work I called them up. After 20 minutes of waiting on hold (listening to Diablo music streaming from the headphones) I finally got a live person on the line. The customer service lady, who introduced herself as Samantha, explained to me that for some unknown reason Blizzard considered my online upgrade highly suspicious. Furthermore, the only way for me to unlock my account was to go to a store, purchase an actual physical copy of the game and call them back with the CD key. In fact, she suggested that if I ran out now and called back right away I might still catch her, as she would be there for another hour.

Yeah, I’m going to drop everything, skip dinner and run to the store in the pouring rain because Blizzard wants to sell more retail copies of the fucking game. I’m sorry, but I’m not that fanatical about this game. If the online upgrade is so insecure and suspicious, why do they even offer it?

Samantha gave me this weird vibe. I don’t think that I ever spoke to anyone who was both so incredibly polite and so overwhelmingly condescending in that weird intangible way - both at the same time. She didn’t really try to troubleshoot the problem, didn’t ask for my account information and refused to try to reactivate the account. Just go buy the game - she was adamant about it.

I politely told her that I’m actually quite disappointed with my WoW customer service experience so far, that I likely won’t be buying the box or calling back, and thanked her for her time. I really wanted to give her some choice words, but I’m a nice guy, so I simply flipped a middle finger into the handset before hanging up.

Once I cooled down a bit I gave them another call. I figured that maybe Samantha was just being a pain in the ass. Perhaps I could get someone more sensible on the phone. This time around I got Steve, and he was super nice and extremely helpful. He actually tried reactivating my account using 2 different credit cards, but unfortunately it didn’t work. Finally he recommended buying a retail copy of the game, creating a new account and then shooting him an email to see if my characters could be transferred to it.

Neither Steve nor Samantha could tell me why my account was locked, and why the credit card payments were being rejected. This information was simply not in the system, and they had no means of finding out what was going on.

In the end I really have two options. Option A is to:

  1. Buy a retail copy of the game
  2. Create a new account
  3. Email Steve and beg him for help
  4. Keep my fingers crossed
  5. Find out that trial characters are probably not transferable
  6. Start over

Option B is:

  1. Not to buy a retail copy of WoW
  2. Forget about the damn game
  3. Save $15/mo
  4. ???
  5. Profit

Right now I’m leaning towards option B. In general, any list that contains ??? and Profit is inherently more attractive to me. Besides, perhaps this is a sign from above that I was not meant to play this game. Call it fate, destiny or divine intervention. Perhaps there is something to it.

In fact, I don’t even feel like playing this game anymore. I don’t want to give them my money. This lousy customer experience left a bad taste in my mouth. All I really wanted was to give them some of my money - but apparently they don’t really give a flying fuck if they lose a customer. They can afford to lock your account on a whim, and don’t give their billing support the tools to properly troubleshoot these sorts of problems. I’m not going to encourage that behavior by giving them my money. Not that this actually means anything, since they have like a bazillion subscribers, but it makes me feel better.

I’m not sure if this is a common thing with these trial accounts. Anyone else ever had issues upgrading from them? Perhaps I’m just lucky. My advice for anyone who wants to do the trial would be not to get attached to their characters too much because this sort of thing may happen.

The Death of CAPTCHA

July 1st, 2008 11:19 AM by Luke Maciak

For a while now we have known that CAPTCHAs were becoming irrelevant. They were a great solution when they were first introduced, but I think everyone knew that they were not going to be around for long. The trend in technology is constant improvement - so OCR engines will continue to improve with each passing year. CAPTCHA strength, on the other hand, has an upper bound because it needs to be human readable. You can continue making the pictures more complex and tricky to solve, but at some point they become as incomprehensible to a human being as they are to some random bot. For example, how do you guys like the Rapidshare dog/cat CAPTCHA?

The Infamous Cat CAPTCHA

I personally hate that one. Yes, you can sort of figure it out but you actually have to put some effort into it, and sometimes it’s just pure guesswork. Does it help against the automated scripts? I don’t know - I guess this is a question we should direct at Rapidshare. But it sure is annoying to regular users.

The OCR technology is not there yet - it’s getting better, but I presume we could still get a few years out of our CAPTCHAs if their effectiveness boiled down to a complexity-of-design vs. character-recognition arms race. But we all know there is a growing cottage industry out there which uses real people to solve CAPTCHAs, either by tricking them into doing it or by paying them per solved puzzle. I always imagined this to be a rather shady business conducted in private spammer forums and via private channels. But it is not. They are actually doing this out in the open, as a legitimate paid service:

Image To Text

Here is a screenshot of imagetotext.com - a company which specializes in solving CAPTCHAs. Of course they don’t say it like that, but I think the blurbs on their site make it pretty clear that they are not really interested in doing any sort of data entry tasks or in transcribing freehand text into digital format. They are interested in receiving a small image and shooting back the text at $.02 a pop, bought in “packages” of 500 images or more. With a narrow focus like that, what else could they be doing?

Note that I’m not linking to them, because sure as hell they don’t need any Google juice from me. The ubiquity of CAPTCHA has basically created a new niche industry. All you need now is some clever script that will harvest CAPTCHAs, send them to Image to Text, receive the responses and create accounts on popular online services. Thank god these sorts of scripts are shady, and probably hard to get, right? You either have to make them yourself, or know where to find them, or who to ask for them. It’s not like anyone can just go to a website and buy, for example, an automated Myspace account creator. Right?

allBots Inc.

This one is from allbots.info - a website that seems to be selling precisely that: account generation scripts that create random profiles and simply need a human being solving CAPTCHAs really fast for them. So you buy one of these apps, purchase a big-ass package from ImageToText, and you can start building your brand new spam empire. All it takes is some cash - you can even be borderline retarded. It won’t slow you down.

Combine the two services and you have yourself a deadly combo with no programming and no thinking required. A bit scary if you think about it. I’m not sure how profitable these two companies are, but the fact that they exist indicates that there is demand for these types of services out there.

CAPTCHAs may be effective in stopping your average home-grown spammer, but they are actually creating a whole micro-industry revolving around circumventing them. In other words, they are actually performing natural selection - weeding out the weak players with few resources, and leaving only the biggest, baddest and most determined in the game. They are the catalyst, helping to evolve bigger and better bad guys.

Public Turing tests may be doomed, and I suspect they might get completely phased out from use on the web in the next 5-10 years. And it’s not just CAPTCHAs - all public Turing tests. After all, it doesn’t matter if you are interpreting an image, solving an equation or answering a question - it doesn’t really matter if there is a low-wage human worker solving it on the other end and then handing control over to a script.

Google has an interesting idea going on with their text-message-based verification. If you haven’t seen it, try signing up for one of their services such as Gmail or Google App Engine. Instead of using a CAPTCHA they send a text message with an activation code to your cell phone. At least for the time being this system remains much harder to game - which means we might see it being used more and more often by popular online services. Of course it does have serious downsides, as not everyone with an internet connection may have a cell phone (think less developed countries) and not all cell carriers may be supported. We will need something else - but what?
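As an added illustration of the text-message approach described above (my own sketch, not Google’s implementation and not code from the post): a hypothetical `ActivationCodes` class that generates a six-digit code, hands it to a pluggable SMS sender, keeps only a salted hash server-side, and accepts it once, within an assumed ten-minute lifetime and at most three wrong guesses. The phone number, lifetime and attempt limit are constructed for the example, and the clock is injected so that expiry can be demonstrated without waiting.

```python
import hashlib
import hmac
import os
import secrets

CODE_TTL_SECONDS = 10 * 60   # assumed lifetime of an activation code
MAX_ATTEMPTS = 3             # assumed cap on wrong guesses per code


class ActivationCodes:
    """Hypothetical server side of an SMS activation flow.

    `send(phone, code)` stands in for the SMS gateway and is the only place the
    plaintext code goes; `now()` returns the current time in seconds.
    """

    def __init__(self, send, now):
        self._send = send
        self._now = now
        self._pending = {}   # phone -> [salt, digest, issued_at, wrong_attempts]

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, phone):
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        salt = os.urandom(16)
        self._pending[phone] = [salt, self._digest(salt, code), self._now(), 0]
        self._send(phone, code)

    def verify(self, phone, code):
        """Returns 'ok', 'wrong', 'expired', 'locked' or 'unknown'.

        A code is single-use: success, expiry and lockout all discard it."""
        entry = self._pending.get(phone)
        if entry is None:
            return "unknown"
        salt, digest, issued_at, attempts = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._pending[phone]
            return "expired"
        if attempts >= MAX_ATTEMPTS:
            del self._pending[phone]
            return "locked"
        if hmac.compare_digest(digest, self._digest(salt, code)):
            del self._pending[phone]
            return "ok"
        entry[3] = attempts + 1
        return "wrong"


def demo():
    """Runs the flow against a fake clock and a fake SMS outbox; returns the
    outcome of each scenario so it can be checked."""
    clock = [1_000_000]
    outbox = {}
    codes = ActivationCodes(send=lambda phone, code: outbox.__setitem__(phone, code),
                            now=lambda: clock[0])
    phone = "+15555550100"   # constructed number
    results = {}

    # Scenario 1: one wrong guess, then the right code, then an attempt to reuse it.
    codes.issue(phone)
    real = outbox[phone]
    wrong = "000000" if real != "000000" else "111111"
    results["wrong"] = codes.verify(phone, wrong)
    results["ok"] = codes.verify(phone, real)
    results["reuse"] = codes.verify(phone, real)

    # Scenario 2: the right code, but after the lifetime has passed.
    codes.issue(phone)
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = codes.verify(phone, outbox[phone])

    # Scenario 3: too many wrong guesses, then the right code.
    codes.issue(phone)
    real = outbox[phone]
    wrong = "000000" if real != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        codes.verify(phone, wrong)
    results["locked"] = codes.verify(phone, real)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hash-plus-attempt-cap design is that a six-digit code has only a million possibilities, so without the cap and the lifetime an online guessing loop would succeed in minutes; with them, the code is only as exposed as the handset that received it.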

It will be interesting to observe where anti-bot technology goes in the next few years.

Dynamic Method Creation in Python

June 30th, 2008 11:34 AM by Luke Maciak

I like to use this example to totally freak out Java people. Cool dynamic languages such as Python or Ruby allow you to modify the definition of any class on the fly. Javascript lets you do that too, but then again Javascript does not really have classes right now. It’s a prototype-based language - at least until ECMAScript 4 descends from the heavens in a beam of heavenly light and brings forth much awesomeness. Here is how you do it in Python.

Observe:

>>> class Person:
...     def __init__(self, fname, lname):
...         self.fname = fname
...         self.lname = lname
...
>>> john = Person("John", "Smith")
>>>
>>> Person.whatisyourname = lambda p: "My name is " \
...     + p.fname + " " + p.lname
>>>
>>> john.whatisyourname()
'My name is John Smith'

Every new instance of Person will now have a whatisyourname() method. C and Java people are probably sneering right now at how insecure this is, how it breaks encapsulation, etc. I used to be like that too, but I reformed. What I see here is raw power.

I’m putting this here because I was trying to do closures in Python but found out you can’t really do them. Python has lambda functions instead, which are really a Lisp concept. The only difference between a Python lambda function and a closure is that a lambda must evaluate to something. In other words, its body must be an expression rather than a statement. Which makes perfect sense in Lisp because it has no statements. In Lisp everything is an expression - and frankly, that is not a bad idea. It lets you chain stuff pretty nicely.

If you need to use Python statements however, you can’t use lambda. You just have to use regular assignment:

>>> def foo(self):
...     if self.fname < self.lname:
...         print("foo")
...     else:
...         print("bar")
...
>>> Person.foo = foo
>>> john.foo()
foo
>>> zack = Person("Zack", "Abrams")
>>> zack.foo()
bar

Of course the downside here is that this is not a closure, and that the method definition exists outside the class on its own, which can contribute to clutter in your code. On the other hand, perhaps this isn’t so bad, as it allows you to do stuff like:

>>> foo(john)
foo
>>> foo(zack)
bar
>>> foo = Person.whatisyourname
>>> foo(john)
'My name is John Smith'

I guess it’s part of Python’s charm that standalone functions can easily become instance methods, and instance methods can easily be used as standalone functions.
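Putting the two halves of the post together, here is an added example (mine, not the post’s own code) that builds the statement-bodied method inside a factory function, so that `greeting` is captured from the enclosing scope instead of living at module level, and contrasts attaching a function to the class (visible on every instance, including `john`, who existed before the assignment) with attaching it to a single instance via `types.MethodType`. `make_greeter`, `attach_to_class`, `attach_to_instance` and the second person’s method name are my own; the `Person` class and the two names are the post’s.

```python
import types


class Person:
    def __init__(self, fname, lname):
        self.fname = fname
        self.lname = lname


def make_greeter(greeting):
    """Factory: the nested function has a statement body and keeps a reference
    to `greeting` from this scope, so no helper needs to sit at module level."""
    def greet(self):
        if self.fname < self.lname:
            order = "first name sorts first"
        else:
            order = "last name sorts first"
        return "%s, %s %s (%s)" % (greeting, self.fname, self.lname, order)
    return greet


def attach_to_class(cls, name, func):
    """Assigning on the class reaches every instance, including ones that
    were created before the assignment (the post's john)."""
    setattr(cls, name, func)


def attach_to_instance(obj, name, func):
    """Assigning on one instance needs explicit binding: a bare function stored
    on an instance is not a method and would not receive `self`."""
    setattr(obj, name, types.MethodType(func, obj))


def demo():
    """Exercises both kinds of attachment; returns the results for checking."""
    john = Person("John", "Smith")          # created before any method exists
    attach_to_class(Person, "greet", make_greeter("Hello"))
    zack = Person("Zack", "Abrams")
    attach_to_instance(zack, "shout", make_greeter("HEY"))
    return {
        "john_greet": john.greet(),
        "zack_greet": zack.greet(),
        "zack_shout": zack.shout(),
        "john_has_shout": hasattr(john, "shout"),   # instance-only: False
        "standalone_call": Person.greet(john),      # same function, used directly
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Because an assignment on the class is process-wide, any code that runs in the interpreter can redefine behaviour for every caller at once; that is the flip side of the raw power the post describes, and it is a good reason to keep dynamically attached methods in one well-known place rather than scattered across modules.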