What users say versus what they mean
-
@Unperverted-Vixen said in What users say versus what they mean:
"The password for the entered username is wrong"
"Username or password is incorrect"
I don't see a substantive difference between those error messages. They tell you that one of the two is wrong; they don't tell you which one.
"The username is not known" is the one you're missing. And is the one (including at least one you did mention) that shouldn't be displayed.
-
@PJH said in What users say versus what they mean:
"The username is not known" is the one you're missing. And is the one (including at least one you did mention) that shouldn't be displayed.
That was on purpose, since I was arguing against that concept separately.
-
@Tsaukpaetra said in What users say versus what they mean:
Guess telling them that "That username is invalid" really didn't help security none, did it?
Nor did trying the same username multiple times. Your point?
-
@pie_flavor
What, how, why? One of my gripes has been the exact opposite. Yes, I know null values in maps are considered harmful, but three nines haven't got that memo (and I don't entirely agree with it either, but that's another story). How does it help in any way? Not having the key is a screw-up. So instead of TryGetValue() I must containsKey() and get() if it does, doing the lookup twice? Tell me, does IndexOutOfBounds also bother you then?
...
You know what, maybe I actually don't want to know.
@levicki said in What users say versus what they mean:
"Object reference not set to an instance of an object" at line of code which looks like ref1.ref2.ref3.member -- which fucking object?
Apparently CLR does not know. Jon Skeet said it, so it must be true. Visual Studio, however, does display which fucking object it was while debugging. I had to be told that to even notice.
-
@Polygeekery said in What users say versus what they mean:
@dkf said in What users say versus what they mean:
@Polygeekery said in What users say versus what they mean:
"Some of my emails aren't going through" which 99% of the time means "I am getting grief for not doing something, so I am going to blame it on email as to why it was not sent out on time"
Either that or they forgot to press Send.
I forgot about that one. That is probably the most common cause of "My emails aren't going out/getting to who I send them to".
I am guilty of that one, but I know the cause. Anytime someone says something about how I promised to send them something and I know I sent it I check my drafts folder. I can usually trace it back to the email being done and everything except me hitting "Send" and then the phone rang **SQUIRREL**. That causes my CRS to kick in.
FTFM
-
@levicki said in What users say versus what they mean:
like that is the which leads to spending hours trying to figure out what exactly is going on.
You cannot possibly write error messages for every possible thing. You write them to get you in the ballpark and give you some idea where to look. If you write them for every possible thing then you might as well look for bugs and fix them.
-
Less than 50 posts and the thread went to shit.
Not too bad considering the crowd.
-
@PJH said in What users say versus what they mean:
@levicki said in What users say versus what they mean:
Try what? Username? Or password? Or both? Don't you fucking know which one is wrong?
Yes.
Giving hints in this situation is wrong™.
"It looks like you're having trouble logging in. In your last attempt, 4 characters were right, and 2 of them were in the right position!"
-
@PJH said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
Guess telling them that "That username is invalid" really didn't help security none, did it?
Nor did trying the same username multiple times. Your point?
I don't understand the question.
-
@Applied-Mediocrity said in What users say versus what they mean:
Visual Studio, however, does display which fucking object it was while debugging. I had to be told that to even notice.
SHOW ME THIS MAGIC!
Um... If you want to....
-
@pie_flavor said in What users say versus what they mean:
Not in the fucking slightest. Absolutely nobody reads the error boxes unless someone tells them to.
Unless it states to contact your IT department. Then they create a ticket at the software manufacturer ...
-
@Tsaukpaetra said in What users say versus what they mean:
That's why we have one account in this company.
Don't you only have one developer or something?
-
@dkf said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
That's why we have one account in this company.
Don't you only have one developer or something?
In the place I'm talking about? There are no developers. Just a bunch of moderately hot chicks and a doctor.
But at the place I'm at at the moment? I'm literally the only active guy, everyone else was laid off.... and there's an account for everyone. So, yeah.
-
@Tsaukpaetra said in What users say versus what they mean:
a bunch of moderately hot chicks
The chicken farm needs better AC then. That's going to be really important in AZ…
-
@pie_flavor said in What users say versus what they mean:
Absolutely nobody reads the error boxes unless someone tells them to.
QFT
One of my coworkers used to maintain a system that actually produced good error messages. He would have conversations like this with a particular one of his users multiple times a day…
The service isn't working.
What did the error message say?
Oh. Thank you. I see what I did wrong.
Yes, that user was definitely smarter than average.
-
@dkf said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
a bunch of moderately hot chicks
The chicken farm needs better AC then. That's going to be really important in AZ…
Most of the time swamp coolers are enough, but when they're not...
-
@Polygeekery said in What users say versus what they mean:
Less than 50 posts and the thread went to shit.
More than 1 is better than a lot of topics here.
-
@loopback0 in a topic started by @Polygeekery to boot!
-
@Tsaukpaetra said in What users say versus what they mean:
"It looks like you're having trouble logging in. In your last attempt, 4 characters were right, and 2 of them were in the right position!"
-
@Polygeekery said in What users say versus what they mean:
Less than 50 posts and the thread went to shit.
Not too bad considering the crowd.
Needs more Wharrgarbl.
-
@Zerosquare said in What users say versus what they mean:
X doesn't work.
means
I may not even have actually started doing X. I'm just angry and need someone to take the blame for it.
Corollary:
NOTHING WORKS!
means
One very specific thing does not work, but I'm not gonna bother telling you what that is before you giving me a 3rd degree for 15 minutes wasting both your time and mine.
Paradoxically, it was said because
If I tell them NOTHING works they will consider it more important and hence fix it faster!
-
@kazitor said in What users say versus what they mean:
@loopback0 in a topic started by @Polygeekery to boot!
-
@levicki said in What users say versus what they mean:
"You must complete all fields before clicking Submit" almost every web form -- why not just tell me which ones I missed in order?
I tried to register for a website and I got an error that my email address was invalid.
Since it was something I needed I emailed them from my invalid email address with a screenshot quoting my email address (which I did double check and triple check to make sure it wasn't a typo).
-
@Karla said in What users say versus what they mean:
@levicki said in What users say versus what they mean:
"You must complete all fields before clicking Submit" almost every web form -- why not just tell me which ones I missed in order?
I tried to register for a website and I got an error that my email address was invalid.
Since it was something I needed I emailed them from my invalid email address with a screenshot quoting my email address (which I did double check and triple check to make sure it wasn't a typo).
I wonder if you'll ever hear back... Since it's "invalid", can they email you back?
-
@levicki said in What users say versus what they mean:
It's Game Over man.
So, no passwords for anyone, then? It's not Game Over at that point and you still do want to limit how much information you give an attacker. Can you? Not really, the user name is probably obvious if they're trying to do a console login. But is it Game Over and should we discard the practice of giving minimal information to attackers? No, not that either.
-
@levicki Mm, I think most people here understand that and you're pitching a bitch for fun.
-
Many moons ago, I was tasked with writing diagnostic tools for the in-house product assembler-testers. Their job was to take the various parts (cases, motherboards, pressure sensors, and so on) and put them together, then put them into a test harness to make sure they were working. My task in this instance was to write programs to help them do their jobs, including the one that ran the test harness.
I put more-than-adequate error messages in there to handle some weird cases that normally meant they hadn't plugged the frobulator into the dizwaz, but occasionally they cropped up anyway (usually, it indicated a bug, but once in a while it meant that the cable that connected the frobulator to the dizwaz was faulty), and young master Dougal would come round to see me, saying, "The test program has put up an error message." Universally, I asked him, "What did it say?" at which point he would go away to find out.
To his credit, he did eventually develop the habit of noting the message on a piece of paper to save himself the extra trip...
-
@Polygeekery said in What users say versus what they mean:
@Benjamin-Hall said in What users say versus what they mean:
"I'm so bad at this" => "I made a mistake."
You are in teaching. When you are in IT support it means something different:
"I'm so bad at this" => "I just broke it really badly. You're going to be here for a while. I hope you brought a USB installer because you might have to pave over and reinstall to fix this one."
Some screwups cannot be paved over. Like a virus that updates some firmware. You might have to nuke it from orbit.
-
@levicki said in What users say versus what they mean:
@Gribnit said in What users say versus what they mean:
But is it Game Over and should we discard the practice of giving minimal information to attackers?
What I am saying is that we should never rely on "giving minimal information to attackers" as a security measure.
If it's a sole security measure, then you're right, but it never is a sole security measure. That said, giving non-minimal information to attackers is a form of information disclosure weakness.
Consider two consoles with a prompt that says, "Login:" and has a blinky cursor afterwards.
Console 1 is polite and tells you that the user name you entered is wrong, or it asks you for a password. Immediately, you know something about the list of usable user names.
Console 2 is grumpy and asks you for a password regardless, then tells you that what you typed was not valid (and no more information than that). You have learned nothing about the list of user names.
It may be that the attacker just wants to be able to find which machine allows user "glibf" to log in (so he can install his logging keyboard on the right machine). Console 1 allows him to do this, while Console 2 does not.
-
@levicki said in What users say versus what they mean:
"The user name or password is incorrect. Try again." -- Try what? Username? Or password? Or both? Don't you fucking know which one is wrong?
Well to be fair, not only is this good for security, but most likely backed by a query like
select * from users where username=%1 and password=%2.
It really doesn't know (without doing more work) which one was wrong.
-
@Steve_The_Cynic said in What users say versus what they mean:
@levicki said in What users say versus what they mean:
@Gribnit said in What users say versus what they mean:
But is it Game Over and should we discard the practice of giving minimal information to attackers?
What I am saying is that we should never rely on "giving minimal information to attackers" as a security measure.
If it's a sole security measure, then you're right, but it never is a sole security measure. That said, giving non-minimal information to attackers is a form of information disclosure weakness.
Consider two consoles with a prompt that says, "Login:" and has a blinky cursor afterwards.
Console 1 is polite and tells you that the user name you entered is wrong, or it asks you for a password. Immediately, you know something about the list of usable user names.
Console 2 is grumpy and asks you for a password regardless, then tells you that what you typed was not valid (and no more information than that). You have learned nothing about the list of user names.
It may be that the attacker just wants to be able to find which machine allows user "glibf" to log in (so he can install his logging keyboard on the right machine). Console 1 allows him to do this, while Console 2 does not.
Speaking of information disclosure, an attacker can guess the password using a timing attack by calculating how long it takes you to answer with a no.
So try not to give attackers any edge.
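The Console 1 / Console 2 contrast and the timing point from the post above, as an added example that is not part of the thread: a login check that answers with distinct messages and skips hashing for unknown users, next to one that returns a single message and does the same key-derivation work either way. The names (`USERS`, `console1_login`, `console2_login`), the PBKDF2 parameters and the sample account are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Single failure message, taken from the wording quoted earlier in the thread.
GENERIC_ERROR = "Username or password is incorrect"
ITERATIONS = 50_000  # constructed value for the demo, not a recommendation


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str):
    """Return (salt, hash) as it would be stored for one account."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


# Constructed user store with one sample account.
USERS = {"glibf": make_record("correct horse battery staple")}

# Throwaway record hashed against when the username is unknown, so that
# a miss costs the same work as a wrong password for a real account.
DUMMY_SALT, DUMMY_HASH = make_record(os.urandom(16).hex())


def console1_login(username: str, password: str):
    """'Polite' console: reveals whether the username exists, both through
    the message and through the skipped hash computation."""
    record = USERS.get(username)
    if record is None:
        return False, "The username is not known"
    salt, stored = record
    if not hmac.compare_digest(derive(password, salt), stored):
        return False, "The password for the entered username is wrong"
    return True, "Welcome"


def console2_login(username: str, password: str):
    """'Grumpy' console: one message, same hashing cost for every attempt,
    constant-time comparison of the derived hash."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
    matches = hmac.compare_digest(derive(password, salt), stored)
    if record is not None and matches:
        return True, "Welcome"
    return False, GENERIC_ERROR


def distinct_failure_messages(login):
    """Messages seen when probing a known and an unknown username with a
    wrong password; more than one means usernames can be enumerated."""
    probes = [("glibf", "wrong"), ("nosuchuser", "wrong")]
    return {login(user, pw)[1] for user, pw in probes}


if __name__ == "__main__":
    print("console 1:", distinct_failure_messages(console1_login))
    print("console 2:", distinct_failure_messages(console2_login))
```

The same probe pair makes a useful regression test for any login endpoint: the set of failure responses should contain exactly one element.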
-
@dcon said in What users say versus what they mean:
@Karla said in What users say versus what they mean:
@levicki said in What users say versus what they mean:
"You must complete all fields before clicking Submit" almost every web form -- why not just tell me which ones I missed in order?
I tried to register for a website and I got an error that my email address was invalid.
Since it was something I needed I emailed them from my invalid email address with a screenshot quoting my email address (which I did double check and triple check to make sure it wasn't a typo).
I wonder if you'll ever hear back... Since it's "invalid", can they email you back?
To their credit, they responded in less than 24 hours. They created the account and I was able to log in.
-
@Karla said in What users say versus what they mean:
@dcon said in What users say versus what they mean:
@Karla said in What users say versus what they mean:
@levicki said in What users say versus what they mean:
"You must complete all fields before clicking Submit" almost every web form -- why not just tell me which ones I missed in order?
I tried to register for a website and I got an error that my email address was invalid.
Since it was something I needed I emailed them from my invalid email address with a screenshot quoting my email address (which I did double check and triple check to make sure it wasn't a typo).
I wonder if you'll ever hear back... Since it's "invalid", can they email you back?
To their credit, they responded in less than 24 hours. They created the account and I was able to log in.
Samsung products will say your email is invalid if it has the word samsung in it. Apparently samsung@mydomain.com is not valid email.
Sam.Sung@mydomain.com is all good though.
-
I got a specific example from many years ago. I was new to a job where we built ecommerce sites, so they gave me Jira tickets that were basically direct quotes from our clients without interpretation from a PM or support. So I learned later on to take all of these with a grain of salt. This particular ticket was painful to interpret, much less diagnose.
When I go to the contact page and submit, it gives me bugs. It doesn't matter if I submit it with valid data or not, it's just bugs. I submit it with a short description, bugs... Long description, bugs... No description, bugs.
Before asking the client to be more descriptive, I figured things would be apparent if I just went in and tried it out for myself. I went to the page in question and submitted it... Was fine. I tried all kinds of methods to reproduce and it worked fine. No bugs. I got them to verify that they did indeed get the submission in their CRM. Then before I got the chance to ask them to be more fucking descriptive in their report, they give me this critical piece of info: They were on mobile.
I try it on my phone, and sure enough when I submitted the form it went to a custom 404 page. This page had these two crudely drawn cartoon anthropomorphic house flies. One was sneezing and the other told him, "gadhunzeit." I spent several seconds just staring at my phone in deep reflection. They indeed were bugs. The client was speaking both figuratively and literally.
-
@Applied-Mediocrity said in What users say versus what they mean:
Must be new. I've yet to see that...
-
@levicki said in What users say versus what they mean:
was specifically talking about Windows logon but sure be a dick and bring in password managers.
Really? When? You never specifically said that ever. Tucker.
-
@levicki said in What users say versus what they mean:
What I am saying is that we should never rely on "giving minimal information to attackers" as a security measure.
Who claimed that that was the first last and only security measure being relied on? I wanna know, I'm profiling your
-
@levicki said in What users say versus what they mean:
@Gribnit said in What users say versus what they mean:
@levicki Mm, I think most people here understand that and you're pitching a bitch for fun.
Are you implying I am having a good time?
You wouldn't respond if you weren't. Who repeatedly comes back to have a bad time? Wait, don't answer that, I'll just keep that in my notes....
-
@Tsaukpaetra said in What users say versus what they mean:
@levicki said in What users say versus what they mean:
@Gribnit said in What users say versus what they mean:
@levicki Mm, I think most people here understand that and you're pitching a bitch for fun.
Are you implying I am having a good time?
You wouldn't respond if you weren't. Who repeatedly comes back to have a bad time? Wait, don't answer that, I'll just keep that in my notes....
Where do you all keep getting these notebooks? Has one of the nurses left a supply closet unlocked?
-
@Gribnit said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
@levicki said in What users say versus what they mean:
@Gribnit said in What users say versus what they mean:
@levicki Mm, I think most people here understand that and you're pitching a bitch for fun.
Are you implying I am having a good time?
You wouldn't respond if you weren't. Who repeatedly comes back to have a bad time? Wait, don't answer that, I'll just keep that in my notes....
Where do you all keep getting these notebooks? Has one of the nurses left a supply closet unlocked?
When you're digital making copies is basically free.
-
@Tsaukpaetra said in What users say versus what they mean:
@Gribnit said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
@levicki said in What users say versus what they mean:
@Gribnit said in What users say versus what they mean:
@levicki Mm, I think most people here understand that and you're pitching a bitch for fun.
Are you implying I am having a good time?
You wouldn't respond if you weren't. Who repeatedly comes back to have a bad time? Wait, don't answer that, I'll just keep that in my notes....
Where do you all keep getting these notebooks? Has one of the nurses left a supply closet unlocked?
When you're digital making copies is basically free.
Aren't you in the EU? Did you get all the permissions necessary?
-
@Gribnit said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
@Gribnit said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
@levicki said in What users say versus what they mean:
@Gribnit said in What users say versus what they mean:
@levicki Mm, I think most people here understand that and you're pitching a bitch for fun.
Are you implying I am having a good time?
You wouldn't respond if you weren't. Who repeatedly comes back to have a bad time? Wait, don't answer that, I'll just keep that in my notes....
Where do you all keep getting these notebooks? Has one of the nurses left a supply closet unlocked?
When you're digital making copies is basically free.
Aren't you in the EU? Did you get all the permissions necessary?
No, I just asked them to get a permit to check.
-
@Steve_The_Cynic said in What users say versus what they mean:
To his credit, he did eventually develop the habit of noting the message on a piece of paper to save himself the extra trip...
And then he cursed you because he couldn't slack off as much?
-
@Steve_The_Cynic said in What users say versus what they mean:
To his credit, he did eventually develop the habit of noting the message on a piece of paper
Did you eventually print out a cardboard cutout of yourself with a speech bubble and clip so he could thence attach the message into the speech bubble and save himself time coming over you?
-
@Tsaukpaetra said in What users say versus what they mean:
@Steve_The_Cynic said in What users say versus what they mean:
To his credit, he did eventually develop the habit of noting the message on a piece of paper
Did you eventually print out a cardboard cutout of yourself with a speech bubble and clip so he could thence attach the message into the speech bubble and save himself time coming over you?
I think you may have got confused here - to clarify, the message written down was the message which was not about any other message in the set of messages discussing the message under discussion.
-
@Gribnit said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
@Steve_The_Cynic said in What users say versus what they mean:
To his credit, he did eventually develop the habit of noting the message on a piece of paper
Did you eventually print out a cardboard cutout of yourself with a speech bubble and clip so he could thence attach the message into the speech bubble and save himself time coming over you?
I think you may have got confused here - to clarify, the message written down was the message which was not about any other message in the set of messages discussing the message under discussion.
In other words... A paper trail?
-
@dangeRuss said in What users say versus what they mean:
@Karla said in What users say versus what they mean:
@dcon said in What users say versus what they mean:
@Karla said in What users say versus what they mean:
@levicki said in What users say versus what they mean:
"You must complete all fields before clicking Submit" almost every web form -- why not just tell me which ones I missed in order?
I tried to register for a website and I got an error that my email address was invalid.
Since it was something I needed I emailed them from my invalid email address with a screenshot quoting my email address (which I did double check and triple check to make sure it wasn't a typo).
I wonder if you'll ever hear back... Since it's "invalid", can they email you back?
To their credit, they responded in less than 24 hours. They created the account and I was able to log in.
Samsung products will say your email is invalid if it has the word samsung in it. Apparently samsung@mydomain.com is not valid email.
Sam.Sung@mydomain.com is all good though.
Butbutbut - I want SamSungMeASong@gmail!
-
@Tsaukpaetra said in What users say versus what they mean:
Who repeatedly comes back to have a bad time?
I believe the answer starts with "Blakey" and ends with "Rat".
-
@Zerosquare said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
Who repeatedly comes back to have a bad time?
I believe the answer starts with "Blakey" and ends with "Rat".
Not lately. Seems lessons can be learned.