What users say versus what they mean
-
@levicki said in What users say versus what they mean:
"The user name or password is incorrect. Try again." -- Try what? Username? Or password? Or both? Don't you fucking know which one is wrong?
"Incorrect username. Password is correct"
-
@levicki said in What users say versus what they mean:
That is not a security measure -- that is security through obscurity. Security measures are failure audit logs and the computer refusing further login attempts after N unsuccessful attempts.
It absolutely is. There is no reason to allow user enumeration vulnerabilities (yes, vulnerability - look up OWASP-AT-002) when the user experience is not enhanced by providing that information. Stop advocating for bad security just because you are mildly inconvenienced by not knowing what you typoed.
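The distinction the two posts above are arguing over, as an added example that is not part of the thread or any vendor's code: the "leaky" login returns a different message depending on whether the username exists, which is exactly the enumeration weakness referenced via OWASP-AT-002; the "uniform" login returns one generic message, does the same amount of password-hashing work whether or not the user exists (so response timing does not leak it either), and writes the real reason to a failure audit log instead of showing it to the client. The user store, salt and password below are constructed sample data.

```python
import hashlib
import hmac
import logging
import os

# Constructed sample user store for this example (not from the forum post).
# Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes.
_SALT = b"constructed-static-salt-for-demo"


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {
    "alice": _hash("correct horse"),
}

# A hash that matches no real password. Unknown usernames are compared against
# it so that the failure path costs the same time as for a known username.
_DUMMY_HASH = _hash(os.urandom(16).hex())

GENERIC_ERROR = "The user name or password is incorrect. Try again."


def login_leaky(username: str, password: str):
    """The 'before' behaviour: distinct messages reveal which usernames exist."""
    stored = USERS.get(username)
    if stored is None:
        return (False, "Incorrect username.")
    if not hmac.compare_digest(stored, _hash(password)):
        return (False, "Incorrect password.")
    return (True, "Welcome")


def login_uniform(username: str, password: str, audit=logging.getLogger("auth")):
    """The hardened behaviour: one message and one amount of work on every failure."""
    known = username in USERS
    stored = USERS.get(username, _DUMMY_HASH)
    # compare_digest is constant-time in the length of the digest; the PBKDF2
    # call runs for unknown users too, so timing does not distinguish them.
    password_ok = hmac.compare_digest(stored, _hash(password))
    if not (known and password_ok):
        # The detail that would help an attacker goes to the audit log only.
        audit.warning("login failed user=%r known=%s", username, known)
        return (False, GENERIC_ERROR)
    return (True, "Welcome")


def responses_distinguish_users(login) -> bool:
    """True if a login function's failure message differs between an unknown
    user and a known user with a wrong password."""
    unknown = login("nobody", "wrong")[1]
    known = login("alice", "wrong")[1]
    return unknown != known
```

The audit log line is where "which one was wrong" belongs: the operator who reviews failed-login records can see that a burst of failures hit unknown usernames, while the client only ever sees the generic message.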
-
@Steve_The_Cynic said in What users say versus what they mean:
Many moons ago, I was tasked with writing diagnostic tools for the in-house product assembler-testers. [...]
Y'know, that's where I thought: "Oh god, who actually wants to test assembler?"
Then I read on.
-
@Karla said in What users say versus what they mean:
I tried to register for a website and I got an error that my email address was invalid.
Since it was something I needed I emailed them
Back in the day, before they were bought by Oracle, Sun refused to accept an address containing a hyphen in either the user or domain parts of the address. I didn't need to register the account enough to bother emailing them, though.
-
@dangeRuss said in What users say versus what they mean:
@Karla said in What users say versus what they mean:
@dcon said in What users say versus what they mean:
@Karla said in What users say versus what they mean:
@levicki said in What users say versus what they mean:
"You must complete all fields before clicking Submit" almost every web form -- why not just tell me which ones I missed in order?
I tried to register for a website and I got an error that my email address was invalid.
Since it was something I needed I emailed them from my invalid email address with a screenshot quoting my email address (which I did double check and triple check to make sure it wasn't a typo).
I wonder if you'll ever hear back... Since it's "invalid", can they email you back?
To their credit, they responded in less than 24 hours. They created the account and I was able to log in.
Samsung products will say your email is invalid if it has the word samsung in it. Apparently samsung@mydomain.com is not valid email.
Sam.Sung@mydomain.com is all good though.
I can't register for a certain PCB fabricator because my email address has "cursor" in it. On a hunch, I then tested "update", "drop", "select" and it's quite obviously some pants-on-head SQL-injection prevention.
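What the PCB fabricator's form is presumably doing, beside what it should be doing, as an added example that is not the fabricator's code or anything from the thread: a substring keyword blacklist rejects perfectly legitimate addresses (anything containing "cursor", "drop", "select", and, as a later post notes, "grant") while giving no real protection, whereas a parameterised INSERT lets the database driver carry the value separately from the statement text, so any keyword or quote character in the address is stored as plain data. The keyword list, the e-mail regex and the sample addresses are constructed for this example; the database is an in-memory SQLite table.

```python
import re
import sqlite3

# Constructed blacklist of the kind the post describes (not the fabricator's actual list).
SQL_KEYWORDS = ("select", "update", "drop", "cursor", "grant")

# Deliberately loose syntactic check: one '@', no whitespace, a dot in the domain.
_EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def blacklist_rejects(email: str) -> bool:
    """The anti-pattern: reject any address containing an SQL keyword.
    This blocks real users and is not an injection defence."""
    lowered = email.lower()
    return any(keyword in lowered for keyword in SQL_KEYWORDS)


def register_parameterised(conn: sqlite3.Connection, email: str) -> bool:
    """The fix: validate the shape of the address, then bind it as a parameter.
    The statement text never contains the user-supplied value."""
    if not _EMAIL_RE.fullmatch(email):
        return False
    try:
        conn.execute("INSERT INTO users (email) VALUES (?)", (email,))
    except sqlite3.IntegrityError:  # duplicate address
        return False
    return True


def run_registrations(addresses):
    """Register each address both ways and return {address: (blacklisted, stored)}
    plus the rows actually stored, read back verbatim."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT UNIQUE)")
    outcomes = {}
    for addr in addresses:
        outcomes[addr] = (blacklist_rejects(addr), register_parameterised(conn, addr))
    stored = [row[0] for row in conn.execute("SELECT email FROM users ORDER BY rowid")]
    conn.close()
    return outcomes, stored


if __name__ == "__main__":
    # Constructed sample addresses: two hit the blacklist, one contains a quote character.
    sample = ["cursorkeys@example.com", "grant.smith@example.com", "o'brien@example.com"]
    for addr, (blacklisted, stored) in run_registrations(sample)[0].items():
        print(f"{addr:28} blacklist rejects={blacklisted!s:5} parameterised stored={stored}")
```

Reading the rows back shows the stored values are byte-for-byte what was submitted, apostrophe and keywords included; the database only ever saw them as bound parameters, which is the whole point of parameterisation.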
-
@Cursorkeys did I ever tell you about the guy named Grant that couldn't register?
-
@Tsaukpaetra said in What users say versus what they mean:
Not lately. Seems lessons can be learned.
I'm sure that like a certain Austrian actor, he'll be back one day or another.
-
@Gribnit said in What users say versus what they mean:
@Cursorkeys did I ever tell you about the guy named Grant that couldn't register?
I don't think you have, and this may be the only time I ever tell you this, but please tell us more.
-
@Rhywden said in What users say versus what they mean:
@Steve_The_Cynic said in What users say versus what they mean:
Many moons ago, I was tasked with writing diagnostic tools for the in-house product assembler-testers. [...]
Y'know, that's where I thought: "Oh god, who actually wants to test assembler?"
Then I read on.
Yeah, I thought long and hard about how I could express that without introducing that sort of ambiguity, and without using a metric crap-ton of words to express a fairly simple idea. He was one of the crew in the back of the building that assembled the product and then tested the results of their labour.
That said, testing (from the outside) code written in assembler should be just like testing code written in any other language.
-
@topspin said in What users say versus what they mean:
@levicki I’m sure there’s lots of terribly written error messages out there (that’s the UI bites thread), but
: “What did the message say?”
: “I don’t know.”
: “Did you click yes or no?”
: “I don’t know.”
can hardly be blamed on it.
Doesn’t matter how well or badly written the error message is when the user doesn’t read it.
That reminds me of a technical support conversation I had with my dad:
: , help, some message appeared!
: What does the message say?
: I don't know.
: Please go read it and tell me.
: It's asking if I want to delete file.txt.
: Do you?
: No.
: ...
-
@Deadfast I have this feeling this is a fairly common occurrence with older people who’ve only started using computers later in life, not just your father. My mother asks me questions like your father’s, while my father has no problems with this level of computer operation at all (yet he’s only been working with them for about forty years …) but sometimes gets confused by current ways of doing things that are different from how they were done ten or twenty years ago.
-
@Tsaukpaetra said in What users say versus what they mean:
@Zerosquare said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
Who repeatedly comes back to have a bad time?
I believe the answer starts with "Blakey" and ends with "Rat".
Not lately. Seems lessons can be learned.
"Instead of interacting with users here, stay on the forum's Discord server and bitch about people you don't interact with anymore there."
-
@Gurth said in What users say versus what they mean:
gets confused by current ways of doing things
I know that feel.
-
@Gurth said in What users say versus what they mean:
but sometimes gets confused by current ways of doing things that are different from how they were done ten or twenty years ago.
I'm just 23 and I do this too.
-
@Zecc @Gąska I don’t get confused, I just wish things were the way they used to be back then :nostalgia:
-
@Gurth it always takes me 2 minutes to remember how you mute channel in Slack. Right mouse button isn't a thing in 2019, apparently.
-
@Gąska Phones (and trendy macs) don't have one, which means we have to drag everything else down to their level.
-
@kazitor said in What users say versus what they mean:
@Gąska Phones (and trendy macs) don't have one, which means we have to drag everything else down to their level.
We used to joke
"What can your PC do my Mac can't, huh?"
"Right click!".
But it doesn't seem to work anymore.
-
"Windows / $application suddenly stopped working" => "I changed something but conveniently forgot what, and now I need you to hunt down what I did"
Bonus points if you point the change out to them and they remember it like "Oh yes, of course, I did that."
-
@AgentDenton said in What users say versus what they mean:
"Windows / $application suddenly stopped working" => "I changed something but conveniently forgot what, and now I need you to hunt down what I did"
Double so if the message comes from someone with 'IT' in their job description.
-
@dcon said in What users say versus what they mean:
@topspin said in What users say versus what they mean:
@levicki I’m sure there’s lots of terribly written error messages out there (that’s the UI bites thread), but
: “What did the message say?”
: “I don’t know.”
: “Did you click yes or no?”
: “I don’t know.”
can hardly be blamed on it.
Doesn’t matter how well or badly written the error message is when the user doesn’t read it.
Ok. Then I don't know how to help you. Case closed.
-
@Luhmann you just reminded me of this, since I've mostly seen this with our IT dept's manager
-
@levicki said in What users say versus what they mean:
@Gribnit said in What users say versus what they mean:
But is it Game Over and should we discard the practice of giving minimal information to attackers?
What I am saying is that we should never rely on "giving minimal information to attackers" as a security measure.
Defense in depth is not the same thing as relying on one of the particular things.
However, it seems hard for some of you to understand that.
No, the problem is that you're imagining things that people didn't say and not saying all of the things you're thinking, like that you were discussing Windows login and not logins in general, or this new canard that everyone was relying on not indicating which was incorrect.
-
@Zerosquare said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
Who repeatedly comes back to have a bad time?
I believe the answer starts with "Blakey" and ends with "Rat".
I made that joke once, but he didn't seem amused.
-
@Gąska said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
@Zerosquare said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
Who repeatedly comes back to have a bad time?
I believe the answer starts with "Blakey" and ends with "Rat".
Not lately. Seems lessons can be learned.
"Instead of interacting with users here, stay on the forum's Discord server and bitch about people you don't interact with anymore there."
This is almost enough to motivate me to start using Discord.
-
@levicki said in What users say versus what they mean:
@Steve_The_Cynic said in What users say versus what they mean:
It may be that the attacker just wants to be able to find which machine allows user "glibf" to log in (so he can install his logging keyboard on the right machine). Console 1 allows him to do this, while Console 2 does not.
As I said, at that point you have already failed at physical security and you have a much bigger problem.
Do they not have networks where you live?
The tradeoff between being hostile to intended users of the system and the security gained from being hostile to potential attackers should be much higher to be acceptable.
Yes, it's a trade off. You're just too narrowly focused on one particular use case and are ignoring a lot of other trade offs.
-
@boomzilla said in What users say versus what they mean:
@Gąska said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
@Zerosquare said in What users say versus what they mean:
@Tsaukpaetra said in What users say versus what they mean:
Who repeatedly comes back to have a bad time?
I believe the answer starts with "Blakey" and ends with "Rat".
Not lately. Seems lessons can be learned.
"Instead of interacting with users here, stay on the forum's Discord server and bitch about people you don't interact with anymore there."
This is almost enough to motivate me to start using Discord.
Annoying Blakey with your presence?
-
@Gąska sometimes, late at night...I miss him.
-
@boomzilla said in What users say versus what they mean:
@Gąska sometimes, late at night...I miss him.
I wish that sentence ended with "when the moon is full and I've mistaken the floor polish for cheap scotch again"
-
@DogsB said in What users say versus what they mean:
@boomzilla said in What users say versus what they mean:
@Gąska sometimes, late at night...I miss him.
I wish that sentence ended with "when the moon is full and I've mistaken the floor polish for cheap scotch again"
I considered more humorous elaboration but .
-
@dcon said in What users say versus what they mean:
@topspin said in What users say versus what they mean:
@levicki I’m sure there’s lots of terribly written error messages out there (that’s the UI bites thread), but
: “What did the message say?”
: “I don’t know.”
: “Did you click yes or no?”
: “I don’t know.”
can hardly be blamed on it.
Doesn’t matter how well or badly written the error message is when the user doesn’t read it.
Ok. Then I don't know how to help you. Case closed.
Oh, that's easy: get better users.
-
@Luhmann said in What users say versus what they mean:
@pie_flavor said in What users say versus what they mean:
Not in the fucking slightest. Absolutely nobody reads the error boxes unless someone tells them to.
Unless it states to contact your IT department. Then they create a ticket at the software manufacturer ...
Whoever approved regular users being able to create a ticket directly against the software vendor instead of having to go through their own IT department first (who could then escalate it to them if deemed appropriate) is just begging for an application of a clue-bat.
-
@Gąska said in What users say versus what they mean:
@Gurth it always takes me 2 minutes to remember how you mute channel in Slack. Right mouse button isn't a thing in 2019, apparently.
Everything is mobile!
-
Wrong password! Did you mean: hunter2?
-
@topspin said in What users say versus what they mean:
We used to joke
"What can your PC do my Mac can't, huh?"
"Right click!".
But it doesn't seem to work anymore.
No, we can now joke:
“What can your Mac do that my PC can’t, huh?”
“Scroll sideways with the mouse!” (and I don’t mean by clicking in the scroll bar).
-
@Gurth said in What users say versus what they mean:
No, we can now joke:
“What can your Mac do that my PC can’t, huh?”
“Scroll sideways with the mouse!” (and I don’t mean by clicking in the scroll bar).
PAH!
EDIT: StupidBox gonna stupid: it's about tilt wheels. Probably a better site around but clicking anything past first search result is
-
And it existed long before Apple's implementation. I have an old PS/2 mouse with two scroll wheels, built in ~1998.
-
@djls45
Last hold out of the days we used to be the it department and not a software vendor
-
@Gąska said in What users say versus what they mean:
@Gurth it always takes me 2 minutes to remember how you mute channel in Slack. Right mouse button isn't a thing in 2019, apparently.
No, most web-thingys seem to try and suppress the existence of a r-click.
-
@Polygeekery said in What users say versus what they mean:
@Gribnit said in What users say versus what they mean:
@Cursorkeys did I ever tell you about the guy named Grant that couldn't register?
I don't think you have, and this may be the only time I ever tell you this, but please tell us more.
GRANT is a SQL reserved keyword.
-
@Gąska said in What users say versus what they mean:
@Gurth it always takes me 2 minutes to remember how you mute channel in Slack. Right mouse button isn't a thing in 2019, apparently.
Do these icons occur somewhere in the UI?
-
@djls45 said in What users say versus what they mean:
@Polygeekery said in What users say versus what they mean:
@Gribnit said in What users say versus what they mean:
@Cursorkeys did I ever tell you about the guy named Grant that couldn't register?
I don't think you have, and this may be the only time I ever tell you this, but please tell us more.
GRANT is a SQL reserved keyword.
Yes, and I assumed there was an actual story behind it.
-
@levicki said in What users say versus what they mean:
An example of hosting / email account protection -- after 10 incorrect login attempts your IP is banned for 1 hour, after 5 more such attempts your IP is permanently banned and requires a call to the hosting provider support to unblock.
You claim the other ways of handling things are user hostile but you think this is a good idea??
-
@levicki said in What users say versus what they mean:
An example of hosting / email account protection -- after 10 incorrect login attempts your IP is banned for 1 hour, after 5 more such attempts your IP is permanently banned and requires a call to the hosting provider support to unblock.
In what universe is that EVER handled by a firewall and not by the login handler? I've never seen that anywhere, ever.
Edit: For that matter, how the hell would the firewall even KNOW that you failed to log in? All the firewall should see is "Data on port X from IP X to destination X"
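The policy quoted above (10 failures, a one-hour ban, 5 further failures, a permanent ban that only the provider can lift), implemented where Polygeekery says it has to live: in the login handler, which is the only component that knows whether an attempt succeeded. This is an added example, not the hosting provider's code or anything from the thread; the thresholds are the ones the post states, and the injectable clock, the IP addresses and the `check_credentials` callback are constructed for the illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class IpState:
    failures: int = 0          # failed attempts in the current window
    banned_until: float = 0.0  # epoch seconds; float('inf') means permanent
    temp_bans: int = 0         # how many temporary bans this IP has served


class LoginThrottle:
    """Per-IP failed-attempt throttle kept by the login handler itself.
    Policy (constructed from the post): 10 failures -> banned for 1 hour;
    5 more failures after that -> permanent ban until an operator clears it."""

    TEMP_THRESHOLD = 10
    PERM_THRESHOLD = 5
    TEMP_BAN_SECONDS = 3600

    def __init__(self, clock=time.time):
        self.clock = clock   # injectable for deterministic testing
        self.ips = {}        # ip -> IpState

    def is_banned(self, ip: str) -> bool:
        state = self.ips.get(ip)
        return state is not None and self.clock() < state.banned_until

    def record_failure(self, ip: str) -> str:
        state = self.ips.setdefault(ip, IpState())
        if self.is_banned(ip):
            return "banned"
        state.failures += 1
        if state.temp_bans == 0 and state.failures >= self.TEMP_THRESHOLD:
            state.banned_until = self.clock() + self.TEMP_BAN_SECONDS
            state.temp_bans = 1
            state.failures = 0   # the next window counts towards the permanent ban
            return "temp_ban"
        if state.temp_bans >= 1 and state.failures >= self.PERM_THRESHOLD:
            state.banned_until = float("inf")
            return "perm_ban"
        return "counted"

    def record_success(self, ip: str) -> None:
        self.ips.pop(ip, None)

    def operator_unblock(self, ip: str) -> None:
        """The 'call the hosting provider' step: only an operator clears a permanent ban."""
        self.ips.pop(ip, None)

    def attempt(self, ip: str, username: str, password: str, check_credentials) -> str:
        """Full handler flow: refuse banned IPs before touching credentials."""
        if self.is_banned(ip):
            return "banned"
        if check_credentials(username, password):
            self.record_success(ip)
            return "ok"
        return self.record_failure(ip)


def simulate_policy(clock_values):
    """Drive one IP through the whole policy with a scripted clock and return the
    sequence of handler verdicts. Constructed scenario for the example."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    always_wrong = lambda user, pw: False  # constructed credential check: every attempt fails
    verdicts = []
    for t in clock_values:
        now[0] = t
        verdicts.append(throttle.attempt("198.51.100.7", "levicki", "x", always_wrong))
    return verdicts, throttle
```

Note the firewall question from the post: nothing here inspects packets; the handler decides success or failure and keeps the counter, and if a network-level block is wanted the handler has to tell the firewall. The caveat a practitioner should weigh is the user-hostility point raised in the thread: keyed on source IP, one child hammering a keyboard behind a shared office NAT can lock out every colleague on the same address, and the permanent tier needs a documented out-of-hours unblock path.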
-
@Polygeekery It's Gribnit. You should know the likelihood of there actually being a story. :P
-
@djls45 said in What users say versus what they mean:
@Polygeekery It's Gribnit. You should know the likelihood of there actually being a story. :P
A man can dream.
-
@Polygeekery said in What users say versus what they mean:
@djls45 said in What users say versus what they mean:
@Polygeekery It's Gribnit. You should know the likelihood of there actually being a story. :P
A man can dream.
I suppose it's like the old adage: you miss all of the shots you never take. In this case, you'll never get the story if you don't ask.
-
@levicki that is especially user hostile. You are potentially blocking users and making them call in to have the block removed. Which, if it happens on Friday at 5PM they might be screwed until Monday.
-
@levicki said in What users say versus what they mean:
They need to make 10 wrong attempts to get blocked for an hour. That alone is highly unlikely to happen to legitimate users.
Kids. You forgot about kids. My kids once got me locked out of a client's system with my login. I then had to dig through documentation to find another login and a way to get in remotely to unlock the account I had setup for RDP. It was a pain.
-
@levicki said in What users say versus what they mean:
@Polygeekery said in What users say versus what they mean:
Kids. You forgot about kids. My kids once got me locked out of a client's system with my login.
Dude, who in their right mind is trusting his own credentials for ANYTHING to kids?
....
My laptop was unlocked. My kid starts banging keys. Next thing I know he had tried to log me in to something enough times to get my account locked.
Shit happens.