Nightmare client



  • omfg you would not believe the clients we have at the moment.  Our clients create industry best practice auditing manuals for large organisations in the health sector.  These manuals are quite expensive and important they're up to date so they got us to write a web portal with controlled access to these manuals.  You know the kind of thing, they can create a user and then assign manuals to them and then when the user logs in they only have access to the assigned manuals.  The manuals are in a database and can be searched for keywords blah blah blah.

    Anyway we get a call the other day they have just figured out the File->Save As when viewing stuff in their browser.  They rang us up for an emergency phone meeting claiming that this is unacceptable as it would allow users to save the manuals to their hard drive and therefore could redistribute the manuals to other people who are not subscribed or to simply save them once and keep using them when they are out of date.  We spent two hours trying to explain to them that to deliver content to the browser the information has to be sent to the user and that we can't control tightly what happens to that information once it reaches the user's computer.  We also tried explaining that this is an issue that all companies who distribute their product digitally face and the way to handle this is to have a licence agreement with the user and that in terms of using outdated manuals it has to be made clear to the user they need to check the website for the latest version (just like every other similar system in the world).  We also pointed out that their users are large health corporations with turnovers probably in the hundreds of millions and aren't going to risk being sued to save a few thousand dollars on policy manuals anyway.  We also pointed out repeatedly that the issue that the user saving the manuals and using an outdated one is the problem of the user not of the system or the client just the same as software updates work, you can get the updates but if you don't install them then there is little the vendor can do about it.

    they then asked "what is the point of having the computerised system"

     To which we pointed out that it was to provide a central location which would always contain the latest copy of the manual with security and permission on access to those manuals.  To which they then replied " but if they can just save it to their hard drive what's the point?"  At this point my boss and i were fighting hard to keep our cool so we again explained that it is up to the user to get the latest copy from the website and we can't force them to do this.  We then asked how the manuals were previously distributed which turned out to be this.  They would burn a copy of the appropriate manuals to a cd and then mail it to the user, and when updates came out they would burn another cd and mail that.  When we pointed out that a user could simply burn the cd they told us that "your average user isn't going to know how to do that" so it didn't matter and when we told them that the user could easily copy the files to their computer anyway.  We then pointed out that even if we could stop the "save as" thing then they could print the manuals and still be using an old copy, or print many and give them to other people and if worst comes to worst do a screen grab and ocr it.

    They then accused us of never telling them that this was how the system would work when i can clearly remember me and others explaining this in meetings before coding even started but these people are so computer illiterate that i don't think they could even comprehend what we were telling them and just did the "smile and nod" thing.

    So anyway the phone conference ended with them "being very unhappy" and us telling them to hire a consultant to get a second opinion.  The irritating thing is we never mentioned the "Save As" thing in the functional spec because it's just something that's in the browser and not something we would specifically be doing.  The problem with these clients is that they have absolutely no idea about computers they don't even really understand what a browser is and couldn't understand without significant explanations why the information had to actually be downloaded to the user's computer for them to view it and how the copying of files on a computer was something controlled by the operating system and not by us.

    Anyway i'll leave you to ponder this, this is just one of many of the wtfs we have had from these clients but it's certainly the biggest so far.  i think in the next few days i'll post up the stories of the incredible lengths we had to go to for these people to understand the idea of the temporary password and why you can't find out a user's password once it has been securely stored.




     



  • The real WTF is that I didn't even read that.



  • [quote user="Isuwen"]The real WTF is that I didn't even read that.
    [/quote]

     Lol.

    I started to, but three words into it I realized I don't have the focus right now to read such a dense story.
     



  • I think I just got a headache reading that.

    Anyway.. don't forget to tell your clients they could use some kind of rootkit/DRM thingy to protect their work.



  • I see some sort of encrypted ebook reader in your future.



  • you need to fire the client lolz

    how can anyone be that stupid! 



  • You could turn this all around and sell them a new AJAX based framework! You can defeat the "Save As..." problem and also rack up a bunch of money in training and support ^_^



  • [quote user="element[0]"]

    We spent two hours trying to explain to them that to deliver content to the browser the information has to be sent to the user and that we can't control tightly what happens to that information once it reaches the users computer

    [/quote]

    I guess you never heard about digital restrictions features, like the one PDF offers (you can restrict printing and/or saving for example). Too bad, you can learn about this in less than it took to write this rant 😉

    [quote user="element[0]"]

    these people are so computer illiterate that i don't think they could even comprehend what we were telling them and just did the "smile and nod" thing.

    [...] The irritating thing is we never mentioned the "Save As" thing in the functional spec because it's just something that's in the browser and not something we would specifically be doing.

    [/quote]

    Isn't it your job to teach those people what can and cannot be done with computers? If they knew it all, do you think they would still need you?
     



  • I guess you never heard about digital restrictions features, like the one PDF offers (you can restrict printing and/or saving for example). Too bad, you can learn about this in less than it took to write this rant 😉

    "The restrictions on copying, editing, or printing depend on the reader
    software to obey them, so the security they provide is very limited."
    oops

    I don't get this saving restriction. You can always copy the file. It's not preventing anything.

    But you can always get user a system with one application running and stripped down access rights. You can even get ie/gecko engine in there to view the document storage place, and remove all options for saving / printing. I'd say it's simply not true, that you can't control it. I know, that another thing is size and needs of that "one application". Maybe it's impossible to build such app for your place. Maybe not.

    PS. Now, that I know it's guarded that much, I'm browsing p2p networks to get one of those manuals... If it exists, it's in the internet 🙂 



  • [quote user="clem"]

     

    [quote user="element[0]"]

    these people are so computer illiterate that i don't think they could even comprehend what we were telling them and just did the "smile and nod" thing.

    [...] The irritating thing is we never mentioned the "Save As" thing in the functional spec because it's just something that's in the browser and not something we would specifically be doing.

    [/quote]

    Isn't it your job to teach those people what can and cannot be done with computers? If they knew it all, do you think they would still need you?
     

    [/quote]

     

    No actually it's not my job to teach these people and besides it was explained to them beforehand.  if they don't understand at the time then they need to ask for clarification.  Plus i kind of assume that people are familiar with a browser or at least checked it earlier, it's been live for 3 months.  plus we did investigate the pdf stuff initially but there are about a hundred ways to get around the drm which is pretty much adobe reader specific.

     



  • [quote user="clem"]Isn't it your job to teach those people what can and cannot be done with computers? If they knew it all, do you think they would still need you?[/quote]

    That's just great.  So the next time I get a speeding ticket, I can claim that there was nothing in the manual about it and so it must be the salesmen's fault.



  • [quote user="viraptor"]

    But you can always get user a system with one application running and stripped down access rights. You can even get ie/gecko engine in there to view the document storage place, and remove all options for saving / printing. I'd say it's simply not true, that you can't control it. I know, that another thing is size and needs of that "one application". Maybe it's impossible to build such app for your place. Maybe not.

    PS. Now, that I know it's guarded that much, I'm browsing p2p networks to get one of those manuals... If it exists, it's in the internet 🙂 

    [/quote]

    sorry, i should have been clearer about the copying file thing, it is possible to stop it with a customised system but the specs to support win 98 up ie 5.5 up and firefox given that it has to be accessed from company intranets running all kinds of old pcs.  and given the price they were wanting to pay a full on drm system was out of the question.  Also the drm stuff in word docs and pdf is so easy to get around it's not really worth the price and effort.



  • [quote user="clem"]

    I guess you never heard about digital restrictions features, like the one PDF offers (you can restrict printing and/or saving for example). Too bad, you can learn about this in less than it took to write this rant 😉

    [/quote]

    PDF's so-called 'restrictions' feature does not actually do anything - only Adobe Reader implements the restrictions (none of the other PDF renderers bother, why would any user want this feature implemented?), and Adobe Reader will not even run on my desktop system.



  • You could always just meet the client halfway, there are plenty of services out there already that implement this kind of system, especially in the education industry. Using security features such as requiring their clients to provide a fixed IP address or range of IP addresses that they will be accessing their system from, DRM, individual/group accounts.

    All you should really offer your client is not absolute security, but that you've made it as difficult as possible for someone to rip the manuals from the clients site.

    The end user will probably be accessing these manuals from a restricted access workstation where they will not have the privilege of installing their own software and as we all know Adobe Acrobat Reader is probably the most popular PDF reader in the world so chances are - the Admins setting up these workstations have installed Adobe Acrobat Reader as the default PDF reader.

    Don't store the manuals Book by book, or even chapter by chapter, store it page by page. It takes very little effort to download a manual if it's stored as just 1, or even 25 PDF files, however if a 500 page manual is stored as 500 individual PDF files, then someone has an awful lotta work to go thru to save all 500 pages.

    I think your client is right on one note, his product, on the majority, is being viewed by "your average user", and as one person who deals with the average user on a daily basis, i can for one tell you that they know jack sh*t. (Ever try to explain to the average user why their printouts are blank when they print from a website that implements frames, or even something as silly as why they have to click "Print View" in hotmail so that it's not just the ad banner that gets printed, they just stare back at you with a blank look of complete stupidity, and that's only after the first sentence)

    A few minor defences are enough to put an end to the majority of your client's worries. You might think that some of these defences are trivial but the average user will just get stumped by them.



  • The real WTF is that you misinterpreted the "smile and nod" thing: Your customer just did it, because he was very pleased to hear about this "Save As" loophole which would help him to avoid paying you... 😉



  • [quote user="viraptor"]

    But you can always get user a system with one application running and stripped down access rights. You can even get ie/gecko engine in there to view the document storage place, and remove all options for saving / printing. I'd say it's simply not true, that you can't control it...

    [/quote]

    1) Sometimes, "We can't do x" really means "We can't do given the budget and requirements available."  In this case, it seems pretty clear that this site is for external customers of the customer.  So you can't require that the end user run a special build of mozilla; on the contrary, there's a requirement that the site be as compatible with as many clients as possible.

     2) All the locked down clients in the world won't save you from a copy of telnet/netcat.

    bash$ telnet example.com 80

    GET / HTTP/1.1

    Host: example.com

     So much for all your client-side security!

     

    However, when dealing with incompetents of this variety, it is sometimes best to lay out exactly which requirements conflict (e.g. "Must work on every browser" and "No file -> save as") and give examples/estimates of what removing a requirement would imply (e.g. removing the "Must work in every browser" requirement allows developing a custom locked-down client app, which would cost an additional X man hours)
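
The point in the post above about hand-typed requests, as an added example that is not part of the original post or of the portal's code: a loopback server hands out a constructed page whose only "protection" is script the browser is asked to run, and a client that speaks HTTP over a bare socket receives exactly the same bytes. `PAGE`, `ManualHandler`, `fetch_raw` and `demo` are names made up for this illustration; the takeaway for the design is that only checks made on the server before the response is written restrict anything.

```python
# Added illustration: constructed page and loopback-only server.
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler

# Constructed sample page. The "no save / no copy" controls are requests to the
# browser, carried inside the same response as the content they try to protect.
PAGE = (
    b"<html><body oncontextmenu='return false'>"
    b"<script>document.onkeydown = function () { return false; };</script>"
    b"<p>Manual 7, section 3: constructed sample text</p></body></html>"
)


class ManualHandler(BaseHTTPRequestHandler):
    """Serves the sample page to any client that sends a GET."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch_raw(host, port, path="/"):
    """Send a hand-written HTTP/1.1 request (what one would type into telnet)
    and return the response body. No browser, so no script ever runs."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    _head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    return body


def demo():
    """Start the server on a free loopback port, fetch the page raw, shut down."""
    server = socketserver.TCPServer(("127.0.0.1", 0), ManualHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fetch_raw("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    body = demo()
    print("raw client received the full page:", body == PAGE)
```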

     



  • You could just build a windows app in .Net which just consists of an embedded internet explorer control. That won't have the save as option, but it will show webpages like ie and you can put in your own url bar and forward/back buttons if needed (I doubt they need much other than a viewer it sounds like). Your post suggests that they would accept this solution...



  • Worthy of http://www.clientcopia.com .

    3 months after you implement the DRM functionality they're gonna ask for an emergency phone meeting because users can use the print screen key, print the image, put it on a wooden table, scan it and send it to unregistered people.



  • [quote user="merreborn"]

    1) Sometimes, "We can't do x" really means "We can't do given the budget and requirements available."  In this case, it seems pretty clear that this site is for external customers of the customer.  So you can't require that the end user run a special build of mozilla; on the contrary, there's a requirement that the site be as compatible with as many clients as possible.

    [/quote]

    I didn't get that one from the text. But as previously said - maybe it's impossible to build such app for this project. I thought about it at company's own isolated thing.

    [quote user="merreborn"]

    2) All the locked down clients in the world won't save you from a copy of telnet/netcat.

    [/quote]

    If it's internal thing, why would anyone be able to run telnet? External -> It's also not that hard to force adding some specific header to request, that can be used for auth and pass it through ssl. Unless you inject your own ssl wrapper, you can't see what's happening.

    Another idea, would be to build a java applet for browsing docs, without possibility to save the file. Maybe flash. You can show it in a way, that will not allow saving, printing, selecting and copying, you can transmit it to user in whatever way you want. As a bonus, you can force viewing latest version always. Screenshots are basically == writing it down with pen and paper, so it's not an issue. Once you start thinking how to do it, there are many possibilities. Some not that hard to implement.



  • I didn't have a problem reading it at all... I guess it's worded the way I think or something. Anyways what a bunch of bullshit. Dumbass computer illiterate clients. Ubertarded. Not surprised though.

    Will anything ever make them happy? I doubt it... Some people just don't understand technology.

    If the average user doesn't know how to copy a cd, or how to copy files from a cd, then they probably wouldn't know how to save a webpage. Really, is there such a level difference? Someone saving a webpage has a notion of files, and must be able to navigate a filesystem at least SOMEWHAT. So what's to say that they can't drag files from the cdrom drive to where they would've hit the ok on the save... Stupid...

    It is impossible to create "Hack-free" anything. It's always possible to copy the data. It's always possible to circumvent copy protection. The nature of computers prevents anyone from making anything 100% hack free. Encryption is nice, but if there exists a method of decryption (which is a requirement, because no one wants data that can't be decrypted - it's useless that way), then the data can be retrieved. The only thing you can do is make it harder for that to happen.

    I really get upset when I see big corporations making large technology decisions based upon the understanding and the ability of a bunch of business school grads who don't know the difference between a bit and a byte. (is that an overused expression?)
     



  • [quote user="clem"]

    [quote user="element[0]"]

    these people are so computer illiterate that i don't think they could even comprehend what we were telling them and just did the "smile and nod" thing.

    [...] The irritating thing is we never mentioned the "Save As" thing in the functional spec because it's just something that's in the browser and not something we would specifically be doing.

    [/quote]

    Isn't it your job to teach those people what can and cannot be done with computers? If they knew it all, do you think they would still need you?

    [/quote]

    I hope not. Do you realize how long it would take to give them a broad enough understanding? I don't think they want to spend months or years in a classroom just so that some execs can understand what can and cannot be done in the digital world 



  • [quote user="GoatCheez"]

    who don't know the difference between a bit and a byte. (is that an overused expression?)
     

    [/quote]

    I haven't heard that expression, but you may want to ask around to find out whether you can expect a visit from the Cliche Police.



  • I hear this one every so often from my clients.  "We want to make sure that only the people who are supposed to see it can see it.  No copies!"

    I always want to tell them the real solution:  Keep only one hardcopy of the document locked in a room.  If someone wants to read it, they must come to your office, you let them in the room, show them the document, then kill them.

     It's the only way to make it copy-proof.
     



  • I've got a solution. Instead of sending out PDFs, print it out once, bind it and then place a webcam aimed at the printout. Pay somebody $6 / hour to change the page once per minute. Publish the webcam address. Voila



  • So, you "clearly remember" needing to explain to the clients, that "this is how the works"?  And still, you didn't bother mentioning this in your functional specs?  You fucked up.

    Your code doesn't do what the client wanted.  Whether that's because you failed to gather requirements properly, or you failed to code properly, it's still your fault.   You can complain all you want about your client's stupidity, but, you were the one who brought computer "expertise" to the table.  And, it's the computer part that got fucked up. 

    So, quit crying about how stupid your client is, and try to learn something from this, so that maybe, someday, you can do something right.



  • Sounds like all you really needed was to pop open a new window for access (no menu), and disable right-clicking with JavaScript (to the best of your ability - it may even be possible to disable cut-n-paste here, I'm not sure). Of course, that would not stop anyone with a clue. But from the sound of things, it might have satisfied your client.



  • X-man hours...sounds like fun!



  • [quote user="Cap'n Steve"]I see some sort of encrypted ebook reader in your future.[/quote]

     

    I was going to suggest adobe acrobat.  You can prevent the user from saving, copying or printing the data. DeVry does this for their online classes. 



  • [quote user="huh"]

    So, you "clearly remember" needing to explain to the clients, that "this is how the works"?  And still, you didn't bother mentioning this in your functional specs?  You fucked up.

    Your code doesn't do what the client wanted.  Whether that's because you failed to gather requirements properly, or you failed to code properly, it's still your fault.   You can complain all you want about your client's stupidity, but, you were the one who brought computer "expertise" to the table.  And, it's the computer part that got fucked up. 

    So, quit crying about how stupid your client is, and try to learn something from this, so that maybe, someday, you can do something right.

    [/quote]

     

    This is unreasonable.  Most likely, the client didn't even consider the "end user uses a saved copy past its expiration date" issue until they actually encountered it in the field, so no amount of gathering requirements could have come up with it; nor is the code at fault, since it does what the client asked for.  A really thorough QA department might have anticipated the problem before it went live, but a client like this is (1) unlikely to hire such a thorough department, and (2) unlikely to listen to it even if they do.  ("Are you daft?  Of course our users will know better than to do that!")

     



  • [quote user="codemoose"]

    I hear this one every so often from my clients.  "We want to make sure that only the people who are supposed to see it can see it.  No copies!"

    I always want to tell them the real solution:  Keep only one hardcopy of the document locked in a room.  If someone wants to read it, they must come to your office, you let them in the room, show them the document, then kill them.

     It's the only way to make it copy-proof.
     

    [/quote]

    Until one day when a savant comes to see it...

    http://www.youtube.com/watch?v=a8YXZTlwTAU



  • Anyway, the proper response to this type of problem (once it comes to light) is to discuss options with the client - both technical (e.g. disable right-click via JavaScript) and social (e.g. "Use of this manual by unauthorized personnel and/or past its expiration date will result in our army of lawyers suing your ass into oblivion") - and settle on the cheapest solution they feel is acceptable, based on the technical and social savvy of their end-user population.

     



  • element[0] try having government employees as your customers - they make those people look intelligent  



  • [quote user="Kazan"]element[0] try having government employees as your customers - they make those people look intelligent  
    [/quote]

    It's very true. Near where I live, there was a news piece done on one of the local city government organizations. They were explaining how C average high school grads with very little hope for college or vocational school and no criminal record were their prime candidates for new hires. I had no idea.



  • [quote user="Pap"][quote user="codemoose"]

    I hear this one every so often from my clients.  "We want to make sure that only the people who are supposed to see it can see it.  No copies!"

    I always want to tell them the real solution:  Keep only one hardcopy of the document locked in a room.  If someone wants to read it, they must come to your office, you let them in the room, show them the document, then kill them.

     It's the only way to make it copy-proof.
     

    [/quote]

    Until one day when a savant comes to see it...

    http://www.youtube.com/watch?v=a8YXZTlwTAU
    [/quote]

    Hmmm... A savant can be a problem even after you've killed them? I never knew that. 😉

