[personal profile] kickaha
What do you get when you have a major, huge company who has traditionally done enterprise Windows apps, with a smidgen of Linux?

SUCKTACULAR UI!

Take Eclipse. (No, really, please. Take it, beat it into submission, strip off the laughable UI and make something worthwhile. Really. It's embarrassing, it's so bad.)

Or Lotus, well, anything. It's even worse.

But tonight... tonight I hit the nadir. I use an internal proprietary (Standards? What, those things we convince our customers they need? Pah, we don't need them... they're too expensive.) VPN solution to hook into the company intranet. The guts of it are pretty solid, as far as I can tell. It's yet to fail me. The UI though?

Go to connect tonight: "Cannot connect." Well gee, that's helpful. Try again. "Cannot connect." Hmm. One more time, with feeling. "Cannot connect." How odd. One last time...

"Your account has been locked, possibly due to multiple logon attempts with an incorrect password."

Right, I changed my intranet password yesterday.

And... that's it. I have no indication of how to contact anyone to find out how to 'unlock' my damned account, it never gave me a hint that perhaps it was a password problem (which would have jogged my memory immediately), and of course to get any useful information, I need to be... you guessed it... on the intranet.

SOL, up shit creek, humped, boned, dry fucked and left hanging... pick your phrasing.

Unbelievable.

Saddest part? Five gets you twenty, when I bring this up with the VPN client team, I'll get utterly blown off, because this is how they think software is supposed to work. Or not.

(no subject)

Date: 2007-12-21 01:44 pm (UTC)
From: [identity profile] babbleon1.livejournal.com
What I love is that to fix it, you have to call 888-IBM-HELP and get a person to reset it. A superb waste of time.

(no subject)

Date: 2007-12-21 03:06 pm (UTC)
From: [identity profile] kickaha.livejournal.com
THANK YOU! That's the magic phone number they elected not to include in the "You're screwed" message.

(no subject)

Date: 2007-12-21 03:53 pm (UTC)
From: [identity profile] kickaha.livejournal.com
Wow, that was further illuminating... I called them; they didn't verify my identity[1], but they 'submitted the request' anyway... and it will take 30-60 minutes for it to propagate. If it does. If not, then I get to try again.

[1] What the *hell*? Seriously, I entered one piece of information that is less private than my SS#, and had access, no double-checking from them.

(no subject)

Date: 2007-12-21 04:55 pm (UTC)
From: [identity profile] georgmi.livejournal.com
They're not resetting your password, they're just turning off the bit you flipped that locked the account. Account locking is intended to prevent dictionary attacks by increasing the amount of time it takes to try a statistically useful number of passwords to the point where it's not worth attacking. In other words, the system is working exactly as designed, *including* the 30-60 minute delay in the human interface, it's *supposed* to be a pain, and there's no reason to worry whether you are who you say you are, at least on your first request to unlock the account. You call back three or four times in a day, though, and they're going to start taking a closer look.

You probably didn't notice this, but the response time for each failed auth attempt probably increased by a significant percentage, another standard ploy for slowing down dictionary attacks.

It's also standard practice to provide minimal information when an auth attempt fails--if you return one message when the account name is wrong, and a different one when the name is right but the password is wrong, that tells the bad guy when he's found a valid login name.

In short, security procedures are not about making it easy for the user, but about making it a pain in the ass for the bad guy.

Not telling you your connection failed because of auth failure is taking that a bit far, though. :)

And not providing you with the number you need to call to reset your account is something they should probably be able and willing to fix. Unless they think that they provided you with that information and it should be easily accessible to you from your home, without access to the intranet. Didja RTF VPN M?
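The three defences georgmi describes above, in working form: lockout after repeated failures, a delay that grows with each failure, and one uniform failure message whether the user name or the password is wrong. This is an added example, not code from the post or from any IBM VPN client; the user store, the five-failure threshold, the doubling delay and the help-desk placeholder are all assumptions. Note that the lockout message, unlike the one in the post, tells the user how to get unlocked without needing to be on the intranet.

```python
"""Minimal login gate: lockout counter, growing delay, uniform error text."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5     # assumption: lock after this many consecutive failures
BASE_DELAY = 0.5     # assumption: seconds, doubled on every further failure


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store (username -> (salt, hash)); not a real account.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
FAILURES: dict = {}   # username -> consecutive failed attempts
LOCKED: set = set()

# One message for "no such user" and "wrong password", so a caller cannot
# tell which half was wrong; the lockout message says how to recover.
GENERIC_FAIL = "Cannot connect: check your user name and password."
LOCKED_MSG = ("Account locked after repeated failed logins. "
              "Call the help desk at <HELPDESK-NUMBER> to unlock it.")


def attempt_login(username: str, password: str, sleep=time.sleep):
    """Return (ok, message, delay_seconds); `sleep` is injectable for tests."""
    if username in LOCKED:
        return False, LOCKED_MSG, 0.0
    # Unknown users get a dummy salt/hash so the same work is done either way.
    salt, stored = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if ok:
        FAILURES.pop(username, None)   # success resets the counter
        return True, "Connected.", 0.0
    n = FAILURES.get(username, 0) + 1
    FAILURES[username] = n
    delay = BASE_DELAY * 2 ** (n - 1)  # each failure waits twice as long
    sleep(delay)
    if n >= MAX_FAILURES:
        LOCKED.add(username)           # only the help desk clears this
        return False, LOCKED_MSG, delay
    return False, GENERIC_FAIL, delay
```

Once locked, even the correct password is refused until the flag is cleared, which is exactly the "working as designed" behaviour the thread is arguing about.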

(no subject)

Date: 2007-12-21 05:13 pm (UTC)
From: [identity profile] kickaha.livejournal.com
Manual? *MANUAL*?!? BWAHAHHAHAHHA

The included app help didn't even include the keywords 'incorrect' 'locked' or 'failure'.

"In short, security procedures are not about making it easy for the user, but about making it a pain in the ass for the bad guy."

Unfortunately, defining 'bad guy' to include 'user who slips up' just results in making it a pain for the user. :P

We've got a battle going on right now concerning the internal IM system I should tell you about offline sometime. It's... insane.

(no subject)

Date: 2007-12-21 05:15 pm (UTC)
From: [identity profile] georgmi.livejournal.com
You guys have time on your spring trip to come out Bremerton way for dinner?

(no subject)

Date: 2007-12-21 05:20 pm (UTC)
From: [identity profile] kickaha.livejournal.com
We can probably work that in... hell, we haven't even scheduled the days yet. :P

(no subject)

Date: 2007-12-21 05:52 pm (UTC)
From: [identity profile] gwyneira.livejournal.com
We're probably going to be in San Francisco for the weekend in mid-April (like the 11th-14th or something like that), but other than that, boy is our schedule free. :)

(no subject)

Date: 2007-12-21 06:22 pm (UTC)
From: [identity profile] babbleon1.livejournal.com
Yeah - manual? PUH-LEAZE.

Work is hugely (overly?) security conscious, though I guess it could be a popular hacking target. But it adds a huge cost to our work. And the business controls, to make sure we're not embezzling or sneaking spare parts out of the factory - BLEAH! We once counted seven distinct audit layers...

(no subject)

Date: 2007-12-21 07:11 pm (UTC)
From: [identity profile] georgmi.livejournal.com
Ah, but security folks *do* define 'users who slip up' as bad guys--the potential effect on the system is often the same, or even worse.

Security guys only trust their users as far as management forces them to, and they're not happy about even that much.

(no subject)

Date: 2007-12-21 08:01 pm (UTC)
From: [identity profile] kickaha.livejournal.com
Wait... management has power over IT security direction?

Dude, pass me some of what you're smoking.

(no subject)

Date: 2007-12-21 08:24 pm (UTC)
From: [identity profile] georgmi.livejournal.com
To the extent that management can say, "Let the damn users connect to the damn network or you're fired", yeah.

IT will then do the absolute minimum necessary toward clause A that allows them to avoid execution of clause B. :)
