In-App Shenanigans, an iOS Story

This is not a judgment on Apple (or other platforms). This is not a judgment on this particular app, either, even though I think it’s scummy. Let’s get this out of the way right off the top.

Earlier this week I received an email from Apple, as usual, notifying me of an in-app purchase (IAP) made by a member of the family.

Our family consists of me as the primary credit card holder, my husband, and my mother-in-law. This is important because we’re all over the age of 18.

My husband and I live in Canada, and my mother-in-law lives in South Africa. The Canadian iTunes and App Store offerings are much better than South Africa’s, for myriad reasons, which is why we added her. She gains access to our purchases and Apple Music. It’s a win-win.

Here’s the email I received.

A word about how I read emails: FAST. I use a system of pattern recognition developed over many years, and when an email looks fine, I file and ignore it. This is why I spot spam and malware very quickly, when shapes of words look “wrong”.

So this was a legitimate email, but what struck me was the amount. I usually ignore purchases under $20–$30, but that number looked big.

What was also interesting in this case was the app. I’d seen this before, so I looked in my email archive. Sure enough, there have been several in-app purchases from the same device since the app was downloaded (free of charge, of course) on 31 March 2016.

Problem 1: Inaccessible IAP for Family Members

I clicked on “Report a Problem”, and that’s where I noticed a significant flaw in the Family Sharing feature. If you did not make the in-app purchase yourself, you cannot see the details. The page returns no results.

After a frenzied iMessage conversation with my mother-in-law in another timezone, she was able to send me her password, and once I logged into iTunes with her account details, I could review her in-app purchases.

Problem 2: Email Notifications

This is where I discovered another issue, one I’ve maintained is problematic with email itself. Not every in-app purchase generated a receipt email. Email is broken. It does not guarantee delivery. Apple can’t fix this. I don’t know how to solve it.

According to the account details, a few more in-app purchases were made from the same device. This is not all of them.

Since 31 March 2016, the in-app purchases from the device totalled a few pennies under $390 (three hundred and ninety dollars).

Problem 3: Scummy Developers

I decided to install the app to find out how this happened. My mother-in-law is smart. She’s been using iOS since almost the start. She understands IAP, and she asks before doing an in-app purchase on games she likes. Until April 2016, she had spent under $200 on the App Store in six years.

It did not take me long to figure it out.

The game, like any other free-to-play game, will prompt you to buy extra plays. Because it’s a slot machine game, this is sold as extra spins on the slot machine.

I spun the wheels about twenty or thirty times. There were the usual flashes of light and colours and shiny things game developers know to put into a game to keep you playing.

And then this is where it all broke down.

If I tap in the open areas, nothing happens (thank goodness). If I tap on one of the three options, I’ll be prompted to spend money. No thanks. So I hit the X on the top right to cancel out of this madness.

And this is what greeted me, even after reinstalling the game.

Anyone want to tell me how to continue? Anyone? Bueller?

Using my 33 years of computer experience, I’ve decided that to continue with the slot machine game, without buying coins, I’d need to tap on the face of Venus. How Freudian. I deduce that there are puzzles I’d have to complete to unlock the other machines.

Since I’m twice shy, I decided to quit the game and delete it once and for all, without risking anything else.

No wonder I’ve got almost $400 worth of IAP on my credit card. This confused me, and I’ve been working with software for over three decades. And I got maybe 30 spins on the wheel.

Problem 4: Reporting IAP Doesn’t Work

Now that I was able to log in as the purchaser on iTunes, I could click the link (in the same receipt email, mind you) and was able to report an issue with the latest purchase.

I understand economics and cooling off periods and contracts. If we couldn’t get some money back from the older purchases, at least $69.99 could be returned. It was in the last week, after all.

I selected the option “Didn’t mean to purchase this item” from the dropdown. After filling in a comment, I submitted and got back the following reply:

This purchase is not eligible for a refund.

Alrighty then.

Taking a look through the other options, I declined choosing “I didn’t authorize this purchase” because, frankly, I did. A court would look at the reasonable man argument, and a reasonable man would say “the purchase happened” because the user (my mother-in-law) entered her password or touched a fingerprint reader, and the receipt was processed by Apple.

Problem 5: Daylight Robbery

I have been writing software since 1983, and I did it for a living for a number of years. I understand that software developers need to eat. However, a mainstream game on a console system, PC or Mac platform, even with DLC (downloadable content) that is charged for in addition to the game, won’t cost me $390. The Sims 4, part of the most popular franchise ever, costs $60 with DLC. If someone is spending over $100 on a game, I want to know about it.

This is not a problem specific to this game, I’m simply using it as an example.

Problem 6: Inconsistent Password Prompts

I get asked to enter my Apple Account password so many times these days on my devices. Imagine this happening when you’re trying to dismiss a “BUY” button in a slot machine game. You click cancel, your finger slips and you accidentally tap the expensive option on the right. Flustered because that stupid password box came up again, you sigh and enter your password anyway.

Problems that Apple Should Address

I identified two main problems through this experience that I would like Apple to address.

Firstly, please let me turn on approvals for any purchases, for any family member, regardless of age.

Secondly, please let me review purchases for all family members from my own account. If it’s good enough for someone to use my credit card, I’d like to be able to report an issue.

Conclusion

There was one time my mother-in-law did want to buy coins, for $39.99. She even texted my husband at the time and said she’d pay him back. So for every other purchase on that game, I submitted a request under “Problem is not listed here” and said none of these purchases was expected except for the one for $39.99.

If Apple responds favourably, I’ll be surprised. This is a major revenue stream for them. No wonder developers are excited about IAP and upcoming Subscriptions.

In the meantime, please be wary of IAP. It’s not a bad thing if used appropriately.

Statement from Pulse, Orlando

Like everyone in the country, I am devastated about the horrific events that have taken place today. Pulse, and the men and women who work there, have been my family for nearly 15 years. From the beginning, Pulse has served as a place of love and acceptance for the LGBTQ community. I want to express my profound sadness and condolences to all who have lost loved ones. Please know that my grief and heart are with you. – Barbara Poma, Owner

Professionalism doesn’t mean a collared shirt and tie

(Originally published on my SQL Server blog.)

Working from home, consulting with companies all over the world, has changed how I interact with customers. The last time I was physically on site was seven months ago.

We deal almost exclusively with each other via conference call and video using Skype, LogMeIn or GoToMeeting, juggling webcams, headphones, microphones, email, text messages, phone calls, instant messaging, and so on and so forth …

Scott Hanselman wrote on Twitter recently about spending more than 20 minutes of a one-hour meeting getting microphones working for all meeting attendees, and this is in 2016!


Being professional means treating your customers and colleagues with the respect you think you deserve in return.

Put another way, if you treat other people with contempt, you can’t expect to be taken seriously.

Missing meetings, not having your equipment set up correctly, not wearing camera-friendly clothing (or any clothing at all!), having an inappropriate backdrop, or having an inappropriate desktop background if you’re sharing your screen, all amount to contempt.

Take the time to set up your work space correctly by keeping the webcam-visible area behind you friendly to anyone watching you on video.

Learn how to use your webcam or microphone or headphones correctly. If you have to share your computer screen, make sure you have turned off notifications. Even better, try to keep to one virtual desktop away from email, web browsers and social media.

Do you use a Mac? Did you know that there’s a way for you to set up your microphone to send clear and crisp audio through Skype or other tools? It’s called Loopback.

All that money you’re saving on gas? Buy a decent condenser microphone, over-ear headphones, and a high-definition webcam. Don’t rely on your laptop’s built-in speakers. You know what microphone feedback sounds like, and wearing headphones is a great way to avoid it.

Don’t pick your nose. Don’t get too close to the camera. Someone might have you on a giant television screen with lots of people in the room. Because you’re not physically in the room, perception is everything. Even I make some of these mistakes, which means I’m also guilty of behaving in an unprofessional manner.

This post is not only to let you know how to behave, but to remind me how I should behave. We’re in this together.

Gender Identity Diversity in Alberta Schools

Last week, the Alberta, Canada, Government released a document called Guidelines for Best Practices: Creating Learning Environments that Respect Diverse Sexual Orientations, Gender Identities and Gender Expressions.

You can download the document here in PDF format.

As I read through this document, I wished I would be going to school in this kind of open, accepting environment.

Imagine:

Schools and school authorities [should] proactively review existing dress codes to ensure they are respectful and inclusive of the gender identities and gender expressions of all members of the school community (e.g., rules apply equally and fairly to all students and are not gender-exclusive, such as implying that a certain type of clothing, such as skirts, will be worn by one gender only).

Or how about this:

All students, regardless of their sexual orientation, gender identity or gender expression, have the right to participate in all curricular and extra-curricular activities. These learning and recreational activities need to occur within inclusive and respectful environments, and in ways that are safe, comfortable and supportive of students’ sexual orientations, gender identities and gender expressions.

I wanted to spend time with the girls at school, playing their sports and doing the same classes as them. I remember a large number of girls wanting to wear pants instead of skirts. This was at primary school already.

This kind of inclusivity and openness towards a diverse identity of self is incredible.

Thinking about the implications makes me wonder why it took so long to come about. Not only that, but what might have been possible for everyone who has attended school up to now, forced to fit into a certain role according to the genitals they were born with?

This will fundamentally change society.

School is where we learned that girls and boys were different, that girls were delicate and boys were rough and played harder sports. Girls learned how to cook, clean, sew, and boys were taught … I don’t even remember. Was it how to program computers? Kick a ball?

Imagine instead a formative environment where you are encouraged to do whatever you want, physical gender aside.

I should also note that this has nothing to do with sexual orientation or romantic attraction. The guidelines specifically reference that fact, which in itself is remarkable.

This will allow people to embrace the idea that not all effeminate men are gay, that not all butch women are lesbian, and that perhaps a gender binary is an old-fashioned idea that should go away.

Look at this footnote regarding human sexuality:

If a human sexuality class is organized by gender, students are able to choose which class they participate in.

This is blowing my mind, and I’ve been an activist for queer rights for nearly two decades.

For all its wondrousness, these guidelines will not be implemented overnight. Each school and district will have to create and adopt its own policies, and some parents and school boards, particularly in religious-based schools, will refuse.

That is to be expected, and those schools will be left behind, in the past, where they belong.

I cannot express how grateful I am to the province of Alberta, in the country of Canada, my new home, for making inclusion a priority at the school level. I cannot wait for these kids to grow up with tolerance and acceptance as a guiding principle.

Clipboards, Rednex, and being German

I’ve had an interesting weekend.

On Friday night, we hosted nearly fifty people in our house, for the year-end function for some of the hospitalists in town. The hardwood floors took some damage.

On Saturday night, I performed at another private year-end function, for actual money.

My role in Friday night’s affair was to be affable and humorous, based on my real self. I think I succeeded.

My role in Saturday night’s affair was to be a German ski instructor, with flashbacks to the 1980s. I was one of four performers in total, and each of us had a character and had to arrange a dance for the attendees to perform.

I coloured my hair with chalk spray. There were three colours to choose from: blue, pink and green, so I chose all three.

I walked around with a clipboard, a measuring tape, and a giant pink pen. The clipboard had black letter writing on the front page, where I’d written the German word for “clipboard”. It looked menacing.

Klaus Wunderlift

When introducing myself to attendees, I wrote name tags for them with my giant pen, and a pad of yellow sticky notes. For some reason, these were a huge hit. I naturally didn’t use their real names, preferring to make them up as I went along. Some of the more popular names were Loud, Cute Smile, Tall, Awesome and Fab.

I had to call a square dance. Because I’ve never called a square dance in my life, I searched through (many) YouTube clips, and finally settled on a circle dance (as opposed to a square dance), set to the Rednex version of Cotton Eye Joe. Before the dance, I gave a dramatic reading of the chorus, which a friend had translated into “the original” German, about Baumwollaugen-Johannes*.

My German accent has been used in many performances, including as Hubert Gruber from the stage production of ‘Allo! ‘Allo!, to a rewrite of the stage play Night Call, where I play a socialist librarian. Most recently, I’ve been cast in a voice role as a German scientist for an independent game. I’d stop using it if people stopped wanting to hear it. If only I could do an American accent as convincingly.

One thing I’ve learned as a live performer (which includes teaching and presenting, for what it’s worth), is that it doesn’t matter if you don’t know what you’re doing, as long as you can fake it or make it at least look like your ineptitude is intentional.


* If you’re curious, this is how Cotton Eye Joe looks in German:

Wär’ Baumwollaugen-Johannes nicht gewesen,
wär’ ich schon lang verheiratet.
Wo bist du hergekommen?
Wo bist du hingegangen?
Wo bist du hergekommen, Baumwollaugen-Johannes?

Filmmaking as a Metaphor for the DBA

This post was originally published on my SQL Server blog.

I worked on four films in 2015, three shorts and one feature-length movie, all shot in Calgary where I live. That has resulted in seven IMDb credits for me, someone who earns a living as a DBA.

If nothing else, that experience has scratched an itch I’ve had since I was old enough to wonder what it would be like to act in a movie.

But acting isn’t filmmaking. It’s a very small part of the big picture, along with directing, producing, set building, makeup, lights, cameras, craft services, animal trainers, and so on.

DBAs also do a lot of work behind the scenes to make sure everything works the way it should. The sign of a good DBA is a system that works as expected. The sign of an excellent DBA is recovering from failure, affecting anyone else as little as possible.

Like being an excellent DBA, making films is hard work. Purely from an acting perspective, there are lots of lines to learn, repeating them over and over again, and then having to wait for someone to reset the camera, move some lights or the boom mic, and then do it all over again.

Exactly the same way.

Acting is the antithesis of automation. For example, it can take nine hours to film five pages of a script. Each page in a screenplay equates roughly to one minute of screen time. When I directed our last short, we shot eighteen pages in seven hours. That’s almost unheard of.

In information technology, we are encouraged to automate any repetitive task.

In front of the camera, we can’t automate our lines. Continuity is critical, so that the cup you’re holding at 8:15am during the master shot is in the same hand, at the same line, with the same level of liquid, as in the close-up shot at 11pm.

I have also done a little bit of voice acting. Have you seen the film Singin’ in the Rain, starring Gene Kelly and Debbie Reynolds? She plays a voice-over actor who must redo all the voice parts for Jean Hagen’s character, in a process called ADR (automated dialogue replacement) or Looping.

There’s nothing automated about it. You see the scene and the current audio, and get a metronome counting you in for two or three beats, then you record your dialogue, trying to match against the picture. It’s expensive and time-consuming, and never quite matches.

Sometimes you have to do it in voice acting too. Except that, with some very minor exceptions, there’s no picture to watch yet. You are in a booth, with headphones, a microphone, and a pop filter in front of you. In my case, there’s also an HD web cam in there so that the outside world can see in. In other studios, the booth may be soundproof glass and have the recording equipment and director in view. It’s a very lonely space.

Either way, when Debbie Reynolds did ADR for a movie, she had a picture to lip sync with. In voice acting, if you have to do ADR, there’s no picture. You hear the original track, you get counted in, and then you do your line while the old one is playing in your headphones.

Try recording yourself, playing it back, and then saying the same line over again, exactly the same way.

Being a DBA has a lot of similarities:

  1. Repetitive tasks
  2. Attention to detail
  3. Troubleshooting with no visual guides
  4. Trying to do something complicated while someone is talking in your ear
  5. Someone is always judging you
  6. You have to go with your instincts sometimes.

Someone asked me recently whether I would choose between being a SQL Server professional, or a filmmaker. I answered that I couldn’t choose. They complement each other and keep me sane.

Thanks for reading. If you’d like to comment on Twitter, find me under @bornsql or @rabryst.

Defensive SSL security in Windows and IIS

In my previous post, I wrote about how SSLMate has made my life easier.

I also mentioned how SSL-based attacks like POODLE and Heartbleed have forced us into using TLS.

Which is all very well, except that Microsoft’s whole premise in their product line is backward compatibility.

This means that a lot of older security protocols are on by default in Internet Information Services (IIS), even on Windows Server 2012 R2. As demonstrated by the recent vulnerabilities in the SSL protocol, this is not a good thing.

The recommended solution is to manually disable each of the older protocols using the registry editor.

IIS Crypto

Instead of this risky method, I discovered a free tool called IIS Crypto, by Nartac Software.

And so too, apparently, did @SwiftOnSecurity.

IIS Crypto is a free tool that allows configuring TLS protocols, ciphers, hashes and key exchange algos on WinServer https://www.nartac.com/Products/IISCrypto

This is how it looks:

[Screenshot: iiscrypto]

My recommended settings

I installed the .NET 4.0 GUI version. You can install the command-line version instead, but given that you’ll only run this application once or twice in the lifetime of the server, and you need to deselect some items, the GUI is easier to navigate.

Once you’ve installed IIS Crypto on your web server, run it and choose the Best Practices option (located under the Templates section).

You will then need to uncheck the Diffie-Hellman Key Exchange, on the top right, like so:

[Screenshot: iiscryptodh]

Now you can click the Apply button, which will prompt you to restart your server.

In my own experimentation, I just issued an iisreset command to restart IIS, but it’s probably a good idea to restart the server anyway, as this tool makes changes to the Windows Registry.
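Whether you used IIS Crypto or edited the registry by hand, the result lives in the same SChannel keys, so it is worth reading them back after the reboot. The following PowerShell audit is an added example (not part of the original post and not IIS Crypto’s own code); it assumes the standard SChannel key layout under HKLM and is run from an elevated prompt.

```powershell
# Added example (not from the original post or from IIS Crypto): read the
# SChannel registry keys that IIS Crypto (or a manual registry edit) writes
# and report which protocols are actually enabled for the server side.
# Assumption: standard SChannel key layout on Windows Server; run elevated.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    param(
        [string]$Protocol,
        [ValidateSet('Server', 'Client')][string]$Side = 'Server'
    )

    $key = Join-Path (Join-Path $base $Protocol) $Side
    if (-not (Test-Path $key)) {
        # No key at all: Windows uses its built-in default for this protocol,
        # so the state is not pinned by configuration and should be reviewed.
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = 'OS default (key missing)' }
    }

    $props = Get-ItemProperty -Path $key
    $enabled = $props.Enabled
    $disabledByDefault = $props.DisabledByDefault

    # Enabled = 0 hard-disables the protocol regardless of DisabledByDefault.
    # A non-zero Enabled with DisabledByDefault = 0 means the protocol is usable.
    $state = if ($enabled -eq 0) { 'Disabled' }
             elseif ($disabledByDefault -eq 1) { 'Disabled by default' }
             elseif ($null -eq $enabled) { 'OS default (Enabled value missing)' }
             else { 'Enabled' }

    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = $state }
}

$report = foreach ($p in $protocols) { Get-SchannelProtocolState -Protocol $p -Side Server }
$report | Format-Table -AutoSize

# After applying the Best Practices template, SSL 2.0 and SSL 3.0 must be off.
# Anything still 'Enabled' or left at the OS default is flagged for follow-up.
$weak = $report | Where-Object { $_.Protocol -like 'SSL *' -and $_.State -notmatch '^Disabled' }
if ($weak) {
    Write-Warning ('Legacy SSL protocols still reachable on the server side: ' + ($weak.Protocol -join ', '))
    Write-Warning 'Re-run IIS Crypto (Best Practices), reboot, then run this check again.'
} else {
    Write-Host 'SSL 2.0 and SSL 3.0 are disabled on the server side.'
}
```

Run the same function with -Side Client to audit outbound connections made by the server (for example to back-end web services), which IIS Crypto configures separately.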

Warning

According to the Qualys SSL Labs Test (which you can access from IIS Crypto in the URL field at the bottom of the screen), you will get a best score of an A-minus with these settings.

To achieve an A or higher, follow the instructions from the test result.

Coincidentally, because my company has more than one website served on the same IP address (common with virtual hosts), I achieved an A score by enabling SNI (Server Name Indication) on my website’s SSL bindings.

By default, this forces incompatibility with older browsers, which will be served a default SSL/TLS certificate, so keep this in mind.

Summary

I hope that this tool will make your life easier, by keeping only the most secure protocols and ciphers active on IIS.

This is just one aspect of security in depth. You should also look at the rest of the top 10 vulnerabilities, as collated by OWASP, to see how else you can protect your web applications.

SSLMate and IIS – a love story

I am a part-owner in a company based in South Africa. Our headline act, if you will, is a website that customers log into to manage certain aspects of their business.

This website needs to be secure for obvious reasons. The most basic requirement for a secure website is an SSL certificate (Secure Sockets Layer), or more accurately, TLS (Transport Layer Security). This is the padlock in the address bar of your browser, next to the https: the s means secure.

If you feel like exploding your brain, check the Wikipedia article about TLS and SSL.

For a number of reasons, which Troy Hunt is vastly more qualified to explain to you, we have to ensure that only the most recent browsers are supported by our website and its SSL/TLS certificate.

Older software was not designed with security in mind. The early Internet was about sharing information as easily as possible. Only with Microsoft’s security drive in the early 2000s did we start to see software becoming secure by default. Most recently, news about POODLE and Heartbleed means that even SSL isn’t secure anymore. That is why we have to focus on TLS instead.

It is therefore imperative that we at my company inconvenience users of older software in the best interest of keeping our website as secure as we can. Our SLA (Service Level Agreement) states a minimum version for operating system and web browser.

To this end, I will talk about my new favourite SSL/TLS certificate provider, SSLMate. They allow you to order and renew SSL/TLS certificates from the command line. Even better, unlike most other providers, they tell you when an SSL/TLS certificate is about to expire and renew it for you. I cannot even begin to tell you how convenient this is.

Last year I was travelling out of the country when one of my websites’ certificates expired. The issuer did not warn me (their position is that it’s not their responsibility, and I have to take blame). But, as evidenced by Apple, and Microsoft, and Google, we ALL make this mistake.

SSLMate takes the hassle out of remembering. I of course have created a new workflow to remind me a month before each of my certificates expires, but now that they are all managed by SSLMate, I know they have my back as well.

This all sounds great. I open up a command line prompt and type:

computer~$ sslmate buy example.com

That’s it. After an exchange of email to the appropriate approved address and a confirmation link, I can download four files:

  • example.com.chained.crt — Domain and Intermediate Certificate
  • example.com.chain.crt — Intermediate Certificate
  • example.com.crt — Domain Certificate
  • example.com.key — Private Key

Now comes the tricky part. Internet Information Server, or IIS, needs to import a PFX file. PFX stands for Personal Information Exchange Format and is also known as PKCS #12.

None of these files from SSLMate is in the right format. In fact, if you try importing one of the *.crt files, it will vanish from inside IIS. It needs to be signed by the Private Key.

Confused yet?

On my Mac (or on Windows), I need to use OpenSSL to sign the certificate with the private key, to generate a PFX file that I can import into IIS.

computer~$ openssl pkcs12 -export -out iis_cert.pfx -inkey example.com.key -in example.com.crt -certfile example.com.chain.crt

The output will be iis_cert.pfx, which I can then import into IIS and bind to the website I want to secure. In this example, there are two input files because SSLMate uses intermediate certificates in the chain.
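The import-and-bind step on the IIS side can be scripted as well, and scripting it lets you check that the private key really came along before the certificate gets a chance to vanish. The PowerShell below is an added example (not from the original post and not SSLMate’s code); it assumes the WebAdministration module (IIS 8 or later), a site name and PFX path that are placeholders here, and the password typed at the openssl export prompt.

```powershell
# Added example (not from the original post or from SSLMate): import the PFX
# produced by the openssl pkcs12 step into the machine store, confirm the
# private key is present and the chain builds, then bind the certificate to a
# site over https with SNI enabled. Assumptions: WebAdministration module
# (IIS 8+), placeholder site name and path below; run elevated.

Import-Module WebAdministration
Import-Module PKI

$PfxPath     = 'C:\certs\iis_cert.pfx'   # placeholder: output of the openssl command above
$HostName    = 'example.com'             # hostname the certificate was issued for
$SiteName    = 'Default Web Site'        # placeholder IIS site name
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

function Import-IisCertificate {
    param([string]$Path, [securestring]$Password)

    $cert = Import-PfxCertificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\My' `
                                  -Password $Password -Exportable:$false
    if (-not $cert.HasPrivateKey) {
        # A certificate without its key is exactly what IIS silently drops.
        throw 'PFX imported but carries no private key; rebuild it with openssl pkcs12 -export -inkey ...'
    }

    # Build the chain using the intermediate bundled via -certfile. If this
    # fails, browsers will see an untrusted chain even though the leaf is fine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Certificate chain does not build: $status"
    }
    return $cert
}

function Add-SniBinding {
    param(
        [string]$Site,
        [string]$HostHeader,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # SslFlags 1 = SNI required. This is what lets several hostnames share one
    # IP address; clients without SNI get the server's default certificate.
    $existing = Get-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostHeader
    if (-not $existing) {
        New-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostHeader -SslFlags 1 | Out-Null
    }
    $binding = Get-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostHeader
    $binding.AddSslCertificate($Certificate.Thumbprint, 'My')
    return $binding
}

$cert = Import-IisCertificate -Path $PfxPath -Password $PfxPassword
Add-SniBinding -Site $SiteName -HostHeader $HostName -Certificate $cert | Out-Null
Write-Host ('Bound {0} (thumbprint {1}, expires {2:yyyy-MM-dd}) to "{3}" with SNI.' -f `
            $HostName, $cert.Thumbprint, $cert.NotAfter, $SiteName)
```

The printed expiry date is worth recording in the same renewal reminder workflow mentioned above, since a binding keeps serving an expired certificate until someone replaces it.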

Next time, I will tell you about an easy way to make sure IIS is the most secure it can be.