• How not to send a security alert

    Today at around 5:30 pm, I received an email from one of our software vendors (I won't mention their name so that their other customers can apply the software patch) notifying us of a critical security vulnerability. The message looked very official from their support department. It was quite detailed about how to patch it and described the different versions that are still being used. As I'm a bit paranoid about security, I checked the email headers and then became quite concerned about the message.

    The vendor made the following mistakes in sending out this vulnerability notice:

    • The message was sent from a third-party mailing list provider so the return address couldn't be verified.
    • There was a direct download link in the email message; since the message was sent through the third-party provider, the link was actually back to the mailing list provider so that it could be tracked. I did click the link and downloaded the file, but didn't run it. It did come from the vendor.
    • There was no link to a support site to directly download the patch.
    • There was no mention of the vulnerability on the web or in their support forums.

    After a frantic message to their support folks, I was advised that it was legitimate and was able to verify that the message came from the vendor. In addition, I was told I could download the patch from the support site (I had never logged into the site before). At the same time that I sent a message to their support, I posted a message on their forums asking about this and before they deleted my message, I received a response with the same concern.

    I chatted with the person that sold us the software (a reseller for the vendor) and he indicated that I should apply the patch ASAP which I did. He agreed that this could have been better handled.

    I hope in the future, this vendor learns a lesson about how to notify its customers. I'm probably one of a handful of people that didn't just click the link and apply the patch; I guess it's part of my job to be paranoid about security.

    All I can say is wow!
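    The two header checks the post describes (does the envelope sender belong to the vendor, and do the links actually point at the vendor's site) as an added, runnable example; this is not code from the post or from the vendor. The message, the domains `vendor.example` and `listprovider.example`, and the helper names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample alert modelled on the post: From: carries the vendor's
# name, but the envelope sender and the download link go to a mailing-list
# host. vendor.example / listprovider.example are placeholder domains.
SAMPLE_ALERT = """\
Return-Path: <bounce-1234@mail.listprovider.example>
From: Vendor Support <support@vendor.example>
To: admin@customer.example
Subject: Critical security patch available
Content-Type: text/html

<html><body>
<p>Please install the patch immediately:</p>
<a href="http://click.listprovider.example/t/abc123">Download patch</a>
<p>Or visit <a href="https://support.vendor.example/">our support site</a>.</p>
</body></html>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def same_org(host, vendor_domain):
    """True if host is the vendor domain itself or a subdomain of it."""
    host = (host or "").lower()
    return host == vendor_domain or host.endswith("." + vendor_domain)


def triage_alert(raw, vendor_domain):
    """Flag an envelope sender (Return-Path) outside the vendor's domain and
    any link whose host is not the vendor's: the unverifiable return address
    and the tracking-redirect download link the post ran into."""
    vendor_domain = vendor_domain.lower()
    msg = message_from_string(raw)
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    links = HREF_RE.findall(msg.get_payload())
    off_vendor = [u for u in links if not same_org(urlparse(u).hostname, vendor_domain)]
    mismatch = not same_org(rp_domain, vendor_domain)
    return {
        "from_domain": from_domain.lower(),
        "return_path_domain": rp_domain.lower(),
        "envelope_mismatch": mismatch,
        "off_vendor_links": off_vendor,
        "suspicious": mismatch or bool(off_vendor),
    }
```

    A mismatch here is a reason to confirm the notice through the vendor's own support site, as the post did, rather than to trust or dismiss it outright; a production check would also read the Authentication-Results (SPF/DKIM) header, which this sample does not.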

  • Looking for organization

    I've been looking for a way to keep everything I have to do organized for years. I flip-flop between systems, sometimes online, sometimes paper, sometimes just desktop-based. Unfortunately I never use a system for more than a few weeks before I forget about it. I'm taking another stab at this and have started using a program called The Hit List which I got as part of the MacHeist bundle I bought. It's simple to use, lets me have multiple lists, organize my lists into folders, and syncs with iCal. The thing about syncing with iCal, in theory, is that I could sync my tasks from my Pre to our Zimbra server and then to iCal which would dump them in my Inbox in The Hit List. If I was not home, I'd enter a task and it would appear in The Hit List; that could work. However, the Pre doesn't seem to want to sync Tasks with our Zimbra server.

    Let's see if I can stick with this for a while; it definitely won't be a shortcoming of the program if I can't stick with it as it has all the features needed for a good task management program.

    On a side note, Andy Kim, the author of The Hit List, created the Potion Store application that I used to sell ReceiptWallet for about 2 years. It had such a great, simple interface that I instantly fell in love with it. Within about 2 days of finding it, I learned enough Ruby on Rails to modify the application, integrate my registration system, and had it running for sales. Thanks, Andy, without Potion Store, I don't think ReceiptWallet would have been so successful!

  • Sucked into Twitter

    I'm not much of a social networking kind of person, but signed up for Twitter in October of 2007 to get the updates that KPBS was putting out for the fires. Since then my account has been pretty idle, except for the few "tweets" I posted to get free software (some call it spamming, but for my 1 or 2 followers, no one really cared).

    I asked a friend of mine the other day how to officially report Palm bugs and he said to post on PreCentral or Twitter to @palm and I might get a response (turns out the correct way seems to be to post on the Palm forums). So now that I've posted a few "tweets", I'm kind of drawn into reading some of the quick things that a few people have to say. It kind of seems like a waste of time to use Twitter, but it's providing me with some useful information about the Pre and Google Voice (2 of the topics I follow).

    Will I start using Twitter instead of blogging? Unlikely as my blog serves as a journal for me and I'm not usually so concise that I can put my whole thought in 140 characters.

    I still haven't been sucked into Facebook, but the Pre's Synergy could make it interesting. Just what I need, something to make me spend more time on the computer!

  • More pricing inaccuracies

    Almost 2 years ago, I wrote about price scanner inaccuracies at Target. Well, I was a victim of pricing inaccuracies again. This time, it was at one of my least favorite stores, Fry's Electronics. I try to avoid Fry's, but sometimes they have decent deals and some things are easiest to get there. A few weeks ago, I needed some CD-Rs and Fry's had them on sale. While I was getting the CD-Rs, I saw some DVD-R DLs for a really good price. The shelf tag said $17.95, so I picked them up.

    When we got to the checkout, it rang up as $24.95. I ran back and brought the tag back. The tag actually said the deal had expired, but the cashier said they'd honor it. The cashier asked for our name and had to get it approved by a manager. After waiting around for more than 5 minutes, we just left without the DVDs.

    I contacted the San Diego County Agriculture/Weights & Measures department. I was told that Fry's had to honor the price on the shelf tag no matter what the expiration date said on the tag; California Business and Professions Code Section 12024.2 (a) (2) "notwithstanding any limitation of the time period for which the posted price is in effect". The department contacted Fry's and Fry's said that they'd make things right for me. I contacted Fry's and was told to come in, speak with the manager, and get the DVD-R DLs for the $17.95 price. To me, this doesn't quite seem like making it right. I'd have to go in and wait around for the manager to fix the price. This is precisely the reason why I left; it took too much time to correct the matter!

    From what I've read, it's probably good that I didn't get these as the reviews on this particular media are pretty poor.