Adam Rice

My life and the world around me

Tag: web

.Mac—a missed opportunity

A post on oreillynet got me thinking about .Mac, Apple’s online thingy for Mac users. Apple recently updated it, and while the updates are nice enough, I think Apple is missing an opportunity.

I don’t know how many people use .Mac. I get the impression that not many do. It seems overpriced for what you get. So what do you get? An e-mail address and web mail. Online photo galleries and web pages. Remote backup, storage and (for some apps) syncing. Apple just increased the available storage from one gig to ten, and added some other features—“groups” (sort of like Yahoo Groups or Google Groups), domain-name hosting, and upgrades to the existing features (the photo album is pretty slick).

All this for the not-very-low cost of $100/yr. Apple is competing with two other alternatives here: free and generic.

There are free groups, free photo hosts, free mail services, free blog hosts, and so on. Of course, these are all ad-supported. And they’re good: Gmail’s webmail is considered by some to be the best mail client out there—web-based or local. It’s hard to compete with free, especially when it’s as good as it is. Admittedly, a lot of people get a little creeped out by having their data mined by Google, and putting their entire digital lives in Google’s hands.

On the generic side, for the price of a .Mac subscription or less, you can get a web-hosting account that gives you access to a Unix shell, more storage space (at Dreamhost, which notoriously oversells, I’m getting something like 250 GB of storage, of which I barely use 1%), web-based management tools, and access to the whole panoply of web-side apps, like WordPress, Drupal, Gallery, and so on. So it is possible to duplicate most or all of what .Mac does using open-source software that gives you more control and potentially broader functionality. Not everyone wants that level of control or needs all those features, but there are a lot of WordPress and Movable Type blogs out there, a lot of bulletin-boards and community sites, and so on. Clearly it’s not a small market, and I’d bet it’s a lot bigger than .Mac.

So, given that .Mac is not free and does not offer the same level of functionality as the other options, what does it offer? I see two things: All the templates for information hosted on .Mac look great (although the underlying HTML can be scary), and it has good integration with the client. Pretty much what you’d expect from Apple.

.Mac has been around in some form since the Internet first caught fire, and at that time, the kinds of things that regular folks would want to do online were not well-established. .Mac (originally “iTools”) was speculative in that sense. Some things, like photo galleries, turned out to be correct. (Although even there, flickr has shown us how photographs can be the nexus for communities, in a way .Mac can’t approximate.) Others, like remote backup, haven’t really panned out yet because A) the service doesn’t offer a meaningful amount of storage, and B) most of us don’t have a sufficiently fast upstream connection to make it practical. .Mac has changed and expanded its services, but hasn’t always kept pace with trends in Internet usage.

The recent updates to .Mac seem nice, but do not tempt me. What would tempt me would be if Apple offered the same slick client-side integration, but tied into a more generic hosting service—one where I can install a WordPress blog or a Drupal CMS.

Security hole at my mortgage holder

I was just paying my mortgage online, at the website of my note-holder. Their online-payment system is set up so that once you log in, you are presented with an on-screen facsimile of a check, where you fill in the amount, routing number, and account number of the paying bank. Below that is a field for the last four digits of your SSN and an e-mail address to send a confirmation notice to.

Well, I actually fat-fingered my SSN today, and the page immediately popped up an alert that I had entered my SSN wrong. It seemed that there had been no round-trip to the server to check that, so I checked the page’s source code. Sure enough, I saw this:
    function validateSSN1()
    {
        if (document.Form1.txtssn.value != "the actual last four digits of my SSN here" && document.Form1.txtssn.value != "the actual last four digits of Gwen's SSN here" )
        {
            document.Form1.txtssn.value = ""
            document.Form1.txtssn.focus();
            alert("Your entry did not match our records. Please enter the last four digits of your social security number.");
            return false;
        }
        else
        {
            return true;
        }
    }

Embedded right there in the page asking me for the information is the very information it is asking me for. That’s just a bad security practice in general, but it’s especially bad considering the information in question. Now, admittedly, nobody should be able to get access to my account in the first place, but if they do, the damage they should be able to do should be limited to that website. But the last four digits of the SSN are so widely used as a shorthand identifier these days that the potential for mischief is much more widespread.

I have notified the bank, and will not mention their name just yet.
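For contrast with validateSSN1() above, here is a sketch of the same check done on the server, so the expected digits never appear in the page. This is an added example, not code from the original post or from the bank; the account id, the sample digits, the lockout threshold and the function names verifyLast4 and renderForm are all assumptions made for illustration.

```javascript
// Added example (Node.js): server-side replacement for a client-side SSN check.
const crypto = require("crypto");

const MAX_ATTEMPTS = 3;                     // assumed lockout threshold
const SERVER_KEY = crypto.randomBytes(32);  // stand-in for a key loaded from a secret store

// Keep a keyed digest server-side rather than the digits themselves.
function digest(last4) {
  return crypto.createHmac("sha256", SERVER_KEY).update(last4).digest();
}

// Constructed sample record: one account with two borrowers (digits are made up).
const accounts = new Map([
  ["acct-1", { ssnDigests: [digest("1234"), digest("5678")], failures: 0 }],
]);

// Called by the form's POST handler; the browser only ever learns ok / not ok.
function verifyLast4(accountId, submitted) {
  const acct = accounts.get(accountId);
  if (!acct) return { ok: false, reason: "unknown" };
  // Only 10,000 possible values exist, so cap guesses before comparing anything.
  if (acct.failures >= MAX_ATTEMPTS) return { ok: false, reason: "locked" };
  let match = false;
  if (/^\d{4}$/.test(String(submitted))) {
    const candidate = digest(String(submitted));
    // Check every stored digest with a constant-time comparison, no early exit.
    for (const stored of acct.ssnDigests) {
      if (crypto.timingSafeEqual(stored, candidate)) match = true;
    }
  }
  if (match) {
    acct.failures = 0;
    return { ok: true };
  }
  acct.failures += 1;
  return { ok: false, reason: "mismatch" };
}

// The page sent to the browser validates format only and carries no account data.
function renderForm() {
  return '<form name="Form1" method="post" action="/pay">' +
         '<input name="txtssn" inputmode="numeric" pattern="\\d{4}" maxlength="4" required>' +
         "</form>";
}
```
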

© 2017 Adam Rice
