Staying the Course

Every so often–especially when I’m having trouble coming up with something to post about–I’ll read through some of the blog’s archives. And, yes, today was one of those times. I spent an hour or so browsing through the posts from mid-2017 and, geez, not much has changed.

I mean, yes, there were some highlights: getting my author’s copies of The RagTime Traveler, Rufus integrating himself with the rest of our menagerie, watching the Mariners come from behind to beat the As in extra innings (with no Manfred Man!).

Some lowlights as well, naturally. Valerian and the City of a Thousand Planets, Senator McCain leaving the hospital to vote against making medical care more widely available, and the reminder of how little time we would have with Rufus.

But there’s a lot that I could have written in the past couple of months. The public’s increasing willingness to rush to judgement without evidence. The Mariners flirting with .500 (though this July, it’s Baltimore instead of Seattle). Apple trying to pass of incremental changes as revolutionary. Illegal fireworks. People claiming the inclusion of women in significant roles destroys their childhood memories.

Does this mean I’m stuck in a rut, or that everyone else is?

But all that aside, one post caught my attention. No, not the thing about the Project Fi Travel Socks (though, in keeping with the theme here, I’ll note that I still have ’em and wore ’em on last month’s trip to Sedalia). No, it’s the part about the Sedalia Holiday Inn Express’ horrid approach to computers and computer security.

Because five years after I wrote that post, the situation is even worse.

The Wi-Fi still offers the same three choices for signing on. Only now the HIE Club members’ method explicitly states that no password is needed. And you still need to log on multiple times over the course of your stay–though to be totally fair, the frequency has dropped to daily, rather than “every time you leave and come back”.

But the worst was that “Business Center” in the lobby. During our entire stay, I never saw anyone using them. Not once. And I don’t blame my travelers a bit. The only reason I tried them was to print boarding passes for our flight home*. And I mean “them” literally: I tried both computers.

* Yes, I know one can check in via smartphone and get the boarding pass there, too. I’m sure that’s what everyone else staying at the HIE did. But I needed paper passes. For reasons.

One of them wouldn’t turn on. At least that one’s not going to be giving away anyone’s credit card information. The other had a distinctly green screen, suggesting either an about-to-die video card or a really, really bad VGA cable. Either way, annoying but ignorable for my purposes. However, five minutes after I turned it on, I was still waiting for it to load the Windows desktop. And I mean literally five minutes, which means either a failing hard drive, a full-to-the-point-of-explosion hard drive, or an operating system crammed full of malware and harmless-but-unnecessary software. Or all three.

At that point, the helpful woman behind the registration desk offered to let me use her computer. Yes, the one that gives full access to HIE’s reservation system and all of that lovely customer data–including credit card numbers. Oy.

I didn’t lecture her. I thanked her profusely and tried to use the browser tab she helpfully opened for me before she turned away to talk to my mother. Oy, again.

Alaska Airlines refused to let me check in. Why? Because that browser was Internet Explorer, which is now officially unsupported by Microsoft and about to be removed from millions of Windows computers around the world. Oy, a third time.

Add a fourth “oy”, because there was nothing–including the helpful woman–stopping me from opening Edge to, you know, actually do what I needed to do. I could have opened any other program on that machine, or gone to any website in the world, and installed anything I wanted to.

I still didn’t lecture her. I checked in, printed our boarding passes*, thanked the helpful woman again, and went up to the room.

* By the way, there’s still no printer in that so-called Business Center. I suspect those machines are still network-connected to the printer I used under the front desk. Which implies that those printers are on the same network as every other computer in the hotel. So all of the malware on the Business Center computers has completely unimpeded access to the reservation system.

Ethically, I probably should have said something about the hotel’s inexcusable laxity, but what could she have done? She’s only a pawn in HIE’s corporate structure. Not that she would have understood why any of the issues were issues; in the few words we exchanged, it was clear that her computer knowledge is limited to turning on the computer she let me use and using HIE’s reservation system. I couldn’t spend the necessary hours to explain the basic concepts of access control, hardened perimeters, and software vulnerabilities, even if I thought she’d sit still for it.

Oh, and that green-screened “Business” computer? I checked on it as I went past. It had finally brought up the desktop, but was still struggling to open Microsoft Teams, Skype, and–I kid you not–Steam. Wait, it gets even worse. There was a Minecraft icon on the desktop and a recovered Chrome tab for a bank–with a user name and password prefilled in the Login fields, thanks to Chrome’s ever-helpful password manager.

Change. Who needs it, right?

WQTS 11

Would you believe there’s a WQTS (Who QAed This Shit) story with a happy ending?

I’ll get there. But first, a tale that’s not so much WQTS as WTTWAGI (Who Thought This Was a Good Idea).

I’m calling out the Holiday Inn Express in Sedalia for gross violations of common sense in their handling of technology. And, just to be perfectly clear, I’m not talking about HIE hotels in general. As far as I know, these problems are unique to that particular location.

Let’s start with the hotel Wi-Fi. Finding good Wi-Fi in a hotel is a rare event, one that should be celebrated with parades and (hopefully brief) speeches by elected dignitaries. The Sedalia Holiday Inn Express’ Wi-Fi is not that sort. To be fair, once you get connected, it’s no worse than many other hotels’. It’s just that getting to that point is by far the worst experience I’ve had with, not just hotel wireless, but any public wireless.

Like most such, the SHIE uses a “captive portal” setup: once you connect, a web page launches, allowing you to enter whatever login credentials are needed. Many hotels either ask for your name and room number or a global password which changes periodically. The page is generally simple so it can display cleanly on anything from an old phone to a modern laptop.

SHIE has a huge page filled with text. That’s necessary because it offers three different ways to log in. Three.

There’s the traditional “last name and room number”.

There’s a numeric code. The web page calls it a PIN, but the envelope your room key comes in calls it an “Internet Access Code”. Calling the same thing by different names is just asking for trouble.

And there’s the third method, which requires half-again as much screen space as the other two combined. That’s because it’s only available to Holiday Inn Express Club members, and the portal login page has to explain all of the benefits of club membership, only one of which the ability connect to the Wi-Fi in any HIE hotel with your email address*.

* No password, at least not on the login page–I’m not a HIE Club Member, so I didn’t try to go any further–but the text strongly implied that all you need is your email address. Which means that if you know an HIE Club member’s email address, you can get all the free Wi-Fi you want in Sedalia. Assuming you want hotel-quality Wi-Fi. I wouldn’t want to download illegal images on something that slow, but if I wanted to launch a virus, how better than to do it through a hotel using someone else’s email address?

The login methods, all crammed onto the one login page. Any half-way competent user interface developer or QA engineer will tell you that having multiple methods of doing the same thing risks confusing your users. And indeed, while I was checking in, there was a couple at the front desk asking for help connecting their laptop to the wireless*.

* They were looking for where to enter that Internet Access Code. Remember, the page calls it a PIN. At least on a laptop they could see the whole page. Imagine how much zooming and scrolling they would have had to do on a phone before they even arrived at that level of confusion.

For the record, the desk clerk couldn’t help them. She had to call the “technical expert”. I left before I got to overhear that conversation. Must have been a doozy.

And don’t forget, by the way, that the portal was set up so you had to re-enter your login information every time you reconnected to the Wi-Fi. Go to dinner? Re-enter. Lose signal? Re-enter.

But enough about the wireless. Let’s move on to the computers in the so-called “Business Center” in the lobby. The hotel is very proud to have Microsoft Office on the computers. So proud, they put up a sign advertising it. And, to be fair, it’s a big step up from last year, when the only software on those machines was Windows itself. But let’s face it: Office is the least you can expect to find on the computers in anything that calls itself a Business Center.

I was impressed to see that the computers were running Windows 10. I was rather less impressed to see that they needed a password to use. Why bother? It’s not like the hotel was exercising any control over who uses the machines. I asked for the password at the desk–and note, by the way, that there were no signs telling would-be users how to get the password. Amazingly, the clerk knew it. It’s all lower-case, with no digits or punctuation, and it’s one of the first three words anyone of even moderate intelligence would try–and it’s not “password” or “guest”. I don’t know if they’re supposed to confirm that users are staying in the hotel, but if so, she didn’t.

So if you’re not limiting usage, why put passwords on them? If you want to exercise enough control to keep kids from tying the up all day playing games, just have the clerks glance in that direction occasionally. The computers sit in the lobby, no more than ten feet away from the front desk.

And it’s not like the password prevents people from mistreating the machines. I couldn’t use the first one I tried because some prankster had changed the password and locked everyone out of the machine. On the other machine, someone had created his own account, presumably so he wouldn’t have to remember the hotel’s password.

On many public computers, the USB ports are disabled to keep people from installing malware. Well-designed Business Centers have heavy-duty virus protection, but allow you to use the USB ports to transfer your work from your laptop to the computer. SHIE found a different security method: they put the computers under the desk, forcing users to crawl around on the floor to plug in a thumb drive. OK, so it’s not totally effective security, but it’s better than nothing.

The final blow? There’s no printer in the Business Center. Instead, there’s a networked printer hidden somewhere behind the front desk. Can you imagine what your corporate information security team is going to say about you using that printer to run off last-second changes to your presentation about buying the Holiday Inn chain?

sigh

OK, ready for that happy ending? This one really is a WQTS story.

This time last year, I wrote about Project Fi and how pleased I was with it.

I’m still happy with Project Fi, and when I heard about the Project Fi Travel Trolley shortly before my Sedalia trip I was totally charmed.

The Trolley, in case you haven’t already heard about it, is a glorified vending machine set up in several major airports around the US. It’s stocked with small items that might be of use to travelers: USB cables, luggage tags, sleep kits, playing cards, and–the real prize–fuzzy travel socks. Project Fi customers can get a free goody just by tapping their phone against the kiosk. The kiosk and your phone use NFC to validate your Fi account and generate a QR code. The kiosk then scans the code and dispenses the prize you wanted.

That’s the theory. In practice, somebody missed a bug.

Either there’s a hidden problem in the kiosk’s NFC reader, or nobody thought to test the scenario where a customer has more than one account on their phone.

Maggie and I both have two accounts on our phones. When we tried to use the Trolley, instead of getting QR codes, we got an endless series of browser windows opening, each of which informed us that we were logged into the wrong account. Logging into Google with the correct account did no good. Neither did any of several other methods we tried to convince the system we were Project Fi customers.

No fuzzy travel socks for us.

Our trip wasn’t ruined. Somehow we soldiered onward, cold toes notwithstanding. (For the record, temperatures in Sedalia were in the high eighties. Frostbite was not a significant concern.)

The happy ending?

I reported the problem to Project Fi support, who referred me to Swyft, the company that manufacturers and supports the Travel Trolley kiosks. Within minutes, I received an apology for the “bad experience,” an assurance that the issue will be investigated, and a promise to send us socks.

Now, it might just have been a bedbug letter. We’ll find out next time I fly through an airport with a Travel Trolley–I fully intend to see if they’ve come up with a fix. One can never have too many sleep masks and earplugs, after all.

But I’ll take a Happy Ending For Now–as long as I really do get my socks.