<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;CEEMQnY5eSp7ImA9WhRUFUk.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632</id><updated>2012-01-25T17:51:23.821-08:00</updated><category term="Python" /><category term="google app engine" /><category term="C or C++ programming" /><category term="Nearby Metars" /><category term="PCI" /><category term="java" /><category term="cloud computing" /><category term="Flying Adventure" /><category term="politics" /><category term="customer service" /><category term="tutorial" /><category term="random" /><category term="parenting" /><category term="flight check list" /><category term="Perl" /><category term="symantec" /><category term="Flying Adventures" /><category term="family trip" /><category term="opinions" /><category term="vupen" /><category term="google chrome" /><category term="PHP" /><category term="Algorithm implementation" /><category term="android" /><category term="information security" /><category term="welcome" /><category term="PIPA" /><category term="new technology" /><category term="travelocity misadventure" /><category term="V8 JavaScript Engine" /><category term="norton anti-virus" /><category term="PA-DSS" /><category term="SOPA" /><category term="national strategy on trusted identities in cyberspace" /><category term="Symfony Web PHP Framework" /><title>Home+Power</title><subtitle type="html">Musings of a Jesus Freak/husband/father/private pilot/software engineer.</subtitle><link rel="http://schemas.google.com/g/2005#feed" 
type="application/atom+xml" href="http://www.homepluspower.info/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://www.homepluspower.info/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>37</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/KeithsProgrammingBlog" /><feedburner:info uri="keithsprogrammingblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry gd:etag="W/&quot;CEEMQnY4fCp7ImA9WhRUFUk.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-6552215269990287914</id><published>2012-01-25T17:43:00.000-08:00</published><updated>2012-01-25T17:51:23.834-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-25T17:51:23.834-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="symantec" /><category scheme="http://www.blogger.com/atom/ns#" term="opinions" /><category scheme="http://www.blogger.com/atom/ns#" term="norton anti-virus" /><title>pcAnywhere Source From 2006 Still Alive and Kicking</title><content type="html">Today, Symantec &lt;a href="http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf"&gt;announced&lt;/a&gt; that users should stop using pcAnywhere until a patch is 
released. Lisa Vaas summarized the risks from the white paper in &lt;a href="http://nakedsecurity.sophos.com/2012/01/25/symantec-stop-pcanywhere/?utm_source=twitter&amp;amp;utm_medium=gcluley&amp;amp;utm_campaign=naked%2Bsecurity"&gt;this "Naked Security" post&lt;/a&gt;.&amp;nbsp;A few weeks back we learned that parts of the &lt;a href="http://www.homepluspower.info/2012/01/is-it-really-norton-av-source.html"&gt;source code for Symantec’s Norton Anti-virus&lt;/a&gt;, and pcAnywhere, were leaked out by a group called Lords of Dharmaraja. They claim that they took the source from India’s Military intelligence servers.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
I'm not going to rehash what she wrote here because that's not what I want to focus on. Instead, I want to focus on the lifetime of certain chunks of source code--particularly of enterprise-class source code. The second paragraph of the white paper is the key here:&lt;br /&gt;
&lt;blockquote class="tr_bq"&gt;
We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.&amp;nbsp;&lt;/blockquote&gt;
&lt;blockquote class="tr_bq"&gt;
With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits.&lt;/blockquote&gt;
Admittedly, I think the first sentence of this paper wasn't worded correctly because it gave the impression that the source was stolen way back in 2006; honestly, that is highly doubtful, or I wouldn't be discussing this on my blog today.&lt;br /&gt;
&lt;br /&gt;
Here's the real hard truth about software: the source code evolves as long as that software is being developed. Software is being developed as long as new versions are being released--whether it be to add or remove features (well, mostly add), or to patch bugs in them. However, the core functionality will never change. Even if a complete software rewrite is done, it's not really a complete rewrite. Someone in the development team--usually the person who was working on the last version before the so-called rewrite--will copy parts of code from the old source code.&lt;br /&gt;
&lt;br /&gt;
The issue with pcAnywhere is "the encoding and encryption elements within pcAnywhere are vulnerable." This shows that the encryption system within pcAnywhere is pretty solid, since what finally broke it was the release of the code. The pcAnywhere team has been using the same encoding and encryption source code for 6 years. Not only that, it went along when pcAnywhere was integrated into three other products. Whoever designed and coded those did a really good job.&lt;br /&gt;
&lt;br /&gt;
So, what is the lesson learned here? First, core functionalities rarely ever change. The implementation may change, but the logic flow will pretty much be the same, especially if it's optimized. Second, code reuse done right is a good thing, even if it leads to a security risk. In this case, this is counter-intuitive; however, once the encoding and encryption module is redone (I think they'll be switching to a different algorithm for this one) all supported versions of pcAnywhere, including the bundled ones, are fixed too.&lt;br /&gt;
&lt;br /&gt;As for the encoding and encryption modules from 2006: well, the final curtain has finally come down on it. I think it's safe to say that Symantec is proud of them and they have left a lasting legacy in the revision history of pcAnywhere.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-6552215269990287914?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/pzvxktJqW5M" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/6552215269990287914/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2012/01/pcanywhere-source-from-2006-still-alive.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/6552215269990287914?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/6552215269990287914?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/pzvxktJqW5M/pcanywhere-source-from-2006-still-alive.html" title="pcAnywhere Source From 2006 Still Alive and Kicking" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2012/01/pcanywhere-source-from-2006-still-alive.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;C0AHRXg-eip7ImA9WhRVGU4.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-8266666723974399646</id><published>2012-01-18T16:08:00.000-08:00</published><updated>2012-01-18T16:08:54.652-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-18T16:08:54.652-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="SOPA" /><category scheme="http://www.blogger.com/atom/ns#" term="PIPA" /><category scheme="http://www.blogger.com/atom/ns#" term="opinions" /><category scheme="http://www.blogger.com/atom/ns#" term="politics" /><title>Alternative to SOPA/PIPA</title><content type="html">It's beginning to look like the politicians in Washington are hearing the people and are backing away from supporting SOPA/PIPA. The law is not completely dead yet, it may be stumbling around like a drunk but it's still breathing. What I haven't heard from those who are opposing these 2 bills are alternatives. What are Google, Microsoft, Facebook, Twitter, and others willing to do to help curb piracy? What are the public in general willing to do to help curb piracy?&lt;br /&gt;
&lt;br /&gt;
Piracy is robbery, whether you're robbing the RIAA, MPAA, CCLI, or the independent artist selling his work on iTunes or Amazon (I'm not saying that these groups are necessarily supporting SOPA/PIPA; I'm just saying these are the groups that will benefit from it). Sure the members of RIAA, and MPAA may have more money than the other 2 but that's not an excuse to rob them. How would you like it if you were being robbed by someone who earns less per hour than you do?&lt;br /&gt;
&lt;br /&gt;
I think the only real way to fix this is if everyone pitches in. That means the entertainment industry needs to be willing to sell their products at a price that the general public can generally afford. In turn, the public should go ahead and patronize these artists.&lt;br /&gt;
&lt;br /&gt;
Here's my personal take on it from my perspective: I'm okay buying a single for $0.99 and an album for $10.00. As long as I can use it according on the provision of the &lt;a href="http://en.wikipedia.org/wiki/Sony_Corp._of_America_v._Universal_City_Studios,_Inc." target="_blank"&gt;Sony v Universal case&lt;/a&gt;. If I go to a concert I'm okay paying about $40.00 a person for a mid-level seating--but please put&amp;nbsp;cushioned&amp;nbsp;seats. I want the food at the concession stand to be at the same price as it would cost me if I bought it at a comparable fast food facility (in short, if I buy a burger, fries, and drink combo it shouldn't cost me more than $8). Oh, and one more thing, I don't want to have to pay for parking unless you'll be providing Disneyland-style shuttles from the parking lot to the ticket booth.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-8266666723974399646?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/C4zDKSaLNR0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/8266666723974399646/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2012/01/alternative-to-sopapipa.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/8266666723974399646?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/8266666723974399646?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/C4zDKSaLNR0/alternative-to-sopapipa.html" title="Alternative to SOPA/PIPA" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image 
rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2012/01/alternative-to-sopapipa.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D08CSH8zcCp7ImA9WhRVGUw.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-8897873893490320798</id><published>2012-01-05T20:50:00.001-08:00</published><updated>2012-01-18T11:44:29.188-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-18T11:44:29.188-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="symantec" /><category scheme="http://www.blogger.com/atom/ns#" term="norton anti-virus" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title>Is It Really the Norton AV Source?</title><content type="html">As stated in &lt;a href="https://www.infosecisland.com/blogview/19200-Symantec-Confirms-Source-Norton-AV-Code-Exposed.html"&gt;this article&lt;/a&gt;, Symantec has confirmed that the source code that Yama Tough provided to Infosec Island is indeed a portion of Norton Anti-virus source code. Yama Tough also posted on Google+ a link to what they claim to be a portion of NAV source code (since I didn't see the contents of the file(s) provided to Infosec Island I cannot confirm whether the code I have is identical to what Symantec confirmed to be the code). &lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;I have done some analysis of that code and it would appear to be from Symantec based on the copyright information posted at the top of the files. Due to the sensitive nature of this, I will not provide detailed information to back up my observation of the floated code. Please note that this is &lt;i&gt;not&lt;/i&gt;&amp;nbsp;a detailed analysis of the source code.&lt;br /&gt;
&lt;br /&gt;
First, the code appears to be from an antique version of NAV running on an antique Windows version. If this OS is running in your organization you deserve to get your servers broken into. Second, and this is the best part, the archive file that Yama Tough floated does not contain any code that does the actual scanning for viruses. That's the good news, now for the part that would keep me awake tonight if I were a developer in the Norton Anti-virus team.&lt;br /&gt;
&lt;br /&gt;
The archive file contains enough code that would make certain parts of Norton Anti-virus, not necessarily downright not work, but send it into a "fat, dumb, and happy" state of operation. What I mean is NAV could be put in a state where it believes that it did certain actions; but, in reality it was either looking at something else or things not really happening as it thought it should. This would be like a parent trying to divert their child's attention so they don't start doing things you don't want them to (like my oldest son insisting that he sits on my lap while I was reading the NAV source code).&lt;br /&gt;
&lt;br /&gt;
There's a rather interesting behavior that I'm seeing Yama Tough exhibiting. They seem to be going out&amp;nbsp;of&amp;nbsp;their way to gain publicity. Anonymous may have started this whole trend, but they pretty much did a dump and run. They never really went out of their way to offer "right of primma notte" or go on publicly posting to sites like Infosec Island. I have two questions about Yama Tough: First, did they stumble on a &lt;a href="http://en.wikipedia.org/wiki/Honeypot_(computing)" target="_blank"&gt;honeypot&lt;/a&gt;&amp;nbsp;and have realized their mistake, so now they are making lots of noise in the hope that the Indian military intelligence will be careful not to harm them? Or, is this really an Indian government operation in retaliation to US companies slowly moving to China and leaving India?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-8897873893490320798?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/EENXlJW4PjU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/8897873893490320798/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2012/01/is-it-really-norton-av-source.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/8897873893490320798?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/8897873893490320798?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/EENXlJW4PjU/is-it-really-norton-av-source.html" title="Is It Really the Norton AV Source?" 
/><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2012/01/is-it-really-norton-av-source.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkQGQHY-cSp7ImA9WhRSGU4.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-5480481704108707725</id><published>2011-11-21T16:20:00.001-08:00</published><updated>2011-11-21T21:05:21.859-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-21T21:05:21.859-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="opinions" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title>Free From Defect Software License</title><content type="html">I have been writing open-source software on the side for quite some time now (see my &lt;a href="https://github.com/keithmendozasr" target="_blank"&gt;github profile&lt;/a&gt;). I've used both GPL and the Apache licenses for my work. The flip-flopping between the licenses is mainly caused by me feeling that a particular license meets my target audience. The one item that bothers me--in fact all software licenses carry this--is the "no warranty" clause. I personally think that it's high time that the software developers take on the challenge of providing a guarantee that their software will work as designed. &lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;That all necessary due diligence has been done to make sure that the software does not contain bugs that could lead to loss of data or a security breach. Back in the days of card punches software was written once and basically worked. As storage got cheaper, everyone got reckless and quality basically went down the drain as more development frameworks started providing the proverbial kitchen sinks.&lt;br /&gt;
&lt;br /&gt;
I've begun work on a JavaScript-based web application framework that I've called &lt;a href="https://github.com/keithmendozasr/flat8/wiki" target="_blank"&gt;Flat8&lt;/a&gt;&amp;nbsp;and I'm going to take the moral high ground by licensing it in a way that basically says "I've done my best to test and secure the software that I'm writing. If a bug/defect is found, then I intend to fix it after so many days." Why am I doing this? Because I feel that software developers are capable of doing this; so I'm going to be the first to do it and I hope that others will follow. If I actually pull it off, I hope that others will see that it indeed can be done; if I fail, then I hope that others will learn from my mistake.&lt;br /&gt;
&lt;br /&gt;
This is a question that I would like to pose to the open-source software community in general: Assuming that we can ignore the lawyers for a second, what amount of effort would you be willing to put to produce software that is free of defect from workmanship? How will you go about making sure that your software is indeed free from defect? Here is my list that I came up with:&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;A clear list of requirements will be produced, documented, and agreed on.&amp;nbsp;Any assumptions taken will be documented.&lt;/li&gt;
&lt;li&gt;Thorough development documentation will be produced. Basically the architecture, detailed design, testing, and source code documentation will be produced.&lt;/li&gt;
&lt;li&gt;Complete operating manual will be produced.&lt;/li&gt;
&lt;li&gt;Software is thoroughly tested to make sure that all requirements and assumptions are tested; and the results are published to provide a benchmark for proper operation.&lt;/li&gt;
&lt;li&gt;Secure coding standards will be adhered to, and source code will go through code scan to make sure that the code is as clean as possible.&lt;/li&gt;
&lt;li&gt;SCM practices will be followed.&lt;/li&gt;
&lt;/ul&gt;
&lt;div&gt;
These are conditions that I would put in place to keep the software under warranty:&lt;/div&gt;
&lt;div&gt;
&lt;ul&gt;
&lt;li&gt;Software is not used in a way outside of the given requirements.&lt;/li&gt;
&lt;li&gt;The user followed all user documentation and has referenced the test results to confirm that their input falls within the published parameters.&lt;/li&gt;
&lt;li&gt;The provided unit and functional tests actually passed on the platform where the software is running.&lt;/li&gt;
&lt;/ul&gt;
&lt;div&gt;
I would like to hear your thoughts on this. What would you add/remove from the list? I strongly believe that if the software industry as a whole takes on a "we'll stand by our software" attitude that information security issues will go down significantly. At the end of the day everything from the BIOS, to the kernel, to the services, are all software.&lt;/div&gt;
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-5480481704108707725?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/g82S0Wm4VU8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/5480481704108707725/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/11/limited-warranty-software-license.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/5480481704108707725?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/5480481704108707725?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/g82S0Wm4VU8/limited-warranty-software-license.html" title="Free From Defect Software License" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/11/limited-warranty-software-license.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D04CQnY8fip7ImA9WhRVGUw.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-6557751875392841451</id><published>2011-10-06T23:18:00.001-07:00</published><updated>2012-01-18T11:46:03.876-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-18T11:46:03.876-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Flying Adventure" /><title>Not all landings are created equal</title><content 
type="html">&lt;div&gt;
So last Monday I was in the pattern at KSNA with a CFI to work on an issue with my landings. Lately my landings have not been as good as I wanted them to be. Somehow between the last few seconds during the flare and when the nose comes down, the aircraft tends to end up pointing either slightly to the left or right of centerline. Since I couldn't really figure out what I'm doing--or whether I'm seeing something that's not really there--I sought the help of my CFI.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;My landing issues were caused by 3 things: first, I was using the same landing technique that I got used to when I used to fly C172's; second, I was getting distracted by the G1000 PFD.&lt;br /&gt;
A DA40 and C172 are different in many ways. The DA40 is a low-wing aircraft, the other a high-wing. One has a body of a glider, the other is practically a box with wings. These differences mean a difference in sight picture, how it responds to control input, and how it responds to the wind. I had to be reminded that I have to wait a little longer before I roll out because the DA40 actually rides closer to the ground. This solved the problem of me being at an angle relative to centerline when the nose wheel touches down because I'm now actually able to see over the nose through the landing flare. &lt;br /&gt;
Being a more aerodynamic airplane means that the DA40 is actually more responsive to control input. I truly appreciated this when my CFI pointed out how he only held the tip of the control stick when I asked him to do one landing so I can focus on seeing the sight picture; and I was holding it like a baseball bat. Given that I'm not in a flying brick anymore means that the wings can move my aircraft easier. This means that I have to put more thought into anticipating what the wind will do to the aircraft. One example of this is actually leveling off on final before I'm completely parallel to the centerline, since there was a right crosswind, and already putting in crosswind correction.&lt;br /&gt;
The G1000 distraction was harder to catch. It took a few times of my CFI pointing out that the aircraft is drifting off-center before I realized that I was being distracted by the airspeed indicator. In a six-pack instrument (read old) you can't really tell the needle moved unless the speed changes by 5 knots or the altitude changes by at least 10, and you can't rely on the vertical-speed indicator to show you a change in vertical speed because of the delay. In a glass cockpit it will show a 1-digit difference. The changing of the number that I see in my periphery is what would get me looking down for no reason. During a landing the altitude should be dropping constantly once you cross the numbers on downwind. The speed may fluctuate a little, but once you have a reference on the ground it's a matter of using the sight-picture to keep your glide path.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-6557751875392841451?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/0UBGr_AEnic" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/6557751875392841451/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/10/not-all-landings-are-created-equal.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/6557751875392841451?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/6557751875392841451?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/0UBGr_AEnic/not-all-landings-are-created-equal.html" title="Not all landings are created equal" 
/><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/10/not-all-landings-are-created-equal.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkcASHs8eip7ImA9WhdWFE0.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-6597114004811712690</id><published>2011-09-07T05:52:00.003-07:00</published><updated>2011-09-07T05:54:09.572-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-07T05:54:09.572-07:00</app:edited><title>Where Are They Now?</title><content type="html">&lt;div&gt;&lt;p&gt;So the tenth year of my elementary and high school graduations have both passed a few years back. Thanks to social media I'm able to have a glimpse at the lives of the people that I literally grew up with. Some are moving along in their careers, some are getting by, some are in the process of a do-over, some have young families, while some seem to have stopped growing up after high school. One thing is for sure: I've grown apart from all of these people.&lt;/p&gt;
&lt;p&gt;At the time we all committed to stay in touch with each other; but as the days and years went on, I drifted apart from them. Our lives moved on in many different directions. New people came into my life and these relationships were put aside to make room for new ones. Some turned out to be temporary, some will definitely be there--thanks to Jesus' sacrifice on the cross--even after we all get to Heaven and forever be with our Father God who created everything, the God of Abraham, Isaac, and Jacob (thought I'd make that clear).&lt;/p&gt;
&lt;p&gt;Although I have drifted apart from many of these people, I occasionally look once in a while and simply see "where are they now?" I really don't know why I do. Maybe it's because I've been up since o'Dark 30 for no good reason. Maybe it's the same curiosity that makes reality tv such a big hit. Maybe it's just to make sure that everyone is indeed still okay.&lt;/p&gt;
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-6597114004811712690?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/OoTRbKruW6g" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/6597114004811712690/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/09/where-are-they-now.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/6597114004811712690?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/6597114004811712690?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/OoTRbKruW6g/where-are-they-now.html" title="Where Are They Now?" 
/><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/09/where-are-they-now.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUQEQ3g9fSp7ImA9WhdTFUU.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-5738789526917287802</id><published>2011-07-13T11:55:00.000-07:00</published><updated>2011-07-13T11:55:02.665-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-07-13T11:55:02.665-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Flying Adventures" /><title>Look Boss, The Airport, The Airport</title><content type="html">&lt;div&gt;I took my cousin from North Carolina, my sister, and my older son flying yesterday. On our way back, the marine layer was not playing nice and was giving me a hard time by blanketing most of Orange County with clouds.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
This flight is a dual-purpose flight: to take my cousin, and to have pictures to enter for Sunrise Aviation's photo contest (please like my pictures here and here). The original plan was to simply go to &lt;a href="http://airnav.com/airport/KFUL"&gt;Fullerton Municipal&lt;/a&gt;, take the pictures and head back. When we took off, a marine layer was already forming along the Orange County coast; so I tell everyone "I think we'll just fly around and sightsee". Considering that there's a marine layer means that it's pretty clear down below. We got to about 3500' MSL and I was able to see over the clouds, it appeared that the cloud mass was still pretty small, the it was pretty to the east. Change of plan, I decided to head to &lt;a href="http://airnav.com/airport/F70"&gt;French Valley&lt;/a&gt; and take the pictures there (mountains make for a nicer backdrop than double-stacked trains anyway). We get there and my cousin's stomach is holding on, despite misunderstanding my sister's advice not to eat 2 hours before the flight (side note: it's actually better to eat saltine crackers since at the minimum something will absorb your stomach fluids; and if you end up getting sick, you have something to regurgitate). He asked to get a snack, and I agreed; so it was fries, onion rings, and drinks.&lt;br /&gt;
&lt;br /&gt;
We take our pictures, and it was time to leave. As we were crossing Saddleback Mountain, we see an "interesting" picture: clouds from the coastline to the west-side of the mountain. I was in contact with ATC already since I wanted to take advantage of the fact that March Air Force base is generally quiet, and in turn March Approach Control is not busy. March Approach handed me over to SoCal Approach, and I had an interesting conversation with the controller:&lt;br /&gt;
&lt;blockquote&gt;SoCal: "What's your plan to get to Santa Ana"&lt;br /&gt;
Me: "I'm trying to figure that out now. How far does the cloud cover extend to Orange County?"&lt;br /&gt;
SoCal: "As far north and out to the coast. Santa Ana is using ILS"&lt;/blockquote&gt;At this point, I'm thinking either request SVFR which I doubt he'll grant me, turn back around to French Valley and stay the night--not sure where I'll be staying, or try for Fullerton. The best option was to go to Fullerton.&lt;br /&gt;
&lt;blockquote&gt;Me: "SoCal is Fullerton still VFR"&lt;br /&gt;
SoCal: "They were clear and 10 miles visibility 40 minutes ago; let me call them and ask."&lt;/blockquote&gt;After a few minutes, SoCal informs me that Fullerton has clear skies.&lt;br /&gt;
&lt;blockquote&gt;Me: "I'm diverting to Fullerton."&lt;br /&gt;
SoCal: "Roger that. If you manage to find a path under the clouds to John Wayne when you get to Fullerton you can always head back"&lt;/blockquote&gt;We fly along, and I'm talking with my sister on how exactly we're going to get from Fullerton to our parents' house. She said we can have her boyfriend pick us up, but we'll need a car seat. We decided that we're going to get a car seat so my parents can have one. We end up in a step-down descent towards Fullerton to make way for the IFR traffic heading to John Wayne.&lt;br /&gt;
&lt;br /&gt;
After we have passed the ILS approach path, the controller gives me unrestricted altitude and to contact SoCal on 121.3. I find a hole going parallel to John Wayne's runways. Looks like we're just going to have to fly about 2000' MSL from wherever we were. I see the ground, and I see the Santa Ana river; I know where I am now; I just need to look and see if I can see John Wayne airport. And like an oasis in the desert (for those who don't know, Orange County is technically a desert region, so the analogy is quite fitting) I see John Wayne airport to my left, and Mile Square park right under me.&lt;br /&gt;
&lt;blockquote&gt;Me: "SoCal, I see Santa Ana and I would like to head there" (At this point I'm not exactly sure if John Wayne is still marginal VFR or if they've gone full IFR)&lt;br /&gt;
SoCal: "Proceed to Mile Square park"&lt;/blockquote&gt;We get to Mile Square park and I report in, and SoCal doesn't respond, he's just rapidly vectoring aircraft going to John Wayne. I ask if I should switch to John Wayne tower, to which SoCal responds "2 lima sierra, sorry contact John Wayne tower on 126.8". Alright, we're almost home.&lt;br /&gt;
&lt;br /&gt;
I contact John Wayne tower who informs me to proceed for a right downwind to runway 19R. 19L is already closed, now we're really going to mix it with the big jets. As I was heading in:&lt;br /&gt;
&lt;blockquote&gt;John Wayne tower: "Please make left turns over South Coast Plaza"&lt;/blockquote&gt;Oh no, this is not going to be good for my motion-sickness prone cousin.&lt;br /&gt;
&lt;blockquote&gt;Me: "Get your zip lock bag out!"&lt;br /&gt;
My cousin: (regurgitating noise)&lt;/blockquote&gt;Now I regret warning him, he claims he got really sick when he looked down to get his sick sack. I'm flying 1000' MSL, and being more than 1 mile away doesn't appeal to me. On the other hand, I have a passenger who's not comfortable doing 30-degree bank turns. I opted to do oval turns around the mall. After 2 turns, I let John Wayne tower know of my cousin's situation:&lt;br /&gt;
&lt;blockquote&gt;Me: "John Wayne tower, be advised I have a sick passenger so if you can expedite me in I would appreciate it." (Wonder how many airline pilots got a smile to end their day out of that?)&lt;br /&gt;
Tower: "Is it motion sickness or something else?"&lt;br /&gt;
Me: "Just motion sickness"&lt;br /&gt;
Tower: "You will be following an airbus on final"&lt;br /&gt;
Me: "Did that airbus just cross the old military base?" (I saw a plane not sure what it was)&lt;br /&gt;
Tower: "He's about 5 miles out, his landing lights are just becoming visible"&lt;/blockquote&gt;Now at least I can go on a straight line, but with the clouds looming right above I can't exactly climb, so this'll have to be a slow flight on downwind. It appeared that the 5-degree nose-up attitude was more pleasant than the turns. Good, some relief, because he's about to max out the 1-gallon zip lock bag in his hand. No time to make the landing pretty, the goal at this point is to get down ASAP. I land the airplane about half-way down the runway to avoid the Airbus' wake turbulence rather firmly and exited the runway. (&lt;a href="http://flightaware.com/live/flight_track_bigmap.rvt?ident=N202LS-1310524538-93-0&amp;amp;airports=F70+KSNA&amp;amp;height=340&amp;amp;width=400&amp;amp;departuretime=1310524440&amp;amp;arrivaltime=1310526346"&gt;Here's a link&lt;/a&gt; of our flight route from Flight Aware).&lt;br /&gt;
&lt;br /&gt;
Some lessons learned from this flight:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;It's not the end of the world if things don't go as planned; keep your wits about you.&lt;/li&gt;
&lt;li&gt;The weather forecast, what you saw, and what ends up happening may not always agree.&lt;/li&gt;
&lt;li&gt;Use whatever tools you have in front of you; GPS, maps, ATC, passengers, etc.&lt;/li&gt;
&lt;li&gt;Be willing to take action on the alternative route.&lt;/li&gt;
&lt;li&gt;Let your passengers take care of their personal needs, this could be an opportunity for them to resolve a long-term issue.&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-5738789526917287802?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/G2vik46zViE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/5738789526917287802/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/07/look-boss-airport-airport.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/5738789526917287802?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/5738789526917287802?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/G2vik46zViE/look-boss-airport-airport.html" title="Look Boss, The Airport, The Airport" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/07/look-boss-airport-airport.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0YBSH4zeyp7ImA9WhZaEU0.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-8514650861693552641</id><published>2011-06-23T11:08:00.000-07:00</published><updated>2011-06-26T08:12:39.083-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-26T08:12:39.083-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="opinions" /><category scheme="http://www.blogger.com/atom/ns#" term="information 
security" /><title>The Kiddies Versus the Adults</title><content type="html">&lt;div&gt;So it appears that LulzSec and Anonymous have gained themselves a few more enemies than just law enforcement. It's starting to look like Ocean's 11 going after the shoplifters. &lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;But what does this mean to infosec in general? It means that everyone better shape up or ship out. If these juveniles are able to hit high-profile targets, we can only imagine how bad things are. Then again, major retailers beefed up their loss prevention strategies after they were&amp;nbsp;repeatedly&amp;nbsp;hit by juveniles who didn't know that trying to get the job at that retailer would only require them a few hours work to get their wardrobe upgraded to the latest fashion thanks to the discount that they could have taken advantage of.&lt;br /&gt;
&lt;br /&gt;
The true hackers are indeed not happy with what these juvenile delinquents are doing and they're doing something about it. The question is who will get caught in the cross-fire while the adults work on&amp;nbsp;corralling&amp;nbsp;these kids?&amp;nbsp;I for one hope that the true hackers will finally come into the mainstream. That the true underground will start opening the potholes and start mentoring those newbies who are willing to put the time and energy to learn and hone their skills. I don't know, maybe this is the father in me coming out. Maybe I should refrain from writing while I'm rocking my newborn to sleep so I don't show too much sympathy for these delinquents&lt;/div&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-oTKa9l7iEKE/TgLi70-kYsI/AAAAAAAAAbU/4GHScPNEgFM/s1600/2011-06-07+17.36.21.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="150" src="http://3.bp.blogspot.com/-oTKa9l7iEKE/TgLi70-kYsI/AAAAAAAAAbU/4GHScPNEgFM/s200/2011-06-07+17.36.21.jpg" width="200" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;The newborn I was rocking as I wrote this post&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-8514650861693552641?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/3NRCNPWlWtg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/8514650861693552641/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/06/kiddies-versus-adults.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/8514650861693552641?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/8514650861693552641?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/3NRCNPWlWtg/kiddies-versus-adults.html" title="The Kiddies Versus the Adults" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-oTKa9l7iEKE/TgLi70-kYsI/AAAAAAAAAbU/4GHScPNEgFM/s72-c/2011-06-07+17.36.21.jpg" height="72" width="72" /><thr:total>1</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/06/kiddies-versus-adults.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0UGQ3o7fyp7ImA9WhZaEU0.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-1338720501448312812</id><published>2011-06-21T18:03:00.000-07:00</published><updated>2011-06-26T08:13:42.407-07:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2011-06-26T08:13:42.407-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="opinions" /><category scheme="http://www.blogger.com/atom/ns#" term="cloud computing" /><category scheme="http://www.blogger.com/atom/ns#" term="Python" /><category scheme="http://www.blogger.com/atom/ns#" term="google app engine" /><title>Will Google App Engine Win The Cloud Service War?</title><content type="html">I started playing with &lt;a href="http://code.google.com/appengine/"&gt;Google App Engine&lt;/a&gt; a few weeks ago. I'm generally happy with the service. You can write your application using Java or Python, and it provides JSP and Django exclusively as the template engines. It provides a number of "services" APIs that would make developing web applications very easy. &lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;If you're writing applications that need user authentication you can either authenticate against all Google accounts, or a Google Apps domain. There is also an emulator environment that would allow development without needing a network connection. I'm not going to rehash all the features of Google App Engine; Google does a good job of that in their documentation.&lt;br /&gt;
&lt;br /&gt;
What I want to address are some glaring shortcomings in my opinion. First is the inability to modify the authentication method after application creation (issue&amp;nbsp;&lt;a href="http://code.google.com/p/googleappengine/issues/detail?id=483"&gt;#483&lt;/a&gt;). This is obviously not an issue for internal applications; however, this will be an issue for consultants whom you may not necessarily want to give an account in your domain. Google App Engine lets you add any Google user as administrator; however, if you selected to authenticate to a Google Apps domain, all administrators &lt;i&gt;must&lt;/i&gt; belong to that domain. You may think of deleting the app and then recreating it. The problem is an app-id may be on hold by Google App Engine "possibly forever."&lt;br /&gt;
&lt;br /&gt;
The second issue I see is that HTTPS does not work on a Google Apps domain; if you configure your app to use HTTPS you have to use the &amp;lt;app-id&amp;gt;.appspot.com URL. This has been filed under issue&amp;nbsp;&lt;a href="http://code.google.com/p/googleappengine/issues/detail?id=792"&gt;#792&lt;/a&gt;. Some posters to the issue have even offered to pay for the ability to use their Google Apps domain with HTTPS.&lt;br /&gt;
&lt;br /&gt;
Looking at how long these two shortcomings have been around gives one a feeling that this product is on the lowest end of Google's priority list. I think this service works best for organizations that use Google Apps. Will we see the next big web service? I would say not until Google resolves these issues.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-1338720501448312812?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/Cy44MGObpNI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/1338720501448312812/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/06/will-google-app-engine-win-cloud.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/1338720501448312812?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/1338720501448312812?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/Cy44MGObpNI/will-google-app-engine-win-cloud.html" title="Will Google App Engine Win The Cloud Service War?" 
/><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/06/will-google-app-engine-win-cloud.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0UBRnc7cCp7ImA9WhZaEU0.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-4235050305333768706</id><published>2011-05-16T12:20:00.000-07:00</published><updated>2011-06-26T08:14:17.908-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-26T08:14:17.908-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="opinions" /><category scheme="http://www.blogger.com/atom/ns#" term="vupen" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><category scheme="http://www.blogger.com/atom/ns#" term="google chrome" /><title>Vupen Security: The first Pwn Troll Business?</title><content type="html">A few days ago Vupen released a &lt;a href="http://www.youtube.com/watch?v=c8cQ0yU89sk&amp;amp;feature=player_embedded"&gt;video&lt;/a&gt; purportedly claiming that they finally pwn3d Google Chrome, followed by the ensuing back-and-forth between Vupen and Google engineers on Twitter. Vupen refuses to share their findings with Google, but have instead shared them with their customers. At this point, Google has only stated that the attack vector appears to involve Flash; which, if it's true, would mean that it's not Chrome that got pwn3d but the Flash plugin yet again.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div&gt;I don't know what credibility Vupen has left as a company in the eyes of the information security industry. Their actions are no different from patent trolls or the many script kiddies who troll around the web showing their half-baked warez. I don't know how it benefits their customers to point out that a piece of software has a security hole if they don't let the developer know what the hole is. I hope that their customers see the error of Vupen's ways and stop using their services so they can be forced to close shop and make way for other legitimate security vendors.&lt;br /&gt;
&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;If Vupen is successful in extorting money from Google, I have a feeling that we might see a breed of trolling which I will call "pwn trolling". These will be purported security organizations who will find software bugs that they can exploit and ask money from the developers or be left alone to figure out what the hole is. As the Vupen-v-Google Chrome incident has shown, the issue is not whether Vupen found something legit; the publicity is enough to cause a company to have to spend resources in having to figure out whether there is a real hole and then having to turn around to dispel the bad publicity.&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-4235050305333768706?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/Ux6_LVSf80k" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/4235050305333768706/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/05/vupen-security-first-pwn-troll.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/4235050305333768706?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/4235050305333768706?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/Ux6_LVSf80k/vupen-security-first-pwn-troll.html" title="Vupen Security: The first Pwn Troll Business?" 
/><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/05/vupen-security-first-pwn-troll.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0ENQ3Y4fip7ImA9WhZWE0w.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-4539979391731951952</id><published>2011-05-11T16:37:00.000-07:00</published><updated>2011-05-13T13:48:12.836-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-13T13:48:12.836-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="facebook" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title>Another Facebook Phishing</title><content type="html">Okay, seems like there's another phishing scam going through Facebook. The scam basically works like this: One of your friends posts a comment on your post that contains a link.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt; When you click on the link you get a warning message that the app cannot be accessed via HTTPS, and it asks if you want to access it via HTTP: first red flag. Considering that Facebook now gives you the option to browse Facebook using HTTPS, not just your login, it's rather strange that this one app cannot. You are asked to log in to Facebook again. Red flag 2, especially if you are clicking from within Facebook already.&lt;br /&gt;
&lt;br /&gt;
If you look at the screenshot, it looks just like the official Facebook login page; however, if you look at your address bar you're not on facebook.com anymore. You are now on some website based in Russia.&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-ID1_4wpj2m4/TcseySDs-vI/AAAAAAAAAaQ/IVOq4PKeEvE/s1600/Picture+4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="176" src="http://3.bp.blogspot.com/-ID1_4wpj2m4/TcseySDs-vI/AAAAAAAAAaQ/IVOq4PKeEvE/s320/Picture+4.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;I simply entered a random email address and random characters in the boxes, and what do you know it let me in. So either I'm really lucky that I got some random person's email and password combo correctly (in which case I should run to Vegas now), or they're a phishing site. As of this writing, Chrome is reporting this as a phishing site already.&lt;br /&gt;
&lt;div&gt;&lt;br /&gt;
Once you enter your login info, this pop-up comes up:&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-_lo2aWlWFfw/TcsfR1L0FHI/AAAAAAAAAaU/33VJnW4H_mQ/s1600/Picture+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="155" src="http://4.bp.blogspot.com/-_lo2aWlWFfw/TcsfR1L0FHI/AAAAAAAAAaU/33VJnW4H_mQ/s320/Picture+1.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Click okay, you get this page:&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-wFPAAlQWI4A/TcsfTXWdm0I/AAAAAAAAAaY/3Rsd0xH3kz4/s1600/Picture+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="245" src="http://2.bp.blogspot.com/-wFPAAlQWI4A/TcsfTXWdm0I/AAAAAAAAAaY/3Rsd0xH3kz4/s320/Picture+2.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
If you click the "Claim Now" links, you get sent to a page where you can enter your email address; now you see the website that's running this phishing scam: freebieape.com. Here's a screenshot of the page.&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-F08kfaejjLg/TctD1S1MoRI/AAAAAAAAAag/XD8zy4wvy0g/s1600/Picture+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="182" src="http://3.bp.blogspot.com/-F08kfaejjLg/TctD1S1MoRI/AAAAAAAAAag/XD8zy4wvy0g/s320/Picture+1.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;
&lt;/div&gt;Here's a screenshot of the disclaimer information:&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-EDJ08HEXOAk/TctD15nYOZI/AAAAAAAAAak/n508__WIHnA/s1600/Picture+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="156" src="http://4.bp.blogspot.com/-EDJ08HEXOAk/TctD15nYOZI/AAAAAAAAAak/n508__WIHnA/s640/Picture+2.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
Attempting to leave the page gives you a few of these alert boxes:&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-bwju55mVJFs/TcsfUSTIAWI/AAAAAAAAAac/O1_hLJHpiMY/s1600/Picture+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="168" src="http://4.bp.blogspot.com/-bwju55mVJFs/TcsfUSTIAWI/AAAAAAAAAac/O1_hLJHpiMY/s320/Picture+3.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;
&lt;/div&gt;From what it looks like they don't install any malware on your computer, well at least I didn't get an alert from my anti-virus. However, they are obviously stealing&amp;nbsp;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-4539979391731951952?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/fG7xWZ7M1nk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/4539979391731951952/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/05/another-facebook-phishing.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/4539979391731951952?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/4539979391731951952?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/fG7xWZ7M1nk/another-facebook-phishing.html" title="Another Facebook Phishing" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-ID1_4wpj2m4/TcseySDs-vI/AAAAAAAAAaQ/IVOq4PKeEvE/s72-c/Picture+4.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/05/another-facebook-phishing.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CkANRXo_eyp7ImA9WhZWEUk.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-8806246039860030731</id><published>2011-05-10T18:02:00.000-07:00</published><updated>2011-05-11T12:06:34.443-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-11T12:06:34.443-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="PA-DSS" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><category scheme="http://www.blogger.com/atom/ns#" term="PCI" /><title>Proposal for an All-or-Nothing Secure Software Standard</title><content type="html">The 2010 Nall Report (&lt;a href="http://www.aopa.org/asf/publications/10nall.pdf"&gt;PDF&lt;/a&gt;) shows that 70% of non-commercial and 60% of commercial accidents are caused by human error. This is because of the strict standards placed on certifying aircraft and aircraft components. When an airworthiness certificate is issued to an aircraft, the aircraft manufacturer provides a parts list of the components that make up that aircraft; if there are any components in that aircraft that are not in the parts list, the particular aircraft could be declared not airworthy (there are some circumstances when an aircraft can be flown with missing/broken parts for the purpose of getting it to a repair shop). For example, Diamond DA40s have two Garmin G1000 panels (display screens); if you replace one of the panels with the same display screen used in a Boeing 787, that aircraft is not airworthy. Is the other panel capable of displaying the same screen? I'm sure it can, but the point is a DA40 is certified to have G1000 panels. It can be flown with the 787 panel, but it will be considered experimental.&lt;br /&gt;
&lt;br /&gt;
I propose that secure software standards should be all-or-nothing. Either the software--and all of its dependencies--are compliant or the software is not compliant.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;Not owning the library, or database, will not be an excuse for failing to meet the standards.&amp;nbsp;The application developer must specify the exact dependency versions that will be used with the application to make sure that no new security holes are introduced because a newer version of some dependency was installed.&lt;br /&gt;
&lt;br /&gt;
I would even go so far as to require that&amp;nbsp;software running in the same environment as the application--starting from the OS and device drivers, all the way to things like ssh, the shell, netstat, ntpd, etc.--must also be standards-compliant. If software that is not standards-compliant is installed in that same environment, then every application will be considered non-compliant.&lt;br /&gt;
&lt;br /&gt;
I know that existing security standards such as PCI and OWASP do require that all security patches be installed on the system and that, if potential security holes in third-party software are found during the audit, a bug report be filed; however, I feel this is the biggest shortcoming of these standards.&lt;br /&gt;
&lt;br /&gt;
This gives the application owner an out: they are allowed to wait on the third party to plug the security hole. For open-source software I think it is unacceptable for the user&amp;nbsp;community&amp;nbsp;(well, the application developers to be exact) to essentially do nothing. If you are benefitting from that free software, do your share and contribute some fixes. Isn't having many more eyes looking at the code one of the biggest things open-source advocates tout? So why not bring that third-party open-source software into compliance, and provide your changes upstream for inclusion in the main release? I think it would be best for commercial software vendors to make their software standards-compliant so people will pay them for their software.&lt;br /&gt;
&lt;br /&gt;
Many will argue that this bar is very high. There are people out there who write software that has to be absolutely bullet-proof every day. They do it because they know that someone will literally lose their life if their code is not solid. I say it's about time that software developers as a whole write code knowing that lives will be ruined if they don't. Whether we like to admit it or not, when people's personal information is stolen it ruins their lives.&lt;br /&gt;
&lt;div&gt;&lt;ul&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-8806246039860030731?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/bIuuIDBZ63E" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/8806246039860030731/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/05/proposal-for-all-or-nothing-secure.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/8806246039860030731?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/8806246039860030731?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/bIuuIDBZ63E/proposal-for-all-or-nothing-secure.html" title="Proposal for an All-or-Nothing Secure Software Standard" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>1</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/05/proposal-for-all-or-nothing-secure.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkUARH08cCp7ImA9WhZXE0o.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-1292301306744775552</id><published>2011-05-02T15:10:00.000-07:00</published><updated>2011-05-02T15:10:45.378-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-02T15:10:45.378-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="PHP" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Symfony Web PHP Framework" /><title>Getting Configuration Values From A Symfony Task</title><content type="html">In Chapter 13 of &lt;a href="http://www.symfony-project.org/more-with-symfony/1_4/en/"&gt;"The More with Symfony book"&lt;/a&gt;&amp;nbsp;the section &lt;a href="http://www.symfony-project.org/more-with-symfony/1_4/en/13-Leveraging-the-Power-of-the-Command-Line#chapter_13_sub_special_options"&gt;"Special Options"&lt;/a&gt;&amp;nbsp;shows what to do so that the task is able to access values in the configuration files. What I got confused over was how I get the value in my code.&lt;a name='more'&gt;&lt;/a&gt; After a few days of poking through the Symfony source code, I realized that sfConfig::get() works just as well. The fact that my class inherits from sfBaseTask sent me on a bit of a loop, totally forgetting that sfConfig &lt;i&gt;is&lt;/i&gt;&amp;nbsp;a static class.&lt;br /&gt;
&lt;br /&gt;
After I got my head all unwound, I realized that my task doesn't have to rely on setting the 'application' and 'env' command-line parameters. sfBaseTask::createConfiguration() will allow me to specify the application and environment values. This helps me since I need to get some variable in the 'prod' and 'dev' environments so I can transfer data from one database to another. This is what the code looks like to get the value from different environments, assuming that you have a 'someconfig' configuration item in your app.yml and its value is different in the production and development environments:&lt;br /&gt;
&lt;pre class="brush: java"&gt;//Get dev configuration
$this-&amp;gt;createConfiguration('frontend', 'dev');
//Settings from app.yml are exposed by sfConfig under the 'app_' prefix
$devValue = sfConfig::get('app_someconfig');

//Get production configuration
$this-&amp;gt;createConfiguration('frontend', 'prod');
$prodValue = sfConfig::get('app_someconfig');
&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-1292301306744775552?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/QwhRN6zWRMI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/1292301306744775552/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/05/getting-configuration-values-from.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/1292301306744775552?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/1292301306744775552?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/QwhRN6zWRMI/getting-configuration-values-from.html" title="Getting Configuration Values From A Symfony Task" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/05/getting-configuration-values-from.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0ABSXwycSp7ImA9WhZXE0o.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-5475184042462371291</id><published>2011-05-02T13:30:00.000-07:00</published><updated>2011-05-02T14:29:18.299-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-02T14:29:18.299-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="C or C++ programming" /><category 
scheme="http://www.blogger.com/atom/ns#" term="information security" /><title>Basic Secure Coding Practices for C or C++</title><content type="html">These tips are not, I repeat, not intended to be a complete list of tips on writing secure code in C or C++. These are things that, I believe, should be practiced by anyone who writes programs in C or C++ no matter how low the security risk. I also believe that these same principles can be used in any programming language.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-size: large;"&gt;Use Comments Wisely&lt;/span&gt;&lt;br /&gt;
I had a professor who once said "it's better to over-comment and make sure that everyone understands why your code is the way it is than to not put comments and annoy everyone that has to read your code."&amp;nbsp;Use comments to help "document" what your code is actually doing. Open-source software is notorious for not having any comments in its code. Many would argue that good code will explain what is happening; I agree to an extent. The "whys" should be put in comments that explain why certain sections of code are the way they are.&lt;br /&gt;
&lt;br /&gt;
Obviously, over-commenting is just as bad since it clutters up the source code making things harder to read. Balance is needed to make comments useful.&lt;br /&gt;
&lt;br /&gt;
&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt;Heed the warning messages&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;When a compiler gives a warning message it's for a good reason. Compiler warnings typically deal with parts of your code's structure that could lead to problems with how your code is executed or how data is presented to your code for processing.&amp;nbsp;If you are using a compiler that has an option to turn all warnings on, you should do so.&amp;nbsp;Modify your code so that the warning message goes away; if at all possible don't simply do an explicit typecast (more on this in the next sections). If you have a compelling reason to leave your code in a way that makes the compiler give a warning, make sure to put a comment in your source as to why the warning can be ignored.&lt;/div&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-size: large;"&gt;Use the right data type for the data being handled&lt;/span&gt;&lt;br /&gt;
Don't use an int data type to store char data or a float when you are only dealing with whole numbers, and use the right data type for the range of values that your variable will be holding. Here's the deal: when you use a certain data type, that's memory being allocated for your application, and chances are this memory allocation is sandwiched between 2 code segments. At the minimum this is extra memory that you are using needlessly and could affect either your application's or the system's performance as a whole (think paging). In the worst case, that could be an area on the stack where an attacker could write executable code that they can come back to at a later time.&lt;br /&gt;
&lt;br /&gt;
Granted, most privilege escalations take advantage of being able to modify the code being executed because the application will write to memory locations past what it allocated; however, if you have a variable that uses up more space than the amount of data that you really care about, that's extra space for an attacker to use. I think it's worth pointing out that the early computer viruses didn't target buffer overruns; they appended themselves to executables. The virus code executed along with the original executable, unlike most of today's attack code, which leaves the executing application to crash when it's done.&lt;br /&gt;
&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-size: large;"&gt;Be wary of typecasts--especially implicit ones&lt;/span&gt;&lt;br /&gt;
Whenever you have to typecast from one data type to another you should check carefully what you're typecasting and why.&amp;nbsp;If you're using a method that either takes in or returns a certain data type, it would be best to find out why it takes or returns that data type. We are going for ease of readability here.&lt;br /&gt;
&lt;br /&gt;
Yes, I know that standard C functions like fgetc(), getc(), and getchar() return int when they really only deal with character data. Well, there was a time in Windows when getc() &lt;i&gt;can&lt;/i&gt;&amp;nbsp;be used to read strings that are 4 characters long. &amp;nbsp;It really irks me that C and C++ textbooks &lt;i&gt;still&lt;/i&gt;&amp;nbsp;provide examples where the return values of these functions are stored in an int variable. My point is, not just because the standards allow it--or even require it--doesn't make it any less correct. I've seen this lead to all sorts of confusion with people who first learn to program in the newer languages like Java or Python.&lt;br /&gt;
&lt;br /&gt;
If for some reason you are left with no recourse but to typecast, make sure to make it explicit. Just because int data can conveniently convert to char data doesn't mean you should just use implicit typecasting.&lt;br /&gt;
&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-size: large;"&gt;Use the right data structure methods&lt;/span&gt;&lt;br /&gt;
Understand when to use a&amp;nbsp;union, enum, or&amp;nbsp;struct to define your data type, and know the implications of each. Figure out what the data structure will be used for.&lt;br /&gt;
&lt;br /&gt;
Enums work great for defining "one of these things" items and they can be used in switch-case statements and assigned unique values relative to members in the enum definition.&lt;br /&gt;
&lt;br /&gt;
Unions work great for "can be a..." items; the amount of memory used is that of the biggest "member". However, you have to be careful not to inadvertently use the wrong member and inadvertently typecast the data (compiler warnings will not help here at all).&lt;br /&gt;
&lt;br /&gt;
Structures are probably the least confusing of them all. However, this bears repeating: make sure that all its members actually belong there. Don't simply create a struct type to save you from having to type 20 parameters to your functions; to be honest there's probably something really wrong with your design.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-5475184042462371291?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/IHKqwhZxl1w" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/5475184042462371291/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/05/basic-secure-coding-practices-for-c-or.html#comment-form" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/5475184042462371291?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/5475184042462371291?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/IHKqwhZxl1w/basic-secure-coding-practices-for-c-or.html" title="Basic Secure Coding Practices for C or C++" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>2</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/05/basic-secure-coding-practices-for-c-or.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;C0AMSX8zeip7ImA9WhZXE0o.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-142067604929389823</id><published>2011-04-22T10:58:00.000-07:00</published><updated>2011-05-02T14:29:48.182-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-02T14:29:48.182-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="opinions" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title>Information System Security: Is Too Much Focus Put on the Application Layer?</title><content type="html">Anyone who follows the tech world knows that information system security is now a big thing; to the point that companies like IBM are putting a lot of effort into promoting their security services, and start-ups are getting lots of funding and growing. Information system security is really nothing new, it's just that no one has paid attention to it until recently; and the focus seems to mostly be on securing the application. My question is: who will make sure that the attack vector will not come from the hardware layer?&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
I feel that it's a matter of time before someone will formulate a way to send a data packet where the network device driver will cause some sort of buffer overflow. Device drivers have the same privileges as the OS itself; get in that way and you already have all the privileges you could ever want. You are free to do whatever you want to do at that end.&lt;br /&gt;
&lt;br /&gt;
Maybe I just haven't seen it yet, so I thought I'd ask. Who's reviewing the device drivers and making sure that they're not vulnerable to the same vulnerabilities that browsers, PDF readers, web servers, and any other applications are plagued with? Granted, going this way is very hard; but I feel it's a matter of time. Sooner or later, privilege escalation by generating specially-crafted JavaScript code or JPEG, PDF, or MP3 files, whatever, becomes so easy that someone out there will look for a new way to one-up everyone else. I feel at that point the target will be the hardware itself. To be honest, we've seen it with the &lt;a href="http://en.wikipedia.org/wiki/Stuxnet"&gt;Stuxnet&lt;/a&gt; virus. This virus didn't only search for specific industrial hardware; it modified the PLC of its target hardware.&lt;br /&gt;
&lt;br /&gt;
A common thief will break into a home that they can break into easily; however, a&amp;nbsp;sophisticated&amp;nbsp;cat burglar will break into a museum. Currently, the easiest way to break into a system is through the software layer; however, I feel that sooner or later someone will figure out a way to formulate an attack using the hardware layer. I hope that the information security industry has a way to mitigate this when it happens.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-142067604929389823?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/9juOPH7iBGU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/142067604929389823/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/04/information-system-security-is-too-much.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/142067604929389823?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/142067604929389823?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/9juOPH7iBGU/information-system-security-is-too-much.html" title="Information System Security: Is Too Much Focus Put on the Application Layer?" 
/><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>1</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/04/information-system-security-is-too-much.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C08ER309cCp7ImA9WhZXE0o.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-2007843302282187131</id><published>2011-04-18T23:07:00.000-07:00</published><updated>2011-05-02T14:30:06.368-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-02T14:30:06.368-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="opinions" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><category scheme="http://www.blogger.com/atom/ns#" term="national strategy on trusted identities in cyberspace" /><title>National Strategy on Trusted Identities in Cyberspace: Questions I'd be Asking</title><content type="html">The heading on the home page of the &lt;a href="http://www.nist.gov/nstic/index.html"&gt;National Strategy on Trusted Identities in Cyberspace&lt;/a&gt; is "Making Online Transactions Safer, Faster, and More Private". When I heard of this, I got very curious, so I read the "Full NSTIC Strategy Document" (&lt;a href="http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf"&gt;PDF&lt;/a&gt;). The White House--under a newly formed bureaucracy under the Department of Commerce National Program Office--proposes to create an "Identity Ecosystem". The proposal is essentially a single sign-on system that will be run under a private-public organization. I'm not going to rehash anything already in the document, but I want to raise a few questions:&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-size: large;"&gt;How voluntary is voluntary?&lt;/span&gt;&lt;br /&gt;
This is the last paragraph of the section titled "Identity Solutions will be Privacy-Enhancing and Voluntary":&lt;br /&gt;
&lt;blockquote&gt;Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.&lt;/blockquote&gt;&lt;div&gt;As the document states, these are "guiding principles" and &lt;i&gt;not&lt;/i&gt;&amp;nbsp;requirements. In short, this "guideline" would require that websites that need to identify users have two methods of authentication: one based on the Identity Ecosystem, and a second one most likely based on how user authentication is done currently. I just see that at some point in the future website developers, and the internet community at large, will push for removal of the non-Identity Ecosystem mechanism altogether. So, sooner or later, using the Identity Ecosystem stops being voluntary and becomes mandatory.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-size: large;"&gt;Who controls all the data?&lt;/span&gt;&lt;/div&gt;This is from the first paragraph of the same section above:&lt;br /&gt;
&lt;div&gt;&lt;blockquote&gt;For example, consider a driver’s license: an individual can use a&amp;nbsp;driver’s license to open a bank account, board an airplane, or view an age-restricted movie at the cinema,&amp;nbsp;but the Department of Motor Vehicles does not know&amp;nbsp;every place that accepts driver’s licenses as identification. It is also difficult for the bank, the airport, and the&amp;nbsp;movie theater to collaborate and link the transactions&amp;nbsp;together. At the same time, there are aspects of these&amp;nbsp;offline transactions that are not privacy-protective.&amp;nbsp;The movie theater attendant who checks an individual’s driver’s license needs to know only that the individual is over age 17. But looking at the driver’s license reveals extraneous information, such as the individual’s address and full date of birth.&lt;/blockquote&gt;So in this example the state DMV is the identity and attribute provider, and the bank, airport, and movie theater are the service providers that wish to validate a user's identity. In our current ecosystem it's true that there's no way for the DMV to track where you have used your driver's license to identify yourself.&lt;br /&gt;
&lt;br /&gt;
Let's go back to some examples used as identity and attribute providers: bank, cell phone providers, and state DMV to name a few. Google, Amazon, Apple, Microsoft, Facebook, and Twitter would most likely become identity providers themselves. Google has gained the public's trust by being more open in how they collect and use the data. Facebook simply pushed the envelope on what they can get away with when it came to users' privacy. Apple wants to lock users into their hardware, and Microsoft wants to lock users into their software (I personally think the i4i lawsuit worked in Microsoft's favor in keeping users to their software, but I digress). Amazon will want to get to the point that you will not only buy the item you are really interested in, but also every item in the&amp;nbsp;"Customers Who Bought This Item Also Bought" list. You can only imagine what some identity providers will do with the information that they can gather whenever you want to authenticate yourself. This is not limited to identity providers; in fact, every participant in the Identity Ecosystem can collect information about a user based on who is requesting to authenticate and whom this person is using to authenticate themselves.&lt;br /&gt;
&lt;br /&gt;
&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt;What about the rest of the world?&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;As it stands, this is a US government initiative, and according to the NSTIC there are other countries making similar efforts. In the past year, we have witnessed social media's capabilities in helping overthrow oppressive&amp;nbsp;regimes. Just think about what happens if oppressive governments are the identity and attribute providers for these citizens. The police and military will know exactly who to target and where they are. Even worse, they would probably have used the identity of the revolutionary leaders to post information that would lead to squashing these rebellions.&lt;br /&gt;
&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;Would everyone in the Identity Ecosystem truly and completely trust all the attributes and identity provided? Who will determine which provider can be trusted and which can't, and when can they be trusted or ignored?&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: large;"&gt;Conclusion&lt;/span&gt;&lt;/div&gt;Is there a major issue with verifying whether a person providing login credentials to a website is who they really are? You bet there is. At the end of the day, there's no way to know if a person's login credential has been compromised until it's too late. However, I don't think this strategy is the correct solution. I feel that as it stands there are ways for users to produce unique and hard-to-guess passwords. There are already strategies to verify that a user registering to a website is who they claim they are if that's indeed critical. Would I join the Identity Ecosystem when it becomes available in 3 to 5 years? Not if it's implemented the way it's presented.&lt;br /&gt;
&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;The NSTIC is quite obviously still in its infancy. However, the White House is&amp;nbsp;aggressively&amp;nbsp;pushing for its implementation, and as such would mean that we will be seeing the Identity Ecosystem pretty soon. I just hope that these questions--which I feel are very basic--are answered in a convincing way when that time comes.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-2007843302282187131?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/BXd6-Jxk6TE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/2007843302282187131/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/04/national-strategy-on-trusted-identities.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/2007843302282187131?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/2007843302282187131?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/BXd6-Jxk6TE/national-strategy-on-trusted-identities.html" title="National Strategy on Trusted Identities in Cyberspace: Questions I'd be Asking" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/04/national-strategy-on-trusted-identities.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;C08BQng8eyp7ImA9WhZXE0o.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-205810972906997003</id><published>2011-04-11T15:53:00.001-07:00</published><updated>2011-05-02T14:30:53.673-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-02T14:30:53.673-07:00</app:edited><title>To Drawable or to Canvas draw</title><content type="html">So &lt;a href="https://market.android.com/details?id=info.homepluspower.nearbymetars"&gt;Nearby Metars 01.01&lt;/a&gt;--01.01.0.2 to be exact--is out the door. This release modifies the icons drawn from the shades of grey to the actual symbols used in the ADDS METAR graphic.&lt;a name='more'&gt;&lt;/a&gt;In working on this release, I had a choice to go between creating bitmap images or drawing the icon directly on the Canvas. I decided to go by drawing the icon directly on the Canvas using the Canvas::draw* functions.&lt;br /&gt;
&lt;br /&gt;
Most people will probably say that it would have been easier for me to just create a bunch of bitmaps, or Drawable resources. True, but I find it easier to simply use the Canvas::draw* functions to handle the resize issue as the user zooms in on the map view. Now, I'm considering keeping the icon size fixed regardless of zoom level just to help things look clean. If I end up doing that, then Drawable resources becomes viable.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-205810972906997003?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/qjNcldeoZg0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/205810972906997003/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/04/to-drawable-or-to-canvas-draw.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/205810972906997003?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/205810972906997003?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/qjNcldeoZg0/to-drawable-or-to-canvas-draw.html" title="To Drawable or to Canvas draw" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/04/to-drawable-or-to-canvas-draw.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;C04GR345fip7ImA9WhZXE0o.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-785965296969673304</id><published>2011-03-22T22:06:00.000-07:00</published><updated>2011-05-02T14:32:06.026-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-02T14:32:06.026-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="java" /><category scheme="http://www.blogger.com/atom/ns#" term="android" /><title>It's a Race... It's a Race.. It's a Force Close Race Condition</title><content type="html">In order for the rest of this post to make sense, you'll have to have the &lt;a href="https://github.com/keithmendozasr/NearbyMetars/tree/01.00.0.2"&gt;Nearby Metars source code&lt;/a&gt; handy; this source is for version 01.00.0.2, which this post is based on. If you're not familiar with the Android Map API, &lt;a href="http://code.google.com/android/add-ons/google-apis/reference/index.html"&gt;here's the API reference&lt;/a&gt;.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
Anyone who's worked in a&amp;nbsp;multi-threaded system has dreaded these two words: Race Condition. For the most part, this can be solved by locks or semaphores. However, what do you do when the race condition is caused by an API that you have to use? Where do you put the lock or the semaphore to protect the data? This is the&amp;nbsp;dilemma&amp;nbsp;I currently have with&amp;nbsp;&lt;a href="http://androidapp.homepluspower.info/NearbyMetars"&gt;Nearby Metars&lt;/a&gt;. I have to use the ItemizedOverlay class of the Android Map API to draw on the map an icon for the METAR conditions. Unfortunately, there is an instance where I can cause the application to force close while the map is being rendered on screen, and here's how:&lt;br /&gt;
&lt;br /&gt;
&lt;ol&gt;&lt;li&gt;Retrieve the METAR data for reporting points around the center of the map&lt;/li&gt;
&lt;li&gt;Pan the map to some location&lt;/li&gt;
&lt;li&gt;Repeat steps 1 and 2&lt;/li&gt;
&lt;li&gt;Repeat steps 1-3 as quickly as you can so that the map is always being rendered until you get to a location where there are fewer reporting points around than where you were on the map previously. This will eventually cause ItemizedOverlay::maskHelper() to encounter an ArrayIndexOutOfBoundsException.&lt;/li&gt;
&lt;/ol&gt;Granted, this is not how users will be using&amp;nbsp;&lt;a href="http://androidapp.homepluspower.info/NearbyMetars"&gt;Nearby Metars&lt;/a&gt;. Most users will wait for the METAR data to be retrieved, and select locations of interest and read the raw METAR text. In that case, the application is operating linearly for all intents and purposes.&lt;br /&gt;
&lt;br /&gt;
Here are the possible solutions to my problem: First, have a second array to store the newly retrieved METAR data; and then swap that in after the data has been parsed. Second, modify mOverlays to be a Map&amp;lt;&amp;gt; where the key is the station ID, and the value is MetarItem. Third, call ItemizedOverlay::populate() at the start and end of METAR data parsing.&lt;br /&gt;
&lt;br /&gt;
Having a second array to store the newly retrieved METAR data, and then swapping that in after the data has been parsed, means more memory used. If&amp;nbsp;&lt;a href="http://androidapp.homepluspower.info/NearbyMetars"&gt;Nearby Metars&lt;/a&gt;&amp;nbsp;starts to force close on devices because of memory issues, that'll be much harder to debug later on.&lt;br /&gt;
&lt;br /&gt;
Modifying mOverlays to be a Map&amp;lt;&amp;gt; where the key is the station ID and the value is a MetarItem object is something I've been thinking about. Aside from not having to worry about the list size shrinking, this will also add a feature to pan through a route of flight and then retrieve the METARS at random points. When the user zooms out, they can see what the weather is currently like along their route of flight. Then again, sooner or later the user will want to clear out all of the data to start all over again.&lt;br /&gt;
&lt;br /&gt;
Calling ItemizedOverlay::populate() at the start and end of METAR data parsing is possibly the most plausible. The&amp;nbsp;&lt;a href="http://developer.android.com/guide/tutorials/views/hello-mapview.html"&gt;"Hello, MapView" tutorial&lt;/a&gt;&amp;nbsp;calls ItemizedOverlay::populate() at the end of HelloItemizedOverlay::addOverlay(). However, just because they do it doesn't mean it's the right thing to do. According to the documentation for &lt;a href="http://code.google.com/android/add-ons/google-apis/reference/com/google/android/maps/ItemizedOverlay.html#size()"&gt;ItemizedOverlay::size()&lt;/a&gt; and &lt;a href="http://code.google.com/android/add-ons/google-apis/reference/com/google/android/maps/ItemizedOverlay.html#createItem(int)"&gt;ItemizedOverlay::createItem()&lt;/a&gt;,&amp;nbsp;these two functions are called &lt;i&gt;after&lt;/i&gt;&amp;nbsp;the ItemizedOverlay subclass calls populate(). So, in essence, while the METAR data is being parsed, as far as the Map API is concerned there are no overlays on the map. When the parsing is done, the Map can then redraw the new data. This is what I'm going with.&lt;br /&gt;
&lt;br /&gt;
I also filed an &lt;a href="http://code.google.com/p/android/issues/detail?id=15670"&gt;issue&lt;/a&gt;&amp;nbsp;about this on the &lt;a href="http://code.google.com/p/android/"&gt;Android project page&lt;/a&gt;&amp;nbsp;because in the end this is an issue with the Maps API. Poking around the issues, you'll see there are a number of issues about the documentation and the tutorial for the Maps API.&lt;br /&gt;
&lt;br /&gt;
Whether the solution I choose to implement will solve my issue is, at this point, anyone's guess. The fact that race conditions are very hard to replicate makes them hard to fix as well. Hopefully, the Android Map API gets fixed to protect itself from exceptions. Until then, it's up to the API users to protect their own application.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Update:&lt;/b&gt;&lt;br /&gt;
After writing this post, I implemented the changes that I said I would do. During my testing, the force close happened again. After reviewing the output of "adb bugreport" it appears that this force close happened after tapping on one of the reporting points. That throws out the theory that the issue is with the change to the size of MetarList::mOverlay. Guess we'll just have to wait on Google.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-785965296969673304?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/xcUi2DquiaU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/785965296969673304/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/03/its-race-its-race-its-force-close-race.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/785965296969673304?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/785965296969673304?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/xcUi2DquiaU/its-race-its-race-its-force-close-race.html" title="It's a Race... It's a Race.. 
It's a Force Close Race Condition" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/03/its-race-its-race-its-force-close-race.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C04NRX48cCp7ImA9WhZXE0o.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-3855646679570273352</id><published>2011-03-16T11:26:00.000-07:00</published><updated>2011-05-02T14:33:14.078-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-02T14:33:14.078-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Nearby Metars" /><category scheme="http://www.blogger.com/atom/ns#" term="android" /><title>My First Android App on Market</title><content type="html">Yes, that's right. I finally bit the bullet, gave Google $25 and published &lt;a href="http://androidapp.homepluspower.info/NearbyMetars"&gt;Nearby Metars&lt;/a&gt;. Here's what the application does:&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;blockquote&gt;Nearby Metars retrieves METAR data from reporting locations within a 50 nautical mile radius of your current location.&lt;/blockquote&gt;The application is still in its infancy, but the functionalities that I want are already there. In the process of developing this app, I learned to use the Android Maps API; it's a nifty, straightforward API with enough support for common Map operations (i.e. putting markers at certain locations, and having those markers respond to user taps).&lt;br /&gt;
&lt;br /&gt;
The app is pretty straight-forward: fire it up, wait for the phone to figure out where it is, download the latest METAR data from &lt;a href="http://www.weather.aero/"&gt;ADDS&lt;/a&gt;, and display the largest cloud coverage condition over the airport. You can also pan the map and request METAR data for airports within 50 miles of the center of the map.&lt;br /&gt;
&lt;br /&gt;
There are a few things that I have planned for future versions of this app, in particular:&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Provide TAF data with the METAR. Possibly animate the TAF data to "visualize" cloud development&lt;/li&gt;
&lt;li&gt;Provide the wind bars with the cloud display&lt;/li&gt;
&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-3855646679570273352?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/CFR9DO1IsCg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/3855646679570273352/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/03/my-first-android-app-on-market.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/3855646679570273352?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/3855646679570273352?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/CFR9DO1IsCg/my-first-android-app-on-market.html" title="My First Android App on Market" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/03/my-first-android-app-on-market.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D04HQHw5fCp7ImA9Wx9aEEU.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-2269483430869499324</id><published>2011-03-02T09:12:00.000-08:00</published><updated>2011-03-02T09:12:11.224-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-03-02T09:12:11.224-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="java" /><category scheme="http://www.blogger.com/atom/ns#" term="flight check list" 
/><category scheme="http://www.blogger.com/atom/ns#" term="android" /><title>Flight Checklist for Android</title><content type="html">Ever since I got my first Android phone--the G1--I've been wanting to write applications geared towards GA pilots. Well, 2 years later I finally got it going. No, it didn't take me 2 years to learn the Android API--that I've known even before the first Android-based phone was announced. What took me awhile was time to sit down and figure out what exactly to do. So, finally, &lt;a href="https://github.com/keithmendozasr/FlightCheckList/wiki"&gt;Flight Checklist&lt;/a&gt; was born. As the name suggests, it's a checklist geared for pilots. The app is still in it's gestational stage, and you can find the latest version &lt;a href="https://github.com/keithmendozasr/FlightCheckList/downloads"&gt;here&lt;/a&gt;. This is still in Alpha stage, so you are on your own if you use it. Go to the &lt;a href="https://github.com/keithmendozasr/FlightCheckList/wiki"&gt;Flight Checklist wiki&lt;/a&gt; for more information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-2269483430869499324?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/9g2jer-BGC4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/2269483430869499324/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/03/flight-checklist-for-android.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/2269483430869499324?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/2269483430869499324?v=2" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/9g2jer-BGC4/flight-checklist-for-android.html" title="Flight Checklist for Android" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/03/flight-checklist-for-android.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUUDQHYycCp7ImA9Wx9WEk8.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-5110583127353325795</id><published>2011-01-16T16:14:00.000-08:00</published><updated>2011-01-16T16:14:31.898-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-01-16T16:14:31.898-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="parenting" /><title>The Superior Father</title><content type="html">In the past few days, there has been a "debate" raging between whose the better mother: the &lt;a href="http://online.wsj.com/article/SB10001424052748704111504576059713528698754.html?mod=WSJ_hp_mostpop_read"&gt;Chinese/Asian&lt;/a&gt; &amp;nbsp;or the &lt;a href="http://techcrunch.com/2011/01/14/american-mothers-superior/"&gt;American/Western&lt;/a&gt; one? After reading the articles, I came to the conclusion that it's an issue of parenting style. Since I'm a dad, I'm going to say the father who can meld both parenting styles is the best. I'll call it the "Pacific Ocean" parenting model.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Before we move on, let me address the dads. Our society has painted us as a bunch of Homer Simpsons; that we are a bunch of clueless buffoons who simply work all day and slog around the house and are generally useless. You already worked all day, why do you have to deal with the kids too? Except you now put your wife--that you worked so hard to convince that she should have children with you--in a position she shouldn't have been in in the first place. God didn't design them to be the one in charge of the house, God designed them to help you out. They are not second-class citizens, they are designed to help you out. This doesn't mean you're the boss and they're the worker. No! Their job is to be your partner. Most dads have watched some form of cop show (or at a minimum have read a detective story or two) in their lives. Do you know why cops usually have a partner? To make sure someone can drag them out of the line of fire if they get shot at.&amp;nbsp;Now picture you and your wife as the cops, and your kids as the bad guys. I'm not saying that your kids are bad, I'm just drawing an analogy here. Here's my challenge to my fellow dads: Do your job and help your wife raise kids in the "Pacific Ocean" parenting model.&lt;br /&gt;
&lt;br /&gt;
With that out of the way, let's now go back to the original topic here: the parenting style. As I stated, I believe the "Pacific Ocean" model is best. This is the premise of this model:&amp;nbsp;Believe that your child was created by God to be an individual who is capable of self-control and of managing his relationship with God and others (this one I actually got from Danny Silk's "Loving Our Children on Purpose" series). That they are capable of being the best at what they choose if they are willing to put the work into it, and to lavishly praise their accomplishments. Now that I've dropped a heavy bomb on your head, shake yourself from the shock and hear me out.&lt;br /&gt;
&lt;br /&gt;
My wife and I always give our son choices. Yes, that's right, we let him choose. Here's an example scenario:&lt;br /&gt;
&lt;br /&gt;
I ask my son "do you want to have dinner, or sit in your room? You choose or I choose."&lt;br /&gt;
&lt;br /&gt;
He answered "No, I just want to play with my cars." He didn't choose from the four choices we gave him, he actually told us what he wants to do. Granted I would have preferred "can I play with my cars instead?" but in this scenario that wasn't the underlying issue. The issue was really more a disobedience issue.&lt;br /&gt;
&lt;br /&gt;
"Okay, you may play; but when mommy and daddy finishes eating dinner time is over and we're taking away your food."&lt;br /&gt;
&lt;br /&gt;
"Okay"&lt;br /&gt;
&lt;br /&gt;
At about half-way through our meal my wife said "are you ready to have dinner yet? Mommy and daddy are almost done."&lt;br /&gt;
&lt;br /&gt;
"I just want to play"&lt;br /&gt;
&lt;br /&gt;
Before I took my last bite I said "I'm about to take my last bite, are you sure you don't want to eat?"&lt;br /&gt;
&lt;br /&gt;
"No, I want to play."&lt;br /&gt;
&lt;br /&gt;
I took my last bite, and I started stacking the dishes to carry to the kitchen and I have my son's plate at the top of the stack. At this point, my son got up and ran to the dining table, sits down and says "I'm ready to eat...hey, that's my food."&lt;br /&gt;
&lt;br /&gt;
To which I reply "sorry bud, but you missed dinner time. We called you a couple of times and you chose to play instead of join us for dinner. So now no dinner"&lt;br /&gt;
&lt;br /&gt;
He responded, "but I'm ready to eat now." I just repeated what I just told him. &amp;nbsp;His last words were a slow "aw" and with a sullen look he left the dining table and went back to his toys.&lt;br /&gt;
&lt;br /&gt;
Did he get dinner? No. Did he ask for food that night? No. Would we have given him something if he said he was hungry? Yes. In fact he didn't ask for food the next morning, but he was quick to get to the breakfast table. More&amp;nbsp;importantly, he's never had to be told twice that it's meal time.&amp;nbsp;I could have grabbed him from the floor and forced him to sit in his chair to have dinner with us. Anyone who has seen a child forced to do something they don't want can figure out what the next scene would have been.&lt;br /&gt;
&lt;br /&gt;
A few things that I want to point out in this picture. First off, we set up the environment for him on the choices he gets to make. It's always about getting him to do what we want by either giving him two ways to accomplish the same thing or giving him an option with a consequence that he fully understands and doesn't want. Second, we have established that he is in a relationship with his parents. Hence why he replied by giving an alternative option. Third, when he made a choice he was allowed to be fully responsible for it. There was no out, there was no begging and pleading on either my or my wife's part. He chose not to join us for dinner, so he doesn't get dinner.&lt;br /&gt;
&lt;br /&gt;
As you see, my son is still allowed to do what he wants to do but as his parents we still control where he gets to do it and what the consequences are. This is one example of teaching our child to have self-control. We let him control his destiny based on the choices he makes and to see the consequences of his actions.&lt;br /&gt;
&lt;br /&gt;
So, what does believing that they are capable of being the best, and lavishly praising them for it, look like? In short, if your child says they want to do something let them try it but at the same time don't let them just quit. They can take a break, but never let them forget about it. This is the biggest confidence booster they'll ever get. Knowing that at the end of the day no one will accomplish things for them, they'll have to be responsible for their own accomplishments.&lt;br /&gt;
&lt;br /&gt;
Here's a scene from a few days ago when I took my son to the park. In this particular park, the jungle gym has steps for the toddlers and a ladder that is clearly designed for the bigger kids (the steps are just spaced wide apart). For the longest time, my son would try to climb the ladder and give up because he can't get his feet to reach the next step. So he'd use the "stairs" to get to the slide. Well last week, he finally managed to get up on the ladder until he got to the top. His problem was finding something to hold on to as he put his foot at the top of the ladder. He wanted me to get him off, but I said "You can either figure out how you're going to get up there, or I can show you how to get up there." He stood there trying to see how he can get his foot up without toppling backwards. He would try to reach his leg up, then take one hand off the last step to see if he can grab onto the platform. After about a minute he said he wanted to get down. I reminded him that he made it all the way to the top and he just needed to get to the platform. He tried again a few times, then he said "can you show me how to get all the way to the top?" So, I told him that he'll have to take one hand off and reach for the handle on the side, then take his other hand out then he'll be able to move his feet up. After about 3 minutes, he finally made it to the top. I was cheering him and he was very happy. Did he try climbing the ladder again? No, but he wanted to try to go down on that spiral thing. I know he won't be able to reach, so I told him that if he can reach over then he can slide down on it. I saw the look on his face that he's ready to go for that next time.&lt;br /&gt;
&lt;br /&gt;
Granted that at this age, we pretty much have a lot of say on what he can and cannot do. However, when he gets to the age that he can go on sleepovers, play sports, or other&amp;nbsp;extracurricular&amp;nbsp;activities my hope is this: that we have taught him enough that he can decide for himself whether what he wants to do is good--not only for him--but to everyone in the family. For example if he choose to play sports, will he commit to do the work so that he becomes good at it so that the time and effort that he and his family will commit to it will not be in vain. Will I expect nothing less than be on the fast track to pro football? No. However, I will expect him to commit to doing the best he can at it; that&amp;nbsp;quitting&amp;nbsp;because you failed will not be acceptable.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-5110583127353325795?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/0v5Fo60dVPE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/5110583127353325795/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/01/superior-father.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/5110583127353325795?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/5110583127353325795?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/0v5Fo60dVPE/superior-father.html" title="The Superior Father" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" 
height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/01/superior-father.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0EGR3k8eyp7ImA9Wx9WEUg.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-723214125584764110</id><published>2011-01-15T15:07:00.000-08:00</published><updated>2011-01-15T20:20:26.773-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-01-15T20:20:26.773-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="family trip" /><category scheme="http://www.blogger.com/atom/ns#" term="travelocity misadventure" /><title>Travelocity misadventure (part 3): US Airways Saves the Day</title><content type="html">Now I'm a happy person, not because of Travelocity, but because of US Airways. Sometime last week, I went to&amp;nbsp;&lt;a href="http://usairways.com/feedback"&gt;usairways.com/feedback&lt;/a&gt;&amp;nbsp;just to see if they are willing help out.&amp;nbsp;Since it wasn't their fault I wasn't expecting them to do anything at all.&amp;nbsp;In the first email I got back from their customer service department, they said that they couldn't get to my blog with the links I gave them. So, I sent them the links again, and I included most of&amp;nbsp;&lt;a href="http://www.homepluspower.info/2011/01/travelocity-misadventure.html"&gt;part 1&lt;/a&gt;. The&amp;nbsp;rep's reply was that since it's Travelocity's fault there's not much they are able to do from their end. No harm, no foul; I wasn't expecting them to shoulder someone else's fault--then I get a call from them about an hour ago.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
The customer representative I talked to said she did some more looking into what happened and she understands our frustration with Travelocity. She first told me that since Travelocity gave us the wrong information that she's going to go ahead and waive the rebooking fee. I'm a happy clam at this point since they are honoring what we were told by Travelocity. Then she asked if I think we can actually use the ticket by May. I tell her that's why my wife was trying to get us new flights by the end of February because that's the last time she'll be able to travel by air before we have the baby. She said, "I did see that, that's why I'm asking". She then told me that she'll just give us travel vouchers for the full amount of the original ticket so we don't have to worry about having to go somewhere before May.&lt;br /&gt;
&lt;br /&gt;
That's customer service. US Airways did what Travelocity should have done, but won't. We were given wrong information, and they honored what we were told. They could have left it at "sorry, but it's Travelocity's fault and we didn't even know this happened". Instead, they not only tried to fix the situation, they made it more convenient for me.&lt;br /&gt;
&lt;br /&gt;
Thank you US Airways.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-723214125584764110?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/7hQu5dofTqs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/723214125584764110/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/01/travelocity-misadventure-part-3-us.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/723214125584764110?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/723214125584764110?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/7hQu5dofTqs/travelocity-misadventure-part-3-us.html" title="Travelocity misadventure (part 3): US Airways Saves the Day" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/01/travelocity-misadventure-part-3-us.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEQNQXY8eSp7ImA9Wx9WEEk.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-3176489779195069623</id><published>2011-01-05T18:31:00.000-08:00</published><updated>2011-01-14T13:59:50.871-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-01-14T13:59:50.871-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="family trip" /><category 
scheme="http://www.blogger.com/atom/ns#" term="travelocity misadventure" /><title>Travelocity misadventure (part 2): We'll give you $100 so you can spend $900</title><content type="html">In my first "Travelocity misadventure" &lt;a href="http://www.homepluspower.info/2011/01/travelocity-misadventure.html"&gt;post&lt;/a&gt;&amp;nbsp;I shared how Travelocity is putting us &lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;span class="Apple-style-span" style="color: #222222; line-height: 18px;"&gt;$1,073.30&lt;/span&gt;&lt;/span&gt;&amp;nbsp;dollars short. After I posted the link to my last post on Twitter, Travelocity's public relations guy posted a comment giving me his email address. I have since contacted Joel Frey who forwarded my email to their "Executive Resolutions Team". This is Posie Brown's email:&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse;"&gt;Dear Mr. Mendoza&lt;/span&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;We are sorry to hear about the problems you encountered with our customer service department and regret that your recent experience did not meet your expectations. I’ve completed our investigation of your issue and, again, we apologize for any incorrect information you received from our agents and the amount of time you were on hold. The reissue policies our agent provided are not Travelocity policies - they are the airline’s policies and per the Federal Aviation Administration &amp;nbsp;we must adhere to all carrier policies and procedures. &amp;nbsp;The agent who provided the incorrect information unfortunately did not document the reservation accordingly as per our policy. Due to our call volumes, it is not possible for us to record every phone call.&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Although Travelocity was the ticketing travel agency all monies collected for the tickets in question were paid directly to US Airways, as noted on your credit card statement. Our records indicate that you purchased three tickets and per carrier policy each ticket was billed separately. In reference to the dispute you filed with your credit card company since Travelocity is not the merchant and did not receive the funds we are not involved in that process and any contact would be made by the airline.&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: inherit;"&gt;Mr. Mendoza, please be assured that the situation you experienced is not typical of our usual performance. 
We want to continue being your online travel provider and we are confident we can do a better job for you in the future. We would like to offer you a $100.00 Future Trip Discount which can be used towards your next Vacation Package or Good Buy Hotel reservation. &amp;nbsp;You will receive an email with the discount usage details. We value you as our customer and we hope you will give us another opportunity to be your online travel provider. Thank you for choosing Travelocity.&lt;/span&gt;&lt;/blockquote&gt;This is the reply that I sent to Posie Brown:&lt;br /&gt;
&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse;"&gt;Ms. Brown,&lt;/span&gt;&lt;/blockquote&gt;&lt;span class="Apple-style-span"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;blockquote&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse;"&gt;According to your email, you admit that it's&amp;nbsp;your&amp;nbsp;agent that provided the incorrect information. I understand that the reissue policy is not a Travelocity policy, but an airline policy. However, the transaction is between Travelocity and me; not between me and the airline. Forget the awfully long hold line, this is a matter of someone in your organization providing the wrong information and holding me--the customer--accountable to it. I have dealt with traditional travel agents before--long before e-commerce was a household concept--and those travel agents always advice that they be called if there are any issues.&lt;/span&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span"&gt;I understand the fact that it is US Airways who billed my credit card; however, I wasn't dealing with US Airways. My wife was on your website, and talking to your customer support representatives, and now I'm dealing with you.&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span"&gt;You mentioned that it is FAA regulations that requires you to adhere to airline policy. Could you please provide to me where in the FAR that is? I just looked through the FAR online and I can't find any section that might indicate regulations from the FAA to handle business operations.&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span"&gt;I also find it pathetic that you are providing me a $100.00 discount that can only be used for Vacation Package offering. I do not see this as coming close to being a good faith effort to regain my business with your company.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;
&lt;blockquote&gt;&lt;span class="Apple-style-span"&gt;I hope that this ends in a favorable light for both Travelocity and I.&lt;/span&gt;&amp;nbsp;&lt;/blockquote&gt;Travelocity is just getting ridiculous by the minute. If you go to a grocery store and buy something and you return it, the grocery store gives you your money back. Posie Brown already admitted that their agent provided incorrect information, but no, they're not going to be held responsible for it.&lt;br /&gt;
&lt;br /&gt;
The best she can do is $100 for a "Vacation Package" that runs about $700 per person? So let's calculate this: They already cost us $1073 for their mistake. Then they want me to spend about $2100 before taxes and fees so I can use their $100 voucher. So, let's assume that the package is with US Airways and they can manage to book this so that we get to use our US Airways credits--and I mean all of it. I'm still going to be responsible for shelling out at least $927 (as I stated earlier I haven't counted any taxes and fees). Seriously, they want me to spend another $927 because of their mistake? You've got to be kidding me.&lt;br /&gt;
&lt;br /&gt;
Posie Brown also stated in her email that this is FAA regulation. I just pulled this out of the FAA's &lt;a href="http://www.faa.gov/about/mission/"&gt;Mission page&lt;/a&gt;:&lt;br /&gt;
&lt;blockquote&gt;Our continuing mission is to provide the safest, most efficient aerospace system in the world.&lt;/blockquote&gt;Most pilots will say that the FAA's mission is "we're not happy until you're not happy" but that's another story. The FAA's responsibility is to manage the aerospace system. They regulate the aircraft, pilots, mechanics, crew, air traffic controllers, airspaces, and airports. They could care less about how airlines sell their tickets.&amp;nbsp;If she took a few minutes to see my picture on my Twitter account, then maybe she wouldn't have mentioned the FAA.&lt;br /&gt;
&lt;br /&gt;
I'll post more as my "Travelocity misadventure" continues.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Update January 14, 2011&lt;/b&gt;&lt;br /&gt;
It has been 2 weeks since I last heard from Posie Brown. I decided to call her and she stated that their PR department had advised them not to contact me further regarding this matter because of my blog post. Okay, they want to play dirty; I can play that game too. I told her that if they don't want to resolve this then I'll be forced to take legal action.&lt;br /&gt;
&lt;br /&gt;
I wonder what kind of PR person they have over there. I didn't get any attempt from them at resolving this situation until I posted on my blog. Then they offer a pathetic take-it-or-leave it? I think that whole company needs to go back to school and take up PR 101 all over again.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-3176489779195069623?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/I19WtkjQAMU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/3176489779195069623/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/01/travelocity-misadventure-part-2-well.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/3176489779195069623?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/3176489779195069623?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/I19WtkjQAMU/travelocity-misadventure-part-2-well.html" title="Travelocity misadventure (part 2): We'll give you $100 so you can spend $900" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/01/travelocity-misadventure-part-2-well.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;AkAAQXg5fCp7ImA9Wx9XE04.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-115462392223330524</id><published>2011-01-03T16:22:00.000-08:00</published><updated>2011-01-06T10:32:20.624-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-01-06T10:32:20.624-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="customer service" /><category scheme="http://www.blogger.com/atom/ns#" term="family trip" /><category scheme="http://www.blogger.com/atom/ns#" term="travelocity misadventure" /><title>Travelocity misadventure</title><content type="html">This post is about my wife's dealing with Travelocity's bad customer service and how they tried to steal $1,073.30 from us. If you or someone you know buys airline tickets from &lt;a href="http://www.travelocity.com/"&gt;Travelocity&lt;/a&gt;&amp;nbsp;and may have to rebook a flight, read on.&lt;br /&gt;
&lt;br /&gt;
My wife originally bought 3 tickets on May 18, 2009 from Travelocity to Kansas City for us to attend her best friend's wedding in June. Unfortunately, the wedding was cancelled so we didn't need the plane tickets anymore. My wife called Travelocity to see if there's any way we can use the money we spent on another flight--either to Kansas City at a later time or to another destination, but we would be charged a re-booking fee . She was told by the Travelocity customer representative that she&amp;nbsp;would be given credits that she can use for both the airline ticket, and the re-booking fee if the new tickets are less than the original tickets. She was told that the credit can only be used by the same people on the original purchase. We were okay with that because we planned to just get cheaper tickets and cover the re-booking fee entirely with the credit, if we had known otherwise we may have not cancelled the tickets. Travelocity also told her that she would get an email confirmation, which she never got.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
She called Travelocity today (January 3, 2010) to use the credits to fly to San Francisco on the last weekend of February&amp;nbsp;(She's pregnant with our second son, and this would be the last weekend of her 2nd trimester). This is where all the trouble began. It took an hour from when she got on the phone to call Travelocity to book the flight only for the customer representative to tell her that the credits can only be used on the same airline where the tickets were originally purchased. Okay fine, then let's get a US Airways flight then, no big deal. Then, the Travelocity rep tells her that the credits cannot be used on the rebooking fee.&lt;br /&gt;
&lt;br /&gt;
She explains to the representative that she was originally told that she could use the remaining credit for the rebooking fee. When the representative said he couldn't do that, she asked to speak to his manager. She&amp;nbsp;got transferred to a supervisor, not a manager. The supervisor took another half an hour to check on the same thing the other guy told her only to tell her again that she could not use the credits for the rebooking fee. She told the supervisor what she was told back in May. The supervisor said he was sorry but he could transfer her to US Airways if she wanted to. She said no because it is not a US Airways problem but Travelocity’s problem in mis-communicating what could be done. She asked to talk to his manager and he said he was not available but he transferred her to a US supervisor. Before transferring her, the customer rep asked if he can have someone call her back. My wife said no, so her call got transferred.&lt;br /&gt;
&lt;br /&gt;
Finally, she is talking to someone in the US that she can understand what she said. She talked to the supervisor and she had her wait for another half an hour only to tell her the same thing the previous 2 other people did. She did say Travelocity could waive their $30 a ticket fee but that would still leave us with $150 rebooking fee per ticket (with 3 tickets to $450). Of course, my wife said no. My wife asked if she can pull the records from her call back in May and she was told that she can't because it's too old.&lt;br /&gt;
&lt;br /&gt;
Hold on a minute, they can't pull the old records because it's too old? So they're telling me that a company as big as Travelocity has no way to keep customer notes on the CRM from 6 months ago? My first job out of college was doing IT for a small company and we had to port the CRM system from MS Access to VB and MSSQL because we needed to keep &lt;i&gt;all&lt;/i&gt;&amp;nbsp;customer information regardless of how old the information is.&lt;br /&gt;
&lt;br /&gt;
Back to the story. She told the Travelocity supervisor that she won't accept paying for the rebooking fee because the Travelocity representative told her back in May that she can use the credit for this, and now Travelocity won't do it. Then the supervisor tells her that according to their records the person she talked to back in May did not tell her this.&lt;br /&gt;
&lt;br /&gt;
Wait a second. So first the Travelocity supervisor tells my wife there's no record of the conversation going that far back; but, there's a record that the representative she talked to back in May &lt;i&gt;did not&lt;/i&gt;&amp;nbsp;tell her this. If the supervisor told my wife that the older records just came up it would have been more believable. Except, that's not what she did. So strike 2 against Travelocity.&lt;br /&gt;
&lt;br /&gt;
At this point my wife knows she's not getting anywhere with this person. So she asked to either speak to whoever is the supervisor's boss or she'll just go to court to get our money back. The supervisor told my wife that she can have her boss call us back, my wife asked to speak to her boss now. At the end of the conversation the supervisor became very rude and won't let my wife talk. She took my wife's phone number for her boss to call us back. My wife said she wants to hear from them by 5PM Eastern today.&lt;br /&gt;
&lt;br /&gt;
After my wife got off the phone with Travelocity I went to Google to search for travelocity rebooking issues and found this forum post:&amp;nbsp;&lt;a href="http://www.flyertalk.com/forum/online-travel-booking-bidding-agencies/642496-problems-travelocity.html"&gt;http://www.flyertalk.com/forum/online-travel-booking-bidding-agencies/642496-problems-travelocity.html&lt;/a&gt;. I basically stopped after the posts on the first page where someone suggests giving the credit card company a call to see if the CC company would cut the original poster some slack. My wife asked for the link and she went looking further; and she actually found the post where the person said that he called his card company and the card company took the charge from Travelocity off of his bill.&lt;br /&gt;
&lt;br /&gt;
My wife decided to call US Airways to see if there's anything US Airways can do because Travelocity is claiming that not being able to use credits is a US Airways policy. Let me note that my wife was sure that US Airways can't do anything since they never dealt with us, but it never hurts to try. The US Airways representative told her that it is US Airways' policy &lt;i&gt;not&lt;/i&gt;&amp;nbsp;to allow using credits for the rebooking fee. The US Airways representative also told my wife that we actually have a credit with them; and if she wanted to she can get us our plane tickets. However, we're still responsible for the rebooking fee. My wife said that's fine, and since she knows it's not US Airways' fault she didn't go any further and left the conversation at that. She decided to not book anything because Travelocity had lied to her. Let me point out that her time on the phone with US Airways took 5 minutes.&lt;br /&gt;
&lt;br /&gt;
After talking with US Airways my wife called American Express. The representative she talked to said that since it's past 90 days he cannot reverse the charge. My wife explained what happened between her and Travelocity. This was when the Amex representative said he can put a temporary credit while they&amp;nbsp;investigate&amp;nbsp;further. The representative gave my wife 3 case numbers. Yes 3 case numbers, because Travelocity charged the 3 tickets we bought back in May as 3 separate charges. The Amex rep told my wife that she should hear from them within 6-8 weeks on whether we get our money back or not.&lt;br /&gt;
&lt;br /&gt;
As of 7PM Eastern today we still haven't heard from Travelocity. We have our money--at least temporarily--back from Amex.&lt;br /&gt;
&lt;br /&gt;
My wife and I have decided that if we ever need to fly commercial again, we're going directly to the airline's website. Actually, we've decided that we're just going to fly Southwest whenever we can. Sure, they're not always the cheapest but hey, all I can say is their pilots are nice people. If you ever fly a small plane out of John Wayne, you make way for the big jets. Southwest pilots are the only ones who've ever offered to wait 5 minutes at the end of the runway after they have landed to let us little guys taxi past them before they start taxiing to their gate. America West on the other hand tried to run me over twice.&lt;br /&gt;
&lt;br /&gt;
Update: See &lt;a href="http://www.homepluspower.info/2011/01/travelocity-misadventure-part-2-well.html"&gt;part 2&lt;/a&gt; of this story.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-115462392223330524?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/gx0LZilX5Ew" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/115462392223330524/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2011/01/travelocity-misadventure.html#comment-form" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/115462392223330524?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/115462392223330524?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/gx0LZilX5Ew/travelocity-misadventure.html" title="Travelocity misadventure" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>2</thr:total><feedburner:origLink>http://www.homepluspower.info/2011/01/travelocity-misadventure.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkcGRH8_eyp7ImA9Wx9aFUw.&quot;"><id>tag:blogger.com,1999:blog-4525212734696525632.post-2203077970403158875</id><published>2010-12-30T23:50:00.000-08:00</published><updated>2011-03-07T09:13:45.143-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-03-07T09:13:45.143-08:00</app:edited><category 
scheme="http://www.blogger.com/atom/ns#" term="family trip" /><category scheme="http://www.blogger.com/atom/ns#" term="Flying Adventures" /><title>30 minutes by air 2 hours by land (if you obey the posted speed limits that is)</title><content type="html">The destination:&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&amp;nbsp;&lt;a href="http://cabazondinosaurs.com/"&gt;"World's Biggest Dinosaur"&lt;/a&gt;.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
The mode of&amp;nbsp;transportation:&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.diamondaircraft.com/aircraft/da40_cs/index.php"&gt;Diamond DA40&lt;/a&gt;&amp;nbsp;aircraft.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
The family:&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Carysa: the wife.&lt;/li&gt;
&lt;li&gt;Junior: the big brother who, because of his friends' families, has come to the conclusion that all oldest siblings are &lt;i&gt;always&lt;/i&gt;&amp;nbsp;big sisters.&lt;/li&gt;
&lt;li&gt;Me: The husband/father/private pilot/software engineer writing this post&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
Let's start from the very beginning. The original plan for this trip was to get to the airport at 9:00AM so I can get the plane from &lt;a href="http://www.sunriseaviation.com/"&gt;Sunrise Aviation&lt;/a&gt;, take off from &lt;a href="http://www.airnav.com/airport/KSNA"&gt;John Wayne Airport&lt;/a&gt;&amp;nbsp;(yes, I mix it up with the big jets out there; and yes, the myths are true, Southwest pilots are some of the kindest out there. If I go on commercial flight and I have my way I'll always take Southwest)&amp;nbsp;at around 9:30AM, get to &lt;a href="http://airnav.com/airport/kbng"&gt;Banning Municipal airport&lt;/a&gt; at 10:00AM, get a cab to the dinosaur place, look around, get lunch, possibly look at the outlet mall nearby. Get back to KBNG at 3:30 for a 4:00PM departure and be back at John Wayne Airport by 4:30PM. That was the plan.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
Now, for the story of how the plan didn't come to fruition. We left the house 15 minutes late, to get breakfast at the newly opened Aliso Viejo location of "Bagels and Brew." We left the place 10 minutes before 9. A lead-footed driver on a V8-powered SUV can only be held back by the engine governor. I manage to get us to John Wayne at 5 after the hour. We drive to the ramp where N202LS is parked. Go through the usual pre-flight routine while Carysa attempts to pack Junior and our things in the airplane; after which I pack Junior's car seat. With all the pre-flight checking, baggage loading, and passenger boarding complete, I sit in my spot on the left-front seat. I grab the handle to move the rudder&amp;nbsp;pedals&amp;nbsp;forward (until this day, I was under the impression that I'm the shortest pilot to fly that particular aircraft) and I see the length of the cable come out, which in a DA40 is the classic sign that cable has broken loose from the pedal lock. Given that the pedal is as close to the seat as it'll go, my thighs are now in a position where the control stick will not move all the way left and right--as pilot-in-command I was forced to ground the aircraft. With the family and cargo unloaded from the aircraft, this trip has gone from an airplane trip to a road trip.&lt;br /&gt;
&lt;br /&gt;
Now, for the rest of the trip. We get to the dinosaur museum after driving for 2 hours; Junior actually stayed in the car without going nuts from boredom. It sounded like he actually enjoyed the car ride. A minor misunderstanding between me and the road sign caused us to have to make a U-turn. This U-turn put us in a direction where we were facing upwind, and it showed how strong the wind was blowing along Banning pass. The car was showing signs of struggling to accelerate back to speed. When we got out of the car is when I felt how strong the wind was--and how cold it was. I told Carysa, "if we actually flew here, we would have ended up landing at Palm Spring Airport since there would have been no way I would be attempting a landing at this strong a wind."&lt;br /&gt;
&lt;br /&gt;
Junior has a blast digging for rocks at their "dig site", and panning for stones and fossils in the panning area. What kid doesn't enjoy actually being allowed to get dirty and wet. He enjoyed looking at the dinosaur models that they have; however, he didn't quite enjoy the robotic dinosaurs at first--then he got over it. This was followed by a late lunch at "Wheeler Inn" across the parking lot from the dinosaur museum.&lt;br /&gt;
&lt;br /&gt;
We drove over to "Hadley Fruit Orchard" about a mile west of where we were. Carysa went inside the store, while Junior and I stayed in the car. The intention was for Junior to hopefully take a nap--or at least have quiet time. Junior sang "God has a Plan for Me" from the Joyland Christmas play. After the fruit orchard we headed further west to the outlet mall.&lt;br /&gt;
&lt;br /&gt;
This "leg" of the trip was more for Carysa than Junior and I. Junior actually asked for a "blanket" to be draped over his stroller because he wanted to go to sleep. He was out for a good hour until it was time to drive home. We left the outlet mall at about 7:00PM and stopped for dinner at Rubio's near UC Riverside; there was a "Boba Cafe" (yes, that's the name of the place) across from the Rubio's. This Rubio's has the worst placed sign ever. We saw the sign at the back of the restaurant right before the main entrance to the complex, but not the sign at the front. The smaller boba cafe had a more visible sign. Anyway, we had dinner and it's back on the road again. Considering that many people hit the snow-capped mountains of Southern California at this time of the year I was expecting to hit some traffic particularly on the 91 freeway. Thanks to God, there was none. Guess the road closure of route 330 forced people to take alternate routes which delayed the inevitable jam on the 91.&lt;br /&gt;
&lt;br /&gt;
Overall, this was a fun trip albeit filled with delays and unexpected things.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4525212734696525632-2203077970403158875?l=www.homepluspower.info' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/KeithsProgrammingBlog/~4/jVcytSD_ftY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.homepluspower.info/feeds/2203077970403158875/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.homepluspower.info/2010/12/30-minutes-by-air-2-hours-by-land-if.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/2203077970403158875?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4525212734696525632/posts/default/2203077970403158875?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/KeithsProgrammingBlog/~3/jVcytSD_ftY/30-minutes-by-air-2-hours-by-land-if.html" title="30 minutes by air 2 hours by land (if you obey the posted speed limits that is)" /><author><name>Keith Mendoza</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh4.googleusercontent.com/-dZlMQCifxBs/AAAAAAAAAAI/AAAAAAAABg0/kWWGUd1o7Ow/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.homepluspower.info/2010/12/30-minutes-by-air-2-hours-by-land-if.html</feedburner:origLink></entry></feed>

