Jul. 21st, 2009

johnridley: (Bender)
OK, we're back from up north. Last night I discovered that someone has been hijacking the comment plugin on the GT Wiki and spamming and trading illicit links with it. So I spent from about 9PM to midnight manually deleting a couple thousand comments.

The Wiki is now requiring login - I'll try to change that back if I can disable the comments system. It's nice having no login. What would be nice would be to allow any user ID and require the well-known GT password. I have the source, I suppose I could do that if I get time.

Spending the day doing dishes, airing out sleeping bags, etc.
johnridley: (Kick in the butt)
I got a note saying I hadn't activated my Discover card, so please call. I did, and they said it must have been a mistake, it was activated. More likely it's an opportunity to get me to call so they can try to sell me stuff.

Anyway, about the first thing the guy did was to say "I see you signed up online, let me check to make sure everything's OK." He verified my email, then said "OK, I'm going to send you an email with your password to make sure you can use our online features."

I said "Wait, WHAT are you going to do?" "Email you your password." "NO YOU'RE NOT. MAN, ****NEVER**** EMAIL PASSWORDS. Email is not secure. If you send my password via email, I'll have to go change it, and what's more, I'll have to search all my passwords for other sites I may have used the same password at, and then go change it on all of those sites. It could take me hours."

He put me on hold to try to stop it, but far before he came back, I had already received the email.

I started to chew him out, said that they should NEVER send passwords in emails, they could be intercepted. Heck, that they shouldn't even KNOW what the password is. He said HE didn't know, he just could have the system send the password. I said "The system shouldn't know what my password is, either. You guys have a weak security system, I can tell you that. And you really need to look at your procedures. If you're regularly emailing passwords, any SMTP traffic coming from your data center has got to be a prime target for people sniffing for passwords."

I also told him that I log into the site 4 or 5 times a month, so I don't know why he assumed I didn't already know my password. If I ASKED for the password, that would be one thing. He just sent it.

He didn't try to sell me anything after that, he just apologized and hung up ASAP.

The one good thing is that their system is badly-designed enough that I couldn't use my regular passwords, which are mixed upper/lowercase, numbers and punctuation. They wouldn't allow the punctuation so I was forced to use a pretty weak password, which means it's not one I probably used on other financial sites.
johnridley: (Beaker)
Serendipitous discovery while unpacking camping supplies:

Chocolate Geode
johnridley: (Bookworm)
Oath of Swords by David Weber

Interesting new universe. No significant long boring technical sections, which is a change for Weber, but there are nice detailed fight scenes.

Kept us entertained on the trip up and back.

Page generated Aug. 26th, 2025 07:37 pm