Humble Bundle and One Order Too Many

I am a fan of Humble Bundle so when they announced their winter sale, I of course had to buy something. As anybody with small kids will tell you, it is hard to go wrong with LEGO Harry Potter.

I used PayPal to pay for a gift purchase for one kid and tried to get the same for another only to be faced with “Sorry, your Humble Store order has been canceled. We have received too many purchase requests from you in a short period of time, so we have canceled your order (you will not be charged). We are very sorry for the inconvenience.” Well, I did try to buy second game less than another so I gave it a few minutes. Same again. Gave it 30 minutes, same again. Then 2 hours, same again.

At that time I decided to contact Humble Bundle support, the only website that gives you a Forbidden error when you try to create a new account. At least their support system sends responses via e-mail so I could afford to give up on setting up a proper account.

Talking with Peter, their support guy, didn’t gain me much: “The purchase limits are part of anti-fraud measures”; “unusually large wave of traffic from one person”; “Sadly I am unable to lift the fraud protection”; and my favorite “Unfortunately I am unable to reveal that information”. I have been Humble’s customer since their very first Bundle. I have bought multiple games before (in one instance three of them). But now, two orders in a row are considered too many.

I understand that there was a need for some automated protections so people would not buy a bunch of games and resell them. But I cannot believe that anybody would think a proper limit would be a single game per person, especially since they do offer the option of a gift. And even if that is the decision, why would you not give the possibility of an override to your own support staff? And why don’t you tell your customers how long they need to wait between purchasing two games? A day? A month? A year?

I did solve it in the end by using my credit card instead of PayPal. Somehow I am not considered a fraud if I use a different payment method…

Beware of Magic in AES CBC

For encrypted text, I commonly see a “magic” footer used as the sole verification method for AES CBC; i.e. the assumption is that, if the last bytes were decrypted correctly, all previously decrypted bytes are valid too. However, that assumption can fail horribly.

One case where it fails is when a configurable IV is used. You can have nonsense for an IV and decryption will still succeed. Even worse, while the first few bytes will be invalid, 8-byte blocks following it will look just fine. If you validate content only by the last few bytes, your program might happily continue to work without any issue.

But let’s assume you have a static IV and that this issue doesn’t affect you, and that you are worried only about stream errors anyhow. Well, I hate to inform you but CBC mode is self-synchronizing, i.e. any recoverable errors in one block will go away after a certain number of blocks. For example, if you have an error in the first byte of a stream, the next fifteen bytes will be corrupted but the rest of the stream (including your footer) will look just fine.

Corruption in the middle of the stream will cause an exception most of the time, but not always. If it passes unnoticed you can have a valid header, a valid footer and garbage in between.

As you can see from the two examples above, you cannot rely purely on the fact that some stream bytes were decrypted correctly as proof that some other part of the stream is not corrupted. The only way to be sure about stream validity is to use hash/CRC functions that were actually designed to detect corruption.

An example of both these behaviors is available for download. Below is example output with both valid and invalid decryption having the same footer (FF-FF-FF-FF):

Decrypted (OK) ..........: 00-01-02-03-04-05-06-07-08-09-0A-0B-0C-0D-0E-0F-10-11-12-13-FF-FF-FF-FF
Decrypted (invalid IV) ..: FF-01-02-03-04-05-06-07-08-09-0A-0B-0C-0D-0E-0F-10-11-12-13-FF-FF-FF-FF
Decrypted (invalid input): 31-33-7C-D9-A9-91-47-DD-52-3A-64-08-FD-2F-D4-C8-1D-11-12-13-FF-FF-FF-FF
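
The three cases above can be reproduced with Node.js's built-in crypto module. This is an added example, not the post's downloadable sample; the keys and IV are constructed values, and the integrity check shown is an HMAC-SHA256 over IV and ciphertext, a keyed stand-in for the hash/CRC the post recommends that also catches deliberate modification.

```javascript
const crypto = require('crypto');

// Constructed sample values: fixed keys and IV keep the output reproducible.
const KEY = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
const MAC_KEY = Buffer.from('f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff', 'hex');
const IV = Buffer.from('101112131415161718191a1b1c1d1e1f', 'hex');
const FOOTER = Buffer.from('ffffffff', 'hex');
// 20 data bytes (00..13) followed by the magic footer, as in the sample output.
const PLAIN = Buffer.concat([Buffer.from([...Array(20).keys()]), FOOTER]);

function encrypt(plain, iv) {
  const c = crypto.createCipheriv('aes-128-cbc', KEY, iv);
  return Buffer.concat([c.update(plain), c.final()]);
}
function decrypt(ct, iv) {
  const d = crypto.createDecipheriv('aes-128-cbc', KEY, iv);
  return Buffer.concat([d.update(ct), d.final()]); // throws only on bad PKCS#7 padding
}
// The weak check: trust the whole message if the last bytes match.
function footerOk(plain) {
  return plain.subarray(plain.length - FOOTER.length).equals(FOOTER);
}
// The integrity check: HMAC-SHA256 over IV || ciphertext, verified before decrypting.
function tag(iv, ct) {
  return crypto.createHmac('sha256', MAC_KEY).update(iv).update(ct).digest();
}
function tagOk(iv, ct, expected) {
  return crypto.timingSafeEqual(tag(iv, ct), expected);
}
function flipFirstByte(buf) {
  const out = Buffer.from(buf);
  out[0] ^= 0xff;
  return out;
}

const CT = encrypt(PLAIN, IV);
const TAG = tag(IV, CT);
const BAD_IV = flipFirstByte(IV);
const BAD_CT = flipFirstByte(CT);

const hex = (b) => b.toString('hex').toUpperCase().match(/../g).join('-');
for (const [label, ct, iv] of [['OK', CT, IV], ['invalid IV', CT, BAD_IV], ['invalid input', BAD_CT, IV]]) {
  const p = decrypt(ct, iv);
  console.log(label.padEnd(14), hex(p), 'footer:', footerOk(p), 'hmac:', tagOk(iv, ct, TAG));
}
```

All three decryptions pass the footer check, while the HMAC passes only for the untouched IV and ciphertext.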

Bon Voyage

For almost five years now I had a Kindle 2 as my companion. Other Kindles came and went and I saw no reason to replace something still working. But there was one thing bugging me for a while now - reading by night. I was pretty much looking to upgrade to Paperwhite when Amazon announced Voyage. So I jumped onto that train.

I decided upon Voyage 3G since I still fondly remember my Kindle 2 keeping me in touch with the world in a foreign expensive land before the age of WiFi. First shock happened when I tried to browse. Amazon actually doesn’t allow browsing on 3G anymore. You can visit Amazon, you can visit Wikipedia, but nothing else is reachable without WiFi. Compared to the unrestricted Kindle 2 this seemed like a step backward.

I was also stunned by the fact I could not access my own web site. Since I could access it at an alternate address I would tend to blame this on the lack of SSL Server Name Indication support which I find really strange since Kindle advertises it as a WebKit browser. My guess would be that they’re using quite an old version of SSL code when it manages to fail at a thing even Internet Explorer 7 supports.

WiFi itself is 2.4 GHz only which is a bit of a disappointment. This is quite literally the newest device I own and the only one that has no 5 GHz radio. Yes, 2.4 GHz is the more common choice for consumers also but I find 5 GHz a blessing in a crowded environment (e.g., in cities).

Build quality is quite good with a glass front and a magnesium back with a soft finish plastic over it. Only disappointment was a slight misalignment of plastic hiding the antennas with the rest of the body. Fortunately it is not in place where you can easily touch it and it might be only an issue with my device anyhow.

In order to turn the device on you need to reach the button on the back. Without a cover this operation is annoying at best. Fortunately, as soon as you get some cover on, things get easier and more comfortable. Also annoying is the “Swipe to unlock Kindle” gesture at every damn turn on. It is completely unnecessary and serves absolutely no purpose other than showing off the fact you have a touchscreen. This is also solved by putting a cover on (but only if you have the version without special offers). As you might deduce, this Kindle is less than enjoyable without a cover.

Since Voyage is a really young device, the only original Amazon cover is the Origami, which I personally find annoying at best. I’m hoping that Amazon will start selling just a simple leather cover too as the same one is available for their other devices. Of course you can always opt for a third-party cover.

On the other hand I just adore PagePress buttons. Lack of physical buttons on Paperwhite was what was keeping me back on Kindle 2. Sadly, due to the touchscreen controls, lefties might not really enjoy the buttons as they would otherwise. Bezel is really thin so my page turning finger naturally tends to rest at the edge of the screen. This means that each touch to the left PagePress button also probably touches the screen where that same gesture is interpreted as going one page back.

In the end my page turn occasionally gets interpreted either as nothing at all or as a turn backward. It doesn’t happen often but it kills my flow immediately. Software solution would be simple - just disable touch screen page turns when PagePress is enabled but I doubt that anything will be done since 90% of right-handed people will be just fine with this.

Speaking of page turns, I find it slightly unnecessary to have a PagePress back button on both sides. Since going backward is a pretty rare operation, having the second back button replaced with Home (again, as on Kindle 2) would make more sense to me.

Missing when compared to the Kindle 2 is also any form of audio. While I used read-aloud functionality rarely enough that I won’t miss it, I do miss capability of getting my audio books on it. I dream of a day when I will be able to switch between listening to unabridged audio book and reading it on screen. A beautiful thing when you prefer reading but occasionally want audio (e.g., when driving a car).

Another surprise came when I tried charging Voyage. It would only pull around 500 mA from wall chargers. Compared to 900 mA Kindle 2 could pull this is a real disappointment. I tried using the original Amazon 5W charger but current usage remained the same. Unless Amazon’s fast charger (9W) does better job, I can only deduce that somebody in engineering did a shoddy job and 500 mA is the maximum.

Regardless of all these annoyances I covered in the last few paragraphs, I really enjoy this Kindle. Screen is gorgeous, backlight really pleasant, and it does feel like an upgrade coming from Kindle 2. Even if you are coming from the latest generation Paperwhite you will find the new Kindle an enjoyable and quality device. Biggest issue for it will probably be the price since $200 for the basic model and $270 for the 3G one is quite a premium.

All in all I really love this Kindle. Yes, it is not perfect but it is a great companion.

PS: Due to such a crippled 3G, I returned my original purchase and got myself a WiFi-only Voyage.

Visual Studio Community 2013

A bit over a week ago a new Visual Studio edition appeared pretty much out of the blue. For all practical purposes you can look at it as a cross between Visual Studio Professional (has same features) and Express editions (it’s free).

Unlike Express editions, Community can only be used by an individual developer, for open source, for learning/teaching, and in small non-enterprise settings. If you are working for an enterprise company, you’re out of luck.

Since Community is essentially the same as the Professional edition, there are not many new things that can be said about it. It can slice, it can dice, and it is an almost perfect development environment. Yes, there are Premium and Ultimate and they do offer some advantages (e.g. IntelliTrace is a gem) but most of the time one can live without those features just fine. Unlike with the Express editions you won’t feel constrained with the Community.

Surprisingly you cannot really install Community edition side-by-side with any other paid Visual Studio. Official explanation is that this is because Community is part of the same line as other editions but I still find it an unfortunate decision. Developers wearing two hats in BYOD scenarios (e.g. enterprise by day, open source by night) might get into some conflicting situations. Side-by-side with the Express editions will still be supported so not all is black.

Speaking of Express editions, it is not really clear to me what their destiny is. Currently they do stand together with Community but they do overlap quite a bit. If we learned anything from the past, their days are numbered. I would like to be wrong since I do love them. Even with all their shortcomings, I can still see them being useful in multiple scenarios (mostly due to their quite permissive licence). I will miss them.

If you currently don’t have anything better than Express on your machine and you fit into the restrictions, it is definitely worth checking out.

Windows Installation Media Creation Tool

For quite a long time Windows 7 USB/DVD Download Tool was the easiest way to create your bootable USB. Yes, it had its issues (e.g. didn’t work for UEFI) but it usually did its work. Only issue was where to get install media in the first place.

Well, now Microsoft gave us Windows Installation Media Creation Tool. As soon as you start it (no installation possible) you will get a selection of languages, editions (Standard/Pro), and architecture (x86/x64). Afterward you select whether you want to create a bootable USB or save it as an ISO file and, after a lengthy download, you will have your installation media. Perfect!

However, the tool is not really perfect. First of all, it seems to have issues with some USB drives. I tried three different SanDisk Cruzer Fit USB drives and none of them was even recognized by the tool: “We can’t find a USB flash drive. Insert one and try again.” This is the first time ever I saw an issue like this in any program.

One drive it did recognize (Super Talent’s Pico-C) was deemed too small although its size was the required 4 GB. Yes, I know disk manufacturers like to count bytes a bit differently but I am puzzled by that 4 GB requirement. Pretty much all Windows installations are just slightly over 3 GB so a better approach would be just to compare the given flash size to the selected installation media. And there is no technical reason since I could manually create a bootable drive from the downloaded ISO just fine.

If you have limited bandwidth, beware. The utility downloads a new file every time. It doesn’t matter if you just downloaded the ISO five minutes ago and now you just want to create bootable media. It will redo the whole download. Seems wasteful to me.

It would also help if default selections would match the running system rather than being empty. The whole idea is to give you installation media for your machine and this gets quite a bit annoying if you are an inexperienced user trying to guess which release you are currently running.

But all in all, I am happy with this tool for its ISO download capability. It finally makes it possible to do a pristine installation on your machine with original Microsoft media without having to be an MSDN subscriber.

PS: If everything else fails, you can always make the USB install manually.