June 30, 2004

Close Call

Okay. Only a couple of weeks after my accident, another bike incident. I was very nearly hit by a car while riding to work this morning. Had I been hit, it would have been the second time in a year. Strangely enough, it happened very much like the first: the car slowed down for a stop sign (this time coming to a complete stop), and then started going again. I had slowed down quite a bit to give the driver room in case she decided to go, which was really the only reason I didn't eat pavement.

The car's windows were also illegally tinted (I mean completely black), which didn't help in terms of watching the driver. I can't say for sure, but I would guess the driver saw me, thought she had enough space to turn, and then realized she didn't. Being cautious only helps so much when the person driving the larger vehicle is a moron.

I'll probably ride on campus as much as possible to avoid the worst of the traffic from now on, even though it makes the ride a little longer. Who would have thought 2nd Avenue was so dangerous?

Best to keep things in the shallow end
Because I never quite learned how to swim

Posted by dwc in Cycling at 07:56 PM

Feedback

I decided to send feedback to the myUFL team about the most serious problems:

myUFL doesn't seem to use Secure Sockets Layer (SSL) for HTTP transactions except for the initial login. It would seem that my personal information - such as my UFID, my bank's routing number, my checking account number, and my Social Security number - is being transferred in the clear when I use the portal. This makes me very nervous.

I tried to change the URL from "http://my.ufl.edu/..." to "https://my.ufl.edu/...", but myUFL claimed that my session had expired.

Further, why is my UFID stored in a cookie (named SignOnDefault) on my hard drive with an expiration date of 7 days from login? If I log in to the portal from a public computer, someone else could theoretically get it without too much trouble. Would it be possible to encrypt the contents of this cookie?

Thank you.

Posted by dwc in Rants at 07:36 PM

June 29, 2004

myUFL: Cookies, SSL, Redirects, Interface

So myUFL has been unleashed on the University of Florida community, and it's gone well...I guess. Ross has voiced (what I expect to be only) some of his complaints about the browser requirements, which I of course agree with. But this isn't about browser requirements, because I can still access myUFL in Galeon (though it's painful at times). This is about cookies, SSL, redirects, and user interface.

First, let's talk about cookies. Like any sensible person, I have my browser set to only accept cookies from the current server. This lets me log in to myUFL. When I try to use any of the employee functions, however, it tells me that my session has expired. Setting it to accept all cookies, of course, lets me use those functions.

Logging into the portal sets, by my count, nine cookies. One of those is the UF_GatorLinkState cookie, which is used by other services on campus, so let's call it eight. Another cookie, SignOnDefault, contains my unencrypted UFID. I can't find any specific policy on who is allowed to have access to your UFID, but I can foresee major headaches with leaving such data around on people's hard drives (this cookie doesn't expire when you close your browser, unlike some of the others), especially in lab settings.

Further, myUFL doesn't seem to use SSL for anything except the login transaction. That's right: I log in using an HTTPS transaction, which redirects me to an HTTP URL. This means that ALL of my personal information is being transferred in the clear. It's possible that my UFID has been intercepted. Not to mention my payroll information - such as my bank's routing number, my checking account number, and my Social Security number.

Modifying the URL to use HTTPS (by changing http:// to https://) causes myUFL to claim my session has expired. Hitting the back button returns me to my last page, and from there I can go anywhere - so my session is obviously still active.
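The problems described above (an HTTPS login that redirects to HTTP, cookies set without the Secure attribute, and a long-lived cookie holding a bare identifier) can be checked mechanically from a captured response chain. This is an added example, not part of the original post or myUFL's code; the host name, cookie values, and the 8-digit identifier pattern are constructed assumptions.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

ID_PATTERN = re.compile(r"^\d{8}$")  # assumption: the ID is a bare 8-digit number

# Constructed captures: (request URL, status, [(header, value), ...])
WEAK = [
    ("https://portal.example.edu/login", 302, [
        ("Set-Cookie", "SignOnDefault=12345678; Max-Age=604800; Path=/"),
        ("Set-Cookie", "SESSION=abc123; Path=/"),
        ("Location", "http://portal.example.edu/home"),
    ]),
    ("http://portal.example.edu/home", 200, []),
]
HARDENED = [
    ("https://portal.example.edu/login", 302, [
        ("Set-Cookie", "SESSION=tok_9f2c; Path=/; Secure; HttpOnly"),
        ("Location", "/home"),
    ]),
    ("https://portal.example.edu/home", 200, []),
]

def audit(hops):
    """Return (issue, detail) pairs for a captured redirect chain."""
    findings = []
    for url, status, headers in hops:
        for name, value in headers:
            if name.lower() == "set-cookie":
                jar = SimpleCookie()
                jar.load(value)
                for m in jar.values():
                    if not m["secure"]:  # cookie will also be sent over plain HTTP
                        findings.append(("no-secure", m.key))
                    persistent = bool(m["max-age"] or m["expires"])
                    if persistent and ID_PATTERN.match(m.value):
                        findings.append(("persistent-id", m.key))  # survives on disk
            elif name.lower() == "location" and 300 <= status < 400:
                target = urljoin(url, value)
                if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
                    findings.append(("downgrade", target))  # session leaves TLS
    return findings

if __name__ == "__main__":
    for label, hops in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(hops))
```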

Now, let's talk about redirects. When you type http://my.ufl.edu/ into myUFL's "recommended" browsers (Internet Explorer 5, 5.5, or 6), you are redirected, it looks like, twice: first to http://my.ufl.edu/ps/signon.html, and finally to a secure version of that page. This breaks the back button. I kindly point the myUFL administrators to the W3C's writeup, "Use standard redirects: don't break the back button!"

On user interface: it's obvious the interface was constructed by programmers, with no help from UI experts. Let's face it: as programmers, we are often horrible at creating user interfaces - we see the interface from a very technical perspective, and so it often mirrors the structure of the database tables, even when it doesn't make sense to. A complaint of one instance of poor interface design came up on the Campus Computer Coordinators list today, specifically:

- Could the time reporting link appropriate to each employee (for me, for example, weekly time) be moved up several levels in the hierarchy to, for example, my home page on my.ufl.edu? It's an awfully deep lot of clicking to do every time
- Could the date field on each punch default to today's date?
- Could the add punch button be done away with and instead just always provide a new (or, better, a few extra) blank punches at the bottom? A few blank punches would make for many fewer HTTP transactions

To give you an idea of the issues here, take a look at a screenshot of the "timecard" feature, which is used to report when an OPS employee works:

[Screenshot: Galeon (2004.06.29)]

On the left, you see the navigation menu. I had to click on "Employee Self-Service", then "Time Reporting", and finally "Time Reporting Home" to get to the screen prior to this one (so a total of 4 links to get to this screen). If "Time Reporting Home" is the only thing I have in that section, why can't it come up when I click "Time Reporting"?

To actually report time, you have to first add a "punch". Then you have to select or enter a date (there's a calendar widget, or you can type into the date field). Next you type the time of the punch. Finally, you select the "type" of the punch, either "In" or "Out".

When you have one or more punches, I think the date defaults to that of the last punch. That's okay. Now, it would be really nice if the punch type would default to the opposite of the previous one, so if you last punched in, "Out" would automatically be selected.

If you leave a punch blank, you get an error message. The server should be able to simply ignore blank punches. This would also allow for the third suggestion above - always giving a few blank punches. I understand the technical reasons why this isn't done, but I would think that they could be overcome without much difficulty.

Also in that CCC thread, Sandy McArthur gave a number of good suggestions. Usability and other improvements will be made over time, hopefully.

Overall, the transition to myUFL is going better than I expected, but there is a lot of room for improvement. I want fewer cookies and the ability to constrain them to the current server only. I want secure transactions everywhere. I want a better interface. Urg.

And I don't want to feel this overwhelming hostility

Posted by dwc in Rants at 04:56 PM

June 27, 2004

ARGH

ARGH. I've said it before, and I'll say it again: STOP USING emerge -U. That is all.

Posted by dwc in Computers at 12:46 AM

June 23, 2004

New Computer!

I got a new computer at work recently. It's a dual Xeon 2.40 GHz with Hyper-Threading, 1 GB of RAM, SATA, etc. It's, uh, fast. :-)

[Screenshot: Work (2004.06.23)]
Posted by dwc in Screenshots at 05:44 PM

June 18, 2004

Bicycle Accident

Last Thursday, I managed to get myself into a pretty bad bicycle accident. I wasn't hit by a car this time, but it was definitely a worse accident. I unfortunately don't remember much of the accident, but I think I was thrown from my bike or lost my balance when I went over a huge tree root near my neighborhood. I lost consciousness, fractured a few places near my right eye, hurt my neck, and got a few scrapes and bruises.

They gave me a neck collar to wear until today, since I apparently had whiplash ("surgical strain" is what they told me when I left the ER this morning). The bruises around my eyes are still pretty apparent, and there is still some swelling.

The hardest part, I think, was being unable to keep fluids down immediately after the accident. I had to go back to the ER on Saturday, to get fluids by IV. They also gave me a prescription for phenergan. I don't like taking medicine, but it was really helpful in keeping me from getting sick to my stomach.

I've seen a couple of specialists (an oral maxillo-facial surgeon and a plastic surgeon), and both have said that I probably won't need surgery. Phew.

All in all: 18 hours in the Shands ER across 3 visits, 6 stitches, 7 x-rays, and 1 CAT scan.

Posted by dwc in Cycling at 01:10 PM