A safe too far: Goodbye Hotels.com

As I recently described, my primary requirement for selecting a hotel is that it has an in-room safe for storing my laptop.

Recently I have been running into problems regarding that. In the last year or so, there have been many cases when the safe has been too small for my laptop, and in one case there was no safe at all despite the advertisement on Hotels.com.

I just returned from this year’s vacation trip which included going to the (very crowded) World Science Fiction Convention in Dublin (which had a bit more excitement than usual, e.g. Jeanette Ng’s speech, the consequences of which are still emerging, although some are wondering about how to best handle such problems), and the Eurocon in Belfast the next weekend. No problem with in-room safes in both hotels, one of the hotels was booked through Hotels.com, the other direct. Then, to wrap up the vacation, I booked a stay in London and found this safe (my laptop for scale): Laptop on top of too small safe

I have generally not had problems with the size of in-room safes in London before, although there was one case (5 years ago) when the hotel didn’t have the advertised safe. There is a first time for everything, I guess. Laptop on top of too small safe

In fact, it was barely big enough for the document wallet I bring along (if the safe had been in working condition which it wasn’t, but that got fixed). Actually, this may be the smallest in-room safe I have seen, except for the Anaheim safe 13 years ago that I mentioned in my earlier post. The previous contender was able to hold a 12-inch laptop (with the battery removed).

In the past year or so, I have booked 12 hotel stays via Hotels.com (which I have been using for more than 10 years). In two cases I didn’t bother with an in-room safe, since the stays were just overnight at an airport.

Among the remaining 10 bookings, 5 hotels did not have a safe big enough for my laptop or did not have one at all (and that hotel entry still hasn’t been fixed two months later). In one other case, I was able to work around the problem by using the hairdryer for something it was not designed for.

So, that means that in the past year or so, 50% of hotels booked via Hotels.com did not have in-room safes that met my requirements. This is also a very sharp increase in such problems compared to before.

That is not good enough!

The whole point about booking services like Hotels.com is to search for, and book stays at hotels that fit the guest’s requirements without having to search all over the internet through various hotel booking sites. There is an implied promise and expectation that the information provided about the hotel is accurate and sufficient. That turns out not to be the case regarding in-room safes, and one may start to wonder how much other information about hotels is incorrect?

It should not be necessary to phone or email each hotel that is being considered to verify information on their Hotels.com booking page (which is what Hotels.com support have suggested I do).

This is a safe too far, and I am therefore no longer going to use Hotels.com for booking hotels until they have implemented the following:

  • Removed all “in-room safe” entries that are NOT listed as “large enough for a laptop”. Alternatively, changed the text for these to specify that they are “small”. In any case, new in-room safe entries must either specify “small” or “Large enough for a laptop” (“large enough” meaning that it will comfortably fit a 17-inch laptop).
  • Each hotel must be informed about this change and will have to confirm that their safes are capable of comfortably holding a 17-inch laptop (that is, at least 40×27 cm). The images from their hotel rooms should also include at least one picture of the safe, with a recognizable laptop model inside.
  • Searching for hotels must include a filter for in-room safe (large enough for a laptop). It’s been over five years since I first suggested this to Hotels.com.

And Expedia, Momondo&Co., before you start crowing and try to invite me over: this applies to you as well. You are not just all basing your information on the same data. When I checked your various sites regarding the hotel without safe in July, the information I saw suggests that you all engage in a game of telephone, mangling the data until it has no resemblance to the original data.

What will I do about hotel bookings from now on? I’ll likely start using one, maybe two big brand hotel chains and book directly which likely means that stays are going to become more expensive, and the smaller hotels (like the recent London hotel) will loose a few stays. Sorry about that.

Where did all the nice things go?

Over the years we buy many things that we use for various purposes, and some of these things become favorites that we replace with new items of the same kind as the old ones get worn out. Until we are (surprise!) no longer able to do so, because the favorites have disappeared from the market.

Sometimes it is possible to easily find a usable replacement, other times it is more difficult, even impossible (and the search can get expensive).

Below are some favorites of mine that have disappeared from the market.

Behind-the-neck headphones

While for many years I used small on-ear, over-the-head headphones, when I discovered behind-the-head headphones, especially Sony’s, they quickly became my favorites, specifically the one set I found with a retractable cord, as well as the foldable ones.

Unfortunately, it seems Sony has stopped producing these headphones, at least the wired variation, as have most other manufacturers, and the last (low quality) set I have is now nearing end-of-life.

I do notice that there are some small shops in Norway selling headphones like these, but they all lack iPod remote control functionality. I also found listings of similar Sony headphones on Amazon, but considering that Sony does not presently list any wired behind-the-neck headphones I have not looked closer on those listings as I suspect they are actually years-old leftover registrations that are no longer for sale.

For the iPod it seems that the only real option is the Bluetooth variations (see below), but I also use such headphones with my stationary computers, too, and I don’t want to add Bluetooth connectivity to them (Paranoia mode: I’d rather not have any wireless connections to them, at all). I might try out those small Norwegian shops to get some behind-the-head headphones to my computers (don’t need remote controls for those).

The Classic iPod remote control

IPod FM remote
Years ago I replaced my Walkman. First with a Discman, and then started using various MP3 players, and eventually started using iPod players.

Among the benefits of the iPod players was the (Radio) remote control that you could fasten in an easily accessible location on your jacket, sweater, or t-shirt (unlike in the classic iPod ad, I carry the iPod in a pocket or my bag, not in my hand).

Like all mechanical items, the remote control eventually wore out, so I replaced mine multiple times until I was no longer able to find them since Apple had stopped producing them.

Various headphones did fill in the void with a simpler kind of remote control, but these are mostly either the earbud type (which I do not like; I only have one set of earbuds, the noise-canceling headphones I use when flying), or the gigantic over-the-ear-and-over-the-head headphones, none of them are of the wired on-ear, behind-the-neck type I prefer.

As far as I can tell the only current alternatives for behind-the-neck headphones with remote controls are the Bluetooth variants (frequently with an unnecessary microphone), which is a problem since the iPod does not have that capability, or start using a (new) phone (won’t be an Apple phone) as an MP3 player instead.

I have discovered that there are Bluetooth adapters for the iPod, but I worry that they do not provide good enough sound quality. The reason for this worry is that some years ago I tried a third-party iPod remote control, which also could use a Bluetooth connection to your phone.

However, what I discovered was that this remote control distorted the music quality, so I stopped using it. I am worried that the Bluetooth adapters will have the same issue.

Thinkpad Classic keyboards

As one can surmise from my recent article about keyboard layout switching, I think keyboards are important. After all, I use them for all my work.

And like many, I have strong opinions about how a keyboard should be laid out and work. Among my must-haves for desktop keyboards is the classic layout with the horizontal 3-by-2 section Insert/Home/PgUp in the upper row and Delete/End/PgDn in the lower and arrow keys below that. I was seriously annoyed when some manufacturers changed that layout, as were many others. Fortunately, the old layout has remained available.

When it comes to laptops, one does have to make some adjustments. After all, the room available for the keys is a bit … limited. Originally, I used IBM Thinkpads from the X-series, first an X20, and later an X40, when traveling, and these had a keyboard that looked and felt like an ordinary keyboard in the main part of the keyboard, which meant that the transition between the normal desktop keyboard and the laptop was fairly easy.

However, sometime after Lenovo bought the Thinkpad product line from IBM, they started replacing the Classic keyboards in the low-end laptops with the newfangled (and less expensive) island-style keyboards where the keys have a bit of space between them. That keyboard organization is not a good fit for me since the key spacing is slightly different compared to ordinary desktop keyboards, which results in my fingers not hitting the keys correctly when not looking at the keyboard, so typing becomes slower than it could be and switching keyboards become more difficult.

In early 2013, I came across a Lenovo blog article effectively saying that the Classic keyboard was “dead” and to “get over it”.

Lenovo Thinkpad X220
Lenovo Thinkpad X220

Get over it? No way! Hours later I made off with one of the last X220s sold in Norway, thus making sure I had a laptop with a Classic keyboard for years to come.

Late 2017, it seemed like Lenovo did a small rethink of their position (at least for a short while) since their 25-year anniversary edition of the Thinkpad had the Classic keyboard. Both Jon and I hurried to the store to get ourselves one.

Unfortunately, it does not seem like Lenovo decided to return to the Classic keyboard permanently. Considering that the Thinkpad, and in particular the X series is/was considered the pricey, high-end laptops purchased by business users with a need for good quality hardware, it seems a bit odd to remove one of the trademark parts of the series, just to save a few dollars.

My recommendation to Lenovo is to bring back the Classic keyboard, preferably to all their laptops, but at least the X series laptops.

Rockport XCS shoes

It isn’t just electronic favorites that have gone missing. Good shoes went missing, too.

In my case, I need extra support under my feet’s arches, and unless the shoes provide that support I have to use steel inlays like I had to do since before I began primary school.

After more than 10 years using Nike Air shoes, which did give me the necessary support without inlays, I discovered Rockport’s XCS shoes which, besides a businesslike look, had very good support for the arches and real good shock absorption in the sole. These shoes worked very well for me and I kept buying at least one pair a year, including winter shoes (I had to use inlays until then).

However, a few years ago Rockport stopped producing the XCS system shoes that were what I call “business shoes” (nice black ones, but not dress shoes), leaving mostly hiking shoes.

A different product line was supposed to take over, but I stopped using the one pair I did buy after only a few days – they were not good for my feet.

At present, I continue using the old pairs I have left, having them repaired whenever there is a problem, but they will eventually wear out. The winter shoes already have taken their last step.

Why do nice things disappear?

There seems to be a line of thinking among vendors and outlets that, unless something is a runaway sales success, it does not deserve a place among the products they sell, and even the products that are being sold get their features removed if they are deemed too costly and/or not relevant to how well the product sells.

This is something that we’ve seen in software as well. This trend in browsers was one of the main reasons Vivaldi started. As another example, I am still using Smartgit 4.6 because newer versions removed a fundamental UI feature that I am frequently using several times a day, and replaced it with something that does not work very well when you have a dozen projects with 500 000 files or more.

If they are not careful, this may eventually cause them to go out of business, because this will drive away the loyal customers who did buy those items because of those features. For example, I haven’t been buying any Sony headsets or Rockport shoes since they stopped selling the ones I was buying, and if Lenovo isn’t selling Classic keyboards I might go looking at other brands instead (although the red cursor button in the keyboard is still a good reason to buy; I don’t like touchpads, and disable them within minutes of first boot).

Others are making similar observations. Recently, one of the Science Fiction authors I follow posted an article with similar concerns about how (brick and mortar) retailers were removing items from their list of products, thus forcing customers to buy the items they need online, then complaining about how the “internet is destroying their business”.

Sony, Apple, Lenovo, and Rockport, where did all the nice things go?

Maybe you can tell me which of your competitors are able to sell me something that works as well as yours did?

Microsoft, keep your hands off my keyboard!

The keyboards connected to our computers are essential to controlling every aspect of our computer experience, and to our communications with everybody we communicate with. A very basic aspect of the keyboard, and of our personal choice (it is really a major aspect of our national identity), is the layout of the keys. In my case, I am using a keyboard with a Norwegian layout, which is essential when writing text in my native Norwegian language.

What happens when someone, or something, changes how the keyboard is working?

About a year and a half ago I started working on a Windows 10 machine at work (having used Windows 7 until then), but after I while I started running into a particularly obnoxious problem: The keyboard layout would, occasionally, automatically be changed to the US layout, instead of my Norwegian layout.

For somebody who is reasonably competent at typing without looking on a Norwegian keyboard (aka. the “Touch” method), that is rather irritating, because keys like “<“, “:”, “-“, “æ”, “ø”, and “å” suddenly produce completely different characters. The result is a disruption of my current activities.

After some searching I discovered this thread about it, started in 2016 (and still active), and there are indications in the thread’s references that the problem first appeared in Windows 8, at least as early as 2012, maybe 2011.

Based on information in the thread and its references, what seems to be happening is that Windows 10, being “concerned” that the user’s configuration might not be correct in the context of his or her environment, scans the other Windows 10 machines on the network, or obtains information from computers it connect to, and possibly other information, such as the machine’s geographical location, and automatically reconfigures the enabled keyboard layout based on this information.

I do not know if this is correct, but the name of a registry value mentioned in this information, “IgnoreRemoteKeyboardLayout”, indicates that there may be something to it.

This problem seems to have been affecting many users from non-English
speaking countries, especially those working in multilingual, global companies, or those having moved to a different country.

In Vivaldi, I work with colleagues from many countries and we are all using different keyboard layouts, including German, Icelandic, and US layouts.

The thread I found discusses various workarounds, some of them requiring
you to edit the registry (one of which I used to fix my problems), which is something the average user should never be required to do.

Recently, though, I have run into this again with my personal laptop, and as far as I can tell the workarounds are not just not working anymore, it seems
that the workarounds I did apply earlier were removed somehow, possibly by the recent major Windows 10 update.

The keyboard layout of my laptop keeps changing to the US layout several times a day, even several times an hour. In fact, I have had it happen in the middle of writing emails!

And what is happening to my laptop is not an isolated case: One of my colleagues has reported the same thing has started happening to his laptop, too.

So, I think Microsoft is being too “helpful” in this case.

I have configured my PCs the way I want them configured, with the UI language I want, and the keyboard layout I want to use, and I did so when I installed Windows on the PC, and I have no plans to change them.

Microsoft, keep your hands off my keyboard!


Update June 24: The jury is still out on this, but a couple of days ago I decided to try two changes: I removed all the extra languages and keyboard layout combinations (again), and also disabled the keyboard shortcuts for switching between these settings.

If this continues to work, it may have “solved” my problem.

However, it is still a “solution” for a problem that should never have existed, the automagic addition of languages and keyboard layouts, and it may be that the workaround only hides the issue.

It also points to what I think is a bad design choice by Microsoft: The choices for the keyboard shortcuts are Ctrl+Shift and Left Alt+Shift (never mind that Norwegian keyboards only have one Alt key, the left one; the other is the AltGr key that is an alias for Alt+Ctrl, used to type various characters like “@”, “{“, and “€”). Both of these shortcuts are used as part of various keyboard shortcuts, and the Alt+Shift key variation is part of the “Switch to previous Application” shortcut Alt+Shift+Tab. What happens if you start to press this shortcut, and decides to not change application after the first two keys are pressed? That’s right: The keyboard layout changes!

And even if these two actions “solved” the problem, it should never have been an issue for my systems, since I never added extra languages or keyboards. Microsoft added them without asking, then a bad choice of keyboard shortcuts exacerbated the problem.

And users that, for various reasons, do have multiple languages and/or layouts enabled, may still be having problems.

Update June 27: After rebooting the laptop, the US layout returned, despite having been manually removed, and the keyboard shortcuts being disabled.

Secure online X-mas shopping? Big stores encrypt, the corner-store doesn’t

Encryption usage by Norwegian online shopping sites (2016 edition)

Over the past several years I have performed occasional surveys of Norwegian shopping sites and their use of encryption. I decided to limit my surveys to Norway, because I concluded that limited knowledge would make collecting a representative international list of foreign shopping sites difficult, and would probably only contain large stores, not small ones.

The last survey I wrote about was performed in early 2015, and while I did not publish an article about it, I did perform a second survey a few months later, in order to get an impression of the effects of some actions initiated after my article. The changes at the time were not significant enough to change what I presented in the previous article, so I did not publish an article discussing those updated results. Continue reading “Secure online X-mas shopping? Big stores encrypt, the corner-store doesn’t”

There are more POODLEs in the forest

In December it was announced that several TLS server implementations were affected by a problem similar to an SSL v3 issue called POODLE disclosed by Google researchers in October. This attack worked by modifying the padding bytes of the encrypted SSL/TLS records that are used to make the records into even multiples of 8 or 16 byte blocks of data, checking how the server responded, and used this to deduce the plain text of the transmitted data, one byte at a time, with just a few tries.

Several major vendors were affected by the TLS variant of the POODLE issue, and released patches. Continue reading “There are more POODLEs in the forest”

The POODLE has friends

In October last year, researchers from Google published details about an attack on SSL v3, called POODLE. This attack worked by modifying the padding bytes of the encrypted SSL records that are used to make the records into even multiples of 8 or 16 byte blocks of data, as used by 3DES and AES encryption in the “CBC” mode, checking how the server responded, and used this to deduce the plain text of the transmitted data, one byte at a time, with just a few tries. Continue reading “The POODLE has friends”

Usikker registrering av persondata i mange nettbutikker

[Apologies to my English language readers, as this article mainly concerns encryption in Norwegian online shopping sites, I decided to write it in Norwegian]

Jeg har ved at par tidligere anledninger undersøkt bruken av kryptering av norske nettbutikker, sist i 2013. Konklusjonen begge ganger har vært at kryptering er lite brukt.

I løpet av januar gjennomførte jeg en ny undersøkelse av kryptering i norske nettbutikker. I tillegg til 59 butikker jeg hadde undersøkt tidligere, inkluderte jeg denne gangen 184 nye nettbutikker fra Posten.no‘s liste over nettbutikker, totalt 243 butikker.  Continue reading “Usikker registrering av persondata i mange nettbutikker”

A possible reason why many e-commerce sites do not use encryption?

If you have read my past articles, you may have noticed that I am a little annoyed by the low number of e-commerce sites using HTTPS encryption to protect their customers. While most do use encryption for payments, usually that is because they use the services of a payment processor, and because using encryption for the payment info submission pages is required by the credit card companies. As far as I can tell, very few e-commerce sites use encryption for displaying the shopping cart, collecting customer information about name and address, or the customer login, although I have an impression that larger e-commerce companies are better at this than smaller ones. Continue reading “A possible reason why many e-commerce sites do not use encryption?”

Not out of the woods yet: There are more POODLEs

As I wrote in my previous article about this, in October a group of Google security researchers had discovered a problem, called POODLE, in SSL v3 that in combination with another issue, browsers’ automatic fallback to older TLS and SSL versions, allowed an attacker to quickly break the encryption of sensitive content, like cookies.

The main mitigating methods for this problem are disabling SSL v3 support, both server side (now down to 66.2%, but slowing down) and in the client, and to limit the automatic fallback, either by not falling back to SSL v3 (which is now implemented by several browsers), or by a new method called TLS_FALLBACK_SCSV (introduced by Google Chrome and others). Continue reading “Not out of the woods yet: There are more POODLEs”

Attack of the POODLEs

Three weeks ago a group of researchers from Google announced an attack against the SSL v3 protocol (the ancestor of the TLS 1.x protocol) called POODLE (a stylish abbreviation of “Padding Oracle On Downgraded Legacy Encryption”). This attack is similar to the BEAST attack that was revealed a few years ago, and one of the researchers that found the POODLE attack was part of the team that found BEAST.

POODLE is able to quickly discover the content of a HTTPS request, such as a session cookie, but only if the connection is using the SSL v3 protocol, a version of SSL/TLS that became obsolete with the introduction of TLS 1.0 in 1999. As almost all (>99%) secure web servers now support at least TLS 1.0 (which is not vulnerable to the attack, provided the server is correctly implemented), it might sound like this attack is not very useful. Unfortunately, that is not so. Continue reading “Attack of the POODLEs”