[thelist] Site check: Staples.com

Ken Schaefer Ken at adOpenStatic.com
Tue Sep 20 08:52:33 CDT 2005


> -----Original Message-----
> From: thelist-bounces at lists.evolt.org [mailto:thelist-
> bounces at lists.evolt.org] On Behalf Of Shawn K. Quinn
> Subject: RE: [thelist] Site check: Staples.com
> 
> On Tue, 2005-09-20 at 17:20 +1000, Ken Schaefer wrote:
>   [I wrote:]
> > > There is. It's broken. 
> >
> > What evidence (other than your opinion) do you have that it's broken?
> > Site seems to work perfectly well for me.
> 
> The fact that I got a blank page. Thus, it's broken.

You disabled functionality in your browser. That doesn't make the site
broken. That means you chose, voluntarily, not to partake in part of the
functionality of the site. That becomes *your* problem, not someone else's. 

They could have implemented this some other way (if they chose to), but for
whatever reason chose not to. Just because they didn't implement it in a way
that gets around the functionality you chose to disable doesn't mean it's
broken. 


> > > Yes it is, the same way running every program you get in an e-mail is
> > > poor security practice.
> >
> > Again, your opinion only.
> 
> And that of CERT, as well.

Really? CERT says it is bad security practice to enable scripting in your
browser? Care to post a current link?


> > > I do, for sites that I trust, and only sites that I trust. Everybody
> > > else falls back to the non-script alternative.
> >
> > So, it's not poor practice. It's a risk.
> 
> No, it's poor practice. Quit playing word games.

I'm not playing word games. I do security as part of my job, day in and day
out. Poor practice is not the same as managing acceptable risks. Poor
practice is almost universally condemned. Walking down the street in a
crime-ridden neighborhood telling everyone you meet how you have $100,000 in
cash on you is generally "poor practice" (unless you're part of some undercover,
covert police sting or something).

On the other hand, there are certain things that are done by tens if not
hundreds of millions of people every day, like driving to work. Doing these
things entails risk of "bad things happening", but we choose to accept those
risks, and we manage them. In some cases, for some of us, we pass those risks
onto others (insurance is an example), and in some cases some of us choose to
avoid the risk (we might catch a train, or work from home). Risks we manage,
pass onto others, or avoid.

So, I'm not playing games. The fact that you choose to use javascript when
viewing some sites indicates to me that even you do not believe that enabling
javascript is bad practice per se.

 
> > > So are people with >$1,000,000 annual income. Are you as quick to
> > > write them off as a tiny minority?
> >
> > It's all about what makes good business sense. I'm astounded that you
> > fail to see that.
> 
> Turning away *any* customer based on arbitrary criteria, such as their
> browser type, is poor business sense.

Rubbish. It's all about costs/benefits. 

Suppose you come up with some custom browser. You're the only person in the
world that uses it. It has some peculiar quirks (like not supporting cookies,
scripting or CSS, and it displays all text in red). Unless you're going to
bring a lot of business to the firm, there's no point supporting you.

And you know what? The entire software industry makes judgment calls about
supporting certain platforms, or browsers, or what-have-you. But hey, those
companies are all stupid, and what they do is all bad business practice.
Because Shawn K. Quinn knows better, and Shawn K. Quinn says so.


> > There are *costs* involved with catering to any particular
> configuration.
> 
> I'm not asking that they cater to any one configuration, just that they
> do what works, according to the RFCs and standards, 100% of the time. I
> have yet to see an HTTP code 301 or 302 redirect fail to work.

There is nothing about what they do that /doesn't/ support a standard, or that
breaks one. They just did something in a way that you disapprove of. That isn't
a crime in any jurisdiction I'm aware of.

And by the way, you can disable following 301/302 redirects in some browsers.
Just like you can disable scripting support.


> > Unless there's a payoff, there's no point spending the money.
> 
> Then don't spend it to go fix it later. Make it right the first time so
> the money can be spent on better things. To do otherwise and turn
> customers away for no good reason is poor business sense.

Just because you don't agree with it doesn't make it "wrong".

And fundamentally, this is what it all boils down to. You don't like it, so
it's "broken" and "wrong". Perhaps you should just get over yourself. You
don't have the "answers" (unlike your previous claim), and it appears that
you have a serious dose of commercial reality to ingest as well. I'm all for
evangelism, but the constant "putting down" of everything you don't agree
with is really beginning to be a bore.

Ken
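The disagreement above is over a landing page that depends on client-side script to send the visitor onward, versus an HTTP 301/302 redirect or a "non-script alternative". The following is an added illustration, not code from either poster or from Staples.com: three ways a server can move a visitor from an entry URL to the real page, plus a tiny model of a client that follows Location headers and meta refresh but, like a browser with scripting disabled, never runs <script>. The landing URL and markup are made up for the example.

```javascript
// Added example, not part of the original thread. LANDING is a made-up URL.
const LANDING = "https://example.com/home";

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}
function unescapeHtml(s) {
  return s.replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// 1. HTTP-level redirect: status line plus Location header. Needs no markup and
//    no scripting on the client; this is the 301/302 route the thread mentions.
function httpRedirect(target) {
  return { status: 302, headers: { Location: target }, body: "" };
}

// 2. Script-only redirect: a 200 response whose only content is a script.
//    A client with scripting disabled sees an empty document, i.e. a blank page.
function scriptOnlyRedirectPage(target) {
  return {
    status: 200,
    headers: { "Content-Type": "text/html" },
    body: `<html><head><script>window.location.replace(${JSON.stringify(target)});</script></head><body></body></html>`,
  };
}

// 3. Script redirect with a non-script alternative: <noscript> carries a meta
//    refresh and a plain link, so both kinds of client end up at the target.
function scriptRedirectWithFallback(target) {
  const esc = escapeHtml(target);
  return {
    status: 200,
    headers: { "Content-Type": "text/html" },
    body: `<html><head><script>window.location.replace(${JSON.stringify(target)});</script>
<noscript><meta http-equiv="refresh" content="0; url=${esc}"></noscript></head>
<body><noscript><a href="${esc}">Continue</a></noscript></body></html>`,
  };
}

// Model of a client with scripting disabled: honours 301/302 and meta refresh,
// renders <noscript> content, and drops <script> blocks without executing them.
function scriptlessClientOutcome(response) {
  if (response.status === 301 || response.status === 302) {
    return { arrivedAt: response.headers.Location, blank: false };
  }
  const withoutScripts = response.body.replace(/<script[\s\S]*?<\/script>/gi, "");
  const rendered = withoutScripts.replace(/<\/?noscript>/gi, "");
  const refresh = rendered.match(
    /<meta[^>]*http-equiv=["']refresh["'][^>]*content=["']\s*\d+\s*;\s*url=([^"']+)["']/i);
  if (refresh) return { arrivedAt: unescapeHtml(refresh[1]), blank: false };
  const visibleText = rendered.replace(/<[^>]+>/g, "").trim();
  return { arrivedAt: null, blank: visibleText.length === 0 };
}

// Model of a client with scripting enabled: honours 301/302, otherwise runs the
// (single, known-shape) window.location.replace call the pages above emit.
function scriptedClientOutcome(response) {
  if (response.status === 301 || response.status === 302) return response.headers.Location;
  const m = response.body.match(/window\.location\.replace\(("(?:[^"\\]|\\.)*")\)/);
  return m ? JSON.parse(m[1]) : null;
}

for (const [name, page] of [
  ["302 redirect", httpRedirect(LANDING)],
  ["script only", scriptOnlyRedirectPage(LANDING)],
  ["script + noscript", scriptRedirectWithFallback(LANDING)],
]) {
  console.log(name, "| no script:", scriptlessClientOutcome(page),
              "| with script:", scriptedClientOutcome(page));
}
```

Only the script-only variant leaves the script-less client on an empty document; the 302 and the <noscript> fallback deliver both kinds of client to the same place, which is the trade-off the two posters are arguing over.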

