Ventra - Bugs, Feedback, and Questions


Busjack

Not without some form of additional security protocols such as answering some variety of security questions which you set up that are used to verify your identity first.

No, this is wrong. It should literally be impossible to retrieve your password in cleartext, anywhere, ever. Even if you have direct database access, all you should see is a bcrypted hash of the password, not the password itself.

I, too, cringed when I got the email containing my password in cleartext. I agree with Kevin; it's absurd that this is happening in 2013.

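What the reply above is asking for, in code: the server keeps only a salted, slow hash, and "password recovery" e-mails a short-lived, single-use reset token rather than the password. This is an added illustration, not Ventra's, Cubic's or the CTA's code. The post names bcrypt; this example substitutes PBKDF2-HMAC-SHA256 from the Python standard library so it runs without a third-party package (that substitution, the iteration count, the 15-minute token lifetime and the in-memory `UserStore` are all assumptions for the example; the user record is constructed inline).

```python
"""Salted slow-hash password storage plus a token-based reset flow.
Added example; stand-in for the post's bcrypt using stdlib PBKDF2 (assumption)."""
import hashlib
import hmac
import secrets
import time

ITERATIONS = 210_000        # assumed; tune so one hash costs ~100 ms on the server
TOKEN_TTL_SECONDS = 15 * 60  # assumed; reset links should die quickly
ALGO = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest'. A fresh 16-byte salt
    per call means two users with the same password get different records,
    and nothing in the record lets anyone recover the cleartext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so a wrong guess can't be timed against the real digest."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Used when the account doesn't exist, so login cost doesn't reveal which
# e-mail addresses are registered.
DUMMY_HASH = hash_password(secrets.token_hex(16))


class UserStore:
    """Hypothetical in-memory user table (assumption for the example).
    Each record holds the password hash and, at most, one pending reset:
    (sha256(token), expiry). The token itself is never stored."""

    def __init__(self):
        self.users = {}

    def create_user(self, email: str, password: str) -> None:
        self.users[email] = {"pw": hash_password(password), "reset": None}

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            verify_password(password, DUMMY_HASH)  # burn comparable CPU
            return False
        return verify_password(password, user["pw"])

    def request_reset(self, email: str, now=None):
        """Mint the token that goes in the e-mail. Only its hash is kept, so
        a copy of the database does not let anyone use outstanding links.
        Returns None for unknown users; the caller still shows the same
        'if that account exists, we e-mailed it' message."""
        user = self.users.get(email)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
        user["reset"] = (hashlib.sha256(token.encode()).hexdigest(), expiry)
        return token

    def redeem_reset(self, email: str, token: str, new_password: str, now=None) -> bool:
        """Accept the token once, before expiry; then replace the hash."""
        user = self.users.get(email)
        if user is None or user["reset"] is None:
            return False
        token_hash, expiry = user["reset"]
        current = now if now is not None else time.time()
        presented = hashlib.sha256(token.encode()).hexdigest()
        if current > expiry or not hmac.compare_digest(presented, token_hash):
            return False
        user["reset"] = None  # single use
        user["pw"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.create_user("rider@example.com", "correct horse")  # constructed user
    print("stored record:", store.users["rider@example.com"]["pw"])
    token = store.request_reset("rider@example.com")
    print("e-mail this, not the password:", token)
    print("reset ok:", store.redeem_reset("rider@example.com", token, "new pass"))
```

Two design points worth noting: the stored record contains the algorithm and iteration count, so the cost can be raised later and old records re-hashed on next login; and the reset token is treated exactly like a password, stored only as a hash and compared in constant time, because anyone holding it can take over the account for its lifetime.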

...

I, too, cringed when I got the email containing my password in cleartext. I agree with Kevin; it's absurd that this is happening in 2013.

The reports on the New York Times website being hacked indicate that someone got the password to the nameserver in Australia and used it to redirect traffic. It would seem that a lot of organizations are not taking care of password security.


The reports on the New York Times website being hacked indicate that someone got the password to the nameserver in Australia and used it to redirect traffic. It would seem that a lot of organizations are not taking care of password security.

Well, information security isn't sexy. The thing about a lot of big projects—and I strongly suspect Ventra is no different in this regard—is that the product people are employees of whatever organization needs the software, and the engineers are often outside contractors. The product people don't know anything about passwords other than that they're constantly forgetting their own, so they kind of handwave over it when they're writing the specs (because these kinds of projects are always waterfall or some kind of "Agile" which isn't). By the time the contractors—who are often better at writing resumes than code—get their mitts on this, there's already a feature written down that you can have your password emailed to you.

Now, even though I hold a lot of contractors in relatively low esteem, an entire team usually has at least one or two people who know the very basics of our profession, like, "Don't store passwords in cleartext. Use bcrypt." The problem is, the specs have already been written, and the team would have to actually spend effort—a lot of effort—in annoying meetings just to get this one feature written out. And that might not even happen, because the Product people are the guys in charge, and they're not going to budge on this password emailing thing, it's just so much more user-friendly than keeping it secret, you know? So, often there's no will from the engineering side to do the right thing, because by only having engineers who would accept a big, government contract, you're already selecting from the more risk-averse and authority-respecting side of the pool, rather than the engineers who A. know what they're doing, and B. aren't afraid to scream and shout and go face-to-face with The Bureaucracy when they know they're right. So the poorly thought out password recovery feature necessitates a poorly designed database, which inevitably gets hacked through some mishap, and whoops! All your customers are screwed. Because information security isn't sexy enough to be in that initial set of specs, and the culture is too rigid to get the specs changed (or to not have pages-thick specs to start with).

For a taste, try reading this Daily WTF. It's why I will only work for companies that respect engineers, because ain't nobody got time to be fighting bureaucracy simply to avoid putting your name on a hideously amateurish error (that you know is a hideously amateurish error, but that's...what the customer wants, you know?).


..It's why I will only work for companies that respect engineers, because ain't nobody got time to be fighting bureaucracy simply to avoid putting your name on a hideously amateurish error (that you know is a hideously amateurish error, but that's...what the customer wants, you know?).

So, the Pointy Hair Boss and all other Dilbert characters still live.

In this case what would seem to be the bigger mess is that CTA first turned the job over to Cubic in exchange for $450 million. I'm sure everyone you mentioned works directly or indirectly for Cubic, but when this problem turned up, the CTA spokesmodel had to apologize and assure that it would be cleared up, but Cubic was not available for comment.

BTW, I assume that today's Dilbert passes the Turing Test, if I interpret the term correctly.


Well, information security isn't sexy. The thing about a lot of big projects—and I strongly suspect Ventra is no different in this regard—is that the product people are employees of whatever organization needs the software, and the engineers are often outside contractors. The product people don't know anything about passwords other than that they're constantly forgetting their own, so they kind of handwave over it when they're writing the specs (because these kinds of projects are always waterfall or some kind of "Agile" which isn't). By the time the contractors—who are often better at writing resumes than code—get their mitts on this, there's already a feature written down that you can have your password emailed to you.

Now, even though I hold a lot of contractors in relatively low esteem, an entire team usually has at least one or two people who know the very basics of our profession, like, "Don't store passwords in cleartext. Use bcrypt." The problem is, the specs have already been written, and the team would have to actually spend effort—a lot of effort—in annoying meetings just to get this one feature written out. And that might not even happen, because the Product people are the guys in charge, and they're not going to budge on this password emailing thing, it's just so much more user-friendly than keeping it secret, you know? So, often there's no will from the engineering side to do the right thing, because by only having engineers who would accept a big, government contract, you're already selecting from the more risk-averse and authority-respecting side of the pool, rather than the engineers who A. know what they're doing, and B. aren't afraid to scream and shout and go face-to-face with The Bureaucracy when they know they're right. So the poorly thought out password recovery feature necessitates a poorly designed database, which inevitably gets hacked through some mishap, and whoops! All your customers are screwed. Because information security isn't sexy enough to be in that initial set of specs, and the culture is too rigid to get the specs changed (or to not have pages-thick specs to start with).

For a taste, try reading this Daily WTF. It's why I will only work for companies that respect engineers, because ain't nobody got time to be fighting bureaucracy simply to avoid putting your name on a hideously amateurish error (that you know is a hideously amateurish error, but that's...what the customer wants, you know?).

Basically boils down to a prevailing business culture as a whole that's gotten even more deep-rooted over the past few decades and even more so in the last decade and a half. Bosses want the solution that costs the least while maximizing the profit generated by any given contract. That's even further fueled by businesses increasingly stacking their management and exec positions with MBAs with an ever smaller focus on showing any technical skill. And that's ironic given the huge increases in how technically based our society is and will continue to be for the foreseeable future.


In what first appeared to be a nonstory, the $5 fee is waived only if the card is ordered on line, at customer service, or by phone, but is charged if you buy a card at a vending machine, subject to being credited on registration.

I suppose they could come up with ways to make the rollout even more confusing.


The $5.00 is waived until January 1st, 2014 @ 12:00:00 or military time 0:00:00 (which the penny rides are given until about 5:00am on January 1st 2014)

Thanks but that wasn't my question. I was asking about how long it takes to deliver a card ordered on line, for those who may have done so already.


Since I never received the emails for Chicago Card/Plus users about replacement Ventra cards, I'm gonna assume that I won't receive any (I have 3 registered under my name: one for myself and two for my parents). With that said I'm going to order one in the next several minutes after posting this message. I'll make another post when I do receive the card in the coming weeks, if not days, however long the card may take to get here in Urbana.


Since I never received the emails for Chicago Card/Plus users about replacement Ventra cards, I'm gonna assume that I won't receive any (I have 3 registered under my name: one for myself and two for my parents). With that said I'm going to order one in the next several minutes after posting this message. I'll make another post when I do receive the card in the coming weeks, if not days, however long the card may take to get here in Urbana.

I'd suggest logging into the CCP website and clicking Ventra Transition instead. That's where the email sends you anyway to confirm your shipping address.


I'd suggest logging into the CCP website and clicking Ventra Transition instead. That's where the email sends you anyway to confirm your shipping address.

I forgot to mention that all 3 cards I have are plain old regular Chicago Cards, so I don't have an online account for the site. Visited the CC/CCP sites and tried looking for the link by itself, but didn't see it.


So I have a question about Ventra myself. How does someone get a free ventra card by ordering the card online? When you go to the page online it forces you to at least put $5 on a card or you cannot purchase a card. I learned that when ventra refunds your $5 it goes to your transit account, so don't expect a check in the mail. This in itself poses a problem. If someone does not have a debit card for online purchases, how is one supposed to buy a card? It would seem that they would have to buy a card from the machine itself or buy the card from Jewel. Then if one wants to purchase a pass they can do it online or at a machine. Just a reminder, cta will stop selling all magnetic striped cards and passes Nov 15th. To me that sounds like all the transit card machines will be removed by that date. They will stop honoring all magnetic striped media dec 15th, so it sounds like for us procrastinators, we don't have that long to procrastinate.


So I have a question about Ventra myself. How does someone get a free ventra card by ordering the card online? When you go to the page online it forces you to at least put $5 on a card or you cannot purchase a card. I learned that when ventra refunds your $5 it goes to your transit account, so don't expect a check in the mail. This in itself poses a problem. If someone does not have a debit card for online purchases, how is one supposed to buy a card? It would seem that they would have to buy a card from the machine itself or buy the card from Jewel. Then if one wants to purchase a pass they can do it online or at a machine. Just a reminder, cta will stop selling all magnetic striped cards and passes Nov 15th. To me that sounds like all the transit card machines will be removed by that date. They will stop honoring all magnetic striped media dec 15th, so it sounds like for us procrastinators, we don't have that long to procrastinate.

You can't just request a card online without spending any money.

You have to load it with at least $5 or with a pass of some sort. (It was only $2 the first week they were available.)

The $5 purchase fee is waived until the end of the year.

When you purchase online, you must register it as part of the purchase process, so there is no delay in getting credit for the $5 purchase fee.

If you don't have a credit or debit card, you can purchase for cash at Ventra vending machines, Jewel stores, and other retailers starting September 9th.

It should be possible to purchase passes online, at machines, and at retailers. You can use the cash balance ("transit value") in your account to purchase a pass. So if you have at least $10 in transit value in your account, for example, you can use it to purchase a 1-day pass.

The latest news is that the CTA will stop selling all magnetic stripe cards and Chicago/Chicago Plus cards on its web site by September 9th. Rail station vending machines will no longer sell magnetic stripe cards on October 7. Chicago and Chicago Plus cards will not be accepted after November 15th. Magnetic stripe cards will not be accepted after December 15th.

If you have any magnetic stripe passes, they will not be transferred to a Ventra Card, so use them up by December 15th.

Transit Cards and Chicago Cards will be transferred to Ventra cards at various Chicago parks and the Rosemont CTA station from Sept 17 to Dec 13 mostly in the evening. In January, February, and March they can be mailed to the CTA to be transferred to Ventra cards.


...

The $5 purchase fee is waived until the end of the year.

When you purchase online, you must register it as part of the purchase process, so there is no delay in getting credit for the $5 purchase fee.

...

So, despite the press releases, CTA isn't waiving anything, because either one orders a card through a means that registers it automatically, or buys one at a machine and has to pay the $5 deposit to be credited on registration. More doubletalk.


I'm surprised that they are letting the machines handle pass transactions. They just made those machines a bank. Is someone going to trust not getting mugged putting $100 in these machines. It just doesn't sound safe, and it targets the machines for vandalism.

Another question, since Pace is a part of this will they have ventra machines? If someone lives in Joliet and does not have a debit card, what do they do? The system is not just CTA.

They really need an express machine in all the Jewel food stores, I think that would solve both problems.


...

Another question, since Pace is a part of this will they have ventra machines? If someone lives in Joliet and does not have a debit card, what do they do? The system is not just CTA.

...

The July minutes approved 12 machines in Pace transit centers. There was prior talk that the cards would be more readily available in the suburbs, I guess sold like gift cards.


I see also that they still have the pace/cta 7 day pass and the cta only one. Why? This will just add to the confusion aboard Pace. I think they just need one card. How is someone going to explain to someone they have the wrong virtual pass. Hopefully there is a disclaimer on the machine that tells someone this, or many new riders are going to be confused. This still goes against the meaning of a universal fare card.


I see also that they still have the pace/cta 7 day pass and the cta only one. Why? This will just add to the confusion aboard Pace. I think they just need one card. How is someone going to explain to someone they have the wrong virtual pass. Hopefully there is a disclaimer on the machine that tells someone this, or many new riders are going to be confused. This still goes against the meaning of a universal fare card.

That goes back to when neither CTA nor RTA would reimburse Pace for accepting the CTA 7 day pass. The RTA at one time did but quit. Then CTA and Pace bypassed the RTA and agreed to the joint pass that would cost $5 more than the CTA one.

Apparently CTA and Pace have intergovernmental agreements with respect to the 30 day passes and transfers, as Pace has claimed that CTA has paid up what it owes it.

The distinction seems to be between universal media and universal fares, as the Pace Fare chart indicates that the Pace/CTA 30 and 7 day passes are the only ones it has in common with CTA; there are other things like the Commuter Club Card and 10 Ride Plus tickets (11 rides for the price of 10) "not valid on CTA."

As far as disclosure, I have ruminated about that before.


So, despite the press releases, CTA isn't waiving anything, because either one orders a card through a means that registers it automatically, or buys one at a machine and has to pay the $5 deposit to be credited on registration. More doubletalk.

Waiving the fee over the phone or at customer service centers.


Waiving the fee over the phone or at customer service centers.

No indication that you get the card by those means without registering, as with respect to phone orders, they have to have your mailing address to send it to you.

Also, according to the Press Release, the only customer service center is on Jefferson St. Will they let you have a card without registering it?

Also, I guess there was a point to saying "spend your cards down," in that, other than mailing in the cards, balance transfers are one day at a park supposedly near you, according to the Press Release. Wonder what those lines are going to be like?

I'm sure that trigger has all the answers to that. Also, this is #10,000.


I'm surprised that they are letting the machines handle pass transactions. They just made those machines a bank. Is someone going to trust not getting mugged putting $100 in these machines. It just doesn't sound safe, and it targets the machines for vandalism.

Another question, since Pace is a part of this will they have ventra machines? If someone lives in Joliet and does not have a debit card, what do they do? The system is not just CTA.

They really need an express machine in all the Jewel food stores, I think that would solve both problems.

I don't think that's on the horizon anytime soon. All we have is the little machine that activates* and adds value. But who knows in the future... we might get vending machines.

*= Registration still required through CTA/Ventra. $5.00 fee applied for new card purchases.


I don't think that's on the horizon anytime soon. All we have is the little machine that activates* and adds value. But who knows in the future... we might get vending machines.

*= Registration still required through CTA/Ventra. $5.00 fee applied for new card purchases.

From the Pace minutes indicating that the Ventra machine is $226,000 each, I doubt that. Looks like the activation machine will be it, although I am surprised they went that far.


I don't think that's on the horizon anytime soon. All we have is the little machine that activates* and adds value. But who knows in the future... we might get vending machines.

*= Registration still required through CTA/Ventra. $5.00 fee applied for new card purchases.

So you are saying a machine that accepts debit card transactions. So far I've seen no machines of any type at Jewel. (How does it add value if it doesn't have the capability of the big standup machines? Sounds like a Ventra card machine to me, at least a little more on the primitive side than the "L" station ones.)


So you are saying a machine that accepts debit card transactions. So far I've seen no machines of any type at Jewel. (How does it add value if it doesn't have the capability of the big standup machines? Sounds like a Ventra card machine to me, at least a little more on the primitive side than the "L" station ones.)

sw would have to answer it himself. However, there is usually a sign at the top of the gift card rack that gift cards don't have value unless activated, so I suppose the cashier must have a means of doing so. It shouldn't take much more than a touch terminal.
