We go to Red Robin about once a month; it's close by and has reasonable kid food, and the burgers aren't bad, if a little greasy. At least at the one by our house (Bridgepointe, in San Mateo, CA), the waitstaff are generally very nice and do their best, which is more than I can say for a lot of other places, let alone chain restaurants (which I generally loathe). So while pre-kids we had only been to RR a few times (mostly as "work" outings), it's now someplace we frequent.
So last time we were there, we were given a 'rewards' card, and asked to sign up online. I'm not actually much for rewards programs in general unless there's an obvious tangible benefit to me (frequent flyer miles for example). But since we are there often enough, I thought I'd at least check it out.
The enrollment website
The website for the "Red Royalty Bottomless Rewards" enrollment is well-intentioned but has some flaws right off the bat -- not conforming to ARIA accessibility, and requiring use of the mouse for early prompts. Ok, not a huge deal but something they should remedy. But then the enrollment form, which is fairly long, has way too much information for my comfort level. Specifically:
- Name
- Address
- Birthdate (enter twice! more on this later)
- Email address
- Phone number (more on this later)
- T&C agreement (more on this later)
- Gender
- Household size and "type"
- 7 more RR-specific "habits" questions
Birthdate
It's stated that birthdate is asked because "members must be 18 or older to participate". I much prefer if instead of this, they have a checkbox for "I certify that I am 18 years or older", as birthdate is an often important piece of information for identity theft. If the only real reason is to verify you're over 18, this is unnecessary. If they want to know when your birthday is for promotions, just ask what month, or what month and day (at most!), but have the checkbox for the "over 18" to avoid having the full information. Yes I realize this makes it more difficult to get full demographics for your marketing, but there are other questions you can ask (and indeed, they do), that would be sufficient for segmentation.
One of the perks is, indeed, that you get a free burger on your birthday. But there's no reason to use the information provided on the site for this; the "over 18" checkbox is sufficient, along with checking driver's license or other ID (remember, you have to be 18 or over) at time of redemption by the customer. Besides, it sounds like (from the FAQ) that you can redeem the burger promo any time during the month of your birthday (which is much more beneficial if true; I would prefer to spend my birthday eating at nicer joints than RR, sorry!)
Interestingly, the lawyers at RR may have known this all along. The Terms and Conditions for enrollment state (see bold, underlined text):
ENROLLING
Pick up a Red Royalty™ Card (“RR Card”) at a participating Red Robin® restaurant. That RR Card identifies you as a member of the RR Program. You can start earning Rewards the moment you receive your RR Card, but you must register your RR Card on-line at www.redrobin.com/RedRoyalty (“Website”) before you can receive any Rewards. Enrolling is simple: Step 1: Enter your RR Card number; Step 2: Re-enter your RR Card number to verify, Step 3: Enter your local zip code, Step 4: Select your local Red Robin restaurant, Step 4: Enter your name, postal address, email address, and telephone number, etc., and answer several questions; Step 5: Confirm that you are at least 18 years of age by checking the appropriate box, Step 6: Agree to the Terms and Conditions. That’s it!
Phone number as password?!
Probably one of the most surprising aspects of the program is that your phone number is used as your password. Now, I haven't had a chance to actually try all of this out, so it's possible at the current moment, this is OK (i.e., knowing my password is only used for crediting my account, and never as a way to divulge my information, even to myself), but I doubt this is the case now, nor can be guaranteed for the future. Sure, phone number is easy for people to remember, but it's just about the worst possible data to use as a password. If you want to do this, don't call it a password, just say 'phone number'. It's not secret, far from it; many people know a person's phone number, and it's trivially easy to find out for most people, as well. Casting it as a "password" is ridiculous.
This is from the T&Cs, btw:
You will need your password (phone number) to access your Red Royalty™ account ("RR Account"). If someone does learn your password, then you accept full responsibility for any actions that person takes using your password.
So what it honestly reads is, "if someone does learn your phone number, then you accept full responsibility for any actions that person takes using your phone number". Hmm, really. Not good; this is bad planning at best, and lawsuits waiting to happen at worst. Come on RR, you can do better than this.
T&C agreement: Privacy
Specifically, the section on "Privacy", which is honestly typically the only useful/interesting bit of these things, and the part you should actually read when agreeing to these things (well, yes, you should read the whole thing, but let's be realistic here). But it's usually worth a minute or two to see how these folks expect to use your information. RR's privacy section (the first, relevant bit) is relatively straightforward and typical, except for something odd. Check this out:
PRIVACY
We will use the information you provide us in the manner described in our Privacy Policy, which you may read by clicking on the Privacy Policy button where it appears on this Website. If we revise our Privacy Policy, then these Rules will automatically refer to the revised Privacy Policy
Yes, this is what I want to find out... how will you use the information I provide? Let me click that 'Privacy Policy' link that's underlined right there... oh wait, that's just underlining, it is NOT a link. Oh but I guess you knew that would be the case, since the next sentence is "you may read by clicking on the ... button where it appears". So where does this "button" appear? It's a link in the footer, which is fine. And the actual Policy is long, but better-than-industry average in terms of the controls and language used. But basically, like many, it says we're going to give your info to any business partner, which essentially means anyone, in the future. The sticking point is that the policy clearly states that at the time of PII (personally-identifiable-information) collection, they will inform you of the use of the information, except when it's prohibitive (such as the space on a comment card) to do so. Obviously on the web this isn't an issue, and yet at the time of the Rewards program enrollment, there is no indication of the use of this information, so I believe the enrollment form technically is NOT in compliance with their own stated Privacy Policy.
Wait, who cares?
The biggest concern is that Red Robin will lose your information, either via direct electronic attack or via social engineering. For example, if I know a phone number, I can say that I left my card at home and still receive credits. What if I call RR's customer service with "my phone number" and try to extract other information such as birthdate from the call center? This happens every day to businesses, and it's a lot easier, many times, than you might think. I'm not saying RR doesn't have strong privacy controls in place (such as customer service not being able to even access PII), but I'd be surprised if it was bulletproof. Remember that they are a restaurant, not an IT firm. And much bigger companies than this get their customer records stolen by outsiders, disgruntled employees, etc. With name, address, phone number, and birthdate, I'm only one piece of information away from getting credit cards (social security number). Now, I can probably get a CC without the correct SSN some percentage of the time anyhow (more on this in another article one day) but let's assume I do want that piece of information as well. How much social engineering will it take, with a stolen customer DB, to extract that from the customers themselves? I bet the same database will have information about visits. I can call up customers posing as Red Robin, saying they've won the special prize of the day (say, $500, that's a good tipping point) for visiting last Tuesday (when they actually did visit), and all I need is to verify your information (name, address) oh and by the way I need your SSN. This will work on a nontrivial percentage of consumers.
Just don't register?
Well, obviously if you don't care about the program, no. And if you want to actually redeem the rewards, then yes, you do. But you don't need to do so just to collect 'credits' (i.e., buy 9 items, get the 10th free). So I think for now, I'll just be collecting credits. If I feel compelled to later (and the enrollment form gets a bit less involved), I might actually register to redeem them.
Reducing risk
To reduce the risk of exposure due to data leakage, one certainly could provide fake information, such as an alternative birthday (perhaps of your favorite musician or President), and a fake phone number. The phone number's tricky, though, since of course someone probably has that number, and since that's sufficient for at least granting credits to the account (not harmful in and of itself but not ideal, either), you probably don't want to do that. Probably even a fake address would be fine, as the points are earned, and 'rewards' paid out, at the restaurant proper.
Another tactic would be to use nonstandard phone numbers, for example, if you were the first person to register an account with the Red Robin corporate headquarters' number (it's probably too late already :) ) or local restaurant's number, you might accumulate a huge number of credits; I bet a bunch of employees will sign up with that number, too, and forget their cards, and provide their "password" one day...
It appears their registration form supports the "+" style email aliases provided by Gmail (for example, yourname+redrobin@gmail.com), which is good because (a) it's a perfectly valid email address and sites that don't like plus signs in emails are broken and (b) allows you to track marketing contacts, or other contact, if and when your email address is sold/traded/shared/stolen out of their database.
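Point (b) can be automated on the receiving side. The sketch below is an added example, not part of the original post or anything Red Robin provides: it builds a per-site alias and flags mail that arrives at that alias from a sender domain the alias was never given to. The function names, the ISSUED registry, and the sample sender addresses are assumptions made up for illustration.

```python
from email.utils import parseaddr

def make_alias(mailbox: str, tag: str) -> str:
    """Build local+tag@domain from a plain mailbox and a per-site tag."""
    local, _, domain = mailbox.partition("@")
    if not local or not domain or "+" in local:
        raise ValueError("expected a plain local@domain mailbox")
    if not tag.isalnum():
        raise ValueError("tag must be alphanumeric")
    return f"{local}+{tag.lower()}@{domain}"

def alias_tag(recipient: str):
    """Return the +tag from a To: header value, or None if there is none."""
    _, addr = parseaddr(recipient)
    local = addr.rpartition("@")[0]
    _, plus, tag = local.partition("+")
    return tag.lower() if plus and tag else None

def classify(recipient: str, sender: str, issued: dict) -> str:
    """Compare the sender's domain with the domains the alias was given to.

    issued maps tag -> set of domains. From: headers can be forged, so the
    result is a lead on where the address travelled, not proof.
    """
    tag = alias_tag(recipient)
    if tag is None:
        return "untagged"
    if tag not in issued:
        return "unknown-tag"
    domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    if any(domain == d or domain.endswith("." + d) for d in issued[tag]):
        return "expected"
    return "shared-or-leaked"

# Constructed sample data: the alias is the one from the text above; the
# sender addresses are made up for illustration.
ISSUED = {"redrobin": {"redrobin.com"}}
SAMPLE_MAIL = [
    ("Me <yourname+redrobin@gmail.com>", "Rewards <rewards@mail.redrobin.com>"),
    ("yourname+redrobin@gmail.com", "deals@partner.example"),
    ("yourname@gmail.com", "news@shop.example"),
]

def report():
    return [classify(to, frm, ISSUED) for to, frm in SAMPLE_MAIL]

if __name__ == "__main__":
    for (to, frm), verdict in zip(SAMPLE_MAIL, report()):
        print(f"{verdict:17} to={to} from={frm}")
```

A "shared-or-leaked" verdict only tells you the tagged address reached a third party; it cannot distinguish a sale to a business partner from a stolen database.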
Finally
Red Robin is entitled to conjure up any sort of loyalty program they wish, and as with most, it'll provide some value to some customers, and certainly, to Red Robin. But for the sake of those of us who care, it'd be nice if they could use a little more care with the actual enrollment/implementation of the program, to protect customer privacy as much as possible; they should work hard to acquire, and store, only the bare minimum data required to fulfill their needs. This really doesn't mean birth year, and certainly doesn't mean using phone numbers as passwords. I like Red Robin, but probably won't participate fully in this program (and will miss out on some discounts). If you choose to participate, know what you're getting into, weigh the risks, and try to minimize them if possible. And of course, if you do sign up, make sure you get your rewards, that's the whole point for you, right?!