Archive for the 'Disclosure' Category

Beyond.com: don’t trust it.

Sunday, June 15th, 2008

This morning I woke up to an email that basically read:

You received this email because you have created an account on Beyond.com. This is a one-time mailer. If you have any questions, please contact us.

I’m thinking to myself, “what?!?” Actually, I’m thinking something quite a bit more colorful.

Then there’s another message from Customer Service.

Then there’s another message with my username and password.

…right.

After deciding it isn’t some email spammer trying to get me to some foreign national site, I login. And what do I find? Someone had screen scraped an old copy of my resume and contact information and made an account for me.

At this point, I figure that anyone with any common sense should completely discount beyond.com’s credibility. Here’s why.

First, if any arbitrary user is able to make up accounts for someone else, then clearly the database provided by beyond.com can’t be trusted. I know my information was wrong, so clearly any potential employer looking for candidates would actually be wasting their time — it isn’t an accurate representation out there. But moreover, this represents bad business and security practice if someone other than the actual person can create an account.

Second, let’s assume that such a thing isn’t possible. The alternate conclusion is that beyond.com is scraping the web, making accounts, in an attempt to build a database to give the appearance they are more than they really are. Will some suckers sign on and “correct” the information? Perhaps. But I suspect many others will ignore it. Again, this is really not helpful for anyone trying to use beyond.com for candidates.

Bottom line, either side of the coin — something is wrong. Very wrong.

And, of course, removing that profile is painful and obscure. The help files toss around words like ‘deactivate’ rather than ‘delete’. Such things should make users of beyond.com question the marketing metrics of beyond.com as well.

To me, and in my personal opinion, beyond.com isn’t worth the pixels it’s printed on. In fact, it sucks.

REVIEW: Walt gives Beyond.com two thumbs down.

Loathing Dell, Hating Symantec

Thursday, May 1st, 2008

In trying to repair a Windows laptop which was acting really slow and appeared to be riddled with problems, I discovered it was running Norton / Symantec Anti-Virus.

Ugh.

It’s been shown with benchmarks that this software kills PC performance. And, in other tests, AVG, which costs less, catches more, without being a resource hog.

So, I go to uninstall Symantec, which can be a chore unto itself. But this time I was greeted with a new source of irritation.

I got a dialog box which said “Please enter the uninstall password”. Great. Just great.

So, given that this OEM laptop had paid support by Dell, I figured I’d ask.

The answer I got back was “I wasn’t aware there was a password to uninstall.”

While Dell was dodging the support question, I found this very helpful article:

http://www.mydigitallife.info/2007/05/05/hack-to-removeuninstall-symantec-norton-antivirus-sav-client-without-password/

In it, it said change the value of this registry key, HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Administrator Only\Security\, from 1 to 0 with RegEdit.

I tried it. It worked. No problems. Problem solved.

So, I tell the Dell Support person the point is moot, I got past it, and shared the link with him so that future customers with the same problem could have the problem solved. Isn’t that how it’s supposed to be? Learn something, and share — that way others don’t waste time down the path you traveled?

Dell’s tone instantly changed; they didn’t seem happy I got past it. And then he tells me that Dell support doesn’t give passwords, or tell how to override them, even for OEM installed stuff; they would not be sharing the information, no matter how useful.

So, did they know about the password and just feed me a line? I was certainly left with that impression.

Incidentally, I’ve been told by an IT person, the next time I encounter the password box, enter: symantec

You’ve got to be kidding me.

Four Complaints of Leopard

Wednesday, October 31st, 2007

Before we begin, let me say that I like Apple and that I had a very smooth transition to OS X 10.5 Leopard. I had the foresight to upgrade all of my applications, thanks to Version Tracker Pro pointing out what needed upgrading. And, I also had the foresight to update Unsanity’s Application Enhancer before doing the OS X upgrade.

Things couldn’t have been smoother. Shortly after inserting the disc, I was running the upgrade, and my desktop, data, applications, and settings were all preserved perfectly. I’ve never had that kind of experience with Windows.

That said, there are four complaints I have regarding Leopard.

UPDATE: Phil Wherry points out that I overlooked the obvious: Command-Drag the .Mac icon off the toolbar. This works with any icon.

Additionally, there’s some serious value in looking at notMac.

One: Dot-Mac is in-your-face. There’s a new icon in the status bar at the top for .Mac, and you can’t get rid of it with the preference pane unless you sign up for a trial account. Then the preference pane gives you the option.

Come on Apple, that’s so unlike you.

Here’s why I don’t want .Mac in a nutshell: I have Linux, and it does a better job. I can secure FTP, secure copy, and rsync; it has Apache, Lighttpd, and a host of other web servers; it has Sendmail, Postfix, and other mail options; it has DNS, ssh, X-Windows and other services; it has Samba; it has multiple accounts, with permissions; and it has far, far, far more than 10GB of disk space. For those of us with Unix experience and servers of our own, we don’t need .Mac, therefore, we don’t want it on our desktops. It comes across as an overly inflated service that can be mimicked by simple services included in the standard install of Ubuntu. And it’s free.

Sure, some people don’t know how to set it up, and they might want it, but don’t force it on my desktop.

Two: The Finder’s Sidebar has much smaller icons. Plus, for example, the desktop icon doesn’t mimic the desktop wallpaper I’m using. I liked large, findable, easily clickable icons.

Three: It feels like it boots slower. Yes, once I’m in it, it feels very snappy. And, intellectually, I know that a one time short wait is worth far more than perpetual ongoing stalls, though emotionally, to be honest, I haven’t gotten used to it.

Four: Stability. Yes, that’s right, I said stability. As in, it has problems.

My first experience was when someone handed me a disk with .JPG images dumped from their camera; a disc verify hadn’t been done, and unbeknownst to me, it had a read problem with one or two files. Guess what – when cover flow hits them, it crashes the Finder.

Now, good on you for restarting the Finder, but I’d much rather it didn’t crash in the first place. At least my machine is still usable.

Which, incidentally, is more than I can say for Time Machine. It has serious glitches.

Using a directly connected firewire drive, I backed up my machine using Time Machine. And, as I worked, I let it run in the background.

Two problems there.

One, Spotlight appears to be finding things on my backup and on my main drive. Oh, that may sound handy, but not when you’re trying to launch an application. And certainly not when you right click a file and see two copies of things with the Open With… menu.

Two, Time Machine can sometimes take a good moment to backup the system. Especially if you’re using Virtual Machine technologies and your image file changes; that thing is huge. Time Machine dutifully starts to back that up, so I get up to take a break while it does its thing in the background. That causes the machine to fall into sleep mode, and that’s where the real problems begin.

When you wake the machine back up, Time Machine looks like it’s still backing up, but you’ve got just a spinner doing its thing. Worse yet, if you go to start any applications, they appear to start, bouncing the icon in the dock, but then nothing happens.

Almost.

According to both top and the Activity Monitor, a process is started, although the desktop doesn’t show any applications. You can see them with Command-Tab, but you can never get the application to come to the foreground. You can’t quit. You can’t force-quit. You can’t get rid of them from the command line using kill, either. Any open applications you have do continue to run, though.

That’s when you discover that your log has crazy reports about messages being sent to selector 0, and then you find out that Apple / Restart… doesn’t work either. Killing tasks with Command-Option-Esc simply reports “Application Not Responding.”

The solution, known to many Unix folks, is to ssh into your machine from another system, and issue the sudo shutdown -r +0 command. That does work. It also gives the illusion everything was just fine on shutdown, so Apple doesn’t get an error report.

However, don’t use Time Machine, and all is well with the world.

Concluding Thoughts
Does any of this worry me?

No.

I’m certain that other users are experiencing the same thing and deducing what causes the behavior, and that everyone is filling out the report-this-problem-to-Apple dialogs that appear.

Most certainly, Apple will issue a patch or two, and by 10.5.1 or 10.5.2, all will be well, and applications will come out with minor updates to fix problems. All will be well soon enough, and each of these problems will get addressed.

While minor bumps are expected with any major new release, this is certainly a much better experience than what happened with us and Vista.

I’m sticking with OS X 10.5 to ride it out, but to my Mac friends and followers without solid Unix experience, I’d say don’t let go of 10.4 just yet. One more pass from Apple’s magic wand is still needed.

ASIDE: Third Party App Problems Encountered So Far
SnapZ Pro is using CGSCreateCString, CGSCreateBoolean, CGSReleaseObj, and CPSPostKillRequest; these are obsolete and degrade system performance.
Parallels is using a forked process, when it should be using exec().
Firefox is reporting memory deallocation issues.
Version Tracker Pro crashes when it quits.

UPDATE 27-NOV-2007: Well, those smaller icons have grown on me. I’m liking them now, and before where they just sat there, I’m using them more often. Booting still seems a bit slower, but realistically, I don’t now, and never did, really have to reboot the Mac.

Furthermore, as I write this, 10.5.1 has come out, as well as many package updates. Version Tracker PRO works fine, Firefox has had an update, as have a number of utilities. I’d have to say the Mac is quite usable and stable.

My recommendation is not to do an Update, but either an Archive and Install, or a migration from another machine/backup. This seems to clear things up quite well.

A lot of people seem to be treating this as a bash the OS post. It’s not. It required some serious digging to find stuff that was a little off. Unlike Vista, which instantly tried my patience and provoked my anger for many months.

iPhone TOS Rebuttal

Wednesday, September 5th, 2007

One of the big things holding me back from buying an iPhone in the first place, aside from lack of SSH (which was soon resolved), was an article about the hidden evils in the Terms of Service contract.

Well, not sure about whether to take things at face value or not, I bounced my concern off my friend Phil, who’s extremely knowledgeable about telecommunications.

He wrote me back a wonderful point-by-point analysis, which swayed my decision. Feeling that other people might benefit as well, I sought permission from him to reprint it here.

iPhone Requires a 2-Year Contract with AT&T.
1. True; they make the 2-year contract requirement pretty clear. This isn’t a great thing but it’s pretty standard in the U.S. when you buy a phone.

Expensive: Requires $2,280, Over $1,730 in Wireless Costs.
2. Also true, though he overstates the price. The service plan runs about $60/month ($40 voice, $20 data); if that’s too expensive, the iPhone is probably a bad idea. That’s still less costly than a Blackberry or Treo (both about $80/month when you turn on the features needed).

Double Billing. You and the Caller Both Get Charged for the Same Call.
3. True, but not unique to the iPhone. Every cellular carrier in the United States save for a few Nextel plans will charge airtime on both incoming and outgoing calls. If you call another wireless phone user, I suppose you could call that double-billing (though if that other user is on the same carrier [ATT], the airtime rate is the princely sum of zero cents per minute).

All Use of the Networks Are Always Rounded Up to the Nearest Kilobyte or Minute.
4. Standard practice for the wireless industry. The per-kilobyte complaint is pretty funny, though, since the charge per kilobyte for domestic data usage is zero cents per kilobyte.

Customers Are Billed for “Network Errors” and “Network Overhead”.
5. I have no idea what he’s talking about, but it makes no sense.

Billed Even Though the Call Doesn’t Go Through.
6. Basically untrue. Billing in a wireless system begins when the call is answered, though the timer starts when the call is initiated. In other words, if a call rings for fifteen seconds and then is answered, the clock begins at 15 seconds and counts up from there.

Bogus Fees Added to the Bill: Regulatory Cost Recovery Charge
7. While I agree that regulatory recovery fees are basically bogus padding, I challenge him to find a wireless (or, for that matter, conventional wireline) carrier that doesn’t do this.

$175.00 Termination Fee.
8. The early termination fee is pretty well standard throughout the industry. There are certain circumstances where you can avoid paying it (for example, if they raise rates during your contract term).

International Messages Are Charged Additional Fees as Are Files Over 300Kbps.
9. International text messaging (i.e. SMS) costs extra on every cellular carrier I’m aware of. The picture/video messaging charging he complains about isn’t even relevant to the iPhone. And the “additional fee” for large messages that he talks about is irrelevant to the iPhone. My phone communicates directly with my IMAP server over SSL; there’s no way that ATT can tell how large a message is, let alone bill me for those messages over 300K.

Over Your Quota: Get Gouged: 40¢ Per Minute and 69¢ Roaming Offnet.
10. Once again, he’s whining about something that’s absolutely standard in the industry: if you go over your bucket of minutes, you pay a pretty high rate. He conveniently neglects to mention that UNUSED minutes from your plan roll forward into the next month and can be used to offset high usage up to a year later. If that’s not enough, just call and switch to a higher plan and ask them to make it retroactive to your previous month’s usage.

The Services Are Not Secure and Can’t Block Your Phone Number.
11. “Not secure” is a leftover from the days of ANALOG cell phones, which could be listened in upon pretty trivially. And they’re saying that when calling certain toll-free numbers, you can’t block your caller ID since the recipient pays for the call. There’s a MENU on the iPhone that allows you to set the default for whether you send caller ID or not; you can also set it per-call. In other words: JUST LIKE A LANDLINE.

The Current Mobile Email Service Doesn’t Support Attachments.
12. Absolutely false. You can send photos trivially (about the only sort of attachment that makes sense to create on a phone), and the iPhone will read a lot of formats (Word, Excel, PDF, JPEG at a minimum).

Prohibited Uses and “Unlimited” Sales Hype.
13. The prohibited uses language is pretty standard wireless carrier language. I agree with him that the claim of “unlimited” is pretty misleading marketing puffery, but it’s an industry-wide problem. If you use your FIOS connection at full bandwidth 24×7, you’ll soon discover that “unlimited” basically means that you’re not billed per unit of data, but that you can still be cut off if you abuse the service. There’s basically nothing you could do on the iPhone that would cause this to happen, though.

Service Is Not Intended to Provide Full-Time Connections: Unlimited is Hype
14. Same as above.

Wi-Fi Service is Limited
15. I think he’s deliberately misinterpreting this one. He’s talking about a completely different wi-fi service that one can purchase through AT&T that has nothing to do with the iPhone. There is of course no limit at all to the number of times in a given time period that the iPhone can connect to a wi-fi network.

“Offnet” Restrictions
16. Another deliberate misinterpretation, I think. “Off-net” usage refers to areas where you’re roaming. Since cell phone roaming charges basically don’t exist anymore for the consumer (the carriers charge each other, though), what they’re saying is that you can’t buy the phone and then use it full-time where, say, T-Mobile has service and ATT doesn’t.

Plan Goobly-gook
17. He’s so incoherent here that it’s hard to figure out what he’s mad about.

Comparing US and Other Broadband Countries: America Is being Laughed At.
18. Perhaps he should move! He forgot to mention that countries using the metric system think we’re pretty silly too–but I’m sure he would have if he’d thought about it. Seriously, he has a point: mobile telephony is more advanced in other parts of the world (largely due to standardization on one network type–GSM). But I’m not sure why that would be the fault of ATT and the iPhone.

Ubuntu and Parallels Rescue Broken XP

Saturday, June 30th, 2007

Normally, I don’t provide XP support, however, because I was the one who recommended the owner perform a Windows Update that precipitated the total incapacitation of the machine, I felt a slight guilty streak of obligation.

Because of the horrible reputation of Windows Genuine Advantage disabling legal installations, the owner of the box disabled all Windows Updates for fear his system would become disabled and he’d lose his data. As such, when I recommended keeping the system patched, there were well over 60 patches to start with.

(Image: Frozen XP Desktop)

Problem was, one of those patches was for the NVIDIA GeForce Ti 4200 graphics card, and during the installation process, when the Microsoft Version was applied, the machine froze, requiring a manual reboot via the reset switch.

Naturally, after a forced shutdown one should invoke a check disk. However something insidious occurred. Explorer, and I don’t mean Internet Explorer, no I mean Explorer – the GUI shell, would lock up shortly after login. The start menu would go dead, icons didn’t function, start/run couldn’t invoke programs, applications invoked from the command line wouldn’t work, Internet Explorer wouldn’t even start, and Windows Update did nothing. Even Ctrl-Alt-Del wouldn’t work, as the Task Manager couldn’t start. Nor could the user logout or shutdown the machine. Things were bad. It was like the desktop was there, but the underlying services that made it function were dead.

I’ve had easier recoveries from the blue screen of death. If you can get past that, usually you got yourself a working system. In this case, the system would boot, and even allow a login, but once there, the interface wouldn’t function.

Of course you’d think booting and reverting to the last known good configuration would help. It didn’t. Safe mode was equally hosed. Anything past the login prompt rendered the machine in a frozen state, popping up a message about a Windows General Services failing, with an option to report the problem to Microsoft.

That’s the state of the machine as I received it prior to repair.

Here’s how I fixed it.

The detail message reported the offending file as WUAUENG.DLL. A quick Google search showed this was the Windows Update module. It seems between going from Windows Update to Microsoft Update, the DLL got corrupted. As Windows booted after login, it accessed the DLL, and the system froze.

My goal was to replace at least this file from a working system. Problem was, I was in a catch-22. I couldn’t access the broken system, and if it was possible, the files would be in use by the operating system anyhow.

I downloaded Ubuntu and burned it to a CD using OS X. I then booted off the live CD on the broken machine, however while it could see the NTFS volume, it couldn’t write to it.

So, I enabled all the repositories by going to System / Software Sources, making sure Universe and Multi-verse were included. Then I opened up the terminal and entered sudo apt-get install ntfs-config, and installed the package that allowed writing to NTFS drives.

I added root to the fuse group, and then went to Applications / System Tools / NTFS Configuration Tool. It was quick to tell me I needed to run ntfs /dev/hda1, which fixed the volume and set it to check the disk on boot.

I shut down Ubuntu, booted Windows, which caused a check disk, and when I finally got to the login prompt, shut down again without ever logging in.

I booted back off the Ubuntu CD, did the same trick as before with the repositories and installation of the NTFS driver, and this time was able to mount the drive as writable.

I went to the WINDOWS\System32 directory, and found the following files, to which I renamed them, appending .old to their extension for the purposes of a backup: wuaueng.dll, wuaueng.dll.mui, and wuaueng1.dll.

Then I booted Parallels on OS X, brought up a copy of XP, went to its C:\WINDOWS\System32 directory, and copied those three files to a USB stick. I unmounted the USB stick and shut down Parallels.

With Ubuntu still running on the broken machine, I plugged in the USB stick, which instantly appeared on the desktop, and copied over three files to the broken machine’s system32 directory.

I then shut down Ubuntu, removed the USB stick and CD, and booted into Windows. The error message was gone, but it was obvious things were still fragile.

Back on OS X, I downloaded Windows XP Service Pack 2, burned it to CD, and stuck it in the broken machine, executing it. A bit later, it finished and I rebooted.

I was suddenly able to run Windows Update again, and that downloaded 40+ updates, effectively jump starting the process by grabbing only the critical updates. In a rinse-lather-repeat cycle, I did this until all the critical updates were obtained. Then I did the same with the optional software.

Each time I came in from a mandatory reboot, I made a system restore checkpoint.

Just to confirm it was the NVIDIA driver, I downloaded just that option from Microsoft, and the machine locked up. Which, to get out of I had to hit the reset button, screwing up the disk again. No problem though, I booted, holding down F8, and booted to the last known good configuration. When it came up, I right clicked properties on the C: drive, and forced a check disk, rebooting. The machine came up fine.

Going over to NVIDIA’s site, it was a trivial matter to download the latest driver for the GeForce 4200 card, and unsurprisingly, it worked without incident.

Ubuntu saved the day for being able to repair and manipulate the NTFS volume, while Parallels made it possible to see what needed fixing, where it went, and a working copy without having to have a second dedicated Windows box.

A recovery solution wouldn’t have been possible with a disc of an OEM version of XP alone. Honestly, I don’t know why users put up with this, or how Microsoft can sleep at night.

The recovery process, non-stop, took from 10am – 7pm straight. No breaks. No food. No stalling. That’s nine hours of my life I’m never getting back.

Using </SCRIPT> In A JavaScript Literal

Wednesday, April 25th, 2007

I’m currently working on an application that takes content from various web resources, munges the content, stores it in a database, and on demand generates interactive web pages, which includes the ability to annotate content in a web editor. Things were humming along great for weeks until we got a stream of data which made the browser burp with a JavaScript syntax error.

Problem was, when I examined the automatically generated JavaScript, it looked perfectly good to my eyes.

So, I reduced the problem down to a very trivial case.

What would you suppose the following code block does in a browser?

<HTML>
<BODY>
  start
  <SCRIPT>
    alert( "</SCRIPT>" );
  </SCRIPT>
  finish
</BODY>
</HTML>

Try it and see.

To my eyes, this should produce an alert box with the simple text </SCRIPT> inside it. Nothing special.

However, in all browsers (IE 7, Firefox, Opera, and Safari) on all platforms (XP/Vista/OS X) it didn’t. The close tag inside the quoted literal terminated the scripting block, printing the closing punctuation.

Change </SCRIPT> to just <SCRIPT>, and you get the alert box as expected.

So, I did more reading and more testing. I looked at the hex dump of the file to see if perhaps there was something strange going on. Nope, plain ASCII.

I looked at the JavaScript documentation online, and the other things they suggest escaping are the single and double quotes, as well as the backslash which does the escaping. (Note we’re using forward slashes, which require no escapes in a JavaScript string.)

I even got the 5th Edition of JavaScript: The Definitive Guide from O’Reilly, and on page 27, which lists the comprehensive escape sequences, there is nothing magical about the forward slash, nor this magic string.

In fact, if you start playing with other strings, you get these results:
  <SCRIPT> …works
  <A/B> …works
  </STRONG> …works
  <\/SCRIPT> …displays </SCRIPT>, and while I suppose you can escape a forward slash, there should be no need to. Ever. See prior example.
  </SCRIPT> …breaks
  </SCRIPTX> …works (note the extra character, an X)

With JavaScript, what’s in quotes is supposed to be flat, literal, uninterpreted, meaningless text.

It was after this I turned to ask for help from several security and web experts.

Security Concerns

Why security experts?

The primary concern is obviously cross site scripting. We’re taking untrusted sites and displaying portions of the data stream. Should an attacker be able to insert </SCRIPT> into the stream, a few comment characters, and shortly reopen a new <SCRIPT> block, he’d be able to mess with cookies, twiddle the DOM, dink with AJAX, and do things that compromise the trust of the server.

The Explanation

The explanation came from Phil Wherry.

As he puts it, the <SCRIPT> tag is content-agnostic, which means the HTML parser doesn’t know we’re in the middle of a JavaScript string.

What the HTML parser saw was this:

<HTML>
<BODY>
  start
  <SCRIPT>alert( "</SCRIPT>
  " );
  </SCRIPT>
  finish
</BODY>
</HTML>

And there you have it, not only is the syntax error obvious now, but the HTML is malformed.

The processing of JavaScript doesn’t happen until after the browser has understood which parts are JavaScript. Until it sees that close </SCRIPT> tag, it doesn’t care what’s inside – quoted or not.

Turns out, we all have seen this problem in traditional programming languages before. Ever run across hard-to-read code where the indentation conveys a block that doesn’t logically exist? Same thing. In this case instead of curly braces or begin/end pairs, it was the start and end tags of the JavaScript.

Upstream Processing

Remember, this wasn’t hand-rolled JavaScript. It was produced by an upstream piece of code that generated the actual JavaScript block, which is much more complex than the example shown.

It is getting an untrusted string which, to be shoved inside of a JavaScript string, not only has to be sanitized, but also escaped in such a way that the HTML parser cannot accidentally treat the string’s contents as a legal (or illegal!) tag.

To do this we need to build a helper function to scrub data that will directly be emitted as a raw JavaScript string.

  1. Escape all backslashes, replacing \ with \\, since backslash is the JavaScript escape character. This has to be done first as not to escape other escapes we’re about to add.
  2. Escape all quotes, replacing ' with \', and " with \" — this stops the string from getting terminated.
  3. Escape all angle brackets, replacing < with \<, and > with \> — this stops the tags from getting recognized.

private String safeJavaScriptStringLiteral(String str) {
  str = str.replace("\\", "\\\\"); // escape single backslashes (must be done first)
  str = str.replace("'", "\\'");   // escape single quotes
  str = str.replace("\"", "\\\""); // escape double quotes
  str = str.replace("<", "\\<");   // escape open angle bracket
  str = str.replace(">", "\\>");   // escape close angle bracket
  return str;
}

At this point we should have generated a JavaScript string which never has anything that looks like a tag in it, but is perfectly safe to an XML parser. All that’s needed next is to emit the JavaScript surrounded by a <![CDATA[ ... ]]> block, so the HTML parser doesn’t get confused over embedded angle brackets.

From a security perspective, I think this also goes to show that lone JavaScript fragment validation isn’t enough; one has to take it in the full context of the containing HTML parser. Pragmatically speaking, the JavaScript alone was valid, but once inside HTML, became problematic.
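The escaping steps above and the closing point about validating in the context of the HTML parser, as an added example in JavaScript that is not the post’s own code: the post’s five replacements, a stricter hex-escape variant (my addition, not the post’s method), and a check that models where an HTML tokenizer ends a script block, run over the post’s trigger string and a few constructed inputs.

```javascript
// Added example (not the post's own Java code): the post's escaping steps in
// JavaScript, plus a check that the emitted <SCRIPT> block cannot be closed
// early by the data it carries.

// Same order as the post: backslashes first, so the escapes added afterwards
// are not themselves escaped.
function safeJavaScriptStringLiteral(str) {
  return str
    .replace(/\\/g, "\\\\") // 1. backslash -> \\
    .replace(/'/g, "\\'")   // 2. single quote -> \'
    .replace(/"/g, '\\"')   // 2. double quote -> \"
    .replace(/</g, "\\<")   // 3. open angle bracket -> \<
    .replace(/>/g, "\\>");  // 3. close angle bracket -> \>
}

// Stricter variant, an addition of this example rather than the post's
// method: hex escapes for the brackets and a backslash before every slash
// (the post's own table shows <\/SCRIPT> is harmless), so no '<' or '>' from
// the untrusted text survives in the output and no '/' stands on its own.
function hexEscapedJavaScriptStringLiteral(str) {
  return str
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/</g, "\\x3c")
    .replace(/>/g, "\\x3e")
    .replace(/\//g, "\\/");
}

// Emit the block the way the post's generator does: untrusted text is dropped
// inside a double-quoted literal passed to alert().
function emitScriptBlock(untrusted, escapeFn) {
  return '<SCRIPT>\n  alert( "' + escapeFn(untrusted) + '" );\n</SCRIPT>';
}

// The check the post argues for: validate in the context of the HTML parser,
// not JavaScript alone. An HTML tokenizer ends script content at the first
// "</script" that is followed by whitespace, "/" or ">" (case-insensitive),
// so any such sequence inside the block's body means the data has broken out.
function closesEarly(scriptBlock) {
  const open = "<SCRIPT>";
  const body = scriptBlock.slice(open.length, scriptBlock.lastIndexOf("</SCRIPT>"));
  return /<\/script[\s\/>]/i.test(body);
}

// Round trip: evaluate the escaped literal as JavaScript and confirm the
// original text comes back unchanged (the escapes only change the source form).
function roundTrip(str, escapeFn) {
  return Function('return "' + escapeFn(str) + '";')();
}

// The post's trigger string plus the backslash/quote cases the steps cover.
// These inputs are constructed for this example.
const samples = ['</SCRIPT>', '<\\/SCRIPT>', 'a\\b"c\'d', '</STRONG>'];

// For each sample: does the raw text close the block, does either escaping
// stop that, and does each escaping round-trip through the JS parser intact?
function demo() {
  return samples.map(s => ({
    input: s,
    unescapedCloses: closesEarly(emitScriptBlock(s, x => x)),
    postEscapeCloses: closesEarly(emitScriptBlock(s, safeJavaScriptStringLiteral)),
    hexEscapeCloses: closesEarly(emitScriptBlock(s, hexEscapedJavaScriptStringLiteral)),
    roundTripsOk: roundTrip(s, safeJavaScriptStringLiteral) === s
               && roundTrip(s, hexEscapedJavaScriptStringLiteral) === s,
  }));
}
```

Note which step actually keeps `</SCRIPT>` from closing the block in this check: the `\>`, since the tokenizer only ends script content when `</script` is followed by `>`, `/` or whitespace, while `\<` still leaves `</` visible to it.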

Customer Service at the Apple Store

Tuesday, March 6th, 2007

Please do not leave a comment if you haven’t read the full entry.

UPDATED PREQUEL: Brother in law goes window shopping for machine; brings cute seven year old daughter along. He home schools and has documentation with him. Manager offers assistance and pulls up educational pricing online and constructs machine. We go to put games back on shelf, since educational pricing is only offered on web store. Manager, unprompted, offers to match price on website, if we commit to purchase in store – knowing we’ll buy the games we’re holding. We thank her and agree. Manager starts to check us out, gets radioed away, has another person do the transaction, gives directions, but in the confusion the sales person rings up the regular store price, not the offer the manager just made. Honest mistake. Please be aware as you read this, we knew about the retail/online price difference. She had explained that. This is a happy story, not a rant – as evidenced by the category of the post.

Had an interesting thing happen with the Apple Store — my brother-in-law recently purchased an iMac for his home school, but the educational discount wasn’t applied to the software as it should have been; the sales person had made a simple goof. And, being Apple and within 14 days of purchase, I suggested we go back to get the problem fixed.

Unfortunately, we got someone who was fairly new working there, and he explained to us that the Apple Store didn’t have educational discounts on software. He wasn’t going to credit the amount. We asked if he was sure, and he ran off to ask his manager, and returned confirming that was the case.

We asked him to pull up the Apple Store online and quote us the price. He did. We were correct, the educational price still stood, but he refused to refund the $30. I could tell this was frustrating my brother-in-law, and I could tell our insistence was frustrating the cashier.

“What if I return the machine in the 14 day period, and re-buy it?”

The cashier asked if it was opened, we nodded, and he said there was a 10% restocking fee.

I had enough, and I asked him to get the manager. He said it wouldn’t help. And I insisted. He flagged the manager over.

“We’re confused. The Apple Site is telling us that we can buy software at an educational discount, but the cashier is telling us the Apple Store doesn’t do that.”

“That’s correct.”

“You’re both owned by Apple. It’s the same product.”

The manager insisted that that’s just how the store operates.

UPDATE CLARIFICATION: The iMac comes with a working 30-day copy of iWork, long enough for you to go home and buy the software online with the educational discount. To have purchased a machine with the educational discount and the iWork package from the store is illogical. It was very clear from the receipt what had happened. The sales person was new and didn’t know Apple’s managers would often override pricing to make a sale. He had asserted the policy, and a good manager will back his employees. The manager was acting exactly as he should have in this circumstance. We needed to get to the point where the manager knew we had dealt with another manager, and in such a way that the employee who told us it wasn’t possible to get a refund didn’t lose face or have his manager correct him in front of us. That’s good business on Apple’s part.

“That makes no sense. It’s illogical, inconsistent,” and with slightly raised voice, “so unlike Apple. Fine, I just have one question. Why on earth would I ever buy anything through the Apple Store instead of online knowing this?”

UPDATE CLARIFICATION: This wasn’t making a scene, it was putting verbal emphasis on Apple’s policy. I have dealt with this manager before, on at least two occasions, and he has happily addressed the issues. There was no problem between us and the manager. It was a friendly discussion. The banter was jovial in tone.

“Because of our superior customer service.”

“Great. Show me some. We’re talking $30 here between being happy and unhappy. We were in the store looking at machines online, and the sales person talks us into getting the machine and says the price is the same.”

“Our sales person must have been mistaken.”

“You guys go through a lot of training; she was very confident and insistent this was the case.” I then proceeded to describe her and the date of purchase. The manager interrupted, “I know who you’re talking about, that’s the other manager.”

“She told us about OS X, helped us pick the machine and software, and handed it to the cashier — a lot was going on, and I don’t think that person followed her instructions.”

“That’s what it sounds like. She does have authorization to change the price. She should have followed the transaction end-to-end, that’s what must have gone wrong.”

“Makes sense. Since you’re the manager on duty at the moment, please fix it.”

“I’d be happy to.” He starts punching buttons, and in a moment he announces, “I’ve credited back your $30, and an extra $10 for your trouble, consider it for time and gas of having to make the extra trip.”

We thanked him, shook his hand, and did what any happy, satisfied customer would do… we went over to the game area and bought something with the money we just had returned to us.

The moral of the story seems several fold:
1. It always pays to stay calm and be polite.
2. Order from the Apple Store online.
3. If you do order from the Apple Store in the mall, there is wiggle room in the price.
4. Make sure you’re dealing with the manager and not a regular sales flunky.
5. Politely ask the manager to see the sale through from end-to-end.
6. Apple will make good, and even go beyond the call of duty, but you have to realize the number of people who are constantly trying to scam them on a daily basis. (We watched some kid try to claim his iPod was under warranty after admitting that he stepped on it and cracked the screen. Warranties are for manufacturing issues, insurance is for user problems.)

While we did learn that educational discounts can be had, the easier route is the Apple Store online. Should you get a student version of some software, like Final Cut Express, note that you cannot upgrade it the next release cycle.

Additionally, one extra tidbit. When one buys a Mac at the Apple Store in the mall, you often get a “free” printer with it. You pay $99 for the printer and get a rebate for $99 back that you need to submit. We recently learned that the rebate center does not honor rebates for printers when bought with machines via an educational discount. Most sales people don’t know this and sell the standard package, thinking they’re giving you a free printer, but are accidentally setting you up for an extra $99. Ask, ask, and ask again.

Finally, if you work for the government, a contractor, or a big company — you may have a special deal cut with Apple. Always have your work badge with you when you go to the Apple store. It may be worth 10% off, but without the hassles of the educational issues.

Behind the Blue Screen of Death, Is Microsoft Vulnerable?

Thursday, February 22nd, 2007

This morning I came in to work and discovered my Windows XP desktop in a crashed state, you know the one, the Blue Screen of Death; the same one you see billboard sized at Times Square.

Given that I’m meticulous about patches, clean registry settings, and an army of spyware, malware, and anti-virus detectors, not to mention the machine is used for very limited purposes, it’s very likely this isn’t some bad 3rd party Windows driver. Oh, no, the error message squarely put the blame on the USB driver.

Knowing that, I can think back to what my very last activities were at the end of the day. I saved a file in a simple editor, that file was on my Dell USB stick, and after it saved, I initiated a Windows Reboot, pulled my USB stick (whose activity light was well extinguished) and walked out the door as Windows was still shutting down.

I’m going to simply conclude that Windows was so “busy” with its shutdown that it didn’t “see” the USB device get removed, and it was left in some horrified state that it had to die (something that does not happen with my Mac, ever). This is further confirmed by the fact that, after a hard power reset, XP came up fine, and all of my diagnostic utilities passed. Windows had just, plain and simply, died.

Sometime after booting, however, I got a message that Windows had detected it had shutdown in a bad manner, and it wanted to know if it was okay to send the report to Microsoft. I’m all for making things better, but I thought it might be interesting to look into the post-Blue Screen of Death activities.

The Blue Screen of Death did a crash dump and some files were written to disk in a directory called C:\Documents and Settings\{username}\Local Settings\Temp\WEReeed.dir00.

The file manifest.txt consisted of name/value pairs separated by an equal sign, in much the same way as the contents of an .ini file might be done, sans section headers.

The more curious contents of this file revealed the server, a URL, and some values, what data files were being sent, and a very obscure reference to what might be a “blue” screen report.

Server=watson.microsoft.com
Stage2URL=/dw/bluetwo.asp?BCCode=1000007e&BCP1=C0000005&
BCP2=BA2C4371&BCP3=BA503AF4&BCP4=BA5037F0&
OSVer=5_1_2600&SP=2_0&Product=256_1
DataFiles=C:\DOCUME~1\{username}\LOCALS~1\Temp\
WEReeed.dir00\Mini022207-01.dmp|C:\DOCUME~1\{username}\
LOCALS~1\Temp\WEReeed.dir00\sysdata.xml
ErrorSubPath=blue

The sysdata.xml file consisted of an XML file that listed every device, its description, hardware id, service, and driver, often the version and file size as well. Sure enough, the usbhub.sys file was there, buried in the batch. It simply appears this file is trying to collect the configuration of the machine, perhaps to recreate it in the lab for some regression testing and a battery of comprehensively abusive test suites. At least that’s what I would hope happens.

The Mini022207-01.dmp name is clearly the month/day/year-sequence_number of when the dump was made. When the Blue Screen of Death happened, it claimed it was dumping all of physical memory. Given this Mini-Dump is only 92K, some post-processing has clearly taken place.

In my case, the file was clearly a page dump of a section of memory, with what looked like uninitialized memory labeled with the bytes literally reading “PAGE”. Inside this binary blob, it was very easy to make out pgfilter.sys, USBSTOR.SYS, and kmixer.sys. Other device driver names and binary glop followed.

Actually submitting the report showed that watson.microsoft.com (as in the product Dr. Watson) was queried and an IP of 65.54.206.43 came back. An https: exchange was made, and moments later oca.partners.extranet.microsoft.com (131.107.112.111) was asked of the DNS server; more content was sent to that server. wwwbaytest5.microsoft.com (207.46.18.30) was then asked for a certificate, via GET /pki/mscorp/Microsoft%20Secure%20Sever%20Authority(3).crt; a few more of these went back and forth, and wer.microsoft.com (131.107.115.67) got involved; that’s when my browser reported the human readable response to the report. Compounding matters, no tracking number or email address is provided, so even if I wanted to provide Microsoft with more information to help them fix the problem, I can’t.

After all this happened another thought struck me… Microsoft doesn’t really have a good track record with security, especially when it comes to error checking and services that aren’t used that much. I ponder what would have happened if the information had been tampered with before being sent? Is there invalid input that could send the error reporting systems into a tizzy? Could some bogus changes make their debugger or tool execute malicious code? Would some false data send some poor analysis team chasing fictional ghosts? What would happen if an automated script kiddie generated millions of bogus machine crash reports; how would they get sorted out?

I ask the question because there are quite a number of phone-home-if-you-see-a-problem systems out there in popular open source projects. Seems to me that there should be solid secure conventions to detect if error report data has been tampered with, or is bogus, and to prevent the same kinds of attacks regular systems suffer from. This is something worth spending some design time on, even if it isn’t part of the main product functionality.
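As an added example (not code from the original post), here is a small parser for the manifest.txt format described above, name=value pairs with no section headers, together with the kind of input check the previous paragraph calls for: the bugcheck parameters are pulled out of Stage2URL, and every DataFiles entry is required to sit inside the report directory with an expected extension before anything is uploaded. The sample manifest is constructed from the fields quoted in the post; the username is a placeholder.

```python
"""Parse a Windows Error Reporting manifest.txt and sanity-check it.

Added example, not part of the original post. The bugcheck values are
the ones quoted in the post; "user" stands in for the real username.
"""
import ntpath
from urllib.parse import parse_qs, urlsplit

# Constructed sample manifest (same layout as the one found on disk).
SAMPLE_MANIFEST = r"""Server=watson.microsoft.com
Stage2URL=/dw/bluetwo.asp?BCCode=1000007e&BCP1=C0000005&BCP2=BA2C4371&BCP3=BA503AF4&BCP4=BA5037F0&OSVer=5_1_2600&SP=2_0&Product=256_1
DataFiles=C:\DOCUME~1\user\LOCALS~1\Temp\WEReeed.dir00\Mini022207-01.dmp|C:\DOCUME~1\user\LOCALS~1\Temp\WEReeed.dir00\sysdata.xml
ErrorSubPath=blue
"""

REPORT_DIR = r"C:\DOCUME~1\user\LOCALS~1\Temp\WEReeed.dir00"


def parse_manifest(text):
    """Split 'name=value' lines into a dict; the first '=' separates the key."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue  # blank or malformed line: ignore rather than guess
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def bugcheck_params(fields):
    """Return BCCode and BCP1..BCP4 from the Stage2URL query as integers."""
    query = parse_qs(urlsplit(fields["Stage2URL"]).query)
    return {n: int(query[n][0], 16) for n in ("BCCode", "BCP1", "BCP2", "BCP3", "BCP4")}


def validate_data_files(fields, report_dir, allowed_ext=(".dmp", ".xml")):
    """Reject DataFiles entries that leave report_dir or have an unexpected type.

    Returns a list of (path, reason) for every rejected entry; an empty list
    means the manifest only names files the report is supposed to contain.
    """
    rejected = []
    base = ntpath.normpath(report_dir).lower()
    for path in filter(None, fields.get("DataFiles", "").split("|")):
        norm = ntpath.normpath(path)  # collapses any '..' components
        if ntpath.dirname(norm).lower() != base:
            rejected.append((path, "outside report directory"))
        elif ntpath.splitext(norm)[1].lower() not in allowed_ext:
            rejected.append((path, "unexpected file type"))
    return rejected
```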

Update: Suffered another crash, this time in the ATI driver as the system was doing nothing and changing focus from one window to another. Oddly enough, again, all the diagnostics say the system is fine — I’m going to do a very intensive sweep.

For the curious, the new directory was WERdb4a.dir00 with similar manifest, dump, and sysdata files. WER is the Windows Error Report, and the stuff after it appears to be hex glop. This time it is blaming the video driver, so I’ll be checking if there are any updates with both Dell and ATI.

TiVo and Verizon Guide Information Is Out of Sync

Monday, February 19th, 2007

For the first time in literally years, TiVo was recording on the wrong channel. No, it’s not because the cat was pawing at the IR transmitter; I’ve got a Verizon FiOS, so my TiVo connects via a serial port.

According to Verizon’s web page, they’re expanding their service and had to jumble the channels around. Here’s a listing of the old channels and the new equivalent channels.

The changes happen according to this schedule, and in theory Verizon will adopt the new channel sequences tomorrow (Feb 20th, for us VA/MD people).

TiVo, however, has already gotten the updated channel guide and applied it. Meaning, that for the next 12-24 hours, TiVo will be confused about which channel to use. Honestly, Verizon was pretty pro-active about letting people know when the switch over would change, so I’m kinda surprised TiVo made the change ahead of schedule. I suspect we’ll see a bit of griping on the internet and then it will all fade away, given the small window of time.

Wendy’s …Ok, I’m done.

Sunday, February 4th, 2007

So I’m with a friend at the Wendy’s on Rt. 7 in Sterling… all of the sudden he throws down his burger, announces we’re done, and we leave the store before he can bring himself to explain without getting sick.

We had just ordered our food and noticed that every table in the place was horribly dirty. He had chosen the least dirty, wiped it with a napkin, and we started eating.

While we were eating, a Hispanic woman came out and started wiping down tables. That’s where my attention span had drifted off. At least they were addressing the problem.

However, as she was using this rag (which admittedly didn’t look all that clean), she passed by a trashcan that was a little over packed. Rather than emptying it, she reached in, with her bare hand, and started rearranging the garbage. If that wasn’t gross enough, she didn’t wash her hands afterward, but picked up the very same cloth and started wiping down the trashcan. And, if that wasn’t gross enough, she then proceeded to use that very same cloth, which was just used on the trashcan’s goop, on the tables. …tables that little kids then sat down at and started eating off of.

I’m sorry, but I find this totally disgusting and unhealthy. How can we be living in the 21st century and yet still be nearly a century behind in general sanitation practices? Even plain old common sense says you don’t touch trash and then your eating area.

I used to love going to Wendy’s, but if this kind of thing is going on all over, I simply refuse to take the chance.
