Anatomy of a Website Compromise
Posted by Stephen B. on April 28th, 2012

Recently I had the “pleasure” of cleaning up one of the websites we host, and encountered one of the sneakiest website compromises (“hacks”) I’ve seen so far. I’ve decided to document the details, in case the information is of any use to other people whose sites have been compromised the same way. This incident is also a good example of how sophisticated (or at least sneaky) these attacks have become, and the amount of effort required to clean up a site compromised in this way.

Read more for the gory details.

OpenTable Open For Spamming
Posted by Smartypants.com on January 28th, 2012

OpenTable – an online restaurant reservation system – is wide open for spamming.

This discovery comes after a flood of mobile phone spam to one of my email addresses – the kind that costs a mint thanks to embedded images and all sorts of other useless but bandwidth-intensive eye candy.

The OpenTable system is wide open for spamming thanks to the company’s failure to require confirmation for sign ups. This is a fairly typical oversight when greed trumps common sense.

Sign up for an OpenTable account, sign up for all of their many newsletters, add someone else’s email address in the contact field, and the fun begins: OpenTable will start mindlessly spamming your victim.

If the first email or any change of email address required the recipient – or victim – to confirm the validity of the email address, this spam wouldn’t be possible. It’s also worth noting that unlike most legitimate online registration systems, OpenTable doesn’t use a CAPTCHA or any similar technique to try to separate human from machine registrations. This is generally a sign that greed is on the ascendant and common sense got buried in among the dirty laundry.
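One way to build the confirmed opt-in that the post says OpenTable lacks, as an added example rather than anything from OpenTable or this site: a subscription request sends exactly one confirmation message carrying an HMAC-signed, expiring, single-use token bound to the address and the list, and nothing else goes out until whoever controls that inbox clicks it. The same flow applies when an account changes its email address. The server key, the one-day expiry and the toy `SubscriptionService` are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret for illustration only; a real deployment loads it
# from a secrets store and rotates it.
SERVER_KEY = b"example-confirmation-key-rotate-me"
TOKEN_TTL = 24 * 3600  # confirmation links stop working after one day


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def make_confirmation_token(email, newsletter, now=None):
    """Unguessable token bound to one address and one list, with issue time."""
    if "|" in email or "|" in newsletter:
        raise ValueError("field separator not allowed in email or list name")
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)  # makes every token distinct and single-use
    payload = f"{email.lower()}|{newsletter}|{issued}|{nonce}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_confirmation_token(token, now=None):
    """Return (email, newsletter) for an authentic, unexpired token, else None."""
    try:
        encoded, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison; reject before trusting anything in the payload.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    email, newsletter, issued, _nonce = payload.decode().split("|")
    current = time.time() if now is None else now
    if current - int(issued) > TOKEN_TTL:
        return None
    return email, newsletter


class SubscriptionService:
    """Toy mailing-list backend: nothing promotional is sent to an address
    until the person who controls that inbox has confirmed."""

    def __init__(self):
        self.pending = {}       # token -> (email, newsletter) awaiting a click
        self.confirmed = set()  # (email, newsletter) pairs allowed to get mail
        self.outbox = []        # (recipient, kind) of everything "sent"

    def request_subscription(self, email, newsletter, now=None):
        # A stranger typing in your address causes at most this one message.
        token = make_confirmation_token(email, newsletter, now)
        self.pending[token] = (email.lower(), newsletter)
        self.outbox.append((email.lower(), "confirm"))
        return token

    def confirm(self, token, now=None):
        claim = verify_confirmation_token(token, now)
        if claim is None or self.pending.get(token) != claim:
            return False  # forged, expired, or already used
        del self.pending[token]
        self.confirmed.add(claim)
        return True

    def send_newsletter(self, newsletter):
        recipients = sorted(e for (e, n) in self.confirmed if n == newsletter)
        self.outbox.extend((r, "newsletter") for r in recipients)
        return recipients
```

The point of the design is in `request_subscription`: the only message an unconfirmed address can ever receive is the confirmation itself, so the worst a malicious sign-up can do is a single email rather than every newsletter the site publishes. Binding the list name into the token means confirming one newsletter does not silently confirm the rest.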

So what if you’re the victim of this type of spam, and don’t find much joy in having your cellphone’s inbox filled with unwanted ads for restaurants half a planet away THAT YOU GET TO PAY FOR AS PART OF YOUR MOBILE BANDWIDTH FEES?

You can try the unsubscribe link on the junk mail OpenTable sends to you, but that only works per newsletter and OpenTable has a bunch of them. If you’ve been signed up for more than one, the only way to get at the list is to liberate the offending account. Otherwise, you’ll have to wait while OpenTable spams you with each of their newsletters and unsubscribe one at a time. No, it’s time to act.

Here’s how:

OpenTable uses the email address in each account as the username.

Go to the OpenTable page and click on the Login link. You may have to type in your email address in the username field. That would be the email address that OpenTable has been happily spamming.

Then follow the instructions for re-setting the password. This will generate a reset password email that will arrive in your inbox in a few minutes.

Open this email – click on the Reset Password link – and this will take you to an OpenTable page where you can change the password to whatever you wish.

Once you’ve done that, you can now log into the offending OpenTable account.

The first tab to head for is My Account: this is where you’ll find the list of OpenTable newsletters you’re signed up to receive. Uncheck them and – if you’re lucky and OpenTable doesn’t pull the old ‘we reset your account because we know you want to pay for our advertising’…

Finally, prepare an invoice for the data charges incurred when OpenTable spammed your mobile phone without permission, and for the time required to put a stop to it, and mail it to:

OpenTable Inc.

799 Market Street

4th Floor

San Francisco, CA 94103

What’s sad is that all of this could be easily avoided if OpenTable applied commonly used techniques to verify that signups are, indeed, both human and valid. They’ve clearly chosen the more spammy option.

-g


Photobox Spam – Welcome to the dark side
Posted by Smartypants.com on September 15th, 2011

Photobox is a digital photo company based in the UK that just teamed up with a digital greeting card company. Coincidentally, what had been a single ‘Welcome to Photobox’ spam which I ignored, has turned into a nearly daily deluge of offers for a service based in Europe that I wouldn’t use even if I did live there.

Tried getting the attention of their Twit-bot on Twitter @Photobox (the avatar is a blonde with big hair – the humans behind it could be anything). After much back and forth (‘just drop what you’re doing and call when it suits us’) it said that ‘Andy’ was anxious to sort this out and was waiting for my call today (Sept 15/2011).

I called. Didn’t get Andy, but got Kash who goes by just the one name: “Andy’s not in today.”

Thanks for nothing, blonde avatar lady. Are you clueless or did you flat out lie?

Kash did make the request I get from every spammer I’ve ever called: Give me your email address and we can fix it.

No.

You bought a bad list, or let people sign up others without their permission, and have clearly stepped into opt-out territory: That’s where the spammer keeps hammering you until you say stop, rather than requiring an okay from you before they even start.

I want to know how you got my personal email address in the first place – I’m guessing it was through what you call the ‘Refer a Friend’ page and what should be renamed ‘Annoy your friends and enemies’ page. And why you started battering away at me after more than a year of silence.

One email in March, 2010, then silence until July 5, 2011, when Photobox apparently changed policies and the near-daily barrage began.

I doubt it’s just me: this smells like policy. The kind that spammers adopt.

-g


Bill Kunkel – the Game Doctor – Dead at 61
Posted by Smartypants.com on September 5th, 2011

It’s been a strange weekend. What seemed a toothache turned out to be a mouth pimple.

What seemed like a missed voicemail message turned out to be a big hole in my heart.

We were trying to set up a conference call to talk about a project long in the making. A call that won’t ever happen: My friend Bill Kunkel died yesterday.

Because he was such a fine writer, it’s intimidating to write about him.

I met Bill because I’d met Barry Friedman and, with Barry involved in my Internet company, landed in Las Vegas with a bunch of Barry’s old and new friends in 2000 at a dinner high above the city…and just clicked with Bill. Smart, articulate, funny, and the real deal.

I am not a gamer. I’m not into professional wrestling. It’s only as time passed that I became even remotely aware of Bill’s influence on both genres. And Bill was a cartoonist? Really?

Bill was one of my few true friends. That’s what I know, value, and will remember.

I’m shocked, sad, stunned…and remembering a guy who really made me LMAO.

RIP I miss you already.

-g


Making it Right – The Metropolitan Hotel & Spam
Posted by Smartypants.com on August 22nd, 2011

What’s not to hate about spam?

It’s about as infection-free as a dirty penny lying in spit, fills inboxes daily with offers to steal your identity, to kill you with fake pharmaceuticals, and it’s starting to hit mobiles – phones, tablets, etc. – where pricey data rates mean the recipient gets to pay for the delivery of this garbage.

But the most hateful thing about it?

When a company I actually like doing business with joins the slime.

Toronto Bound

In the late spring of 2009, we did video production at an event in downtown Toronto. As normal, we stayed in the same facility as the event. And it was horrid: terrible service, totally unreliable Internet – our life blood – and suspecting we’d be back the next year, we thought it wise to look for another place to stay.

Enter Metropolitan Hotel Toronto.

The Metropolitan is on Chestnut, a curious bit of streetscape bounded by the University of Toronto and Nathan Phillips Square that t-bones Dundas Street to the north, heads south to a 90-degree bend into Armoury Street which runs briefly west before intersecting University Avenue.

This convergence has created an odd combination of bustle and bliss: whizzing honking traffic and a flood of pedestrians, convenience stores, coffee shops and ethnic fast food joints, broad and shaded car-free walkways.

We’d been on the road for a week when we pulled into Toronto for the same event in 2010.

Because of the nature of our equipment – cameras, mics, lights, mixers, computers – it doesn’t stay in the car but goes with us. All 400 pounds of it. And we always load and unload ourselves.

Tired. Hungry. Worn out.

And a doorman is right there – with a cart.

Can I help?

We’d rather do it ourselves. Camera gear. You understand.

And he simply nods and backs off.

Two people stand next to us and light up cigarettes. I cough when the cloud surrounds us. The doorman asks them if they’d mind moving away from the entrance. Please.

From the rejection of the offer to help, noticing we’re troubled by the smoke, asking gently if they’d mind moving…all done in such a pleasant, professional way.

We thank the smokers. They nod.

We’re already starting to relax.

We get into our room: clean, decent, and we’re online in minutes after a quick call to the front desk (yes, we do really need a half-dozen Internet access codes).

Downstairs for something to eat. Did I mention the restaurant in the hotel the year before was closed and ‘no, we can’t give you an apple, sir, the restaurant is closed but if you hurry, there’s a Subway up the street that closes in about two minutes’. Not sure if it slipped my mind or it’s just another repressed memory.

So downstairs at the Metropolitan, where we had one of the best meals of the entire trip. Exactly when we needed it most.

Yes, it was a pain to have to pack up and move all of our gear to the event venue and then back again, but it was worth it.

The event moved out of Toronto for 2011, but is heading back in 2012 and if we’re taking part, we know where we’re staying.

Or at least, we did.

And Then There Was Spam

Imagine this: The Postie drops a few flyers into your mailbox. Knocks on your door once a month and demands that you pay for their delivery. You’d be saying: Are you nuts? Pay for junk mail I didn’t ask for and don’t want? Slam.

Imagine this: Your mobile provider drops a few flyers into your mailbox. Comes back once a month and demands that you pay for their delivery. You should be saying: Are you nuts? Pay for junk mail I didn’t ask for and don’t want?

Here’s a typical trip through my inbox:

Mrs. Handsome Darling has 4.5 million US dollars to share 70:30 with me because she’s dying of a half-dozen different diseases, is a pure Christian woman whose email address is ‘Barr James Something’ at Yahoo! in China. Sure. Four words: Nigerian advanced fee fraud.

See XXX celebrities I don’t care about do unspeakable things with each other and office equipment. Here’s a photo.

Thanks. My wife just walked by.

Not happy with the strongness and size of your manlihood then our best Canadane pharmacy is ready to srevice you with the perfect product. Get a girlfiend like this to wish your every dream.

Great. Nice timing. And just love the command of the language.

I get another ping – check my mobile mail – and after honouring my request to use the email address provided when I made the reservation in 2010, Metropolitan Hotels hit me with two within a few seconds of each other.

I could stand up in front of a crowd and give them – off the cuff – a brief history of spam with examples, names and dates. I belong to a high tech crime fighting organization – a joint venture between law enforcement and the private sector – and it’s become clear that what was once a nuisance is now generally the tip of the organized crime iceberg.

If you’re a criminal, the online world is THE place to do your business: it’s hard to get caught because national laws generally aren’t enforced internationally, the penalties are generally just a license fee to keep doing it, and as P.T. Barnum noted: There’s a sucker born every minute.

Our Weird Email Addresses

Whenever I come in contact with a business for the first time that I think may be spammish, I create a special email address that’s only provided to that business. Sell, share, give it away or have your contacts database hacked and it’s simple to track the problem back to the source.
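The per-business addresses described above work better if the tag cannot be guessed, so here is an added example (not this site’s own tooling) that derives each address from a keyed hash of the vendor label and checks incoming recipients against it: addresses you actually issued attribute back to a vendor, addresses that merely copy the pattern are flagged as forged, and a constructed batch of sender/recipient pairs is tallied to show who mailed which private address. The domain, the key and the sample messages are assumptions.

```python
import hashlib
import hmac
import re

# Assumptions for illustration: you own a domain with catch-all delivery so any
# local part reaches you, and this key is a hypothetical secret kept with it.
DOMAIN = "example.com"
TAG_KEY = b"example-vendor-tag-key"
TAG_LEN = 8  # hex digits of the truncated MAC appended to the vendor label


def _tag(label: str) -> str:
    return hmac.new(TAG_KEY, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def vendor_address(vendor: str) -> str:
    """Address handed to exactly one business, e.g. photobox-1a2b3c4d@example.com.
    The keyed tag means someone who sees one address cannot mint others."""
    label = re.sub(r"[^a-z0-9]+", "-", vendor.lower()).strip("-")
    return f"{label}-{_tag(label)}@{DOMAIN}"


_ADDR_RE = re.compile(
    r"([a-z0-9-]+)-([0-9a-f]{%d})@%s" % (TAG_LEN, re.escape(DOMAIN))
)


def attribute(recipient: str):
    """Map a recipient address back to the vendor it was issued to.
    Returns (label, status): 'issued' when the tag verifies, 'forged' when
    the address looks like ours but the tag does not verify, else 'unknown'."""
    m = _ADDR_RE.fullmatch(recipient.strip().lower())
    if not m:
        return None, "unknown"
    label, tag = m.groups()
    if hmac.compare_digest(tag, _tag(label)):
        return label, "issued"
    return label, "forged"


def trace_leaks(messages):
    """messages: iterable of (sender, recipient). Returns a dict of vendor
    label -> sorted sender domains that mailed that vendor's private address,
    plus the list of senders that used a forged tag."""
    issued, forged = {}, []
    for sender, recipient in messages:
        label, status = attribute(recipient)
        if status == "issued":
            domain = sender.rsplit("@", 1)[-1].lower()
            issued.setdefault(label, set()).add(domain)
        elif status == "forged":
            forged.append(sender)
    return {k: sorted(v) for k, v in issued.items()}, forged


# Constructed sample traffic, not real mail: the hotel's own system and a
# bulk mailer both hit the address that was given only to the hotel.
SAMPLE_MESSAGES = [
    ("reservations@metropolitan.example", vendor_address("Metropolitan Hotel")),
    ("offers@bulk-mailer.example", vendor_address("Metropolitan Hotel")),
    ("news@photobox.example", vendor_address("Photobox")),
    ("anyone@random.example", "metropolitan-hotel-deadbeef@example.com"),  # copied pattern, bad tag
    ("friend@somewhere.example", f"g@{DOMAIN}"),
]

if __name__ == "__main__":
    leaks, forged = trace_leaks(SAMPLE_MESSAGES)
    for vendor, senders in leaks.items():
        print(f"{vendor}: mailed by {', '.join(senders)}")
    print("forged tags from:", forged)
```

A plain `vendor@example.com` label already tells you who leaked, but anyone who notices the pattern can invent `othervendor@example.com` and muddy the attribution; the truncated MAC stops that without making the addresses much longer.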

Hello, Tamara

Tamara Stepek is the Metropolitan’s head of PR. She answers her phone line and she returns calls when she says she will. She told me straight off that she was relatively new to the job but was coming up to speed quickly.

I told her about the spam – the fact that the address hadn’t been bothered in over a year and now two in the space of a few minutes – and asked what was going on here.

“I don’t know,” she said, “but I’ll find out and get back to you.”

What? None of the usual lame excuses?

1. It was a technical glitch. (We don’t know what we’re doing with your personal information, but you can trust us with it.)

2. We thought it was really important information. (Great. I pay for you to tell me about your lunch specials. What part of NO do you misunderstand?)

3. Just give me your email address and I’ll remove it from the list. (We’ve been busted. Now we want you to help us clean up our dirty little list that we bought/stole/harvested from the Internet.)

So Why Do Companies Spam?

Because it’s easy. And it seems really inexpensive: reach millions for only $1 a day.

As we move to mobile – where data charges can be usurious – shifting the cost of advertising to the recipient isn’t so hard to spot.

A few dozen junk emails a day? Annoying.

A few dozen junk emails a day on your mobile? That could push you over your data cap – more and more telcos are capping data – and start costing the recipient silly amounts of money.

See what happens with mobile spam when you’re racking up roaming and overseas data charges on your travels. The costs can be shocking.

Your Call Is Important to Us

I said a callback in a couple of days would be fine with me.

But Tamara didn’t call back the next day as we’d agreed.

She called back a few hours later, said she’d made some progress, asked a couple of quick questions, and said she’d have more information the next day.

No silly excuses, no BS.

What kind of PR person is that?

What she learned and shared with me was that I should have been spammed earlier. I’m not being sarcastic or facetious. An update that should have dumped my email into the marketing database was missed. When the error was caught…boom. Spam.

Spam that I pay for.

“I agree. It’s not fair,” Tamara said. “We’re not at all like that.”

Metropolitan Hotels are now reviewing their entire online marketing strategy. “We’re checking on the settings,” she told me.

One big consideration is opt-in versus opt-out. In other words, you’re given a chance to keep the promo emails coming rather than being forced to opt-out. And for hard core spammers, opting out only confirms that they have a live one. So you’re damned if you do and damned if you don’t.

The Social Media Angle

The Metropolitan Hotel Toronto isn’t just a hotel: it’s a downtown nightspot and home to fine dining. So not all of the clientele are stayovers. Many of them appreciate knowing when something special is on offer – either in terms of price or rarity.

Nearly every company wants to be seen on social media – and that cuts both ways.

It means I can post on Twitter and the Metropolitan’s Facebook page for the world to see. Which is what I did. Tamara was obviously paying attention and responded in kind.

What’s Next?

I’m looking forward to finding out more about the Metropolitan’s review of online policies and practices.

I’m looking forward to meeting Tamara in person. She’s a prime example of how to deal with legitimate complaints in a social media world.

And I’m looking forward to staying at the Metropolitan again.

-g


Lego Laptop: Using a Motorola Bluetooth Keyboard with an Apple iPad2 and a Blackberry Playbook (and a Xoom)
Posted by Smartypants.com on August 10th, 2011

The objective of this test was to see if we could use the same keyboard – in this case a Motorola bluetooth keyboard – with either our iPad2 or our Playbook.

It took some mucking about, but we now have the Motorola bluetooth keyboard working with both. Not at the same time, but that could be a challenge for another day. ( We have a Motorola Xoom tablet going through some other testing at the moment, and assumed for better or worse that would be a slam dunk. We’ll see about that later.)

So why try to use a Motorola keyboard intended for the Xoom for two competing tablets? Because I liked the feel of the keyboard.

Blackberry is talking – yawn – about a bluetooth keyboard this summer. It’s mid August, gents. That’s 8,000 emails and Facebook posts ago. Hello?

Tried the Apple industrial aluminum chicklet keyboard. So clean. So pure. So…alien. Better than using bloody stumps to hunt and peck on the onscreen keyboard, mind you, but only just.

(If the lack of tactile feedback isn’t bad enough…what monster programmed autocorrect? But that’s off topic. For now.)

The keyboard and the tablet need to find and then connect to each other. It’s called ‘pairing’ and the most likely part of the process to cause headaches.

First, a disclaimer: This worked for me. I don’t know if it will work for you, but if you decide to follow these instructions, the responsibility for whatever ever happens is all on you.

OK. So step one?

Turn everything off. Power down the tablet. Take one of the batteries out of the back of the keyboard. Shut down and/or remove any other Bluetooth devices in the immediate vicinity.

And now we’re going to divide the class into two streams: iPad2s first and then Playbooks.

iPad2:

Fire up your iPad. Go to settings. You’ll find Bluetooth under General settings. Make sure it’s turned ON. Click on ‘Bluetooth’ and you’ll be taken to the Bluetooth ‘page’ where you’ll see a list of available Bluetooth devices.

Now put the battery back into the keyboard and turn it on, too.

You should see the Motorola Keyboard appear on the list of devices. If it doesn’t automatically connect, click on it.

You should be good to go. That simple. Really.

Playbook:

This is going to be a little weirder and requires you to put the keyboard into what Motorola calls ‘PC mode’.

Fire up your Playbook. Go to settings. Select Bluetooth. You’ll be taken to the Bluetooth page with a drop-down list of discoverable devices. Click on ‘Discoverable’ – which means that other Bluetooth devices can find and connect to your Playbook.

Now click on the Add New Device button. You can either choose to search for the keyboard or have it find you. Doesn’t really matter. Pick one.

Put the battery back in the keyboard and close the cover.

This is the odd bit: You need to hold – I don’t mean touch but HOLD – three keys down: V – A – R

Keep HOLDING while you press the keyboard’s power button.

The little green LED on the top right of the keyboard should flash a few times – keep HOLDING – and then, finally, your keyboard should automagically appear on the list of devices.

Now you can relax your fingers.

Xoom? Why not. It’s right here in front of me.

Since I was switching from PC mode (the only way to connect to the Playbook that I could find, and which calls for the V – A – R three-finger salute), the keyboard wouldn’t play nicely until the power was cut off. (The ‘power’ button on the keyboard only seems to power it ON, not OFF.)

So there you have it: one keyboard, three tablets.

Hope that helps.

Oh, and by the way, we’ve coined this pairing of a keyboard with a tablet as ‘a Lego Laptop’ because we thought all this mobile technology stuff was supposed to give us fewer bits and pieces to carry around, not more.

-g

Fanboy Disclaimer: We are technologically agnostic. Hell, we even gripe about companies or products we’ve invested in. Dumb? Maybe. But if we think it sucks, we think it sucks. It may not suck for you. It may save your life. Good for you. But it still may suck for us even knowing it saved your life. That’s called ‘having an opinion’. We’ll probably praise a product, service or company you totally hate. In fact, we sometimes praise a product or service from a company that we totally hate. But if it’s good, it’s good. If we tell you about stuff we get for free, we’ll tell you. We used to ask – and get all kinds of goodies – but mainly buy retail these days and that gives us the same ugly beauty experience y’all are having. Just the way we like it.


My favorite hotel between New Brunswick and Montreal
Posted by Smartypants.com on July 14th, 2011

I’m generally not a fan of hotels that perch on the edge of the highway cloverleaf, but the Comfort Inn & Suites on Route du Pont, St. Nicholas, Levis, Quebec, is such a treat, that it’s a rule breaker.

It’s admittedly an off-highway hotel with a drive-by clientele, and that’s likely the original intention. It’s not spartan, nor is it luxurious.

The complimentary breakfast – which seems to be slipping a bit in variety – is what you’d expect from the usual highway stopover.

So what’s the big deal?

Location, price, connectivity and staff. And not in that order.

It’s just off the TCH across the St. Lawrence from Quebec City, and on the Montreal side so that the morning traffic heading west towards Montreal – less than 3 hours away (barring any more deteriorating bridge delays) – is paltry. And it’s about 7 hours drive from our home base.

It’s new, it’s clean, and it’s a great bargain. We’ve had singles, doubles, and self-

The best part: the staff. They’re friendly, accommodating and seem genuinely happy to interact with their customers. In English and French.

And the wireless Internet connection has been reliable and speedy.

For all of those reasons, it’s become our regular one-night-away-from-home-base stop between home and points west.

The only problem is that the hotel hasn’t been terribly busy when I’ve stayed there. Not that we mind the peace and quiet, the great service, the great rates and the reliable Internet connections, all of which could go to hell if the place becomes too popular. But closing due to lack of business would be equally disappointing.

So I’m giving away this personal travel secret and hope that it spreads…but not too far.

-g


I dropped my iphone in the toilet
Posted by Smartypants.com on July 6th, 2011

Not really, but it’s the search term I used to seek examples of people with catastrophic experiences with their mobile devices – what more catastrophic than an iphone in the crapper? – and Google claimed to find 5.9 million instances. It petered out after less than 500 links, actually, but that’s still a lot of Jobsian slips.

And what’s double disturbing is that the very first thing you should do if your phone is immersed in liquid, whether of the i-variety or otherwise, is to get it out as quickly as possible.

Be not afraid, or squeamish but reach right in there – dig around if you must – and drag it back to dry land.


Spring Spamfest Meets Mobile Phone Bills
Posted by Smartypants.com on June 10th, 2011

It seems that every year at about this time the annual spring spamfest begins. Why now? All the university business and marketing students are at their summer jobs, and many of them have ‘great ideas’ about how to market online: forget the wishes of the recipients, forget privacy policies and common sense when you can auto blast hundreds, thousands, millions, forget that a lot of us now use iPhones and Blackberries and other smart mobile devices.

Cool: Email right to our mobiles and tablets where it is likely to get our attention. Especially when we get our next mobile bill and can see how much we get to pay to receive this unsolicited, unwanted advertising.

How bad is it? Here’s a short list from just the past 24 hours:

Rogers Communications – And this is something the CRTC should be concerned about. Purchase a mobile phone with data services from Rogers, and they start spamming that same phone with data-rich advertising. Not only do you get to pay for it, but Rogers gets it both ways: you pay to receive the advertising and they get the direct benefit of helping you churn through your data limits. To push you into post-limit territory – where you pay huge amounts extra for tiny amounts of data and where the profits are measured in the hundreds of percent. This is the same Rogers that crows about how 95 per cent of its mobile customers use very little data. No wonder: they’re scared shitless by the ridiculously high data rates. (Canada has one of the most expensive mobile data regimes IN THE ENTIRE WORLD.)

Delta Hotels – In May, the national media council of the Communications, Energy and Paperworkers Union met at the Delta Halifax for their annual convention. Yesterday, every single one of them who stayed at the host hotel started getting spam – nice, rich-media spam that churns through mobile data plans like hot lead through soft flesh. The hotel chain says it was probably just a glitch, or somebody did something wrong by accident. That was when I only knew it was coming to me. Not everybody who stayed there. And I’m guessing not just for the media conference, but throughout the past few months. And in the spam, they have the unmitigated gall to say that the recipients requested to be added to the junk mail list. Despite making it abundantly clear – at least I did – that the email provided was to be used for one purpose and one purpose only: confirmation of the registration, including terms and conditions.

Eventbrite – This is a US-based online registration system that also harvests the email addresses of the registrants and immediately begins blasting them with direct spam that has nothing to do with the event they registered for, but everything to do with Eventbrite. And, as usual, nice rich-media spam that helps make your mobile carrier wealthier.

Digital River – This is a payment processing company. One of their clients is Nuance, the company that produces Dragon Naturally Speaking voice-to-text software. According to Nuance, buying software from them through Digital River’s payment system means you are requesting relentless rich media junk mail from them.

And that’s just the harvest from part of one day, but then the season is still young.

-g


Delecting EMail Accoints – Dumbest Phishing Scam Ever?
Posted by Smartypants.com on May 23rd, 2011

While cleaning up some old paper recently, I came across an EMail that I’d printed out back in 2009. It appears that I then promptly forgot about it, which is a shame because this is probably the most hilariously-inept “phishing” scam that I have ever encountered.

Read on for the EMail. Warning: due to choking hazard, do not read while consuming food or beverages (or “C&C” for any Usenet old-timers out there).