Jason

Twitter spammers don’t even try anymore.

by Jason on June 20, 2009

I got a Twitter follow notification in my inbox for this profile:

Marge is looking for love in all the wrong places

Like Tyler Durden in Fight Club who never answers his own phone, I never click on links on the internet (it saves so much time!) so hey, maybe it’s a legitimately lonely person on the interweb and not some kind of scam or spam or spacam.

Except this follow wasn’t for me. It was for my cat.

That’s what’s wrong with spammers. They don’t even try anymore. No work ethic. When I was a boy, you had to copy addresses by hand out of the phone book and put them on envelopes.  And you had to lick the stamp! None of these peel off stamps for us, nosir.

(And yes, my cat has a Twitter account. It gives my family no end of amusement, for we are easily amused. I’m sure someone has made a Twitter account for the hummous they made a week ago, so this really isn’t as lame as it seems in the grand scheme of things.)


Back when I developed ticketing software for events, the clients would complain that I made the ticket ID too long.  I feel vindicated today.

Via a post to the Torcamp mailing list (from Stephen, last name left out to give some semblance of after-the-fact privacy,) I found out about an email campaign being run for Primus Canada.  It’s got all those slick bits that marketers love: you get a personalized link that shows a video WITH YOUR NAME IN IT!  Wow!  And better still, you get to send customized videos to your friends! Viral wow!

The only real problem here is that instead of using, say, a GUID or some other really big identifier in the personalized URLs, the company used an integer. A few quick tests confirm that it’s a sequential integer.

Let’s spell this out: Primus has provided their customer list of names and emails to anyone who can edit a URL.

So what’s the exposure? In about 3 minutes of entering higher and lower IDs in the URL, I found a consecutive range of about 144,657 IDs.  I didn’t try every number in that range (you can be sure some scrapers are doing that right now, somewhere on the internet) but given the overall naivete of the URL scheme I’m guessing the range is unbroken.

What’s more, it’s highly possible that there are other ranges in there from other database loads.

Picking an arbitrary starting number for your consecutive number range is not a realistic security measure.  In my ticketing days mentioned above, the exposure would have been counterfeit tickets which might or might not have been caught at the gate (there were secondary measures like the customer’s name on the ticket matching the scan.)  Here, I can pretty much guarantee that a lot of Primus customers just got added to a bunch of spam lists.

So, for developers out there (or marketers with half a brain that want to test their dev team), what’s a better way to do this?  As I suggested, a GUID would work better – it’s a really big number that’s harder to guess, but not impossible, and the more names in your database, the more hits, so I’d add the customer’s actual email address (or a tokenized version of it) to the URL as well – this is an email campaign, and it’s not like people will be typing these URLs in anyway, so there’s not much harm in making them bigger. The email token’s probably overkill, but this way the only way an attacker is going to see the email address is to know it in the first place.
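To make the difference concrete, here is an added example (mine, not the post’s or Primus’s code) contrasting the sequential-integer scheme with the random-token-plus-email-token scheme the post proposes; the customer list, hostname and server key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample customer list; not real campaign data.
CUSTOMERS = [
    ("Alice Example", "alice@example.com"),
    ("Bob Example", "bob@example.com"),
    ("Carol Example", "carol@example.com"),
]

class SequentialCampaign:
    """The weak scheme: the personalized URL carries a sequential integer id."""
    def __init__(self, customers, start=100000):
        # An arbitrary starting offset is not a security measure, as the post notes.
        self.by_id = {start + i: c for i, c in enumerate(customers)}

    def link(self, cust_id):
        return f"https://campaign.example/v/{cust_id}"

    def lookup(self, cust_id):
        return self.by_id.get(cust_id)

def disclosed_by_enumeration(campaign, known_id, radius):
    """Audit helper: customers reachable by stepping ids around one known value."""
    hits = [campaign.lookup(i) for i in range(known_id - radius, known_id + radius + 1)]
    return [h for h in hits if h is not None]

class TokenCampaign:
    """Hardened scheme: 128-bit random token plus a keyed tag of the email in the URL."""
    def __init__(self, customers, key):
        self.key = key  # server-side secret; never sent to the client
        # token -> customer; tokens come from a CSPRNG, so neighbours cannot be guessed.
        self.by_token = {secrets.token_urlsafe(16): c for c in customers}

    def email_tag(self, email):
        # HMAC over the email: an outsider can't compute it without the key.
        return hmac.new(self.key, email.lower().encode(), hashlib.sha256).hexdigest()[:32]

    def link(self, token):
        _name, email = self.by_token[token]
        return f"https://campaign.example/v/{token}/{self.email_tag(email)}"

    def lookup(self, token, tag):
        cust = self.by_token.get(token)
        if cust is None:
            return None
        # Constant-time compare so a wrong tag isn't distinguishable by timing.
        if not hmac.compare_digest(tag, self.email_tag(cust[1])):
            return None
        return cust
```

With the sequential scheme, one known id exposes every neighbour; with the token scheme, a guessed token or a missing email tag returns nothing.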

Oh, and added bonus: if you view the source of the landing page there’s a link to the privacy policy and the terms and conditions. They’re commented out.

Update: Andrew Loius has even more gory details over here.

Update 2: The site’s been pulled (like, hard down, 404 not found, Gordon Ramsay style “shut it down.”)  Hopefully they’ll resolve this properly and recover somehow; it’s not a bad campaign, just an unfortunate deployment.

Stealing MySpace reviewed, briefly

by Jason on April 14, 2009

Stealing MySpace

I’m not sure if I’ll have the time tonight to write what I want to write about, so here’s a link to the review I posted about Stealing MySpace: The Battle to Control the Most Popular Website in America by Julia Angwin. Oh wait, the title of the book’s the link.

That’s not Amazon affiliate bait either, just a regular link. BUT it’s to the .ca version of Amazon so 80% of you will have to look the book up yourself on the .com. And I don’t get paid. So we’re even. Nyah.

I need more practice writing book reviews.  Amazon’s like a practice blog where I can put stuff that I’m not sure I’ll like in a few months as my writing gets back up to speed. If I posted it here, I’d end up leaking mental energy over the mild urge to edit or delete it, but once it’s on Amazon (and no, I’m not going to check this,) I can’t delete it.

Which isn’t to say I didn’t mean what I said, I just figure I need work before I can turn “I really liked this book” into a full page feature in some literary review magazine.

If you like business stories, check it out, I don’t think you’ll be disappointed, except about the having to look it up on Amazon.com thing.

Oh fine, here.

Thoughts on the media paywall/loginwall

by Jason on April 13, 2009

One more thought for the day on the NY Times while I wait for a data report to generate…

As I mentioned earlier, I had to log in to their site today to read an article.  It was free, no huge deal, except that it’d been so long since I’d had to do it that I didn’t have a BugMeNot extension installed so I opted to reset my legit account.

And why had it been so long? Or had it? It really isn’t something I’ve tracked that much – I remember the days when I’d read Slashdot and scroll through the comments for the no-login link to whatever article it was (and for all the griping about the login, there were a LOT of NY Times stories being linked up), but in recent times I don’t recall having to log in at all.  Maybe I had a really old cookie.  Whatever.

When we’re in a time where the AP is trying to block websites from spreading its content, it’s worth a look at some of the media companies’ motivations before dismissing them outright.  In the NY Times article’s case, while I didn’t go to BugMeNot, I’ll admit that the first thing I did was Google the opening sentence of the article.

I was a bit surprised by what came back.

There were about 267 results (I put quotes around the search.)

The article was only a few hours old.

And I don’t think the NY Times were in them at all.

What was in there was a ton of Adsense blogs – sites with the same headline, same opening quote that’s (I assume) available through RSS, plus the link to the story. Oh, and a ton of ads around the page.

These sites (the majority, anyway; I didn’t click through and examine several pages of each) exist for one reason only, and that’s to make money off of people like me who are searching for the original article.  Some of us are trying to avoid a login, and some of us are just trying to find the original article, whether it’s on the source site or not.

But you know what?  This isn’t a Big Media problem.  Most bloggers have had the same thing happen to them.  It just happens less often, since our content, uh, kinda sucks sometimes.

Big Traditional Print Media might be whining a bit about Google News killing their business, but that’s not what’s happening.

It’s Google Adsense.

Think about the growth of the big search engine indexes.  Remember when they used to brag about them and compete amongst themselves over whose was bigger?

Do you really think that the internet’s near-geometric growth in number of pages would be anywhere near the path it’s been tracking if it wasn’t for automated feed-generated web pages plastered with ads?

I think there’s tons of room for bloggers and other web publishers to reuse existing content in a way that brings traffic and authority to the authors, but let’s be clear on who the targets are before slamming down claims of theft and/or walling off big chunks of the internet like it’s 1995.

So I was resetting my NY Times account password so I could read the article for my last post about hyperlocal websites, and they had one of those “tell us something unique about yourself so you can reset your password later” questions.  Here are the options:

NY Times password reset question

What am I supposed to do with this?  I swear, I’m going to start trying to hack friends’ passwords, not because I want to do anything with them, but I just want to know if I’m their best friend.

Seriously, what’s wrong with the usual email reset link flow?

The hyperlocal web: still doomed

by Jason on April 13, 2009

Tom from the office (our office, not The Office) sent me a link to a NYTimes article about hyperlocal sites.  Surprisingly, I had to log in to the site to read it, which I don’t remember having to do in a while.  More on that in another post.

I hadn’t been tracking this area in a while, mostly because 1) most of these efforts are for US cities, and 2) most of them suck, so it was a good chance to see where things were going at a high level.

Sadly, not much has changed, and it’s a bit unfair to say they suck, but the thing of it is that it’s hard enough to get an audience of dedicated early adopters for a given subject area, and adding geographic constraints to the problem makes it even harder.

An analyst named Greg Sterling has a good quote in the article that explains a lot of the core problem: “When you slice further and further down, you get smaller and smaller audiences… Advertisers want that kind of targeting, but they also want to reach more people, so there’s a paradox.”

And it’s not just advertising, content suffers the same issue.  At the moment, the people who want to read this kind of site are the exact same people who are working to feed it.

So let’s allow for the time machine to zip forward to a point where any given neighbourhood has a thousand voices and ten thousand readers (hey, will these numbers happen anywhere outside of a condo farm?) – what’s the difference going to be between something like this and the local community paper?  We have one in our neighbourhood, the area it covers keeps growing, and it’s as biased as anything else you can imagine. The loudest voices are going to win here, just like anywhere else.

Here’s an upside for a Monday: yes, I think these things will all fail, at least in their current approach.  That said, I think a lot of great lessons are going to come out of it, a lot of new features and gizmos are going to spin off, and in the meantime, maybe I’ll find out what’s up with that pothole across the way.

A better, more honest EULA experience

by Jason on February 20, 2009

Random thought while installing the latest ASP.NET MVC build (latest to me, the latest one to the party, that is).  Here’s the usual EULA acceptance form:

That's not fine print; I shrank the image

Now, this form doesn’t do it, but I’ve seen some (the WoW EULA, for example) that make you actually scroll down to the bottom before accepting the terms, which thankfully doesn’t have a timer attached to it to ensure you actually made the pretense of reading them.

As a compromise, I’d like to see a form that shows the “I accept the terms in the License Agreement” checkbox regardless of the status of the scrollbar, but if the bar’s at the top, adds the word “blindly” to the label.

Looks like Warren Ellis is having trouble with his BAD SIGNAL mailing list (it’s worth trying out even if you’re not into comics, by the way) – the mail server changed hostnames or something, so he’s trying to find out how many subscribers he lost.

Not relevant to the story, but I love how he went about verification: an email invite to a simple poll on a free poll site with one question (“are you reading this”) and 2 options (“yes” and “no, I’m dead”), a nice play on “anyone who can’t hear me raise their hand” but I digress…

In today’s mail, he says:

But I have to assume that a lot of people just had the list vanish on them.  And that most of them were okay with that.  Is the age of the mailing list over?

It’s not, and I was thinking along a related line this morning.  See, I subscribe to a magazine.  Several, really, but this is one of those ones that publishes every 2 weeks except for when it doesn’t. I’m sure there’s logic behind the schedule, but the unpredictability (to me) is such that I’ll notice the presence of a new issue a lot faster than I’ll notice the absence.

The sad fact is that there’s not a lot of stuff out there, online or off, that I subscribe to where I’ll anticipate the new edition eagerly and notice the second it doesn’t arrive.  If you can publish regularly (Warren doesn’t by the way; it’s just not that kind of list) and provide huge value to your readers, and maybe warn them to call the police if the next issue doesn’t arrive on Monday at 2 because a lack of deliverability surely means you’ve slipped and cracked your skull open getting out of the shower and need immediate medical assistance, then maybe, MAYBE you’ll get people who check into the problem right away.

Most people won’t notice for a while.  For most, in fact, it’ll be a “whatever happened to that thing…” moment in the supermarket or the car or whatever weeks or months later.  Even then, once they realize it’s not there, there’s usually not enough control in a unidirectional publish/subscribe setup for the reader to do anything about it.

So there’s the riddle.  How do you keep subscribers engaged enough to notice if they’ve been dropped from your list and to take immediate action to get back on?

All I’ve got are two things to mitigate risk:

1) Stick religiously to a schedule, as noted above. If people expect your email/newsletter/whatever on Mondays at 2, there’s a chance they’ll be looking forward to it and notice its absence.  That’s only going to help you if you…

2) Publish your archives online with a clear link to the latest issue.  It’s the only way people will be able to figure out that something new went out and they didn’t get it.  Sure, some people will choose to just read online (or what you’re afraid of, say to themselves that they’ll read online and never return), but more and more people are going to engage with you on their terms, not yours, so get used to it and set up multiple fallbacks for your content, like RSS feeds, Twitter announcements, etc.  As a trade-off, you could only publish the archive URL in the thank you for subscribing email and at the bottom of each newsletter, so it’s not public knowledge until they’ve opted in.

That’s all I’ve got.  Any other ideas?

Over at LGG Media, we’ve started sharing some of the stuff we do in a series of Technical Notes (OK, there’s only one right now, but it’ll be a series, honest!).  We’re releasing them as PDFs because… wait for it… yes, I frigging hate formatting source code in HTML even with a good plugin.

In the first note, we go over a new technique we’ve developed with Microsoft’s ASP.NET MVC framework to easily make WAP, iPhone optimized and other versions of a web page without duplicating any code or otherwise creating a maintenance nightmare.

This is my first “technical article” and I’m sure there are a lot of other ways to exploit this technique, so comments are more than welcome – let me know what you think!  You can see the note (and all future ones) here.

Setting up a new Microsoft MVC.NET site today, I made a possible error in not verifying the initial setup before ripping it into an alternate structure (mostly moving the controllers to a new class library and changing the MVC DLL references to a known version in source control versus what’s in the GAC), so when the time came to run the site for the first time I didn’t know who to blame for this error:

Compiler Error Message: CS1928: ‘System.Web.Mvc.HtmlHelper’ does not contain a definition for ‘ActionLink’ and the best extension method overload ‘System.Web.Mvc.Ajax.AjaxExtensions.ActionLink( System.Web.Mvc.AjaxHelper, string, string, System.Web.Mvc.Ajax.AjaxOptions)’ has some invalid arguments

The resolution, as found here, was to add:

<add namespace="System.Web.Mvc.Html"/>

to the system.web/pages/namespaces section of web.config, and all was well.
