Monday, December 10, 2012

YouTube Stabilize Video - Not always a good thing.

I did some video editing for a client. They provided me with several videos shot on-location without the use of a tripod. We went through found all of the cuts we were looking for and edited the video to make something really pretty cool and authentic looking. After adding all of the proper titles and fly-ins to the video I rendered the video down so it could be uploaded to YouTube. YouTube will not accept a 40gb raw file.

So I get a call today saying "The type in the video is going all over the place." I quickly opened all of the videos I provided the client to check, and they all appeared as expected. So I go onto YouTube and something crazy is happening with the video. I know all about JPEG and MPEG compression and what that does when you start increasing the compression level, but this was altogether different and wildly amusing (yet scary). The type was crawling across the screen and climbing into areas where I was sure there was no type. I looked at the formats I used to make sure I hadn't selected some hybrid in After Effects that used vector layers by chance (they're always upgrading things) and found no issue with the raster-only formats I was using.

YouTube has some excellent features and this one is supremely impressive. My client upon uploading the video decided to select the option to "Stabilize Video" in the video editor section of the YouTube Video Manager for their channel. The video shakiness was remastered to make the video look completely stable (like a professional videographer shot the footage). If you watched the off-camera areas in the shots they appeared a little strange having been cloned from shots where they existed prior and post. The type however was everywhere, so it made it look like a bad editing job. I mean really bad. It was super distracting. Luckily there's a way to tell YouTube to revert to the original video (you have to dig for it in the video editor settings). Upon selecting the "revert to original," after some time the original non-corrected/non-stabilized video *should* be in place. If this doesn't work you can always delete the video and re-upload the original.

Leave it to Google / YouTube and their new features and upgrades to really ramp up your learning curve. Luckily this time however the crisis was averted.

Friday, December 7, 2012

'Project Mayhem' Hacks Accounting Software - A Rebuttal

The more I read Dark Reading, the more and more I'm starting to notice certain aspects of the new market for hackers. In a recent post on the site - 'Project Mayhem' Hacks Accounting Software, No exploit required for defrauding Microsoft and other accounting systems, researchers at Black Hat Abu Dhabi reveal - they go into detail about this elaborate scheme to create a fake billing transaction in a database.

In my comment about this possible "threat" I mention:

Microsoft should probably use SSL between the client machines and the database and lock down the database so only clients with the appropriate credentials (IP addresses, SSL Keys, and login credentials) would be allowed to make database queries and injections. They might also look at splitting up the database logins, so you have one login for queries and one login for inserts. The tables per client should be named according to the actual company so they're not standardized within Microsoft Dynamics Great Plains across the board. Also the database itself needs to be encrypted (I'm not familiar with the Great Plains system myself) so it couldn't be updated somewhere else and replaced (after the end of business). (One of the things that used to be sort of a standard practice in the 90s was make a copy, hack it offsite, then return it to the system at a later date... so there is no trail.) They might also limit access to the terminal that is authorized to only being allowed to make transactions during business hours (like banker's hours for the machine itself).

There are probably hundreds of ways to secure this particular issue. Also from an IT standpoint you would require that all communications to the accounting database come from an accounting computer on the network subnet.

It sounds more like a fail on the Information Technology or Information Systems department's part (or something they wouldn't consider as a possibility).

The problem is more of a human issue. The IT department thinks to themselves that the company only hires qualified people who don't have bad backgrounds. The admins are busy (probably under staffed or better yet outsourced) so they either aren't familiar with the system themselves, don't need to be familiar with the system, or don't have the time to think about all of the possible injections. The idea someone could gain access to the network, have a machine with the necessary tools to actually perform an attack, not have that attack be logged, and do this consistently is a little far-fetched?

Stepping back I see that it makes a great story, but it's just a company trying to get creative with ways of saying "There is no need for our services, but we can prove to you that you need us because we can show you a world of possibilities that are highly improbable, but capable given an enormous amount of funding, interest, and time in the realm of distant possibility."

Another thing, is the people who would have this skill set, the ability to pull off the job, and the ability to collectively network with other individuals and collaborate on something this illegal probably would only ever do this just to say it could be done as a proof of concept. It's unlikely these highly skilled professionals would be unemployed and outspoken enough to say to their other unemployed colleague, "I have a way we could make some money." A little too Hollywood for the real world.

I have a larger thought brewing about these particular "issues" and if given enough time will probably write more about it here and possibly in some sort of thesis... unfortunately it's back to my day job for now. Just think, if I had gone to college someone might actually take me seriously.

Until later.

Thursday, December 6, 2012

Beware of Bad Holiday Scheming

Okay, so I've had my eye on an iPad Mini since they came out. Smaller device, new form factor, I just want to check them out, and could use one for testing purposes. So I've noticed that on the Apple website when you try to make a purchase during the holidays around Black Friday that the really cool *new* items aren't on sale at all. They're at their regular prices.

So a couple of years ago I found a couple of ways around this. I've bought a few refurbished items from the Apple site at a considerable discount over the regular priced items. The idea of a second-hand, handheld device like an iPad, anything with a keyboard, and even Smart Phones skeeves me out, but luckily when Apple refurbishes an iPad or iPod they actually replace all of the pieces that you would touch with new parts (meaning you're not going to get a scratched touch-screen). This is cool because I can't bring myself to pay full-price for something I don't feel is worth it, and I'm sorry Apple, they're cool devices, but you're paying substandard wages to the people who make them, and they're imported so I shall not reward you. So that's one way to beat Apple at their own game (they still make the money, but not as much from me).

Another way is to check out Best Buy because when they have a Black Friday sale they DO put the Apple items on sale with the other items. This is great for things that aren't yet available as a refurbished item on the Apple store and for things like Apple's horrible excuse for a non-laptop, the Macbook Air (more about that at some other time), that WOULD be nasty to get as a refurbished item if they don't replace the keyboard. Having worked as a network administrator I can truly say YUCK!

So this brings me to the reasoning for this write-up today. Working in advertising and marketing for much of my career (my day job) I've developed a quick eye for bad math and tricks of the trade. Today I received an email that says "Save $25 on your Next Purchase when you use Store Pickup for an Order of $250 or More" at Best Buy. Here's the image from their email:


Seems like a good deal. I can save $25 on that not-yet-refurbished iPad Mini, which amounts to a little less than local sales tax, but it's a savings of sorts... right?

Wrong again.

Apparently the people at Best Buy don't understand the meaning of the word "NEXT."


According to their site:
"Here's how it works
  • Place an order of $250 or more on BestBuy.com on Wednesday, December 5 through Saturday, December 8.
  • During checkout, choose Store Pickup and select your store.
  • The savings code will be e-mailed to you FOUR TO SEVEN DAYS AFTER your order has been picked up in store.
  • Redeem your savings code in store or online on YOUR NEXT PURCHASE.
  • Note: not all products are available for Store Pickup."

So yes, you're not saving anything AT ALL on your actual NEXT purchase because you have to make a purchase of $250 or more NOW before they take their sweet time to send you your savings code. Then you get a coupon or discount code (I would hope in the form of a $25 gift card but probably not) only AFTER you've made your purchase for the full price. I guess this is what happens when you don't have a marketing budget.

Hey Best Buy give me a call if you need any help understanding English or possibly want to hire someone who isn't out to trick people.

Until later keep an eye out for trickery.

Friday, November 9, 2012

Dark Reading Mailing List Compromised?

So I try to stay on top of the tech news in regard to exploits and security. One of the sites that I subscribe to is Dark Reading. It's more of a main stream sort of whitepaper delivery system for vendors but every once in a while I find something useful. They usually provide links to the real content and I go in search of something more informative on the topic, but they're a good starting point (unlike the 2600 Hacker Quarterly who publishes exploits directly on their pages).

As a hacker I'm paranoid about a lot of things. I see the system and I see all of the nuts, bolts, cables, users, and the complete infrastructure all at once. It's sort of a mind-numbingly overwhelming gift for information overload.

While I was Web Manager working at CertMag.com one of my responsibilities was configuring, securing, and learning the ins and outs of our StrongMail MTA and maintaining our mailing lists locally (amongst a bazillion other things). We had an offsite service that "maintained" our list, but there were a few ways that the list(s) could be captured by savvy listeners when we were submitting it or receiving it over non-secure or non-encrypted channels (think Wireshark). At the time we employed the services of Hallmark Data Systems, and they had several procedures and securities in place to make sure our list was "safe." Basically from what I gathered it was an offline database on an AS 400, although I think they were considering integrating some aspects online (for a fee of course).

We weren't controlling any sensitive information, unless you count names, addresses, titles, and email addresses as sensitive (I guess altogether it could be something because it was a loosely targeted list if you're into marketing). For the most part once that information was sent to the database house it was out of our hands and pretty much would never be seen again in its complete state unless we pulled an audit query. They managed providing the list to the printer that distributed the print versions of our publications and they would also email back to us a queried list of names and email addresses only matching certain criteria per publication (I think this was eventually accessible online after a while come to think of it). They would then update the lists for people who had opted out or unsubscribed for legal and advertising audit purposes. In short it's a big technical inefficient process.

Jump ahead 5 years, and one of the major issues with web subscriptions today or services where you expect to get something for providing a little personal information is getting tons of stuff that you don't want. So how can you tell whether the unsolicited email you're receiving is random spam, from a sold list, from a compromised web form or from a hacked database? One of the ways I combat this myself is I create a custom email address for every site that I'm registered on. I think right now I'm up to 400 or something ridiculous like that. It's usually nothing anyone would guess... acronyms but not random gibberish. When I register for a new site, I give them a new address. If an email looks like a legitimate pass with something in the footer like "You're receiving this message because you subscribed for Dark Reading," then I know they sold it or it's a sister publication. By law any legitimate sending service is required to provide an opt-out. Also when someone opts out there is a certain amount of time to stop sending that person messages or the fines could be steep (severely).

So today I'm going through my emails and I see a message to my Dark Reading account titled "Re:Re: sending servers /.../." Out of curiosity I open the message on a *NIX machine and it's an ad for "Highly Stable and Secure Bulk Email Servers for Email Marketing." Sort of ironic. The company that I subscribed with was exploited by a company that provides "Highly Stable and Secure Bulk Email" services that are apparently more secure than my subscription's own service?

So out comes the magnifying glass. A reverse look-up of the sending server's IP address with ARIN.net goes back to 173.192.141.86 at SoftLayer in Texas. No domain information was provided on the handshake with my email server, so it's no doubt a compromised machine running a root kit or a slave app. The return-path goes to an email address at fillmore.com which is owned by Fillmore Real Estate in Brooklyn. It was more than likely either hacked or they could just be a bounce back victim of a spam reply at which point they're not even involved.

So I dig a little deeper.

There's an email address in the links only (no websites) that goes to 21cn.com. If you're familiar with ccTLDs or country-code Top Level Domains then you'll recognize "cn" as China. This is a .com TLD, so on a hunch I look up the domain in APNIC.net... returned no results, Network Solutions... no results, Ripe.net... no results, but Internic.net came back with very little information and a different whois server for the domain at whois.35.com. So I plug that in and found the registrant to be:

     21cn corporation limited domainmanage@21cn.com +86.2085264358 +86.2085265827
     21CN Corporation Limited
     2F,NO.52 Liuyunwu street,Tiyu Rd,East,Tianhe,Guangzhou,China
     Guangzhou,Guangdong,CN 510620

So apparently the Dark Reading website's database, or their database management service, or some machine at Dark Reading's HQ was "hacked" and their list stolen, because I've not received any bulk emails on that list where I saw any other "subscribers," like an accidental broadcast with everyone in the CC field or some rookie mistake like that. There is the chance someone might have run a cycler to guess my own email address, but it's unlikely since I have a lot more email addresses that begin with letters other than "D" prior. Since it's only been provided to Dark Reading and it's a receive-only alias account I know it is not an issue on my end because that address isn't stored anywhere. If someone gleaned it from my mail server on the off chance they were listening to the data center in California then I'm sure I would receive a lot more of these to all of my email addresses (aliases) on record.  If they're using a service like we were it also might have been compromised in the transfer between Dark Reading and their database managing service.
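The triage walked through above (connecting IP with no hostname offered at HELO, a Return-Path at one domain, reply addresses in the body at another, and none of them being the site the alias was handed to) can be scripted against a raw message. This is an added example, not code from the post; the message, IP address (RFC 5737 documentation range) and domains are all constructed placeholders.

```python
"""Triage a suspicious list mailing: pull the connecting IP and HELO name
from our own MTA's Received header, the Return-Path and From domains, and the
contact addresses in the body, then flag the mismatches."""
import re
from email import message_from_string
from email.message import Message

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"^from\s+(\S+)")

# Constructed sample message, not the real spam from the post.
SAMPLE = """\
Return-Path: <bounce@example-realty.test>
Received: from unknown ([192.0.2.77])
  by mail.example.test with SMTP; Fri, 9 Nov 2012 08:12:00 -0600
From: "Bulk Mail" <sales@example-realty.test>
To: <dr-alias@example.test>
Subject: Re:Re: sending servers /.../
Content-Type: text/plain

Highly Stable and Secure Bulk Email Servers for Email Marketing.
Contact: offers@bulk-mailer.test
"""

# A legitimate mailing from the site the alias was registered with.
CLEAN = """\
Return-Path: <news@newsletter.example>
Received: from mx1.newsletter.example (mx1.newsletter.example [192.0.2.10])
  by mail.example.test with ESMTP; Fri, 9 Nov 2012 09:00:00 -0600
From: "Newsletter" <news@newsletter.example>
To: <dr-alias@example.test>
Subject: Weekly digest
Content-Type: text/plain

Questions? Write to help@newsletter.example
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def connecting_host(msg: Message):
    """(helo_name, ip) from the last-hop Received header, the one our own
    MTA added, which is first in the header list. 'unknown' means the peer
    offered no usable name, the situation described in the post."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    top = " ".join(received[0].split())  # unfold continuation lines
    helo = HELO_RE.match(top)
    ip = IP_RE.search(top)
    name = helo.group(1) if helo else None
    if name in (None, "unknown", "?"):
        name = None
    return name, (ip.group(1) if ip else None)


def body_contact_domains(msg: Message):
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    return {domain_of(a) for a in ADDR_RE.findall(body)}


def triage(raw: str, alias_registered_with):
    """alias_registered_with: the only domain(s) this receive-only alias was
    ever given to; mail from anyone else implicates that list."""
    msg = message_from_string(raw)
    findings = []
    helo, ip = connecting_host(msg)
    if ip and not helo:
        findings.append(f"sender {ip} gave no hostname at HELO")
    rp = msg.get("Return-Path", "").strip("<> ")
    from_addrs = ADDR_RE.findall(msg.get("From", ""))
    rp_dom = domain_of(rp) if rp else None
    from_dom = domain_of(from_addrs[0]) if from_addrs else None
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    sender_doms = {d for d in (rp_dom, from_dom) if d}
    if sender_doms and not sender_doms & set(alias_registered_with):
        findings.append("no sender domain matches the site this alias was given to")
    contact = body_contact_domains(msg)
    foreign = sorted(d for d in contact if d not in sender_doms)
    if foreign:
        findings.append(f"body directs replies to unrelated domain(s): {', '.join(foreign)}")
    return {"ip": ip, "helo": helo, "return_path_domain": rp_dom,
            "from_domain": from_dom, "contact_domains": sorted(contact),
            "findings": findings}


if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, triage(raw, {"newsletter.example"})["findings"])
```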

From a PR standpoint, it always looks bad when a website that publishes info about online security experts might not have an IT staff that implements what they read in their own material. Okay that might be a little harsh considering there are more important things to do like replace faulty mice or tell people their company provided laptop no longer works because they've dropped it one too many times, but I can almost guarantee I probably won't read about it in Dark Reading.

That's all for now.


Thursday, November 8, 2012

New "Microsoft" Phishing Scam

Today I received a phone call (Out of Area, Unlisted) from a guy with an Indian accent. He claimed to be from Microsoft and told me that they had received a message from my computer saying it was infected.

So I immediately replied:
"How did you get this phone number?"

His response:
"Because your ISP told us it was you and that it was your computer and when you register for Internet service they provide that information to us."

My retort (BSing of course):
"So Microsoft (someone who I haven't purchased anything from for 4 years) said my computer is infected, and you got my home phone number for my business account Internet provider?"

The guy hung up. I'm sure the rest of the phishing scam is that they are going to ask you to download something and install it to make sure your system is "clean." I myself am running an enterprise level anti-virus firewall (with subscriptions) and have AV installed on all of my Windows workstations and Virtual Machines.

According to Wikipedia:
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
The term "Phishing" first came about because a telephone or phone was used to fish for information. So the "PH" from "Phone" replaced the "F" in fish. Despite the Wikipedia entry, it is actually a part of "Phreaking" and not just possibly due to phreaking because a lot of phone privilege escalation involves a question and answer session with the phone network provider. There are all sorts of articles about Phishing and Phreaking in the older issues of the 2600 Hacker Quarterly now available at Amazon as an Kindle magazine subscription.

If you have a Mac / Linux based machine only, I probably don't have to say this but you can tell them you know they're full of it. If you have a "PC," Microsoft will NEVER contact you to tell you that you have a virus. They as a company, unless you're paying for some security service directly from them, would never take the huge effort to police the Internet and tell everyone that they're sending out a virus. That's not one of their core business motives.

There are all sorts of things that can be downloaded knowingly or unknowingly off of the Internet that contain back doors (where people can get into your machine), viruses (that give out information), slave systems (where people can make your computer work for them), and root kits (so your anti-virus applications that you are hopefully using cannot detect or remove them).


Remember to NEVER provide any personally identifiable information about yourself over the phone to ANYONE who calls you unprompted (unless you are expecting the call).

Friday, November 2, 2012

SQL Injection Attack Precautions

I try to remain perceptive and learn from my own mistakes as well as the mistakes of others. I was reading an article on Dark Reading called "The SQL Injection Disconnection," a fluff article just for clicks that briefly mentions SQL Injection attacks and how hackers are talking about them to the same degree as DDoS attacks.

I was the Web Manager at CertMag.com for a couple of years and noticed a lot of different ways someone could harm a website with poorly written code. We had a forum written in Argentina, another forum product called vBulletin, and had even written our own custom forum at one time. When I took over the technical operations to my surprise there were five extra user accounts in the Microsoft SQL server and one database called "test" in Japanese that contained all sorts of content related to the adult video industry. Needless to say we had been "pwnd." Our server was serving who knew what and we were a sitting duck. Shortly before we switched to our upgraded vBulletin forum we were being injected every 3-4 hours with someone claiming prize.

When I went out to the server farm to my surprise there were no filters on the firewall at all to even try and prevent some of the attacks taking place; an IT oversight. Also the web server was on the DMZ rather than being filtered by our Enterprise Level anti-virus firewall. When I left this was all "fixed."

The problem with the disconnect in regard to SQL Injection isn't that people aren't aware of them or that people aren't taking notes. There is usually a disconnect in human communication. There is no one person who in most situations would ever cover each of the steps to make certain an SQL injection attack was preventable. More often than not the issue falls across several people who all have to do their part in order to make a nice "safe" system to prevent or mitigate SQL Injection attacks. I obtained a special insight into the issue by being lead developer, web manager, network administrator, and IT manager all over the course of about 6 months. It was an eye-opening mind-altering adventure that really made me come up with some very dark options someone could do to take down a server.

What is SQL?
Basically SQL stands for Structured Query Language and is used more specifically in communications with database servers. When someone needs to insert into or pull information from a database they more than likely use some form of SQL.

So what is an SQL injection attack?
There are several varieties of SQL injection but they all usually involve someone finding an exploit in a system and loading something into the database. This might be a snippet of code that runs when the page is redrawn (quite common) or an SQL script that either rewrites all of the content in the database with something else or wipes out all of the content altogether. It may also add something to all of the content (e.g. pharmaceutical links).

How does this happen?
The more frequent occurrences happen because some off-the-shelf (or open source) application being used was not patched. For example someone downloads and installs a copy of WordPress. A patch is released to fix a known issue with the software, but the person who is responsible for applying the patch does not. Someone then goes on the web and searches for WordPress websites and through trial and error discovers the unpatched site. They apply their code (more than likely downloaded off of the web somewhere) and then the page, site, or database is compromised. I use WordPress as an example, but this happens with almost all open source (public) content management systems at one point or another.

Who is involved or more importantly responsible for the failure?
It depends on the environment of the site being taken over. If the site is corporate, there are several roles that could be responsible for the downfall of the server.
  1. Webmaster or IT person: If incorrect server permissions are set (meaning someone has read and write access through something like a search box) then the attacker could take over the website by installing a backdoor. Then they download the passwords for the database from the code they've exploited, now they can create their own.
  2. Webmaster or IT person: If separate accounts are not used for the web server application, or if the server is executed under a Root account, then this could compromise the physical box itself (IT would need to provide a new box or wipe and reinstall in the event of a root kit).
  3. DBA, Webmaster, or Web Developer: If the web browsing user account being used to communicate with the database by regular web users has full or elevated database privileges then new tables could be created, existing tables deleted, all data destroyed, or rewritten.
  4. Web Developer: If website forms do not filter or clean the inbound content before being inserted into the database the content can be compromised.
  5. Web Designer or Web Developer: If the site uses a prebuilt script from someone else's site (open source or shared code) and the code is not inspected, it may contain backdoors which could allow code injection. An example for this might be someone using an AJAX filter to check incoming content before a client submits, but blindly trusting the content. AJAX would insert the content on the check and the site would then be infected.
  6. Web Designer or Web Developer: Assuming people will always input proper expected information into a form is bad practice. If someone can inject Javascript into a site they can inject AJAX, backdoors, or worse.
  7. CEO, Owner, or Board of Directors: If budget for building a website or maintaining an IT department is cut, low, or non-existent this can lead to poor programming and administrative performance when trying to complete the project on deadline. This can lead to poor planning which can also lead to bad code being written, faulty code being reused, or anyone cutting corners from IT all the way through the web designers.
So this is more of a systemic issue overall since there are several avenues that could lead to a server being exploited. The main issues start at the top in regard to deadlines and fall onto the people who set up the server, the user accounts, the database accounts, and the permissions on the server, the database, and the files for the website. Once this is passed over to the development team, planning and security strategies need to be implemented in order to create a site that functions and does not trust outside users ever.

Things to keep in mind.
  1. If a person is able to inject code, but the account doesn't have the proper privileges then the code will not work.
  2. If the code is written but restricted to a non-web-accessible directory, the end user cannot execute the code and the site will be a little "safer."
  3. Not everyone who attacks your website will use your frontend code. They may not even use a browser. If you're a programmer and checking the validity of an insert, turn off JavaScript and see if you can exploit the site. (e.g. If a phone number field for insertion into the database allows something other than a phone number it may throw an error showing your directory structure or bringing down your server or code briefly.)
  4. People attack websites for various reasons to name a few: Web real estate (for serving content), prestige ("script kiddies"), competition (corporate or political), religious or idealist reasons (eg. Anti-American), and just because they're bored (hobbyists).
  5. If a site is attacked, restoring the database doesn't remove the exploit, only the temporary blemish. If the site is not patched quickly the attackers are given time to experiment and take over more control of the server.
The best way to stop some of these attacks is for everyone involved to do their part completely. The following goes into more technical detail.

Steps to take to secure a server:
  1. When the server is being installed or set up, the Web Server needs to have proper directory permissions assigned. There are several articles about this on the web.
  2. When the database server is installed it should have its own user account.
    (This is usually the default for MySQL)
  3. The administrative account(*NIX) for the web server should not be accessible from the web at all. (No Root SSH) I know it sounds like a no-brainer, but it happens.
  4. In regard to MySQL, the administrative account for the database server should not be accessible from the web at all. (No web queries from Root or the main Admin account)
  5. Ideally if the site has a backend (CMS) and a frontend then on the backend (which should be secured and NOT in a folder called "Admin" or "controlpanel") the site's interface should use an account that has the ability to select and insert... maybe even delete (not drop). No other permissions should be allowed. On the front-end of the site if there is some reason to insert (like statistical tracking) then THAT user needs to have Insert-Only access to that one specific table or special database. It should not be able to access any other accounts or databases.
  6. If the site has no reason to insert from the frontend, then the frontend user needs select-only access.
  7. When allowing the site to upload files into the database ALL content must be screened, filtered, and checked. For example just because someone uses a feature like mysql_real_escape_string in PHP, it doesn't mean that all content entered into the database is safe for display on the site. That function simply prevents someone from escaping SQL statements and concatenating their own statement to alter the database itself. They can still write a backdoor when the code is visible on the site again (redisplayed using PHP). Something like strip_tags or a tool like regular expressions would need to be used to filter code on insertion AS WELL AS on output, when the content is redisplayed.
  8. The backend of the website should be as hardened or more-so than the frontend of the site. Many times developers will figure someone who is on the backend has been authenticated, but if someone compromises the system by leaving themselves logged in or by logging in from an insecure location then the whole site could be destroyed.
  9. Ideally no changes to the live website would happen in real time from an interface on the backend. There should be a staging site for maintaining back-ups, a higher level of security, also for code testing to make sure someone outside doesn't see underlying issues with the site while it is under development.
  10. Everyone who touches the website and web server needs to be on the same page in regard to safety. Downtime costs money all the way to the top.
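Step 7 makes two separate points: escaping (or better, parameter binding) stops a quote from turning into extra SQL, and that alone does nothing for content that is later redisplayed. The example below is added here and is not the post's code; it uses Python's sqlite3 as a stand-in for MySQL/PHP (mysql_real_escape_string and strip_tags play the roles of parameter binding and the input tag check here), with constructed sample input.

```python
"""Escaping for SQL is not the same as making content safe to display.
Store user text with a parameterised query, reject tags on input, and
HTML-escape on output. sqlite3 is used so this runs stand-alone."""
import html
import re
import sqlite3

TAG_RE = re.compile(r"<[^>]*>")

# Constructed inputs: one that alters the INSERT when concatenated, and one
# that is harmless to the database but dangerous to redisplay.
ROW_SMUGGLER = "x'), ('second row the user never typed"
STORED_MARKUP = "<script>alert(1)</script>"


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return db


def insert_unsafe(db, body):
    """The bug: concatenation lets a quote end the literal, so the rest of
    the input becomes part of the statement the database executes."""
    db.execute(f"INSERT INTO comments (body) VALUES ('{body}')")
    db.commit()


def insert_safe(db, body):
    """Parameter binding: the value travels separately from the statement,
    so quotes in it are stored as text, never parsed as SQL."""
    db.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    db.commit()


def looks_like_markup(body):
    """Input-side check (what strip_tags or a regex does in the post):
    refuse anything containing tags before it reaches the database."""
    return TAG_RE.search(body) is not None


def render_unsafe(db):
    """Redisplaying stored text verbatim: markup stored in a row becomes
    part of the page, the 'backdoor on redisplay' the post warns about."""
    return "".join(f"<li>{row[0]}</li>" for row in db.execute("SELECT body FROM comments"))


def render_safe(db):
    """Escape on output so stored markup is shown as text, not interpreted."""
    return "".join(f"<li>{html.escape(row[0])}</li>"
                   for row in db.execute("SELECT body FROM comments"))


def demo():
    """Run both halves and return the observable differences."""
    results = {}
    db = open_db()
    insert_unsafe(db, ROW_SMUGGLER)
    results["rows_after_unsafe"] = db.execute("SELECT COUNT(*) FROM comments").fetchone()[0]

    db = open_db()
    insert_safe(db, ROW_SMUGGLER)
    results["rows_after_safe"] = db.execute("SELECT COUNT(*) FROM comments").fetchone()[0]
    results["stored_literally"] = db.execute("SELECT body FROM comments").fetchone()[0]

    # Safe for the database is not safe for the page: bind it, then look at
    # what each renderer produces.
    insert_safe(db, STORED_MARKUP)
    results["unsafe_html_contains_script"] = STORED_MARKUP in render_unsafe(db)
    results["safe_html_contains_script"] = STORED_MARKUP in render_safe(db)
    results["markup_flagged_on_input"] = looks_like_markup(STORED_MARKUP)
    results["plain_text_flagged_on_input"] = looks_like_markup(ROW_SMUGGLER)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```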

That's all for now.

Thursday, September 27, 2012

"No Seriously... YOU HAVE BEEN HACKED."


So I find myself yet again trying to do the right thing... as I sit there on the phone with someone's customer support line trying to explain to them that someone has exploited their website (or mailing list provider)... usually with my hand on my forehead.

I have highly restrictive email account settings (on purpose) and do not use a "catch-all" account for non-existent email addresses. So when I sign up for a new account as a rule I go in and create a new email address specifically for the site at hand. This helps me track whether they're sticking to their Terms of Service.

Calvin Klein (Yes they're still around.)
The last time this happened was way back in May 2012 and I was registering for the Calvin Klein website. So I go in and set up ck@[mydomain_for_potential_spam].com and register for the mailing list. (Since I'm requesting this it's not spam.) Two hours later I get a spam (non-solicited) email to this address from a completely different site than Calvin Klein. I think to myself... that's fast!

So I contact customer support and explain to them that Yes, I did just register for the emails today. Yes I did just create this very email account today. Yes, nobody else but your website has this email address and I have only shared it with you. All other connections to make the account were "secure."

Calvin Klein follows up to say "our site is secure and there is no way it was anything on our end." This prompts a swift response stating "Your site is not secure in the truest form of the word on the Internet. You're not using any sort of encryption whatsoever, so if anyone wanted to read any traffic from your site all they would need to do is run a packet sniffer and they can read everything that transacts between your site and their machine and look for an exploit." (This is of course not the check-out portion of the site we're talking about.) I get no further feedback from them.

I think to myself... let me check on my end... so I close the CK account and open a new account called CK2. I go in and this time I register on a Mac (just on the off chance that my firewall didn't catch that I have random traffic communicating directly with my Windows box, or that my machine's firewall thinks some Trojan [something I installed on purpose that really infected me] is perfectly acceptable). Thirty minutes later, more spam for the newest address.

So I go in and take a look at all of the stuff that's being loaded on the CK site using a plug-in for Firefox called Firebug. There are (at the time) no fewer than 30 scripts running from the CK site... 4 of which keep off-site live open feeds (AJAX and the like). For anyone who doesn't know what this means, AJAX is a way for your browser to send information to a web server without you having to really enter anything. People can track your mouse movements, things you click on, all sorts of stuff. So on the CK site I narrowed it down to Omniture, Shoprunner, and a couple of others before I gave up (it takes a long time to create new email addresses and sign up for stuff when you're just curious)... also I don't want to create too much traffic and make them think I'm the one who took over their mailing form.
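The inventory the post took by hand in Firebug can be produced from the page source. This is an added example, not code from the original post or from any of the sites it names: it parses a constructed HTML page for a fictional shop at shop.example, lists everything the browser would fetch, and groups the off-site hosts (all invented names) so you can see which third parties get a foothold in the page.

```python
"""What does this page load, and from where? (added example, constructed sample page)"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: first-party code plus an analytics beacon, a shipping
# widget, a web font, a tracking pixel and an ad iframe. All hosts are invented.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="//metrics.analytics-vendor.example/s_code.js"></script>
<script src="https://cdn.shipping-widget.example/widget.js" async></script>
<link rel="stylesheet" href="https://fonts.example/css?family=Foo">
</head><body>
<img src="https://pixel.tracker.example/p.gif?u=123" width="1" height="1">
<iframe src="https://ads.network.example/frame"></iframe>
<script>fetch("https://api.shop.example/cart");</script>
</body></html>"""

# (tag, attribute) pairs that make the browser fetch something.
LOADING_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
                 ("link", "href"), ("embed", "src"), ("object", "data")}

class ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every fetching attribute, plus inline script count."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for key in ("src", "href", "data"):
            if (tag, key) in LOADING_ATTRS and attrs.get(key):
                # urljoin resolves "/js/app.js" and scheme-relative "//host/..." forms
                self.resources.append((tag, urljoin(self.page_url, attrs[key])))
        if tag == "script" and not attrs.get("src"):
            self.inline_scripts += 1

def host_of(url):
    """Hostname (no port) used to group resources by origin."""
    return (urlsplit(url).hostname or "").lower()

def first_party(host, site_host):
    """The site itself and its subdomains (api.shop.example) count as first party."""
    return host == site_host or host.endswith("." + site_host)

def inventory(html, page_url):
    """Summarise the page: total fetches, inline scripts, and third-party hosts by tag."""
    parser = ResourceCollector(page_url)
    parser.feed(html)
    site_host = host_of(page_url)
    third = {}
    for tag, url in parser.resources:
        host = host_of(url)
        if not first_party(host, site_host):
            third.setdefault(host, []).append(tag)
    return {
        "total": len(parser.resources),
        "inline_scripts": parser.inline_scripts,
        "third_party": {h: sorted(t) for h, t in sorted(third.items())},
    }

if __name__ == "__main__":
    report = inventory(SAMPLE_HTML, "https://shop.example/")
    print(f"{report['total']} fetches, {report['inline_scripts']} inline script(s)")
    for host, tags in report["third_party"].items():
        print(f"  third party: {host:40} {', '.join(tags)}")
```

A static parse misses what the scripts themselves load once they run (the live feeds the post saw in Firebug are opened from script, not from markup), so treat this as the floor, not the ceiling. The resulting host list is also the natural starting point for a Content-Security-Policy allow-list: every host that is not on it has no business loading code into your customers' browsers.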

So I respond to CK with a second notice that the same thing happened... copied customer support and the default admin@ and abuse@ accounts. I get a reply of "please leave our website alone, we have not been hacked." Oh well. (I still get random spam messages off of the custom CK emails.)

Enter Walthers

So I totally dig toy trains... they're quite a bit pricier than what I'm willing to pay, but Walthers is one of THE places to get trains if you're considering keeping the hobby alive. I get a print catalog and subscribe to their email newsletters (on the off-chance I win the lottery some day). So today I go into my email account and see a message in the Walthers folder for HVAC air handlers. I contact Walthers and the conversation goes something like this.

Me: "Hello, my name is Chris and I'm calling to let you know that I think your email mailing list has been compromised." (They could have sold my name... A.K.A. shared it with their business partners.)

Support person: "What makes you say that?"

Me: "I've set up a custom email account specifically for Walthers and have been receiving your newsletters for some time, but today I received a message I believe to be Spam at the address that I specifically set up to work with your company."

Support person: "What kind of spam message?"

Me: "Air handlers from Nicor Services."

Support person: "We didn't send that to you. I get Spam all the time... there's no way to stop it."

Me: "No, you don't understand... I only get messages on this email account from Walthers and have only ever shared it with your company, so either you have an infected machine, someone got to your main database of subscribers, or your list handling service was compromised."

Support person: "What's the email address?"

Me: "walthers@[mydomain_for_potential_spam].com"

Support person: "Well I get spam on my Walthers account all the time and I work at Walthers so it's not surprising that you would get spam too."

Me: "I think you're not getting what I'm trying to say."

Support person: "We send out to over 100,000 people every time we send a newsletter... I think we would have heard about it before now."

Luckily my other line started ringing so I had to hang up quick...

Common misconceptions about Online "Safety"

Note: Nothing online is completely "safe."
  1. Our website is secure
    Your website is only "secure" if you're using SSL. Your email is more than likely NOT secure unless you work for a bank and you're sending your email to another person inside the bank behind the company firewall... even then it's iffy at best because some of the firewalls will decrypt SSL so they can speed up the transfer. When you have a form on your website and someone hits submit, the site transmits that information over the Internet from their browser to your server. If your server stores the information through an encrypted channel, then it's "safe" only because the channel was encrypted. Anyone who was able to get the handshake keys at the start of the transaction could decrypt everything you've sent. If your site sends you an email containing the information, what happens is that the web server has its own email sending server... this server more than likely uses the standard email protocols and sends the message in what's called "clear text" or "plain text" if it's not configured to log into your server directly with SSL. Most mail servers allow the people sending the messages to send in clear text because it's faster and not everyone submits messages in SSL (or any of the other encryption protocols).
  2. We are a big company, we're invincible
    This is funny. I work with a lot of big companies. The reason the big companies are super successful is because the investors come in, take a look at operations and cut out everything that seems to be non-important. If you're not in a financial market then chances are your IT staff has been cut, just like everyone else's. Most IT guys that I've had the experience of working with are sort of "old-skool" in the sense that they learned what they do mostly on the job. Sometimes these guys have been at a company for eons and they started in some other department, learning the ropes as they go. If they've not been hacked, or if they're not resourceful enough to look stuff up, chances are they're not as up-to-date on the latest threats as most companies would like to believe... despite what they're being paid. It's a lot of work to read 25 blogs a day, check all of the latest security threat sites for zero-day attacks (attacks without warning) AND help Pat in HR figure out how to copy and paste (for the 25th time this week).
  3. We have a custom website, nobody knows about it except for the developers
    There are a couple of things that happen here... sometimes you do have a real custom site where it's been written from the ground up. If that's the case then there were definitely corners cut somewhere. Not everyone has the time to make sure that all of the form fields in every form being submitted conform to what you're expecting (it's almost impossible). The other thing I typically run into with "custom websites" are sites that were created with something like WordPress and then have a custom skin on the front-end. At some point in time the site goes down and then people start asking "How did this happen?" or "How can my site be infected by trackbacks when we don't even know what those are?" There are hundreds of thousands of lines of code in the "industry-leading" CMS systems out there. All of this code is available on the Internet and there are people overseas who have nothing better to do than look for an exploit and take advantage of some website.
  4. We don't have a very big company, someone's surely not going to target us.
    People who hack servers don't care about who they're hacking unless it's a site in the security industry or some large company where they can get "street cred." If you're not in those two categories most "hackers" won't make a distinction between your site and anyone else's... and herein lies the problem. You have a web server and you have server space somewhere in a server farm on the Internet. This server is publicly accessible from all over the world. In the industry we refer to it as real estate. If someone takes over your server, now they can use your real estate to do things like launch attacks, or steal information from your customers while they pretend to be you, or they can use your system to host something called a "bot net" for example. Botnets are hundreds upon hundreds of machines that have also been infected by some exploit and now answer to the main control server... in this case your web server. So there are a lot of reasons why someone who has a need might want to take over your server real estate. Unlike regular real estate, because you're on the Internet, location doesn't really matter, unless you're hosting a web server on dial-up, then you're "safe."
  5. "How come we've never heard about this before?" or the best of all... "We've never been hacked before."
    This may be true, but it all starts somewhere. The first step to fixing the issue is realizing that you have an issue.
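Misconception 1 above ends on the web server's own mail-sending path, which falls back to clear text whenever it is not configured to use an encrypted connection. The following added example (mine, not from the post) shows a form-notification sender that classifies what a mail server offers and refuses to transmit the submission unless the connection is protected: implicit TLS on port 465, or STARTTLS on the submission port with a verified certificate. Hostnames, credentials and the EHLO replies are placeholders or constructed.

```python
"""Refuse to hand form data to a mail server over a clear-text channel (added example)."""
import smtplib
import ssl
from email.message import EmailMessage

def submission_policy(port, extensions):
    """Classify the transport a server offers from the port and its EHLO keywords.

    `extensions` is the set of keywords the server announced in reply to EHLO
    (smtplib exposes them, lower-cased, as SMTP.esmtp_features after ehlo()).
    Returns 'implicit-tls', 'starttls' or 'cleartext'.
    """
    if port == 465:  # SMTPS: the TLS handshake happens before any SMTP command
        return "implicit-tls"
    if "starttls" in {e.lower() for e in extensions}:
        return "starttls"
    return "cleartext"

def build_notification(sender, to_addr, fields):
    """Render the submitted form fields as a plain-text mail message."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to_addr
    msg["Subject"] = "New form submission"
    msg.set_content("\n".join(f"{key}: {value}" for key, value in fields.items()))
    return msg

def send_form_notification(host, port, username, password, to_addr, fields):
    """Deliver a form submission by mail, but only over TLS with a verified certificate."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    msg = build_notification(username, to_addr, fields)

    if submission_policy(port, set()) == "implicit-tls":
        server = smtplib.SMTP_SSL(host, port, context=ctx)
    else:
        server = smtplib.SMTP(host, port)
        server.ehlo()
        if submission_policy(port, set(server.esmtp_features)) != "starttls":
            server.quit()
            raise RuntimeError(f"{host}:{port} offers no STARTTLS; refusing to send in clear text")
        server.starttls(context=ctx)
        server.ehlo()  # RFC 3207: the client must EHLO again after the upgrade
    with server:
        server.login(username, password)
        server.send_message(msg)

if __name__ == "__main__":
    # Constructed EHLO replies: a submission port that offers STARTTLS, and a bare relay on 25.
    print(submission_policy(587, {"SIZE", "STARTTLS", "AUTH"}))  # starttls
    print(submission_policy(25, {"SIZE", "8BITMIME"}))           # cleartext
    print(submission_policy(465, set()))                         # implicit-tls
```

The `RuntimeError` path is the whole point: a sender that silently continues after a missing STARTTLS extension is exactly the "send in clear text because it's faster" default the post describes. The same check belongs in any contact-form plug-in or CMS mail setting you inherit, because the default there is usually port 25 with no encryption at all.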
               
That's all I have for now. Hopefully this wasn't too wordy. Until next time, if someone says "we think you might have been hacked," there may be an off-chance that they're trying to help you out.
-Chris

Thursday, July 5, 2012

Search Engine Optimization is The Devil's fruit.

I do a lot of work on different websites and people are always impressed by how high we are in the search rankings. I tell people that I don't do anything special in order to achieve the proper ranking for my sites' content, but I understand how the search engines work and design accordingly. Because of this I'm rewarded for presenting all of my information in a way that the search engine can read, understand, and process; and for writing my content to gain the interest of the intended target market. When the visitors respond and stay on the site, it affirms to the search engine that they have provided a good result.

According to Dictionary.com, Search Engine Optimization or SEO is
"the methods used to boost the ranking or frequency of a Web site in results returned by a search engine, in an effort to maximize user traffic to the site: The first step in search-engine optimization is to generate keywords that are relevant to your site's content. Abbreviation: SEO" (http://dictionary.reference.com/browse/search-engine+optimization)
In short, if we're not doing things the right way, we're tricking the search engine into ranking a page. There are companies that provide "SEO" services for websites that result in a lot of clients being down-ranked or unlisted.

What the search engine wants

This industry-standard practice isn't always in the Search Engine's best interest. As described by Larry Page, the co-founder and CEO of Google, the “perfect search engine” is something that “understands exactly what you mean and gives you back exactly what you want.” This would have to happen almost intuitively.

The bigger picture

In various languages there are different meanings for the same word. Out of context, the search engine has to determine what your intended search result was based on these various meanings, your dialect based on your region, and deliver the websites for the same keywords that show the appropriate level of stickiness (duration on page).

This is a huge undertaking on the part of the search engine, because not only are they trying to get the correct results for the search on the whole for their entire audience, but now they have to get the results right for individuals... people like me who look up a lot of stuff. So their approach is to follow habits through tools like Google Analytics, Google Search, Android Phones, various web browsers, Gmail accounts, online social network accounts, and blogs to get a better idea of who a person is... a profile if you will. When someone searches they can use previous search history to get the results they were looking for (You can opt out), based on search phrases from before. It's almost dynamic.

Because they're trying too hard (or maybe they're cutting corners), I've experienced searches where I'm looking for something, an exact phrase even, that I know exists and I never get the results I'm looking for. They're close, but hours daily have been wasted trying to find the correct results. If you're researching anything technical online you know what I mean.

The mistaken case for SEO

There is no perfect solution from a design standpoint for "Search Engine Optimization" because people are involved: everyone uses different phrasing, people change their minds, the definitions of words change, things lose popularity, and people alter their speech patterns over time. When a regular website isn’t designed properly (to present the information appropriately), as a last resort we have to perform SEO by definition to trick the search engine into displaying our site in the search results (or pay). When the search engine finds out we’ve tricked them, or that our site isn't in the best interest of the search engine's users for the keywords they're searching on, we are down-ranked in the results for the term. They have a blog about this.

So when someone pays for SEO-only services, they're really paying for a temporary fix to a major problem. Many companies have shorted themselves in terms of a web design and development budget, hired people who don't know the correct answers to the problem (or that the problem even exists), and don't want to pay people to write the information they need on the website to make sure they're providing valuable information to the search engines for their results and the end users. In essence they've crippled their growth.

The Solution

In the long run, because Google has a lot more money to throw at this problem than most companies, the companies will lose out by trying to trick the search engines over and over, whereas it's simply much more cost effective to do it right the first time and hire the proper talent. This will make the Internet a much better place.

  1. Write interesting content for the visitors that will keep them on the site and informed.
  2. Provide clues in the interface to the search engines that will help them to target your audience.
  3. Provide methods for your audience to share information about your site.
  4. Analyze your statistical traffic data and adjust accordingly.

A nibble of a little bit of knowledge from the old tree might lead one to be kicked out of the garden.

Sunday, May 20, 2012

Danger in the proliferation of QR Codes


You might have noticed more and more of these graphics popping up everywhere, from the packages you receive in the mail to the backs of toys, games, electronics, consumables, and even on billboards and ads throughout our societies around the world. They're everywhere and without the proper software you can't tell what they say until they've been decoded. QR codes are a relatively new way to encode information, usually for mobile devices, so the lazy masses can open a URL without having to type anything (it's one of the little things we're doing for the kids so their lives aren't as complicated as ours).

This could have been a virus.

This one specifically (above) is a QR code that I created with the website at qrcode.kaywa.com that says "This could have been a virus." And that would be correct. It could have been a virus, a link to a Trojan, or a link to who knows what, and in the wrong place at the wrong time, it could cause a lot of trouble. Let's say it's to an illegal website and you're on your network at work, and you open a webpage with one of your devices that you have been authorized to use on the company network. It could cost you your job. You could open a backdoor to your corporate network. If it's placed for you specifically to open, you could give someone your physical location (stalker) or information unknowingly. (Think forms that auto-complete and use AJAX, an acronym for Asynchronous JavaScript and XML, for processing)... by the time it opens, whoops, it's too late.

The problem is, because your phone, iPad, etc., can open a URL or a bit of code under the assumption it's something else, the codes can't always be trusted. See, the graphic itself is harmless. It's just a high-contrast collection of squares in a pattern that tell the decoding software which characters are meant to be represented when the code is translated. The problem comes back to people. A malicious individual could place a link to a website with a specially crafted payload or, better yet, a script that qualifies a device, then delivers a specially crafted payload to the device to take over the device, to steal information, or to simply implant something for the sake of tracking on the device (such as a cookie). This can all happen super fast and then the site can redirect you back to another site. It says flowers.com, I ended up on flowers.com, but what really happened in-between? In actuality the in-between part is commonly referred to as an XSS attack (Cross-Site Scripting), where one website is used to exploit the visitors of another.

So take it from someone with a devious curiosity when it comes to technology. The next time you see one of these things on a package or somewhere in the wild, before you scan it, think about what it is you think you're getting and whether the risk is worth it. If it's on a toy, you're probably okay, they're just going to track you or sell you more stuff, but if it's stuck to a pole next to Wrigley Field, you might be getting more than you bargained for.
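The "think about what you're getting before you scan it" advice can be made concrete: decode the code first, look at the text, and only then decide whether to open it. This added example is mine, not from the post. It takes the decoded string (what a scanner app or a decoding library hands back) and reports the things a practitioner would want to see before tapping "open": a non-web scheme that gets handed to another app, plain http, a user@host trick, a bare IP address, a punycode host, an odd port, or a parameter that carries a second URL for a redirect. Every payload below is constructed and every host is a placeholder.

```python
"""Triage the text decoded from a QR code before opening it (added example)."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

OPENABLE_SCHEMES = {"http", "https"}
# Schemes a phone hands to some other app (dialer, messaging, maps, app store, ...)
# or that a browser treats as code rather than as a page to visit.
HANDOFF_SCHEMES = {"tel", "sms", "smsto", "mailto", "geo", "market", "intent",
                   "javascript", "data", "file"}

def triage(payload):
    """Return (verdict, findings) for one decoded QR payload.

    verdict is 'text' (not a web URL), 'do-not-open' (scheme that is not a web
    page), 'caution' (web URL with findings) or 'looks-ordinary' (no findings).
    """
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if not scheme:
        return "text", ["not a URL; plain text payload"]
    if scheme in HANDOFF_SCHEMES:
        return "do-not-open", [f"'{scheme}:' hands the payload to another app, not to a browser"]
    if scheme not in OPENABLE_SCHEMES:
        if parts.netloc:
            return "do-not-open", [f"unfamiliar scheme '{scheme}:'"]
        return "text", ["not a web URL; plain text payload"]

    if scheme == "http":
        findings.append("plain http: the page and anything you type travel unencrypted")
    host = (parts.hostname or "").lower()
    if "@" in parts.netloc:
        shown = parts.netloc.split("@", 1)[0]
        findings.append(f"user@host trick: the real host is '{host}', not '{shown}'")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address, not a name")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode host: the characters shown may differ from the real domain")
    try:
        if parts.port not in (None, 80, 443):
            findings.append(f"non-standard port {parts.port}")
    except ValueError:
        findings.append("unparseable port")
    for key, values in parse_qs(parts.query).items():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            findings.append(f"parameter '{key}' carries another URL (possible redirect)")
    if len(payload) > 300:
        findings.append("unusually long URL")
    return ("caution" if findings else "looks-ordinary"), findings

# Constructed sample payloads, including the post's own QR text.
SAMPLES = [
    "This could have been a virus.",
    "https://flowers.example/deals",
    "http://flowers.example/go?next=https://other.example/",
    "https://flowers.example@203.0.113.5:8443/",
    "tel:+15555550123",
]

if __name__ == "__main__":
    for payload in SAMPLES:
        verdict, findings = triage(payload)
        print(f"{verdict:15} {payload}")
        for finding in findings:
            print(f"{'':15}   - {finding}")
```

None of these findings proves a code is hostile, and a clean result does not prove it is safe; a perfectly ordinary https link can still lead to a page you do not want your work device to load. The check earns its keep by putting the real host and scheme in front of you before the phone acts on them, which is precisely what a scanner that auto-opens takes away.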