Dark Reading Mailing List Compromised?

So I try to stay on top of the tech news in regard to exploits and security. One of the sites that I subscribe to is Dark Reading. It's more of a main stream sort of whitepaper delivery system for vendors but every once in a while I find something useful. They usually provide links to the real content and I go in search of something more informative on the topic, but they're a good starting point (unlike the 2600 Hacker Quarterly who publishes exploits directly on their pages).

As a hacker I'm paranoid about a lot of things. I see the system and I see all of the nuts, bolts, cables, users, and the complete infrastructure all at once. It's sort of a mind-numbingly overwhelming gift for information overload.

While I was Web Manager working at CertMag.com one of my responsibilities was configuring, securing, and learning the ins and outs of our StrongMail MTA and maintaining our mailing lists locally (amongst a bazillion other things). We had an offsite service that "maintained" our list, but there were a few ways that the list(s) could be captured by savvy listeners when we were submitting it or receiving it over non-secure or non-encrypted channels (think Wireshark). At the time we employed the services of Hallmark Data Systems, and they had several procedures and securities in place to make sure our list was "safe." Basically from what I gathered it was an offline database on an AS 400, although I think they were considering integrating some aspects online (for a fee of course).

We weren't controlling any sensitive information, unless you count names, addresses, titles, and email addresses as sensitive (I guess altogether it could be something because it was a loosely targeted list if you're into marketing). For the most part once that information was sent to the database house it was out of our hands and pretty much would never be seen again in its complete state unless we pulled an audit query. They managed providing the list to the printer that distributed the print versions of our publications and they would also email back to us a queried list of names and email addresses only matching certain criteria per publication (I think this was eventually accessible online after a while come to think of it). They would then update the lists for people who had opted out or unsubscribed for legal and advertising audit purposes. In short it's a big technical inefficient process.

Jump ahead 5 Years later, one of the major issues with web subscriptions today or services where you expect to get something for providing a little personal information is getting tons of stuff that you don't want. So how can you tell whether the unsolicited email you're receiving is random spam, from a sold list, from a compromised web form or from a hacked database? One of the ways I combat this myself is I create a custom email address for every site that I'm registered on. I think right now I'm up to 400 or something ridiculous like that. It's usually nothing anyone would guess... acronyms but not random gibberish. When I register for a new site, I give them a new address. If an email looks like a legitimate pass with something in the footer like "You're receiving this message because you subscribed for Dark Reading," then I know they sold it or it's a sister publication. By law any legitimate sending service is required to provide an opt-out.  Also when someone opts out there is a certain amount of time to stop sending that person messages or the fines could be steep (severely).

So today I'm going through my emails and I see a message to my Dark Reading account titled "Re:Re: sending servers /.../." Out of curiosity I open the message on a *NIX machine and it's an ad for "Highly Stable and Secure Bulk Email Servers for Email Marketing." Sort of ironic. The company that I subscribed with was exploited by a company that provides "Highly Stable and Secure Bulk Email" services that are apparently more secure than my subscriptions own service?

So out comes the magnifying glass. A reverse look-up of the sending server's IP address with ARIN.net goes back to 173.192.141.86 at SoftLayer in Texas. No domain information was provided on the handshake with my email server, so it's no doubt a compromised machine running a root kit or a slave app. The return-path goes to an email address at fillmore.com which is owned by Fillmore Real Estate in Brooklyn. It was more than likely either hacked or they could just be a bounce back victim of a spam reply at which point they're not even involved.

So I dig a little deeper.

There's an email address in the links only(no websites) that goes to 21cn.com. If you're familiar with ccTLDs or country-code Top Level Domains then you'll recognize "cn" as China. This is a .com TLD, so on a hunch I look up the domain in APNIC.net... returned no results, Network Solutions... no results, Ripe.net... no results, but Internic.net came back with very little information and a different whois server for the domain at whois.35.com. So I plug that in and found the registrant to be:

     21cn corporation limited domainmanage@21cn.com +86.2085264358 +86.2085265827
     21CN Corporation Limited
     2F,NO.52 Liuyunwu street,Tiyu Rd,East,Tianhe,Guangzhou,China
     Guangzhou,Guangdong,CN 510620

So apparently the Dark Reading website's database, or their database management service, or some machine at Dark Reading's HQ was "hacked" and their list stolen, because I've not received any bulk emails on that list where I saw any other "subscribers," like an accidental broadcast with everyone in the CC field or some rookie mistake like that. There is the chance someone might have run a cycler to guess my own email address, but it's unlikely since I have a lot more email addresses that begin with letters other than "D" prior. Since it's only been provided to Dark Reading and it's a receive-only alias account I know it is not an issue on my end because that address isn't stored anywhere. If someone gleaned it from my mail server on the off chance they were listening to the data center in California then I'm sure I would receive a lot more of these to all of my email addresses (aliases) on record.  If they're using a service like we were it also might have been compromised in the transfer between Dark Reading and their database managing service.

From a PR standpoint, it always looks bad when a website that publishes info about online security experts might not have an IT staff that implements what they read in their own material. Okay that might be a little harsh considering there are more important things to do like replace faulty mice or tell people their company provided laptop no longer works because they've dropped it one too many times, but I can almost guarantee I probably won't read about it in Dark Reading.

That's all for now.

New "Microsoft" Phising Scam

Today I received a phone call (Out of Area, Unlisted) from a guy with an Indian accent. He claimed to be from Microsoft and told me that they had received a message from my computer saying it was infected.

So I immediately replied:

"How did you get this phone number?"

His response:

"Because your ISP told us it was you and that it was your computer and when you register for Internet service they provide that information to us."

My retort (BSing of course):

"So Microsoft (someone who I haven't purchased anything from for 4 years) said my computer is infected, and you got my home phone number for my business account Internet provider?"

The guy hung up. I'm sure the rest of the phishing scam is that they are going to ask you to download something and install it to make sure your system is "clean." I myself am running an enterprise level anti-virus firewall (with subscriptions) and have AV installed on all of my Windows workstations and Virtual Machines.

According to Wikipedia:

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

The term "Phishing" first came about because a telephone or phone was used to fish for information. So the "PH" from "Phone" replaced the "F" in fish. Despite the Wikipedia entry, it is actually a part of "Phreaking" and not just possibly due to phreaking because a lot of phone privilege escalation involves a question and answer session with the phone network provider. There are all sorts of articles about Phishing and Phreaking in the older issues of the 2600 Hacker Quarterly now available at Amazon as an Kindle magazine subscription.

If you have a Mac / Linux based machine only, I probably don't have to say this but you can tell them you know they're full of it. If you have a "PC," Microsoft will NEVER contact you to tell you that you have a virus. They as a company, unless you're paying for some security service directly from them, would never take the huge effort to police the Internet and tell everyone that they're sending out a virus. That's not one of their core business motives.

There are all sorts of things that can be downloaded knowingly or unknowingly off of the Internet that contain back doors (where people can get into your machine), viruses (that give out information), slave systems (where people can make your computer work for them), and root kits (so your anti-virus applications that you are hopefully using can not detect of remove them).


Remember to NEVER provide any personally identifiable information about yourself over the phone to ANYONE who calls you unprompted (unless you are expecting the call).

SQL Injection Attack Precautions

I try to remain perceptive and learn from my own mistakes as well as the mistakes of others. I was reading an article on Dark Reading called "The SQL Injection Disconnection," a fluff article just for clicks that briefly mentions SQL Injection attacks and how hackers are talking about them to the same degree as DDoS attacks.

I was the Web Manager at CertMag.com for a couple of years and noticed a lot of different ways someone could harm a website with poorly written code. We had a forum written in Argentina, another forum product called vBulletin, and had even written our own custom forum at one time. When I took over the technical operations to my surprise there were five extra user accounts in the Microsoft SQL server and one database called "test" in Japanese that contained all sorts of content related to the adult video industry. Needless to say we had been "pwnd." Our server was serving who knew what and we were a sitting duck. Shortly before we switched to our upgraded vBulletin forum we were being injected every 3-4 hours with someone claiming prize.

When I went out to the server farm to my surprise there were no filters on the firewall at all to even try and prevent some of the attacks taking place; an IT oversight. Also the web server was on the DMZ rather than being filtered by our Enterprise Level anti-virus firewall. When I left this was all "fixed."

The problem with the disconnect in regard to SQL Injection isn't that people aren't aware of them or that people aren't taking notes. There is usually a disconnect in human communication. There is no one person who in most situations would ever cover each of the steps to make certain an SQL injection attack was preventable. More often than not the issue falls across several people who all have to do their part in order to make a nice "safe" system to prevent or mitigate SQL Injection attacks. I obtained a special insight into the issue by being lead developer, web manager, network administrator, and IT manager all over the course of about 6 months. It was an eye-opening mind-altering adventure that really made me come up with some very dark options someone could do to take down a server.

What is SQL?
Basically SQL stands for Server Query Language and is used more specifically in communications with database servers. When someone needs to insert into or pull information from a database they more than likely use some form of SQL.

So what is an SQL injection attack?
There are several varieties of SQL injection but they all usually involve someone finding an exploit in a system and loading something into the database. This might be a snippet of code that runs when the page is redrawn (quite common) or an SQL script that either rewrites all of the content in the database with something else or wipes out all of the content altogether. It may also add something to all of the content (eg. pharmaceutical links).

How does this happen?
The more frequent occurrences happen because some off-the-shelf (or open source) application being used was not patched. For example someone downloads and installs a copy of WordPress. A patch is released to fix a known issue with the software, but the person who is responsible for applying the patch does not. Someone then goes on the web and searches for WordPress websites and through trial and error discovers the unpatched site. They apply their code (more than likely downloaded off of the web somewhere) and then the page, site, or database is compromised. I use WordPress as an example, but this happens with almost all open source (public) content management systems at one point or another.

Who is involved or more importantly responsible for the failure?
It depends on the environment of the site being taken over. If the site is corporate, there are several roles that could be responsible for the downfall of the server.

1. Webmaster or IT person: If incorrect server permissions are set (meaning someone has read and write access through something like a search box) then the attacker could take over the website by installing a backdoor. Then they download the passwords for the database from the code they've exploited, now they can create their own.
2. Webmaster or IT person: If separate accounts for the web server application or if the server is executed under a Root account then this could compromise the physical box itself (IT would need to provide a new box or wipe and reinstall in the event of a root kit).
3. DBA, Webmaster, or Web Developer: If the web browsing user account being used to communicate with the database by regular web users has full or elevated database privileges then new tables could be created, existing tables deleted, all data destroyed, or rewritten.
4. Web Developer: If website forms do not filter or clean the inbound content before being inserted into the database the content can be compromised.
5. Web Designer or Web Developer: If the site uses a prebuilt script from someone else's site (open source or shared code) and the code is not inspected, it may contain backdoors which could allow code injection. An example for this might be someone using an AJAX filter to check incoming content before a client submits, but blindly trusting the content. AJAX would insert the content on the check and the site would then be infected.
6. Web Designer or Web Developer: Assuming people will always input proper expected information into a form is bad practice. If someone can inject Javascript into a site they can inject AJAX, backdoors, or worse.
7. CEO, Owner, or Board of Directors: If budget for building a website or maintaining an IT department is cut, low, or non-existent this can lead to poor programming and administrative performance when trying to complete the project on deadline. This can lead to poor planning which can also lead to bad code being written, faulty code being reused, or anyone cutting corners from IT all the way through the web designers.

So this is more of a systemic issue overall since there are several avenues that could lead to a server being exploited. The main issues start at the top in regard to deadlines and fall onto the people who set up the server, the user accounts, the database accounts, and the permissions on the server, the database, and the files for the website. Once this is passed over to the development team, planning and security strategies need to be implemented in order to create a site that functions and does not trust outside users ever.

Things to keep in mind.

1. If a person is able to inject code, but the account doesn't have the proper privileges then the code will not work.
2. If the code is written but restricted to a non-web-accessible directory, the end user cannot execute the code and the site will be a little "safer."
3. Not everyone who attacks your website will use your frontend code. They may not even use a browser. If you're a programmer and checking the validity of an insert, turn of JavaScript and see if you can exploit the site. (eg. If a phone number field for insertion into the database allows something other than a phone number it may throw an error showing your directory structure or bringing down your server or code briefly.)
4. People attack websites for various reasons to name a few: Web real estate (for serving content), prestige ("script kiddies"), competition (corporate or political), religious or idealist reasons (eg. Anti-American), and just because they're bored (hobbyists).
5. If a site is attacked, restoring the database doesn't remove the exploit, only the temporary blemish. If the site is not patched quickly the attackers are given time to experiment and take over more control of the server.

The best way to stop some of these attacks are for everyone involved to do their part completely. The following goes into more technical detail.

Steps to take to secure a server:

1. When the server is being installed or set up, the Web Server needs to have proper directory permissions assigned. There are several articles about this on the web.
2. When the database server is installed it should have its own user account.
   (This is usually the default for MySQL)
3. The administrative account(*NIX) for the web server should not be accessible from the web at all. (No Root SSH) I know it sounds like a no-brainer, but it happens.
4. In regard to MySQL, the administrative account for the database server should not be accessible from the web at all. (No web queries from Root or the main Admin account)
5. Ideally if the site has a backend (CMS) and a frontend then on the backend (which should be secured and NOT in a folder called "Admin" or "controlpanel") the site's interface should use an account that has the ability to select and insert... maybe even delete (not drop). No other permissions should be allowed. On the front-end of the site if there is some reason to insert (like statistical tracking) then THAT user needs to have Insert-Only access to that one specific table or special database. It should not be able to access any other accounts or databases.
6. If the site has no reason to insert from the frontend, then the frontend user needs select-only access.
7. When allowing the site to upload files into the database ALL content must be screened, filtered, and checked. For example just because someone uses a feature like mysql_real_escape_string in PHP, it doesn't mean that all content entered into the database is safe for display on the site. That function simply prevents someone from escaping SQL statements and concatenating their own statement to alter the database itself. They can still write a backdoor when the code is visible on the site again (redisplayed using PHP). Something like strip_tags or a language like Regular Expressions would need to be used to filter code on insertion AS WELL AS on execute.
8. The backend of the website should be as hardened or more-so than the frontend of the site. Many times developers will figure someone who is on the backend has been authenticated, but if someone compromises the system by leaving themselves logged in or by logging in from an unsecure location then the whole site could be destroyed.
9. Ideally no changes to the live website would happen in real time from an interface on the backend. There should be a staging site for maintaining back-ups, a higher level of security, also for code testing to make sure someone outside doesn't see underlying issues with the site while it is under development.
10. Everyone who touches the website and web server needs to be on the same page in regard to safety. Downtime costs money all the way to the top.

That's all for now.

"No Seriously... YOU HAVE BEEN HACKED."

So I find myself yet again trying to do the right thing... as I sit there on the phone with someone's customer support line trying to explain to them that someone has exploited their website (or mailing list provider)... usually with my hand on my forehead.

I have highly restrictive email account settings (on purpose) and do not use a "catch-all" account for non-existent email addresses. So when I sign up for a new account as a rule I go in and create a new email address specifically for the site at hand. This helps me track whether they're sticking to their Terms of Service.

Calvin Klein (Yes they're still around.)

The last time this happened was way back in May 2012 and I was registering for the Calvin Klein website. So I go in and set up ck@[mydomain_for_potential_spam].com and register for the mailing list. (Since I'm requesting this it's not spam.) Two hours later I get a spam (non-solicited) email to this address from a completely different site than Calvin Klein. I think to myself... that's fast!

So I contact customer support and explain to them that Yes, I did just register for the emails today. Yes I did just create this very email account today. Yes, nobody else but your website has this email address and I have only shared it with you. All other connections to make the account were "secure."

Calvin Klein follows up to say "our site is secure and there is no way it was anything on our end." This prompts a swift response stating "Your site is not secure in the truest form of the word on the Internet. You're not using any sort of encryption whatsoever, so if anyone wanted to read any traffic from your site all they would need to do is run a packet sifter and they can read everything that transacts between your site and their machine and look for an exploit." (This is of course not the check-out portion of the site we're talking about.) I get no further feedback from them.

I think to myself... let me check on my end... so I close the CK account and open a new account called CK2. I go in and this time, I register on a Mac (just on the off chance that my firewall didn't catch that I've random traffic communicating directly with my Windows box, or my machine's firewall seems to think that some Trojan [something I installed on purpose that really infected me] is perfectly acceptable.) 30 minutes later more spam for the newest address.

So I go in and take a look at all of the stuff that's being loaded on the CK site using a plug-in for Firefox called Firebug. There are (at the time) no less than 30 scripts running from the CK site... 4 of which keep off-site live open feeds (AJAX and the like). For anyone who doesn't know what this means AJAX is a way for your browser to send information to a web server without you having to really enter anything. People can track your mouse movements, things you click on, all sorts of stuff. So on the CK site I narrowed it down to Omniture,  Shoprunner, and a couple of others before I gave up (it takes a long time to create new email addresses and sign up for stuff when you're just curious)... also I don't want to create too much traffic and make them think I'm the one who took over their mailing form.

So I respond to CK with a second notice that the same thing happened... copied customer support and the default admin@ and abuse@ accounts. I get a reply of "please leave our website alone, we have not been hacked." Oh well. (I still get random spam messages off of the custom CK emails.)

Enter Walthers

So I totally dig toy trains... they're quite a bit more pricey than what I'm willing to pay, but Walthers is one of THE places to get trains if you're considering keeping the hobby alive. I get a print catalog and subscribe to their email newsletters (on the off-chance I win the lottery some day). So today I go into my email account and see a message in the Walthers folder for HVAC air handlers. I contact Walthers and the conversation goes something like this.

Me: "Hello, my name is Chris and I'm calling to let you know that I think your email mailing list has been compromised." (They could have sold my name... A.K.A. shared it with their business partners.)

Support person: "What makes you say that?"

Me: "I've setup a custom email account specifically for Walthers and have been receiving your newsletters for some time, but today I received a message I believe to be Spam at the address that I specifically set up to work with your company."

Support person: "What kind of spam message?"

Me: "Air handlers from Nicor Services."

Support person: "We didn't send that to you. I get Spam all the time... there's no way to stop it."

Me: "No, you don't understand... I only get messages on this email account from Walthers and have only ever shared it with your company, so either you have an infected machine, someone got to your main database of subscribers, or your list handling service was compromised."

Support person: "What's the email address?"

Me: "walthers@[mydomain_for_potential_spam].com"

Support person: "Well I get spam on my Walthers account all the time and I work at Walthers so it's not surprising that you would get spam too."

Me: "I think you're not getting what I'm trying to say."

Support person: "We send out to over 100,000 people every time we send a newsletter... I think we would have heard about it before now."

Luckily my other line started ringing so I had to hang up quick...

Common misconceptions about Online "Safety"

Note: Nothing online is completely "safe."

1.  Our website is secure
   Your website is only "secure" if you're using SSL. Your email is more than likely NOT secure unless you work for a bank and you're sending your email to another person inside the bank behind the company firewall... even then it's iffy at best because some of the firewalls will decrypt SSL so they can speed up the transfer. When you have a form on your website people and someone hits submit, the site transmits that information over the Internet from their browser to your server. If your server stores the information through and encrypted channel, then it's "safe" only because the channel was encrypted. Anyone who was able to get the handshake keys at the start of the transactions could decrypt everything you've sent. If your site sends you an email containing the information, what happens is that the web server has its own email sending server... this server more than likely uses the standard email protocols and sends the message in what's called "clear text" or "plain text" if it's not configured to log into your server directly with SSL. Most mail servers allow the people sending the messages to send in clear text because it's faster and not everyone submits messages in SSL (or any of the other encryption protocols).
2. We are a big company, we're invincible
   This is funny. I work with a lot of big companies. The reason the big companies are super successful is because the investors come in, take a look at operations and cut out everything that seems to be non-important. If you're not in a financial market then chances are your IT staff has been cut, just like everyone else's. Most IT guys that I've had the experience of working with are sort of "old-skool" in the sense that they learned what they do mostly on the job. Sometimes these guys have been at a company for eons and they started in some other department, learning the ropes as they go. If they've not been hacked, or if they're not resourceful enough to look stuff up, chances are they're not as up-to-date on the latest threats as most companies would like to believe... despite what they're being paid. It's a lot of work to read 25 blogs a day, check all of the latest security threat sites for zero-day attacks (attacks without warning) AND help Pat in HR figure out how to copy and paste (for the 25th time this week).
3. We have a custom website, nobody knows about it except for the developers
   There are a couple of things that happen here... sometimes you do have a real custom site where it's been written from the ground up. If that's the case then there were definitely corners cut somewhere. Not everyone has the time to make sure that all of the form fields in every form being submitted conform to what you're expecting (it's almost impossible). The other thing I typically run into with "custom websites" are sites that were created with something like WordPress and then they have a custom skin on the front-end. At some point in time the site goes down and then people start asking "How did this happen?" or "How can my site be infected by trackbacks when we don't even know what those are?" There are hundreds of thousands of lines of code in the "industry-leading" CMS systems out there. All of this code is available on the Internet and there are people overseas who have nothing better to do than look for an exploit and take advantage of some website.
4. We don't have a very big company, someone's surely not going to target us.
   People who hack servers don't care about who they're hacking unless it's a site in the security industry or some large company where they can get "street cred." If you're not in those two categories most "hackers" won't make a distinction between your site or anyone else's... and here-in lies the problem. You have a web server and you have server space somewhere in a server farm on the internet. This server is publicly accessible from all over the world. In the industry we refer to it as real estate. If someone takes over your server, now they can use your real estate to do things like launch attacks, or steal information from your customers while they pretend to be you, or they can use your system to host something called a "bot net" for example. Botnets are hundreds upon hundreds of machines that have also been infected by some exploit that now answer to the main control server... in this case your web server. So there are a lot of reasons why someone who has a need might want to take over your server real estate. Unlike regular real estate because you're on the internet location doesn't really matter, unless you're hosting a web server on dial-up, then your "safe."
5. "How come we've never heard about this before?" or the best of all... "We've never been hacked before."
   This may be true, but it all starts somewhere. The first step to fixing the issue is realizing that you have an issue.

               

That's all I have for now. Hopefully this wasn't too wordy. Until next time, if someone says "we think you might have been hacked," there may be an off-chance that they're trying to help you out.

-Chris

Search Engine Optimization is The Devil's fruit.

I do a lot of work on different websites and people are always impressed by how high we are in the search rankings. I tell people that I don't do anything special in order to achieve the proper ranking for my sites' content, but I understand how the search engines work and design accordingly. Because of this I'm rewarded for presenting all of my information in a way that the search engine can read, understand, and process; and for writing my content to gain the interest of the intended target market. When the visitors respond and stay on the site, it affirms to the search engine that they have provided a good result.

According to Dictionary.com, Search Engine Optimization or SEO is

"the methods used to boost the ranking or frequency of a Web site in results returned by a search engine, in an effort to maximize user traffic to the site: The first step in search-engine optimization is to generate keywords that are relevant to your site's content. Abbreviation: SEO" (http://dictionary.reference.com/browse/search-engine+optimization)

In short we're tricking the search engine to rank a page if we're not doing things the right way. There are companies that provide "SEO" services for websites that result in having a lot of clients downranked or unlisted.

What the search engine wants

This industry standard practice isn't always in the Search Engine's best interest. As described by Larry Page, the co-founder and CEO of Google, the “perfect search engine” is something that “understands exactly what you mean and gives you back exactly what you want.” This would have to happen almost intuitively.

The bigger picture

In various languages there are different meanings for the same word. Out of context, the search engine has to determine what your intended search result was based on these various meanings, your dialect based on your region, and deliver the websites for the same keywords that show the appropriate level of stickiness (duration on page).

This is a huge undertaking on the part of the search engine, because not only are they trying to get the correct results for the search on the whole for their entire audience, but now they have to get the results right for individuals... people like me who look up a lot of stuff. So their approach is to follow habits through tools like Google Analytics, Google Search, Android Phones, various web browsers, Gmail accounts, online social network accounts, and blogs to get a better idea of who a person is... a profile if you will. When someone searches they can use previous search history to get the results they were looking for (You can opt out), based on search phrases from before. It's almost dynamic.

Because they're trying too hard (or maybe they're cutting corners), I've experienced searches where I'm looking for something, an exact phrase even, that I know exists and I never get the results I'm looking for. They're close, but hours daily have been wasted trying to find the correct results. If you're researching anything technical online you know what I mean.

The mistaken case for SEO

There is no perfect solution from a design standpoint for "Search Engine Optimization" because people are involved, everyone uses different phrasing, people change their minds, the definitions of words change, things lose popularity, and people alter their speech patterns over time. When a regular website isn’t designed properly (to present the information appropriately), as a last resort we have to perform SEO by definition to trick the search engine into displaying our site in the search results (or pay). When the search engine finds out we’ve tricked them or that we’re not in the best interest for the search engine for the keywords their users are searching on, we are down-ranked in the results for the term. They have a blog about this.

So when someone pays for SEO-only services, they're really paying for a temporary fix to a major problem. Many companies have shorted themselves in terms of a web design and development budget, hired people who don't know the correct answers to the problem (or that the problem even exists), and don't want to pay people to write the information they need on the website to make sure they're providing valuable information to the search engines for their results and the end users. In essence they've crippled their growth.

The Solution

In the long run, because Google has a lot more money to throw at this problem than most companies, the companies will lose out by trying to trick the search engines over and over, whereas it's simply much more cost effective to do it right the first time and hire the proper talent. This will make the Internet a much better place.

1. Write interesting content for the visitors that will keep them on the site and informed.
2. Provide clues in the interface to the search engines that will help them to target your audience.
3. Provide methods for your audience to share information about your site.
4. Analyze your statistical traffic data and adjust accordingly.

A nibble of a little bit of knowledge from the old tree might lead one to be kicked out of the garden.

Danger in the proliferation of QR Codes

You might have noticed more and more of these graphics popping up everywhere from your packages you receive in the mail, to the backs of toys, games, electronics, consumables, and even on billboards and ads throughout our societies around the world. They're everywhere and without the proper software you can't tell what they say until they've been decoded. QR codes are a relatively new way to encode information usually for mobile devices, so the lazy masses can open a URL without having to type anything (it's one of the little things we're doing for the kids so their lives aren't as complicated as ours).

This one specifically (above) is a QR code that I created with the website at qrcode.kaywa.com that says "This could have been a virus." And that would be correct. It could have been a virus, a link to a Trojan, or a link to who knows what, and in the wrong place at the wrong time, it could cause a lot of trouble. Let's say it's to an illegal website and you're on your network at work, and you open a webpage with one of your devices that you have been authorized to use on the company network. It could cost you your job. You could open a backdoor to your corporate network. If it's placed for you specifically to open, you could give someone your physical location(stalker) or information unknowingly. (Think forms that auto-complete and use AJAX - an acronym for Asynchronous JavaScript and XML for processing)... by the time it opens whoops, it's too late.

The problem is, because your phone, ipad, etc, can open a URL or a bit of code under the assumption it's something else, the codes can't always be trusted. See the graphic itself is harmless. It's just a high contrast collection of squares in a pattern that tell the decoding software which characters are meant to be represented when the code is translated. The problem comes back to people. A malicious individual could place a link to a website with a specially crafted payload or better yet a script that qualifies a device, then delivers a specially crafted payload to the device to take over the device, to steal information, or to simply implant something for the sake of tracking on the device (such as a cookie). This can all happen super fast and then the site can redirect you back to another site. It says flowers.com, I ended up on flowers.com, but what really happened in-between? In actuality the in-between part is commonly referred to as an XSS attack (Cross-Site Scripting) where one website is used to exploit the visitors of another.

So take it from someone with a devious curiosity when it comes to technology. The next time you see one of these things on a package or somewhere in the wild, before you scan it, think about what it is you think you're getting and whether the risk is worth it. If it's on a toy, you're probably okay, they're just going to track you or sell you more stuff, but if it's stuck to a pole next to Wrigley Field, you might be getting more than you bargained for.

Holiday Shopping Help - How to get the good deals.

Here's a cheat sheet for doing the math. In our household we do a lot of shopping (looking for the best deals). I have the ability to memorize prices items, quantities, and container packaging. Because of this I've noticed a bit of trickery. Around holiday time people are desperate for deals and sales and will unknowingly purchase things at a much, much higher price.  Some companies increase the prices a month or two in advance (in regard to Christmas, this can be as early as late September) to offer the item for the original price they are claiming is a new sale price. Here are a few of the phrases that companies uses that aren't always intuitive, but seem like a good deal.

Buy 1 Get 1 Free = 50% off of two.
You'll want to watch this, usually they've increased the price by double which makes it so you only get 25% off in the end. Not bad? Well, considering the items they do this to have a huge mark-up it's rare you'll get your money's worth.

Buy 1 Get 1 for $1 = 50% off of both plus $1.
Same as above, they've already increased the price astronomically and people are typically preoccupied with the plus $1 to think about what the original price was.

Buy 3 Get 2 free = 40% off of each. You're still paying 60% of the price for each. If it seems reasonable, then go for it.

Buy 1 Get 1 for 50% off = 25% off both.
Not a real deal if the place you're shopping is 25% higher than the competitor.

Be sure if you're going for a sale not to get lured into purchasing other items you might normally buy if they are going for a higher price. High sales also mean they have to make-up the cost, so that savings is spread around to other items in the store. Statistically, if you buy soda, and then Tuna Fish, Pizza or Toilet Paper, one of the items might be on sale, whereas the others will carry an inflated price.

It's a good idea to always look around for the best price before going out to shop.

Another trick I've noticed is varying quantity amounts. Some products (eg. Bullion Cubes) might be sold in 5 or 6 different quantity sizes at various stores. When you visit one store for price comparison, the price may seem lower, but you're getting a considerably less amount. Each package might seem like a scaled down version of the other and since the side-by-side counterpart offerings aren't available you might not be aware of the change in quantity. Sometimes this is a visual trick because although the front of the item is the same size and shape, the depth may have changed.

Another one of the tricks that companies do is when they change the package they've usually changed the quantity is some way or another. In regard to toilet paper, if there is a raised pattern on the paper this will cause less paper per roll. Toilet paper companies increase the diameter of the tube inside of the roll (to give you less paper), they change the sheet count so you get fewer sheets per roll in different arrangements, meaning if you buy 24 rolls you may be getting fewer sheets per roll than you do if you buy three 8 packs. Also look out for another change a shorter tube where they take up to an inch and a quarter off of one end of the roll.

Soda is bad for you and this year, they've introduced a new 20 pack instead of a 24 pack. They're still charging the inflated prices for the soda to begin with but it's harder for people to make the comparison. They also don't use the same measurements for comparison from one product line to the other (2 liters is 67 US Ounces) If you're comparing a 12-pack of soda (144 ounces) vs two 2-liters (134 ounces), then you'll get one fewer can. If the price for the two liter is 11/12ths (Price x .92) the price of the 12 pack then it's a deal. I always try to break down the price per ounce for a comparison in my head, but most phones have calculators as well.

If you're looking at the two prices for the comparison, consider the amount of gas and time it takes to shop at both places. If there is very little difference in price, then it might not be worth it to do a lot of comparison shopping.

The work around, buy items all year round. If you know you have special occasions to buy for, pick up the items on clearance after the holidays and put them in a safe place. If you are running a little behind, start shopping around August for December, you'll be well ahead of the price hikes. Also don't buy the latest technology Zero-day. Companies will usually drop the prices back down around May or June, so if you can live without it, you can save up to 25% of the cost in some cases.