Recently in Software Category

Note: I heard back anonymously from a customer of iContact. Are they upset that all their customers' email addresses were stolen? Yes. But they aren't that worried about the impact, because they know that most of their customers will never realize that iContact or their company was the source of the leak. In other words, there is no incentive for bulk mail providers to improve security. An email address, particularly one associated with a particular set of services, is the means by which spammers target phishing attacks. It's the key to password resets, bank accounts, and more. Why are the security standards for email addresses any lower than they are for credit card numbers?

Every time a web site asks me for an email address, I use a unique address that includes their domain name in it. This makes it very easy for me to track when a company either misbehaves or its mailing list has been compromised. Of course, often the company sending me the mail is using a third-party email provider to deliver it, and here's the dirty secret.

When your email provider's database gets broken into and a spammer gets all of its customers' subscriber lists, they don't necessarily tell you, the client. And they certainly don't bother telling the poor sucker whose email address was stolen.
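An added example, not from the original post, of the tracking scheme described above: each site gets its own tagged address carrying that site's domain, and when one spam campaign lands on several of those addresses, the bulk-mail providers the hit sites are known to have used are intersected to find the common leak (the reasoning behind Case #2 below). The plus-addressing form, the sample addresses and the provider assignments are constructed for illustration.

```python
import re

# A tagged address looks like local+site.domain@mailbox.domain (assumption:
# plus-addressing; a catch-all domain works the same way).
TAG_PATTERN = re.compile(r"^[^+@]+\+([^@]+)@")

# Constructed for this example: every bulk-mail provider each site is known
# to have used. A site that switched providers keeps the old one listed,
# because the old provider may still hold (or have lost) its subscriber list.
SITE_PROVIDERS = {
    "fontgear.net": {"icontact.com"},
    "myhappyplanet.com": {"icontact.com"},
    "morrisonsoftdesign.com": {"icontact.com", "other-esp.test"},
    "helpareporter.com": {"aweber.com", "other-esp.test"},
}

# Constructed: the recipients of one identical spam message.
SPAM_RECIPIENTS = [
    "me+fontgear.net@example.com",
    "me+myhappyplanet.com@example.com",
    "me+morrisonsoftdesign.com@example.com",
]


def tagged_address(local, site, mailbox_domain):
    """Unique per-site address: the site's domain rides in the +tag."""
    return f"{local}+{site.lower()}@{mailbox_domain}"


def site_from_address(addr):
    """Recover the signup site from a tagged address, or None if untagged."""
    m = TAG_PATTERN.match(addr.strip().lower())
    return m.group(1) if m else None


def attribute_leak(recipients, site_providers):
    """Return (leaked sites, providers common to all of them).

    With two or more sites hit by the same campaign, a non-empty intersection
    points at a shared provider rather than at the sites themselves. With a
    single site the evidence cannot separate site from provider, so no
    provider is returned."""
    sites = sorted({s for s in map(site_from_address, recipients) if s})
    if len(sites) < 2:
        return sites, set()
    common = set.intersection(*(site_providers.get(s, set()) for s in sites))
    return sites, common


if __name__ == "__main__":
    print(attribute_leak(SPAM_RECIPIENTS, SITE_PROVIDERS))
```

Spammers sometimes strip a `+tag` before sending, so a catch-all domain where the site's name is the whole local part is more robust; the intersection logic is the same. One hit on a single address is deliberately inconclusive, since the site itself rather than its provider may be the leak.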

Case #1—AWeber
Starting December 2009, I began receiving spam to the address I use for the Help A Reporter Out (HARO) service. I filed a report with their existing bulk mail provider, but got no response. It turned out that HARO had only recently switched to this provider; the real culprit was their previous email provider. A discussion with Adam Shankman led him to research the issue and find out (from an article on the internet!) that his previous email provider had been compromised and all of HARO's email addresses had been fed to spammers. AWeber's subscriber list had been compromised, and they had told none of their customers until they started getting complaints.

Case #2—iContact
Today I noticed three identical spam messages to three different custom email addresses: the ones I had given to morrisonsoftdesign.com, fontgear.net and myhappyplanet.com. I went back and found that a) it had been going on for at least a few weeks and b) all three companies do, or have, used icontact.com to deliver their mail (morrisonsoftdesign.com switched providers at some point). So, in other words: if you have an account with morrisonsoftdesign.com, fontgear.net or myhappyplanet.com, or any other company that uses iContact, your email address has almost certainly been fed to the spammers. But don't blame the company you subscribed with; the culprit is iContact. Other iContact customers include (according to their web site) Peach Running Co., West Race Cars, Pro Mom Couture and 58,654 other customers with 577,545 email addresses. Feel free to let them know what you think of their ineptitude.

It's unconscionable that these companies are not notifying their own clients of data breaches, let alone the end-users who end up getting spammed. If any of them have a presence in California, it is probably also illegal.

Lauren Weinstein recently posted the following to his NNSquad Mailing List.

Example of how "de-Latinized" domain names can be subverted

http://bit.ly/6YbTBR  (Dean Collins' Blog)

Dean, the "fun" has only just begun.  Some of us have been warning of
this consequence for ... well ... pretty much since day one of the
concept.

As the character of Margo Channing (Bette Davis) so accurately warned
in "All About Eve":

"Fasten your seatbelts, it's going to be a bumpy night!"

To say the least ...

--Lauren--
NNSquad Moderator

The article starts off discussing the trademark issues when someone registers an identical word in a different language, but then hits the more critical (and long-anticipated) issue: it is now possible to register a domain name such as раyраl.com which, when pasted into your browser window, looks like "paypal.com" but actually contains Cyrillic letters (the р and а) and goes to an entirely different site.

Here's my take on the situation (I've sent this to Lauren, it may or may not appear in the mailing list).

Things like the alternate character sets in раyраl.com are one reason why I depend on browsers and/or packages like http://agilewebsolutions.com/'s 1Password (Mac & iPhone, formerly 1Passwd for you Unix geeks) or http://supergenpass.com/ (bookmarklet-based, cross-browser) to remember passwords. They aren't fooled by what the URL looks like; they only enter the password if the site actually has the same domain. That said, depending on a lack of feedback (the browser didn't enter the password automatically) is lousy security. I'm very surprised that the browser makers weren't prepared to at least provide a character set indicator on the URL (we all knew this was coming), not that it would make a huge difference for the majority of users.

I've become convinced that there is no UI solution to phishing. Password entry (or a completely different authentication model) needs to be done outside of the browser, and the interaction between the browser and the web site needs to be under secured program control. The system is too complex, and the possible failure modes so varied, that the average user simply cannot be expected to tell a legitimate error from a forged one. The other day my mother cut up her credit card because an online store said it wasn't valid, so she assumed it had expired. Presumably she either entered a typo, or their back-end was down (it was a valid site). No UI in the world is going to help when the system is too complex for the user to understand.

Solutions like 1Password and SuperGenPass work 90% of the time, until the domain name changes or the form field names change*; then you have to enter the info by hand. A secure certificate solution for filling out and remembering forms, per-site randomly generated passwords, and a protocol for passing the information back and forth might put a dent in the phishing market, but like spam and viruses, this isn't a solvable problem; it's an ongoing battle.

* And yes, obviously a software password repository creates a single target for all of the user's information. But given that most people use the same password for all sites, and those sites are in their browser history, I don't see the security issue as significantly different from the current situation.
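An added example, not code from the post or from 1Password or SuperGenPass, covering both the раyраl.com look-alike discussed above and the domain-bound password generation just described: it converts a hostname to its punycode form (the form a password tool should compare, since visually identical Unicode labels become distinct `xn--` labels), flags a label that mixes Unicode scripts, and derives a per-site password from that canonical host so the spoof and the real domain get different passwords. The sample hosts, the master secret and the HMAC-SHA256 derivation are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import unicodedata

# Constructed inputs (not from the post). In SPOOF the letters р and а are
# Cyrillic (U+0440, U+0430) while y and l are Latin; rendered side by side
# the two strings are indistinguishable.
SPOOF = "\u0440\u0430y\u0440\u0430l.com"
REAL = "paypal.com"


def to_ascii(host):
    """Canonical host a password manager should key on: lowercase IDNA
    (punycode) form. Look-alike Unicode labels become distinct xn-- labels."""
    return host.strip().rstrip(".").lower().encode("idna").decode("ascii")


def scripts_in(label):
    """Approximate the Unicode scripts used by one label from character names:
    'LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER ER' -> 'CYRILLIC'."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def is_mixed_script(host):
    """True if any label mixes scripts, the pattern in раyраl.com. Browsers'
    IDN display policies apply a similar check before showing Unicode."""
    return any(len(scripts_in(label)) > 1 for label in host.split("."))


def site_password(master, host, length=16):
    """Derive a per-site password bound to the canonical host, in the spirit
    of SuperGenPass. Assumption for this example: HMAC-SHA256 keyed by the
    master secret over the punycode host, base64, truncated; the real tools
    use their own derivation and also reduce hosts to the registrable domain."""
    digest = hmac.new(master.encode("utf-8"),
                      to_ascii(host).encode("ascii"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    for host in (REAL, SPOOF):
        print(f"{host!r:>24} -> {to_ascii(host):<24} "
              f"mixed-script={is_mixed_script(host)} "
              f"password={site_password('correct horse', host)}")
```

The mixed-script check is a heuristic: a label written entirely in Cyrillic look-alikes passes it, which is why browsers combine it with confusable tables and per-TLD allow-lists. Keying the password on the punycode host is what makes the spoof fail even when the check is fooled.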

I brought this up a while back when Apple first announced the store, but now that analysts are estimating possible revenues of $1+ billion in 2009, I think it's worth repeating.

Apple's App Store could emerge as $1.2B business by 2009 AppleInsider

Investment bank Piper Jaffray is urging investors who typically focus only on Apple's hardware announcements to also pay attention to the company's iPhone software strategy, particularly its upcoming App Store, which could balloon into a $1 billion market by next year.

Once you've gone to the trouble of setting up all the infrastructure necessary to sell, deliver and update applications—why stop with just the iPhone? You've done the hard work, everything else is just incremental costs. The Macintosh is the obvious next step, but there's no reason not to provide Windows applications as well. The market potential dwarfs that of just iPhone software.

The initial folks who stand to lose are places like Kagi and Digital River, who currently provide payment and (in some cases) delivery services for small software vendors. But they don't provide marketing, automatic updates, signed applications, and FairPlay copy protection. Apple is going to roll right over them; but they won't stop there.

See The iTunes Trojan Horse: Selling Applications for more thoughts on where Apple might go.


The new Leopard menu-search field under the Help menu is a great way to search your Safari history. Just click on help and start typing in the field. A list of menu items will show up. Don't worry that it doesn't seem to make sense, just use the arrow keys to move down, and you'll see the history menu appear with each of the matching items.
via Twitter

Once Apple has set up iTunes as a software store for the iPhone and iPod Touch, there is no reason they shouldn't leverage that functionality and presence to become the dominant software reseller for both Macintosh and Windows platforms.

iTunes has got to be the most inappropriately named application on the planet. Sure, you can play music, but it also synchronizes your photos, sends contacts to your phone and iPod, synchronizes your calendar with different services, lets you buy games for your iPod, and now will let you buy applications for your iPhone and iPod Touch. It is this last feature which particularly interests me.

iPhone applications will only be available via the iTunes store, to which the only interface is the iTunes application. All applications have to be approved by Apple, and all applications are digitally signed. This means that when you install an application on your iPhone, you know that it hasn't been modified from the time the application developer first gave it to Apple. That's a very nice feature from a security standpoint, and one that is also available to programs written for the Mac OS X Leopard operating system.

When Apple started selling music, the record companies didn't take them seriously, and never really saw what was coming. As a result, they lost control of the market for their music, and Apple gained the ability to become the number two music reseller in the United States. The only reason that Apple wasn't able to do this to the movie industry as well, is that the movie industry had been forewarned, and limited Apple's access to their content.

When I look at everything that Apple has to do in order to become a software reseller for the iPhone, I wonder whether they're really going to restrict their software to just the iPhone. The hard work in selling software for the iPhone has nothing to do with the iPhone itself. Apple has to set up marketing, digital signing, software evaluation, developer tools, download servers, software upgrade mechanisms, alpha and beta test processes, policies for handling sales and variable pricing, and all the other features that are expected of an online software store. After having gone to all this trouble, why is Apple going to stop with just selling software for the iPhone? Why not use the same software store to sell software for the Mac? For that matter, Windows Vista also has digital signing support. Given the vast numbers of computers, both Windows and Macintosh, that have iTunes on them, Apple automatically has a huge distribution mechanism for software, and a pre-installed application for marketing, advertising and downloading that software. On top of that, because of the digital signing, Apple can advertise the software as being safer to download than the software that is downloaded from other download sites.

If I worked at Kagi, Digital River, or one of the other companies that currently handle software sales and distribution (but not marketing), for independent software developers, I would start looking in my rearview mirror. Because iTunes is coming up fast, and has pulled out to pass.

(As a side note, this article was written using MacSpeech Dictate after only five minutes of training. It has worked extremely well, and I'll be writing a review shortly.)

I really like VisualHub's progress dialog. No "99% done" for 20 minutes. Instead: "Looks like I lied. It will be done when it's done."
VisualHub Progress Dialog

Seriously, it may be funny, but at least it's telling the truth. A progress bar that spends 90% of its time in the last 1% is of no use to anyone. It not only doesn't tell me what's going on, it makes me worry that something may have gone wrong. Amusing or not, this is a better approach.
New Patentable Idea - A Way to Invalidate Vague Patents Bits - Technology - New York Times Blog

There’s not much love in legal circles for the so-called “business method” patent, an exclusive intellectual property right over a novel way of doing business. Critics of such patents – think Amazon “One Click” or Priceline’s “name your own price” patents – argue that they clog up the U.S. Patent and Trademark Office, lead to excessive litigation and have little connection to real, physical invention.

Now the patent law community is closely watching one case in particular and speculating that federal judges could invalidate business method patents sometime this year. The case, generally known as re Bilski, involves a method for managing the risk of bad weather to crops by making hedged trades in the commodities markets. The twelve judges of the U.S. Court of Appeals for the Federal Circuit have agreed to hear the case en banc, or in a single joint session in May, and have suggested that they might reconsider the ruling on State Street Bank & Trust Co. v. Signature Financial Group Inc., which helped to inaugurate the age of business method patents a decade ago.

If you think legal circles don't have much love for "business method" patents, try bringing them up in software development circles. Far too many of these are things which anyone, sitting down to deal with a particular problem, would immediately come up with. We can hope that the Bilski case may change things, but I wouldn't anticipate anything earth shattering. As the article points out, the very concept of a "business method patent" is pretty vague; it's hard to ban something you can't define. Like porn, it's one of those "I know it when I see it" things.

However, if you'd like to help put an end to nuisance patents, there are a number of organizations you can support. Here are a few:


Meebo and Adium developers give their reactions to Open AIM 2.0.

The initial reaction seems to be that the provided libraries come with restrictions which make them unsuitable for use in most open source clients (like Adium) that use libpurple, a GPL'd multi-protocol IM library. However, the documentation of the OSCAR protocol may open the door to new implementations, and those in turn might finally be able to support audio and video chat. That would certainly be good news for users, as the lack of a video and/or audio solution is the one thing that leaves people torn between using default solutions like iChat and AIM as opposed to multi-platform solutions.

About this Archive

This page is an archive of recent entries in the Software category.



About Me

I'm the CEO/CTO of Somewhere, Inc., a company building a unified social networking layer that gives people the means to track their friends across multiple social networks.
Creative Commons License
This blog is licensed under a Creative Commons License.
