It's Fixed in the Next Release

TD Bank Tries an End Run Around Site Tracking Blockers

nospam@example.com (Alan Langford) — Fri, 21 Nov 2008 14:21:26 -0600

I'm well aware of the value of site analytics. Most of my sites make extensive use of them. But at the same time I'm aware of a user's absolute right to not be tracked, be it anonymous or not. When it comes to my personal information, I'm usually happy to let most sites drop in a statistical tracking cookie, but I almost always set the lifetime of those cookies to "session only".

Basically, I'm happy to let someone know how I navigate their site, because that information is likely to result in improved usability. What I don't like is disclosing how many times I visit a site over a period of time, and what my multi-visit user patterns are like.

With browsers like Firefox and now even Internet Explorer providing easy tools to manage cookie acceptance and lifetime, more and more users who don't want to be tracked are limiting cookies. This is giving marketers a more challenging time and skewing their statistics. Poor babies.

Some marketers are fighting back. What's not commonly known is that Adobe's Flash Player lets sites store cookie-like information as well. Now Adobe hasn't quite caught up with the concept of individual liberties, so the default configuration of the Flash Player is to allow local storage without any explicit user permission. Adobe pretty much has a monopoly when it come to this sort of thing, so there's little incentive for them to change.

So now marketers who claim to seek to improve customer service have a method where they can gather data even if their customers have taken explicit steps to prevent it. News Flash: That is NOT good customer service! It's really rather offensive customer abuse.

Some time in the past few months, TD Bank decided to join the ranks of companies who have elected to bypass their customer's wishes. I recently connected to my online banking site, and got asked for permission to allocate local storage to an invisible bit of Flash. So I cranked open the page and found this link: https://easyweb46w.tdcanadatrust.com/dojo111/dojox/storage/Storage.swf?baseUrl=/dojo111/dojo/. At least its name reflects its purpose.

Anyone familiar with the big Canadian banks has become accustomed to dealing with these arrogant behemoths, protected from significant international competition by legislation, and reading from some version of a dictionary where the meaning of "service" is very different from the commonly accepted definition. Really the only surprising thing is that they haven't found a way to charge me 25 cents per byte of information that they want to store on my computer.

But you don't have to be subject to corporate whims. These things are configurable. Don't go looking through your browser, plugins or program settings for the control panel, though. Follow this link to your Flash Player control panel. This looks like a screen shot of what a control panel might look like, but don't be confused: it's a live presentation of your current settings. Click on the second tab, "Global Storage Settings". There's a reasonably good explanation of the settings below the panel, but if you move the slider to the left until it reads "None", then every site that tries to save data in flash will have to get your approval first. If you don't want to be asked, set the "Never Ask Again" check box. Then go to the last tab, "Website Storage Settings" to take a look at which sites have left tracking codes on your computer. Delete all the ones you don't trust.

Now you have control of your information again.

Liberal Hopeful Bob Rae Expects Three Years of Recession?

nospam@example.com (Alan Langford) — Thu, 20 Nov 2008 19:25:01 -0600

Bob Rae announced that he will be seeking the leadership of the Liberal Party today. "I'm running because I believe I have the judgement, the character, the values and the experience to lead at a very difficult time in the life of our country," said Mr. Rae.

It's not exactly clear which leadership he's talking about. If he had said "a very difficult time in the life of our party," I would probably be in agreement. He and Michael Ignatieff are both pretty strong candidates, but I think Mr. Rae stands a better chance in a federal election. I find Ignatieff to be a little distant... he might very well make the best Prime Minister, but that's no good if you can't win an election. I also don't think Mr. Rae's much-discussed stint as Ontario premier is anywhere near the liability that it's been made out to be.

But watching today's press conference, I got the distinct impression that Rae is saying that he's got what it takes to be PM during hard economic times. So he's got some magic plan to win the leadership race and topple Harper's government in the next nine months or so — that would be quite a feat — or he expects the recession to last a good three to four years, the most likely time we'll be called to the polls again.

Now this downturn may very well last that long, but it sure doesn't look good to come out looking like that's your expectation. Looks like poor judgement, which makes the statement self-contradictory.
Continue reading "Liberal Hopeful Bob Rae Expects Three Years of Recession?"

The Anatomy of a Security Breach

nospam@example.com (Alan Langford) — Fri, 15 Aug 2008 11:15:16 -0500

"Joomla!" had an extremely serious security issue arise earlier in the week. I'm pretty deeply involved in the project, and I happened to be on the Bug Squad chat when the news broke. The issue was not a SQL injection problem, as many sources have assumed but reported as fact. Ironically, it had to do with defeating a session security feature. The security problem was a programming error. "Joomla!" goes through extensive procedures to defend against SQL injection, and from version 1.5 onward, such a vulnerability in the core code is highly unlikely. [Extensions are another matter. I strongly recommend that users only install open source extensions that have either been audited or that have broad community support.]

Even though this problem caused a fair bit of damage, I'm very proud of how the "Joomla!" team responded to the problem. This was a worst-case scenario: the exploit was published with no advance notification, and it was dead simple to implement.

The first we heard of it was a post on the Dutch "Joomla!" forums. One of the Bug Squad team mentioned this in chat on August 12th at 15:50 EST. We immediately took steps to verify the issue, and then once confirmed, to remove the details from the forum post. A patch was made available for testing at 16:10. A full package release was made available for testing at 18:19. Announcement of the release was made on joomla.org at 18:57, and by 19:40 update packages were also available. That's three hours and 50 minutes from report to full public release. If that's not a record I'll be surprised.

What is distressing is that a large number of security focused sites reported this as a SQL injection vulnerability, along with a variety of other erroneous or misleading information. Almost a week later, many have corrected their errors, but several have not. Considering that the "Joomla!" team responded so quickly, and that complete information was posted as the first item on the joomla.org web site before the exploit became widely known, this suggests that many of these sites simply repeated each other's misinformation, rather than taking even the smallest steps to verify the report.

Granted a sample size of one event is not sufficient to draw conclusions, but if this is any indication of how "trusted" security information sources behave, then it is no wonder that whole security field has a serious credibility issue. These kinds of reports are extremely serious matters, with a lot of potential for damage. Certainly the timeliness of information is critical, but hopefully not at the expense of accuracy. The security community has a deep obligation to perform the simplest verification of facts before rushing to publication.

Paris Hilton Gives Republicans a Lesson in Internet 101

nospam@example.com (Alan Langford) — Thu, 07 Aug 2008 12:11:28 -0500

I kind of like republican Presidential candidate John McCain — as a person. He seemed to have great personal integrity until last week, when his campaign started running attack ads against his Democratic opponent, Barack Obama.

Unfortunately for him, this ill-advised manoeuvre seems to have been engineered by a bunch of old dinosaurs who are completely out of touch with the reality of the Internet. I guess nobody told them that big television advertising dollars no longer get you exclusive access to the attention of the populace. Oops.

The McCain ads sandwiched Obama's image with those of Britney Spears and Paris Hilton, deriding him as a mere celebrity, not ready to lead. I've always maintained that Ms. Hilton plays her public image as a lot dumber than she really is (don't get me wrong, I'm not giving her Rhodes Scholar either), and this week Paris Hilton shot back at the use of her image in that ad.

Analysts have said that the main advantage of the McCain ads were that they got widespread news coverage, and that having segments of them lead the news gave them huge extra exposure at no cost. Unfortunately for them, it looks like Hilton's spoof, likely shot for a few tens of thousands of dollars and featuring McCain being referred to as "wrinkly white-haired guy", is going to get almost as much exposure.

In general, I think attack ads are crass and desperate (particularly when run by a party that is in power outside an election, but that's another post entirely), and it's good to see them backfire. The only real downside of this parody is that there will probably be an embarrassingly large number of ballots filed in November with Paris Hilton as a write-in candidate.

To conclude, here's the Internet 101 summary for anyone contemplating an attack ad:

In a wired world, be careful about where you lob the muck. It's a lot easier to fight back than you think.

RIP, SUV: Gas Prices Are "Getting There"

nospam@example.com (Alan Langford) — Mon, 09 Jun 2008 06:44:50 -0500

This weekend the Toronto Star announced the death of the SUV. One of the reasons this came up has to be the closing of the General Motors truck assembly line in Oshawa. It seems that as the price of gas gets above about $1.25 per litre (or $4/gallon in the U.S.), the number of people who "need" an unsafe gas guzzling SUV drops off pretty quickly. Now these same people "need" to unload their luxury land barges. There's nothing like a flexible definition of needs.

This is a good start. There's going to be a lot fewer road trips in the family road boat this year. Some people will argue that this is a bad thing, that families should be able to get out there with their kids to see all that this vast country has to offer. These people haven't actually seen a family in one of these vehicles. The parents are happily enjoying their time "together" while each kid is in their own isolated space with individual DVD players and noise-reducing headphones. They see as much of the countryside in their basements. Besides, a lot of travel options remain open. Our geography is every bit as dramatic from a train. Better yet, on a train it's a lot easier to get your kids to come out of their multimedia shells and look at something without risking a major accident.
Continue reading "RIP, SUV: Gas Prices Are "Getting There""

Malware Injection: More Fun With Skype

nospam@example.com (Alan Langford) — Thu, 29 May 2008 13:43:15 -0500

Skype screen capture

This one probably isn't new, but it's worth noting. An associate recently got this bogus "security warning". Appropriately named "irony", the message warns the user that "Security Center has detected Malware" and directs the user to a site where they can download a patch. Click on the image for a full sized version.

The "patch" will install malware on the user's computer. At least they can't forge the link as belonging to Microsoft, but this could easily fool an unsuspecting user.

The Single Best Way to Bust a Telephone Scam

nospam@example.com (Alan Langford) — Thu, 24 Apr 2008 12:57:06 -0500

This is simple and effective. If you suspect that the company who is calling you is not legitimate, ask the caller for their web site address.

If the call is a fraud attempt, the "agent" probably won't be able to give it to you. One of these things will happen:

They won't "remember" it. For extra bonus fun, ask them if their sales manager knows it.
They'll give you a legitimate site that isn't theirs. Ask them to hold on while you pop it up. If that doesn't make them hang up, ask them where the information relating to their offer is. They might tell you it's an exclusive offer that's not available on the web, but if the site has nothing that seems to be related to the offer, it's a big warning that they're not telling the truth.
They'll give you a fake site that is theirs. This would be pretty stupid on their part, since it would provide the authorities with a path back to them. Do a search on the site to see what the world has to say about them. If they're not in the search index, then the site was probably set up a few days ago. More sophisticated users can do a whois lookup on them... look at the registration date. Also if the site owner is masked for privacy, you can be sure it's not a large established company. Either way, report the site to your local authorities as soon as possible.

These fraud schemes depend on leaving the smallest possible trail back to them. Legitimate businesses want to open as many possible channels of communication with their potential customers as possible.

So it's as easy as this: no web site equals no legitimacy. Protect yourself.

Earth Hour: Little More than a Message

nospam@example.com (Alan Langford) — Sun, 30 Mar 2008 09:42:38 -0500

Earth Hour has come and gone. Overall it was pretty successful: the statistic I heard was that electricity consumption in Ontario was down by 8%.

What does that mean? From a pragmatic viewpoint, not a hell of a lot. From a political viewpoint, it's pretty significant. I don't have the numbers that project the percentage of the population that participated, based on an 8% reduction, but I'll guess it's somewhere between 15% and 25%.

That's a lot of people sending a message. At this point it seems the big environmental problem is politicians. Most individuals get it, most corporations get it, but the politicians, who can actually manage the process of real change, just aren't there yet.

Maybe having as many as one in four voters demonstrate their commitment to change through Earth Hour will be enough to wake them up. I'm not holding my breath though.
Continue reading "Earth Hour: Little More than a Message"

I'm Boycotting the Olympics

nospam@example.com (Alan Langford) — Thu, 27 Mar 2008 08:00:47 -0500

There was a time when the events unfolding in Tibet would have caused rapid worldwide outrage, followed shortly by a flood of withdrawals from the Olympics.

But that was when China was of little economic importance.

I am dismayed at how flexible our collective principles are when it comes to the economy. It seems that the only time when a political leader has to be concerned about minor trifles — say for example, killing off a few tens of thousands of people from that pesky tribe next door — is when they're not either producing oil or keeping those same tribe members working 16 hour days to make cheap clothing.

So it is with China. Most of the West is enjoying a great standard of living(*) thanks to China. Their leaders know this well. They may even be rubbing it in our faces. Or maybe they're just rubbing the 1938 games in our faces and laughing.

Are we going to actually support the principles of Human Rights and take a stand? What, and pay more for consumer goods as a result? In the pocketbook versus principles battle, it looks like pocketbook wins, no contest.

If politicians are unwilling or unable to act, it's up to the people. A small step though it may be, I'm opting out of the Olympics this year. This summer I'll be watching something else.

There's also a few companies who have lost my business: Coca-Cola, GE, Johnson&Johnson, Lenovo Group, McDonalds, UPS, Panasonic, Swatch, Samsung... at this point, the Olympic logo on any product is an icon for "don't buy me".

Last but not least, there's a Facebook group that expresses similar sentiments. I don't agree with everything they say, but they're close enough and are the largest of a handful of similar groups. Join them and be counted.

* I mean this in the "wow, this is inexpensive" sense, not in the formal economic sense.

Viral Marketing from a Venture Capital Company?

nospam@example.com (Alan Langford) — Fri, 07 Mar 2008 12:56:08 -0600

Two interesting things about viral marketing:

In a lot of cases, you can't even be sure if there was originally a marketing intent behind it.
Just about any business can wind up as the subject of a viral "buzz".

That's any business, even including a Sand Road Venture Capital firm. Take a look at this "Anti-Portfolio" from Bessemer Venture Partners.

I've had that link sent to me via IM twice today. That's buzz.

Why does it work? It's true, it's funny, and it's out of the box. Every VC I've met to date seems to like to put forward the image of near-prescient infallibility. Openly admitting to your mistakes, and naming names is an utter reversal of this image-making. It is so novel and unusual that it's immedately worth passing along. Not only that but it instantly humanizes the entire firm and makes them seem like the sorts of people you'd like to pitch to first.

Its both superb and brilliant — be it intentional or not.

Online Shopping versus Traditional Shopping

nospam@example.com (Alan Langford) — Mon, 25 Feb 2008 13:36:49 -0600

It's interesting how often the question of online versus traditional shopping comes up. A friend asked me this earlier today and I gave him the same answer I've been providing for a decade now.

These days the response seems reasonable, but back in 1998 it was heresy. It used to be guaranteed to make a room full of start-ups and venture capitalists go dead quiet. Of course back then we were in the middle of the dot-com boom, when somehow geeks who don't like daylight managed to convince everyone that their concept of a good shopping experience was somehow universal.

So here it is:
Continue reading "Online Shopping versus Traditional Shopping"

Steve Jobs Just Loves Windows Vista!

nospam@example.com (Alan Langford) — Tue, 29 Jan 2008 22:55:51 -0600

As more Windows users cry "Help, I've been Vista whipped!", I thought that the introduction of the oppressive Windows Vista was going to be a boon for Linux.

I got the first part right. As Vista subverts your computer into a Microsoft Peripheral, subject to whatever whim "Balmer and The Boys" cook up, users have resisted. A large number of not-so-technical people I've talked to want to avoid Vista like the plague. [And in my opinion, rightly so.]

My assumption was that given reasonably priced hardware from several suppliers and completely free Linux distributions like Ubuntu, the discomfort with Vista would be the kick that finally pushed Linux into the consumer mainstream.

Not so.
Continue reading "Steve Jobs Just Loves Windows Vista!"

Open Source Changes Software Acquisitions

nospam@example.com (Alan Langford) — Tue, 29 Jan 2008 08:25:32 -0600

It used to be that when one software company acquired another, it was frequently as much an acquisition of a customer base as it was one of technology. Often it was a "strategic acquisition" which frequently meant taking a competitor out.

These sorts of acquisitions are the worst: Some innovative company gives a major player a hard time by delivering a great product. It develops a fiercely loyal customer base. "Majorco" users start to ask "when are you going to implement feature X like 'Smallco' does"? Unfortunately feature X requires a complete re-write of the major company's fragile solution, and being constantly reminded of this is no fun. So what does the major player do? Simple, acquire Smallco and throw their technology away. All the customers who hated you now really hate you, but they now have no choice and the customer bleed stops.

As a customer I've had this happen to me more than once, and it sucks. I've dropped entire lines of business partially because I couldn't bear working with the purchaser's sorry-ass excuse for a product.

The integration process must be something else in these situations too. The guys who run Smallco are now rich. They have a contract that makes them hang around and say nice things about Majorco for a couple of years. Then they can go off and do what they want. The rest of the staff, at least those who survive "cost efficiencies", have a choice of working with a product they probably hate, or finding new employment.

In the open source era, customers are defended from this sort of thing.
Continue reading "Open Source Changes Software Acquisitions"

OpenProj: Proprietary Spin Meets Open Source Product

nospam@example.com (Alan Langford) — Thu, 17 Jan 2008 18:56:34 -0600

Notification of the 1.0 release of OpenPrjoj came through my news feed recently. The contents were a typical press release. The release quickly gets to making the statement "Projity announced the initial OpenProj beta in the Fall, over 200,000 users joined the beta testing in over 132 countries." Now this is interesting, because a news item just five days previous claims "OpenProj has now been downloaded over 200,000 times with deployments accelerating around the world."

It seems to me that someone has drawn an equivalence between "downloads" and "beta testers". What they can really claim is "200,000 tire kickers" or without the metaphor, "200,000 evaluations".

I can speak to this because I'm one of the people who downloaded it. I have to say that I was impressed, both with the concept and with the obvious level of effort that's been put into it.

I used it to import a Project file, with the intention of making some changes and printing a report. Although I was able to change the data, the report they produced was wholly inadequate. Butt-ugly, rasterized fonts, and so on. It sucked. I wound up exporting it to an OpenCalc file and reporting from there.

Now if I was a beta tester, I'd probably have provided some feedback to let them know about my experiences. If it was really a beta release (instead of just another one of thousands of projects with "v0.9" releases) you think it might have told me. After all user involvement is part of the "social contract" of open source.

I resent being placed in a group (or so it seems) that I never thought I belonged to. This press release smacks of the kind of marketing over-hype that isn't — and shouldn't — be associated with an open source project.

So make that "over 199,999 users".

Criminalize False Caller-ID Messages

nospam@example.com (Alan Langford) — Thu, 10 Jan 2008 10:37:45 -0600

Here's a crime for modern times: make the transmission of an intentionally false Caller-ID message a minor criminal offence.

There's an established mechanism for blocking identity through caller ID, namely the "Private Number" message. Therefore the only conceivable use of false information is to mislead the person being called. Most of the fraudulent calls I receive use bogus, rather than private numbers.

But what should the penalty be? How about something proportional to the impact on the victim? In and of itself, direct victim impact is pretty small, so how about three hours in jail per occurrence?

What, you say that's ridiculously low? Well then how about this: mandatory consecutive terms, no concurrent sentences. Fraudsters have to make a large number of calls in order to find victims (see footnote). Three hours in jail works out to about a year for every three thousand calls. These guys need to make tens of thousands of calls a day, so in a month or so they could easily rack up a sentence in excess of their entire lifespan.

A slap on the wrist for people who flirt with the idea, major hard time for the fraudsters. Works for me.

Footnote: One operation I led on started with an automated dialler, transfered to a "qualifier" who made sure I had a credit card, and then transfered to a "closer", who was none too thrilled when I finally admitted that I was deliberately wasting their time, eight minutes in.