Archive for the ‘Security’ Category
… and Pennsylvania, and Indonesia …
Once upon a time (early this morning, actually) there was a photographer who came across a lovely website called fotoLibra.
“Gosh,” he thought. “If I sign up I can upload my pictures to fotoLibra and if they sell I’ll make some money.” So he uploaded two pictures for nothing.
This very same morning a nice lady in New York found the same lovely website.
“Gee willikins,” she thought. “I’ll sign up, and what I’d like to do tonight is buy a photograph of some guitar strings, for 5000 corporate CDs in Europe.”
Within minutes another nice lady in Pennsylvania also discovered fotoLibra and signed up. “Now, let me see,” she mused, “I think tonight I’ll have a photo of some guitar strings on my commercial internet site for a year. Ah! Here we are! The very thing!”
And both ladies, by fortunate happenstance, had hit upon the same photograph, uploaded by our lucky new member in Indonesia only moments before.
What joy! Two satisfied customers and one happy photographer! And they all signed up within 30 minutes of each other! The picture was uploaded and sold twice before it had been online for half an hour. Job done by fotoLibra!
But then, far away on the other side of the world, a new day dawned, and deep in her feculent pit the great JACQUI NORMAN stirred. She pointed one terrible eye at the computer screen and in an instant spotted the improbability of such transactions.
“FF RR AA UU DD !!” she bellowed slowly and heavily, shaking the sere and devastated land around her lair.
As I write, there is no happy ending. The money — a fair amount, paid by credit card — will be deposited in the fotoLibra account by close of play tomorrow. In 30 days we have to pay the photographer.
And in four or five months HSBC will slowly realise there has been a fraudulent transaction and will remove the entire amount from our account without informing us first.
So maybe we won’t be paying this gentleman from Indonesia in 30 days. We’ll just hold on to the money for a little while, and see what happens.
We could be wrong.
But we don’t think so.
We have come across websites which are using fotoLibra images without paying for them. They are using watermarked Preview images, which anyone is at liberty to drag off the site, but not for commercial use.
I’ve borrowed the following piece in its entirety from Jacqui Norman’s May fotoLibra Newsletter because I think an important function of a picture library is not only to sell but also to guard and protect our photographers’ assets, and if we come across any unauthorised image usage it is our duty to harry and beset the perpetrators as best we can. In Britain we have the Small Claims Court which we will unhesitatingly use — overseas it’s more difficult, but there are ways and means — one of which Jacqui proposes at the end of her article.
The benefit for fotoLibra photographers is that a complaint from a company will usually carry more weight than a complaint from an individual. A company is generally perceived to have deeper pockets and better legal support than most individuals, and will usually be prepared to pursue trivial debts which a sole person may not be able to afford, in time or money.
We’re mainly talking here about image sales in the region of £25 / $40. This is not going to rescue Greece’s economy, but if our photographers are losing money through illegal usage, then so are we. We are going to do something about it — but you have to help us by following this procedure. Over to Jacqui:
fotoLibra Member Bob Crook alerted us when he found one of his images with a large fotoLibra watermark being used on somebody’s blog. He asked if we’d made the sale, and we hadn’t — the thief had simply stolen the lo-res watermarked Preview and posted it on her blog.
But Do Not Panic. Your original images are safe. They cannot be downloaded from the fotoLibra site without our knowledge. But anyone can drag Thumbnails and Previews off any website, which is why in our case they are protected with embedded metadata and, in the case of Previews, with embedded watermarks too. We don’t mind students using such images for free in dissertations and essays. If they want to use an unwatermarked version they have to pay, which of course outrages them because they think everything on the internet should be free.
If it’s not for student use, we charge. But how do you track down unauthorised usage of your images?
Here’s how Bob does it, slightly adapted to suit all fotoLibra members:
Open Google Images in one browser.
In another browser, go to your Portfolio in the fotoLibra Control Centre. Choose one of your images. Double click to enlarge it into a watermarked Preview image.
Highlight the image, and slide it onto the bar on the Google page.
It will take only a few seconds to search.
When it has finished you will see the image at the top of the page and a list underneath of where it is being used.
It also attempts to show you similar images by matching the colours. Sometimes this is impressive. Sometimes it makes you realise how alien a computer’s “intelligence” can be.
If you have some curiosity and spare time, please check through some of your images this way. If you do find evidence that one or more of your images is being used without your knowledge or consent, this is what we want you to do: Email me [that's jacqui (dot) norman (at) fotoLibra (dot) com] with a) the FOT number of your image, and b) the precise, full URL of where you saw that image being used.
We will contact the abusers and demand payment on your behalf. We can never guarantee success, particularly in overseas jurisdictions, but we can certainly frighten them, and we can name and shame them.
In fact — here’s a thought — if people don’t pay up, I might publish a regular Cheat List, where we can publicise URLs where any unpaid for fotoLibra Preview images appear, and fotoLibra members and friends can then comment on the probity and honesty (or otherwise) of the offending sites. What do you think?
Well Jacqui, I think it’s a good idea. Not a great one, because at heart I’m not confrontational, but if I sit down and think about this I can work myself up into quite a state of indignation. These people — I don’t know how many of them there are — are thieves. Bob Crook has found two, and checking through ten of my underwhelming images I have already found two which are currently being used illegally. That’s 20%. Admittedly I did choose ten images I thought might lend themselves most readily to theft. TinEye is another good way of uncovering shady image use.
I’m happy to name and shame any site which uses a fotoLibra watermarked image without permission. However I won’t rush straight in whirling my bat around my head because I’ve stepped up to the plate for young Bob before, when he claimed some publisher had used a fotoLibra image without permission. We investigated and discovered the image had been uploaded to fotoLibra three weeks after the book had been published — Bob had sold it through another picture library and had forgotten all about it. We had our ears torn off by a slider from the publisher and I don’t think we’ll be selling them any images for a while.
So we’ll tread softly. And carry a big stick.
We’re busy with our final preparations for fotoFringe London 2012, the picture buyers’ fair which is being held tomorrow in King’s Place, a newish office block and conference centre where The Guardian have their offices, near King’s Cross.
And it’s an article in The Guardian that I want to write about. A friend in Euskadi alerted me to this one (thank you Peta) because it’s one of my favourite topics — the freedom of photographers to use their cameras.
Stonehenge, Trafalgar Square, National Trust properties, a whole bunch of places in the USA — the list of places where photography is banned or restricted lengthens daily. Now, unsurprisingly, we can add the Olympic park in East London to the list.
I’ll never get to see this place because all my ticket applications have proved unsuccessful. However I am permitted to contribute substantially towards it through a hike in my London rates over the next ten years. So I’d like to see some pictures of it.
The Olympic venues are technically private property (purchased using our money, but when did that ever restrain our dear leaders?) so control can be asserted over what can and can’t be photographed within the precincts. But not on the public spaces surrounding the venue, of course.
The Guardian thought this could be interesting, so they sent a couple of photographers and a video to test the temperature of the waters. They struck lucky straight away when they ran into an incompetently and incompletely briefed security guard whose debating skills and command of English were no match for the fiercely well prepared Guardian hacks. He simply attempted to stop them filming in a public place. They refused. Reinforcements arrived.
And here — well, you know I’m on the side of the photographers, but this was outright provocation and harassment. The Guardian hacks were milling around, pushing for a reaction. But they came up against an intelligent, articulate and reasonable security supervisor who conceded they had a right to photograph on public land but as this was a sensitive area — the Olympic Park’s security centre — it would be most awfully kind of them if they could possibly desist.
The Guardianistas hectored and interrupted. They tried to photograph the armband name badge of an old fart security guard who looked worryingly like me, and he tore it off to prevent them. Bad move. The hacks loved it.
I want photographers to be able to photograph what they want when they want where they want, within reason and without causing offence, upset or danger. Yes, there are security concerns. Yes, there are privacy issues. I’m less impressed by the “we own it, therefore we should profit from it” brigade. I personally find paparazzi distasteful, and I believe they were the major contributing factor in the death of Princess Diana.
Our cause isn’t helped by photographers manufacturing an incident where none existed. But every movement needs an obnoxious vanguard.
Doesn’t it? What do you think?
Having been ripped off by a Nigerian scammer (details here) we asked our local MP Elfyn Llwyd (Plaid Cymru) if there was anything he could do to help.
He was as outraged as we were that the issuing bank knew of the fraud two months before coming to HSBC and demanding that $800 be removed from the fotoLibra account, by which time of course we had disbursed the money. He said he would write to the Chairman of HSBC.
Which he did. He received a reply from David Lewis, Head of HSBC Customer Relations, absolving the bank of any responsibility and arguing that it was fotoLibra’s fault for accepting ‘cardholder not present’ transactions. This amazing statement ignores the fact that 10.7% of all retail sales* are now made via the internet, every one of which is a ‘cardholder not present’ transaction.
Mr. Lewis concluded:
There are some steps the merchant/retailer can take to minimise the possibility of fraud, for example asking for the numbers in the post code of the card holder and only delivering to that address (as fraudsters often ask for the goods to be sent to another address other than that of the registered cardholder).
That might have been relevant if fotoLibra delivered boxed goods to physical locations. But we don’t. We permit the download of digital images to an email address. There’s no connection to any part of the credit card.
Maybe a credit card could be linked to a fixed email address which would form part of the verification process? No, that’s probably far too simple. Isn’t it?
We are most grateful to Mr Llwyd for his concern and his response. That’s exactly what MPs are for. Full marks.
*Office for National Statistics, February 2012
The perceived risk of buying and selling using a credit card on the internet was the biggest single barrier to the growth of the World Wide Web.
In the eighteen years since I launched my first web site, that fear has largely been allayed. Internet users who now won’t buy with credit cards are a tiny minority. If your card is compromised in any way, the banks and card companies will refund your money and issue a new card.
But what protection is there for the merchants? The punter must be recompensed — but the financial organisations aren’t going to be the ones who lose. Someone has to pay. It’s going to be the merchants.
Here’s the Dramatis Personae of our little play:
- Innocent Punter
- Evil Fraudster
- Innocent Merchant
- Innocent Photographers
- Innocent Credit Card Company
- Innocent Bank
This is what happened to us. On Nov 17 Evil Fraudster used Innocent Punter’s credit card details to buy six images — over $800 worth — from us, the Innocent Merchant, and download them to Innocent Punter’s apparent email address.
On Nov 25 Innocent Punter signed an affidavit to say his card had been used in a fraudulent transaction, i.e. the purchase of $800 worth of images from fotoLibra. Innocent Merchant isn’t told of this, either by the bank or the credit card company. All we know is that $800 has been paid into our account and the images have been downloaded.
The $800 payment appears on our next bank statement. Christmas intervenes, and we make all the payments to our photographers on Jan 21. The $800 payment is still visible in our bank statements.
This morning, Jan 31, we receive a letter through the post from the bank telling us there has been a fraudulent transaction involving a credit card payment on Nov 17 and they are removing the $800 to pay for it. So the status quo of the Dramatis Personae is now as follows:
- Innocent Punter — unscathed
- Evil Fraudster — 6 digital images the richer
- Innocent Merchant – $800 poorer
- Innocent Photographers – $400 richer
- Innocent Credit Card Company – unscathed
- Innocent Bank – unscathed
My questions are
- Who benefits from this fraud? Evil Fraudster gets 6 images (which haven’t been used as far as we can tell). Innocent Photographers get $400. Assuming the photographers aren’t linked to Evil Fraudster, they’re doing better than he is.
- We pay the credit card companies substantial annual fees for the privilege of using their service. If they authorise a payment, we have to take their word for it. We cannot check every individual credit card transaction ourselves — that’s what we pay them to do.
- So why is Innocent Merchant the only loser in this scenario? If the bank and the card company say ‘Here’s the money — spend it wisely’, how come they can snatch it back nearly three months after they’ve given it to us?
- Most importantly, if the fraudulent transaction was reported on Nov 25, why weren’t we informed till Jan 31? That is OUTRAGEOUS.
Damien our IT guru has traced the route the transaction has taken. Unsurprisingly it trails back to those bastard Nigerians again. They’re not doing their country any favours at all. Could anyone ever trust a Nigerian nowadays?
Obviously the villain of the piece is the rogue Nigerian, but I fail to see how he can benefit from the scam. Can anyone enlighten me?
The end result is that we’ll just have to wait longer paying photographers after making a credit card sale from someone we haven’t dealt with before. 99% of credit card sales made through fotoLibra are perfectly legit. In fact, this is only the second one that’s gone wrong. The first one was such a blatant blag that even I could see through it — someone in Brazil signed up as a photographer and uploaded 4 photographs. The following day someone else from Brazil signed up as a buyer and bought the four images for £2,000. We then should have paid the Brazilian photographer £1,000. But we had our suspicions. We waited. And the bank claimed back the money after three months. We were not compensated.
But I cannot figure this scam out.
There was an interesting blog posting by Paoga’s Graham Sadd recently on the perils of ignoring cyber crime.
For the last four weeks someone based in China has been registering as a buyer on fotoLibra.com.
Not once, but approximately every four minutes throughout the Chinese working day. It seems like a manual attack rather than an automated one, because although the fake addresses are all the same — Cherry Street Room 318 Atlanta Georgia USA 30332, which I think might be a lie — there are occasional spelling mistakes. It’s easy for us to block the attacks. But despite failing every time, they continue to trundle in every four or five minutes.
We hope we’re not complacent about online security. We do what we can to protect ourselves against such attacks, but what we can’t get our heads round is what can they hope to achieve through multiple registrations as a picture buyer on a picture library site?
At the very least they ought to try and buy a picture from us.
Cybercrooks are exploiting security flaws in Google Image Search to try to frighten people into buying evil software.
If you’ve ever seen a flashing banner saying something like “CAUTION — YOUR COMPUTER IS AT RISK” then you are a click away from being led down the path of perdition.
According to the SANS Internet Storm Center (always worth checking when a friend sends you another shouty email telling you yet again that some new bug has been classified by Microsoft as the most destructive virus ever) the villains have “compromised an unknown number of sites with malicious scripts that create Web pages filled with the top search terms from Google Trends.”
Click on an image, and there’s a possibility you’ll be routed to a page offering unverified anti-virus “scareware”, complete with misleading security alerts and warnings.
As far as we can tell, if you simply ignore the ads no harm will ensue. But of course we’re not experts, so we can’t be sure. Keep calm and shut your browser down. You can restart it straight away.
Apparently there are more than 5,000 hacked sites, injected on average with about 1,000 of these bogus pages. This means Google Images is referring about 15 million searches a month to these scam merchants — a mere drop in Google’s ocean, of course, but still a significant number.
There are free plug-ins available which will enable your browser to detect such evildoing. Check out NoScript for Firefox, and a chap called Denis Sinegubko is developing another Firefox plug-in that will flag malicious Google Image search results by placing a red box around images that appear to link to hostile sites, but I don’t think it’s ready yet.
Thanks to Netapplications.com for alerting me to this.
… is better known as SPAM, a sort of tinned meat. It’s a strange foodstuff, something I thought of as a product of the irretrievably grim British food rationing of the 1940s and 50s. But it turns out to be American, and some people eat it because they like it.
When Monty Python satirised the unimaginative British cuisine of the 1960s, they did a sketch in a restaurant where every dish was spam-based. This tickled the funnybones of early computer folk, and they would type “SPAM” over and over again to edge unwanted visitors off their primitive bulletin board sites. Once the verb “spamming” was coined, the force was unstoppable.
The key word of course is “Unwanted”. I do not want endless emails from China offering me Canadian pharmaceutical products (can’t see how that works) nor do I need any more chances to enlarge my manhood.
But if I sign up to an organisation, register with a business, give a company my details, join a club or become a member, I would expect to hear from that organisation. Especially if I’d paid a membership subscription. If I didn’t, I may simply forget about it — but if I’d paid, I’d want to know why I hadn’t heard from them.
Enter fotoLibra. It’s not compulsory to sign up to fotoLibra, just highly recommended. If you do, we will email you. And as a picture buyer or seller, what we send will be of interest to you. If it’s not, there’s a link at the bottom of every email which you can simply click on to be removed from our list. It also has our address so you can write and complain if we fail you.
What I’m saying is that we do not send out spam. People have signed up to fotoLibra, and we email them. Our problem is that a LOT of people have signed up to fotoLibra, and we simply cannot write to everyone individually, so we have to do what computers and email clients are very good at — sending one message to lots of different people.
Surprise, surprise. Lots of our innocent, requested emails get classed as spam. Of course we are to blame for some of it — we should never type the subject IN CAPITALS (apparently that’s popular among real spammers); HTML formatted emails (which ours are) send out alerts; bulk mailings are an obvious no-no. Trigger words such as ****, !!!! and %$%$ will often lead to blocked mail, even if used innocently.
Someone who will remain nameless recently sent out a fotoLibra Picture Call for photographs of guitars. Unfortunately she added an extra word commonly used in the publishing world to describe such books. Bang, bang, bang. Down came the shutters. The vast majority of ISPs blocked the mailing. As a result we only have 12 pictures of guitars to answer the call. Memo to self: get her to resend the call today WITHOUT the funny words.
Nevertheless it’s frustrating for us to mail people with information they genuinely want and then find our mailings are rejected. Some filters seem to be fairer than others, and I was particularly impressed by one company which sent us this message:
Your message was waitlisted.
Please add yourself to my Guest List so your messages will be delivered to my Inbox. Use the link below.
Click here to deliver your message
Boxbe (www.boxbe.com) prioritizes and screens your email using a Guest List and your extended social network. It’s free, it removes clutter, and it helps you focus on the people who matter to you.
Now that really does seem to screen out the professional spammers. HOWEVER — and this is a big HOWEVER — a quick search on the internet reveals a lot of people slagging off this company for spamming people themselves. I won’t be using it as a result, but it may suit some people.
So. Here’s our problem. Where is our solution?
Man joins fotoLibra as a Seller at 12:45 and uploads four photographs.
Another man in another country on another continent joins fotoLibra as a Buyer at 17:15 and immediately buys one of the new seller’s photographs for £140, paying by credit card.
Why am I suspicious?
Nobody has joined and made such a quick sale as this since last year, when a Brazilian signed up and uploaded five photographs, all of which were bought within two hours for comfortably large sums of money by another Brazilian who had just signed up the same day. He too paid by credit card. 89 days later the bank snatched back the money, all of it.
Have I the right to be suspicious?
Last week my credit card was refused (I was trying to buy several litres of Pimms). We contacted the card issuers and found a payment of £10 had been made a couple of days earlier to Oxfam. Not by me it hadn’t been. This was followed up by an attempt to pay a large Southern Electricity bill with the card, which had been rejected. We don’t have Southern Electricity. So the credit card was compromised — how? — and quickly cancelled. A replacement arrived yesterday.
If this transaction turns out to be fraudulent, we stand to lose £70. It’s not a huge amount of money, though God knows we could all do with it. If they are fraudsters — and how can I tell? — they’d have to do it many times over to make a living out of it.
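As an added example (not fotoLibra's code), the pattern in this post, together with the earlier decision to wait longer before paying photographers after a card sale from an unknown buyer, can be written as a payout-hold rule. The thresholds, field names and sample sales are assumptions constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds, not fotoLibra's own; tune them to your chargeback history.
NEW_ACCOUNT = timedelta(hours=24)    # how long an account counts as "just signed up"
FRESH_UPLOAD = timedelta(hours=24)   # how long an image counts as "just uploaded"
NORMAL_PAYOUT = timedelta(days=30)   # the 30-day payout the page mentions
HELD_PAYOUT = timedelta(days=120)    # assumed hold, longer than the 89-day clawback


@dataclass
class Sale:
    sale_id: str
    sold_at: datetime
    seller_joined: datetime
    image_uploaded: datetime
    buyer_joined: datetime
    buyer_settled_purchases: int  # earlier purchases that were never charged back
    paid_by_card: bool


# All four signals together: a new seller's fresh image bought at once by a new card buyer.
COLLUSION_PATTERN = {"new_seller", "new_buyer", "fresh_upload", "first_card_purchase"}


def risk_signals(sale: Sale) -> set[str]:
    """Return the names of the risk signals present in one sale."""
    signals = set()
    if sale.sold_at - sale.seller_joined <= NEW_ACCOUNT:
        signals.add("new_seller")
    if sale.sold_at - sale.buyer_joined <= NEW_ACCOUNT:
        signals.add("new_buyer")
    if sale.sold_at - sale.image_uploaded <= FRESH_UPLOAD:
        signals.add("fresh_upload")
    if sale.paid_by_card and sale.buyer_settled_purchases == 0:
        signals.add("first_card_purchase")
    return signals


def decide(sale: Sale) -> tuple[str, datetime]:
    """Return (decision, earliest date the seller should be paid)."""
    signals = risk_signals(sale)
    if COLLUSION_PATTERN <= signals:
        # Seller and buyer may be the same party: hold the payout and have a human look.
        return "review", sale.sold_at + HELD_PAYOUT
    if "first_card_purchase" in signals:
        # Unknown card buyer, known seller: pay, but only after the chargeback window.
        return "hold", sale.sold_at + HELD_PAYOUT
    return "normal", sale.sold_at + NORMAL_PAYOUT


# Constructed sample sales; the calendar date is invented, the times of day in S1
# follow the post (seller joins 12:45, buyer joins 17:15 and buys immediately).
DAY = datetime(2012, 6, 1)
SAMPLE_SALES = [
    Sale("S1", DAY.replace(hour=17, minute=20), DAY.replace(hour=12, minute=45),
         DAY.replace(hour=13), DAY.replace(hour=17, minute=15), 0, True),
    Sale("S2", DAY.replace(hour=10), DAY - timedelta(days=900),
         DAY - timedelta(days=200), DAY.replace(hour=9, minute=50), 0, True),
    Sale("S3", DAY.replace(hour=11), DAY - timedelta(days=900),
         DAY - timedelta(days=200), DAY - timedelta(days=400), 5, True),
]

if __name__ == "__main__":
    for sale in SAMPLE_SALES:
        decision, pay_on = decide(sale)
        print(sale.sale_id, decision, pay_on.date(), sorted(risk_signals(sale)))
```
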
We received the following email this morning:
As the owner of this rare car, I would request that this image be deleted from this site on the grounds of privacy.
If my car was parked outside my house and it was captured on Google’s street maps facility, at least they respect an individual’s privacy by blurring out vehicle licence plates. This aspect also extends to images in the media such as newspapers and TV broadcasts.
Additionally, I was not approached or contacted regarding the inclusion of my car for a third party’s financial gain.
I agreed to appear at this show because the organiser of this event is a personal friend.
Please respect my request – thank you.
This is a perfectly polite and reasoned request. But what is at stake here? We’re under no obligation to take down images because the subject of the photograph objects to his property being depicted. If he doesn’t want his car to be seen he shouldn’t take it out in public.
Yes, the photograph was posted on fotoLibra for the purpose of financial gain. We haven’t yet found someone who is planning a calendar of AC cars, but we always live in hope.
You can’t stop anyone taking and publishing a photograph of your house, and it’s a lot easier to find out who lives in a house than who owns a car. Just check the electoral roll, or the census. We as private individuals can’t find out who owns this car by looking at the registration plate (which we’ve pixelated out here).
©Geoff Alan France / fotoLibra
But private parking companies can get a driver’s name and address simply by submitting the vehicle registration number to the DVLA and filling in a form confirming that they are pursuing an alleged parking offence.
The DVLA charges £2.50 a time for details from its ‘confidential’ database of 38m drivers. Income from this lucrative sideline in selling our personal data has risen every year from £4.7million in 2004-5 to £9.2m for 2009-10.
The owner of the car might find more reason to complain about this collaboration than about an enthusiastic photograph in a picture library.
What do you think?