Archive for the ‘Security’ Category

The Cost of Complacency

September 26th, 2011

There was an interesting blog posting by Paoga’s Graham Sadd recently on the perils of ignoring cyber crime.

For the last four weeks someone based in China has been registering as a buyer on fotoLibra.com.

Not once, but approximately every four minutes throughout the Chinese working day. It seems like a manual attack rather than an automated one, because although the fake addresses are all the same — Cherry Street Room 318 Atlanta Georgia USA 30332, which I think might be a lie — there are occasional spelling mistakes. It’s easy for us to block the attacks. But despite failing every time, they continue to trundle in every four or five minutes.

We hope we’re not complacent about online security. We do what we can to protect ourselves against such attacks, but what we can’t get our heads round is what can they hope to achieve through multiple registrations as a picture buyer on a picture library site?

At the very least they ought to try and buy a picture from us.
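One way a site operator could surface the pattern described above (the same source registering every few minutes with the same postal address, occasional spelling mistakes included) from its own registration log. This is an added example written for this page, not fotoLibra's code: the log format, source IPs and sign-up timestamps are constructed, and the one-hour window, the three-registration threshold and the three-edit typo tolerance are assumptions.

```python
"""Flag registration floods: many sign-ups from one source with near-identical
addresses, tolerating the occasional typo. Added example, not fotoLibra's code;
the log format and all sample values are constructed for this page."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed registration log: ISO timestamp, source IP (TEST-NET range), submitted address.
SAMPLE_LOG = """\
2011-09-20T09:01:10 203.0.113.7 Cherry Street Room 318 Atlanta Georgia USA 30332
2011-09-20T09:05:22 203.0.113.7 Cherry Street Room 318 Atlanta Georgia USA 30332
2011-09-20T09:09:45 203.0.113.7 Cherry Stret Room 318 Atlanta Georgia USA 30332
2011-09-20T09:13:58 203.0.113.7 Cherry Street Room 318 Atlanta Gerogia USA 30332
2011-09-20T09:18:03 203.0.113.7 Cherry Street Room 318 Atlanta Georgia USA 30332
2011-09-20T10:30:00 198.51.100.4 12 High Street Harlech Gwynedd UK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, address) tuples from the constructed log."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, addr = line.split(" ", 2)
        entries.append((datetime.fromisoformat(ts), ip, addr))
    return entries


def normalize(addr):
    """Lower-case and collapse whitespace so trivial variations compare equal."""
    return re.sub(r"\s+", " ", addr.strip().lower())


def levenshtein(a, b):
    """Edit distance, used to treat 'Stret' and 'Street' as the same address."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_floods(entries, window=timedelta(hours=1), threshold=3, max_typos=3):
    """Report (ip, address cluster) pairs with >= threshold sign-ups inside any window."""
    by_ip = defaultdict(list)
    for ts, ip, addr in sorted(entries):
        by_ip[ip].append((ts, normalize(addr)))
    findings = []
    for ip, rows in by_ip.items():
        clusters = []  # [representative address, [timestamps]]
        for ts, addr in rows:
            for rep, times in clusters:
                if levenshtein(rep, addr) <= max_typos:
                    times.append(ts)
                    break
            else:
                clusters.append([addr, [ts]])
        for rep, times in clusters:
            # Sliding window over the sorted timestamps: peak count within `window`.
            best, start = 0, 0
            for end in range(len(times)):
                while times[end] - times[start] > window:
                    start += 1
                best = max(best, end - start + 1)
            if best >= threshold:
                gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
                findings.append({
                    "ip": ip,
                    "address": rep,
                    "count": len(times),
                    "peak_in_window": best,
                    "median_gap_s": sorted(gaps)[len(gaps) // 2] if gaps else None,
                })
    return findings


if __name__ == "__main__":
    for f in find_floods(parse_log(SAMPLE_LOG)):
        print(f)
```

The median gap between sign-ups is the useful output: a steady gap of a few minutes from one source and one address cluster is what the post describes, and it is a better blocking key than the address alone, since the typos defeat an exact-match rule.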

Gwyn Headley

by Gwyn Headley

Managing Director

Cybercrooks are exploiting security flaws in Google Image Search to try to frighten people into buying evil software.

If you’ve ever seen a flashing banner saying something like “CAUTION — YOUR COMPUTER IS AT RISK” then you are a click away from being led down the path of perdition.

According to the SANS Internet Storm Center (always worth checking when a friend sends you another shouty email telling you yet again that some new bug has been classified by Microsoft as the most destructive virus ever) the villains have “compromised an unknown number of sites with malicious scripts that create Web pages filled with the top search terms from Google Trends.”

Click on an image, and there’s a possibility you’ll be routed to a page offering unverified anti-virus “scareware”, complete with misleading security alerts and warnings.

As far as we can tell, if you simply ignore the ads no harm will ensue. But of course we’re not experts, so we can’t be sure. Keep calm and shut your browser down. You can restart it straight away.

Apparently there are more than 5,000 hacked sites, injected on average with about 1,000 of these bogus pages. This means Google Images is referring about 15 million searches a month to these scam merchants — a mere drop in Google’s ocean, of course, but still a significant number.

There are free plug-ins available which will enable your browser to detect such evildoing. Check out NoScript for Firefox, and a chap called Denis Sinegubko is developing another Firefox plug-in that will flag malicious Google Image search results by placing a red box around images that appear to link to hostile sites, but I don’t think it’s ready yet.

Thanks to Netapplications.com for alerting me to this.

Chopped Pork & Ham …

July 6th, 2010

… is better known as SPAM, a sort of tinned meat. It’s a strange foodstuff, something I thought of as a product of the irretrievably grim British food rationing of the 1940s and 50s. But it turns out to be American, and some people eat it because they like it.

When Monty Python satirised the unimaginative British cuisine of the 1960s, they did a sketch in a restaurant where every dish was spam-based. This tickled the funnybones of early computer folk, and they would type “SPAM” over and over again to edge unwanted visitors off their primitive bulletin board sites. Once the verb “spamming” was coined, the force was unstoppable.

The key word of course is “Unwanted”. I do not want endless emails from China offering me Canadian pharmaceutical products (can’t see how that works) nor do I need any more chances to enlarge my manhood.

But if I sign up to an organisation, register with a business, give a company my details, join a club or become a member, I would expect to hear from that organisation. Especially if I’d paid a membership subscription. If I didn’t, I may simply forget about it — but if I’d paid, I’d want to know why I hadn’t heard from them.

Enter fotoLibra. It’s not compulsory to sign up to fotoLibra, just highly recommended. If you do, we will email you. And as a picture buyer or seller, what we send will be of interest to you. If it’s not, there’s a link at the bottom of every email which you can simply click on to be removed from our list. It also has our address so you can write and complain if we fail you.

What I’m saying is that we do not send out spam. People have signed up to fotoLibra, and we email them. Our problem is that a LOT of people have signed up to fotoLibra, and we simply cannot write to everyone individually, so we have to do what computers and email clients are very good at — sending one message to lots of different people.

Surprise, surprise. Lots of our innocent, requested emails get classed as spam. Of course we are to blame for some of it — we should never type the subject IN CAPITALS (apparently that’s popular among real spammers); HTML formatted emails (which ours are) send out alerts; bulk mailings are an obvious no-no. Trigger words such as ****, !!!! and %$%$ will often lead to blocked mail, even if used innocently.

Someone who will remain nameless recently sent out a fotoLibra Picture Call for photographs of guitars. Unfortunately she added an extra word commonly used in the publishing world to describe such books. Bang, bang, bang. Down came the shutters. The vast majority of ISPs blocked the mailing. As a result we only have 12 pictures of guitars to answer the call. Memo to self: get her to resend the call today WITHOUT the funny words.
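A pre-send lint that checks an outgoing mailing for the triggers listed above (a subject typed in capitals, runs of symbols such as !!!!, an HTML body) and rewrites the subject before the message goes out. This is an added example for this page, not fotoLibra's mailer: the weights, the 80% capitals ratio and the blocking threshold are assumptions rather than any real filter's rules, and the sample subject is constructed.

```python
"""Pre-send deliverability lint for a legitimate bulk mailing. Added example,
not fotoLibra's code; the weights and thresholds are assumptions."""
import re


def _caps_subject(subject, body, is_html):
    """True when more than 80% of the letters in the subject are capitals."""
    letters = [c for c in subject if c.isalpha()]
    return len(letters) >= 5 and sum(c.isupper() for c in letters) / len(letters) > 0.8


def _symbol_runs(subject, body, is_html):
    """True when subject or body contains a run of three or more !, $, %, * or ?."""
    return re.search(r"[!$%*?]{3,}", subject + " " + body) is not None


def _html_body(subject, body, is_html):
    return is_html


# (name, assumed weight, predicate) for each trigger the post mentions.
CHECKS = [
    ("subject_all_caps", 2.0, _caps_subject),
    ("symbol_run", 1.5, _symbol_runs),
    ("html_body", 0.5, _html_body),
]


def lint_message(subject, body, is_html=False, block_at=2.0):
    """Score the message and say whether it would likely be blocked (assumed threshold)."""
    hits = [(name, weight) for name, weight, test in CHECKS if test(subject, body, is_html)]
    score = sum(weight for _, weight in hits)
    return {"score": score, "hits": [name for name, _ in hits], "likely_blocked": score >= block_at}


def fix_subject(subject):
    """Collapse symbol runs to a single character and drop an all-capitals subject to sentence case."""
    cleaned = re.sub(r"([!$%*?])\1{2,}", r"\1", subject)
    if _caps_subject(cleaned, "", False):
        cleaned = cleaned.capitalize()
    return cleaned


if __name__ == "__main__":
    # Constructed subject in the style the post warns against.
    subject = "PICTURE CALL: GUITARS!!!!"
    print(lint_message(subject, "<p>Send us your guitar photos</p>", is_html=True))
    print(fix_subject(subject))
```

Running the lint on every Picture Call before it is queued catches the capitals and punctuation problems cheaply; the HTML-body weight is kept low because, as the post notes, the mailing is HTML by design and that alone should not stop it going out.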

Nevertheless it’s frustrating for us to mail people with information they genuinely want and then find our mailings are rejected. Some filters seem to be fairer than others, and I was particularly impressed by one company which sent us this message:

Your message was waitlisted.
Please add yourself to my Guest List so your messages will be delivered to my Inbox. Use the link below.
Click here to deliver your message
Boxbe (www.boxbe.com) prioritizes and screens your email using a Guest List and your extended social network. It’s free, it removes clutter, and it helps you focus on the people who matter to you.

Now that really does seem to screen out the professional spammers. HOWEVER — and this is a big HOWEVER — a quick search on the internet reveals a lot of people slagging off this company for spamming people themselves. I won’t be using it as a result, but it may suit some people.

So. Here’s our problem. Where is our solution?

Curious

July 1st, 2010

Man joins fotoLibra as a Seller at 12:45 and uploads four photographs.

Another man in another country on another continent joins fotoLibra as a Buyer at 17:15 and immediately buys one of the new seller’s photographs for £140, paying by credit card.

Why am I suspicious?

Nobody has joined and made such a quick sale as this since last year, when a Brazilian signed up and uploaded five photographs, all of which were bought within two hours for comfortably large sums of money by another Brazilian who had just signed up the same day. He too paid by credit card. 89 days later the bank snatched back the money, all of it.

Have I the right to be suspicious?

Last week my credit card was refused (I was trying to buy several litres of Pimms). We contacted the card issuers and found a payment of £10 had been made a couple of days earlier to Oxfam. Not by me it hadn’t been. This was followed up by an attempt to pay a large Southern Electricity bill with the card, which had been rejected. We don’t have Southern Electricity. So the credit card was compromised — how? — and quickly cancelled. A replacement arrived yesterday.

If this transaction turns out to be fraudulent, we stand to lose £70. It’s not a huge amount of money, though God knows we could all do with it. If they are fraudsters — and how can I tell? — they’d have to do it many times over to make a living out of it.

Privacy

March 9th, 2010

by Gwyn Headley

Managing Director

We received the following email this morning:

As the owner of this rare car, I would request that this image be deleted from this site on the grounds of privacy.

If my car was parked outside my house and it was captured on Google’s street maps facility, at least they respect an individual’s privacy by blurring out vehicle licence plates. This aspect also extends to images in the media such as newspapers and TV broadcasts.

Additionally, I was not approached or contacted regarding the inclusion of my car for a third party’s financial gain.

I agreed to appear at this show because the organiser of this event is a personal friend.

Please respect my request – thank you.

This is a perfectly polite and reasoned request. But what is at stake here? We’re under no obligation to take down images because the subject of the photograph objects to his property being depicted. If he doesn’t want his car to be seen he shouldn’t take it out in public.

Yes, the photograph was posted on fotoLibra for the purpose of financial gain. We haven’t yet found someone who is planning a calendar of AC cars, but we always live in hope.

You can’t stop anyone taking and publishing a photograph of your house, and it’s a lot easier to find out who lives in a house than who owns a car. Just check the electoral roll, or the census. We as private individuals can’t find out who owns this car by looking at the registration plate (which we’ve pixelated out here).

©Geoff Alan France / fotoLibra

But private parking companies can get a driver’s name and address simply by submitting the vehicle registration number to the DVLA and filling in a form confirming that they are pursuing an alleged parking offence.

The DVLA charges £2.50 a time for details from its ‘confidential’ database of 38m drivers. Income from this lucrative sideline in selling our personal data has risen every year from £4.7 million in 2004-5 to £9.2 million for 2009-10.

The owner of the car might find more reason to complain about this collaboration than about an enthusiastic photograph in a picture library.

What do you think?

by Gwyn Headley

Managing Director

We all have to live with spam, and if a blog or a site is widely read or visited, we have to accept that among its users there will be people who hold violently different opinions to the majority. Do we allow them their comments, or not?

Well we do, even when the one tired old fotoLibra Stalker, frothing over his keyboard, posts another gratuitous assault on the company he loves to hate. It’s his point of view, warped and twisted though it may be, so up it goes. If anyone is remotely interested, I’ll post the story of how many years ago a sad man flagellated himself into this state of apoplectic rage.

On the other hand, we will delete out-and-out spam and comments which have no relevance. Someone posted something like “Way – Hey! R E E E S P E E E C T!” on the BAPLA Shock Horror blog posting the other day, so as it added nothing to the debate I deleted it. Back came a resentful “So much for Open Access.” I deleted that too. If you posted those and you really want to contribute, why not say what you want to say instead of just shouting incoherently? It will be published.

I have to scan through all the spam that’s picked up by the excellent Akismet plug-in for WordPress, because something genuine might slip through. Sometimes they make me smile with their guile, but this one brought a tear to my eye:

Copywriting…
Very interesting post. On the other hand, good copywriters are very well considerated because they achieve very good results. For exemple, a good headline can make that much more people read your post.

The person can’t write English. Yet he’s offering copywriting services. Very … very … very; good … good … good — two words repeated 6 times in 33. Bad style, I’d say.

“Considerated”. Is this George W. Bush coming back to haunt us?

“For exemple”, for example.

“make that much more people”? Wrong, wrong, wrong!

I wouldn’t dream of going to Saudi Arabia and setting up as a Hafiz. What makes this guy go to the lengths of spamming something which proves he’s incompetent?

What hope! What confidence! To set up a spamming business offering something you so clearly cannot do! It’s like the fotoLibra Stalker deluding himself he’s a photographer.

by Gwyn Headley

Managing Director

We have been deluged by junk mail over the past few days, even more than usual, and as Yvonne has a migraine I’m checking her emails as well.

I thought I got bombarded with junk — but she gets twice as much. She was sent over a thousand between midnight and nine am.

Anyway, this morning Jacqui Norman sent out four Picture Calls to our members (who sign up voluntarily — there is little or no coercion) and loads of them came bouncing back, all with email addresses ending in yahoo.com — Delivery temporarily suspended: host mx2.bt.mail.yahoo.com[195.60.116.133] refused to talk to me: 424 4.6.0 [TS02] and other such impenetrable computer speak.

If I’d signed up for a service like fotoLibra and didn’t hear anything more from them, I’d be inclined to think the company didn’t care. It wouldn’t occur to me that my service provider was blocking messages from them. It’s damaging to us, but I’m at a loss as to know how to deal with it.

The prime offenders are Yahoo, Hotmail and BTInternet. We even have a note in our Welcome email to new members that if they use one of those service providers for their email, they should add mailman@fotoLibra.com to their address book. Even that doesn’t always work, but it helps a little bit.
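A way to make sense of the "impenetrable computer speak" above: classify each outbound delivery record by recipient domain and outcome, so the operator can see which providers are deferring mail (temporary, keep the address and retry) as opposed to rejecting it (permanent, suppress the address). This is an added example for this page, not fotoLibra's tooling: the log lines are constructed in the general shape of a Postfix delivery record around the deferral text quoted in the post, the non-Yahoo hosts use documentation IP ranges, and the investigation thresholds are assumptions.

```python
"""Classify outbound-mail log lines by recipient domain and SMTP outcome.
Added example, not fotoLibra's code; sample lines are constructed."""
import re
from collections import defaultdict

# Postfix-style delivery record: to=<rcpt>, relay=host[ip]:port, ..., dsn=x.y.z, status=word (detail)
LINE_RE = re.compile(
    r"to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>[^,]+), .*?"
    r"dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<detail>.*)\)$"
)

# Constructed log; the Yahoo deferral text is the message quoted in the post.
SAMPLE_LOG = """\
Jan 20 09:12:01 mailhost postfix/smtp[4101]: 1A2B3C: to=<alice@yahoo.com>, relay=mx2.bt.mail.yahoo.com[195.60.116.133]:25, delay=3.1, delays=0.1/0/2/1, dsn=4.6.0, status=deferred (host mx2.bt.mail.yahoo.com[195.60.116.133] refused to talk to me: 424 4.6.0 [TS02])
Jan 20 09:12:02 mailhost postfix/smtp[4101]: 1A2B3D: to=<bob@yahoo.com>, relay=mx2.bt.mail.yahoo.com[195.60.116.133]:25, delay=3.0, delays=0.1/0/2/1, dsn=4.6.0, status=deferred (host mx2.bt.mail.yahoo.com[195.60.116.133] refused to talk to me: 424 4.6.0 [TS02])
Jan 20 09:12:03 mailhost postfix/smtp[4102]: 1A2B3E: to=<carol@example.net>, relay=mail.example.net[192.0.2.25]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK queued)
Jan 20 09:12:04 mailhost postfix/smtp[4102]: 1A2B3F: to=<dave@example.net>, relay=mail.example.net[192.0.2.25]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=5.1.1, status=bounced (host mail.example.net[192.0.2.25] said: 550 5.1.1 User unknown)
Jan 20 09:12:05 mailhost postfix/smtp[4101]: 1A2B40: to=<erin@yahoo.com>, relay=mx2.bt.mail.yahoo.com[195.60.116.133]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 OK)
"""


def classify(status, dsn):
    """Map the Postfix status and enhanced status code to a retry/suppress class."""
    if status == "sent":
        return "delivered"
    if status == "deferred" or dsn.startswith("4"):
        return "temporary"   # keep the address; the receiving host asked us to retry later
    if status == "bounced" or dsn.startswith("5"):
        return "permanent"   # drop the address; the receiving host rejected it outright
    return "unknown"


def parse_line(line):
    """Extract recipient, relay host, code and outcome class; None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["domain"] = rec["rcpt"].rsplit("@", 1)[1].lower()
    rec["relay_host"] = rec["relay"].split("[", 1)[0]
    rec["kind"] = classify(rec["status"], rec["dsn"])
    return rec


def summarize(log_text):
    """Per-domain counts plus the list of addresses that bounced permanently."""
    per_domain = defaultdict(lambda: {
        "delivered": 0, "temporary": 0, "permanent": 0, "unknown": 0,
        "relays": set(), "codes": set(),
    })
    suppress = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        d = per_domain[rec["domain"]]
        d[rec["kind"]] += 1
        d["relays"].add(rec["relay_host"])
        d["codes"].add(rec["dsn"])
        if rec["kind"] == "permanent":
            suppress.append(rec["rcpt"])
    return per_domain, suppress


def providers_to_investigate(per_domain, min_messages=2, deferral_ratio=0.5):
    """Domains deferring at least `deferral_ratio` of our mail (assumed thresholds)."""
    flagged = []
    for domain, d in per_domain.items():
        total = d["delivered"] + d["temporary"] + d["permanent"]
        if total >= min_messages and d["temporary"] / total >= deferral_ratio:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    per_domain, suppress = summarize(SAMPLE_LOG)
    for domain, d in per_domain.items():
        print(domain, {k: v for k, v in d.items() if not isinstance(v, set)}, sorted(d["codes"]))
    print("suppress:", suppress)
    print("investigate:", providers_to_investigate(per_domain))
```

The split matters operationally: deferred addresses stay on the list and are retried, permanently bounced ones go on a suppression list so the next Picture Call does not keep hitting dead mailboxes, and a domain with a high deferral ratio is where to look at sending rate and sender reputation rather than at individual recipients.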

We’ve tried contacting the companies directly; however, we have but a limited life span on this earth and I don’t intend to spend it listening to ‘Für Elise’ played on a Stylophone. These are companies that are not comfortable talking to customers or other outsiders.

Maybe they have Google Alerts when their names get mentioned frequently. So, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, Yahoo, Hotmail, BTInternet, how do we become an acceptable entity in your eyes?

Data Protection

January 20th, 2009

by Gwyn Headley

Managing Director

The Data Protection Act is another great law like Helf ‘n’ Saiftay — you can use it to hide behind, use it offensively, obstructively or aggressively. Or all four. It is a Godsend to the sort of mindset that seems to run through half the population.

Don’t you know there’s a war on?

I was only doing my job.

I’m alright, Jack.

It’s more than my job’s worth.

Computer says no.

Now they have the law on their side, and it’s infinitely adaptable. I’ve been calling some photographic companies recently on the phone — a shocking enough tactic nowadays, given the silence that lies heavy over most offices today — and the reactions have been varied, to say the least.

Look, I’m guilty of this myself. The smaller the company, the more guarded and suspicious the response. People ring up fotoLibra and say “Can I speak to the managing director or the owner of the company please” and frankly that’s as far as they get. We always apologise before we put the phone down, because that’s how we were brought up.

Some of them have done a little research. “Can I speak to Miz Gwine Heeedlee please?” Depending on how mindless the caller sounds, I either switch to basso profundo — s p e a k i n g ? — or warily ask who is calling. At the moment the calls are about water coolers or investment plans.

But the boot is on the other foot when it’s me making the calls. I’ve got something they should be interested in. The default state is that they’re not, of course, and it’s a tough barrier to break down. The big problem is getting through to the right people.

First there’s the voicemail barrier. Speaking to someone is never one of the options. As soon as I hear voicemail kicking in, I hit Nought, which usually gets me the operator. Here comes the operator barrier. If you have a name, there’s firstly the tone of disbelief, as if you’ve asked to speak to Pol Pot or Robert Mugabe, then the suspicion that he left the company late last century.

Then the Data Protection Act kicks in. “I’m sorry, we’re not allowed to give out names.” What am I going to do with them? Make voodoo dolls?

If you’re lucky, you might be allowed to get through to a department in the company.

The person who picks up the phone at this stage is one of two people. Either it’s the trainee managing director, on her way up through the glass ceiling, or the deputy assistant’s secretary’s temp’s daughter, who happens to be eating her McDonald’s by the phone.

The TMD is a whirlwind of efficiency, all instant comprehension, ‘right’ being the most crucial word in her vocabulary, barking out rapid fire instructions and leaving you bathing in a warm glow of efficiency. Nothing at all will happen.

The temp’s daughter will not know what to do. You run through your pathetic spiel, trying to rid yourself of the mental image of a golden retriever listening to Wittgenstein. At the end, there’s a silence. “Err, yurrr. Can you send us an email?” Nothing at all will happen.

I do what’s wanted anyway. Then I follow up. Sometimes I strike gold. The largest company I spoke to listened to what I had to say, said “That sounds great, but you need to speak to Jerome. Here’s his mobile number.”

I’m too awed to call.