Archive for the ‘Security’ Category
SSL Certificates
September 14th, 2017
Firstly, many apologies for the lack of fotoLibra service over the past few days. The good news is that everything is now back up and running as it should be.
The problem was with our SSL Certificate. An SSL Certificate is a cryptographic protocol that provides security over a computer network. Websites use SSLs to secure communications between their servers and web browsers. Without a valid SSL Certificate you wouldn’t be able to access a website — unless you ignored a string of increasingly dire warnings.
We have automatically renewed our SSL Certificate every two years for the past fourteen years. This year we paid for the renewal on August 25th. Unfortunately our service provider 123-Reg changed their certifying authority from Globalsign to an American company, without notifying us. An email from this unknown new company, Starfield Technologies, demanding sensitive corporate data, went straight into trash.
When we eventually checked with our service provider we were told the email wasn’t spam, it was actually from a legitimate company, despite its very iffy write-up in Wikipedia. In order to verify our SSL Certificate Starfield demanded from us a letter of attestation signed by a lawyer, and an invoice from an outside supplier verifying our telephone number.
How many invoices do you get with YOUR telephone number printed on them? Right — just one, if any; from your phone supplier; BT in our case.
The American company rejected the bill from BT because they had made it out to VisCon Pro Ltd, not to fotoLibra’s holding company VisConPro Ltd. An errant space was sufficient for disqualification.
They rejected our letter of attestation because it was signed by a solicitor, not a lawyer. Americans, eh?
They were not at all interested in the fact that all our corporate data is freely available from Companies House, presumably because Companies House is not yet totally under American control.
Because these verification letters did not meet their demands, this foreign company had the ability to pull the plug on our certification. And so they did. Despite their failure to comprehend our valid credentials, they ensured we were unable to trade for five days.
Do we get recompense? Maybe, if we had phalanxes of highly trained American lawyers. But we don’t.
So once again, please accept our apologies for this downtime. I hope it won’t happen again.
Account Number & Sort Code — An Awful Warning
March 27th, 2017 by Gwyn Headley
Managing Director
Tags: account number, BBC, cheque details, Getty Images, HSBC, Jeremy Clarkson, sort code
Paying by bank transfer is much easier than paying by cheque, which is why so many companies now include their bank details — account number and sort code — on their invoices.
That’s reasonable when the recipient is a private individual or another company. It’s not so good when they are published on the fifth biggest website in the country.
To illustrate an article “Bank cheques to be cleared within a day” on their website last Wednesday the BBC used a photograph of a handwritten HSBC cheque, clearly showing a company’s account number and sort code details.
The trouble was they were ours — fotoLibra.com’s.
This was a cheque we’d paid to one of our contributors in 2012, and to add aggravation to outrage she photographed it and uploaded it to Getty Images, who then sold it to the BBC, complete with our clearly visible bank details.
James Cliffe, HSBC’s Head of Business Banking, is no call centre drudge and he took the issue sufficiently seriously to call me direct. HSBC had seen the article shortly after it appeared and immediately called the BBC to complain. The photograph was replaced within the hour.
An account number and sort code is all an unscrupulous individual needs to set up a standing order or direct debit, as Jeremy Clarkson found to his cost when he published his bank details in the belief they only worked one way. He found he was suddenly paying out a £500 direct debit to the charity Diabetes UK.
Clarkson revealed his account numbers after rubbishing the furore over the theft of 25 million people’s personal details. He wanted to prove the story was a fuss about nothing. “The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again,” sighed Clarkson. “I was wrong and I have been punished for my mistake.”
We hold the BBC and Getty Images equally responsible. We expect they know (Getty, that is) they’ve done wrong because there’s no trace of that image on their website today.
We still don’t know what damage we may suffer.
But if HSBC’s big guns are concerned, then we are concerned.
fotoLibra Smashes International Drug Ring
December 17th, 2015
Well, that might be pushing it a bit, but I’ve always wanted to write a headline like that.
We take care to vet every image uploaded to fotoLibra. The first hurdle of course is quality; images must have a minimum pixel dimension of 1750 and a resolution of 300 ppi. (PPI and DPI deniers — I know your arguments, but the majority of fotoLibra sales are for print use and they need to be 300 dpi). If you read this blog about PPI/DPI you’ll see that one of the reasons we demand 300 ppi is to prevent porn being uploaded.
We hadn’t thought of drugs.
Someone I’ll call Eugene had. He appears to be from the Ukraine, but that’s easy to mask. What he did was very simple and (I’m reluctant to say it) quite clever. He simply uploaded photographs of drugs to fotoLibra and offered them for sale. In the Image Description field he wrote “Ve vant to build strong lasting relationship mit customers like you” and followed it with a Skype contact.
Ingenious. Had the images remained on fotoLibra they would very quickly have been picked up by search engines (all our keywords are indexed so search engines can crawl and find them easily) and anyone searching for, say, Hygetropin on the web would have been able to find it nicely displayed on the squeaky clean fotoLibra site together with handy details of how to purchase it.
We spotted the images within an hour of upload. Not much discussion was needed. We simply deleted them.
Yvonne (and if you’ve had dealings with Yvonne, you’ll know she makes Jacqui Norman look like a pussycat) wrote to our hopeful new member:
Hello Eugene
fotoLibra is a professional picture library selling image usage rights to publishers, advertising agencies and so on. We are not a shop window for online drugs’ salesmen; we have therefore removed the images from your portfolio and cancelled your membership.
Regards,
Yvonne Seeley
Curses! Foiled again!
A Fairy Tale Of New York …
August 22nd, 2012 by Gwyn Headley
Managing Director
… and Pennsylvania, and Indonesia …
Once upon a time (early this morning, actually) there was a photographer who came across a lovely website called fotoLibra.
“Gosh,” he thought. “If I sign up I can upload my pictures to fotoLibra and if they sell I’ll make some money.” So he uploaded two pictures for nothing.
This very same morning a nice lady in New York found the same lovely website.
“Gee willikins,” she thought. “I’ll sign up, and what I’d like to do tonight is buy a photograph of some guitar strings, for 5000 corporate CDs in Europe.”
Within minutes another nice lady in Pennsylvania also discovered fotoLibra and signed up. “Now, let me see,” she mused, “I think tonight I’ll have a photo of some guitar strings on my commercial internet site for a year. Ah! Here we are! The very thing!”
And both ladies, by fortunate happenstance, had hit upon the same photograph, uploaded by our lucky new member in Indonesia only moments before.
What joy! Two satisfied customers and one happy photographer! And they all signed up within 30 minutes of each other! The picture was uploaded and sold twice before it had been online for half an hour. Job done by fotoLibra!
But then, far away on the other side of the world, a new day dawned, and deep in her feculent pit the great JACQUI NORMAN stirred. She pointed one terrible eye at the computer screen and in an instant spotted the improbability of such transactions.
“FF RR AA UU DD !!” she bellowed slowly and heavily, shaking the sere and devastated land around her lair.
As I write, there is no happy ending. The money — a fair amount, paid by credit card — will be deposited in the fotoLibra account by close of play tomorrow. In 30 days we have to pay the photographer.
And in four or five months HSBC will slowly realise there has been a fraudulent transaction and will remove the entire amount from our account without informing us first.
So maybe we won’t be paying this gentleman from Indonesia in 30 days. We’ll just hold on to the money for a little while, and see what happens.
We could be wrong.
But we don’t think so.
Policing Illegal Image Usage: What You Can Do
May 14th, 2012 by Gwyn Headley
Managing Director
We have come across websites which are using fotoLibra images without paying for them. They are using watermarked Preview images, which anyone is at liberty to drag off the site, but not for commercial use.
I’ve borrowed the following piece in its entirety from Jacqui Norman’s May fotoLibra Newsletter because I think an important function of a picture library is not only to sell but also to guard and protect our photographers’ assets, and if we come across any unauthorised image usage it is our duty to harry and beset the perpetrators as best we can. In Britain we have the Small Claims Court which we will unhesitatingly use — overseas it’s more difficult, but there are ways and means — one of which Jacqui proposes at the end of her article.
The benefit for fotoLibra photographers is that a complaint from a company will usually carry more weight than a complaint from an individual. A company is generally perceived to have deeper pockets and better legal support than most individuals, and will usually be prepared to pursue trivial debts which a sole person may not be able to afford, in time or money.
We’re mainly talking here about image sales in the region of £25 / $40. This is not going to rescue Greece’s economy, but if our photographers are losing money through illegal usage, then so are we. We are going to do something about it — but you have to help us by following this procedure. Over to Jacqui:
fotoLibra Member Bob Crook alerted us when he found one of his images with a large fotoLibra watermark being used on somebody’s blog. He asked if we’d made the sale, and we hadn’t — the thief had simply stolen the lo-res watermarked Preview and posted it on her blog.
But Do Not Panic. Your original images are safe. They cannot be downloaded from the fotoLibra site without our knowledge. But anyone can drag Thumbnails and Previews off any website, which is why in our case they are protected with embedded metadata and, in the case of Previews, with embedded watermarks too. We don’t mind students using such images for free in dissertations and essays. If they want to use an unwatermarked version they have to pay, which of course outrages them because they think everything on the internet should be free.
If it’s not for student use, we charge. But how do you track down unauthorised usage of your images?
Here’s how Bob does it, slightly adapted to suit all fotoLibra members:
Open Google Images in one browser.
In another browser, go to your Portfolio in the fotoLibra Control Centre. Choose one of your images. Double click to enlarge it into a watermarked Preview image.
Highlight the image, and slide it onto the bar on the Google page.
It will take only a few seconds to search.
When it has finished you will see the image at the top of the page and a list underneath of where it is being used. It also attempts to show you similar images by matching the colours. Sometimes this is impressive. Sometimes it makes you realise how alien a computer’s “intelligence” can be.
If you have some curiosity and spare time, please check through some of your images this way. If you do find evidence that one or more of your images is being used without your knowledge or consent, this is what we want you to do: Email me [that’s jacqui (dot) norman (at) fotoLibra (dot) com] with a) the FOT number of your image, and b) the precise, full URL of where you saw that image being used.
We will contact the abusers and demand payment on your behalf. We can never guarantee success, particularly in overseas jurisdictions, but we can certainly frighten them, and we can name and shame them.
In fact — here’s a thought — if people don’t pay up, I might publish a regular Cheat List, where we can publicise URLs where any unpaid for fotoLibra Preview images appear, and fotoLibra members and friends can then comment on the probity and honesty (or otherwise) of the offending sites. What do you think?
Well Jacqui, I think it’s a good idea. Not a great one, because at heart I’m not confrontational, but if I sit down and think about this I can work myself up into quite a state of indignation. These people — I don’t know how many of them there are — are thieves. Bob Crook has found two, and checking through ten of my underwhelming images I have already found two which are currently being used illegally. That’s 20%. Admittedly I did choose ten images I thought might lend themselves most readily to theft. Tineye is another good way of uncovering shady image use.
I’m happy to name and shame any site which uses a fotoLibra watermarked image without permission. However I won’t rush straight in whirling my bat around my head because I’ve stepped up to the plate for young Bob before, when he claimed some publisher had used a fotoLibra image without permission. We investigated and discovered the image had been uploaded to fotoLibra three weeks after the book had been published — Bob had sold it through another picture library and had forgotten all about it. We had our ears torn off by a slider from the publisher and I don’t think we’ll be selling them any images for a while.
So we’ll tread softly. And carry a big stick.
An Obnoxious Vanguard?
April 25th, 2012 by Gwyn Headley
Managing Director
We’re busy with our final preparations for fotoFringe London 2012, the picture buyers’ fair which is being held tomorrow in King’s Place, a newish office block and conference centre where The Guardian have their offices, near King’s Cross.
And it’s an article in The Guardian that I want to write about. A friend in Euskadi alerted me to this one (thank you Peta) because it’s one of my favourite topics — the freedom of photographers to use their cameras.
Stonehenge, Trafalgar Square, National Trust properties, a whole bunch of places in the USA — the list of places where photography is banned or restricted lengthens daily. Now, unsurprisingly, we can add the Olympic park in East London to the list.
I’ll never get to see this place because all my ticket applications have proved unsuccessful. However I am permitted to contribute substantially towards it through a hike in my London rates over the next ten years. So I’d like to see some pictures of it.
The Olympic venues are technically private property (purchased using our money, but when did that ever restrain our dear leaders?) so control can be asserted over what can and can’t be photographed within the precincts. But not on the public spaces surrounding the venue, of course.
The Guardian thought this could be interesting, so they sent a couple of photographers and a video to test the temperature of the waters. They struck lucky straight away when they ran into an incompetently and incompletely briefed security guard whose debating skills and command of English were no match for the fiercely well prepared Guardian hacks. He simply attempted to stop them filming in a public place. They refused. Reinforcements arrived.
And here — well, you know I’m on the side of the photographers, but this was outright provocation and harassment. The Guardian hacks were milling around, pushing for a reaction. But they came up against an intelligent, articulate and reasonable security supervisor who conceded they had a right to photograph on public land but as this was a sensitive area — the Olympic Park’s security centre — it would be most awfully kind of them if they could possibly desist.
The Guardianistas hectored and interrupted. They tried to photograph the armband name badge of an old fart security guard who looked worryingly like me, and he tore it off to prevent them. Bad move. The hacks loved it.
I want photographers to be able to photograph what they want when they want where they want, within reason and without causing offence, upset or danger. Yes, there are security concerns. Yes, there are privacy issues. I’m less impressed by the “we own it, therefore we should profit from it” brigade. I personally find paparazzi distasteful, and I believe they were the major contributing factor in the death of Princess Diana.
Our cause isn’t helped by photographers manufacturing an incident where none existed. But every movement needs an obnoxious vanguard.
Doesn’t it? What do you think?
http://www.guardian.co.uk/sport/2012/apr/23/olympic-park-security-guards-journalists-photos
The end of the Credit Card Scam story
April 12th, 2012 by Gwyn Headley
Managing Director
Having been ripped off by a Nigerian scammer (details here) we asked our local MP Elfyn Llwyd (Plaid Cymru) if there was anything he could do to help.
He was as outraged as we were that the issuing bank knew of the fraud two months before coming to HSBC and demanding that $800 be removed from the fotoLibra account, by which time of course we had disbursed the money. He said he would write to the Chairman of HSBC.
Which he did. He received a reply from David Lewis, Head of HSBC Customer Relations, absolving the bank of any responsibility and arguing that it was fotoLibra’s fault for accepting ‘cardholder not present’ transactions. This amazing statement ignores the fact that 10.7% of all retail sales* are now made via the internet, every one of which is a ‘cardholder not present’ transaction.
Mr. Lewis concluded:
There are some steps the merchant/retailer can take to minimise the possibility of fraud, for example asking for the numbers in the post code of the card holder and only delivering to that address (as fraudsters often ask for the goods to be sent to another address other than that of the registered cardholder).
That might have been relevant if fotoLibra delivered boxed goods to physical locations. But we don’t. We permit the download of digital images to an email address. There’s no connection to any part of the credit card.
Maybe a credit card could be linked to a fixed email address which would form part of the verification process? No, that’s probably far too simple. Isn’t it?
We are most grateful to Mr Llwyd for his concern and his response. That’s exactly what MPs are for. Full marks.
*Office for National Statistics, February 2012
Credit Card Scam
January 31st, 2012 by Gwyn Headley
Managing Director
The perceived risk of buying and selling using a credit card on the internet was the biggest single barrier to the growth of the World Wide Web.
In the eighteen years since I launched my first web site, that fear has largely been allayed. Internet users who now won’t buy with credit cards are a tiny minority. If your card is compromised in any way, the banks and card companies will refund your money and issue a new card.
But what protection is there for the merchants? The punter must be recompensed — but the financial organisations aren’t going to be the ones who lose. Someone has to pay. It’s going to be the merchants.
Here’s the Dramatis Personae of our little play:
- Innocent Punter
- Evil Fraudster
- Innocent Merchant
- Innocent Photographers
- Innocent Credit Card Company
- Innocent Bank
This is what happened to us. On Nov 17 Evil Fraudster used Innocent Punter’s credit card details to buy six images — over $800 worth — from us, the Innocent Merchant, and download them to Innocent Punter’s apparent email address.
On Nov 25 Innocent Punter signed an affidavit to say his card had been used in a fraudulent transaction, i.e. the purchase of $800 worth of images from fotoLibra. Innocent Merchant isn’t told of this, either by the bank or the credit card company. All we know is that $800 has been paid into our account and the images have been downloaded.
The $800 payment appears on our next bank statement. Christmas intervenes, and we make all the payments to our photographers on Jan 21. The $800 payment is still visible in our bank statements.
This morning, Jan 31, we receive a letter through the post from the bank telling us there has been a fraudulent transaction involving a credit card payment on Nov 17 and they are removing the $800 to pay for it. So the status quo of the Dramatis Personae is now as follows:
- Innocent Punter — unscathed
- Evil Fraudster — 6 digital images the richer
- Innocent Merchant — $800 poorer
- Innocent Photographers — $400 richer
- Innocent Credit Card Company — unscathed
- Innocent Bank — unscathed
My questions are:
- Who benefits from this fraud? Evil Fraudster gets 6 images (which haven’t been used as far as we can tell). Innocent Photographers get $400. Assuming the photographers aren’t linked to Evil Fraudster, they’re doing better than he is.
- We pay the credit card companies substantial annual fees for the privilege of using their service. If they authorise a payment, we have to take their word for it. We cannot check every individual credit card transaction ourselves — that’s what we pay them to do.
- So why is Innocent Merchant the only loser in this scenario? If the bank and the card company say ‘Here’s the money — spend it wisely’, how come they can snatch it back nearly three months after they’ve given it to us?
- Most importantly, if the fraudulent transaction was reported on Nov 25, why weren’t we informed till Jan 31? That is OUTRAGEOUS.
Damien our IT guru has traced the route the transaction has taken. Unsurprisingly it trails back to those bastard Nigerians again. They’re not doing their country any favours at all. Could anyone ever trust a Nigerian nowadays?
Obviously the villain of the piece is the rogue Nigerian, but I fail to see how he can benefit from the scam. Can anyone enlighten me?
The end result is that we’ll just have to wait longer paying photographers after making a credit card sale from someone we haven’t dealt with before. 99% of credit card sales made through fotoLibra are perfectly legit. In fact, this is only the second one that’s gone wrong. The first one was such a blatant blag that even I could see through it — someone in Brazil signed up as a photographer and uploaded 4 photographs. The following day someone else from Brazil signed up as a buyer and bought the four images for £2,000. We then should have paid the Brazilian photographer £1,000. But we had our suspicions. We waited. And the bank claimed back the money after three months. We were not compensated.
But I cannot figure this scam out.