
iDrive doesn’t take security seriously

24 May

I’ve mentioned before how I’m able to act as a canary in the email-database coal mine. …And how companies often don’t take my free, valuable chirps seriously. It happened again.

The unique email address I use to access iDrive started receiving spam in February 2018. It wasn’t just any spam; these sophisticated phishing emails were sent to an email address only iDrive had, and also contained my username/login.

When I contacted iDrive, they blew me off.

Then they blew me off again. More accurately, they gave me plenty of lip service, denial, and smoke far up my ass (all the while admitting other people had contacted them regarding the phishing). This continued for several calls over several weeks, until I posted publicly on Twitter.

iDrive CEO Raghu Kulkarni promptly contacted me.

We talked about the difference between companies reacting appropriately to breaches:

Twitter had just announced a big breach and contacted millions upon millions of users asking them to change their passwords

…and companies reacting poorly:

iDrive trying to convince a whistle-blower there wasn’t a breach, despite hard evidence. (How does one prove a negative, anyhow?)

In exchange for deleting my tweet, Mr. Kulkarni agreed to set up a crisis communications plan. Within a week’s time, he promised to get all levels of iDrive customer support on board with an appropriate response, should a similar problem arise in the future.

More lip service

Weeks later a friend who signed up for iDrive because of my recommendation contacted them regarding the phishing attempt. He received the same brush-off I did.

iDrive does not take data security seriously.

I only have evidence of a third party accessing email addresses and usernames. Did they also gain access to other allegedly secure bits? I don’t know. Probably not. All the more reason to just react appropriately, and send an email warning customers that somebody gained access to a subset of clients’ usernames and email addresses. …With a little note about how to avoid sophisticated phishing attempts. …Phishing they have hard evidence of. iDrive doesn’t want to do this, clearly.

How did this iDrive breach happen?

Maybe an employee had this info on their laptop or PC, which was then infected with malware. The malware shared the data.

Maybe a former or current employee sold the data to spammers or used it for personal gain?

Maybe it was a good old fashioned breach by some 1990s movie-style hackers.

I can tell you one thing for sure; as in many cases, nobody seems to know. I don’t know how it happened. iDrive won’t even admit there was a breach. What we do know is that iDrive would rather brush evidence of a minor breach under the rug than address it properly.

What would iDrive do after a more serious breach?

I don’t trust them with my data anymore. I’m looking for a new data backup provider. I’ve been with iDrive for years. I really wanted them to do the right thing so I could stay with them. Alas, I don’t trust them, now.

Screenshots of both phishing spams I received are included below. I can only assume the spam continued for others; I set my iDrive email address to return a server error upon message receipt, so I can’t tell you. Spam sucks. So do companies that don’t take security seriously.

[Screenshot: first evidence of the iDrive hack (the phishing spam)]

[Screenshot: second evidence of the iDrive breach]

Dan Dreifort consults on SEO, UX, and sometimes crawls out of the woodwork to opine on infosec, too, it would seem. His band Cat Shit’s new album (Make America Shit Again) hits in June 2018.

Redirector Browser Extension Takes You Where You Want to Go

2 May

AT&T just installed fiber to my house. It’s fast. I get a steady 949 Mbps up and down. I had no complaints about the 160 Mbps/14 Mbps I was getting from Cox, but my inner geek couldn’t say no to faster-for-the-same-price.

The install was pretty smooth, but during the bumps, I would type nonsense URLs in to see if things were working. Most of the domains actually existed, but when I hit something that wasn’t live, I got the AT&T-branded page telling me the page I’m looking for isn’t available. Well, it said that somewhere within the mess of ads. Call it what you will, it’s DNS hijacking. Amazingly, AT&T allows users to opt-out of “this service”. But some ISPs don’t.

End ISP DNS Hijacking

Before I noticed that opt-out, I took a minute to update my Redirector settings appropriately. No more AT&T DNS hijacking. (I’d previously used it to prevent Cox from hijacking my DNS).

It works in Firefox, Chrome, and Opera, and Redirector is good for more than stopping DNS hijacking. It’s a versatile browser usability enhancer.

Use Redirector to Help Your Favorite Charity

I don’t have a car, and I loathe shopping, so I regularly shop with Amazon for things I can’t get by foot or on my bike. I made a valiant effort to remember to use Amazon’s Smile program special URLs to help my favorite charity (Death With Dignity National Centers), but I’d usually forget. The AmazonSmile Foundation will donate 0.5% of the purchase price of eligible products to the charitable organization of your choice.

I didn’t want to leave those easy donations on the table, so I searched for something that could remember for me. Enter Redirector. Now, every time I click an amazon link, or type amazon.com into my browser, I’m taken to the smile.amazon.com version of that page, instead.

I’ve uploaded an image of my Redirector settings at the bottom of this post in case you too want to more frequently, passively donate to your fave cause, or if you want to stop your ISP from hijacking your DNS. It’s easy. For the latter, you can use the same DNS hijacking forwarding URL I use, or copy the PHP snippet from that page.

<?php
// Print the referring URL (the ISP's hijack page, which usually carries the
// mistyped hostname) so the typo is visible. The Referer header is untrusted,
// browser-supplied input, so escape it before echoing to avoid reflected XSS.
if (isset($_SERVER['HTTP_REFERER'])) {
    echo htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8');
}
?>

…Not that you need the php on the page you load instead of your ISP’s branded page, but it helps to be able to see a printout of the potentially improperly typed URL. e.g. below.
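The redirect rules described above, written out as a pure function in Python. This is an added example, not the Redirector extension’s code or the settings from the post: the smile.amazon.com rule is the one the post describes, while the ISP hijack host and the fallback page URL are constructed placeholders (a real rule needs the ISP’s actual error-page pattern). The point worth seeing in code is that the host is compared exactly, never by substring, so a look-alike domain that merely contains amazon.com is left alone.

```python
"""Redirect rules of the kind a browser redirector applies, as a pure function.

Added example, not the extension's own code. Hosts for the ISP hijack page
and the fallback page are constructed placeholders.
"""
from urllib.parse import urlsplit, urlunsplit

# Hosts the charity rule rewrites; matched exactly, not as substrings.
SMILE_HOSTS = {"amazon.com", "www.amazon.com"}
# Assumption: the ISP's hijack page lives on this constructed host.
HIJACK_HOST = "dnserrorassist.isp.example"
# Assumption: a constructed stand-in for the page that echoes the referer.
FALLBACK_URL = "https://fallback.example/dnserror.php"


def rewrite(url):
    """Return the URL the browser should load instead, or None to leave it alone."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname is lower-cased and stripped of any port or user@ prefix, so
    # "https://user@AMAZON.com:443/" still matches and
    # "https://amazon.com.evil.example/" does not.
    host = parts.hostname or ""
    if host in SMILE_HOSTS:
        # Only the host changes; scheme, path, query and fragment are kept.
        return urlunsplit((parts.scheme, "smile.amazon.com",
                           parts.path, parts.query, parts.fragment))
    if host == HIJACK_HOST:
        # Landing on the ISP's hijack page: go to the fallback page instead.
        # The browser sends the hijack URL as the Referer, which is what the
        # fallback page prints so the mistyped hostname can be read off.
        return FALLBACK_URL
    return None


if __name__ == "__main__":
    for u in ("https://www.amazon.com/dp/B000?ref=x#top",
              "https://amazon.com.evil.example/login",
              "https://dnserrorassist.isp.example/search?q=doesthisdomainexist.com"):
        print(u, "->", rewrite(u))
```

The subdomain set is deliberately small: adding a suffix match such as `endswith(".amazon.com")` would also catch smile.amazon.com itself and loop the rule, so each host that should be rewritten is listed explicitly.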

Above: This is the plain-Jane message I get when I type in a bad URL, e.g. doesthisdomainexist.com

Redirector settings below. Click for larger image.

[Image: Redirector settings]

Let me know if you have problems. I’ll add more detail to this post as needed.

Dan Dreifort consults on UX and SEO.  I also make music, and enjoy biking and walking around San Diego, when I’m not broken.

Guide: Comparing Arpeggiator Pedals

18 Oct

Tararira, PitchGrinder, AARP, Arpanoid & More!

Wherein Dan talks himself into buying one via this arpeggiator pedal roundup/shootout. (Spoiler alert: I bought the Tararira.)

What is an arpeggiator pedal?

An arpeggiator is a sequencer. A sequencer plays a series of sounds based on a source and parameters set by you, the user/musician. In the case of an arpeggiator pedal, the “source” is whatever you plug into it: guitar, bass guitar, synth, toy, etc. The parameters are the pedal knobs and buttons, controlling things like: pitch, tempo, order, steps, scale, key, etc. We’ll leave it at that for now.

Why do I want one?

Keep in mind: My criteria for an arpeggiator are likely different than yours. That said, they’re fun. I recently picked up an Electro-Faustus Drone Thing, and this guy seems to have fun pairing it with arpeggiators, so…

EarthQuaker Devices Arpanoid

First I saw the Earthquaker Arpanoid. (Link immediately above). I wanted it.

Its small size and lack of a zillion knobs and whistles belie its nifty factor. However, it lacks a few things I’m looking for: per-note/step pitch control, CV or MIDI control, tap tempo, etc. And because it lacks features, it doesn’t so much arpeggiate as it plays scales. At $225, it’s definitely ‘affordable’ in this lineup.

“But what else is out there?” I wondered.

Cooper FX AARP

I fell hard for the Cooper FX AARP (v1) when I saw that same dude playing with it.

AARP stands for Automatic Arpeggiated Repeating Patterns, which seems redundant, right? Also questionable product naming, what with the AARP being a 38-million-member thing, and all. Regardless, the AARP v1 has almost everything I want: tap tempo, eight pitch knobs, etc.

While looking for one, I learned about the upcoming AARP v2, but I’m not as attracted to its menu-driven interface (vs. all the knobbies on the older version.)

Regardless, both AARPs are currently unavailable, and you have to be on your Instagram game to snag one from the limited supply when v2 is released circa Q4 2017 or Q1 2018. Price unknown, but certainly higher than the v1’s $275 price tag.

Dwarfcraft Devices PitchGrinder

At $350, it’s not the most affordable option, and while I like that it crunches the signal down to 8-bit awesomeness, it lacks some features I want (external control, pattern control diversity, etc.). Another cool bit about the PitchGrinder: Its “Glide” knob acts as a portamento effect, controlling whether the pedal jumps or glides from pitch to pitch.

Hologram Dream Sequence

$425. It’s much more than an arpeggiator, but I’m not looking for more-than-an-arpeggiator, and I don’t want to spend that much. Furthermore, the UI isn’t set up for a great arpeggiating UX, if you know what I mean.

But it has midi in and out, and an assignable expression pedal insert, and it’s feature-rich. So maybe it’s your jam?

Bananana Effects Tararira

$269 + $20 shipping. This one might be my jam. It doesn’t break the bank – at least in this space, and speaking of space, it’s small, which is a plus. Each of the eight steps is knob controllable. …And if we’re grading on quantity of buttons and knobs, the Tararira is the clear winner, scoring a whopping 19 in the controller bells and whistles column.

^That was my original blurb on the Tararira. Then I bought it. Additional thoughts:

The Bananana Effects Tararira is everything I hoped it would be. (Fun and weird!) It has just about everything I want in an arpeggiator pedal. But if you want me to nitpick, I could say this:

Added rubber feet for traction.

Par for the course with boutique pedals these days, the bottom of the Tararira is plain ole metal. I added four rubber feet to help it stay in place a little.

The scale, step and divider knobs are smooth-spinning, without a tactile hint when you spin to another value. …So you kind of have to visually know where the knobs are, which is tough because they’re small and black, with scant visual cue as to which number value/setting they’re pointing. I plan to remedy this with a little white paint and a tiny paintbrush, or something. If I find appropriately sized and calibrated clicky knobs, I might solder those in instead. But I doubt I’ll find any. Bananana Effects clearly had to make some minor sacrifices for the sake of size and cost. Worthy trade-offs for most consumers, I think.

I’ve no doubt I made the right choice in picking the Tararira. I look forward to many hours of noise-making weirdness with this pedal. You should get one.

Other arpeggiator pedals considered:

Eventide H9 – Billed as “a complete pedalboard in one pedal,” I find it way too separated from effect controls. If you want presets, this might be for you, but if you want knobbies, not so much. $399 + you may purchase/download additional algorithms (read:fx) for more $.

Line 6 RollerShifter – Near as I can tell, this is a custom-made Line 6 ToneCore module that was never available to purchase. It earned the nickname “talent simulator” on at least one pedal forum.

That’s it. I hope to get up the nerve to buy one of these toys soon. Thanks for reading!

Dan Dreifort consults on UX and SEO. He’s been in hardcore noise-punk band ‘Cat Shit’ for over a year now. Accordingly, he and pals are getting ready to scare trick-or-treaters with noise from: Microbrute, Theremini, Drone Thing, and guitar through sundry fx pedals on Halloween. #LureThemInWithCandy

CheapoDrugs.com Database Hacked?

29 Jan

Not all companies care about privacy

Update: 7/1/2017
If you use CheapoDrugs.com, stop. If you put any faith in the CIPA, stop. Neither of these organizations takes cybersecurity seriously. I don’t consider them good stewards of your or my personal information. Neither organization will address evidence of a breach. …The CIPA at least gave me lip service for a while, before blowing me off.

Is CIPA legit? If CIPA doesn’t hold its members accountable, it’s worthless and you should ignore its recommendations and “certifications”. Check out the Wikipedia entry for more evidence. Malarkey.

Original post follows

For almost 20 years, because I’m a big nerd, I’ve been using unique email addresses for every single website. e.g. the email address I give VictoriasSecret.com is different than the one I use to sign in to Fredericks.com.

When I start getting spam at an email address, I can quickly turn off that one address.

Problem solved. No more spam.

For those of you thinking, “That multi-address thing sounds like an ongoing hassle!” All addresses come into a single inbox. It’s easy. …It wasn’t necessarily easy to set up, but that was forever ago. Who even remembers that? 😉

Canary in an internet coal mine

Anyhow, if I start getting spam to an address, and its content is unrelated to the site/business where I used the address, something is amiss. If it’s a biz/site I don’t care about, I just kill that address. However, when it’s a biz I care about, I let them know. I’m a canary in a coal mine. But much larger, and figuratively in email databases instead of literally in a coal mine. I also lack feathers.

Most of the time these businesses are thankful when I have an opportunity to act as an email canary. They listen. I tell them, “I don’t know how it happened, but somebody got into your database. I don’t know what they didn’t get, (credit cards? social security number?) but I can tell you that they for sure have your email list.”
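The canary check described above, as an added Python example (not code from the post or from any of the companies named): a registry maps each unique alias to the site it was issued to, and an incoming message is triaged by comparing the sender’s domain with that site. The catch-all domain, the alias names, the vendor domains and the two sample messages are all constructed for the demo. It looks at Delivered-To before To, because spam often lists someone else in To.

```python
"""Alias-canary triage: which vendor leaked the address a message arrived at?

Added example, not code from the original post. Assumes a catch-all domain
the reader controls, with one local-part handed to each site. All names,
domains and messages below are constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

CANARY_DOMAIN = "canary.example"  # assumption: catch-all domain, one alias per site

# Registry: alias local-part -> (site name, domains that site legitimately mails from)
ALIASES = {
    "cheapo-2013": ("CheapoDrugs", {"cheapodrugs.example"}),
    "idrive-2011": ("iDrive", {"idrive.example"}),
}


def sender_domain(msg):
    """Lower-cased domain of the From: header, or '' if absent or malformed."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def delivered_alias(msg):
    """Local-part of the canary address the message arrived at, or None."""
    for header in ("Delivered-To", "To"):
        _, addr = parseaddr(msg.get(header, ""))
        local, _, domain = addr.rpartition("@")
        if domain.lower() == CANARY_DOMAIN:
            return local.lower()
    return None


def triage(raw):
    """Classify one raw RFC 5322 message.

    Returns (verdict, site):
      'unknown-alias'  - address not in the registry (guessed, mistyped, or forgotten)
      'expected'       - mail from the site the alias was issued to
      'leak-suspected' - mail from a third party to an address only that site had
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    alias = delivered_alias(msg)
    if alias is None or alias not in ALIASES:
        return "unknown-alias", None
    site, site_domains = ALIASES[alias]
    src = sender_domain(msg)
    # The site's own domain and its subdomains (e.g. mail.idrive.example) are expected.
    if any(src == d or src.endswith("." + d) for d in site_domains):
        return "expected", site
    return "leak-suspected", site


# Constructed sample messages.
SPAM = b"""Delivered-To: cheapo-2013@canary.example
From: Promo Desk <deals@safemedspills.example>
To: cheapo-2013@canary.example
Subject: Your coupon code inside

Save big today.
"""

LEGIT = b"""Delivered-To: idrive-2011@canary.example
From: iDrive Support <support@mail.idrive.example>
To: idrive-2011@canary.example
Subject: Your backup completed

All good.
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("legit", LEGIT)):
        print(name, "->", triage(raw))
```

The verdict is only as strong as the From: header, which a spammer can forge; a message that claims to come from the vendor’s own domain still deserves a look at the Received: chain before the alias is cleared. That is the same reasoning the post applies by hand: the address itself is the evidence, not the sender’s claim.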

How did somebody get our database?

There are three likely routes:

  • One of your employees or contractors grabbed it and sold it or is using it themselves.
  • Somebody hacked into your system and stole it.
  • A computer/laptop with your db and/or email list got infected with malware, which then sent the list to its devious hacker makers.

There are other options, but those three methods account for the vast majority of email leak incidents.

Why oh why is he blogging about this?

Cheapodrugs.com. I used ’em. …And while I still sometimes use Canadian pharmacies for my sweet, sweet drugs, I haven’t used Cheapo Drugs in a few years.

How strange then, that a little over a week ago I started receiving emails to the address I only gave to Cheapo Drugs. Within these emails I’m encouraged to use a coupon code to save on drugs at safemedspills by clicking on a tinyurl.com link. Nope. Not. Clicking. That.

What’s worse, the email contained evidence that the spammers also have access to other Cheapo Drugs’ clients’ information. (Full name, address, etc.)

I emailed Cheapo Drugs and let them know what had happened and shared with them the three possibilities (see above). In their reply, Cheapo Drugs confirmed that, shocker, they had not sent me the spam emails. The only other substance in their missive was, “We guarantee our patients that we do not sell their information to any phishing websites.” …I never said that you sold your address list. Idiots.

I went back and forth with Cheapo Drugs customer support a few more times trying to help them understand, but was met with a stonewall of non-customer-service. I even called and talked to somebody. I’ll spare you the frustrating details and summarize: Cheapo Drugs does not take proof of a database leak seriously. What to do?

Reporting a pharmacy to CIPA

I contacted CIPA, the Canadian International Pharmacy Association. Let’s see if CIPA takes this more seriously than Cheapo Drugs. …It would be hard not to. I’ll report back.

Sidenote: Now that Gmail’s spam filtering is so on fleek, I’ve considered using my gmail address more, in lieu of the system above. However, doing so isn’t as secure as using a different address for every site. Especially if you use the same password for multiple websites. Natch, I use unique passwords for each site, too. hashtag: nerd.

How is responsive design connected to SEO? It’s mobile.

3 May
[Image: the long tail of search. Image by Victoria Jones]

Follow the money and you’ll find that hot trends in design and search engine optimization are tied to our shrinking technology. What’s in your pocket?

This mobile, responsive design, SEO and the long tail article originally appeared on the Geekly Group blog. (Thanks, Archive.org for the save!) (This article is from May 2013.)

The Tale of the Long Tail Search

And Why You Should Have Implemented Responsive Design Years Ago

My latest pocket toy (a 5th generation iPod Touch) is great at taking dictation. I’ve already carefully enunciated two emails into its microphone today. Because I usually work from home and I’m one of the strange beasts to still use a landline, the iPod is my tiny window into the mobile world.

I also have a mobile phone, but while I don’t often lean on my Android, I recognize that more people are using their mobile devices to search for goods and services. I help companies harness this mobile traffic with responsive design, long-tail keywords and other engagement strategies. The ROI is huge, but it can be a tough sell, unless you have the data to back it up.

The Mobile Traffic Writing is on the Wall & the Font is Getting Bigger!

A few years ago I told a mid-market e-tail client that mobile devices and tablets would soon account for the majority of their traffic and business. I said something like, “Time to think about responsive design lest we alienate the fastest growing segment of consumers.” Instead, this client decided that its core demographic (married women over 35) didn’t (and wouldn’t) purchase or research expensive household products on handheld devices any time soon.

I disagreed.

Without a Mobile Crystal Ball, Let Data Make Smart Decisions For You.

The next year I was able to turn to the data. I pointed out that the company’s mobile bounce rate was higher than that of the overall site average. When I again suggested it would be best to use a responsive website design to encourage mobile users to engage, the company decided instead to modify its PPC campaigns.

“Don’t address mobile. Ignore it!” was the company mantra. “Who would use a phone to search for luxury goods?!” They stopped serving ads to mobile devices.

In February 2010, only 5% of this company’s site traffic came from handheld devices. By May 2012 that traffic source had grown to 36%. Shortly thereafter they stopped advertising to mobile devices. By March 2013, phones, tablets and iPods accounted for 45% of their traffic. This is remarkable! Why? Because they’d specifically and actively tried to alienate those consumers.

So what happened? The client finally embraced responsive web design. When I juxtaposed the previously mentioned 45% figure with a random sample of a few other sites’ analytics data, it was easy to see that married women over 35 (or whoever their demographic really was) actually used mobile devices more than the average person.

It took a few years and some good data but this company will soon offer a website that will be attractive, usable and engaging regardless of screen size. Lower mobile bounce rates and higher conversion rates are sure to follow.

But engagement is only part of a successful mobile strategy. Customers must find you, before you can engage them.

How Do Mobile Traffic Trends Affect SEO?

A few years ago we searched with our fingers on a keyboard attached to a PC or laptop. In a few more years, we’ll probably just think about our searches to get things started via a subdermal implant. In the meantime, we’ve begun talking to our devices.

With the advent of Apple’s Siri, Dragon Dictation and Android-based virtual assistants like Vlingo and Skyvi, more of us are speaking our search phrases than ever before. These new technologies are leading to increasing numbers of “conversational-style” searches, or long tail searches. This interesting combination of conversational search phrases and guttural caveman-like searches performed in noisy environments means that the long tail of SEO keywords is now more meaningful than ever.

Pair this new human side of search trends with the ongoing semantic efforts of search engines like Google and Bing and it’s a welcome perfect storm for wisely managed SEO campaigns. Use great traffic research tools to identify slightly longer, more specific search phrases and you’ll find your ROI going through the roof. And you’ll live happily ever after…at least until everybody else catches on.

Robocalls Are Easy To Fix

4 Jan
A Fox 40 whistle from the late 1980s. (Photo credit: Wikipedia)

In early November I received my umpteenth call from Rachel at cardholder services. A few years ago I wasted time filing FTC reports on these jokers in a wholly ineffective effort to thwart their incessant nagging. Of late I’ve instead taken to passive aggressively nagging them back.

How I Used to Deal With Rachel and her Cardholder Services Minions

This time, as is now my custom, I pressed whatever number would get me to a consultant to discuss the urgent scam relating to my credit cards. I then pressed mute and walked away. A few minutes later, per my routine, I picked up the phone to hang it up, but this time there’s a guy whispering all sorts of awesome stuff still on the line. So I listened for a while. He’d just started at his call center job two weeks earlier and had yet to get any training. He was bitching about the people near him and how backwards and horrible everybody and everything about his job was. Very entertaining. (He was using more colorful language than I’m willing to recount here.)

I wanted to un-mute and talk to him but decided not to. What would I have said? “Become a whistle-blower!” These $#%^ing phone spammers are breaking the law and I’d love to see some convictions. Unfortunately I (and likely most call center drones) are unaware of any incentive to blow the whistle on such illegal activity, if one even exists.

FTC Robocall Challenge to the Rescue?

The FTC is planning to spend serious dough on “new and innovative ways to block these illegal calls,” and is soliciting fresh ideas via the U.S.A.’s official challenge website. They’re also offering $50,000 in prizes for challenge winners. But I recognize problems with most of the submissions. They’re either ineffective, costly, unproven, violate basic privacy or show other weaknesses. Solving this problem is as simple as the American dream itself and it’s a bargain too.

Incentivize Whistleblowers

From aforementioned breathy undertones of the underbelly of the robocall world, I was able to infer that call center workers are overworked, underpaid, shown little respect and mistreated. What if we offered cash rewards for proof of illegal telemarketing activity? How much would it take? I’m guessing not much.

What person working at a thankless illegal job is going to turn down a four-figure reward for ten minutes of work? IT WILL WORK. But how will we fund it? While there’s likely already a budget for this sort of thing, I understand that taxing and spending isn’t sexy these days and that we’re to rely on the private sector for things like… money. (?!)

I’ll start. If I win the challenge, I’ll donate 10% of my take to an FTC telemarketing whistle blower fund.

Won’t you join me? (Boring details for my FTC challenge submission follow. Thanks for reading!)

Project Details FAQ

Q: What is required to stop robocalls and encourage whistleblowers?

A: Funding. A website to field scam reports. Small staff to review reports. Initial marketing push.

Q: What about robocalls that don’t provide an option to speak to a human?

A: There are still underpaid minions in these shady organizations. We can turn them from the dark side.

Q: What about robocalls from other countries?

A: People in other countries like cash too. We can turn them and stop the flow of robocalls.

Q: Harumph! I hate government spending! What else would we need to crowdsource the funding?

A: If the gov doesn’t have the ability to do it already, hire somebody to use free, off the shelf, open source scripts to accept donations. Initial marketing push.

When he’s not traveling or making music, Dan Dreifort likes to consult on search and usability. Dan also likes his wife even though she has neglected him for almost four years while she’s been at veterinary school. She comes back in three weeks. Dan is very happy about this.

Best Mozilla Firefox/Thunderbird Add-on

20 Nov
[Screenshot: add-on compatibility checks disabled. This is what you’ll see after enabling your new favorite add-on.]

Disable Add-on Compatibility Checks is a great little add-on for both Firefox and Thunderbird. It makes Mozilla’s rapid release cycle totally tolerable.

If the keeper of your favorite plugin can’t keep up with Mozilla’s zany release schedule, worry no more. Disable Add-on Compatibility Checks does exactly what it sounds like it’ll do. Install it (no restart needed) and head to your Add-ons Manager where you’ll be able to enable previously dead-to-you add-ons. I’ve periodically posted links to several repacked add-ons in the past, but this plugin means I’ll never again have to edit an install.rdf file.

Sometimes Plugins Die, Little Johnny

Occasionally a plugin really and truly can’t be resurrected by this method. Case in point, today’s update to Thunderbird 17.0 killed the Quicktext add-on for good. Sad times. I loved that plugin too! RIP little buddy.

Big kudos to Kris Maglione for making one add-on to rule them all. Thanks!

Updated Extensions for Latest Firefox Update

28 Aug
Firefox. Love it. Hate it. (Photo credit: Wikipedia)

Remember back when Firefox 3.5.17 came out? I’ll give you a clue; it was 2011.

It’s just a year later and the latest version of Firefox (15.0) ships with new features under the hood, including better memory handling for plugins and new “Silent, background updates,” but it’s not enough. When Mozilla switched Firefox to a faster release cycle in 2011, users relying on extensions and plugins suffered. Many jumped ship for Chrome and Safari. Those of us who have stayed either suffer or update extensions on our own. I’m in the latter camp.

Head here to download a zip containing the following usability extensions updated for the current Firefox release:

  • Duplicate Tab – keystroke or context menu to dupe a tab
  • Quick Restart – without shutting down Firefox!
  • Show Go! – Always show the go arrow in the URL window/bar

I’ve posted links to other updated Firefox plugins in the past but I don’t make a habit of it. If you’d like updated versions for any of those, drop me a note in the comments.

Internet Explorer 8 Compatibility View SNAFU

6 Sep

File this one under Microsoft usability nightmares. I was visiting one of my W3 standards compliant pages using Internet Explorer 8 to check for cross-browser layout/rendering consistency when I noticed that IE8 served a pop-up. I was not pleased to learn that I could press the compatibility view button to fix problems in pages made for older browsers. The page looked fine to me. What the hell, I’ll click the button.

Naturally, clicking the IE8 compatibility view button destroyed the layout. It wasn’t illegible, but it really no longer looked professional.

How to force a page into IE8’s standards mode

I found this gem to force pages into standards mode

<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />

Works like a charm. No more annoying pop-up.

Consider adding this to any page/site that’s built to W3 specs.

[Screenshot: IE8 Compatibility Mode pop-up message]
