ANZ on the Security of Email

A while back, ANZ offered me the opportunity to receive some of my statements as ‘e-statements’. While I fully approve of the move away from paper, I must confess I was slightly disappointed to find out that they’d be emailing me notices about these e-statements – one of the big reasons I think Australia (or at least, ANZ) has done well in the fight against phishing is because they’ve simply not ever sent any emails out, ever. Contrast this to a US bank (Wells Fargo) – within days of signing up I’d received a huge variety of emails, making it easy to see why so many US citizens get scammed so easily.

I typically ignore these emails but as part of my ever-growing interest in how email works and how people use it, I checked out my most recent one, and was interested to see the following disclaimer in the email footer:

ANZ does not guarantee the integrity of this communication, or that it is free from errors, viruses or interference. As email is transmitted via the Internet, which is an unsecure environment, ANZ cannot ensure that an email is not interfered with during transmission.

Clearly they’ve never heard of public-key cryptography! Of course, even if they had, and the email was encrypted and/or digitally signed, that last sentence would probably still exist from a sheer cover-their-ass perspective.

Still, I’m looking forward to the day when my bank (and other sites) let me enter in my public key as part of my account settings so all correspondence from them can be encrypted. I’m continually surprised that so few sites do this. I’m keen to integrate something like this into AusGamers – not that we really need it, but just because I think it would be cool to do.

It should be noted though that their emails include /no/ links at all and are sent in plain text.

Event Cinemas/Birch Mobile Site (with XSS holes)

I went to www.birch.com.au the other day to look up some timetables and they’ve replaced it with a new loud glary site that I couldn’t get working instantly. I turned off Javascript and found they have a mobile site as well, which is at http://m.greaterunion.com.au – it offers a really simple interface to quickly get timetables for their cinemas all across Australia.

Except, as jadz0r points out, it appears to be subject to XSS vulnerabilities, so use at your own risk.

Strategies to Mitigate Astroturfing for Forum Owners

Astroturfing (the practice of companies pretending to be ‘regular people’ and posting product or service recommendations on forums or blogs) is becoming a big issue. It’s becoming an increasing pain in the ass for us on AusGamers – as our site grows, we get more people drifting in from search engines on random keywords trying to pimp various products.

Unfortunately for this particular campaign – which is surprisingly subtle, giving the sheer obviousness of most of the others we get – it’s going to backfire, because I’m trying a new strategy. Rather than just blowing the whole post away, I’ve posted a link to a competitor.

We’ve been thinking for a while how to stop things like this. The most obvious strategy is to simply not allow new users to post URLs. This is what we’ll probably end up doing – before a user is allowed to post a URL, they must have at least (say) 10 regular posts to prove they’re actually interested in contributing to the community. The number will probably have to be tweaked a little.

There’s a bunch of other ways – approving first posts by new users, stopping them from creating new threads altogether, etc. At the end of the day I think the require-some-posts method works for us because we want to encourage a community of active users that regularly post useful information, and post counts are a simple (if not completely accurate) method of deriving some base level of trust – if they’ve got 100 posts, they’re more likely to be useful (simply because they haven’t been banned for astroturfing).
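A site-side version of the require-some-posts rule, as an added example (not AusGamers’ code): a post containing anything link-like is rejected until the member has the threshold of 10 prior posts. The URL pattern, the threshold constant and the decision labels are assumptions; the pattern is deliberately broad, since a false positive only holds a post back.

```python
import re

# Minimum prior posts before a member may include links at all (the "(say) 10"
# from the post; tune per community).
MIN_POSTS_FOR_URLS = 10

# Constructed pattern: http(s)://..., www.host..., or a bare host.tld with a
# small set of TLDs. Broad on purpose: catching a legitimate link is cheap,
# missing an astroturfed one is not.
URL_RE = re.compile(
    r"""
    \b(?:https?://|www\.)\S+                                   # scheme or www.
    |\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|biz|au|uk|io)\b
    """,
    re.IGNORECASE | re.VERBOSE,
)


def find_urls(body: str) -> list:
    """Return every link-like token found in a post body."""
    return [m.group(0) for m in URL_RE.finditer(body)]


def check_post(body: str, post_count: int, min_posts: int = MIN_POSTS_FOR_URLS) -> tuple:
    """Decide whether a submitted post may go live.

    Returns (decision, reason): "allow" when the post has no links or the
    member has earned link privileges, "reject" when an account below the
    threshold tries to post links.
    """
    urls = find_urls(body)
    if not urls:
        return "allow", "no links"
    if post_count >= min_posts:
        return "allow", f"{len(urls)} link(s) from member with {post_count} posts"
    return "reject", f"{len(urls)} link(s) but only {post_count}/{min_posts} posts"
```

Obfuscated forms such as “example dot com” pass this check, which is one reason a first-post approval queue is still worth keeping alongside it.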

Chase Bank’s Email Security

For a few months I’ve been getting emails from Chase, which appears to be a financial establishment of some kind. These emails are addressed to a ‘Barbra Harrison’, who is not me. These are coming to my Gmail address – a fairly common occurrence, as many people mistakenly think they own my Gmail address.

People not knowing their email address – or simply mistyping it by accident – is a ridiculously common occurrence. In fact, I was working on how to mitigate it on AusGamers just before writing this. It seems a little scary though that people would screw up their actual email address in anything related to their bank or financial institutions.

But what’s worse is the emails don’t provide me with a clear way to notify the bank that they’re coming to the wrong place. I’ve tried replying to them a few times (despite the notice saying they won’t read them – sometimes they do). I’ve tried navigating their website, but it’s a maze and the only way I can seem to do it easily is to either log in with the account details of Barbra (which I might be able to retrieve as I am in control of the email address she submitted for her online account!), or call them.

I was a little amused when I got this email from them today:

[Image: chase-email-security]

I decided to spend a bit more time reading the email to see what my options are. I can unsubscribe from mailouts – which I don’t want to do, because my email address might still be attached to Barbra’s account, which is not great for anyone. I can report it as fraud, which I don’t want to do because it’s not really appropriate.

The FAQs have one useful question: “I don’t have an account with Chase, but I’m getting e-mail about my Chase account. How does that happen?” The answer to that, however, assumes that I’m the victim of a phishing attempt. I’m confident that is not the case here.

They have an email address for other inquiries – emailquestion at chase.com. I always feel like mailing addresses like this is a total waste of time, but I’ll give it a go – for Barbra.

Update: emailquestion@chase.com bounces:

The original message was received at Tue, 4 Aug 2009 20:44:45 -0400 (EDT)
from sg3.svr.us.jpmchase.net [155.180.248.7]

----- The following addresses had permanent fatal errors -----
<t000900@gti0s025.svr.bankone.net>
(reason: 550 5.2.0 /var/mail/t000900: irregular file)

They sure make it hard.

Screenshot a Web Page from the Command Line

If you ever need to take a screenshot of a website then CutyCapt is probably worth a gander:

CutyCapt is a small cross-platform command-line utility to capture WebKit’s rendering of a web page into a variety of vector and bitmap formats, including SVG, PDF, PS, PNG, JPEG, TIFF, GIF, and BMP.

Doesn’t seem to be able to pick up Flash objects though and save them (which makes sense, as it’s just a simple renderer based on WebKit), but it’s still pretty handy.

LinkSys Newsletter’s One-Click Unsubscribe

I signed up for the LinkSys forums ages ago to whine about the problems with the WAG-325N series of devices.

I’m usually pretty careful when signing up for new sites to uncheck all the “send me email” boxes – I get enough email already. So I was a bit surprised this morning when I received what looked like unsolicited commercial email from LinkSys to my Gmail address: “the first issue of Linksys by Cisco e-newsletter, Connections.”

Determining the difference between actual spam and sneaky company tactics is a little tricky. Most people probably don’t care and just hit the ‘report spam’ or ‘junk’ or whatever it is in their email client. As a discriminating email nerd though I take the time to figure it out, because it’s often only a few extra seconds of reading and thinking, which I can generally justify.

In this case I decided that this probably wasn’t real spam and instead was either LinkSys being a bit lame and sending me unsolicited email because I’d signed up to their forums, or perhaps I did check the box that says “send me your stuff” – or maybe I missed something in a 400 page Terms and Conditions document that said by signing up it means they can send me email anyway.

At this point, who cares, right? I either want to keep getting the emails or I want to ditch them. My usual practice then is to just scroll immediately to the bottom of the email and look for the unsubscribe link. I saw this:

At first I just saw “managed subscriptions” and groaned internally, because that generally means it’s a multi-step process to unsubscribe – slow and painful. Then I saw the “one-click unsubscribe” link!

Being able to immediately and simply unsubscribe from email services is really, really important. This sort of link – a clearly labeled link that actually does what it says, instantly and quickly, is something that should be in the bottom of every single email you’re ever sent from a service.

Akamai’s Non-Open “Open Video Player” Initiative

I just got an email from Akamai announcing the launch of their Open Video Player initiative. I was immediately interested as this is something that I think the Internet really needs, because at the moment we’re mired in a horrible mesh of closed-source, proprietary systems like Adobe Flash and MPEG-4. With Microsoft pushing Silverlight as an alternative, the landscape isn’t really shaping up to look any better.

Unfortunately, despite the wording of the email and the official website with gratuitous use of the words “open” and “standards”, the end result appears to be nothing more than a bunch of resources to help you make generic video players using the same old proprietary technologies we’re using already – Adobe Flash and (heh) “Micorosft” Silverlight.

They also throw around the term “open source”, and have a SourceForge page for their Open Video Player (which includes two download options, Flash and Silverlight).

Now, there’s pretty much fuck-all documentation on the website about it – their “Resources” link in the menu just gives me a page full of videos that no sane person will want to watch. There’s no FAQ and their blog and forums links just go to their (as yet almost unused) SourceForge pages. A quick glance at the documentation and downloads seem to indicate there’s just a bunch of pre-defined classes and methods for getting video working relatively quickly, as well as a bunch of interfaces to (unsurprisingly) Akamai’s services.

I’m not exactly sure what they think is the standard they’re attempting to create here though. This looks like a thinly-veiled attempt by a bunch of commercial partners to increase their proprietary lock-in on one of the fastest-growing parts of the web – video.

Adobe already rule the roost with their system, so they get some sheen from being associated with this new “open, standard” system – having a solid, free, open source player (that hooks into Akamai for content distribution) can’t hurt them. Microsoft get more exposure for Silverlight, which they’ll start pimping desperately soon, no doubt. And all the other media and advertising partners get exposure as well for their various products and services.

And, of course, Akamai seem to get the most out of this by having a stack of players pre-programmed to support their network. So kudos to them for this as a marketing exercise. But bullshit has to be called on their attempt to try to declare this as a standard.

This “initiative” does nothing to help the web standardise on video. It MIGHT mean a more standardised experience for users as there will be more people using these free players. This, in itself, is a commendable achievement – releasing robust and flexible Flash and Silverlight applications as open source (although it should be noted that I can’t find any mention of what license these things are released under; it’s not included in the Flash download and I can’t see it on SourceForge or anywhere on the official site) will help a lot of people add video into their site.

Of course, if you’re making video and want people on the web to see it, you’d be mad not to use Flash at the moment. It has the highest install base, works on a pretty wide variety of systems, and (as much as the mass market gets used to anything in software), people are used to it. So the Flash player might be worth a gander anyway, but just don’t delude yourself into thinking you’re doing something open and standards-based just because a big company told you that you are.

The real standard

For those of you that are still holding out hope for a truly open video experience on the web – the HTML specification draft now includes a tentative mention of a new VIDEO tag, and the goal is purportedly to ensure that their recommended standard is completely open, to the point of using open source and non-proprietary codecs like Ogg Theora for video and Vorbis for audio.

A quick Google search indicates a few people (like this guy) have gotten Theora working in Firefox, and Opera have been strong proponents of it for a while now.

Still, there’s opposition to it. Nokia made a fuss a while back by opposing inclusion of the Ogg stuff in the video tag (here’s some commentary about it).

But at the end of the day, it’ll be best for users if we have a truly open standard for web video – Akamai’s initiative is not it.

Completely Accidental Privacy Violations

I have a Gmail account which is based on my real name. Since the advent of the Internet, I realised just how common my real name is around the world, which really should have come as no real surprise – but for some reason it did.

Gmail doesn’t pay attention to full stops in email addresses. That is, alicebob@gmail.com is the same address as alice.bob@gmail.com. This was reported ages ago and has been the subject of a lot of discussion, because it seemed like a bug – why would you want to get email that’s not addressed exactly to you?

At least one other person bearing my name has signed up for a Gmail account. Not an unreasonable thing for them to do. They no doubt got through the sign-up process with few problems and managed to create a Gmail account.

Or at least, they think they did. Unfortunately, they also think their email address is the same as mine (albeit with a full stop in the middle of it somewhere). Not a real drama, until they start giving that email address out to friends and family and using it for things like hotel reservations and business.

After all my time on the Internet, I’m long accustomed to getting email that I don’t want. I get literally hundreds of spams a day to my work and personal addresses that I ignore more or less completely.

However, emails like this tend to bust through my spam filter, because they’re often very similar to actual emails that I’d get myself. They’re definitely not spam, but they’re definitely emails that shouldn’t have made their way into my inbox.

I go to pains to NOT read these emails, and almost always hit reply to let the sender know (after a quick check to make sure they’re not spam that crept through) that their email was misdirected. When it’s a personal email or something from a business contact, I usually get a reply thanking me. But when it’s an automated email from a mailing list or some other non-human sending process, I’m a little bit torn about what to do.

I don’t really want to get any more emails from here, but often my only recourse from an automated email is to click a link in it that takes me to some sort of online profile, helpfully logging me in to someone else’s account. While there’s probably no real damage I could do (I’m sure, for example, that I couldn’t get my alternate namesake’s credit card details), if I was a little more malicious I could probably at least make his life a little uncomfortable or embarrassing.

Needless to say, I don’t want to do that. I just want the emails to stop. So this raises the question – can I ethically (and legally) claim some ownership of emails that are accidentally sent to an address that – while it isn’t mine per se, is still delivered to me – so that I can try to make sure the sender knows they’re sending it to the wrong person?

Case study:

My alternate namesake created a profile on an international dating site. He, no doubt, put in all sorts of personal information into this site. I could have probably gone in and messed with his profile and made him a she-male seeking furry companionship or something, but instead I went through this arduous and painful process of trying to contact the site through normal means to ask they take me off.

This process took weeks – they floundered around for a while trying to verify it, told me they’d removed me, I still got emails every few days, floundered around again, etc.

It would have been vastly easier for me to just log into the guy’s profile and delete his account. But I couldn’t do that – even though he’d used my email address to (somehow) create a profile, it wasn’t my account.

While I went through the process then, this guy just keeps signing up for services using my email address – thinking it’s his. I’m getting all sorts of stuff I don’t want. At some point, I’m just going to start deleting them, meaning they’ll go into a black hole until he finally figures it out.

I’m sure this is happening to a lot of other users. It’s crazy how much personal information I could have obtained from this guy without him even having the slightest idea about it – if I was maliciously inclined.

Obviously, you should be careful when deciding when to give someone your email address – the last thing you want is spam or more useless crap filling it up. But remember – also be careful that you’re giving it to them correctly, because it’s probably worse that your personal and private information is going to someone completely different.

David Harrison of the UK, I’m talking to you.

(Further – as a web developer-type, I find it somewhat objectionable that several sites have let this guy sign up to various emails and services without first verifying his email address.)
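The site-side check that would have caught this, as an added example (not code from any site mentioned in the post): canonicalise addresses using the Gmail dot rule described above, so a sign-up that delivers to a mailbox already on file is flagged for confirmation rather than trusted. It goes one step beyond the post by also dropping a “+tag” suffix, which Gmail likewise ignores; the function names and the sample registered list are assumptions.

```python
from typing import List, Optional

# gmail.com and googlemail.com deliver to the same mailbox namespace.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(addr: str) -> str:
    """Return the mailbox an address actually delivers to.

    For Gmail the local part is compared with dots removed (the rule the post
    describes) and, beyond the post, with any '+tag' suffix removed, since
    Gmail ignores that too. For other domains only the domain is case-folded:
    the local part is the receiving server's business, so it is left alone.
    """
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when two spellings reach the same inbox."""
    return canonical_address(a) == canonical_address(b)


def signup_warning(new_addr: str, registered: List[str]) -> Optional[str]:
    """Flag a sign-up whose address reaches a mailbox already on file.

    A site that verifies addresses sends a confirmation link before trusting
    the form; this catches the 'same mailbox, different spelling' case before
    any mail goes out at all. Returns None when nothing collides.
    """
    target = canonical_address(new_addr)
    for existing in registered:
        if existing.lower() == new_addr.lower():
            continue  # literally the same string: a duplicate, not a collision
        if canonical_address(existing) == target:
            return (f"{new_addr} delivers to the same mailbox as the registered "
                    f"{existing}; require confirmation before sending anything")
    return None
```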

Better Image Resizing in Firefox 3

As I am extremely lazy, I often put up images on AusGamers and just use the image tags “width” and “height” to resize the image to make it fit how I want (rather than doing the correct thing and resizing the image correctly).

This generally results in the image looking like crap – at least in Firefox 2 and other old browsers – presumably because the browser uses an image resizing algorithm focusing on speed, rather than quality, so it looks something like this:

You can see – especially around the blue box with the question mark – there’s some ugly jagged bits in there. Typically, I wouldn’t be able to stand looking at those horrible flaws and would then be inspired to upload a correctly resized image.

Safari, however, does a better job and resizes the image much more nicely:

And as I discovered recently, so does the latest Firefox 3 beta:

So, net result is good news in that you can now lazily include an image that isn’t correctly sized and not have it look completely terrible. If you don’t mind assuming everyone is using a modern browser, of course.

“RSS has no value without a filter”

I thought this article by Publishing2.com writer Scott Karp was particularly interesting, as it was basically my thought process more than a year ago when I decided a Bayesian RSS filter would be the only way to fly:

Here’s the simplest way I can put it: There is NO value to having information come to you in one place when the result is TOO MUCH information for you to sift through.

Or even simpler: Without a filter, RSS has no value.

It was this exact sentiment that led to the conception of FeedZero.