This is a quick post – let’s compare Dropbox new TOS lines about the license you give them when you upload “stuff” to the service:

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services.

with Box.net’s same lines about the same license you give them:

By registering to use the Services, you understand and acknowledge that Box.net and its contractors retain an irrevocable, royalty-free, worldwide license to use, copy, and publicly display such content for the sole purpose of providing to you the Services for which you have registered. In the event that you give Box.net the right to distribute your content, additional terms may apply to Box.net’s usage or distribution of this content.  You continue to retain all ownership rights in any User Content you provide and shall remain solely responsible for your conduct, your User Content, and any material or information transmitted to other Users for interaction with other Users.  Box.net does not claim any ownership rights in any User Content.

Box.net is asking for a license to use, copy and publicly display your content, whereas Dropbox goes much further, asking for rights to distribute (which is not the same as copy), prepare derivative works, and perform (eg. play in a concert!?). The wording in bold on Box.net’s TOS is key, however, as it clearly states that this license is used for the sole purpose of providing the service you ask for. Dropbox, in turn, says extent reasonably necessary, which is extremely vague.

You said everyone else

Indeed, let’s take a look at Amazon S3′s TOS, where clause 8.2 states:

Your Submissions will be governed by the terms of the Apache Software License, unless you specify one of our other supported licenses at the time you submit Your Submission.

Does this mean your uploaded content becomes open source somehow? I’m not entirely sure how to read this one, maybe a lawyer could chip in.

Finally, a snippet from one other large cloud storage provider, Apple, and its MobileMe/iDisk TOS:

Except for material we may license to you, Apple does not claim ownership of the materials and/or Content you submit or make available on the Service. However, by submitting or posting such Content on areas of the Service that are accessible by the public, you grant Apple a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify, adapt, publish, translate, publicly perform and publicly display such Content on the Service solely for the purpose for which such Content was submitted or made available. Said license will terminate within a commercially reasonable time after you or Apple remove such Content from the public area. By submitting or posting such Content on areas of the Service that are accessible by the public, you are representing that you are the owner of such material and/or have authorization to distribute it.

This one is probably the one I’d be most comfortable with, as it specifically mentions that the license applies only to content placed in areas accessible to the public, such as your “Public” folder, and that the license is solely for the purpose for which the content was uploaded, eg. sharing it with the rest of the world.

To be honest, this smells of a lawsuit gone bad resulting in bulletproofing a service, maybe someone noticed his files were being served from servers in another country and sued the storage provider on non-permission to copy/distribute grounds. Then, every other lawyer copied the TOS to match. Remember that case with a woman spilling hot coffee on her lap, resulting in all take-away coffee cups showing large “this stuff is hot” labels? Yeah, exactly. There are some great posts on this topic on J. Daniel Sawyer’s blog, and on UtestMe here.

I’m going to keep this short and simple. Apple is going to buy Twitter  – here’s why:

1. There have been very few cases of such a deep level of integration into iOS with a service provided by a company many orders of magnitude smaller than Apple.
2. When such integration has taken place, but Apple didn’t acquire the company, it eventually replaced its service. Example: Skyhook & Google Wi-Fi based geolocation, now replaced with Apple’s own database.
3. Apple needs a secure way to counter-balance Facebook (thanks @om for that one!). If Twitter remains an acquisition target much longer, Facebook or Google could reel it in.

Now I just wonder if @jack will want twtrr.com back… (yeah, out of a freak coincidence, I own that one!).

This post is triggered by a Twitter exchange started last night with Glenn Fleishman on the subject of how heat affects wireless communications. His initial tweet was:

I’m not getting the love. How does high temperature prevent Wi-Fi signal propagation?

followed by others,

Ok, the stupid “temperature affects Wi-Fi” story? I read the report. The report is talking about all tower-based wireless comm (1/2)

and it says that heat could affect transmission distance (implies this), but also that heat might damage towers/backhaul (2/2)

It referenced an article on The Telegraph which quotes Caroline Spelman, UK’s Environment Secretary, saying:

The signal from wi-fi cannot travel as far when temperatures increase. Heavy downfalls of rain also affect the ability of the device to capture a signal.

The first statement is misleading and even FUD-like, while the second is true – I have personally witnessed a statewide TETRA network go down (over 200 base stations) when a heavy thunderstorm sat on top of the SwMI, with rain curtains killing all outbound wireless links (hint: star topologies with a central switching node are a no-no).

Quoting the report itself (click for larger version), four things are notable:

The first being:

Location/density of wireless masts may become sub-optimal as wireless transmission is dependent on temperature.

Cellular service and hot air

The phrase above, in my view, implies wireless services that rely on frequency re-use as part of their inherent design, such as cellular telephony and TETRA, for example. These networks are called cellular for a reason, as they are designed in individual cells with shape and coverage made to fit into a puzzle. A graphic explains this much better:

Here, we are using four frequencies to serve a total of eight cells. As can be seen, no neighboring cells use the same frequency, so the spectrum usage efficiency is doubled in this particular case. In designing cellular networks, one can increase the density of cells by decreasing their coverage, and thus increasing the capacity of the network. In a city it’s common to find cells covering 300m, whereas in rural areas I’ve been registered on cells as far as 27km away.

The coverage of each cell is configured by careful handling of parameters such as power output and sectorization using panel antennas. The following graphic illustrates how sectorization and power management helps shape a cell’s coverage (source: University of Washington in St. Louis)

With all this in mind, how could heat possibly affect the arrangement of cells in a way to make their location and density “sub-optimal”? Take a look at this:

The heat output from the chimney is causing visible light to refract, as the density of air above it changes with temperature. This is an extreme example, but illustrates the idea of the report’s claims. Visible light falls on the high end of the radio spectrum, so if it can be affected by air density, so can lower frequency wireless signals. To make a point clear,

Heat doesn’t affect electromagnetic radiation (wireless signals), density does.

A very interesting observation can be found on Rob Flickenger’s Wireless Hacks, published by O’Reily:

This displays radio data for a one-mile link, averaged over several days. You can see that in the middle of each day, the signal drops by as much as 6 dB, while the noise remains steady … The repeating pattern we see indicates the effect of thermal fade.

What they did was control the signal strength of a one-mile wireless link over several days, and noticed that during periods of higher temperature (and thus lower air density) the signal strength dropped considerably.

Thermal fading could end up being a problem in cellular networks. Refraction by density variations could affect the path of wireless signals, causing interference not by ‘range’ changes but by interference on the same frequency. Secondly, decreased density due to increased temperature could result in coverage ‘holes’ at the edge of cells, which if compensated simply by increasing output power, could then result in interference with other cells when the density decreases.

Let’s go with the second one:

Reduced stability of foundations and tower structures.

Frankly, having studied materials engineering, I fail to see how an increase of even a few degrees could compromise a tower structure.

Third:

Increased damage to above ground transmission infrastructure.

This ties in with the previous one, the only obvious issue being the increased ventilation requirements for wireless infrastructure. They have cellular networks in Dubai, which is way hotter than the UK will ever be…

And finally:

Possible reduced quality of wireless service.

In turn, this ties with the first issue – the fading problems discussed can indeed affect the quality of cellular networks.

However

Your home Wi-Fi will NOT be affected by thermal fading significantly enough for you to notice. Temperature gradients inside a home are not capable of bending your Wi-Fi signal towards the neighbor and away from your laptop.

The report, while mentioning possible issues in wireless services, fails to mention them again, and fails to provide any deeper analysis of the issues listed, or possible solutions.

Finally, Glenn later said:

Range, not re-use.

The problem, in my view, is with systems that re-use frequencies. On a single-site system, you can just increase power to compensate for any losses due to density variations, and you’re done. On a cellular system, you simply cannot do that. I feel Glenn admits to this when he tweets

@alfwatt Anyway, she said Wi-Fi, but the report is talking about cellular infrastructure.

Cheers!

After reading about Sony’s major clusterf… cock-up on their PSP network breach, and how up to 77 million accounts could have been stolen, including credit card data, I propose a method to cure the generic problem of storing customer payment details for recurring billing, such as subscriptions or subsequent purchases.

Step 1. Payment gateway provides business with an individual public encryption key

Upon setting up a payment gateway for processing credit card payments, the business, in this case, Sony, would be issued a public key – be it by the bank if they deal directly with them, or a payment gateway such as RBS.

Step 2. Business encrypts credit card data with public key before storage

PCI DSS specs for storing credit card data securely call for very strong access control, encryption and accountability, but this is not viable against sloppy employees, loss of encryption keys that protect the card data, and so on. Once you have a break-in, if you keep the keys to the safe in the office your valuables are completely naked. With a public key, you are effectively storing the safe’s keys somewhere else. This is how the process works, schematically (click for large size):

Step 3. User makes a purchase

Once the user decides to make a purchase, or has to be billed for the month’s service, the business pulls the encrypted credit card data off its database, combines it with the purchase price and other required information, and sends it to the payment processor for authorization. The payment processor can decrypt the credit card data with its private key, and can thus process the transaction normally:

What does all this solve?

• Users only hand over their credit card data at the start of the relationship, and the data is never stored by the business/merchant.
• Merchant doesn’t keep credit card data that can be recovered, even by a corrupt employee or full-blown data breach.
• Encrypted card data cannot be used in replay attacks in other places, or by other merchants, as the public-key is issued per-merchant.
• If a breach takes place, all the payment gateway needs to do is to revoke the public key and destroy the private key, thus card data cannot be compromised.

All this would obviously cost time and money to implement, but in my view it would be a big step forward in keeping customer credit card data secure.

It appears that GoGrid has suffered a security breach, which has resulted in exposure of costumer information, including credit card data. I have just received this from GoGrid’s CEO John Keagy via email:

Dear Valued Customer,

In the normal process of reviewing our system activity, our Security Team discovered that an unauthorized third party may have viewed your account information, including payment card data [my emphasis]. We immediately took action to protect our customers, including notifying federal law enforcement authorities, who have since seized the computing equipment and records of the single individual suspected of this misconduct. The criminal investigation is ongoing, and we will continue to assist the authorities in working toward a successful prosecution.

The security and reliability of our platform is fundamental to our business, as is the trust and faith that our customers place in us. We have completed a rigorous audit conducted by a leading security firm. There were three important findings that lead us to believe the situation has been contained:

1. The method utilized by the suspect to gain access has been identified and remediated.
2. It appears that the suspect’s sole motive was to acquire free services from us. We have no evidence suggesting that the suspect was targeting customer infrastructure or payment cards.
3. We have no indication that any customer information was shared with any other unauthorized parties or that there has been unauthorized use of any cardholder’s data.

In addition, we are instituting a series of new measures designed to further enhance security. Any information that you may need in order to comply with these measures will be communicated through the user portal and the support ticketing system. As an added precaution, affected cardholders will receive a letter in the mail offering credit monitoring services at our expense.

Client privacy, confidentiality and security are central to us. We greatly value your business and apologize for any inconvenience this causes. If you have any questions related to any of the above, please contact our Customer Service Team at [phone # redacted] or [phone # redacted] or via email at [email redacted].

This would be rather worrisome were it not for the fact that I signed up using a virtual credit card, specifically, a MasterCard issued by my local bank, La Caixa. What is more worrisome is that during the signup process, I had to endure a series of checks and verifications so that GoGrid would accept this virtual card as a method of payment.

Round 1

After signing up, which requires entering your credit card details, and taking up their offer of $100 free credit towards a virtual server and storage service, I received this email:

Dear Customer,

Thank you for choosing GoGrid!

Your order has been queued pending verification of your contact information.

Please Reply to All with the following information:
1. Business Name:
2. Full Contact Name:
3. Telephone Number:
4. Billing Address:

Once your information is verified, your order will be processed. Feel free to reply to this message if you have any questions.

Nothing out of the ordinary, so I replied with the required details, and waited. A few hours later, I emailed to enquire about the status of the process, and received a reply as if they hadn’t received my original answer. Second copy of the questions sent, more wait time.

Round 2.

Continue Reading…

I’m writing this in response to VeriFon’s “open letter” regarding the security, or lack thereof, of the Square credit card reader device, as I hate seeing a good-natured startup get bashed by a competitor worried that it may catch up or even overtake its business. The whole thing has been commented on TechCrunch and GigaOM already, and it’s making rounds in Twitter. First, an analysis of the VeriFon statement.

An open letter?

Today is a wake-up call to consumers and the payments industry.

No, the wake-up call came when the first carders started hitting the credit card industry years ago.

In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader.

Why would anyone waste the time to do so? There are ‘skimmers’ designed exclusively for the task of stealing credit card data, and what’s even more curious, they’re available right on eBay (more on this later).

A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.

A criminal doesn’t need to sign up for anything, he can just buy a purpose-built skimmer, and start “working”. Skimmers are used, for example, by bartenders, in parallel to the legitimate POS tool that processes the payment. It takes a second to swipe the card through the skimmer, so any time the card is away from the owner’s sight, makes it ripe for stealing. It is logically stupid to have skimming device and legitimate payment processing device in the same device. Let me write that bigger, as it is an important point.

It is universally stupid to place skimming and legitimate readers into the same device.

As an example, one would think – why haven’t bank-issued POS devices been hacked to skim cards while performing their legitimate duty? Same would go for the Square solution – the reasons:

1. The corrupt employee needs to dump the skimmed card data. He needs to take the device away with him, or connect it to a PC for download. It looks mighty suspicious to connect your restaurant’s POS terminal, or the iPhone given by your employer, to a PC, never mind walking away with it every night.
2. Legitimate devices come with tamper-evident seals, upon inspection by the bank or a maintenance agency the game will be up.
3. Criminals need to duplicate the legitimate functionality, which means connecting to the payment gateway. This requires testing to verify functionality, which generates noise – and attention – during development.
4. In many cases, to duplicate the legitimate functionality, the criminal would need to extract signing and/or encryption keys that verify authenticity against the payment gateway. This is a PCI requirement in every implementation I have seen, and would mean the keys themselves have been compromised.
5. If the skimmer is the owner of the business, which moots some of the above points, he is so dumb he deserves to be caught. And he will.

[Update] Some say that skimmers have been found inside POS devices, true – but this is different from modifying their logic, one can add a card reader in parallel, which is then removed via an access door and taken away, or add cables that take the card data to a secondary remote device.

The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.

Repetition – also, the note about being poorly constructed is a highly objective observation. It is cheap and no-frills, but this doesn’t mean it is poorly constructed too.

And because anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card.

This is false – just like a restaurant cannot masquerade as a fake restaurant, complete with plastic food, just to skim cards. Nobody in their right minds will give the card to a stranger, unless it is involved in an actual payment. An actual payment requires at least some level of background checks on those receiving the payment. Matching skimmed cards to a source is extremely easy once a pattern of payments vs. skims is established. Many skimming employees get caught this way, and they are using other devices to skim – the rate would go up if they used the method proposed by VeriFone!

Consumers who hand over their plastic to merchants using Square devices are unwittingly putting themselves in danger.

Unless they take the same precautions as they do when they hand over their plastic at any other location.

Today we are handing a copy of the application over to Visa, MasterCard, Discover, American Express, and JP Morgan Chase (Square’s credit card processor), and we invite their comments.

Square has most likely already gone through PCI audits and checks to become a payment gateway. This includes a full description of their operation, which is no different than many POS terminals using COTS readers that dump card data over RS232 or USB links. I have personally implemented such a system, and it was accepted under PCI rules and put into service. The security isn’t between the reader and the application, but between the application and the rest of the system. If the application itself is corrupt, it is very easily caught and dealt with.

Secure payment systems, like those provided by VeriFone and other credible providers which adhere to the highest level of security practices, are critical in protecting consumers, merchants and banks.

Ah! Finally, the real motive of the “open letter” – none other than to remark that VeriFone is a competitor and provides secure payment systems. And that it is scared about competitors like Square.

There is great promise in the future of mobile payments and our innovations will help drive the industry forward.

Even more self-promotion, not in the spirit of an open letter. An open letter is open precisely to promote commentary and criticism, not to sell one’s own products or ideas.

Security by FUD

The “open letter” also has an elaborate video attached, with careful editing and effects, something that has taken time and effort. It looks like one of those ads thrown by politicians when they get into mud-slinging matches before elections, while not bringing anything new to what is said in the letter. [Update] The video has been removed by YouTube due to TOS violations. VeriFone has re-uploaded it to Brightcove – showing further intent on causing damage to a competitor, rather than making the industry more secure.

In addition, VeriFone has gone through the trouble of registering a custom domain name, sq-skim.com, which was registered through GoDaddy, and even further, uses GoDaddy’s Domains By Proxy privacy service to cloak who is behind the domain. VeriFone should note that should a slander lawsuit be brought up, these privacy services are worth nothing, as the original records can be requested by the court. It looks really bad to register a domain name, which in part contains your competitor’s abbreviated name (“sq” for Squared), and joins it with a word full of criminal intent such as “skim”. It would appear that Square is selling skimming devices, and not a payment solution that competes with VeriFone’s.

Finally, the letter lists “resources”, which are nothing but a bunch of links to marketing papers, articles negative towards Square, and “news” regarding skimming. The final touch is a “Be Secure Now” box with a big blue button that reads “Sign up for PAYware Mobile”. All this makes the whole thing stink even more of a mud-slinging in an attempt to kill a competitor.

Wait, skimmers for sale on eBay?

Yep. There are skimmers for sale on eBay. Search for “card skimmer” and you’re presented (albeit with no direct results) with related searches such as “bank skimmer” or “credit card skimmer” (click for large version):

Search instead for “portable card reader”, and you’re presented with a wide selection of small, battery powered magnetic stripe readers, such as this one (click for large version):

It’s an irony that eBay provides buyer protection against an item designed to scam buyers at physical retail locations.

The listing is even so helpful as to show a picture of an actual Bank of China credit card being swiped through the reader, showing its really small size!

Major selling points and features are listed, but some are particularly striking for something that would pretend to have a legitimate use:

512 K bytes memory for storing more than 2,000 records of data

OK, so we can fit 2000 credit cards into this tiny thing. Useful.

3-track version can collect all three tracks data…

Meaning all the information needed to make a physical clone of a credit card, including the CVV1.

Password Protection defends user

… from law-enforcement officers trying to see what the waiter or gas station attendant had dumped onto the device, surely. Useful to deny criminal use of the thing. A self-destruct or auto-wipe button would be even better.

Transfer data to MSR206, MSR605 and MSR606 directly

This is a real kicker – transfer the skimmed credit card data directly to the magnetic stripe encoder models of choice in the carder “industry”! This means you don’t even need a computer to make physical copies of stolen credit cards, just connect the two devices and go!

Bi – Directional

So it’s eyes-free, battery powered, no need to pay attention while you swipe the customer’s card under the counter while he’s not looking.

My question to VeriFone – why don’t you write an open letter to eBay about the blatant trading of what are evidently skimming devices? None of the above ‘features’ can be found on Square’s device. Maybe register ebay-skim.com in the process. I just checked on GoDaddy, and it can be yours for just $11.99:

If you are positive that your UPS is correctly connected (check System Profiler etc.), then look for a ‘dummy’ kext installed by apcupsd, an alternative UPS monitoring tool, here:

/System/Library/Extensions/ApcupsdDummy.kext

If found, simply

sudo rm -rf /System/Library/Extensions/ApcupsdDummy.kext

and reboot your Mac.

Que me digan lo que quieran – que si cumple con la norma de decir que se trata de un servicio de suscripción, eso sí, en letra minúscula, que si tiene la casilla de “he leído las condiciones de la oferta” con un enlace a unas bases que nadie se lee… Zed, o Club Zed, se dedica a captar ‘clientes’ mediante tácticas como mínimo engañosas, si no directamente fraudulentas. Veamos.

Consigue un iPhone 4 gratis

Una vez pasas del anuncio de 250×250 en cualquier página, te encuentras con ésto (haz click para ver la versión a tamaño real):

Antes que nada, el obligatorio asterisco [1]. El texto, “Enhorabuena”, “Llévate, antes que nadie, este iPhone 4 GRATIS”, induce al error. Ya que la “promoción” se trata de un concurso, debería decirnos, por ejemplo, “participa y gana”, o “podrías conseguir este iPhone 4 dándote de alta”, etc. El texto principal induce a pensar que uno va a conseguir un iPhone 4 gratis, directamente, y como dice el texto a la derecha, “AQUÍ”. El “Paso 1″ es introducir nuestro número de móvil, sin mencionar para qué exactamente, tan sólo añadiendo una casilla donde aceptamos haber leído los “términos y condiciones del servicio de suscripción”.

Se nos vuelve a engañar diciendo que se nos va a enviar un “código promocional” [2], que no es tal, sino el código que las operadoras necesitan para verificar que el usuario realmente ha querido darse de alta en el servicio de suscripción. Un alta en un servicio de suscripción tras el cual hay un sorteo no puede considerarse una promoción.

En la parte inferior [3] se pueden ver los logotipos de varias operadoras. Esto induce al engaño, ya que uno puede pensar que la “promoción” cuenta con la aprobación y respaldo de las operadoras. Nada indica que se trate, por ejemplo, de las operadoras compatibles con el servicio. Es igualmente ridículo el logotipo de “sello de confianza” de AESAM, que no es otra que la ‘Asociación Empresas Servicios a Móviles’ (si, sin “de”). Si realmente cumpliesen con las normas de dicha asociación, tendrían en cuenta los siguientes puntos de su código de conducta [PDF], página 9:

c. Llevar a conclusiones erróneas como consecuencia de información inexacta, ambigua, exagerada, incompleta o similares de la información comercial.

d. Contener información falsa, inexacta o caduca.

Igualmente, en la página 14, encontramos:

2. Cuando se trate de ofertas, concursos o juegos promocionales que incluyan descuentos, regalos, premios, etc., se deberá indicar a los usuarios de manera clara e inequívoca su identificación como tales y las condiciones de acceso y participación.

Es decir, que la palabra “sorteo” que aparece en letra pequeña, casi ilegible en un iPad, debería aparecer de forma “clara e inequívoca”. Para más inri, en la página 18, aparece:

- Deberá aparecer en el texto del anuncio la palabra SUSCRIPCIÓN (O SUSCRÍBETE), impresa en caracteres de un tamaño no inferior a 35,5 puntos.

En el caso que nos ocupa, el tamaño de la palabra “suscripción” es de 9px, o unos 7 puntos. 35,5 puntos corresponden a unos 46px. Hay una salvedad en el siguiente punto,

- En aquellos casos particulares en los que este tamaño resultara ser desproporcionado para las dimensiones totales de la inserción publicitaria, se admitirá un tamaño inferior, pero en todo caso deberá ser el 66% más grande que el logo del Proveedor cuyos servicios se publicitan.

que tampoco se cumple, ya que en primer lugar no hay ningún logo del proveedor, y si nos referimos a los logos de los operadores que aparecen, o al de AESAM, tampoco encontramos la palabra “suscripción” en un tamaño 66% más grande.

De todas maneras, la web de AESAM no es funcional, ya que los enlaces a los diferentes apartados no muestran ningún contenido, ni existe el formulario de denuncia que también mencionan en el código de conducta. Sinceramente, huele a tapadera para crear un “sello de calidad” sin ningún tipo de contenido ni validez.

Paso 2: confirme su adhesión al engaño

Si introducimos un número de móvil, veremos la siguiente página:

Ahora, nos hablan de un “código promocional”, y abajo, de un “password” [1] – en qué quedamos? Y por si el mensaje con dicho código se pierde, son tan amables de darnos una “Ultima recomendación”, indicando que podemos seguir con el proceso de alta enviando un SMS, sin necesidad de códigos promocionales. Hay que recordar que un máximo de 60 mensajes al mes, a 0,35€, son 21€ que tocaran pagar a aquellos que quieran un iPhone 4 “GRATIS”.

Por último, una última recomendación, ahora a los desarrolladores de las webs de Zed – comprueben la ortografía:

I am befuddled by how @Twitter can miss some blatant cases of spam accounts. So much that I have come close to conclude that these are paid accounts, thus won’t be removed no matter how much they are flagged and/or blocked. Here are some suggestions, based on what I have observed with spammers on Twitter, for spam-matching rules to improve the catch ratio. The accounts I use as examples have been hand-picked, so my points are open to interpretation, and could be way improved with data that Twitter has, such as tweet rate, number of spam flags and blocks, etc. These checks could be triggered in escalating order according to the number of users flagging an account for spam, as an example.

[Update] @Ed has replied to my tweet and part of this post:

I said “I have come close to conclude…”, not that they are paid accounts. But, it defies all logic how an account like @kredits can still be up and running after close to 64.000 (yes, that’s sixty-four thousand) spam tweets that break many of the rules/filters I have written about below. It is not a question of writing an algorithm for every variation, but a set of rules which give individual scores, and a minimum score to suspend an account. Basically, x-spam-score followed by an x-spam-status that determines account suspension, or lack thereof.

Follower to following ratio

Some spam accounts use aggressive follow techniques to try and spread their trash, and this gets reflected by auto-follow bots. The result are accounts with following/followed ratios close to one. Case examples: @Bqe1212 with a ratio of 1.01, or @vidalconsulting with 1.04. Others do not follow this approach, and only follow few accounts, for example, @kredits, with only 168 followers and following 49.

Tweet rate

One case I observed (the account is now suspended, so kudos there) had the particularity that tweets were pushed out every three minutes exactly. Twenty-four hours a day. This is something -very- easy to catch (and equally easy to defeat, but hey, some spammers are dumb).

Tweet content

We can split this check into various sub-checks:

1. Keywords

In the case of @jenlock1014, the word ‘money’ appears in almost every single tweet pushed out. The actual text of the tweets vary, as do the linked URLs, but the keyword is there. Other usual keywords are ‘free’, ‘cash’, and so on.

2. Linking the same URL

In some cases we see links to the same URL in every tweet, such as @Bqe1212, with tweets like:

http://twttr.me/dbxV Q&A: HOW CAN I MAKE MONEY FAST ON THE INTERNET FOR FREE!! NO …: by Chri… http://bit.ly/aJVi6Whttp://twttr.me/dbxV

and

http://twttr.me/dbxV How to Make Money Online With Online Writing Sites: There are many sites … http://bit.ly/cichxl http://twttr.me/dbxV

The target site’s linked short URL is different, but every tweet contains (two in this case!) copies of the same short link. Again, both tweets would also trigger rule #1 above for keywords.

3. Linking the same URL with differing URL shorteners

One technique often used is to spread the target link among various URL shorteners. This is the case of @kredits, which uses snurl.com, ej.uz, short.ie, bit.ly, and others, all of which redirect to the same final URL. A simple check, once an account is flagged for processing, is to follow all shortened URLs and look for patterns. For example:

• Exactly the same URL.
• Same host, same path, but varying query string (oft used to track sources).
• Same host, varying path, but same query string.
• Same host with both varying path and query string.
• Varying subdomains of the same host.

A combination of the above can be used to determine a spam score for a set of given URLs. An extra check when fuzzing techniques are used on the final URL is to parse the target site’s content, looking for similar headers, keywords, image URIs, Google Analytics account IDs, etc.

Reaction tweets™

Many times a spammer searches for certain keywords, and sends a reaction tweet when one is found. As an example, when I sent this reply to Ed Shahzade (@Ed) in reply to his tweet about auto-follower bots and spam, I received this other tweet from @atraiskredits:

@mikepuchol Problēmu var atrisināt ātrais kredīts? Izvērtēs kredīta piedāvājumu! Atver www.opencredit.lv un gaidi naudu savā kontā.

Obviously this is not English, and thus it was sent as a blind reply to my tweet mentioning @kredits without caring much about my original language, or wether I understand the content of the tweet.

On a flagged account, it should be very easy to check when response tweets are sent, by accumulating the words used in the original triggering tweets, and testing the occurrence of each word in all, or a high percentage, of them. As another case example, 10 minutes after @djsandman813 was sent this tweet by @kredits, and he replied this, @atraiskredits sent this reaction tweet. Screenshots below in case they go missing:

* OK “Reaction tweets” is not really trademarked, but maybe it should be!

Account aggregation

Spammers can try to avoid being flagged, or delay detection, by spreading their activity across multiple accounts. The way to detect this is to run a check among flagged accounts for the above filters, eg. catching various accounts all sending reaction tweets with the same short URL.

Account name

Many spammers are not too creative and simply throw random words and letters into the account name – this can also be an indicator of a spammer account.

Reaction flags

When a user receives a spam tweet, his initial reaction may usually be to block flag the sender as spam. An accumulation of such flags, particularly with other indicators such as single tweets towards a user followed by a flag (denoting not a conversation but a directed one-way message), should be enough to suspend an account.

What else?

I’m sure there are many other checks possible, but I have to get back to work – so, @delbius, do I get a job offer? Just kidding – was thinking of the guy who got offered a job at YouTube after writing ‘YouTube Instant’.

It should have been premonitory – while looking for other reviews or info on the upcoming AutoCAD for Mac OS release, I stumbled upon this post by Steve Johnson, owner of cad nauseam, in which he details why AutoCAD for Mac would be a bad idea. While I agreed with some of his views, as this has happened before countless times (case example: Skype, which took years to catch up still lacks behind in features and stability compared to its Windows version), I believed things wouldn’t be that bad.

It turns out there is a list of over 80 holes which Autodesk lists here. Steve has posted this in response, and we now even have an interview with Autodesk staff with money quotes such as:

It really does not make sense for us to implement features on the Mac platform that nobody’s going to use. So basically what the customers are asking for is that we are going to deliver. So like I mentioned before Mac users on the Architecture side shouldn’t notice much of a difference.

OK so you release a trimmed product with not-so-oft used features missing, but at the same price? That doesn’t really fly, no matter how you look at it.

San Rafael, we have a problem

My first reaction when I saw the activation window, right after installing AutoCAD on my Mac Pro, was “OMG they have transplanted the Windows version using Java”. It was SO ugly – in essence, a copy-paste of the Windows workflow into a Mac window, and I suspect they load the content as HTML from a server. Scrollbars? On a modal tool window?

This was before I had to activate the product, which required creating a whole new account, as my teacher login details would not work at all. Autodesk apparently “had no record” of my email address and password, so I had to go through the account creation once more, then finish the activation process, which takes a few more, totally unnecessary, steps. A simple “give us your product code and serial” followed by a “thank you for activating” is more than enough.

Once you fire up AutoCAD, you’re greeted by this splash screen:

which is not particularly informative, but still, shows something. The next thing you are greeted with, at least with the educational version, is this:

OK, so I am using an educational product, but you don’t need to keep reminding me of this fact every time I open a drawing done with a different version – a “don’t remind me again” checkbox is all it takes. The warning would be useful if it came up with drawings you made with a full AutoCAD version, given by others, etc. but it also shows up when creating a new drawing from one of the included templates!

Finally, expecting a normal drawing area, I was greeted by this (click for full size):

It almost reminded me of a BSOD. No matter what I did, I could not even get the cursor to appear in the drawing area, never mind actually draw something. The application was completely unusable. Creating a new drawing, from a template, blank – nothing worked, I either got the blue bars of death (BBOD) or a black drawing area into which everything was sucked into, a-la-black hole. No cursor, cross-hairs, nothing.

The next logical step was to open a drawing recently created using AutoCAD on Windows, and this came up:

I give up. I will try to install it on my MacBook Pro, and see what happens. If the problems reappear, I’ll go back to BootCamp or VMWare with the Windows version, which is fully-featured, stable, and usable. Nice and commendable work on bringing back AutoCAD to the Mac, but so far, it appears the bugs and missing features, even when they are fairly unused ones, are killing the product. Again.