Archives for "Internet and Society: 2006"

Don't Use Your Credit Card Online this Christmas

I participated in an Irish Internet Association debate this evening as part of the team that was cautioning against the use of credit cards online.

The debate was light-hearted and just a bit of fun. I probably wouldn't have chosen this argument but, when I researched it and thought about it, there are some pretty good reasons against using credit cards on the internet. What follows is, in essence, my speech:


First of all, I must confess that I have often used my credit card online. The first time I used it -- to buy a book from Amazon, about ten years ago -- I was worried about security. But, the transaction went smoothly, there were no negative repercussions, and so I continued to use my credit card online for several years after that ... up until last year.

Last year, I attended a seminar in London on internet security, hosted by representatives of each of the major online security companies - Symantec, Kaspersky and others.

The experts explained that we are currently experiencing a "Cambrian Explosion" in computer viruses, specifically in spyware and keystroke-logging viruses -- or "keyloggers". These are designed to stay hidden on your computer and record any personal information you type into websites -- such as credit card, banking or name and address details.

Modern viruses take advantage of your always-on broadband connection by downloading updates that ensure they stay one step ahead of anti-virus programmes, and by secretly "phoning home", passing your personal information onto their makers.

So who are their makers? We tend to think of hackers as spotty teenage nerds, working out of their bedrooms, creating viruses just for kicks. That stereotype may have been accurate ten years ago, but not anymore.

A lot has changed since I first made my Amazon purchase online. The internet has gone from a few million users back then to over a billion users today. Inevitably this growth has attracted organised crime. Today, spyware is funded by crime rings in developing countries, or former Eastern Bloc countries, who are counting on your false sense of security, relying on you to sit in front of your PC thinking, "I've done this a hundred times in the past -- it's bound to be secure."

But it's not only viruses that put you at risk. Many of my clients offer online shopping and credit card processing. Analysing their e-commerce solutions, we usually find that they have little understanding of security or best practices. And why should they? After all, they are small businesses with many other concerns.

Their online booking processes had many glaring holes that were putting both the businesses and their customers at risk. For example, one client was passing credit card details through the URLs of his website, which leaves them in browser histories, proxy and web server logs, and the Referer header sent to any site linked from the page -- effectively allowing them to be seen by other users. Others were taking the card details securely, but then storing them in online databases that weren't secure.

When I discovered this I decided to try something out: I entered my own credit card details into Google. No results. Phew. Then I entered the first 12 digits, leaving out the last four. This time I found some credit card details, along with the name and address of a man in Dublin. In fact, I found hundreds of other names, addresses and credit card details. I was looking at a hotel booking database that was so insecure you could find it through Google. The hotel owner was putting all his customers at risk.

I found that many others were taking credit card details online but processing them manually with hand-held machines -- sometimes they were emailing them to another person for processing. Sending credit card details via email is not secure. An email passes through several mail servers and network links on its way to its destination, normally as plain text, and it then sits readable in mailboxes and backups at both ends - that's how the internet works. Cyber-criminals monitor the traffic that passes through certain servers, looking in particular for credit card details.
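To make the URL leak concrete, here is an added example, not code from the original post or from any of the businesses described above. It scans Apache-style access log lines for card numbers that arrived in query strings, validates each candidate with the Luhn check so that order references and phone numbers are not reported, and masks what it finds so the report itself does not become another copy of the data. The log lines are constructed for the example and the two card numbers are the standard Visa and Mastercard test numbers, not real accounts.

```python
"""Find card numbers (PANs) leaked into a web server's access log via
URL query strings, and redact them. Added example with constructed data."""
import re
from typing import List, NamedTuple
from urllib.parse import unquote

# Constructed sample log, Apache combined format. Lines 1 and 4 carry a
# card number in the query string; line 2 carries a 16-digit order ref
# that fails Luhn; line 3 is the correct shape (POST, nothing in the URL).
LOG = """\
203.0.113.5 - - [12/Dec/2006:19:04:11 +0000] "GET /book.php?name=J+Smith&card=4111111111111111&exp=0908 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2006:19:05:02 +0000] "GET /order.php?ref=1234567890123456 HTTP/1.1" 200 210 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2006:19:06:30 +0000] "POST /book.php HTTP/1.1" 200 512 "https://example.test/book" "Mozilla/5.0"
203.0.113.5 - - [12/Dec/2006:19:07:45 +0000] "GET /book.php?card=5500%200000%200000%200004 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Runs of 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first 6 and last 4 digits, the usual receipt format."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class Hit(NamedTuple):
    lineno: int   # 1-based line number in the log
    masked: str   # masked PAN, safe to put in a report


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers (digits only) found in text.
    The text is URL-decoded first so %20-separated groups are caught."""
    found = []
    for m in PAN_RE.finditer(unquote(text)):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan_log(lines: List[str]) -> List[Hit]:
    """Report every line whose request carries a real-looking PAN."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for digits in find_pans(line):
            hits.append(Hit(n, mask(digits)))
    return hits


def redact_line(line: str) -> str:
    """Rewrite a (URL-decoded) log line with any Luhn-valid PAN masked."""
    def _sub(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_sub, unquote(line))


if __name__ == "__main__":
    for hit in scan_log(LOG.splitlines()):
        print(f"line {hit.lineno}: card number {hit.masked} in request URL")
```

The scanner reports lines 1 and 4 and ignores line 2, whose 16-digit order reference fails the Luhn check. The fix for the site is the shape of line 3: submit card fields with POST over HTTPS, never in the query string, and don't log request bodies; the redact function is for cleaning up logs that already contain the data.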

So, my advice is to avoid sending your credit card details via the internet, because you don't know who is lurking behind the ones and zeros, waiting to steal your money or, worse, waiting to steal your identity!


p.s. Our team won the debate!

Digg and the Internet Arms Race

Digg has recently changed its algorithm, making it harder for a story to reach the first page and thereby benefit from the resulting traffic spike.

From a Darwinian perspective, Digg's algorithm update is part of a co-evolutionary spurt whereby Digg is upping the stakes in the evolutionary arms race with Digg "parasites".

Online arms races -- accelerated growth involving mutual adaptation -- occur where individual webmasters benefit financially from a large, successful website or web service. In biological evolution, spurts occur in the co-evolution of parasites and hosts or other mutually dependent organisms. Consider, for example, the recent emergence of superbugs in response to the widespread human use of antibiotics.

The phenomenon of search engine optimisation is another co-evolutionary spurt. Realising the benefit of top 10 rankings, webmasters learned to game search engine algorithms, developing techniques such as stuffing keywords into murky corners of web pages, or writing programs that automatically added backlinks to guestbook pages or blog comments.

Search engines, particularly Google, responded by improving algorithms to filter out pages using such tricks, and by promoting preventative measures among web publishers (e.g. popularising the "nofollow" attribute in blog links). For every response, of course, there is a counter-response, particularly as the stakes get higher: Google and Yahoo depend on profits, while individual webmasters depend financially on their SEO strategies.

Each cat-and-mouse game ratchets up the complexity of the algorithm, and of the gaming strategies.

Another host-parasite symbiosis involving Google takes place with its Adwords/Adsense services. Here, Google battles against click fraud or, more recently, "Adwords Arbitrage" and Made-For-Adsense sites.

But the arms race is not confined to search engines. eBay has developed Bayesian responses to fraud techniques such as shill feedback, of which it identifies two types:

  • Shill feedback, defensive - Using secondary eBay User IDs or other eBay members to artificially raise the level of your own feedback.
  • Shill feedback, offensive - Using eBay User IDs or other eBay members to leave several negative comments for another user (commonly called feedback bombing).

"This is no different than the offline world -- the bad guys come up with more creative ways of doing things," says Rob Chestnut, vice president of rules, trust and safety at eBay (via eBay Strategies blog).

Speaking of Bayesian methods, let us not forget their most common online uses: to detect email spam, viruses and phishing attempts.
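As an added example, not part of the original post, here is a minimal naive Bayes text classifier of the kind used for spam filtering, trained on a handful of constructed messages. It also shows the counter-response the arms race produces: a spam message padded with words the filter associates with legitimate mail (often called Bayesian poisoning) can slip under the threshold. The training set and test messages are constructed; a real filter learns from thousands of messages.

```python
"""Minimal multinomial naive Bayes spam filter. Added example trained on a
constructed message set, not from the original post."""
import math
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

TOKEN_RE = re.compile(r"[a-z0-9$']+")

# Constructed training set (label, text); real filters use far more data.
TRAINING: List[Tuple[str, str]] = [
    ("win a free prize now claim your free money", "spam"),
    ("cheap viagra pills online order now", "spam"),
    ("you have won a lottery claim prize now", "spam"),
    ("free money click here now", "spam"),
    ("meeting tomorrow at ten please bring the report", "ham"),
    ("can you review the draft article before friday", "ham"),
    ("lunch on thursday with the team", "ham"),
    ("the quarterly report is attached", "ham"),
]


def tokenize(text: str) -> List[str]:
    return TOKEN_RE.findall(text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing."""

    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha                     # smoothing: unseen words are not fatal
        self.word_counts: Dict[str, Counter] = {}
        self.doc_counts: Counter = Counter()
        self.vocab: set = set()

    def train(self, samples: Iterable[Tuple[str, str]]) -> None:
        for text, label in samples:
            tokens = tokenize(text)
            self.doc_counts[label] += 1
            self.word_counts.setdefault(label, Counter()).update(tokens)
            self.vocab.update(tokens)

    def log_scores(self, text: str) -> Dict[str, float]:
        """log P(label) + sum of log P(token | label), per label."""
        total_docs = sum(self.doc_counts.values())
        scores = {}
        for label, counts in self.word_counts.items():
            score = math.log(self.doc_counts[label] / total_docs)
            denom = sum(counts.values()) + self.alpha * len(self.vocab)
            for tok in tokenize(text):
                score += math.log((counts[tok] + self.alpha) / denom)
            scores[label] = score
        return scores

    def spam_probability(self, text: str) -> float:
        """Normalise log scores into P(spam | text) without underflow."""
        scores = self.log_scores(text)
        top = max(scores.values())
        weights = {k: math.exp(v - top) for k, v in scores.items()}
        return weights.get("spam", 0.0) / sum(weights.values())

    def classify(self, text: str, threshold: float = 0.5) -> str:
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def build_filter() -> NaiveBayes:
    nb = NaiveBayes()
    nb.train(TRAINING)
    return nb


if __name__ == "__main__":
    nb = build_filter()
    for msg in ("claim your free prize now",
                "please review the report before the meeting",
                "free prize in the meeting report"):
        print(f"{nb.spam_probability(msg):.3f}  {nb.classify(msg):4}  {msg}")
```

The third message is the arms-race move: "free prize" alone scores as spam, but padding it with "the meeting report" drags P(spam) well under 0.5, because those words only ever appeared in legitimate mail. The filter's counter-move is more training data and better features (phrases, header analysis), and so the cycle continues.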

I recently wrote about how spyware and malware authors -- motivated by the lure of financial gain -- are creating more and more sophisticated social engineering techniques, which antivirus companies are struggling to counter.

So who will win these internet arms races? Well, most of them will continue in a prolonged stalemate of increasing complexity. After all, if the "Digg spammers" win, Digg would become useless, and the Digg spammers would have no raison d'être.

Online Advertising Will Get Sneakier

Scott Karp is annoyed. In the online world, he argues, advertisements should be clearly distinguished as such:

The definitions should be clear and simple. It's an "ad" if someone paid for it. If anyone looking at whatever the thing is -- a blog post, video, text link, whatever -- can't tell it's an ad, that's deception.

And I agree with him - in principle. In reality, however, I don't think advertisers will call this deception.

Unlike other media, web users can - and do - choose to ignore most of the advertisements surrounding web content. This trend is only going to continue.

Consider the case of Firefox users ignoring ads. In my experience those who use Firefox are typically "savvy" web users. Eventually of course - when the generation that has grown up with the internet represents the majority of its user base - we will all be savvy users.

Another dilemma for advertisers is the shift from "push" to "pull". With the exception of some exceedingly annoying Flash interstitials, online ads aren't shoved down our throats. Rather, they try to entice us to another site (where, presumably, the advertised wares will be shoved down our throats).

Think advertisers are going to sit idly by and watch continued audience migration to online media, without putting up a fight? Of course not. Advertising will adapt to these new, harsh conditions. Search-related advertising is one example of that. Text-only links - or "gentle" adverts - are another.

But these adaptations alone will not be enough. Economics will not allow it. Just as product placement is now an integral part of the film and television industry, so too will the rate of surreptitious advertising increase in the online world - regardless of how unethical we consider it to be.

In the meantime, expect more secretly-sponsored blog posts, "authentic fan of product x / pop group y/ movie z" sites, advertisement links masquerading as editorial links, link-creating tools that are barely distinguishable from malware, and so on.

Simple Tricks for Strong Passwords

Have you been using the same passwords for years? Do you use the same usernames and passwords for lots of different accounts - e.g. email, PayPal, etc.? Or perhaps you use one password for accounts that you really don't want anyone to access, and another password for accounts that you're not as concerned about?

Think these are good strategies for keeping your accounts secure? Think again! But I'd wager you're in good company.

A few years ago, I conducted an online experiment. Since I'd become reasonably good at SEO (it was easier back then!), I got a web page to show up near the top of Google's results for phrases such as "check any email account".

The page was spartan in style, with two input boxes, followed by a submit button. The two prompts were:

  • Enter your full email address
  • Enter your password

Within a few days, almost a hundred people had given me the usernames and passwords for their online email accounts - and probably more, since people use the same usernames/passwords for all sorts of things.

Since my experiment wasn't very ethical (to say the least), I discontinued it once it had validated my hunch - that many internet users are naive about security risks. Lucky for them I'm not a real hacker, huh?

Admittedly, I do not update my passwords as regularly as I should. I have a lot of username/password combinations to remember, and worry about adding to this load.

Sidebar: Ever worry about taking passwords to the grave?

Anyway, Lauren Simonds offers some excellent mnemonic techniques for creating strong passwords. Now I have no excuse for not updating my passwords. And I'm going to update them.


Spyware, Malware and Social Engineering

Where is the most internet-related innovation at the moment?

Rich Internet Applications, some say. User-generated content, say others. Meta-search, social networking sites, blogging, voice-over-IP and podcasting are other contenders.

Cutesy technologies they may be, but sometimes the internet's innovation comes from underground sources. Pop-up windows(!), peer-to-peer file sharing and (more recently) BitTorrent owe a lot to hackers - and the pornography industry.

Today, malware is arguably growing and evolving faster than any other internet-related technology. I base this on nothing other than my personal experience, some scant research, and an event I attended in London last year, where I listened to representatives of each of the main anti-virus companies.

What I learned at that conference was that the people who create viruses are no longer teenage hackers, trying to show the world how smart they are. Rather, today's virus creators are criminals motivated by profit.

Many do not regard themselves as criminals of course, but as Robin Hood type characters. This is particularly true when they are based in societies that they perceive to be suffering at the hands of the wealthy West. Not that that's much comfort to you if your bank account has been raided.

Sidebar: Watch this BBC News clip of Nigerians getting busted for spam, and the reaction of the community around them.

So, these virus creators are motivated by profit. They are after your bank details, your passwords, or anything that will allow them to create "identity theft" (e.g. by accessing your emails, they may potentially be able to send instructions on your behalf, make payments from your PayPal account, etc.).

Rather than searching for an exploit in your system that will cause your computer to crash, today's virus writers manipulate you in order to get their creations onto your computer, where they remain hidden, lurking silently, gathering information, downloading sibling viruses, and "phoning home".

Virus authors regard you as the weakest link in the security of your computer/internet accounts. It has long been a maxim of the security industry that it is much easier to get an individual to divulge a password than it is to programmatically try and discover that password. Thus, spyware/malware authors are confidence tricksters, employing social engineering techniques.

Their attacks are becoming much more targeted, regionalised and customised. Take a look, for example, at this highly personalised example of phishing recently reported to Kaspersky.

Digital invaders are no longer simply attached to emails. They are disguised as MPEG or MP3 files, then downloaded from websites or leeched from peer-to-peer networks; they are encoded in JPEGs; distributed by hidden ActiveX controls in web pages (particularly porn or warez sites, used as lures). In WiFi infrastructure, computer viruses have become airborne.

Trusting the source isn't enough - reputable providers can do little about the mathematical impossibility of a computer program detecting 100% of all viruses (Fred Cohen showed in the 1980s that deciding whether an arbitrary program is viral is undecidable).

Thus McDonald's (trustworthy to the last, ahem) unwittingly distributed a nasty trojan in 10,000 free MP3 players it gave away to Japanese competition winners.

So how do you protect yourself? Install a good antivirus program, right? Hmmm... it's better to install a combination of solutions - antivirus, a firewall, prompt patching and an unprivileged user account for everyday use - since each covers gaps in the others. Even then, successful malware may disable anti-virus systems, and/or stop them from updating online, and/or fool you into thinking that your anti-virus software is nonetheless working perfectly.

Just as society must accept that terrorism will never go away, we have to accept that viruses are something we simply have to deal with. Stay vigilant about what the spyware authors are ultimately after. As Authentium puts it:

So many times people think that simply disinfecting a file is sufficient to handle a virus incident. This is no longer the case. You really have to start thinking about which passwords were stolen, what bank accounts and credit cards were compromised and what proprietary and/or personal information was stolen.

How to Make Zillions Online

Time magazine has a nice story about companies who are trying to get bought out - just like YouTube did.

During the dotcom bubble of the late 1990s, garage innovators could peddle imaginary businesses in initial public offerings. If an idea seemed as if it might make money someday (remember that was good enough. Today's upstarts are more fully formed and are often led by wealthy veterans of the first boom.

True, but few of those dotcom boom companies bothered writing a business plan either - or making a profit for that matter. That's why the dotcom crash happened.

Okay, so Google didn't envisage that its revenue would come primarily from advertising, but the start-up attracted investment because its founders had clearly "built a better mousetrap", and it earned significant revenue from licensing its search technology.

I agree that it's different this time around. Investors are more prudent. Start-ups are encouraged to create "servucts" on a shoestring budget, not by burning capital. But coming up with the right recipe and making it happen - that's the truly difficult part, and it has a lot to do with self-belief.

Personally, I'm always suspicious of those entrepreneurs whose intention from the start is to have their company bought. But hey, what do I know?

Social Media Optimisation (SMO)

Five or six years ago, when Google was emerging as "the next big thing" on the internet, I had many conversations with Gerald Adams of Vision Consulting about the importance of being listed high in Google search results.

As Gerald used to put it, "where you show up" in Google was becoming crucial. We weren't the only people to understand this; soon search engine optimisation (SEO) was born.

Gerald and I also discussed the importance of "where you show up on other websites". This related practice has finally got a name too - social media optimisation (SMO).

For a phrase that was coined only a few months ago (in a blog entry by Rohit Bhargava), the SMO meme is spreading rapidly; already it has a wikipedia entry.

Bhargava lists 5 rules of social media optimisation, and commenters have weighed in with more suggested rules. Expect to see "SMO skills" appearing in web marketing job advertisements soon.

BBC Archives (Finally) Go Live

One of the most commented posts I've ever published here at Mediajunk was a story that broke in August 2003 about the BBC. Apparently, the Beeb was about to launch its vast archive collection free on the web.

The comments, bizarrely, were all from people looking for a copy of "Futtock's End", apparently a one-off show that starred the late Ronnie Barker.

Well, it's taken two and a half years, but today we've finally seen the first few archives go online. Check out

Who knows -- you may even find Futtock's End?

Mediajunk is No Longer Updated

Visit Michael Heraghty's current blog at User Journeys


Mediajunk was Michael Heraghty's blog from 2002 to 2010, with articles on usability, UX, SEO, web design, online marketing, etc.