FTC delivers major blow to spam facilitator ISP

A company, most prominently operating as Triple Fiber Networks (3fn.net), got a rude awakening from the FTC last Tuesday. http://www.ftc.gov/opa/2009/06/3fn.shtm. The data center was not shut down; their bandwidth providers were petitioned to turn off the "internet spigot," effectively leaving the servers running with no way to get to the rest of the digital world.

Turns out, the company is not only allowing/tolerating spam bots, child porn hosts and online scammers to operate from its datacenter, 3FN has been actively positioning and advertising themselves as a premium solution for such dirtbags. Their ads have been spotted on several identity theft and other community sites where "high-risk hosting" services may be sought. These guys were pretty seriously nasty, and it's nice to have them out of the game.

Here's the government filing PDF. Actually, not too heavy reading, and some very interesting little tidbits of information collected to get the court order to shut down. http://www.ftc.gov/os/caselist/0923148/0906043fncmpt.pdf

The other side of the coin is that this move seems to have shut down many legitimate sites. One example I can cite is: http://www.freesoftwaremagazine.com/columns/free_software_magazine_caught_3fn_shutdown_crossfire. Thankfully, it looks like they landed on their feet OK. I know of other companies, and indeed entire web hosting companies (legit ones - yes) whose sites were hosted through 3FN. Some of these legit business sites have been dark since Tuesday, as their owners seek to retrieve their data and quickly move the sites over to another host.

I'm not sure what the alternative was, and certainly "the perps" needed to be taken down suddenly and without detection, but I must wonder whether another substitute/temporary host could have been arranged beforehand to avoid the downtime for legit operators. The ingenuity and creative thinking involved in web sites these days always amazes me; seems like it could have been employed to help alleviate some of the pain.

The ne'er-do-wells will of course also move their sites, but if this move sends a message about what the US will tolerate to happen on our turf, this is a victory for the good guys. Overall, I think we've done more good than harm here.

9 Tips for running a better webinar

I'm on so many technical and business webinars, I thought I'd give my little Top 9 list of do's and don'ts for delivering one.

• Callers muted!! I cannot tell you how many times some goofball talking in the background, combined with the host's inability to isolate and/or remove that line has led to a completely ruined webinar.
• No phone bridge if you don't need one. If you don't need to have people talking, don't force them to call a phone number - deliver the audio online with the video and don't make people take that extra step. Some webinars I've been on will offer the phone bridge, but it's only for people who want to comment - fine. People can give themselves the option of calling in if they think they might need to chat, versus people like me who are always listeners-only with questions afterward offline. Unnecessarily requiring a phone bridge will lose some participants.
• Communicate beforehand. Remind them at least twice (one of which being within 2-4 hours of the start of the webinar). Can't tell you how many webinars I've casually signed up for and then never attended because I forgot and was never reminded, or only reminded once, days in advance and forgot the day-of.
• Communicate during. A good alternative to phone bridges is to just allow viewers to comment-and-question in a little chat box right in the viewer. The talker needs to have someone monitor this while they're speaking, otherwise they will miss questions.
• Communicate afterward. Webinars also *must* publish a replay. Basic stuff, but some do not. I missed the webinar, and now I get no info? We're all losers in that equation. Publish the replay, and make it easy to get to (no convoluted logins, please!).
• Keep the thread going. Either on the replay page (via a comments section), or in an actual billboard/forum-type posting area, allow people to anonymously (again - without &$%^#%# login requirements) comment on the webinar and discuss the topics. This gives the moderators the ability to easily publish answers to "I'll have to check on that" questions, and for offline-question-askers like me to ask and get answered.
• Slides work and applications transfer nicely. It's awkward having to divert our eyes from someone's half-naked son on their desktop background as they close their PowerPoint deck so they can move over to the video player. It's called a hyperlink - embed it in your PowerPoint slide, test it and use it. *Click* and you're playing video. Video finishes, and you're back on the slide deck. No half-naked sons.
• Time wasting. People either with their decks out of order ("This is someone else's slide deck that I'm using, so I'll skip around a little") or otherwise not able to deliver succinctly are wasting that time *multiplied by* the number of viewers on the webinar. This kind of behavior tells me this is not very important to you to get right . . . so it's probably not worth my time either!
• Have I mentioned no logins? You will probably have to require some kind of login or authenticating link, but then everything else should be free to do whatever without having to jump through more security hoops. You're providing information and mainly filtering out bots, not guarding Fort Knox. If you're collecting info for marketing purposes, do it as non-invasively as possible.

What does a LOST laptop cost?

Much has been made in the past 3-5 years regarding the attractiveness of laptops, and dwindling purchase cost premium over desktops. Laptops are more popular than ever. What people often forget is that there are higher costs of ownership in laptops, and one of those is the "risk cost" associated with having company data out there in the world.

Laptops are more easily broken or lost/stolen, and we have certainly found that they are FAR more likely to contain data that has not been backed-up. Laptops are on the network with the server less often, and when they are the users usually want to be 100% productive (won't understand the performance hit while their data synchronizes).

This combination of fragility/lose-ability of the systems, plus the "untethered" nature of the data makes for a very dangerous combination.

Here's a great article about the cost of a lost laptop. Some of it's probably exaggerated/overblown, but the fact remains that data security and backup are the biggest challenges when dealing with a laptop-mobile workforce.

Anatomy of an IT Debacle: Norm Coleman Campaign

As many in MN know, the Norm Coleman campaign had a pretty serious security breach, to the tune of exposing 40,000+ e-mail addresses and 4,500+ credit card numbers to any anonymous person on the internet.

This was not a case of a web site being forced-entry hacked. Rather, as the Mpls-based consultant who discovered it explains, the database was actually published - without any security layer at all - to their web server. It may have been a database backup and not live data, but the fact remains that irresponsible action - backing up a sensitive database in public view - by someone who (presumably) did not know what they were doing has jeopardized the personal information of tens of thousands of people.

The vulnerability was secured fairly shortly after it happened back in January, but it was open long enough for ne'er-do-wells to acquire the database and it has now been posted for download (with credit card numbers strategically scrubbed) on a site which shall remain nameless (shameless?).

This opens debate on another issue altogether. It's certainly not legal to publish an e-mail list that you gather yourself; why should posting someone else's data breach be any different? It's going to make a very bad situation into a complete nightmare for thousands of people, and it's disappointing to me that (apparently) no legal action has/can be taken to stop this posting. It's surely serving as a nice little source for a whole array of scam artists. I can't for the life of me figure out how it could be that now, almost two full days after the list was posted on the internet, the ISP of the poster has not been petitioned to take it down. I'm not on the list, but for those who are . . .

A place to park files online

In troubleshooting computer issues, I'm always looking for a place to quickly, simply "park" a file or two online.

A great service for this is found at www.drop.io. The things I like the best are that it's free (of course), and there is no login required. It just gives you a randomized URL when you drop your file on their site, and you just pull it up on the other end . . . and you're good to go. There are encryption and time-to-live settings as well, which is also cool.

How to: Automatically Receive Craigslist Search Updates by E-mail

Who doesn't love Craigslist . . . but it's a bit of a pain to check all the time if you're looking for something specific. Here's how to use a free service to receive the latest postings of whatever search you choose - by e-mail, automatically.

First, go to Craigslist and pull up the page of stuff that you want to be notified about. For instance, a search for "wii" in Mpls/St Paul is: http://minneapolis.craigslist.org/search/sss?query=wii. This is an RSS feed, so you can just subscribe directly to it in IE7 or Outlook 2007 if that's what you prefer.

If you're old-fashioned like me and want to actually receive e-mail the updates to this search every single day, go to http://www.feedblitz.com/ and sign up for a free account. Once you've got an account, go to Subscriptions, select New and paste the URL you copied from Craigslist.

That's it! (I believe Feedblitz e-mails send every day in the morning sometime.) Of course, you could do this to subscribe to any kind of feed you like, such as Astronomy Picture of the day, popular Diggs page, or whatever you like. Anyone have another cool application for this?

Did PayPal get hacked?

I very rarely use PayPal, especially the account I have set up for Foxtrot use. I had to get a used/old part for a server the other day, so I sucked it up and eBayed/PayPalled.

When I went in to use my PayPal account, what appeared to be a verification screen came up - IN CHINESE!

I could not figure out how to switch back to English, so I called PayPal. After quite an interesting jaunt through their phone customer service system, I finally got to a guy who was able to set my account back to English. I did indeed need to verify my account, so this was also "interesting."

I asked the customer service guy why my account would have been switched to Chinese, and without hesitation he said, "Because it was compromised." This was also the reason for the account verification. He suggested the possibility of a keylogger virus or something snagging my password as I entered it.

Then I logged in . . . and there was a balance there. This is very strange, as I rarely keep a balance. I investigated further, and saw four transactions for 10 Euros each, to Skype . . . and then four apparent refunds back into the PayPal account. This was the shyster's method for getting money out of my linked bank account and into "cash" in my Skype account, which presumably they would have wired to their e-mail address and PayPal account.

Apparently, PayPal caught wind of the shenanigans because they suspended the transactions and required a verification on the account. Once I verified the account, I was able to restore the money back to my bank account, so no money lost.

So, what happened? Was it a keylogger as the customer service guy suggested? I don't think so, because I have not logged into my PayPal account for at least 9 months, probably more like a year. Zero transactions this year up until this snafu.

Was it a good guess at my password? I just don't see it, as my password is kind of jibberish and not prone to being guessed. It should also be noted that my password was what I expected it to be, so it was not a guess at my verification info and a reset password.

It seems more likely that PayPal itself got hacked somehow. PayPal figured it out and suspended the accounts and the transactions before the ploy could unfold completely. There are lots of stories similar to this one out there on the net - most much worse. That's my theory . . . check your PayPal account.