A mixed bag of cool

Let’s try something different. Posting the newsletter. This was the TalkBiz News issue for November 16, 2015.

Lots of cool tools, new courses, and useful tips in this one. New income streams, security notes, video schtuff, lead generation, and more.

And it’s not 10 pages long, like the last one. 😉

After that issue, the few folks who replied almost all said it would be better to have stuff like that one in PDF format. So, that’s how I’ll finish it. I’ll let you know when it’s ready.

I wasn’t surprised at the small response. That’s what you get when you drop a question at the end of a 5500-word email on a subject that only appeals to maybe 20% of your readers. (Another good reason to do those in PDF.)

First tip: One lady mentioned that her browser rendered the text in very small print. If you run into that online, hold down the CTRL key and tap the + sign. That enlarges the display, making it easier to read on-screen. To go back to normal, tap CTRL and 0 (zero).

Great for blogs and the like that use tiny type faces.

….

Alice Seba and Ron Douglas have another training system out. This one, called “Content Cash Flow,” is about turning your writing skills into a regular business by creating and selling PLR content.

Alice has over 20,000 customers for a site where she does this. So, there’s a major clue behind the thing.

I’ve personally bought a ton of PLR graphics, templates, and software. There’s money in the PLR business if you can create good content.

This one is a definite “check it out” if you can write decently. It can be an extra income stream, or a whole business by itself. And the teacher really knows her stuff.

http://talkbiz.net/plrbiz

By the way… Don’t confuse that with my course with a similar name. Very different material.

….

Some of you know I’m a big fan of open source software. (I’ve never liked proprietary file formats.)

Open Office and the GIMP are pretty well known. The audio geeks have all heard about Audacity. This week, though, I was pointed to something I hadn’t seen before. A free, open source video editor that rocks.

It’s called Shotcut.

You can download it at http://talkbiz.net/opensourcevideo

Ray Dale, the guy who pointed it out to me, has a course on it, along with some extra graphics and audio that you can use with the program. The course is free, and contains 6 videos to walk you through the process of creating and editing your own videos.

That’s at http://talkbiz.net/shotcuttraining

Ray also hosts a Facebook group (also free) to help people get things going with Shotcut.

Definitely rates “Cool Tool” status.

….

One of the things that can cut into your responses from online content is the difficulty in getting people who like it to get in touch with you. Mostly because they don’t remember how once they’ve left the page.

Ray has a cool product to solve that problem. Called “Tube Caller,” it shows you how to put a ‘click to call’ button on your YouTube videos. When someone watches your video and wants to get in touch, all they have to do is tap a button on the screen and the phone dials you directly.

The applications for this are pretty broad. If you’d benefit from more phone leads, this one’s for you.

I’d probably use it a bit differently. I have a phone number that is used just for people to leave me messages, and it would be fun to post that link to videos or even blog posts. I can check the messages via the phone or online, and download them as audio files.

Cool way to collect testimonials or suggestions. Or funny stories.

Yes, it can be used on any page. Setting it up on YouTube isn’t a really obvious thing, which is why there’s a course. Once you know how, it can be used on other types of pages. Like, for example, for restaurant reservations, consulting interviews, catalog sites, and more.

http://talkbiz.net/tubecaller

Classic “one problem, one solution” product. Nicely done.

….

WordPress Notes: If you use the BulletProof Security or Fast Secure Forms plug-ins on your blog, update them. There have been security flaws discovered – and fixed – in them recently.

While you’re at it, you should probably update all those other plug-ins that have been waiting. But do a back-up first. Just in case.

….

I got tired of all the bogus registrations and spam comments, so I went looking for something to stop them. Tried a few, and settled on “Anti-Spam by CleanTalk.” Made sure it didn’t conflict with anything on the blog, and signed up for the year’s membership.

Best $8 I’ll spend on WordPress this month, I think. Stopped them cold. Over 1000 attempts blocked in the first week.

….

After I moved my sites recently, I discovered the link tracker I’d been using wouldn’t work with their system. So, I looked into a few. Been trying out Pretty Link Lite for the past few days, and it’s working nicely. As soon as I’m sure it won’t conflict with the security stuff on my blog, I’ll be upgrading to Pro.

It’s the simplest WP plug-in I’ve installed in a long time. Upload it, activate it, and go. Video tutorials linked right in the dashboard.

Pretty Link is how I get those short links with sensible names, rather than long, ugly links, or using a public redirect service that hands my tracking data to some third party. Or, in the case of bit.ly, to any random stranger who’s curious.

Seriously. If you want to see the stats on a bit.ly redirect, just put a plus sign at the end and visit the link. All is revealed, to anyone who wants to see it.

And people wonder why I keep this stuff in-house.

You can find these in the WordPress plug-in collection. Or just search for them through the Install New Plugin page in your WordPress dashboard.

….

For you Android users… You may want to keep your phone “open” so you can make phone calls and get to your camera without needing to unlock the phone. Still, it’s likely you have some apps that you want to keep protected.

For this, you want an app locker. Be careful, though. The most popular, called simply “App Lock,” triggered all sorts of security alerts from my phone.

I found another one called “Smart App Lock.” This is handy. You set a code and then choose which apps you want to lock. You can use it “as is,” or set it up to look like the apps crashed when someone tries to access them. (Yes, there’s an easy way to get past that part, but you still need the unlock code.)

You can also set it to take a picture of anyone who tries to unlock it and gets the code wrong. Nice way to see who’s messing with your phone.

And, if you have your phone set to automatically upload photos to an online account, it’s a good way to get pictures if someone finds or steals your phone and tries to get into the things you want kept private. You know. Like banking or email or text messages. Or your social media accounts.

Whatever you want, it will lock.

That one’s free in the Google Play store.

….

Lots here to help you protect your online assets and build more of them.

If you want more leads from your sites and videos, check out Ray’s TubeCaller course, at http://talkbiz.net/tubecaller

And, if you write well and want to add a serious extra income stream or start a business based on that, don’t forget to grab a copy of Alice and Ron’s latest, “Content Cash Flow.”

You can get that here: http://talkbiz.net/plrbiz

Good stuff, all the way around.

Enjoy!

Paul

….

Find the newsletter handy? Stop by the Pub and buy me a beer. http://buy-paul-a-beer.com

Affiliate disclaimer: You should assume that the sender of this email has some sort of relationship with the sellers of products linked to from the email. This means they may receive compensation if you click on links and buy stuff, sign up for a list, or do other things once you get there.

Take any recommendations with whatever amount of salt you deem appropriate.

“Anyone who tells you you can succeed without work is probably trying to sell you something that won’t.”

So, that’s what a recent issue looked like. To subscribe and get them all as they come out, along with some cool welcome aboard gifts, go to http://talkbiz.com – and welcome aboard!

Big Brother’s little helper – Hacking Team

This is the (so far) 3-part TalkBiz News series on the recent explosive Hacking Team revelations.

Part 1 – “Who Hacks the Hackers?” – July 6

In what may be the scariest story on digital security since the hacking of systems to spy on the international community’s discussions with Iran over its nuclear program, a firm called “Hacking Team” has been hacked. In a big way.

The firm sells tools to governments to spy on their citizens, even when they’re using encrypted communications.

According to early reports, these tools allow anyone who has them to break into virtually any mobile device. There seems to be no country the firm won’t sell to, regardless of their record of abuses.

The 400 gigabytes of data stolen from the firm and released to the public includes source code.

Wired has a good summary of the story, at:

http://talkbiz.com/needtoknow/hackershacked

They don’t really get into the potential security issues down the road, as the story focuses more on the Snowden-like implications of the disclosure. It’s also difficult to know just how dangerous that source code might be in the wrong hands without knowing exactly what was released.

400 gigs is a lot to go through, and the leak only appears to have happened last evening (Sunday, July 5).

….

The worst case scenarios are pretty bad. As in, security nightmares for hundreds of millions of people. Depending on what’s in there, we could soon have random hackers gaining access to spy systems installed and operated by governments. Or the digital creeps could use that code to bring botnets and identity theft to a whole new level.

It’s likely we’ll see companies using the code and/or the contacts to expand their industrial espionage systems.

Small-scale tools could easily come out of this, too. It may well be another source for “spy on your spouse/ex/kids/employees” malware.

Given the degree of control over remote devices that is implied in the stories I’ve read so far on it, this is way beyond just tracking locations.

….

Of course, sunshine doesn’t always mean a burn. As Justice Brandeis remarked, “Sunlight is said to be the best of disinfectants.”

It is possible that security firms like Kaspersky could use that code to find ways to remove or block Hacking Team’s tools, and governments which are responsive to their citizens could face huge backlash against this level of spying. Given the timing, that seems to be the likely goal of the release.

The political fallout is almost guaranteed to be significant. As for the implications for individuals and companies, a lot will depend on that code.

I’ll be keeping an eye on this story, and will update you as more information makes its way out from security analysts and bleary-eyed coders.

This could become very interesting.

Part 2 – “Freaking Team” – July 8

Hacking Team, the company that sells the literal spyware that I mentioned last issue, is freaking out. I suspect their customers are, too.

According to Motherboard, they’re telling all the countries and spy agencies they’ve sold it to that they need to shut the software down, completely.

It also appears the various entities who bought the product, called Galileo, got “watermarked” copies. That could make it possible to tell which agencies were tracking which people or groups.

This has the potential to be more politically and diplomatically explosive than Edward Snowden’s leaked documents.

….

Digital spying and crippled encryption is among the most important civil rights issues facing people throughout the world right now. Hopefully, this kind of leak will create enough backlash to get things moving back in the right direction for a while.

I can imagine the chaos in some spy circles at the moment. And as far as Hacking Team… As Bruce Schneier put it, “It’s one thing to have dissatisfied customers. It’s another to have dissatisfied customers with death squads.”

Or, to paraphrase Jerry Lee Lewis, “There’s a whole lotta freaking going on.”

Further bulletins as events warrant.

Part 3 – “More on Hacking Team” – July 15

There’s bad news and good news on the fallout from the release of all those files stolen from surveillance software firm Hacking Team.

The bad news: So far, the discoveries include 3 zero-day exploits in Adobe’s Flash software, 1 in Windows Internet Explorer, and 1 in the Windows kernel. These were previously unpublished, which means they were exploitable until after these files were stolen and released.

Of those, fixes have been rolled out for all but the 3rd Flash exploit, as of this writing. One assumes that last one will be patched soon. So, update Flash and install any Windows updates that may be waiting. The relevant Windows patch was released July 14th.

The IE bug was nasty. It allowed for remote code execution, which opens vulnerable machines to all sorts of nasty abuses, including drive-by downloading and installation of malware.

The Flash bugs were the last straw for some folks. Firefox and Chrome both changed their default settings to disable the Flash plugins. You have to explicitly change those to make it work without intervention on a case-by-case basis. Alternatively, you can leave it off, and allow individual Flash elements (like videos) to play when you’re confident of the source.

I’ve left it turned off and found very little that I really wanted to see enough to enable it even on a one-time basis. It’s interesting to see how many ads use Flash, though.

The new security chief at Facebook wants Adobe to set a date to kill Flash once and for all. He, like many people in the field of digital security, has gotten tired of the incessant flow of critical vulnerabilities in the software.

I can’t disagree. I’ve had to update Flash for security reasons more than any software I’ve ever used. Well, except for Windows, but that’s a lot more complex than just Flash.

….

That kind of industry pressure is part of the good news, as is the patching of all those gaps.

More good news comes in the fact that anti-virus/security software companies are said to be modifying their products to detect and remove the Hacking Team code. Nothing definitive yet, but that’s not surprising. Lots of stuff to go through.

Back on the bad news front, it seems HT also developed and sold a BIOS-based rootkit. It is said to require physical access to a device to install it, but once it’s there, it stays. You can’t even get rid of it by swapping in a brand new blank hard drive.

You’d have to re-flash the BIOS to remove it. And how many people are going to know that’s an option, much less understand how to do it? (Added: It’s also not uncommon to brick a machine in the process of flashing the BIOS.)

The network-savvy will find it scary that Hacking Team, in conjunction with the Italian government, also used a BGP hijack to recover access to some of the targets they lost when their spammer-friendly hosting service went down.

That’s dangerous in all sorts of ways.

….

The political issues involved in having the kind of surreptitious access to someone’s computers that this stuff allows are serious. Those are fodder for a later discussion, though. They boil down to how far you trust a given government.

On a more practical note, you need to stay aware of these things as you go through your digital routines. This software allows tracking someone through pretty much any sort of security. As an example, the FBI wanted to use it to identify someone through a Tor connection, and were told that, with certain conditions being met, they could do so. (One hopes they had a warrant for that…)

And these kinds of exploits allow for planting files on remote machines. Yep, just like in the movies, where the target’s computer is seeded with phony evidence, and all traces of the real source eliminated.

Can you say phr4m3d?

….

Governments aren’t the only ones who might want to use this kind of “feature.” If you operate a WordPress site, you already know this, since you’ve probably had hackers drop files on your server without permission. The same goes if you’ve ever had a computer infected with malware.

The worst is the stuff that turns your machine into a torrent node. You have no clue what kind of illegal trash might be getting routed through your system when that happens, and you may well be legally responsible for all of it.

An interesting aspect of this story is the degree to which these folks rely on social engineering to get their software onto the targets’ machines. The approaches range from blunt tactics like crude spams to more long-term trust development through fake personas.

In the end, though, it seems the most productive methods involved exploiting the end user, rather than just technological weaknesses.

Apparently, their customer in Azerbaijan had a hard time wrapping his head around that concept. 😉

….

On the good news front, it seems each governmental customer got a copy of the software that was traceable to them. So, with the spreadsheets in the released file dump and a copy of the software, you can see a lot about who’s tracking whom.

Well, that’s not good news if you’re a legitimate LEO going after a genuine terrorist. It is if you’re a reporter or political activist who’s being tracked by a government hostile to free speech or dissent, though.

….

Now, let’s shift gears for a minute. We’ve been talking about governments having this kind of ability. What about private entities?

What if someone could track every move you make, listen in to all of your phone conversations and much of the chatter in your home or office, and turn on your webcam or the camera on your phone any time they wanted?

Let’s call the main “secret agents” in this trend Siri, Cortana, Alexa, and … Google.

No, I’m not suggesting that Apple, Microsoft, Amazon, or Google are eavesdropping on everything you say. Just that they could. Those voice-activated helper apps have to be listening all the time to know when to activate, after all.

And they’re only one good hack away from being hijacked by not-so-benevolent critters. A much more serious concern, I think.

Some of the apps that are available for phones and tablets can do all of what I just described and much more. And I don’t give them anywhere near the benefit of the doubt I’d give Apple or Amazon. Some of them are pure malware in games’ clothing.

Look at the permissions before you install anything. And, if you’re using an Android system, install DCentral1 and check the permissions of apps you’ve already installed.

If you use Apple products and only download from the iTunes store you’re probably okay, as far as that end of things goes.

Android is a whole other kettle of fish.

….

Back to the Hacking Team stuff.

The really good news is that this has helped push more attention to the use of digital espionage by governments. Hitting at the same time as the push by various western spy agencies to cripple encryption, this may help make folks more aware of just how widespread data surveillance has become.

The UK is on the verge of simply criminalizing the use of strong encryption by private citizens. Prime Minister Cameron seems to have no clue the damage his policies would do to legitimate businesses and individuals.

The US agencies are taking a more nuanced tack. They’re trying to get the various services involved to leave them back doors and access to encryption keys. Same damage potential as the Cameron approach, just less clumsy.

These folks should look into the encryption wars of the 90s. This fight has already been done, and the “no secrets” crowd lost. And that’s back when there were a whole lot fewer people involved, and a lot less at stake.

And it’s not just the Good Guys who’re watching.

To give you a hint of the kinds of problems all this digital tracking can create without you knowing, consider…

“An Apple a Day Keeps No-one Away”

According to Virgin Radio Toronto, your iPhone may be a serious threat to your safety and privacy. Nifty feature called “Frequent locations” that most people don’t know about.

They give the following instructions to find it:

“Go to Settings, Privacy, and Location Services. Then go to System Services and find the Frequent Locations menu. There, you will see your home address and basically anywhere you’ve been recently, from malls to restaurants to your friends’ houses.”

Click on one of those items. It shows your home address, when you arrived at the specific location, and how long you stayed. And, if you use some geo-tracking systems on your phone, the person holding it could even tell how you travelled to get there.

For some folks this won’t matter. For others, it might be a huge deal. And some of us object purely on the principle of the thing.

If you don’t want anyone being able to see your every move just by getting hold of your phone, here’s how you fix that.

Under the Frequent Locations menu, clear the history and just turn the option off.

Simple, no?

Another landmine in the digital terrain avoided.

….

I may get into some of the reasons law-abiding people should care about this in an upcoming issue. In the meantime, just be more aware of what’s going on with your portable devices, eh?

And don’t make public posts on Facebook announcing when you’re going to be on vacation away from home.

Just sayin’.

This series originally appeared in TalkBiz News. To subscribe (it’s free) visit http://talkbiz.com

“Honey, have you seen my computer?”

Like most geeks, when I look at changes in electronic gadgets, I can be momentarily fascinated by the tech behind them. Once the “Oooo, shiny!” factor wears off, though, I spend time thinking about what they mean for real people. You know… folks who use them to actually Do Stuff.

“How will this change what we do and how we do it?”

You see the push to more powerful and portable devices everywhere. Phones get bigger and computers get smaller. You can now buy a fully functional computer that’s smaller than a standard mouse.

Called “PCs-on-a-stick,” they’re somewhat barebones computers that plug into the HDMI port on a monitor or TV. They’re designed to use local software, remote apps, and cloud storage.

Intel has the Compute Stick ($149 US for Windows, $89 for Linux). Microsoft just announced the Splendo (by iBall), a $140 Windows unit that will be released in India in July. Dell has the Wyse Cloud Connect ($129). Google has the Chromebit, at under $100.

Paired with a bluetooth keyboard and mouse, these critters are going to change the way a lot of people think about computers. The current Splendo version runs Windows 8.1, has 2 gigs of RAM, and 32 gigs of internal storage. More importantly, it also offers a MicroSD card slot and USB port.

The power in these beasts is increasing dramatically, both in terms of hardware and apps. Combine that with the drop in the price of microSD cards ($25 for a 64 gig Sandisk card at Amazon, and $80 for 128 gigs), and these are no longer just toys for the easily distracted.

They are the future of portable computing, especially for business travellers.

You won’t be using these for heavy gaming or video editing any time real soon, but you can do almost anything else on them that the typical user needs. And the price pretty much guarantees a lot of people will pick one up just to see what they’re all about.

All you really need along with them is a display with an HDMI port and a bluetooth keyboard. You can bet they’ll also work with Roku-style remotes and game controllers soon, if they don’t already.

Know those back-of-the-seat screens you can get to let your kids watch videos while you drive? Add an HDMI port to each and you’ve room for two (or more) computers in the car.

Hotels that offer business service offices? Won’t need those separate areas any more. The rooms will have monitors, or just cables leading to the HDMI ports on the TVs, so you can access them in private. Not a huge change, you might think, but consider not having to carry a laptop when you travel. Your computer will be on your keychain.

Doing presentations? Add a bluetooth remote to the keychain. No need to worry about which OS the display uses.

Consider the educational applications, especially in bulk and using an open source OS. Add in digital versions of the textbooks and required software and issue them on microSD cards. Imagine how much this could save school districts.

Homework can be submitted and graded digitally. Or automatically, in some cases. Forget your homework? Log in to whichever cloud storage account you use, and voila! You’re good to go.

They’d be so cheap there’d be no real incentive to steal them, unlike laptops. The keyboards would cost more than the computers.

Backpacks would be a whole lot lighter, too.

….

Unless Microsoft drops the price on their mobile OS, these things will tend toward Android and Linux distributions. That means a whole lot of people using those systems where they used to learn Windows or Mac.

I definitely see these accelerating the move from proprietary operating systems to more open source stuff.

I can also see them adding some phrases to the language that you wouldn’t expect to hear today.

“Honey, have you seen my computer?”

Digital Insecurities

No, this is not about who hangs with the coolest kids on Facebook or has the biggest social media klout. (Seriously? Does anyone believe Klout scores mean anything?)

It’s not even about those late-night drunk texts, although you really should stop that.

Think of it as a minor rant in a major key, and it’s all about digital security. Or, more precisely, the lack thereof.

Doesn’t really exist, folks.

I know. You’ve heard some of this before. Some of it you haven’t, and I don’t want to leave out the newer visitors.

Plus, there’s a really good chance you didn’t do anything about it the first dozen times around.

….

I’ve been thinking about this one for a while. The thing that pushed me into writing it is a private message I got yesterday. Seems the dude got himself on one of the Spamhaus blocklists and wanted some help.

Ooops.

So, I called him up. After explaining to him that no, the Spamhaus folks really aren’t horrible people (not the words he used, but this is a family friendly rant), we got to the specifics. His WordPress site was hacked and the creeps sent 100,000+ spams through it.

Well, yeah. They’re supposed to block that. Fix the hack and the block will expire automatically. 3 days without more spam and you should be good to go.

It should be mentioned that nothing online is 100% secure. It’s just not possible. That said, this gentleman is running a fairly large operation that sends millions of legit emails each month, and it was based on an unsecured WordPress installation.

That’s just begging for a spanking.

When this happens to you, don’t panic. Fix the problem, and don’t send mail to your lists until after the block expires. That way you won’t lose a ton of subscribers to the hard bounces it will generate.

In the meantime, secure that puppy. Back up the site, all files and the database. Then install Bulletproof Security or Wordfence. (If you use BPS, make sure the installer is well clued, or you can bork things in an ugly way.) Make sure your choice of plugin doesn’t break your themes or other functionality.

If your operation is larger, consider using Sucuri. It’s a paid service, and it’s a bit easier for the technically challenged. I’m told it’s also lighter on server resources.

And have a system that makes backups of the whole blog on a regular basis. That way, when the digital rats find a way through your security maze, you won’t lose everything.

Yes, it’s a pain. So are locks on your house and car.

You’ve got locks, right?

….

Moving on…

If you use Lastpass, you may want to change your master password. Yes, they got hacked.

Again, don’t panic. From what they say, no user accounts or data were compromised. The odds of the hackers getting access to anything based on what they stole are low. The people at Lastpass are just showing an abundance of caution, which we like to see in a security operation.

They could teach the US government a thing or two.

You’ve probably heard that the Office of Personnel Management, overseen by the DHS, was hacked. Somewhere between 4 and 14 million records of government employees and contractors were “exfiltrated.”

That’s spook-speak for “stolen.”

As it turns out, the crooks (believed to be agents of the Chinese government) had valid credentials, so even encryption wouldn’t have kept them out.

What would have stopped them in their tracks is 2-factor authentication of logins. You know… like Facebook and Paypal and even Gmail offer.

The absence of any sort of serious security on those systems allowed a foreign government to pull data on millions of people, many of whom have high security clearances. In fact, some of the most potentially damaging stuff was the huge collection of files involving applications for security ratings.

If you’re familiar with those investigations, you know just how in-depth these things go, and how thoroughly they dig for any and all dirt there may be on you. Including legit stuff that you just don’t want broadcast to world+dog.

In short: If there’s anything that could be used to embarrass or blackmail you, it’s in there.

That makes this potentially the most damaging national security threat ever to come from a cyberattack.

And it could have been prevented by basic measures that you can get on a Gmail account or your personal blog.

Department of Homeland “Security,” indeed.

….

The lessons for us…

Don’t assume anyone is handling your data in the way you’d like. Even people whose job is to keep things secure.

If an account is important to you and offers 2-factor authentication, consider using it. It’s not that inconvenient. In most cases for consumers, it just means getting a text message or email confirmation each time you access an account from a new machine or IP address.

If it’s only your data involved, you can make whatever decision you think fits your risk tolerance. If you’re handling sensitive data that belongs to other people, though, take every precaution available to you to protect it.

That’s what you’d want others to do for you, right?

….

It’s not just the Bad Guys who pose a threat, either. The US government is pushing hard for social media, cell phone companies, and app providers to leave them “back doors” to gather data. They’re also objecting to the use of strong encryption in consumer products.

Let’s stay away from the whole conspiracy theory thing, and look at the more likely source of problems if they get their way on these issues. It’s really pretty simple.

If there’s a back door, the bad guys will find and exploit it. And if encryption is weak or non-existent, that puts everyone at greater risk.

You don’t need to be paranoid to know that’s a problem.

….

Conspiracy theories aren’t always wrong, by the way. A good example is the recent hack of Kaspersky, the security software giant.

Again, it doesn’t appear to pose any threat to their customers, so if you’re using a Kaspersky product you don’t need to panic. The interesting thing here is more who’s behind the hack than what effect it might have on you personally.

It’s a fascinating story. Leaving out the technical bits, it boils down to this: The attack uses code with clear ties to Stuxnet, the malware the US and Israel used to attack Iran’s nuclear program in 2010. Kaspersky calls this version Duqu 2.

The same malware was used to spy on the current discussions with Iran about limiting their nuclear program, and on people involved with the 70th anniversary event celebrating the liberation of Auschwitz.

The analysts at Kaspersky Labs are confident that an attack of this complexity and expense could only be launched and maintained by a nation-state.

Kaspersky does not attribute the malware to any specific country, but the implications of the data that has been released all point to one place: Israel.

That’s hardly a proven assumption, of course. Still, one can see their interest in 2 of those 3 targets. If I were them, I’d certainly want to keep an eye on such things. They’re legitimate national security interests.

You don’t have to like it, but you can’t help but understand it.

What concerns me is a government – any government – doing things that can compromise legitimate players in the digital security industry. That could expose companies and individuals across the world to unnecessary and unpredictable risks.

Including their own citizens.

For the record, I don’t put this kind of thing beyond the will of any country with the necessary resources. Or, for that matter, any number of major transnational companies.

And that’s really the point. There are many entities in the world with the technical capacity and a direct interest in defeating or circumventing security software.

Too many to assume some won’t succeed.

….

Another interesting thing about the Kaspersky hack is the way they got in to begin with. It appears that a non-technical employee got a very targeted email that got them to visit a site which dropped malware on their machine. From there, it was relatively easy to spread to the rest of their network.

The lesson in this one is obvious: Be careful about which sites you visit on the web, and what files you open that come in via email.

You’ve heard the last part a lot, I’d bet. Most people don’t know, though, that it’s possible to get your machine compromised just by visiting a web page. Or, in some cases, by visiting a known and legitimate website with a malware-enabled ad.

Yep. Google “malware Yahoo ads” (without the quotes) for the details, if you’re interested in how that works. If you just want the down and dirty, it’s this: Any page that hosts 3rd party ads can potentially be a source of “drive by” malware infections.

That’s pretty much every major site on the net.

Ain’t that just ducky?

….

The lesson? Update everything, all the time. If your browser, OS, Java, Flash player, or any other component says there’s a security update, install it.

One special note: If you visit a site and get a notification that you need to update the Flash player, go to Adobe.com and look for the link manually. Don’t do it through a pop-up at a website. That’s a common ruse to get you to install malware under cover of updating legitimate components.

For that matter, don’t ever believe any website pop-up with a security warning.

The very first thing I do every day when I sit down at my computer is a live update of my security software. It’s set to auto-update through the day, but when I start surfing I want to know I’ve got the very latest available.

Nothing is 100%, but you can stack the odds heavily in your favor. Doesn’t take much effort, either.

….

In a mildly amusing security breach, the St Louis Cardinals are being investigated by the FBI for allegedly hacking the systems of the Houston Astros.

The scenario: One of the key management staff that helped bring the Cards to their current dominant status went over to the Astros, and has made similarly spectacular moves for them. The Cards supposedly went in to get trade and scouting intelligence, assuming it would give them an edge.

Not an unreasonable assumption on their part. Illegal, yeah. Unsportsmanlike, certainly. If true.

It’s more often the case that the person who leaves will take intelligence with them which can potentially endanger the original firm’s data or systems. When someone leaves, make sure any passwords or other access they had are changed to lock them out. Even if you trust them, you may not know what they might have leaked unknowingly.

It’s just good practice.

If you hire someone away from a competitor, be sure their passwords don’t come with them. They’re likely to use the same ones as at the old place, because that’s what people do.

When it comes to security in businesses, people are often the weakest link. Disgruntled employees or staff that want to make a few extra bucks can do you as much damage as any hacker.

….

The real point here is that you need to develop a security mindset. Never assume anything is secure, and be aware of the risks you may be taking with each action.

This applies to everything. Even the seemingly small stuff.

As an example, I have a friend who used a “swipe” pattern to unlock his cellphone. It was the number 4, which anyone could see every time he unlocked it. He did that about once every 10 minutes, most days.

He broke up with his girlfriend, and she didn’t take the news well. She did take his phone, though. The next day, a whole lot of very nasty comments appeared on his Facebook account, directed at many of his friends.

Guess who?

As you might imagine, that took some ‘splainin’.

I’m not going to tell you to keep your phone locked so your spouse or other family members can’t get at it. That’s a decision you have to make, based on your situation.

Even if you trust someone completely, though, there may be other factors. Like, for example, how careful they’re likely to be about not letting anyone else get that access.

Just be very clear with yourself which decision you’re making, and why.

And don’t go snooping around other people’s phones. If you feel the need to do that, you have bigger problems than data security.

….

In the “I would never have imagined” category, consider that somewhere around 600 million Samsung phones can be turned into remote bugging devices because of a vulnerability in their keyboards.

Yep. From the Galaxy S4 to the S6.

Because of the extremely broad permissions a keyboard has to have, this gives an attacker powerful access to almost all the phone’s functions.

They don’t all have problems, mind you, even if they’re vulnerable. They have to be actively hacked, which happens under specific circumstances while the keyboard app is updated.

Samsung has sent the fix to the various service providers, but it’s unknown how many of them have distributed it to their customers.

Gotta love it, eh?

….

Want to scare yourself? If you use an Android phone or tablet, go to the Play store and install an app called Dcentral1. (It’s safe.) Do a scan on your device using it, and watch how many apps come up with scores well into the red.

Tap on the ones with scores above 40, and look at the permissions involved. Sometimes, as with a multi-function app like Viber or Skype, those make sense. They’re needed for the app to do what it was advertised to do.

Some won’t make any sense at all. There is no reason for a photo editor to need access to your microphone, for example.

You won’t run into too many of these sorts of permissions abuses through the Apple store. Google Play is another story. And if you start sideloading apps on any platform you’re pretty much on your own.

Developing a security mindset doesn’t mean you need to be paranoid. It does mean, though, that you’re aware of the potential of the devices and systems you use. That smartphone in your pocket is a capable computer, with the ability to be used as a remote camera, an eavesdropping system, a personal location tracker, and much more.

With reasonable precautions, it’s a powerful tool. If you’re careless, it’s a window someone can use to see nearly everything you do and much of what you think.

….

Another concern is not mixing your personal and business stuff in the same accounts. That’s way too easy to do with all the proprietary services that come bundled with a phone or tablet.

Separate storage, requiring that you enter the passwords manually each time you access it, if possible. Dropbox allows this. You can use a Dropbox account on your home computer and not even install the app until/unless there’s a real reason to access it through your phone.

Or you can do what I do. Have one Dropbox account for stuff you use on the phone, and another for more important (and secure) long-term backups and project storage. That gives you the best of both worlds.

Losing your phone should not involve compromising your employer’s data, or your customers’ personal information.

That’s a security mindset.

….

The security mindset has another component. As far as possible, don’t create data on any network-connected device that you wouldn’t want “out there.”

The most recent example is Google’s revised Photos app. It’s great, as long as you’re aware of the risks. That data, along with anything you store at any other Google service, is available to anyone who manages to get that one single password.

Something like the iTunes hack that ended up revealing all those revealing celebrity photos is just the tip of the iceberg. You probably don’t need to worry about that. But there are other concerns, like who has access to those pics of your kids at school, or snapshots that could reveal info you don’t want strangers to have.

Or the crazy ex who steals your phone.

….

By this point, some people are getting paranoid. Others are thinking, “Cool. Some useful stuff I didn’t know.” A few are yawning, because they knew all this already.

The goal isn’t to scare you. It’s to show you that, despite the fact that there is no such thing as guaranteed digital security, you can reduce your risks to a manageable level. It doesn’t have to be expensive or involve a lot of technical knowledge.

Unless you’re a big target, the business risks are largely restricted to random attacks that are easily defeated. WordPress hacking, email attachments, and wi-fi snooping are the big ones there.

Risks from people you know are a different story. Not a problem at all for most folks, and easily deflected by good passwords for most others.

Just be aware, and be careful out there.

7 Easy, High-impact ways to leverage your content

Adding THUD to an offer is one way to get more results from your work. Another, and often easier, way is to leverage your content. The main ways to do that are to increase distribution and to repurpose what you’ve written, recorded, or licensed.

There’s some overlap, but we’re going to focus this time around on 7 specific things you can do to repurpose your content. Some will be familiar, and have a few twists you may not have considered. Others will be new to a lot of people.

They all work. Let’s start with the short form…

Twitterize It: If your content contains high-impact quotes or strong section headlines that will fit in around 120 characters, use those as Tweets. Essentially teasers to attract people to the web page where they can read the content.

I say 120 because Twitter seems now to only include part of a URL in measuring the length of a Tweet.

2 examples so far from this article might be:

“Winning the Content Wars: Get maximum leverage from your… [url here]”

That one talks to a somewhat general group, but is specific enough to sort down to content creators. Because it’s targeted to that group, the unfinished second part adds curiosity without being a blind ad.

“7 easy, high-impact ways to leverage your writing [URL here]”

This one is very straightforward. It talks to a clearly defined group (writers) and promises an easy-to-understand benefit. The specific number makes the “high-impact” part more credible. And everyone loves techniques that are “easy.”

Not very creative stuff, but it works. If you have a flair for quotable lines, that can make this a more productive technique. Use those quotes in your Tweets. If the content they point to is good, you’ll find people retweeting them.

This is an excellent way to practice your subject line writing, too. Tweets that get clicks and retweets should be saved to a “This worked” file. Over time, you’ll start to see patterns that you can emulate in future Tweets and email subjects.

If you use benefit-laden text, they can also show you what your audience is most interested in.

Really productive Tweets can even be used as the basis for the primary text of banner ads.

Exploding Bullets: This is a great trick for developing promotional content that has high value and will generate targeted traffic.

The concept is simple. Take a small but significant point from your product and expand it into an article. Explain some of the nuances you might have left out of the product, or give examples to show how to use the ideas in a practical way.

An example from this article would be the idea of using productive Tweets to design banner ads. You could talk about the standards for measuring it, layouts for the banners, what goes into a popular Tweet, or how to increase the chances of retweets.

That’s at least four possible articles from one short sentence. You can probably find dozens of similar opportunities in a typical product. They will all be attractive to your market, and are likely to generate only very targeted traffic.

For another twist on this, look at your sales letter. Every bullet point in it is a likely prospect for this strategy. Even if you explain the concept fully in the product, a new article, phrased in different ways or from another perspective, can be useful.

There’s an added benefit that should be obvious. All that content serves to expand the product itself in future versions.

Checkpoints, Charlie: Everybody loves checklists. Clear, point by point outlines of what you need to do or have to accomplish something in a practical way.

Almost every bit of content that suggests a course of action could be the basis for a checklist.

There’s a benefit to using checklists as content that doesn’t get discussed a lot. Because they involve specific actions, people picture themselves doing what’s described. If the picture they form involves fun or real results, they’re more likely to view the product the content points to as offering the same.

If visitors arrive at your sales page in a results-focused and action-based mode, they’re much more likely to read the whole thing and do something about it. Like, for example, buy stuff.

That’s always nice.

Map the Minefield: This is one of the most underused content strategies around. It’s especially useful when talking about alternative tools or techniques.

When you talk with people about ways to get something done, tell them the potential problems. Things to avoid, why a strategy can backfire if you do (or don’t do) certain things, what shortcomings various tools have, etc.

You might stay with “Stuff newbies should avoid” or go into more advanced questions. That will depend on your desired audience. Just tell them what could create problems, why, what the consequences would be, and how to avoid them if possible.

The only thing people like more than curing a headache is preventing one. And, if you know the common pitfalls, there’s a really good chance you’re going to stop them from making a mistake they were actively considering.

If they’ve already made that mistake, you’ve done wonders for your credibility with something like this. They know, from personal experience, that you know what you’re talking about.

Not only is this useful, it’s the sort of thing a lot of people tend to leave out of their products. We think that telling people what they should do will isolate them from all the bad ideas. Anyone who’s observed any niche or market for long knows… the new folks all tend to make the same mistakes, have the same bad ideas about what will work, and see the same time-wasting “shortcuts that aren’t.”

The trick to getting mileage from this is to give them the specific advice mentioned above, but to offer them alternatives with a more positive result. Then point them to your product for even more ways to get things done without the hassles.

That’s major marketing mojo.

Be Resource-ful: Similar to checklists, a list of recommended resources, carefully chosen and picked for results, is another very popular type of content.

Combined with the “minefield notice,” these things can go viral, and they’re simple to create. The thing that makes them work best is when they’re complete. That doesn’t mean they list every resource available, of course. Just that they include at least one good resource for every step in the process they’re intended to help with.

Be specific about which step each item is meant for, and why you chose it, and you’ve got something that people will value. You’ve just saved them the time spent looking things up and trying them all out. You’ve helped them avoid mistakes and pointless expense. And you’ve shortened the time to getting results, often by a lot.

Done right, these things are gold.

Tell Me a Story: Stories are powerful. They can teach a lesson without preaching, make complex concepts easy to grasp, and bring home the consequences of actions in ways that have real impact.

You have thousands of stories that could illustrate your ideas in entertaining and thought-provoking ways. Use them.

As an example, here’s a true story I use in my creativity course.

I was sitting in a restaurant one day, working on the outline for this book. The waitress, a freshman at a local college, was complaining about several kids who had ‘pushed by’ her on their way ‘in’ through the ‘out’ door.

“How rude,” she said.

Later, she came back with coffee and asked what I was writing. I told her it was a book on some creativity exercises I had developed. She told me that she didn’t have a creative bone in her body.

I hear that a lot.

I bet her I could prove, right then and there, that she was extremely creative. She laughed and asked me how much I wanted to lose.

I asked her about the people who’d gone rushing past her the wrong way through the door that morning. The conversation went like this:

Me: “Do you know any of them?”

Her: “No. I don’t hang with people like that.”

Me: “Like what?”

Her: “Rude and pushy.”

Me: “Did they bump into you, or say anything on the way by?”

Her: “No, they just laughed.”

Me: “At you?”

Her: “No, they didn’t even notice me!”

Me: “You probably figured out just what they were like, too, didn’t you? Just as soon as they did that.”

Her: “Oh yeah.”

Me: “You know what those kind of people will do, pretty much all the time, don’t you? You probably even know why most of them are like that.”

Her: “OH YEAH! Spoiled little rich kids. They’re all over campus.”

Me: “Did any of that go through your mind as they pushed by?”

Her: “Now that you mention it, it all did.”

Me: “See how creative you are?”

Her: (Confused) “What do you mean?”

Me: “It only took you three seconds, start to finish, to invent three complete human beings!”

That punchline set up the rest of the chapter the story started. It works because we all do what she did. And we’ve all been on the receiving end of that kind of wrong assumption. Most of us never stop to think about just how it happened.

That’s the key to one sort of effective story. If it has that “been there, done that” feel, it works.

Don’t have a story? Invent one.

There’s nothing wrong with fictional stories, as long as you don’t present them as facts to support a sale. It’s all in how you start them out. You could begin with “Imagine you’re at the mall and…” or “Suppose you were talking with someone and the conversation went like this,” or “What if…?”

Describe the fictional scenario as though it really happened. Use active words and create a clear picture. Then finish with something like, “If that happened to you, what would you do, say or think?”

These kinds of stories can add a lot of impact, especially if they’re believable and consistent with common experience.

Here’s an advanced trick for the writers in the crowd: Choose your set-up line based on what point you want to make.

“Imagine” puts the person in an experiential mode. They will see themselves in the setting and feel what they’d feel if it happened to them.

“Suppose” sets the stage for an analytical process.

“What if” leads to more of a choice or reaction frame of mind.

These are what I call “leaners.” They’re not absolutes, and the effect they have is strengthened or lessened by the words that follow. They are good ways to start out, though, and they’re common enough openings that people know what you’re getting at.

More to the point, they make it clear these aren’t true stories. If they illustrate common problems or situations, the person will relate to them anyway.

A real advantage to invented stories is that you can make them a perfect fit for the point you want to make. That’s not always the case with real life examples. The true ones have more impact, but may not always cover every base.

Here’s a tip for the less experienced writers: Don’t overdo it. You don’t need to be extreme to make your point, unless the real-world consequences would be that extreme.

If you’re trying to explain or teach something, the person reading or hearing your story has to find it believable or you’ve just wasted your time and theirs.

If you’re going to stray outside the real world results, do it by understatement. An intelligent person can fill in the more extreme blanks on their own.

Even the most mundane principles or techniques can be illustrated by stories. And there’s no limit to the imagination, so they can be focused around almost any part of your products.

The “two guys” approach is especially effective for using this as a promotional tool. Start with “Guy one does X, Y, and Z, and fails utterly.” Follow up with “Guy 2 does A, B, and C and gets these amazing results.”

If you think stories are just for fun products, consider: The Wall Street Journal used the “two guys” approach to sell a huge number of subscriptions.

Stories are powerful.

Graphic Violence: Hammer the net with graphics. But make them GOOD graphics.

One example that’s easy is to take a quotable part of your product and turn it into a Facebook graphic. Post it on the page your content is on, and then post the link to Facebook. If the quote is shareable by itself, that means more traffic. If the article it links to supports the quote and people feel it says something about them, that increases the odds it will be shared.

If it’s an action-based quote, you may get some traction just by including the URL at the bottom of the image. That’s not as solid a source of visitors, but it may be worth doing just for branding.

You can also post these images to a Facebook page and share them on your timeline to drive traffic to the page.

You can post them to Twitter or Pinterest, use them on your blog to set the stage for a post, or add them to sales letters to focus attention and break up the monotony of long swaths of text.


A really popular format these days is the infographic.

These are huge images. They make their point using statistics and quotes about business models, industry trends, social changes, or pretty much anything else.

People seem to love these. They’re more likely to visit sites mentioned in them than in any other image type. (Or so their promoters claim.) They take a bit more design skill to create, but they can be worth the effort if your topic lends itself to statistical explanation.


Images that tell a story or promote a point of view can go absolutely nuts on social media.

One that I saw yesterday was a photo of an elderly woman who had allegedly been beaten by an 18-year old kid who got a reduced sentence despite this. Problem is, that image was a fake. That didn’t stop it from being shared over a quarter of a million times.

Someone took a Photoshopped image, posted it to their Facebook page, and hit the traffic jackpot.

I don’t recommend faking situations, especially like that. It takes “graphic” to an extreme level. The lesson in this one is that tapping into emotional responses is a powerful way to get attention in social media. So, what is there about your product, or the problem it solves, that people feel strongly about? Tap into that. It works.

Get graphic, get traffic.

By the way… If I turned just this section into an article or report, that last line would be a great example of Twitterizing content.

Promo Power-Up: This is a bonus tip that can more than double the results you get from the other ideas here.

Take the leverage points you’ve created using any or all of these ideas and offer them to your affiliates as sales tools.

Let them repost the articles and stories, with their affiliate links in the call to action. Give them the images or Tweets, with instructions on linking properly to get credit for sales. Give them the stories to post on their blogs or Facebook pages.

Put those checklists and resource lists in text, html, and PDF format, and let your affiliates brand them and give them away. Or offer them as subscription bonuses, and make sure your affiliates get credit for what their visitors buy after they sign up.

If the content is good, you’ve just set everyone up for a win.


The thing to keep in mind here is that most of this doesn’t take much time at all. You may not be good at graphic design, but that’s only one tactic. The rest is just taking what you already know and have written about and framing it in different ways.

This is, in some ways, a marketing extension of the “THUD” principle. Combine these ideas with adding THUD to your offers, and watch what happens.

Why change to HTML mail?

Why the shift to HTML mail after 17 years of plain text? Sometimes you just get dragged into the present, despite your best intentions…

I did one of my occasional romps through the unsubscribe folder recently and found two reasons that accounted for around 90% of the unsubscribes.

Think like a creep

One of the regulars at Paul’s Pub (my little Facebook group for marketers) read the post here from the other day, titled “How scared should you be?” It’s about taking a common sense view of online security, and mentioned an article from the Times which stated that Russian hackers had collected 1.2 billion username/password combinations.

The poster looked at the huge number of credentials the thieves had gathered and suggested “you’d have more chance of catching AIDS off a nun than anything happening to your website.”

Apparently our colorful correspondent has not yet learned to think like a creep.


First, let’s keep in mind that the guys who stole those log-in pairs have access to a botnet. That’s a large group of computers that belong to other people, which are infected with malware that lets the crooks use their systems without the owners knowing it.

Your machine might be one of them.

Even a modest network of 10,000 zombied machines gives them a lot of computing power and distributed IPs. According to the article in the Times, they managed to grab credentials from 420,000 sites, so dismissing a task as being too large seems a bit hasty.

1.2 billion log-in pairs. In that, they have 500 million email addresses. One assumes the rest are username/password combos, or a combination of all three.

Let’s look at the records that include email addresses, and think like a creep. How could we use that info?

To start with, there are probably duplicate addresses in the list. If I were the kind of person to play this game, I’d sort on those and look for duplicate addresses that used the same password at more than one site. They probably use the same password everywhere. So, that’s a good bet for checking out possible financial and shopping accounts. Paypal, Amazon, banks local to them, etc.

If the SQL dumps they got all this data from include IPs, it wouldn’t be hard to find the most likely local banks. And they probably have bots in the network that are in the same geographic areas.

No need to be tripping alarms, eh?


Next, I’d generate a list of the most commonly used passwords. With over a billion in hand, they’ve probably got an authoritative sample. To do this step, you’d really only need to start with a few million records, which a fast computer could do in a lot less time than you might think. We’re talking hours, if that. Possibly minutes.

Then you just run through the master list in batches.

I’d look for accounts that used one of the top 20 or 50 passwords (depending on how simple they are) and sort them to a separate file. People who use simple passwords are reasonably likely to use the same one at many places.

Same potential for criminal joy as above.

Note that none of this is rocket science. You don’t need to be an evil genius to do it. Just evil.


The previous scenarios are only of concern to people who use weak passwords, or re-use them at multiple sites. Now we get into the more annoying “everyone’s a target” stuff.

I’d get a list of the 500 or 1000 most commonly visited sites in the database (same simple process as above) and look through that. Might be some gems in there for an enterprising villain.

Hard to guess what, since we don’t know which sites were compromised in this attack, but the Times did say they included “household names” and “Fortune 500 companies.”

I’d also search the domains and usernames based on high-value keywords. More potential gold in them thar ills.

Come to think of it, I’d start by sorting out every record with the username “admin.” Gotta be a few thousand of those, right?

Oh, the places you’d go.


I’d also look into categorizing those top sites by interest and segmenting them into separate lists for “targeted bulk email deployment.” (read: spam.)

No need to send the stuff yourself, of course. There are plenty of spammers happy to buy that kind of tinsel.

Then there’s the potential in selling the log-ins to link spammers. How would you feel if you went to a favorite site and discovered your account had been used to spam porn links or some other NSFW nonsense in a parenting forum?

Why yes. Yes, they would.


According to Hold Security, the firm that discovered this, the folks who assembled this access goldmine are currently only using it to send contract spam on social networks. Even if that’s all they ever plan to do with it themselves, there’s a good chance they won’t ignore the extra dosh to be made in selling it. And there are people out there who would do everything I’ve outlined here, and things I probably haven’t even heard of, without a moment’s hesitation.

There is a market for all that data. If the people who stole it decide to push the cash flow, it will end up being sold at least once. Some of it a lot more.

And, being the upright citizens you’d expect buyers of this sort of information to be, they’ll sell it on again. As often as they can get people to pay.

Feelin’ all warm and fuzzy yet?


So, why hasn’t Hold Security announced the list of sites that were hacked?

Well, for starters, that would create chaos. Chaos is usually not a helpful thing to add to a security snafu. That starts rumors and misinformation, and all manner of other Bad Stuff.

As a rule, it’s better to notify the affected companies, and it appears an effort to do that is under way. They can take measures to pre-empt further breaches and misuse of the data without panicking people unduly.

Again, it’s just social network spam at this point. A nuisance, but generally not all that devastating. (There are exceptions, but that’s a story for another time.)

That being the case, I believe a quiet heads up where possible is the most responsible course of action.

Edited Sept 2, 2014, to add: This is no longer true. Some collection of creeps is currently trying to use these credential pairs to get access to hosting and/or domain registration accounts at Namecheap.

Namecheap is the only one publicly mentioning this and warning their customers. If they aren’t already hitting other hosts and/or registrars, they will be soon.

For the sites they can’t contact the owners of, I might think about sending emails warning people that their passwords had been compromised. That’s a course fraught with its own perils, though. Especially since a villainous critter who has that data could be sending their own emails and using a man in the middle attack to be sure they had the new access info. For some sites, that might be a profitable approach.

And you can be pretty sure a lot of people would accuse the person warning them of being the ones who stole the data in the first place.

They might also face significant liability if people reacted badly in ways that affected the firms from which the data was stolen. You can bet a lot of lawyers have made good coin advising on this sort of situation.


Back to you.

Bottom line is, there’s a pretty good chance one or more of your log-ins is included in that archive. If you use simple passwords or re-use them at more than one site, I’d do a few things, really quick. First, I’d do as complete a scan of my computer as possible, to reduce the odds that the creeps are already on your system. Second, I’d start changing the important passwords. Now.

Third, I would be absolutely certain none of my email addresses used the same password I used anywhere else. If thieves get the password to an email address you have linked to any important accounts, they can get into all of them.

Password reminder is not always your friend.


The point of this isn’t really to be a security tutorial, though. It’s to suggest that dismissing the risks in situations you aren’t familiar with isn’t generally a good idea. Advising others to ignore them is even less good, as plans go.

Especially if you haven’t learned to think like a creep.

How scared should you be?

There’s no question about it. The Internet has more than its share of scumbags, lowlifes, and general miscreants. And boy, do they get press.

The New York Times recently ran a story about a small Russian group that has collected the log-in credentials for 1.2 billion accounts at various sites and services online. There’s an app running around that promises to let you change the colors on your Facebook page, but really just loads malware onto your phone if you enable it. Target was hacked to the tune of 40 million customer credit cards. And Coco the WarKitteh is mapping vulnerable wifi systems in people’s homes.

We’ll get to that last one soon enough.


Some of these scares are exaggerated to attract media coverage. Others are highlighted to sell products.

For example, while I was writing this, I got an email with the subject line, “Malware Has Been Found on Your Site.”

(Ooops. Got a second copy – both spam – minutes later.)

As someone who’s seen a fair number of those about a server with domains I host for friends, I take that seriously. Turns out, it was a pitch for a piece of security software for websites.

I have no problem with pitching security software. It’s a valuable type of product, when it works. Certainly a good hedge against the damage a hack can do. I don’t object to scary subject lines, either, if they’re legit.

That one crossed over into deceptive, though. Hardly surprising for a spam, but still…

I have no doubt it got a lot of people to open the email. This is an area people are justly concerned about. And there are plenty of folks who are willing to exploit that.

Sometimes, though, the threat is less real than the fear.


The Target breach got plenty of press. Based on what I’ve read, they used “less than adequate” systems for protecting customer data. Fortunately, there are already safeguards in place to deal with that kind of problem. Gonna cost Target a bunch, but hey, when you’re that big, you need to always consider yourself a … well … a target.

Since no other personal info was involved, the damage per individual is mostly limited to $50 or less. The 1.2 billion username/password collection is much less clear.

The credentials were supposedly collected by hitting a ton of websites using a hack called SQL injection. It can cause vulnerable systems to spit out the entire contents of the database being attacked. Out there in front of Dog and everybody, ripe for the picking.

The attacks appear to have been carried out by zombied machines. That is, computers used by innocent people who weren’t aware their hardware had turned criminal.

Maybe even yours.

The firm that discovered this database hasn’t revealed which sites were compromised. Seems they ran the gamut from very small systems to big companies. It’s also not clear what percentage of the passwords involved were unencrypted or easily decrypted.

The interesting question that should really concern you is, why would hackers bother with credentials for tiny mom-and-pop websites?

Two words: Password re-use.

It’s fairly common for people to use the same password for multiple log-ins. If the virtual snakes get hold of one, they’ve got them all. And believe it, it doesn’t take a lot of fancy programming to test those combos at banks, Paypal, Amazon, and other places you don’t want them getting into.

Even more of a problem… If they test the password on the email account you use for other accounts and it works, they can access anything connected to it by using the password reminder system.

At the moment, the crew that stole that batch is only known to be using them for spamming. That could change at any time. There’s a huge black market out there for that kind of data.

There is no way to guarantee you won’t be affected by something like this, but you can reduce the odds and the risk significantly. Try not to use the same email address for every account, and don’t ever use the same password for more than one site.

And use strong passwords.

This doesn’t have to be as big a problem as most people make it out to be. It can be easy to create strong passwords that are easily remembered. Consider the following sentence:

This blog is dedicated to my 1958 Chevy!

As a password, that translates into Tbidtm1958C!

12 characters, mixed case letters, numbers, and a punctuation mark. Very strong. And you could keep a file of those (or just handwritten notes), and no-one would be likely to guess the purpose.

Simple. And it works.
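As an added example, not code from the newsletter, here is the sentence-to-password rule above written out in Python, along with a check of the character mix the text counts. The function names and the 12-character threshold are my own choices, picked to match the worked example.

```python
import string

# Added example: derive a password from a memorable sentence the way the
# article does (first letter of each word, numbers kept whole, trailing
# punctuation kept), then report the properties the article counts.


def mnemonic_password(sentence: str) -> str:
    """Turn "This blog is dedicated to my 1958 Chevy!" into "Tbidtm1958C!"."""
    out = []
    for word in sentence.split():
        # Separate the word from any punctuation stuck to its end.
        core = word.rstrip(string.punctuation)
        trailing = word[len(core):]
        if not core:            # a bare punctuation token such as "-"
            continue
        if core.isdigit():      # keep numbers whole: "1958" -> "1958"
            out.append(core)
        else:                   # otherwise keep the first letter: "Chevy" -> "C"
            out.append(core[0])
        out.append(trailing)    # keep the "!" so the result has punctuation
    return "".join(out)


def strength_report(password: str) -> dict:
    """Length plus the four character classes the article lists."""
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punct": any(c in string.punctuation for c in password),
    }
    return {
        "length": len(password),
        "classes": sum(classes.values()),
        # Threshold chosen here (not stated as a rule by the article):
        # at least 12 characters drawing on all four classes.
        "strong": len(password) >= 12 and all(classes.values()),
        **classes,
    }


if __name__ == "__main__":
    pw = mnemonic_password("This blog is dedicated to my 1958 Chevy!")
    print(pw, strength_report(pw))  # Tbidtm1958C! {... 'strong': True}
```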


The phony Facebook app is no joke, either. That’s a straight out scam. Avoiding that one is largely a matter of not approving apps when you don’t know the source. Sort of like “Don’t download pirated software, since it’s often got hidden nasties buried in the code.”

But what about scares from known sources?

There was one hell of a hullabaloo recently about the permissions you need to give Facebook messenger. FB requires people on cellphones to download and use their new app in order to use FB messages from their phones, and that got a lot of people angry. The suggestion that the permissions could be used for spying made that a hotter topic than it already was.

The fact is, the permissions for that app are no different from those of any other app that lets you take and upload video, chat via text, or do any of the other things Facebook Messenger does. They are required in order to give people the functions they want.

The scare was due in large part to one news source alleging potential government involvement.

Now, it’s not surprising a lot of folks don’t trust Facebook. Their reputation on privacy issues isn’t enviable. Yes, there are risks with anything that gives an app access to the camera, microphone, and GPS service on your phone. And obviously Facebook’s app would be the most attractive target, simply because of the number of people using it.

Still, there’s no reason to blast them for offering something that requires permissions that have to be there to do what you want.

There’s an opportunity there for an encrypted social chat app. Or you could switch to some other app, just to spread the data around. Or you could do what I do…

Don’t use Facebook from your phone.

Don’t kid yourself, kids. You aren’t going to become a social pariah if you stick to text messages and stop broadcasting everything you do to the whole world.

If that’s a problem, you need new friends.


Then there’s the ongoing concern about WordPress security. Given the number of blogs that get auto-hacked every day, it’s a valid issue.

Yes, added security is good. Yes, automated backups are good.

Here’s a simple 5-step formula that will eliminate most of the potential problems.

1. Back up your files and database regularly.

2. Keep text file backups of your posts.

3. Give your admin user a name that is unlikely to be guessed (NOT admin), and a strong password. Then never post using that account.

4. Create a separate account with Author or Contributor status, and only post using that account.

5. Install the Wordfence plugin.

Bang. Twenty minutes, tops. It ain’t bulletproof, but it’ll keep out most random roving hackers and the like. Unless you are specifically targeted by someone with skillz, it’s probably more than enough.

There’s a lot more you can do to protect a WP blog, but much of it needs to be done when the blog is being installed. These, you can do pretty much any time.


Oh yeah. If you’ve already been making public posts using your admin username, create another user and give that one admin privileges. Then demote the existing account to Editor.

And change the password.


And we come at last to Coco the Siamese WarKitteh.

Yes, that one is real. Dude put together a little gizmo with some common chips and hand-rolled code, and attached it to a family cat’s collar. As cute little Coco wandered the neighborhood, the unremarkable device collected data on wifi connections within range. Including 4 that used the easily hacked WEP protocol, and 4 more that were completely open.

Now, people could easily be suspicious of some guy sitting in a car with a wifi amplifier on the dashboard. Or even just a stranger walking around the neighborhood.

Who would suspect a stray cat of being a cyber-spy?

The potential problems from having strangers sending who-knows-what out over your connection are obvious. The real issue is the ease with which it can be done.

Attach a widget like that to a mail truck and pick it up the next day. Or spend a few more bucks making it possible to read the thing remotely. Hide it on the neighbor kid’s bike. Or just keep it in your pocket for your daily stroll.

Again, it’s easy to avoid most of this.

Make sure your wifi modem has a strong password (not the default, and not your address). If it doesn’t support at least WPA, get a new one. WPA2 is better. Your provider should have them available, or you can buy one at reasonable prices from any decent electronics store or local superstore.

Not rocket science.


These incursions aren’t limited to scary criminal strangers.

A friend of mine constantly complained about his Internet connection getting very slow at the same time every evening. It messed with his gaming, and he said some very unpleasant things about (and to) the customer service folks at his ISP.

I suggested he get a newer modem (WPA2 capable) and change his wifi password. Solved the problem. He later found out one of his neighbors was using a cheap wifi antenna to leech off his connection.

My buddy is lucky the guy wasn’t doing anything illegal on his evening surf…


So, should you be worried?

Maybe. You should certainly be careful. But the extreme levels of fear and paranoia that some people associate with the online world are not useful. Fear doesn’t stop bad things from happening.

Get good security software, and don’t let it lull you into a false sense of security. It won’t protect you from innocent mistakes like enabling a malicious app, or brilliant moves like sending money to a “Nigerian Prince.”

Do the basic things I just outlined, and you’ll eliminate, or at least minimize, a lot of the issues.

Worried about buying things online? See if your bank offers separate accounts for online use, so you can make sure you’re only at risk for what you knew you’d be spending. Most do, and the fees can be as low as $3 or $4 a month. A small price to pay for peace of mind. Or use pre-paid debit cards and only add what you need.

Don’t log in to online financial or shopping accounts by clicking on links in emails.

Simple stuff. Common sense.

The problem is, many people think they’re insulated from problems because they’re the only one in the room. They forget they’re sending data out into a world that’s rife with would-be spies.

Think of these steps as installing curtains on your digital windows.

Make no mistake, nothing is 100% protection against bad stuff happening. But, like looking both ways before crossing the street, a little attention can go a very long way.

Don’t be afraid. Be aware.

What do you want?

What would make this blog useful to you? What do you want to learn or stay informed of or do that you aren’t finding the way you want somewhere else?

Frequently asked questions

So, what’s the theme?

I assume you mean the topical theme, rather than the PHP code. The latter is likely to change at a moment’s notice.

“News, reviews, and how-tos.”

Where are all the cool conversion and social linking gimmicks?

On their way. There’s a lot of stuff that will be added, but I’d rather get the thing open and plug in the extras later. If you wait until it’s done, you fall into the whole “It’s not perfect yet” trap.

Well, you might not, but I do.

Why are comments moderated?

I’d rather have 2 thoughtful comments, critiques, or questions than 20 “Me too” or “Billie Joe’s an idiot” posts. On some posts, friendly banter will be more than welcome. On others, it’ll be just business.

I suspect that will evolve over time.

Why so few categories?

I’ll add them as posts are made. Why waste space with empty listings?

Do you accept guest posts?

Eventually, yes. From the right people. If I don’t know you, the odds are good I won’t. To submit a post, go to http://thevirtual.co/support and choose the “Guest post submission” category.

Why now?

Why not?

How do we make suggestions?

If you’re a registered member, you can leave them as comments in response to this post. Or go to http://thevirtual.co/support and use the “Blog – Comment or Suggestion” category to send them to me.