Tue, 09 Jun 2009

Fighting spam with spam

I've always found it mildly irritating when I get a response to an email message that says:

I'm protecting myself from spam. Please click the link below to complete the verification process. You have to do this only once.

When I receive one of these messages in response to email I did NOT send, it's not just irritating, it's infuriating.

It is a common technique of spammers to not only send spam to their harvested addresses, but also to use them in forged From headers. With this type of spam verification, you get to be a victim twice.

Spam filters have gotten quite good. I rarely received spam in my inbox. Any spam filtering technique that generates unwanted mail itself should be shunned. They are just adding to the problem.

The message I received came from Spam Arrest. It not only came with the verification, but an advertisement for the service. Isn't that the very definition of spam?

I've added an email filter. All mail from spamarrest.com is automatically reported as spam. If you happen to use Spam Arrest—sorry—your mail is undeliverable here.

[/internet] [link]

Tue, 15 Apr 2008

Geezeo responds

After posting my comparison of personal finance webapps, I received an email from Peter Glyman, Co-Founder of Geezeo.

Peter let me know changes are in the works that will address many of my concerns. I am anxiously awaiting them.

I'm very impressed with the fact that Peter took the time to write a thoughtful reply to my post. It demonstrates that Geezeo is paying attention to its users. Companies that listen to their users deserve success.

[/internet] [link]

Washington Mutual External Accounts

Washington Mutual online banking allows the addition of external accounts for ACH transfers. It is an extremely useful feature.

I recently opened an HSA at another bank. That bank is out of state. I wasn't looking forward to mailing checks to make deposits and writing checks on the HSA to reimburse myself for medical expenses. The external accounts feature makes that all unnecessary. I can transfer funds between my WaMu accounts and my HSA from the WaMu website without ever licking a stamp or signing a check.

To verify ownership of an external account, WaMu makes two small deposits of less than a dollar (then yanks them back out with a single withdrawal). When the deposits appear in your external account, you confirm the account on the WaMu website by entering those amounts.

I first saw this technique used by PayPal. Now it seems to be a standard account confirmation method.

If WaMu just offered OFX as one of the transaction download formats, I'd give them a perfect score.

[/internet] [link]

Wed, 09 Apr 2008

Twitter abuse

Yesterday, I got an email from twitter notifying me that I have a new follower. I checked the page to discover my new follower is a complete stranger. It was apparent she was following me and others simply to drive traffic to her website. I say her, but there's a good chance the account is just a front.

Twitter is an extremely simple, interesting, and effective tool. I've really enjoyed the updates my friend Joe has been posting while in China. But like almost every simple tool on the Internet, people find ways to abuse it.

I'm not sure what the best policy is, here. Block followers you don't recognize and who don't provide any reason for following? Ignore the notice? Turn follower notices off?

A Google search for twitter etiquette will turn up literally thousands of pages of advice. I'm happy to simply not follow people whose posts annoy me. What bothers me about the new follower notices is that I really do want to know who is following me and I don't see any reasonable way to know that without being subjected to complete strangers whose motive is driving traffic to their sites.

I'll just have to see how it works out over time.

[/internet] [link]

Tue, 08 Apr 2008

Geezeo, Mint, and Wesabe

I took some time over the weekend to experiment with the three personal finance web sites I discussed in my last entry. That changed my perceptions. Although I still have high hopes for Wesabe, I find that requires the most work to use, currently.

Mint appears to be the most useable out of the box. It did the best job of assigning useful names to the transactions I downloaded and giving me some immediately useful information.

Geezeo had support for more of my accounts than the others. My biggest complaint about Geezeo should be easy to fix on their part: all the transaction names are in UPPERCASE. Yuck!

None of the sites handled all of my accounts. I use thinkorswim for stock and options trading and was unable to add it. Mint actually had an entry for thinkorswim when I searched for it using the Add Account feature. However, after providing my thinkorswim username and password and watching the connection progress, Mint gave me the disconcerting error message:

This just isn't going to work.

I have access to three checking accounts through my bank's website: my personal checking account, my business checking account, and my daughter's checking account. Of the three, I only want my personal checking account aggregated. Only Wesabe allowed me to make that selection. Mint lets me hide the other two accounts, or mark them closed, but not until it has downloaded transactions. Geezeo let me delete accounts after the initial import.

Here's a short list of pros and cons as I see them:

Geezeo

Pro

  • Supports the most accounts and account types. Only Geezeo allowed me to aggregate my mortgage account, student loans, and all my credit cards.
  • Does a fair job of naming and categorizing transactions, automatically.

Con

  • Transactions are named in all UPPERCASE.
  • I found the site navigation a bit counter intuitive.
  • Unable to select specific bank accounts for aggregation.

Mint

Pro

  • Clean, professional looking design.
  • Transactions automatically renamed appropriately.
  • Very nice graphs and charts.
  • Relevant and timely email notices.

Con

  • No support, yet, for mortgage accounts, student loans.
  • Unable to select specific bank accounts for aggregation.

Wesabe

Pro

  • Very open communications between company management and users.
  • Most customizable.
  • Allows selecting specific accounts from a single bank.
  • Social integration, such as user tips.

Con

  • Requires a browser plug-in to manage bank account connections.
  • Managing account connections can be difficult.
  • Does not rename transactions out of the box. Once you've renamed a transaction, the name is applied to similar transaction on subsequent, similar transactions. However, manually assigning names to each new, unique payee is time consuming and cumbersome.

Security

It's worth noting that Wesabe has a very different security model from the other two sites. All three sites claim they do not store your sign on credentials for the various accounts they integrate. Mint and Geezeo don't store them—they pass them to a third party that does store them. Mint uses Yodlee and Geezeo uses CashEdge. Wesabe provides browser plug-ins that let your PC establish connections to your banks then feed the data to Wesabe—your credentials are stored on your own PC.

Since Mint and Geezeo ask for your credentials and pass them to a third party, you have to first trust Mint and Geezeo to abide by their security policy and never save or use your credentials. You also have to trust the third party providers they pass the credentials to, Yodlee and CashEdge. The security policies of all involved are disclosed and explained. I have no problem trusting them, but it does require trust.

The advantage of this approach is that it makes features like Mint's email notices possible. Mint can access your bank data even when you're not logged in. Getting notices about transactions that have cleared the bank when credit cards payments are due, without signing in, is a useful benefit.

With Wesabe's approach, you need to trust the plug-ins they provide. For the truly paranoid, and technically capable, that should be possible. It would require monitoring just what gets passed to Wesabe. I'm willing to trust their security policy and believe they aren't capturing my sign on credentials. On the other hand, I'm not sure having my credentials stored on my own system and using a plug-in is any safer that passing them on to Yodlee or CashEdge. It just seems more likely to me that some browser bug or flaw in the Wesabe plug-in might eventually be exploited, than Yodlee or CashEdge being hacked.

This is still a new application area and there's no clear winner, yet. If we could pick and choose the features of these three sites we would have a very attractive application. I'm sure we'll see a lot of progress with all three in the near future.

[/internet] [link]

Wed, 02 Apr 2008

Personal finance management

My exploration of social networking software lead me to some interesting applications for personal fiance management:

These applications let you import data from bank, credit card, and other accounts and manage them in a central place. They provide help with budgeting, graphs and reports of spending, and tips and advice on spending and saving.

I haven't explored any of these applications in depth, yet, but Wesabe, initially, appeals to me most. The company seems extremely open and interactive with its customers. The CEO, Jason Knight, is available by phone seven days a week! Have a problem or concern? You can pick up the phone and talk to the CEO.

Wesabe also has an API. As a programmer, that appeals to me.

From user comments, it appears Mint may have some better graphs and reports and has a more business like demeanor. All three, in fact, have their particular strengths and weaknesses. Wesabe's open dialog with users leads me to believe they are likely to add missing features and incorporate feedback quickly, so I've decided to invest some time with it before pursuing the others in depth.

So, what's the social software tie in? These sites provide a variety of ways for users to interact with each other, from sharing tips and advice to comparing spending habits against averages. The social aspect is context sensitive, so, I might learn about a zero interest balance transfer option while dealing with my credit card bills.

Wesabe is on twitter, so you can keep tabs on some of the news and happenings at Wesabe by following along in twitter.

I used to meticulously enter every receipt in GnuCash. I still use it for business. But I've done little to manage my personal finances for the past 2 or 3 years outside of quick online reviews of my bank and credit card accounts, periodically. Perhaps Wesabe will help me be a bit more proactive.

[/internet] [link]

Mon, 31 Mar 2008

Twitter, the simplest thing that works

The past few weeks I've immersed myself in some of the web social networking applications: LinkedIn, Facebook, and Twitter.

Twitter, my most recent plunge, is conceptually the simplest and may turn out to be the most useful.

One of the tenets of good software programming is "Do the simplest thing that works." Twitter seems to epitomize that concept.

Twitter is simply a message routing system. Send a short message and Twitter rebroadcasts it to your followers. Unless you have opted out, the message is also dispatched to the public time-line.

Prefixing special commands can alter the message routing. For instance, prefixing a message with d someuser dispatches the message to someuser, only. Twitter calls it a direct message, thus the d command.

What sets Twitter apart from IRC, email, IM, and other message dispatching systems is it's simple message routing control and its ability to work across devices: web, IM, cell phone.

You receive messages from those you are following. As your family and friends join Twitter, you can follow them. When I'm at my computer, I receive Twitter messages with my instant messenger. When I'm away from the computer, I receive them as text messages on my cell phone. I don't receive cell phone messages between 10pm and 7am—I'd rather sleep. In the morning, I can check my Twitter web page to see any messages that arrived overnight.

This simple messaging framework supports some interesting applications. (Applications, here, meaning use cases rather than software products, although it does provide opportunity for those, as well.)

I'm an avid cyclist. I don't mind riding alone. In fact, I do most of my riding alone. But it's nice to have companions to ride with, sometimes. Meeting up for rides with friends can sometimes be a bit problematic.

Imagine all my cycling friends and I using Twitter. No planning necessary. Joe sends a message:

Headed for Beacon with Bobby for a couple hours.

A few minutes later, Steve says:

I think I'll try to catch Joe and Bobby at Beacon.

And Cathy says:

Mark and I are going to ride to Rockford and back.

Great! I've got 3 options: head to Beacon for a mountain bike ride with Joe, Bobby, and Steve, do a road ride with Mark and Cathy, or neither. Since Twitter is a low expectation interface, neither Joe nor Cathy is expecting a reply from me. Whether I show up or not is immaterial. They've simply notified the rest of us of their intent so we can join if we want to.

I think I'm up for a mountain bike ride:

@mtnbk1 Watch for me on Beacon, I'll head that way soon.

Joe may or may not see my message; he may already be away from his computer and he doesn't carry his cell phone when mountain biking. The @mtnbk1 is mostly convention. It indicates I'm replying to Joe, using his username. The message is routed to all my followers, so Cathy knows not to expect me. If Steve sees the message, he'll be watching for me on Beacon, too.

Joe and I are training for a grueling mountain bike race in June. We do most of our training alone, but meet for a couple rides together each week. Joe's job will take him to China for a few weeks, soon, where he'll be running to keep in shape and may not have access to a bike. And he'll be 15 or 16 hours ahead of me on the other side of the globe.

Yet, keeping in touch with Twitter will help us both keep motivated to keep up with our own training. I look forward to messages from Joe, like:

8 mile run on the beach; running in sand is exhausting

And I'll be sending updates that will let Joe know I'm on track:

Finally cleaned the entire climb on Tower.

Now, I just need to get Joe, Steve, Cathy, and all my other cycling friends twitterized.

I found these articles on Twitter useful:

[/internet] [link]

Thu, 04 Nov 2004

Stupid Security

I discovered an ISP that allows DNS changes through a simple web form. To ensure changes are made by authorized personnel, they only accept changes from the Administrative Contact listed in the WHOIS records for the target domain.

Talk about a gaping security hole. Just find a domain with DNS hosted by this particular ISP, use the results of a WHOIS query to get the necessary credentials, and hijack the domain. Doing it from a public terminal at 5:30 PM on a Friday should minimize the chance of being noticed before the change is complete.

I discovered this flaw at work this week when I was asked to submit DNS changes for a client that moved their physical location necessitating an switch to a different ISP.

We had a technician on-site, but he had his hands full with the hard work: wiring, bring up systems, etc.

Initially, I submitted the changes using my own name and e-mail address, explaining in the special instructions box who I was, how they could verify the authenticity of my request, and why it wasn't practical to submit from the Administrative Contact's e-mail address: the mail server was setting at the new location, on one of the new ISP's IP addresses, which couldn't be reached by name until these very DNS changes were made.

The reply to my first submission:

For security reasons, we will only accept DNS requests from the administrative contact (WHOIS Lookup) of the domain name.

After hours of tail chasing with the ISP's support department (mortals are not allowed to talk to the DNS team directly), and rather frustrated, I just filled out the web form with the unreachable contact information. An hour later, the DNS changes were active.

No e-mail messages requesting a reply to authorize or a link to their website to verify the authenticity of the request was sent. The web page just generates an e-mail to the DNS team and a copy back to the submitter. The fact that the courtesy copy is undeliverable is overlooked.

The following morning, I got a call from the ISP with the account manager and a supervisor on the phone. They were ready to conference a member of the DNS team on the phone get the DNS changes I needed made. Already done, I told them. "I walked through a gaping security hole in your system and the DNS team happily made the changes for me."

I explained the situation. Hopefully they will fix the hole. I'd hate to see our client or any one else have their domain hijacked due to such stupid security.

[/internet] [link]

About this weblog

This site is the personal weblog of Marc Mims. You can contact Marc by sending e-mail to:
marc@questright.com.

Marc writes here about cycling, programming, Linux, and other items of personal interest.

This site is syndicated with RSS.

Archives

Credits

CSS stolen from Tom Coates who didn't even complain.