Note To Future Self – Keep Email Address

Post a comment on your old self from the future.

Wonderful tool (thanks BoingBoing, via Marc), which allows you to send emails to yourself at any point in the future — assuming, of course, the site, FutureMe.org, is still functioning and you haven’t changed your email address.

What is fascinating is to read other people’s emails (there’s an option to make them public or keep them private). One anonymous poster told her future self: “Dear FutureMe, I am a stupid bitch. I am writing this because I am drunk and feel that i need to tell someone how I feel”. Another: “Dear FutureMe, please buy me a G5. also, marry me a hott ethnic chick. yeah. oh, and dont die.”

Indeed.

The Audio Wonder Of OneNote

I’ve been playing with OneNote — the Microsoft program that lets you create and organise notes — quite a bit lately, and I have to say it’s a big leap forward, both for software and for Microsoft’s record on innovation.

Here’s an interesting post on a feature I haven’t explored yet: audio. Wayne reports that OneNote timestamps your typed notes as you record audio, so that jumping to a particular note gives you an icon shortcut to the corresponding point in the recording.

So, say you’re recording a lecture (or an interview, if you can imagine taking your laptop along): you type (or write, on a TabletPC) brief notes about what’s being said while the recording runs. Hovering your mouse over the notes afterwards brings up little icons that jump to the same point in the recording. Pretty cool.

One commenter pointed out that recording audio on a laptop isn’t great. True. You really need an external mike. And while those recording lectures, meetings or seminars in civilised environments (quiet, close to the subject, power outlets, tables to park your laptop on) should be OK, this is not going to be particularly helpful for us journalists.

For that I’d recommend Olympus digital recorders. Of course there are others, but I’ve had one (well, three, actually) since 1999 and they’ve been a godsend. The best trick: use an external microphone on a long cable, keep the recorder close to you and use the yellow index button to mark good quotes. When you upload the file to your computer to transcribe, you can quickly jump to the best bits.

Another option if you’re looking to record lectures with your laptop: LectureRecorder.

The Dos And Don’ts Of Dealing With The Press Online

I thought I would start penning some guidelines for companies seeking to provide resources for journalists online.

I’ll post this on the cache and add to it there as www.loose-wire.com/press. Please feel free to let me know if you’d like to see stuff added, changed, taken away, or whether you have any experiences that may be instructive.

Overriding Principle: Journalists are in a hurry. So:

  • Keep it Accessible: All media pages should be reachable simply by typing www.company.com/press or www.company.com/media.
  • Keep it Simple: Contacts need to be clearly listed, along with their positions, full company name, address, direct line, switchboard number, fax number, email address, and (if possible) an out of hours number to be reached on. This information should be presented in simple text form that can be copied and inserted into Outlook or some other contact organiser easily. No Flash, no PDF, no text in graphic format, no fancy stuff. Titles and areas of responsibility should be clear; no flashy titles that mean nothing to folk outside the company.
  • Keep it Fresh: If the contact is not available/on leave/left the company, their name should not be up there. If there’s any chance they’re not available that day, or that hour, then there should be a clear backup person to contact.
  • Make all company information, including press releases, available from one page, make the material searchable, and try to avoid PDF files where possible. The page should load quickly.
  • Write any press release or press web page in clear English, and purge it of jargon. Where you can’t avoid using jargon, explain it.

Some Do Nots:

  • Do not require journalists to register before they can reach someone.
  • Do not add journalists to mailing lists unless they’ve specifically requested it.
  • Do not send any email larger than 100 KB unless the journalist has requested it. Some of us still use dial-up.
  • Do not send press releases in Microsoft Word format. They look ugly, and they often carry more than you intend: revision history, author names and company details sit in the file’s metadata, invisible in the text but easily read. PDF is best, if you can’t put it in simple HTML.
  • Do not send press releases, or emails, without a clear title, so we know what they’re about.
  • Don’t put pictures of happy workers smiling, sitting in front of laptops, shaking hands, punching fists into the air, or any other clichéd image, anywhere near the media page. We know they’re all models and don’t work for the company; most of them we recognise from other company websites. Leave it out.
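The Word point above deserves a demonstration, because few people believe how much a document says about its author until they look. The script below is an added example, not something from the original post: it assumes the modern .docx (Office Open XML) container, which is a zip file with the properties in docProps/, rather than the binary .doc of the time, and it builds its own constructed sample document. `read_metadata` lists the identifying fields and `strip_metadata` rewrites the package without them.

```python
"""Inspect and scrub the identifying metadata a Word file carries.

Added example, not from the original post. It assumes the modern .docx
(Office Open XML) container, a zip file with the properties in docProps/;
the binary .doc format of the post's era needs a different parser. The
sample document below is constructed here, not a real press release.
"""
import io
import re
import zipfile

CORE, APP = "docProps/core.xml", "docProps/app.xml"
# Fields that say who wrote and edited the file, and where.
CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy", "cp:revision", "dcterms:created")
APP_FIELDS = ("Company", "Manager", "Template", "TotalTime")


def _tag_text(xml: str, tag: str) -> str:
    """Text inside <tag ...>...</tag>, or '' if the element is absent."""
    m = re.search(r"<%s[^>]*>(.*?)</%s>" % (re.escape(tag), re.escape(tag)), xml, re.S)
    return m.group(1).strip() if m else ""


def part_text(docx_bytes: bytes, name: str) -> str:
    """Return one part of the package as text, or '' if it is missing."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name).decode("utf-8") if name in z.namelist() else ""


def read_metadata(docx_bytes: bytes) -> dict:
    """Return the identifying fields present in core.xml and app.xml."""
    core, app = part_text(docx_bytes, CORE), part_text(docx_bytes, APP)
    found = {t: _tag_text(core, t) for t in CORE_FIELDS}
    found.update({t: _tag_text(app, t) for t in APP_FIELDS})
    return {k: v for k, v in found.items() if v}


def strip_metadata(docx_bytes: bytes) -> bytes:
    """Rewrite the package without docProps/ and without references to it.

    Caveat: tracked changes and comments live under word/ and are left
    alone here; accept or remove them in Word before sending.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename.startswith("docProps/"):
                continue
            data = src.read(item.filename)
            if item.filename == "[Content_Types].xml":
                data = re.sub(rb'<Override[^>]*PartName="/docProps/[^"]*"[^>]*/>', b"", data)
            elif item.filename == "_rels/.rels":
                data = re.sub(rb'<Relationship[^>]*Target="docProps/[^"]*"[^>]*/>', b"", data)
            dst.writestr(item.filename, data)
    return out.getvalue()


def make_sample_docx() -> bytes:
    """Constructed minimal .docx with the kind of metadata Word fills in."""
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
            '<Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/>'
            "</Types>"),
        "_rels/.rels": (
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>'
            '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/>'
            "</Relationships>"),
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>ACME announces record quarter.</w:t></w:r></w:p></w:body>"
            "</w:document>"),
        CORE: (
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
            ' xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/">'
            "<dc:creator>a.smith</dc:creator><cp:lastModifiedBy>Legal Dept</cp:lastModifiedBy>"
            "<cp:revision>14</cp:revision><dcterms:created>2004-06-01T09:00:00Z</dcterms:created>"
            "</cp:coreProperties>"),
        APP: (
            '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
            "<Company>ACME Holdings</Company><Template>merger_announcement_v3.dotm</Template>"
            "<TotalTime>312</TotalTime></Properties>"),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    doc = make_sample_docx()
    print("before:", read_metadata(doc))
    print("after: ", read_metadata(strip_metadata(doc)))
```

Run it and the “before” line shows the author’s login, the last editor, a revision count, the company and, in the constructed sample, a template name that gives away a story the release itself doesn’t mention. Note that the scrubber only removes the package properties; tracked changes and comments are stored with the body text and have to be accepted or deleted in Word itself.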

More to come as I think of stuff/have bad experiences with PR people/have positive experiences with PR people and websites.

How Long Do USB Thumb Drives Live?

Had my first USB thumb drive (sometimes called USB flash drives, or USB key drives) die on me today.

They’re a great way to move stuff from A to B, and to keep an extra back-up in your pocket, but don’t rely on them too much. I’ve had several over the years (they first started appearing in this part of the world in 1999, if I recall) and this is the first time one has just refused to give up its secrets.

It’s not a well-known brand, but I guess it’s true of all these devices, which use flash memory to store up to half a gigabyte of stuff. I’ve read they live for “up to one million rewrites and can retain data for up to 10 years”. Not in this case they don’t. This one hadn’t been much further than my pocket for the past couple of years, and my pocket hasn’t been anywhere exciting since the Great Drinking Session of 1996.

My advice: Don’t treat them as any more substantial than floppy disks. Keep them for moving stuff from one computer to another, or as a second back-up (after hard drives, online backup and/or CD-Rs). Assume that you could lose the data, and plan accordingly. They’re wonderful little gadgets, but I just realised they’re not the trusty friend I thought they were.

The Perils Of AutoResponse

Be careful what you put in your email auto response when you head off on holiday/maternity leave/business trip. Anyone can read it.

One of the things that came out of Daniel McNamara’s travails at Code Fish was that, when phishers put his name in the From field of one of their attacks, he was swamped by bounce-back emails for messages that couldn’t be delivered. That is simply how Internet email works: a server that can’t pass a message on returns it to whatever address is in the sender field, whether or not that address really sent it.

But among those bounce-backs were replies from legitimate addresses whose owners had set up an automated response, usually stored on the mail server, that sends a message back to anyone who writes, telling them they’re out of the office. It’s these emails that are the problem.

I haven’t heard of it being exploited yet, but I’m sure it will be. Daniel says a lot of those autoresponses contained a surprising amount of personal information that would be very handy to someone, somewhere: who to call, where the person will be, when they’ll be back. Some of the messages, he says, are remarkably informative, ranging from the person’s full name and workplace, through details of injuries that are keeping them at home, to companies using the autoresponse to notify senders that the person no longer works there or, in some cases, has been “fired for misconduct”.

In these days of targeted phishing this is an invitation to social engineering of a high order. All a phisher needs to do is flood a company with emails, either guessing the addresses, using a dictionary attack (trying common names and words as the part before the @) or grabbing names from the company’s online directory. If a dozen people have autoresponders on, the information gained could easily underpin a socially engineered attack on the company as a whole.

My advice: Assume that sleazy folk can read your autoresponder message and ask yourself whether you want to share that kind of information with them. Then either rewrite it, or better still, don’t use one at all. If you must keep one, say only that you’re away and who to contact instead, never why.
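To make the point concrete, here is what the flood described above yields in practice. This is an added example, not code from the original post or from Code Fish, and the three messages it works on are constructed samples rather than real mail. It is written from the attacker’s side on purpose: it sorts returned mail into bounces, auto-replies and human replies, then pulls the return date, phone numbers and named stand-in out of each auto-reply. Whatever it harvests from your autoresponder, a phisher gets for free.

```python
"""Sort what comes back from a mass mailing to a spoofed sender address
(bounces, auto-replies, human replies) and harvest the auto-replies.

Added example, not from the original post or from Code Fish. The three
messages are constructed samples. The header checks (Auto-Submitted,
X-Auto-Response-Suppress, Precedence) are the usual markers mail systems
attach to automated replies; the body regexes are this example's own
heuristics and will need tuning for other phrasings.
"""
import email
import email.utils
import re

# Constructed sample traffic, as it might land in the spoofed sender's inbox.
SAMPLES = [
    # 1. A genuine non-delivery report.
    "From: MAILER-DAEMON@mx.example.net\n"
    "To: spoofed@victim.example\n"
    "Subject: Undelivered Mail Returned to Sender\n"
    "Auto-Submitted: auto-generated\n"
    "Content-Type: text/plain\n"
    "\n"
    "This is the mail system at host mx.example.net.\n"
    "<nobody@example.net>: unknown user\n",
    # 2. A chatty out-of-office reply.
    "From: Pat Lee <pat.lee@example.net>\n"
    "To: spoofed@victim.example\n"
    "Subject: Out of Office AutoReply: Account verification\n"
    "X-Auto-Response-Suppress: All\n"
    "Content-Type: text/plain\n"
    "\n"
    "I am on leave until 14 June and will not be reading email. For urgent\n"
    "matters call my mobile on +61 400 000 000 or contact Sam Ng (x2345),\n"
    "who is covering for me while I am away.\n",
    # 3. An ordinary human reply, which carries nothing automated.
    "From: Chris <chris@example.net>\n"
    "To: spoofed@victim.example\n"
    "Subject: Re: Account verification\n"
    "Content-Type: text/plain\n"
    "\n"
    "Is this genuine? Chris\n",
]

PHONE_RE = re.compile(r"\+\d[\d ]{7,}\d|\bx\d{3,5}\b")
RETURN_RE = re.compile(r"\b(?:until|back on|returning on)\s+(\d{1,2} \w+|\w+ \d{1,2})", re.I)
DELEGATE_RE = re.compile(r"\bcontact\s+([A-Z][a-z]+(?: [A-Z][a-z]+)?)")
AUTO_PRECEDENCE = ("auto_reply", "bulk", "junk")


def classify(raw: str) -> str:
    """Return 'bounce', 'autoreply' or 'human' for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    sender = msg.get("From", "").lower()
    subject = msg.get("Subject", "").lower()
    if "mailer-daemon" in sender or "postmaster" in sender or "undeliver" in subject:
        return "bounce"
    if (msg.get("Auto-Submitted") or msg.get("X-Auto-Response-Suppress")
            or msg.get("Precedence", "").lower() in AUTO_PRECEDENCE
            or "out of office" in subject or "autoreply" in subject):
        return "autoreply"
    return "human"


def harvest(raw: str) -> dict:
    """Pull name, address, return date, phone numbers and named stand-in
    out of an auto-reply (single-part text body assumed)."""
    msg = email.message_from_string(raw)
    name, address = email.utils.parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    back = RETURN_RE.search(body)
    delegate = DELEGATE_RE.search(body)
    return {
        "name": name,
        "address": address,
        "back": back.group(1) if back else "",
        "phones": PHONE_RE.findall(body),
        "delegate": delegate.group(1) if delegate else "",
    }


def triage(messages) -> dict:
    """Count bounces and human replies; harvest every auto-reply."""
    result = {"bounce": 0, "human": 0, "autoreply": []}
    for raw in messages:
        kind = classify(raw)
        if kind == "autoreply":
            result["autoreply"].append(harvest(raw))
        else:
            result[kind] += 1
    return result


if __name__ == "__main__":
    for entry in triage(SAMPLES)["autoreply"]:
        print(entry)
```

From the one auto-reply in the sample the script recovers a full name, a personal mobile number, the date the person is back and the name and extension of the colleague covering for them: everything needed for a convincing phone call to that colleague. The bounce and the human reply are correctly set aside, which is the same filtering a phisher would do before reading the rest.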

Anatomy Of A Phishing Trojan

Phishing emails don’t need to be sophisticated to lure the unwary. Indeed, there’s some evidence that those behind the more convincing emails masquerading as bank mail are also behind a spate of key-logging trojans that use basic methods to fool the recipient into activating them.

Australian Daniel McNamara of anti-phishing website Code Fish has found a new trojan that does a scary amount of work; he believes it’s the work of the same phishing gang that recently launched attacks against his website and targeted Westpac and ANZ banks. The emails themselves contain no special tricks, just plain text mentioning something newsy about Australia and offering a link to read more.

In this case it’s not the emails that are sophisticated (in fact, their very simplicity may be the lure); it’s the website they link to (apparently a cracked Windows XP machine sitting on a broadband link in Canada). All the user sees there is a blank page, but for users of unpatched Internet Explorer the page quietly installs a trojan by way of a Java applet embedded in it. It takes a second, and all the user might notice, if their eyes are quick, is a message flashing up in the status bar at the bottom of the browser window: “Applet initialising...” By then the computer is infected.

It’s worth looking more closely at the payload, courtesy of Daniel’s groundbreaking sleuthing. The trojan copies the contents of a file to the Windows directory. It then creates an executable, which is launched. That creates a subfolder in the Windows directory called “ijn”, in which it places two files, nm32.exe and mn32.dll. The executable is then deleted. A small text file is created in the same directory.

All of this is so well hidden that only a real expert could know it was going on. As far as Windows is concerned the trojan and the directory it created don’t exist: not in Task Manager, and not in Explorer even with “show hidden files/directories” turned on. As Daniel says, “somehow the trojan has set up a ‘screen’ so that the overlying Windows GUI denies their existence. Judging from what we found out later it’s because it’s managed to place some hooks into Explorer that allow it to basically become invisible to the average end user.”

Behind the scenes, however, the trojan is busy. As soon as the user visits an Australian banking site it logs all keystrokes to a file in the same directory called “kbd.txt”. The results are then emailed to a server in Russia. The other file the trojan creates, ps.txt, is delivered by FTP (the standard protocol for copying files between computers over the Internet) and appears, Daniel says, to include passwords stored on the victim’s computer, including those for Outlook Express, AOL and possibly Microsoft’s Passport. The FTP site is hosted on a computer belonging to a web hosting company in the U.S.

In other words, this trojan not only captures your banking passwords, it also trawls around for any kind of passwords on your computer that may prove useful.
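Given the indicators above, the obvious question is how you would check a machine for them when the trojan hides its own directory. The script below is an added example, not code from the original post or from Code Fish. The directory and file names (ijn, nm32.exe, mn32.dll, kbd.txt, ps.txt) are the ones reported above; the scan layout, the hash check and the sample tree it builds under a temporary directory are this example’s own constructions, and the sample files hold placeholder bytes, not malware. The important caveat is built in: a rootkit that hooks Explorer’s directory enumeration can hide from `os.listdir` just as well, so the scan also opens each expected path directly by name and reports any name that a direct probe finds but the listing omits, since that discrepancy is itself the signature of the hook Daniel describes. The only fully reliable scan is from clean boot media.

```python
"""Look for the on-disk indicators reported for the trojan, cross-checking
directory listings against direct probes.

Added example, not from the original post or from Code Fish. The names
in IOC_DIR and IOC_FILES are the ones reported in the post; everything
else here (the report layout, the hash, the constructed sample tree) is
this example's own. A user-mode rootkit that hooks directory enumeration
hides from os.listdir too; opening a path by name usually still works,
so a name that stat() finds but the listing lacks is a red flag.
"""
import hashlib
import os
import tempfile

# Indicators from the post: a subfolder of the Windows directory and the
# files the dropper and keylogger leave in it.
IOC_DIR = "ijn"
IOC_FILES = ("nm32.exe", "mn32.dll", "kbd.txt", "ps.txt")


def listed_names(path: str) -> set:
    """Names the enumeration API reports (what Explorer would show)."""
    try:
        return set(os.listdir(path))
    except OSError:
        return set()


def probed_names(path: str, names) -> set:
    """Names that exist when opened directly, regardless of enumeration."""
    found = set()
    for name in names:
        try:
            os.stat(os.path.join(path, name))
            found.add(name)
        except OSError:
            pass
    return found


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(windows_dir: str) -> dict:
    """Return findings for one Windows directory.

    'hidden' lists names a direct probe found but the listing did not,
    which is how an enumeration hook like the one in the post shows up.
    """
    listed_top = listed_names(windows_dir)
    probed_top = probed_names(windows_dir, [IOC_DIR])
    report = {"dir_present": IOC_DIR in probed_top,
              "hidden": sorted(probed_top - listed_top),
              "files": {}}
    if not report["dir_present"]:
        return report
    ioc_path = os.path.join(windows_dir, IOC_DIR)
    listed = listed_names(ioc_path)
    probed = probed_names(ioc_path, IOC_FILES)
    report["hidden"] += sorted(probed - listed)
    for name in sorted(probed):
        full = os.path.join(ioc_path, name)
        report["files"][name] = {"size": os.path.getsize(full),
                                 "sha256": sha256_of(full)}
    return report


def build_sample_tree() -> str:
    """Constructed stand-in for an infected Windows directory. The files
    hold placeholder bytes, not malware; ps.txt is deliberately absent."""
    root = tempfile.mkdtemp(prefix="winscan_")
    os.mkdir(os.path.join(root, IOC_DIR))
    for name in ("nm32.exe", "mn32.dll", "kbd.txt"):
        with open(os.path.join(root, IOC_DIR, name), "wb") as f:
            f.write(b"placeholder " + name.encode())
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print("sample tree:", scan(sample))
    print("clean dir:  ", scan(os.path.join(sample, IOC_DIR)))
```

On a real machine you would point `scan` at `C:\Windows` rather than the sample tree, and the hashes it records are what you would forward to an anti-virus vendor along with the files. An empty `hidden` list on an infected host means the hook also covers the direct-open path (or is in the kernel), which is exactly the case where scanning from inside the running system tells you nothing.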

So who’s behind it? There are a couple of clues. The keystroke log is emailed to a Russian address (server@mail.ru). There’s also a snippet in one of the files suggesting that the author, or someone involved in the trojan’s creation, was Russian, or at least East European.

There are a couple of points worth making here:

  • The weekend attack: These attacks move too quickly for anti-virus companies, particularly when they hit at weekends. Daniel says he spotted the trojan on Friday night, but the website serving it wasn’t working until midday Saturday, Eastern Australia time (Friday afternoon/evening, U.S. time). Within an hour or two he had heard from one person who was infected after his anti-virus software failed to stop it. Daniel says he forwarded the trojan to the anti-virus companies late Saturday (Australian time), but so far there’s no sign they’ve updated their signatures or posted a warning.
  • Phishers are not just after your bank details: They can also make use of your other passwords. Remember, the website serving the trojan was a broadband-connected computer (probably a home machine, and probably broken into rather than the phishers’ own) in Canada, and the FTP drop was on a legitimate web hosting server in the U.S., where an account had been broken into. Stolen passwords are how that kind of infrastructure gets assembled.
  • Phishing is not just fancy graphics: Phishing is social engineering, and it can be primitive and still succeed. This was a plain text email with just enough appeal to get someone to click the link. (Indeed, with public awareness of the more sophisticated attacks growing, this may be deliberate.) Daniel is convinced the people behind this one are behind others: he points out they used exactly the same technique to install the trojan as in previous attacks on Westpac and ANZ customers.
  • Sophistication: This trojan adds elements to the mix that show how, with every attack, the folk behind them get smarter. There’s no visible sign that it is on your computer unless you take a real, close look.

Bottom line: Phishers use lots of different methods, and lots of different tricks, to get a broad range of information out of you. And, if they hit at weekends, anti-virus companies may be asleep at the wheel, so don’t rely on them.

A Directory Of RSS Readers For Windows

A new resource for Loose Wire Cache: A list of quality RSS readers for Windows.

If your favourite isn’t there, let me know. It’s not supposed to be a definitive list, just a ‘best of’.

(Loose Wire Cache is a companion website to this blog. Please note the new URL: www.loose-wire.com . Most resource pages can be reached by entering the website name and then the topic, for example www.loose-wire.com/readers . So far we have pages for Plaxo, MessageTag, Indexers, email clients and creating short URLs.)

Narrowing Down Those Search Results

Here’s an interesting, albeit quirky, search program called, suitably enough, Mercurius. From the blurb:

When you perform a search using Mercurius, as well as the usual search engine results you are shown lists of words and phrases found within these results. So, if you feel that the returned sites are not exactly what you wanted, you can iterate the search using any of the listed words and phrases that you think are relevant, and continue this iteration until you have found exactly what you want.

Basically Mercurius will search for you, then list all the words and phrases inside those results, allowing you to form a more specific search. It should be great for those times when you’re trying to find something where the keywords are not specific enough. Mercurius is available from Silvawood Software, an apparently one-person operation in the UK.

Is SPIM Another Non-Problem?

No. It is a real problem, if only because there’s still plenty of sleazy people figuring out new ways to ruin your day.

There’s some skepticism out there about this new spam threat. SPIM, in case you didn’t know, is spam delivered not to your inbox but to your instant messaging program, like ICQ. Some folk say it’s a problem: Yankee Group, according to a recent report, estimates that five to eight percent of all instant messages are currently spam generated by automated bots. Others are more skeptical. Greg Cher on thespamweblog points out that he’s “been on all three of the major IM’s for at least years and have never…ever had a problem with ‘spim’.”

I was skeptical too, until today, when I saw these programs being peddled via PRWeb: “ICQPromoter is a powerful tool for sending messages to thousands of Online or Offline ICQ users. Audience can be targeted by specific interests, country, city, occupation, age, gender or language.” The company behind this, Nanosoft Inc. of Milpitas, California, also offers:

  • Admessenger (“a feature-rich direct advertising program designed to deliver your messages directly to upto 2 Billion Windows 2000, XP, and NT desktops…It is like showing Banner Advertisement with paying a single penny”)
  • Yahoo Answering Machine (“Serves as Perfect Advertising Machine and Advertisement Machine. You can send Message in Room after Predefined time. Send PM to all users in Current Chat Room.”)

You get the idea. These programs spam large numbers of people via chat messengers or Yahoo chat rooms, all of it automated. What would be amusing, if it weren’t so dumb, is that Nanosoft prominently displays a “zero-tolerance policy” towards spam. “If you have found this website due to spam, please let us know,” they say. Presumably that doesn’t include spam sent with the products they sell?

On closer inspection, Nanosoft have some other rather sleazy products on display. How about this for size: Shadow Pooper [sic], which will, unknown to the user, “periodically open new browser (in fullscreen mode) and load your ad page.” And just in case that’s not intrusive enough for you, “it also can change users Homepage in browser to any URL you choose.” Helpfully, the blurb says “All you need, is to force user install your application on his PC. Use your imagination. Advertise your application as free xxx-dialer, internet booster, etc… You can even include it in installation pack with other free software.” So now we know how spyware works.

Then there’s the problem that Google have come across: The way that advertising via pay-per-click can be abused. Nanosoft offer this: the Traffic Blaster/ URL Generator which will “allow you to generate a massive amount of traffic to any website you wish. Affiliate sites, Banner Sites, Exit Exchanges, and the list goes on and on.” To be honest, I’m not clear from the blurb exactly how this works. Definitely worth a closer look though.

Ironically, these are the same guys selling popup blockers, chat encrypters, privacy protectors and evidence eliminators. Which brings me back to an earlier post and the question: how can you buy software to protect your privacy from folk you don’t trust? (And I couldn’t help noticing that Nanosoft don’t really trust their customers either. This message appears on their website: “Because of the growing incidences of Internet fraud, we log everything and take it very seriously. All the fraudulent transactions will be reported to FBI’s Internet Fraud Complaint Center (IFCC).” Right.)

Beware The Phisher’s Revenge

Australian Daniel McNamara, who runs the hugely informative anti-phishing website Code Fish Spam Watch says he was today the victim of an attack on his website and his character, by a phishing email.

The email, spammed far and wide, pretends to be from him and says: “Dear Online Banking User, You should be heard about such called interned scam, also called phishing – the activity, aimed to stole your personal details. Possibly you already seen letters, asking you to verify your personal bank account details, reactivate it, or to stop illegal payment…”

It then says more information can be found at his website or that of the Australian Federal Police. Of course the links don’t go there; they go to a website that, for IE users, downloads a trojan which (probably) installs a program to log keystrokes and mail passwords back to the originator.

The phishing email not only seeks to implicate Daniel by delivering a trojan under his name, it also overloads his servers. Because the email spoofs his address as the sender, every copy that can’t be delivered bounces back to his inbox. He says he has had to turn off his email server because of the traffic.

Daniel has been at the forefront of recording and investigating the phishing phenomenon, and has clearly attracted the ire of those involved. He tells me he believes it’s the same people who left a hidden message in a recent phishing email directed at Westpac; the message implied somehow Daniel and Codefish were involved in the scam. Daniel believes he “really managed to nark them.”

This kind of thing shows that one guy like Daniel can make a difference, simply by cataloging phishing attacks, since he’s provoked their authors into what appears to be a somewhat inept attempt at revenge. It’s a shame more people aren’t doing this kind of sleuth work.