trust me...

Mobile interwebs to grow 26x over next few years.

2011-02-07T13:19:00.001-08:00

http://latimesblogs.latimes.com/technology/2011/01/worldwide-mobile-data-traffic-exploding-nearly-tripled-in-2010-cisco-says.html

Google Latitude Checkin - fail

2011-02-06T14:53:00.000-08:00

Google maps/latitude/places checkin misses a big point. The post below nails its problems and the underlying of repurposing maps data as opposed to 4sq's freestyle place creation. Case in point: both in 4sq and Facebook places have loads of people checkin to the local beach - on Google Latitude the beach does not exist nor can I create it. So Google has missed an entire use-case (social connection at non commercial properties).
More important to note is the number of checkins at the beach far outnumbers ALL the checkins for local businesses - including a pub!
So putting aside if checkins are useful or just a fad - Google would be advised to think of use cases that help the user - not just Google "local" revenue plans.
One approach would be to drop checkin metaphor and do friend-proximity alerts like Whereoscope.
Heres the post:
http://blog.arhg.net/2011/02/will-check-in-latitude-embarrass-google.html?m=1

Sense shifting - hearablog and Feedspeak

2010-12-01T01:59:00.000-08:00

A few years back we got excited about "time-shifting" - PVR's like Topfield and Tivo taught us that it was OK to watch the news at 8:17pm instead of the 7pm that had been dictated to us for decades.

Same goes for blogs - we've been slaves to RSS feeds since 2003 without too many cool filtering mechanisms (Yahoo Pipes or Google Alerts anyone?). In the last 2 years RSS is proclaimed dead and Twitter is the new heir but the social filtering (ahem) is a complete fail.

So being a good slave, I know I need to carve off whole sections of my life to keep up with RSS feeds and my friend has been gReader on Android by the almost palindromic "Noin Nion". But I'm failing: sites like Techcrunch have ramped up to ludicrous volumes of articles to justify AOLs purchase and so "Mark as Read" is the my new new (and oldest old) friend.

HOWEVER - Whilst not a new idea, I've been experimenting the last week with Medium shifting (or Sense shifting). Typically in the car or when walking or working in the yard I use my surplus audio sense to consume podcasts - whats cute about Hear A Blog is they have pretty good narrations of Suster, Shirky, Ariely - all the guys you want to read but can't get to because of Team Arrington's textual diarrhea...

So Hear a Blog is pretty nice - but its only a few top 20 geek blogs. So for more edgy stuff I'm using Feedspeak Pro on Android - it cost me $1 and uses the TTS (Text to Speech) built into the phone. Its almost but not quite as annoying as the TTS on my old Amiga - but I will stick with this "sense shifting" app for a while and give my eyes a rest. Next step is to aggressively filter Techcrunch - how about "grep -vi lacy" ?

Any other suggestions for filtering Techcrunch down to: segment, interesting people and serendipity?
I can't believe this is still an unsolved problem.

Thoughts on Books - using an example:Do More Faster: TechStars Lessons to Accelerate Your Startup

2010-11-30T22:46:00.000-08:00

Single thesis non-fiction books should just die. Now, Please.

Thankfully, "Do More Faster" is not one of these books and ironically it was a critical book review that inspired me to purchase it.

The book is filled with short anecdotes - just a page or two and a corollary comment from the authors Cohen (@davidcohen, http://www.davidgcohen.com) and/or Feld (@bfeld, www.feld.com)

The criticism levelled at the book that the anecdotes are too short - I disagree. Much of the ethos that goes into the book is about "lean", about getting to the core of what matters. As fellow aussie Mick @liubinskas says: "Focus on the core - the rest is mostly crap".

Whats frustrating about non-fiction business books is the self-indulgence on behalf of the author and the lack of respect for the reader's time that is pervasive. Books like Freakonomics, Blink, Free, Made to Stick are targeted at audiences who have the least time - these readers treat the books as knowledge acquisition missions rather than a leisurely pursuit. But what does the author do? They deliver in 249 pages something that can be concisely delivered in less than 50.

You can argue that nuances are lost but I posit that the anecdotes/stories (yes they are the true way humans learn) can be culled if the author respects the reader's time - get over it, these business books are just snapshot punditry of a moment in time. Just like we shouldn't patent Business ideas, these books arn't a permanent and lasting discovery - just a maven's dispatch from the field.

Example: This beautiful RSA Animate sketch achieves in 10 minutes 48 seconds pretty close to what Pink achieved in 256 pages. I'm not diminishing Pink's tome, just that the longform* should DIE! I'd be happy to pay the same for the "brodie's notes" version:
- in non-fiction, its not the size that counts
- in 2010 (now) I am throwing out my last bookcase, so its not the cover-art that counts.

With eBook readers, tablets there is absolutely no reason to consume non-fiction in linear text only formats - you don't need to fill a book with 21 anecdotes that repeats the same thesis - we get it, in fact we got it before we bought the book. Instead, I see that tablets will drive richer educational formats unlocking the multimedia experience that has been evolving for 15 years.

If you bleat about graphic creation costs then you really need understand the outsourcing marketplaces. Things will also shift to curation of collected works just like Cohen and Feld do here.

So...ANYWAY...I quite like "Do More Faster", it suits my attention-deficit personality type. The rapid fire anecdotes are efficient, address a specific learning point and you can consume one chapter in a few minutes - thats a digestible format that doesn't bloat - its much like a sequence of blog posts and does lack some writing craft - but thats not the point**.

* I love longform fiction, books that take weeks or months: get under your skin, reside in your daily thoughts remain one of the most unique human experiences - I've not seen a movie or TV series that achieves that.

** Ironically curation of collected works will become the new form of editing. Anything anyone says has been said before, so I'd be happy to pay the curator and the authors for the efficiency of collating the best practices (de-surfing knowledge acquisition)

Credit: Competitor.com for the image.

Your feedback is helping us build Earth's Most Customer-Centric Company - Amazon

2010-11-30T15:41:00.001-08:00

The post's title was the footer from an Amazon Customer Service reply to me. I'm usually afflicted with a jaded view of such statements but this time I actually believe this company can and will achieve their goal.

Why?

First: its a bold statement but also humble. Most of the time you get: "The worlds leading...", "The best..." etc etc. But Amazon are saying they a "building" - they are not there but are working on it. They also say I am "helping" them - allowing me to engage with them and giving me recognition.

So all this is very nice and Cluetrain and all that - but only works if the product is good....

Second: I've been using the Kindle Reader on NexusOne for a while to read snippets of books (e.g "do more faster" by Techstars crew - more on that in a later post) when commuting or grabbing a coffee, it did the job and didn't try to do too much. (fit for purpose). However, Kindle drove my emotional justifications for getting the Samsung Tab the day it came available -> my first installed application was the Kindle.

I start Kindle on the Samsung Tab, open "do more faster" and boom, it opens at the page I last read on the Nexus One. Thats a very nice customer experience. The only problem is now I have to compete for the Tab at home (Angry Birds was second installed app thus sealing the Tab's fate as must-have mission-critical domestic tool).

To remedy this injustice: last week whilst in China I purchased a yum-cha Android "iRobot" tablet for $100. I didn't expect much but installed Kindle and boom, it opens at the page I last read on the Tab. I now can pick up reading on the formfactor that suits me.

Moral of the story is that even with a 600MHz 1st/2nd generation Shanzai tablet you can enjoy a great customer experience because Amazon focussed on the few features that really mattered. Second moral is that you can do that without purchasing an Apple*.

Third: No product is ever done - Kindle also syncs comments and highlights. But what I want to do is post or share a highlighted quote to a blog, Buzz, Twitter or an email. More importantly, I think this would help Amazon sell even more books (naturally my post would link to the Amazon page for that book). I used the feedback section of the Kindle and told them so. Unsurprisingly (but often neglected by other companies) they've built in a closed loop mechanism to easily allow me to "help".

That is where the Amazon Customer Service reply came from.

* BTW I saw Android 1.6 tablets a while back in China before the iPad appeared.

when droids date

2010-11-14T17:37:00.000-08:00

dialling back the security stuff (Change of blog title)

2010-11-12T22:58:00.000-08:00

Internet security is still the wild-west - and will be for a long time. Mobile internet security will likely make the O.K. Corral look like an episode of Neighbours:

all that geo-location stuff
real-time elements is a new window of opportunity
The belief that Sandboxing (of phone apps) and app review solves personal security is a delusion - it just shifts the goalposts - moves the problem up the stack.

Its good to see some solutions emerging to "out" applications that may (err) leak personal data from phones but at the same time social networks and search giants are squeezing everything but your banking password out of you (unless its your dogs name or your first car). Consumers are the meat in a data theft sandwich.

In summary, lets just say "security is a feature". As people building solutions for the web and mobile, security patterns and practices need to be builtin - not as a premature optimisation but as a trust element for the communities of users and their data.

From a consumer perspective - we still need the "internet drivers licence" but I'll do that next week :)

That said, I want to use this blog for more topics than security - to "dial back" the security tone. There are plenty of great sources - both corporate and independent - not so many for web fraud and community trust/reputation, I will still likely post some here but probably do more via work channels or just social streams.

So I've renamed this blog - simple and a little ironic.

Just for my own record, this is what the old blog intro text said:

"Trust me, I'm a dog" is homage to the apocryphal and naive 1993 cartoon. Identity, trust, reputation are the cornerstone of basic human relationships, but on the web its broken.
Also writing about my experiences as start-up Founder, CEO, CTO in Palo Alto and Sydney.

Menu option to see the lists I follow

2010-11-12T22:19:00.001-08:00

Once you follow an external public list, you can't find it again until a notification comes. The whole purpose of following a list is to refer to the existing entries as well.

Otherwise I'd need to create a list of "public lists I follow". Thats not efficient.

in reference to: Follow a list : Managing lists and labels - Bookmarks Help (view on Google Sidewiki)

Startup Metrics for Convicts

2010-10-14T20:03:00.001-07:00

Yesterday Matt Barrie, CEO of Freelancer.com and asked me to do a fill-in guest lecture for Technology Venture Creation (ELEC5701) course at Sydney University.

So, because the web is already cluttered with a bajillion posts, articles, platitudes and opinions on startups I thought I'd make some comments on the uniquely Australian perspective. Having started and been involved in a few startups bootstrapped from Australia - its worth sharing some tips and traps that might help young aussie entrepreneurs thinking they have a global product/company.

Most aussies know that the convict thing is a convenient ice-breaker in offshore conversations, so I've called the presentation "Startup Metrics for Convicts" in homage/rip-off of Dave McClure's "pirates" talks. Sorry, its a bit rough - I was short on time.

Startup Metrics for Convicts

View more presentations from David jones.

Zuckerberg says nobody uses lists - umm Gmail contacts?

2010-08-27T14:12:00.001-07:00

truth is facebook has less utility than an a sorted categorized contact list. Google Buzz does it well and you can simply buzz to family, friends or colleagues

http://feedproxy.google.com/~r/Techcrunch/~3/iHeEme-pOTc/

will "green" or "games" drive internet of things?

2010-08-27T05:08:00.000-07:00

This post shows the big boys are taking sensors seriously....BUT it still seems like "technology looking for a problem".
Normally porn is awarded the kudos of furthering internet technology (sort of like NASA) but I half suspect social gaming will be the heir (commercially speaking) to the throne. (iPhone and Wii sensor driven gaming).
Or perhaps it will be the more altruistic, green initiative that will apply sensors for energy reduction and intelligent minimisation of resources. Here are the "thing" sensors (as HP crow):

Vibration
Tilt
Rotation
Navigation
Sound
Air flow
Light
Temperature
Biological
Chemical
Humidity
Pressure
Location

..still seems applicable to porn....

Great post on embedding "viscerality" in your UX

2010-08-25T00:30:00.000-07:00

A perfect companion for Made to Stick by Chip Heath is this post. Focussing on "transitions", "wow moments" and "endings" the post communicates the weaving of a story that embeds deeper in the user's emotional level than just clicking stuff. Made to Stick!

I don't agree with one of the commenters complaining about eBay - yes its an ugly 1.0 site but:

I think the star rating was central to their success. It "took reputation to the consumers" in a form that was (mostly) understandable and dissolved distrust of remote buyers/sellers. People forget how revolutionary that was.
Also the concept of "WINning" an auction was a critical piece of reality distortion that surfaced an emotion that people often don't realise themselves. That reinforcing a visceral experience.

It also reminds me how ever since mint.com - everyone seems to be building green sites - meh.

The emergence of game culture in other ecosystems (foursquare etc) is also another huge wave that will be interesting to follow - will we become fatigued at the endless goals applications/sites start to set for us? Can I monetize my effort, is there a liquid market for "badges"?

Pop will eat itself

2010-08-24T21:58:00.000-07:00

...was the name of a seminal "alternative" Brit music outfit in the '80s.

A mere 3/4 years ago Dave Recordin gave seminal presentation on openid that still stands today. At some point he casually remarks that people want different identities for themselves and in fact he had several OpenIDs.

This seemed perfectly naturally to me coming from a security background - having more fake identities than Sybil (or fellow aussie Tara) is just your starting point.

In OZ various identity systems (the australia card) and various government and banking PKI initiatives have failed because a unique explicit identity is just too creepy. What's worse is a flat social network where there is no granularity. In recent years Chi.MP and Google Buzz have allowed "Groups" but Facebook has remained steadfastly flat - what crazy logic is that?

Its fashionable to critique FB based on privacy - but thats not the point. The point is that it can't work. Now everyone's friend are blamange of mates, Nannas, ex school friends, colleagues and people that owe you one beer. With "lists" Facebook is showing some vague hint of granularity but maybe too little too late.
Leakage of the disenfranchised will become a network effect - Ryze, Friendster the proof.

The Law of 150 probably only survives on your ability to "chunk down" into subsets. Without seeing the mooted FB privacy controls, "pop" will eat itself.
Dave Recordin was right that everyone deserves to select what identities they have and as many as they can keep a track of!

the fridge delivered social granularity for hormone charged transgressions

2010-08-24T06:29:00.001-07:00

http://feedproxy.google.com/~r/Techcrunch/~3/qBPc8TsfEX4/
See earlier post on multiple personalities

exit for Aussie distributor mPath to ExactTarget

2010-08-24T06:12:00.001-07:00

http://feedproxy.google.com/~r/Techcrunch/~3/-ubwkrYO5OI/

All your interesting posts are in "draft" (the personal diary you didn't know you had)

2010-08-23T19:36:00.000-07:00

Hypothesis 1: (My ratio of drafts to posts is 4:1.) I'd posit that most un-professional bloggers have similar ratios.
Hypothesis 2: Many drafts are really interesting. Because you've not wrestled your words to publish-ability - its raw and unresolved. The very nature of your drafts means have more questions and loose ends that remain unsolved mysteries.
Hypothesis 3: The rest of your drafts are inane - but no more inane than your tweets.

This is a quick post triggered by Paul Carr's Thnks Fr Th Mmrs: The Rise Of Microblogging, The Death Of Posterity. Based on Leo Laporte's epiphany that he'd traded his publishing "center of gravity" over to the social networks - them being the main beneficiary. Paul's response is to exit the social networks - will he cease to exist? Perhaps his posts will be short but have focus and punch.

Speed Matters: Urs Holzle from Google on acceleration

2010-08-20T20:00:00.000-07:00

This talk (video, audio) - was really interesting for me. When you get to situations where bursts are coming at you tens of thousands of hits per second (perhaps driven by some social meme), the natural response is just to scale out. However, there are other things that make a lot difference - some you can control and some you can't. For example DNS and content acceleration around geographies is something we work at.

In this talk Urs covers things that can be done now and also things Google are trying to improve explicitly (in Chrome, Android, their own DNS servers, upgrading of Google Analytics tags, Jquery CDN etc) under the hood via IETF drafts and recommendations for web developers.

He also reiterates the thing that marketing knows but geeks forget - "speed = revenue". People will be more engaged and spend more if you are looking after them. 27 minutes well spent.

I think we are going to see a bunch of new mobile design patterns emerge as well supporting interactive performance that can be learned from gaming or even the Powerbuilder, Gupta generation of the early '90s. Mobile (not Mobile Web) is heading back to highly engaged client-server.

Maaaaaate- we're starting up StartMate...

2010-08-16T23:28:00.000-07:00

Some of Australia’s best-known web entrepreneurs have banded together to deliver the first mentor-driven startup fund. Called "StartMate": it delivers a combination of seed funding, access to mentor’s experience, guidance, US networks and a launchpad to further angel funding.

StartMates aims to fill a gap that exists in the Australian startup scene today that may ultimately deliver greater success on a global level. The focus is to help startups through the process of building a business that solves real customer problems, overcoming a common mistake of “working in a vacuum” too long.

StartMate’s initial goal is to select and fund five startups, the program is similar to the US-based “TechStars” and Y-Combinator programs which has mentored and launched exciting companies like IntenseDebate.com, Socialthing! And Omniscio.

The outcome of the program will be that each startup will have launched products and gained initial “traction”. The chance is there to then pitch the business in the US possibly for market entry of follow-on VC funding to grow the business. During the program the startups will leverage mentor pool (at not cost) whose experience and network.

Its possible the number of places in our program will change depending upon the quality of the applications we receive. Applications priority is given to technology-based startups, where code has already been written, and technologist founders. First intake is early-2011 but look here for the Application process.

In Summary:

Focussed on Lean
Mentors on tap at no cost
Seed Funding
Focussed Time period/program and tangible traction goals. How to get from zero to one real customers (not your mum and Aunty Joan)
Access to legal guidance (you will need it!)

StartMate is going to be super-valuable for people trying to build startup outside Silicon Valley and specifically I am sure the mentors will have some scars and stories to share based on the Australian experience.

I am pumped about seeing where this fund goes and grows and how it helps build not only the startup community but also capacity for success.

This was announced at Tech23 today be StartMates participants, Scott Farquhar from Atlassian and Ryan Junee from Omniscio (now YouTube). Startmate was brilliantly conceived and driven by Nikki Scevak (Founder of Homethinking).

Book: Building Web Reputation Systems

2010-08-16T22:49:00.000-07:00

Good Guy Reputation, Bad Guy Reputation, Product Reputation, Company Reputation, Expertise Reputation and the list goes on and on......

As a real-time fraud detection company, one component of our solution is a dynamic reputation system that supports both automated and "asserted" data to build the reputation. Over the last few years social networks have completely exploded the number of reputational ecosystems and also inspired the ingenuity of people/groups that game those systems.

Alisdair pointed me at a new book thats definitely worth a read. Its at http://buildingreputation.com/doku.php and Building Web Reputation Systems - O'Reilly Media.

Commerce (buying online, banking online, paying from my phone), relationships (social, dating, meetups, knowledge, punditry) and even products (music, apps, videos, memberships etc) are become increasingly virtual.
The fullfillment is also irresistibly micropayment (mega volumes of $1-$5 purchases) via methods like Apple Appstore, Android Market, SocialGold, Facebook Credits, BillToMobile etc etc.

This confluence drives a greater need for every site builder to understand the reputational elements that drives value in their site and not to just rely on FaceBook "Likes". New recommendation engines like Blippy say something about the purchase and something about the purchaser - it feels like reputation is just at the beginning - and I still have trouble finding a good plumber.....

test post from blog-droid

2010-08-15T14:12:00.001-07:00

Just experimenting with various android apps for quick blog posting - specifically I'm looking for a sort of a posterous "hit and run" experience - most of the apps don't seem to publish to draft and thats a bit befuddling because quite often you want to tidy up or format something later.

Blogeroid, AndroBlogger, Blogger-droid all have this deficiency.

Blogaway looked really promising but keeps crashing on "Edit". Further, once you post as a "draft", you can't re-edit or even view the draft!

I'll keep sussing it out. This is triggered from Android's excellent "Share" menu option on most applications but mostly RSS Readers and Browser - most days I share to:

- work or gmail (to tell someone something specific)

- Google Buzz (which ends up in Twitter and Facebook)

- gTasks (which syncs with Google Tasks - for me to followup later)

The Google Buzz is getting the "shares" that I should be belting into this blog post. That must stop.

Blog post linking to Buzz

2010-02-10T15:09:00.000-08:00

Normally folks post a blog entry and then broadcast in Twitter. So I thought I'd try it the other way round for Buzz. Here is my recent Buzz Post

What is interesting is this picture that demonstrates what Buzz delivers.
--->>> PRIVACY CONTROLS <<<--- (I wish I could bring back the blinking font)
I don't follow all the social media players, but I've only see http://chi.mp/ have a crack at allowing people to post to private groups simply, easily and in an naturally intuitive manner. Facebook and Twitter just couldn't be bothered giving the granularity, instead they betray their users in relentless pursuit of "network effect".

Buzz changes the game here - I can now post:

just to my family
just to my friends
or public

and as opposed to the chi.mp requiring you redefine your contacts, Buzz just leverages Google Contacts.

Google Contacts was the killer app all along, unsexy, under-rated but at the center of how we define our personal relationships. You know it makes sense.

Are nigerian scams also getting money for identity theft?

2009-10-09T04:18:00.000-07:00

Another day, another nigerian scam - here is a fresh one but lets have a look at what the victims are asked to provide.

Sure this helps the scammer for later on, but is this info also being sold and stored to other maintaining a global database of stolen identities?

From Blogger Pictures

Graham Ingram, Head of AusCERT thinks so, he is probably right - he has been warning people throughout 2009 they have seen evidence of such. After all, its not hard to imaging: for years: spamming lists have been bought, traded, swapped - so you can bet bad guys are mining information and taking ID Theft to the next level.
Folks from Auscert will be at Queensland Police Identity Theft Symposium this week (12th-14th Oct), here a link.

CyberInsecurity: The Cost of Monopoly - remixed

2009-10-08T23:58:00.000-07:00

This week had big news about 20,000 hotmail accounts publicly exploited and published - victims of another phish - but is there a deeper lesson to be learned?

This post's title is the same of a famous paper in 2003 penned by some (now) influential security folks: Daniel Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles P. Pfleeger, John S. Quarterman and one Bruce Schneier. The paper got its fair share of fame not least due to allegations that Geer lost his job because of its scathing assessment of Microsoft product (lack of) security and the risk to the internet because of that.

The basic tenet of the article was that homogeneity (they called a monoculture) of one operating system will crystallize hacker focus on a single predictable target and any exploit can then be multiplied over millions of hosts.

6 years later, no-one is arguing: Botnets and compromised hosts are the primary platform for attacks, fraud and other crime that benefit from anonymity.

But now we are heading for a new monopoly and a new homogeneity: Google Accounts and SSO (Single Signon)
Its been bothering me for a while but now Google is really picking up steam it needs a public comment: Google Voice, GMail, GTalk, Google Docs, Picasa but most importantly OpenSocial/FriendConnect, OAUTH, Adwords, AppEngine, Adsense and Google Checkout. Its an impressive array of value to the user. But is you Google username and password the "keys to the castle"?

Who me - panic?

Try this now: click or type https://www.google.com/acc ounts/
Did you know you were signed up for THAT MANY SERVICES?

So why are OpenSocial/FriendConnect, OAUTH, Adwords, Adsense and Google Checkout more important? Simply because they are gateways to value. Behind each of these services is value that is primarily protected by a single username and password. So how easy is it to phish that? Probably much easier than a bank account because the public has been taught to be paranoid about banking but....surely my Gmail account is of no interest to a fraudster - right?

As Ben Metcalfe (dotBen) says: "My GMail password scares me with its power!". Ben points out that we 2FA would be a nice idea. Setting aside the arguments for/against tokens, the simple exploitation of 2FA in authentication scenarios and the emergence of MITB (Man in the Browser) attacks.

I strongly disagree with Metcalfe's suggestion* to split the services - this is security by obscurity or security via homogeneity, after all, when users have multiple accounts they just use the same passwords - dah!

However, Google, whilst being a monoculture has one distinct advantage from the Microsoft monoculture because an upgrade is entirely under Google's control (Microsoft products are only as patched as the competence of their sysadmins).

So why hasn't Google offered this? Its irresponsible to not provide adequate protection**.
I'd posit that a corporate decision on acquiring someone harmless like Vasco*** or someone potent like Verisign to solve 2FA would be a vexing challenge. I'd posit that Google knows this problem needs to be solved and they need to take time to find the right partner or acquisition candidate. I'd also posit that the Chrome OS and the Android Phone/Netbook OS would kickstart a userbase where 2FA is built into consumer devices.

So are we seeing a replay of the monculture that caused the last 8 years of cybercrime? Will the homogeneity of Google Accounts deliver exploits of identity theft rather than just merely an exploit "platform" (that M$-Windows became)? After-all, if we follow the money it always leads to a user's credentials and the assets those credentials protect....

Thanks to Dan Geer et al...the more things change, the more they stay the same.

* dotBens comments about IMAP/POP3 are more valid because these are largely progrmmatic and often "in the clear"
** Its been confirmed by security researchers that they already perform some sort of "Device tracking" and perhaps this is a method of "Account Hijack" mitigation
*** do these companies have a future?
**** If you get the joke of this last picture, you are even sadder than me :)

Umm, so where do I report cybercrime? Needed: eCrime reporting API for enforcement

2009-10-08T20:16:00.001-07:00

For many online sites: fraudsters are like mosquitos - you can easily handle a few buzzing around but if you don't swat them, they will eat you alive.

We have customers who deal with some pretty sophisticated fraud every day. Their fraud teams use automated tools to winnow the transactions down to a suspicious subset and then use Aikido-like techniques to direct and exhaust the fraudsters energy - exposing the bad guys and minimising the cost of managing it.

It wouldn't be fair to discuss the techniques used, but often a side-effect is that additional proofs of the fraudsters location, their associates, their ability to manufacture or repurpose stolen identities end out being provided to the fraud team. Sometimes, they get hard evidence.

That sounds great for law enforcement right? Not exactly.

Most merchants run lean operations, they don't have time or profitability to spend excessive time reporting incidents and working with law enforcement - after all, the fraud may only be worth $10-200. This is a lot of money in some countries but its just better to swat the mosquito and move on. There is no need to track every mozzy down back to the swamp or puddle, but certainly merchants would appreciate handing-off to enforcement to handle that part.

But....There is no 911, 000, 999, Neighborhood watch, Crimestoppers etc - its still the wild-west. Such things don't commonly and uniformly exist in Cyberspace.

In 2004, we built a system for the government called "SpamMATTERS" - this was a world first*, that allowed consumers to report spam, scam and phishing emails with a simple "click". The system was a great success and was instrumental in various enforcement and disciplinary actions.
Naturally spam hasn't stopped and thats a story/post for another time. The lessons are the love helping swat mosquitos as long as they know their is some material benefit or action from their help. Relating this to fraud......

....is exactly the same. Back in 2005 I did some proofing of a document that was an attempt to extend the IETF IODEF (RFC 5070) for eCrime reporting. You can now get a tool from "the e-Crime Reporting and Incident Sharing Project" http://sourceforge.net/projects/ecrisp-x/ which has emerged from the Antiphishing workgroup.

But the question remains: If I fill out the details and click the information - so what?

Its nice that APWG is providing leadership but
its largely a US centric project
with not a great deal of visibility who is the benefactor and
what is the actionable outcomes from any report.

To truly resonate with SME merchants, their must be a tangible "think globally, act locally" initiative and system.

Alastair MacGibbon's recent article: When it comes to web safety, we’re going nowhere fast
accurately described the landscape and made a passionate appeal for such a reporting system that is simple and actionable - as I mentioned above basically a "hand-off" from fraud teams swatting mosquitos to enforcement who can wade into the swamp. Of course Alastair's appeal is not new, its just that very few are listening.#

This week, one customers asked me if they could report a stolen and Photoshopped identity papers provided by a fraudster. As I mentioned - this customer is running a business, they don't have time to deal with cross-jurisdictional crime but they would be happy to help - IF:

they believed that its not just going into a blackhole.
it really was being actioned
if it will help all/other merchants in the future
don't stop me running my business to get involved in the investigation - I'm interested in a good citizen sense - but Maslow's law dictates I focus on my business.

There is another benefit of such a system - METRICS. Currently there is no real metric for the cost of cybercrime to merchants....here's a hint....its much larger than you realize. Think about it...could it be a case of self-interest that the banks refund your account after a phish/keylog event - if they didn't the number of incidents would start to be reported and we would be getting a sense of how large the problem is.

Cybercrime and Cyberfraud are under-reported (or maybe non-reported).**

With fraudsters using anonymity via botnets and proxies - cybercrime is going to continue to grow unless our enforcement teams can scale on cross-jurisdictional levels.

Its a big deal, merchants want to help - but their is no roadmap, no whitepages and no belief there is anyone on the other side of the phone.

* Specifically for enforcement. The FTC fridge predated SpamMATTERS but did not retain forensic information required by evidentiary handling standards. The feedback-loop and AOL reports followed a little later.

# In 2004, speaking at an OECD conference in Busan Korea on spam control, I warned that spam was not the issue but botnets were the main threat. Being the current Gold Medalist for botnets the Koreans understood and built large KR-CERT teams to wrangle the domestic botnet problem. Other countries dismissed this warning, they thought spam was about viagra - not the anonymity that botnets provide. The rest is history: botnets are now the premier platform for many types of cybercrime including keylogging, identity theft and click-fraud.

**Below is an example or global summaries from apwg.org. Currently there is no country specific statistical reporting of events and there is no quantitative financial study for fraud happening to SME eCommerce operators. The Cybersource Annual fraud report is not a bad indicator or credit-card related fraud but new commerce models are appearing in virtual currencies and micropayment ecosystems - I will leave that for another post.

"DataPervability" - social media and setting the right example for younger generation

2009-09-28T11:39:00.000-07:00

DataPortability is a movement that advocates the ability for a user to extract their data from a social network or other on-line systems/community.

DataPervability riffs/remixes the term to ask the question:

Why can people perve anothers data/lifestream anonymously?

Surely it should be a reciprocal agreement?:

You can see me, so I should be able to see you (if I or my parents care)
Social networks are NOT brochureware websites - just because your profile is on some webserver doesn't mean the social contract is the same.

One of my interests in social media anti-patterns is based on establishing "norms" or "best practices" that protect the vulnerable in the community from malicious acts and actors. Look under the covers of online dating, gaming, auctions and their is plenty of grey activity that leverages information that people are willing to share. This

I've not seen sustained dialog (please correct me if I am wrong) about these elements of social media - possibly because:
a) all the early adopters are still in the hype cycle.
b) all the early adopters are consenting adults.

But we (those building and evangelizing social media) need to step back from enamorment of this new media/conversation and balance with the potential impact on the younger generations that will just "grow into" this technology.

As adults, we joke about who is "stalking" us, or how we spent some voyeuristic quality time trawling someones twitter feed or flickr photos. Have you ever wondered why you can't see a "friend-of-a-friends" Facebook profile but you can see their photos (or maybe its just everyone's photos?*) - thats just plain spooky right?

But what does that mean to kids "growing-into" Facebook or Twitter now? - as they enter these networks, who explains to them in a logical factual (not hysterical fear driven) fashion - what are the risks and traps. Its fine if kids don't care about DataPervability but at least I know.

The Australian Government (ACMA) has started some education on cyber-bullying and the overwhelming feedback from their research is the kids are aware of the technology but have not heard enough anecdotes or war stories about the down-sides. "Stranger Danger" is a paranoid response but adults and social media evangelists can take a leadership position in ensuring the kids and teens become as savvy as they think they are.

Reciprocity...Look at it this way: If you own a normal website:

You can use analytics to profile your users.
You can ask users to log in and self-verify their email address before they can access confidential parts of the site.
You can even use tools like LeadLander to identify what organization visits

So, why is it that Social Networks provide casual browsing of your profile, activities and friends (some Facebook API programs can get a whole lot of data) without give ANY analytical feedback to you? Its crazy.

When Facebook delivered an API, we tried to build a "Who's checking me out?" application,

This is not a Facebook bashing post - its just about the anti-patterns - it applies to all social media sites and evangelists. How will you protect the social sovereignty (privacy) of the users that help build your communities?

* I simply don't have time to figure out all the nuances of Facebook privacy, nor should I or anyone else. It should be clear, understandable and controllable based on clear and accessible user profile setup (but thats the topic of another post).

Social media anti-patterns - how websites teach users to tolerate crap

2009-09-27T16:55:00.000-07:00

The design of websites condition users to believe what is "normal" in behavior.

For example, back in the good old days we learned put our email address on the website so people could contact us easily. Years later (our mailboxes flooded with viagra spam because our email addresses got scraped by some harvesting bot), we changed the design pattern to something like sales AT example DOT com. My guess is that we probably needs to change that as the harvesting bots can easily scrape and harvest those addresses.

Over the last few years, in fraud protection we've learned a plethora of fraudulent methods and what website practices and design patterns actually attracts or invites fraud.

What I mean by "invites" is that a website with low fraud detection skills or poor practices suffers fraud first before their competitors - its a low hanging fruit thing.....fraudsters will make money where its easier, when you skill up, they move on to the next easy target.

But fraud protection has typically been the concern for eCommerce sites. The worst that individuals have had to tolerate is spam/malware in their email box and spam in their blog posts.

Spam in blog posts grew to such a degree that solutions: CAPTCHA, Akismet, Mollom or Defensio have emerged - because bloggers are early adopters and motivated to keep their comment feed clean.

However, as social media crosses the chasm to everyone owning a conversation - what competence will they have to spot a fraud or an attack?

Here is an example from this weekend's Twitter spam:

Now...this fine young lass doesn't seem to have any clothes or friends (Followers:0, Following:0) but she loves to send the same link to lots of folks (or maybe blokes). Blasted out 254 tweets.
The tweeted IDENTICAL link was probably spam but could easily be malware/worm. (There is several precedents and twitter account phishing attacks). But when this stuff appears in your reply stream, its pretty easy to reflex click-thru to the "attack site".

The Twitter account is still live several days later.

So - nothing new about this - but its an anti-pattern that we accept:

the users have no warning
there is no reputation in the reply stream about the sender
the account isn't killed (it may have been disabled invisibly, but surely twitter users should know when an account is blocked by others).

Are Twitter going to spend some of their brand-spanking new $100m investment on keeping the Twitter ecosystem clean and safe? (especially if they think they can cross the chasm with a proprietary solution).

Some examples or other anti-patterns in authentication are:

Username/Password (no 2-factor)
Allowing simple passwords
Making passwords so difficult that the user has to write them on a post-it note
Storing your Username/Password in a 3rd party (yes you Twitter API applications!)
Positioning single signon (SSO) as being safer
Auto follow
Really confusing privacy policies and obscured privacy settings (watch Paul Fenwick's presentation on Facebook privacy - some of you may be surprised)
Changing your Terms and Conditions on privacy (beacon)
140 characters. Not enough to give the recipient context for the target
URL shorteners like tr.im, bit.ly - again, these separate recipient from context of destination without any reputation on the link.
Not allowing users to partition their personal and public life.
Not educating users (like children) the ramifications of public social media behavior. It should be mandatory at primary school to learn how:

difficult it is to get something deleted from google cache is - especially if its not your site: http://lifehacker.com/166500/deleting-things-from-googles-cache
impossible it is to delete all known copies of an embarassing photo, vid or chat thread

Of course, we (including me) are all co-conspirators in one or more of these social anti-patterns. In fact I will use a short link pasted into Twitter *sigh*

I think I will expand on social media anti-patterns in the future, if the next generation will learn the traps too late, we will have more sites promulgating an unacceptable set of "norms".

Is there an existing repository of such?

first blog since 2003 - internet anonymity, privacy and fraud

2009-09-27T14:30:00.000-07:00

In 1993, the famous New Yorker cartoon "On the Internet, nobody knows you're a dog" captured the beauty of a new frontier.

You could be a single person company with a great website that made you look huuuuge. History has proven the clear benefit of size doesn't count (or even location or age) - but the same benefits of anonymity have brought lots and lots of bad guys....botnets, phishing, 419 and advanced fee scammers, credit card fraud, account hijack, identity theft....you get the idea - the list goes on and on.....

Back in 2003, I finished up my role as VP R&D at Surfcontrol a few years after they acquired the email filtering company I started in a bedroom. During that period, I had seen spam grow from a trickle to a pandemic and become more of a commercial tool. Spam had shifted from open-relays and open-proxies to malware that compromised machines - the perfect storm of anonymity and compromisable Windows host was a cybercriminals best tool.

It was clear to me that once the bad guy had your PC, then spam was just one kind of fraud - my partner Scott Thomas and I built a system (SpamMATTERS) accepting crowd-sourced spam and security reports, then correlating to identify the players behind spamming operations - we built this for the federal government and remains in production today.

From this botnet tracking was a key side-effect that could be used as a security defence and in 2005, ThreatMetrix was founded. In 2009, anonymity and fraud is big business and we help websites running eCommerce, payments, dating, marketplaces enable the good guys whilst stopping the bad guys in real-time. The good news for ThreatMetrix is that in a world where identities are phished, keylogged and credit-card numbers are stolen this is a hockeystick problem that we are helping to address.

The bad news is that its a hockeystick problem.

So, I'm excited about the single-signon/auth solutions emerging (OpenID, Facebook Connect, OAUTH, FriendConnect) AND I am excited about the conversation of social media but I am pretty sure that social media spear-phishing is going to grow as more valuable assets are all contained behind one login/password.

If a bad guy gets access to your Google account, they may not merely have access to your reputation but also your Google Checkout or maybe your Google Voice account. Over the weekend, I saw on my screen - I've never signed up for Checkout but there is was. Google doing some A/B testing or maybe just a reinvention of subliminal advertising :)

With Facebook Connect, its likely/predicted that Facebook will allow you to shop purely by logging into a merchant site with your Facebook ID. This is a Paypal killer if they execute it well, an Amazon 1-click experience - but are Facebook users conscious of the risks of having their ID phished? Up until now, its been fairly isolated with mostly scam account hijacks but with purchasing power - your Facebook account is gold to a fraudster.

And it might just be micro-payment fraud. I can easily see Facebook enabling micropayments in their platform. They need to monetize somehow right? :)

I am also keen to understand the impact of mobile on commerce, all of the above applies but the smartphones now offer a semi-solution for 2-factor authentication. But are handsets vulnerable and what if your handset is lost/stolen - is it always logged into your accounts and not protected by a PIN?

Wow - what a downer of a first post - well that not my intent, I aim to post on mobile, social, startups, cloud, meta and other goodies.

stay tuned....

2009-09-27T05:57:00.000-07:00

just a placeholder...