Tuesday, April 15, 2014

Heartbleed Marketing - Call for Ambulance chasers


We are looking for companies who wrap their services around heartbleed hype, to expose them in one consolidated list.

What has happened?

In the last 7 days we have seen an explosion in Security firms that can assist with your Heartbleed woes.  Some are legitimate, some just want to generate more leads, some have nothing of value and are abusing the media's fever pitch around Heartbleed.

Project Goal

I am building a list of vendors that have abused Heartbleed for personal gain.  Here are three examples of who has made list so far:
  • Tripwire - offers "free" SecureScan
    • Existing customers must sign into "new" portal (marketing gathering data for upsales)
    • Non-customers cannot get a scan without providing personal data
    • http://www.tripwire.com/securescan/?home-banner
  • WhiteHat Security - offers 30 days WhiteHat Sentinel scanning service
    • You must enter in all personal data before getting your Heartbleed scan
    • https://info.whitehatsec.com/Social-SecurityCheck.html
  • DigiCert - offers "free" online scan
    • You must enter in all personal data before getting your Heartbleed scan
    • https://www.digicert.com/heartbleed-bug-vulnerability.htm
Here are examples of good ways to market your services, leveraging Heartbleed's attention in media:
  • Qualys - offers free online scan via SSL Labs
    • No marketing / sales wall
    • No requirement to fill out forms with company and personal data
    • https://www.ssllabs.com/ssltest/
  • GlobalSign - offers free online scan via SSLCheck service
    • No marketing / sales wall
    • No requirement to fill out forms with company and personal data
    • https://sslcheck.globalsign.com/en_US

We need your data!

So, have a vendor that has emailed or tweeted about Heartbleed, only to find they want ALL your data before the can give you a status on Heartbleed?  Got someone who is using the Heartbleed name, though, there service does not really have anything to do with Heartbleed attacks?  Send them in! @hackajar on twitter or gmail.com

NOTE:  I do get a lot of positive marketing emails from companies like Rapid7 and Imperva.  They say things like, "Hey existing customer, run these commands to get the value out of the product you already own!".  That, to me, is a positive use of Heartbleed in their marketing.

Wednesday, April 9, 2014

I HeartBleed NSA

Stickers Anyone?

Here is a high quality image to use for a shiny new laptop sticker!  Enjoy!

Wednesday, April 2, 2014

Why I am parting ways with Home Depot

Update: Here is text from CAN-SPAM FTC page for business, supporting my assertions in Online Chat log below.
  1. Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.


It is not worth anyones time to do business with companies that fail to embrace technology in a meaningful way

In summary

In 2014, it is important that companies and website work with customers, not against them.  In the current Web 2.5 revolution, with noSql, redis, "responsive", bootstrap and all these tools designed to make websites drop in customer friendly experiences coupled with banks as a startup like Simple Bank, things should be better than this.  It bothers me when people use the dozens of excuses to explain away bad customer service.  People forget they can always "vote with your dollar", and given enough people who do this, change can and do happen.

It is because of the below experience with Home Depot - where they would rather explain to a seasoned web developer and security expert that he is the problem, not their site - that my principals have kicked in, and I had to cancel my account, solely on the basis that they no longer deserve my business.  I encourage everyone to do the same, that is, cancel business with a company that cannot or will not work towards providing good experiences with their customers, especially in a time in our existence when the tools are there to do so.

Email Marketing and You

Each time I login to my Home Depot account (I do a lot of home projects that dictate having a home improvement only line of credit) I am greeted with a screen asking if I want to be emailed about daily deals, sales and promotions.  Each time I click "No thank you" (I had given up on "Do not ask again" years ago).  Today, I accidentally clicked "Submit" button - which is a bright Orange Icon, in contrast to small, text only, link that says "no thank you" - causing me to suddenly be added to their approved marketing list.

Fixing a mistake

Simple task #1 before I pay my bill, go in and updated my "Communications Preferences".  Digging into site, I find the correct link.  But, upon clicking, nothing actually loads on screen.  Odd, so I try accessing link from different spots (they allow you to get there from drop down and buried in different preference sections of site).  Still all the "frames" of site load, but not actual preferences (header and footer load).  Time to contact them about this...

My Chat with Customer Support

Here is the exact chat transcript with customer support.  I will admit that at this point I am getting pretty pissed, so excuse some of the language:
A Home Depot Credit Services Associate will help you in approximately 0 minutes 2 seconds.

For your protection, we'll never ask you for passwords, PINs, User IDs, security words or any part of your social security number during a chat. Other information may be required to help us verify your identity.
You are now chatting with Chad.
Chad: Hello, welcome to Home Depot live chat in Tennessee my name is Chad. What can I help you with today?
IMHOFF,ROBERT: how do I update contact preferences?
IMHOFF,ROBERT: I click link and page does not load
IMHOFF,ROBERT: I am really mad that you ask me every time to allow you to send crap to my email address
IMHOFF,ROBERT: and I always click "no thankyou"
IMHOFF,ROBERT: today I accidently clicked "submit"
IMHOFF,ROBERT: now, when I try to undo that action, the page to turn it off does not load
IMHOFF,ROBERT: (kind of a dick move on your part)
Chad: I'll be glad to help you with this today. Please go under the Account Profile tab at the top of the page and choose Edit Contact Information to make your updates.
Chad: Also. Just as a reminder, you can set up payment alerts online to email you about your upcoming payment that is due.
IMHOFF,ROBERT: I clicked "Edit contact infomraiton"
IMHOFF,ROBERT: then I click "view communications preference" and nothing loads
Chad: So non of the options under the tabs are pulling up to view or make changes?
IMHOFF,ROBERT: I see the "Email Address" section under "Contact Informaiton"
IMHOFF,ROBERT: in that section there is a link to "View Communications Preference"
IMHOFF,ROBERT: I click that link and only the "Need Help?" side bar loads
Chad: What are you trying to do?
IMHOFF,ROBERT: turn off email communications related to sales and marketing
Chad: That has to be done by a customer service rep. For verification, may I have your first and last name?
IMHOFF,ROBERT: what has to be done by a rep?
IMHOFF,ROBERT: turn off email communications related to marketing?
Chad: Yes.
IMHOFF,ROBERT: so you are ok with violating the CANSPAM act?
IMHOFF,ROBERT: which states a customer must be able to turn off emails electronically and NOT through a customer service rep?
Chad: Never heard of it. I apologize.
Chad: Please call tech support at 1­866­875­5488 and they maybe able to guide you on how you van make those changes
on your won.
Chad: own* IMHOFF,ROBERT: ok, thanks

Phone Support

Sorry, no phone records for this one.  But in summary:

  • Tried 5 browsers - Mac OS X Firefox, Chrome and Safari + Chrome Mobile + IE 11 on Windows 8.1
  • Was told that "One browser controls the preference for all browsers"
  • Was told that it must be my firewall causes one page on their site was not loading 

So long and thanks for the fish

I asked, "Can you cancel my account?"
"No, but I can transfer you"
"Sure lets do that"
CS: "Hi, how may I assist?"
"I would like to cancel my account"
[redacted customer information]
"Why would you like to cancel your account?"
"You employ too many stupid people, and 1998 called, it wants its website/support back"

Monday, January 27, 2014

What can a small Boycott at Chevy's Really Achieve Against RSA and NSA?

A visiting blog post by Jennifer Imhoff

As you have probably noticed we have been flooding social media with posts about a CrowdTilt to buyout Chevy's during RSA.  We are very close to our goal but with well over 400 "likes" and hundreds of "re-tweets" we are still in danger of not meeting our $7000 goal.  But unless you're familiar with the RSA conference and social patterns of attendees, this CrowdTilt might seem odd.

Just how exactly is buying out a Chevy's restaurant any sort of boycott against RSA, and why should we be boycotting RSA?

At the end of 2013, it was discovered that RSA - one of the most influential computer security firms- had very dramatically changed it's once adversary relation with the National Security Administration (those guys doing the wiretaps) to an almost conspirative one. For a mere $10 million (iPhone apps have cumulatively sold for more), RSA agreed to use an NSA designed formula in the encryption tools they sell knowing full well that the formula - designed to generate random numbers- was deliberately flawed in such a way that the NSA would be able to access any account using it.

This "back door" into our computers, our lives, our privacy is not only completely unwarranted but affecting both our corporate AND PERSONAL computers.

Our privacy was sold out for less than the cost of most luxury homes.

And if your saying to yourself "I've got nothing to hide, so why should I be concerned", then I urge you to read this very well written article by Kurt Opsal from the EFF on how something as simple as a phone log can be detrimental to many lives:  https://www.eff.org/deeplinks/2013/06/why-metadata-matters

And let us not forget too quickly how this is the same RSA that was hacked by even less trustworthy entity just three years ago. Don't think the NSA is the only one with a backdoor into their networks and tools.

So what does all this have to do with Chevy's?

The RSA conference is held yearly at the Moscone Center in San Francisco. The conference which host talks regarding data security as well as a large expo floor that has been a major influence in the business relations of security related companies from networking hardware to mobile security software. The conference hosts hundreds of people from across the nation. These networking opportunities often seek quieter venues offsite to talk more or complete a deal over lunch. However, with being located in the center of the "SOMA" district, dining options that are in walking distance are limited to very high end places with just one exception, Chevy's Grill.

Over the years, Chevy's has quickly become THE place to go for a simple lunch that anyone can order from and where the menu is cheap and the margarita's are strong.  Chevy's has become the unofficial “lobby con” of RSA, an assured place to find a friend amongst the hundreds of suits. And the quickest way to get the attention of all the various business that work with RSA.  We want to buy out the Chevy's so we can restrict the business that day to only those on our list. We want each company representative to walk to the front door because its the only place without a line - the place they have always gone - only to be inconvenienced by being denied access.  When they stop to ask why, our lab coat volunteers will have the opportunity to explain to them why. Making them aware of what RSA has done and how it affects everyone.  

So please, we urge you to support our cause.  If you're not going to RSA your $25 donation will still help.  If you can’t help financially then please re-tweet, re-post, and support us!

Jennifer Imhoff
Vegas 2.0