Tuesday, April 15, 2014

Heartbleed Marketing - Call for Ambulance chasers


We are looking for companies who wrap their services around Heartbleed hype, to expose them in one consolidated list.

What has happened?

In the last 7 days we have seen an explosion in Security firms that can assist with your Heartbleed woes.  Some are legitimate, some just want to generate more leads, some have nothing of value and are abusing the media's fever pitch around Heartbleed.

Project Goal

I am building a list of vendors that have abused Heartbleed for personal gain.  Here are three examples of who has made the list so far:
  • Tripwire - offers "free" SecureScan
    • Existing customers must sign into "new" portal (marketing gathering data for upsales)
    • Non-customers cannot get a scan without providing personal data
    • http://www.tripwire.com/securescan/?home-banner
  • WhiteHat Security - offers 30 days WhiteHat Sentinel scanning service
    • You must enter in all personal data before getting your Heartbleed scan
    • https://info.whitehatsec.com/Social-SecurityCheck.html
  • DigiCert - offers "free" online scan
    • You must enter in all personal data before getting your Heartbleed scan
    • https://www.digicert.com/heartbleed-bug-vulnerability.htm
Here are examples of good ways to market your services, leveraging Heartbleed's attention in media:
  • Qualys - offers free online scan via SSL Labs
    • No marketing / sales wall
    • No requirement to fill out forms with company and personal data
    • https://www.ssllabs.com/ssltest/
  • GlobalSign - offers free online scan via SSLCheck service
    • No marketing / sales wall
    • No requirement to fill out forms with company and personal data
    • https://sslcheck.globalsign.com/en_US

We need your data!

So, have a vendor that has emailed or tweeted about Heartbleed, only to find they want ALL your data before they can give you a status on Heartbleed?  Got someone who is using the Heartbleed name, though their service does not really have anything to do with Heartbleed attacks?  Send them in! @hackajar on Twitter or gmail.com

NOTE:  I do get a lot of positive marketing emails from companies like Rapid7 and Imperva.  They say things like, "Hey existing customer, run these commands to get the value out of the product you already own!".  That, to me, is a positive use of Heartbleed in their marketing.

Wednesday, April 9, 2014

I HeartBleed NSA

Stickers Anyone?

Here is a high quality image to use for a shiny new laptop sticker!  Enjoy!

Wednesday, April 2, 2014

Why I am parting ways with Home Depot

Update: Here is text from the CAN-SPAM FTC page for business, supporting my assertions in the Online Chat log below.
  1. Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.


It is not worth anyone's time to do business with companies that fail to embrace technology in a meaningful way.

In summary

In 2014, it is important that companies and websites work with customers, not against them.  In the current Web 2.5 revolution, with NoSQL, Redis, "responsive", Bootstrap and all these tools designed to make websites drop in customer friendly experiences coupled with banks as a startup like Simple Bank, things should be better than this.  It bothers me when people use the dozens of excuses to explain away bad customer service.  People forget they can always "vote with your dollar", and given enough people who do this, change can and does happen.

It is because of the below experience with Home Depot - where they would rather explain to a seasoned web developer and security expert that he is the problem, not their site - that my principles have kicked in, and I had to cancel my account, solely on the basis that they no longer deserve my business.  I encourage everyone to do the same, that is, cancel business with a company that cannot or will not work towards providing good experiences with their customers, especially in a time in our existence when the tools are there to do so.

Email Marketing and You

Each time I log in to my Home Depot account (I do a lot of home projects that dictate having a home improvement only line of credit) I am greeted with a screen asking if I want to be emailed about daily deals, sales and promotions.  Each time I click "No thank you" (I had given up on "Do not ask again" years ago).  Today, I accidentally clicked the "Submit" button - which is a bright Orange Icon, in contrast to the small, text only, link that says "no thank you" - causing me to suddenly be added to their approved marketing list.

Fixing a mistake

Simple task #1 before I pay my bill: go in and update my "Communications Preferences".  Digging into the site, I find the correct link.  But, upon clicking, nothing actually loads on screen.  Odd, so I try accessing the link from different spots (they allow you to get there from a drop down and buried in different preference sections of the site).  Still all the "frames" of the site load, but not the actual preferences (header and footer load).  Time to contact them about this...

My Chat with Customer Support

Here is the exact chat transcript with customer support.  I will admit that at this point I am getting pretty pissed, so excuse some of the language:
A Home Depot Credit Services Associate will help you in approximately 0 minutes 2 seconds.

For your protection, we'll never ask you for passwords, PINs, User IDs, security words or any part of your social security number during a chat. Other information may be required to help us verify your identity.
You are now chatting with Chad.
Chad: Hello, welcome to Home Depot live chat in Tennessee my name is Chad. What can I help you with today?
IMHOFF,ROBERT: how do I update contact preferences?
IMHOFF,ROBERT: I click link and page does not load
IMHOFF,ROBERT: I am really mad that you ask me every time to allow you to send crap to my email address
IMHOFF,ROBERT: and I always click "no thankyou"
IMHOFF,ROBERT: today I accidently clicked "submit"
IMHOFF,ROBERT: now, when I try to undo that action, the page to turn it off does not load
IMHOFF,ROBERT: (kind of a dick move on your part)
Chad: I'll be glad to help you with this today. Please go under the Account Profile tab at the top of the page and choose Edit Contact Information to make your updates.
Chad: Also. Just as a reminder, you can set up payment alerts online to email you about your upcoming payment that is due.
IMHOFF,ROBERT: I clicked "Edit contact infomraiton"
IMHOFF,ROBERT: then I click "view communications preference" and nothing loads
Chad: So non of the options under the tabs are pulling up to view or make changes?
IMHOFF,ROBERT: I see the "Email Address" section under "Contact Informaiton"
IMHOFF,ROBERT: in that section there is a link to "View Communications Preference"
IMHOFF,ROBERT: I click that link and only the "Need Help?" side bar loads
Chad: What are you trying to do?
IMHOFF,ROBERT: turn off email communications related to sales and marketing
Chad: That has to be done by a customer service rep. For verification, may I have your first and last name?
IMHOFF,ROBERT: what has to be done by a rep?
IMHOFF,ROBERT: turn off email communications related to marketing?
Chad: Yes.
IMHOFF,ROBERT: so you are ok with violating the CANSPAM act?
IMHOFF,ROBERT: which states a customer must be able to turn off emails electronically and NOT through a customer service rep?
Chad: Never heard of it. I apologize.
Chad: Please call tech support at 1-866-875-5488 and they maybe able to guide you on how you van make those changes on your won.
Chad: own*
IMHOFF,ROBERT: ok, thanks

Phone Support

Sorry, no phone records for this one.  But in summary:

  • Tried 5 browsers - Mac OS X Firefox, Chrome and Safari + Chrome Mobile + IE 11 on Windows 8.1
  • Was told that "One browser controls the preference for all browsers"
  • Was told that it must be my firewall, because one page on their site was not loading

So long and thanks for the fish

I asked, "Can you cancel my account?"
"No, but I can transfer you"
"Sure, let's do that"
CS: "Hi, how may I assist?"
"I would like to cancel my account"
[redacted customer information]
"Why would you like to cancel your account?"
"You employ too many stupid people, and 1998 called, it wants its website/support back"