Thursday, November 30, 2006

Free Enterprise Security Advice Could Save Thousands in Customer Care Costs

When your company has to notify its customers about a change to online security procedures and decides to use email as part of that notification, make sure that the email message does NOT contain any deceptive URLs. Otherwise the email may confuse a lot of customers who end up contacting your company, putting a dent in the customer service budget and thus the bottom line.

Before you say something like "My company would never use a deceptive URL," be sure you know what deceptive URLs are and how they arise, because they can seem innocent enough. Indeed, I have seen them slip under the quality control radar at big companies like Bank of America and Countrywide that do at least have quality control. Typically a deceptive URL is created by or within HTML email. Here is an example:








Note that I edited the screen shot above to obscure the name of the company that sent this particular message (about new security measures) and my own email address is also edited to something bogus.

Basically this part of the email is inviting recipients to log in to the company web site. The URL of the site is spelled out rather than just being a "click here" type link. People often spell out links in order to make it clear to the user where the link leads. In text-only email a URL has to be spelled out in order to work (in most email clients). But the above message is HTML, so the link text is actually wrapped in an anchor tag that carries its own href=URL attribute. This means that the apparent URL can be different from the actual URL in the link, a fact that phishing scams have been exploiting for years. For example, you might see a link to www.paypal.com in a message that appears to be from PayPal, but in fact the link leads to:
http://202.78.2.22/.paypal/secure/login/webcsr/cmd=_login-submit/index.htm
or
http://0x44.0xec.0xb3.0xd0/www.paypal.com/index.htm
both of which are bogus web sites that are in no way connected with the real PayPal.

How do you know where a link goes before you click it? One way is to view the source code of the message, something that is easy enough to do in most email clients (in Eudora, for example, you just right click anywhere within the message and select "View Source"). However, viewing email source, while easy, is laborious, and so a good email client will reveal the URL of a link when you put your mouse pointer over it, then warn you if the link you are about to click is deceptive (i.e. does not match the text of the link). Eudora has this capability and provides further detail like this:
And here you see the problem this poses for an otherwise legitimate company. Good old Countrytom wants you to go to a special page at countrytom.com, but presumably did not want to put that great big [but genuine] URL in the text of the email. So they obscured it but in so doing set off the deceptive URL alarm. As email clients and web browsers get more aggressive in the fight against phishing this sort of thing is likely going to show up more often, thereby confusing more customers. And everyone in enterprise-land knows that more confused customers = increased customer service burden.

So what is the solution? Here is the real money tip in this free security advice: use a simple URL. Could it be that simple? Yes. There is no reason, other than a lack of imagination, for Countrytom to use that great big long URL for a response to email. Sure, marketing would like to track where responses are coming from, and IT might balk at some extra work with redirects and site structure, but a simple phrase and a few lines of code could fix that. Any of these URLs could easily appear both as the text of the link AND as the actual URL behind it, so the link is not branded as "deceptive" by the email client:
www.countrytom.com/confirm
www.countrytom.com/login112306
www.countrytom.com/112306
www.countrytom.com/no34

None of these strikes me as a turn-off for recipients and I bet they generate less customer confusion than the pesky but otherwise very helpful deceptive URL flag.
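A pre-send check for the problem described in this post, as an added example that is not part of the original post or any email client's code: it flags every link in an HTML message whose spelled-out URL text differs from its href. The strict host/path/query comparison, the function names and the long Countrytom tracking path are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Visible text that "looks like" a URL: optional scheme, then a dotted host name.
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/?#]\S*)?$", re.I)

def _parts(url):
    """Return (host, path, query); the scheme is deliberately not compared."""
    if "://" not in url:
        url = "http://" + url          # bare "www.example.com/x" as typed in text
    s = urlsplit(url)
    return (s.hostname or "").lower(), s.path.rstrip("/"), s.query

class LinkAudit(HTMLParser):
    """Collect (visible_text, href) pairs where a spelled-out URL differs from the href."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:      # only collect text inside an open <a href>
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = "".join(self.text).strip()
            # "Click here" style text is ignored; only URL-looking text can mislead.
            if URL_LIKE.match(shown) and _parts(shown) != _parts(self.href):
                self.mismatches.append((shown, self.href))
            self.href = None

def deceptive_links(html):
    """Return the list of (visible_text, href) mismatches found in an HTML message body."""
    audit = LinkAudit()
    audit.feed(html)
    audit.close()
    return audit.mismatches

# Constructed sample message: the long tracking path is invented for illustration.
SAMPLE = """<p>Log in at <a href="http://www.countrytom.com/servlet/login?campaign=112306">www.countrytom.com</a></p>
<p>Or use <a href="http://www.countrytom.com/confirm">www.countrytom.com/confirm</a></p>
<p><a href="http://www.countrytom.com/help">Click here</a> for help.</p>"""

if __name__ == "__main__":
    for shown, href in deceptive_links(SAMPLE):
        print(f"text shows {shown!r} but link goes to {href!r}")
```

Run against an outgoing message before it ships, an empty result means every spelled-out link matches its target, which is what the simple URLs above achieve.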

Sunday, November 19, 2006

Ubuntu Progress Continues Here

As promised...this is where the Ubuntu thread continues from the original "Cobbon blog."

Ubuntu is now installed on the 1999 Compaq Presario 305 and the 2000 iMac G3. The trick with older machines that have less than 200 megabytes of RAM is to (a) use a lot of patience and (b) use the prompted alternate install method, which uses the files located here:

ftp.ussg.iu.edu/linux/ubuntu-releases/6.06.1/

What you want to download are the image files called "alternate" like: ubuntu-6.06.1-alternate-i386.iso

These don't boot a full graphical Ubuntu, but they will lead you through a text-based install that does remarkably well at hardware detection, including the graphics card, sound system, and network interface (a Buffalo WiFi card in the Compaq and the built-in Ethernet on the Mac). The patience is required for the lengthy wait between stages.

You will also need some patience once these installs complete as the default Ubuntu desktop is not the fastest. Next step with these older machines is to change the desktop.

Thursday, November 16, 2006

Here Begins "Cobb on Tech"

So, I decided I need a separate place to keep all my tech-related thoughts (to be honest, I didn't realize I was going to have so many).

Some of them will be migrating here from "Cobb On" and "scobb's non-blog."

If there is something specific in the hi-tech space that you would like me to comment on, let me know.