Faking Internet comments and reviews

Chances are if you have read commentary and reviews of products and services online, you are reading lots of fakes. Various estimates put this at a third or more, either outright fakes or paid-to-post by organizations looking to game the system. In other words, buyer beware.

“There is a reason comments are put on the bottom half of the Internet,” says one post from the once active Twitter account AvoidComments. The account also includes this one: “The problem with internet comments is that you can never really know who’s saying them.” — Winston Churchill. Yeah, I bet he really did say that, and probably to Al Gore just after the Internet was created.

But enough snarky anecdotes. A communications professor has attempted a semi-scholarly work entitled Reading the Comments, and it is actually an interesting book despite this description. Joseph Reagle knows his subject and sprinkles enough curse words throughout his book to make it almost NSFW if you were going to read it aloud — which mirrors some of the online comments that he quotes from as you might suspect.

I guess I was pretty much naive when I began reading his book. I didn’t think much about the various reviews that I read about restaurants, hotels, or particular products. But I can see how things have gotten out of control in the past decade especially. Now you can pay someone a buck or so to write a review and have it look like it is coming from someone that actually used the product or service. Yelp is apparently infested with this sort of thing, and just recently a restaurant in the bay area rebutted a negative review with video footage of the reviewer and how he spent literally seconds inside the restaurant, mostly standing around.

Reagle states that “Online discussion of sexism or misogyny quickly results in disproportionate displays of sexism and misogyny.” He cites several now well-known cases of where women were buried in negative comments just because they were female.

He describes an entire universe of fakers, haters, and takers and how they have flourished online. That was both eye-opening and depressing. Then there is a whole sub genre of intentionally funny reviews. Computer scientists are using them to train natural language processing to detect irony. Think of them as Sheldon’s answer to the Turing test.

As someone who still writes product reviews for a living (mostly now for Network World, where you can read my collection here), this pains me. Most of the pubs that I once wrote reviews for have folded their tents, and it is getting harder to recruit vendors to support these reviews as of late.

Yes, I have posted some comments on Amazon, TripAdvisor and AirBnB, but only out of some loyalty to the books I read or places I stayed or ate at. AirBnB has this interesting log-rolling ethos built-in to their site. Once you stay at a place, you rate your host and your host rates you. That takes some of the snark out of your comments, but it also helps to improve the descriptions of each place and the expectations you have when you are choosing where to stay. And help to make sure that you are on your best behavior too.

Still, comments can tell us much about the human condition, and the social fabric of our lives. Perhaps too much, as many Gen X’ers are prone to oversharing. But that is for another column and another day. In the mean time, you can pre-order Reagle’s book, which will be available in May, here. And remember, as our Twitter friends have posted: Nobody on their deathbed ever said, “I wish I had spent more time reading Internet comments.”

The cashless customer is now king

I wanted to bring in my winter coat to the cleaners (maybe optimistically a week or so too soon) and in cleaning out the various pockets I came across some cash and a receipt dated last December. I thought about how long it has been since I have actually used cash.

What a difference from my dad’s world. My dad dealt with millions of dollars every day as a comptroller and always carried a wad of cash worthy of a mafia don. I still have his money clip somewhere. I put the few bills on my desk as a reminder and then thought about how the world has changed. Paying in cash is certainly becoming less common.

Most of my customers still pay me with paper or electronic checks, a few go through Paypal and every once in a while I get asked to accept credit cards. Now there are so many options for accepting Internet payments and two good ones that you might not know about. One is Simplify.com, which is part of MasterCard and has done a lot of work in developing their payment gateway. The other is Stripe.com. Both charge a bit less than 3% per transaction but have no other recurring fees. That is a lot less compared to just a few years ago, when you had to pay monthly processing and other annoying fees to have a merchant account. Stripe even accepts non-dollar currencies, including Bitcoins, and converts them into dollars for you.

aaa2Both Stripe and Simplify offer a variety of APIs, tools, code samples, and connectors to various payment-related apps. I like the way Simplify arranges its code samples, as you can see in this screenshot.

Stripe has more third-party plug-ins than Simplify, including more than a dozen just for WordPress. Both offer documentation on webhooks, which are URLs that can interact with short pieces of code for particular event notifications, although I think Stripe has better documentation. Both also support OAuth for consolidated signons to other SaaS apps without having to store your credentials. Finally, both can operate in either a testing or sandbox mode so you can try various things out, and then go live with actually processing real transactions.

We have come a long way with online payments to be sure. Both services allow you to build in payment processing to your website in ways that were unthinkable just a few years ago. I think my dad would be just as amazed as I am.

Ricoh blog: Is Directory as a Service Right for Your Business?

It usually operates behind the scenes, authenticating users and devices without much fanfare until something goes wrong. Typically, you employ Microsoft Active Directory, LDAP, or a Radius server to provide this function. But in the past year, a number of cloud providers such as Amazon and Microsoft Azure have begun to change the directory service model, offering Directory as a Service in the cloud.

In my latest article for Ricoh’s Work Intelligently blog, I talk about some of the issues involved in migrating your directory to the cloud.

Does your city have a data dashboard?

I love data dashboards. They are a great way to visualize data, to spot trends quickly, to get a handle on complex relationships, and to just geek out in general. At the Tableau conference last fall, the central ballroom area had its own data dashboard that showed you interesting up-to-the-second stats about how many Tweets were posted, where attendees came from, and other fun conference facts. You would expect something from the company that delivers a data dashboard product line to do something like this.

Data dashboards are popping up everywhere, and this past week I took a closer look at some of the ones that local cities are creating to monitor their own performance and connect to their citizens. A good “mayor’s dashboard,” as they are known, should show a lot of information in one screen, be attractive but not completely eye candy, and do more than just be a brochure for advancing the latest political agenda.

When you think about a mayor’s dashboard, it would be nice if they were actually used by the mayor to monitor progress and to help with his or her decision-making too. It should weigh items such as crime stats, quality of life metrics, and things that a city’s residents care about: trash pickup, time on hold in various phone queues and so forth. While the mayor’s dashboard is still an evolving area, here are some example of cities that have already implemented them and my initial thoughts.

And if you want some great general guidelines on building your own dashboard, start with this presentation from a past Tableau conference here.

Feel free to recommend your own in the comments below.

New York City has been working hard on opening various databases to public access, with more than 1200 different ones that can display various insights. It is all a bit overwhelming, not much different that what a visitor new to the city might find in real life. There isn’t a single pane of glass to summarize the information that I could find however.

bostonwBoston’s Mayor Walsh has had a public dashboard for more than a year, and is perhaps one of the more attractive ones (one part of which is shown here), with a rotating series of graphics on city performance data. You can see that there have four homicides this year, and compare with last year’s numbers. This is very actionable information too.

You would expect Portland Oregon to have a dashboard, and it does, showing things such as the percentage of renewable energy consumed and other groovy-oriented stats. It is arranged as more of a brochure than a dashboard: so you have to click around to find a particular stat, such as the average response time for a fire alarm is more than seven minutes. You can see in the graph that this hasn’t changed much over the years.

Detroit’s dashboard is more of a book report than an interactive dashboard. This shows you what they have accomplished last week such as how many LED-based streetlights were installed or blighted homes torn down.

London’s dashboard was launched last fall and is just for crime stats. It is chock full of graphs and figures, but you can’t see the whole picture on one page unfortunately.

Denver’s dashboard is more of an RSS portal, and you can customize it to your own particular needs, displaying alerts and news feeds on economic or public safety stats.

LA has several different data dashboards including a “performance” top-line summary that shows single numbers for things such as total employment, non-attainment air quality days, and the time it takes for police to respond to 911 calls. Clicking on any of these items will bring up graphical displays and lots of city rhetoric and more marketing information. There is also an open data project too.

Seattle’s dashboard has a similar design to LA’s, with single number top-line summaries that can be expanded with more graphical detail.

ITworld: Why Israel could be the next cyber security world leader

newThere are plenty of cities in the U.S. that want to lay claim to becoming the “next” Silicon Valley, but a dusty desert town in the south of Israel called Beersheva might actually have a shot at becoming something more modest, and more focused. They want to be the first place you think about when it comes to cybersecurity research, education, and innovation. If things go right there, it may well happen.

You can read my article in ITworld here about my recent trip and what they are doing.

SearchSecurity.com: A closer look at ‘good enough’ security

As calls for breach accountability across industries grow louder, and the government introduces new cybersecurity initiatives, frustrated security experts say change will only occur when lawsuits from shareholders hold C-level executives and boardrooms accountable for lax security practices.

While agreement on what “good enough security” entails is hard to come by, chief information security officers can take actions to mitigate the security and risk tradeoffs that can result from business decisions, to make their organizations less vulnerable to security threats.

You can read my article for SearchSecurity here.

If you own a Lenovo PC, read this asap!

Lenovo has been shipping its PCs with built-in malware that is a new level of insidiousness and nasty. Before I explain what it does, if you have a Lenovo machine, or know someone who does, go now to this site and see what it says.

What is going on? It turns out that Lenovo, either by design or by sheer stupidity, has included a piece of software called a root certificate, from this company Superfish. Now, if you aren’t a computer expert, this is probably meaningless to you. So let me break it down. With this Superfish certificate, every site that you go to in your browser using the HTTPS protocol is subject to being exploited by some bad guys. Chances are, it may not happen to you.

In any case, you want to remove this thing pronto. Here are the instructions from Lenovo.

Back in those innocent days of the early Web, we use to say add the S for security when you were browsing. This forces an encrypted connection between you and the website that you are visiting, so your traffic over the Internet can’t be captured and exploited.

But having a bad certificate turns this completely around: with it, you can decrypt this traffic, indeed, you can manipulate the web browsing session in such a way that you might not even realize that you are going to ThievesRUs.com instead of your trusted BankofWhatever.com. While no one has yet reported that this has happened, it is only a matter of time. There is a great article explaining this exploit on ArsTechnica here.

Certificates are the basic underpinnings of secure infrastructure, they are used in numerous other situations where you want to make sure that someone is who they say they are. By using a bad certificate, such as the one from Superfish, you throw all that infrastructure into disarray.

certs2To get an idea of how many certs you use in your daily life, open up your browser’s preferences page and click on over to the Certs section, there you will dozens if not hundreds of suppliers. (see screenshot at left)  Do you really trust all of them? You probably never heard of most of them. On my list, there are certs from the governments of Japan and China, among hundreds of others. You really have no way of knowing which of these are fishy, or even superfishy.

This isn’t the first time that bad certs have popped on on the Intertubes. There have been other situations where malware authors have signed their code with legit certs, which kinda defeats the whole purpose of them. And back in 2012, Microsoft certificates were used to sign the Flame malware; the software vendor had to issue emergency instructions on how to revoke the certs. And in 2011, the Comodo Group had issued bogus certs so that common destinations could have been compromised.

It is getting harder to keep track of stuff and stay ahead of the bad guys, even when they don’t have the auspices of a major PC manufacturer behind them.

Check your Google Account security settings now, please

I feel almost embarrassed writing this column, but I figured if it can happen to me, it can happen to you. Google is running this cute promotion this week where you can tack on another 2 GB of storage to your account. The only thing you have to do is run through a series of security settings on your account. It will take about two minutes at the most. You go to this page for the detail to read more and then navigate over to your account. Go ahead, I will wait until you come back.

Nice, hunh? Well, not so nice for moi. I found out that someone was using a Windows computer last week in Kentucky and signed in as me. I quickly changed my password, and then forced everyone else to logout of my account. Borderline creepy, right? What happened? I have no idea. I guess that is one of the reasons why the promotion is so useful to them: they can tighten up everyone’s credentials quickly, and the extra storage costs them close to nothing.

Part of the security assessment is to see what connected apps are signing into your account. It is always a good idea to bring up the corresponding screens in other Web services to make sure that you know what is happening. I call this an “app audit” and I mention how to do it for LinkedIn, Twitter and Facebook (but curiously, forgot about Google) in this post from several years ago. That will take you another few minutes.

Please, for your own protection, run through these checks now.

The cyber femme fatales in the Syrian civil war

It is almost a cliche, but the femme fatale — the allure of a female spy who gets the lonely male soldier to give up military secrets — is still very much alive and well in the current Syrian civil war. But instead of using actual people, today’s take on Mata Hari has more to do about social networks, phishing, and clever use of a variety of keylogging programs.

A report this week by FireEye has tracked this trend in Syria and makes for interesting reading. Hackers operated between November 2013 and January 2014 to collect battle plans and specific operational details from the opposition forces’ computers. The information was substantial: FireEye found more than seven GB of data spanning  thousands of Skype conversations and 12,000 contact records. So much was taken from the soldiers and insurgents that FireEye was able to assemble profiles of several of them for their report:


What is astounding is how easily the various Syrians fell for some pretty old-fashioned social engineering. Skype contact requests would be sent to the fighters from unknown and seemingly female correspondents. Once they were engaged in text chats, the hackers would ask what kind of computer they were on, and then send them a “better photo” of themselves that, surprise, surprise, turned out to contain malware. Then the data extraction began, and they moved on to others in the target’s contacts.

It isn’t just that loose lips sink ships. It is that lonely guys are so easily manipulated. Back in WWII days, we needed a lot more human infrastructure to collect data to track enemy movements. Nowadays, all it takes is a female avatar and some sympathetic IM patter, a few pieces of code and let the gigabytes roll in.

The hackers were thorough. FireEye found “whole sets of files pertaining to upcoming large-scale military operations. These included correspondence, rosters, annotated satellite images, battle maps, orders of battle, geographic coordinates for attacks, and lists of weapons from a range of fighting groups.” In addition to using the fake female avatars on Facebook and Skype, they also setup a bogus pro-opposition website that would infect visitors with malware. The whole effort was aided by the fact that often soldiers shared computers, so once an infection landed on one PC it could collect multiple identities quite easily.

Finally, the hackers focused on Android phones as well as Windows PCs and had malware created for both environments.

Figuring out who was behind this massive data collection effort isn’t easy, of course. FireEye thinks there are ties to Lebanese or other pro-Syrian groups, and have tracked its command servers to outside of Syria. That could be almost anyone these days. Still, the report is quite chilling in what a determined hacking group can accomplish during wartime.

Party like the Internet is 1994

BMW has this very funny ad where Katie Couric and Bryant Gumbel discuss the makeup of an Internet email address back in 1994.

To say that the Internet wasn’t mainstream enough for the Today show hosts is an understatement. Back then, few people had any idea of what it was, how email was used, or what the punctuation in the email address signified. Looking at the Today show this morning, things certainly have changed: live Tweeting of the snowstorm, Carson Daly and his magic touch screen surfing social media, and even some of the hosts reading off their laptops on air. We have come a long way.

But let’s go back to what we were all doing 20-some years ago. Back then it was hard to get online. We had dial-up modems: no Wifi, no broadband, no iPhones. PCs had PCMCIA cards, the precursor to USB ports. Other than Unix, none of the other desktop operating systems came with any support for IP protocols built-in.

Now it is hard to find a computer with a dial-up modem included, and without any Wifi support. Even the desktop PC that I last bought came with a Wifi adapter.

The communications software was crude and finicky: it was hard to run connections that supported both Ethernet (or Token Ring, remember that?) on the local office network and then switch to remote IP connections when you went on the road. I was using Fetch for file transfer (I still like that program, it is so dirt simple to use) and Mosaic, the first Web browser that came out that Illinois campus where a young Marc Andreessen was studying before he made it rich at Netscape. Companies such as Netmanage and Spry were packaging all the various programs that you needed to get online with an “Internet in a Box.” This was a product that was a bit different from that described in “The IT Crowd” TV show a few years later:

Back in 1994, I had a column in Infoworld where I mentioned that configuring TCP/IP was “an exercise in learning Greek taught by an Italian.” My frustration was high after trying a series of products, each of which took several days worth of tech support calls and testing various configurations with software and OS drivers to make them work. Remember NDIS and the protocol.ini file? You had to be familiar with that if you did a lot of communicating, because that is where you had to debug your DOS and early Windows communications strings. When they did work it was only with particular modems.

Finding an Internet service provider wasn’t easy. There were a few hardy souls that tried to keep track of which providers offered service, through a combination of mailing lists and other online documents. Of course, the Web was just getting started. Getting a dot com domain name was free – you merely requested one and a few seconds later it was yours. Before I had strom.com, I was using Radiomail and MCIMail as two options for Internet-accessible email addresses.

Indeed, mobility meant often using different modems with different software tools. When I traveled, I took four of them with me: cc:Mail (to correspond with my readers and to file my columns with the editors), Smartcom (to pick up messages on MCI Mail and others that I connected to from time to time), Eudora (for reading my Internet mail), and Versaterm AdminSlip (for connecting to my Internet service provider). That was a lot of gear and software to keep track of.

With all of these modems, if you can imagine, the telephone network was our primary means of connection when we were on the road. Of course, back then we were paying for long distance phone calls, and we tried to minimize this by finding collections of “modem pools” to dial into that were a local call away. Back then I was paying $100 a month for dial up! Then ISDN came along and I was paying $100 for 128 kbps! Now I pay $40 a month for broadband access. I guess things have improved somewhat.