Of course, we’ve all seen what happened to closed services; they became portals of various kinds on the open Internet, but exactly how open is the Internet?

Apple is launching the iPad very soon after its very successful iPhone (which I ought to add I still don’t have because Vodafone have absolutely no interest in talking to its customers; I have been promised call backs three times and I’ve left a voicemail for our account manager who has never called me back. I guess spending tens of thousands of pounds with them means nothing), but not only have they sold it network locked from the beginning (only recently allowing any competition), they have also locked down the applications which can be run, enforcing their own morals on what kind of applications their users should be using. They are now continuing this with the iPad, and techies and everyone else alike is flocking to the iPhone. And yes, even I wanted one, even though one of my colleagues in particular has been trying to talk me into going with Android instead. It’s no different to the requirement to use iTunes for the iPod. I believe Microsoft is planning a similar strategy with its Windows Phone 7 OS.

This movement towards closed devices is precisely the wrong direction for the Internet to be taking and it encourages exclusive deals which prevent consumers from exercising their right to choose the best application. It’s a bit like Microsoft writing Windows in such a way that prevented you from installing any other browsers at all. It seems only Microsoft is in the spotlight of the regulators. I have been a great defender of Microsoft’s right to bundle IE with Windows because frankly, if your browser is better, it will be found. I don’t see it as Microsoft’s job to promote Chrome, Firefox, Opera or any other browser. I should of course add that I am a Chrome/Firefox user mainly but I made that choice willingly, and not because some regulator forced me to.

We need open platforms where the user gets to choose what software they run, and who they buy their services from, not large companies building their mini empires. By doing this, we force companies to innovate. People should be buying applications from the Apple App Store because it’s the best, not because it’s the only choice (without jail-breaking your iPhone). Apple are absolutely brilliant in designing hardware and operating systems. Why do they feel so threatened and weak they can’t compete with others on exactly the same basis?

My inbox always seems to be at around 500 e-mails no matter how much I clear it. If I remove half of them today, by close of business tomorrow it will be back at this level. Most of these e-mails are also ‘action items’ of some kind requiring me to respond (usually with something that would take me 5-15 minutes to deal with per e-mail; so if we assume an average of 10 minutes and 400 e-mails, this would be around 67 hours of “replying to e-mails”).. that’s over 8 working days at normal hours, or 4.2 working days in ‘theo‘ hours..

So, if you haven’t had a reply from me, it may be because your e-mail didn’t require attention this very minute (most fall into this category), it would take too long to reply to now (second most popular), I trust you from having known you so long that I know you won’t take my lack of reply personally (even a few long term customers belong in here), or because I think your e-mail is so pointless it shouldn’t have been sent in the first place.

So, how does everyone else manage this?

So, a few months ago we built this generic unsubscribe form which allows users to type in their e-mail address, receive an e-mail with a new link (with a code) which verifies they are the authentic user of the e-mail address, and then they can select what to unsubscribe from, click Unsubscribe and it’s all done from various systems in one go:

thinkbroadband.com – screenshot of ‘unsubscribe’ page

Now you’d think this should stop all the e-mails from users every week after they get our weekly news summary on Monday morning asking to be removed from the list.. Well.. No..

It’s resulted in e-mails like this:

“I want to stay in subscription and would to take the opportunity to thank you for a great and useful service”

“Please DO NOT Unsubscribe Me The Link was Clicked in Error.”

..and so on. Obviously users would only be removed after going through the verification process so most of these people haven’t actually unsubscribed themselves.

Clearly we have something to learn on the user interface front which we’ve not quite tweaked yet

Quite a few sites ask you for a “memorable question” allowing you to select one of say five. These are usually questions like “What is your favourite colour?”, “What was your favourite subject at school?” or “What was your first school’s name?”. They rarely offer an option of “I don’t believe in silly security questions.”

Unless I happen to have a sophisticated taste in colours, it’s probably not too difficult to find the answer to the above question with a few guesses (probably even fewer if you profile me a bit). Even with the slightly more personal ones, this information is often in the public domain, particularly with the trend in social networking. These types of decisions by website developers make it pointless for me to use a ’strong’ password since it is too easy to bypass.

There has recently been quite a bit of discussion about a distributed single sign-on solution called OpenID which is being supported by AOL, Google, Microsoft, Verisign and Yahoo among others. This might help to solve problems like this by having a central system which requires multi-stakeholder input to iron out security weaknesses in the first place.

The start of the problem: BT ADP Managed Accounts

One of my companies has several BT lines in different locations. BT outsource the management of small business accounts (or ours at least) to a company called ADP whose number appears on our bill and who we would get put through to deal with new lines. We’ve been talking to them a lot lately since we have been ordering a few new lines and a conversion of a BT Business Highway ISDN line into two PSTN lines in one location.

I am conscious in writing this that some of the staff there are very helpful, but in several cases we’ve been promised callbacks which have not arrived.. We’ve sent e-mails to which we’ve never received responses. Our position now is that if we can’t speak to the person we need to get hold of, we call back later since expecting a call back from them is just too unreliable.

Converting the line..

BT are withdrawing the Business Highway ISDN services early 2008 so we were contacted by ADP a few months ago about options to convert the lines into ISDN2e or PSTN lines. Since we are in the process of looking at VoIP for future voice solutions anyway and needing better redundancy on broadband, we opted for two PSTN lines, so an appointment was made for an Openreach engineer to come and convert the BT Business Highway line into two standard analogue business phone lines. I was told this process was quite simple. The first PSTN line was ordered with TotalCare (BT’s supposed enhanced service option which guarantees a 4-hour response to faults)

At this point I ought to point out that we use these lines and made it very clear to ADP that any switch-over had to be managed to minimise the downtime. During the conversion it became apparent that there were problems finding pairs that go back to the local exchange for the second line (with the Business Highway line being capable of carrying two calls down one line). This meant that the number used for faxes was completely dead. The engineer left stating that another colleague would come back later that day to finish the work.

After 3pm, I began getting worried that the problem would not be resolved so I rang our BT managed accounts (ADP) contact (one of the few who seem to have some idea of what they are talking about) and was told they were still working on it and expected it to be fixed this afternoon. We agreed that I would call back at 5pm if the lines weren’t working and of course, inevitably I called back. Following some more discussions another staff member at ADP stated near 6pm that they would be going home and that their department would be closed until Monday morning, and that as the line wasn’t working, the only possible option would be to ring faults.

The run around..

So I rang BT faults (154).. They said that since it’s an order in progress I would need to speak to BT Business Sales (152).. so I rang them.. Their system asks for the phone number and then said something along the lines of “You have one open order on the line. Your order was placed by a third party. Please contact them” before hanging up. So I call back and play with the options to get through to someone. Now this BT employee seemed a bit better and looked at the issue but advise that the system was waiting on a software update (as it had been for the past few hours) and because the engineers who deal with manual updates had gone home, we’d have to wait until the morning. I was then put through to faults on my request to register this as a fault, but faults advised me that since the line was not active, they could not raise a fault.

So.. I have no phone lines.. BT broke them.. and it’s not a fault..

So, let’s recap. BT were supposed to convert one Business Highway line into two PSTN lines because they were withdrawing the Highway service, and as a result, they’ve now left us with both lines not working. Well actually, not quite. One PSTN line has a dialtone and a telephone number attached to it which has nothing to do with us. Go figure..

The real problem with BT..

What gets to me is we pay for a business service (and Highway isn’t the cheapest option either) and then place an order with an even higher service level (TotalCare) and different departments within BT seem to pass the buck between each other. There is absolutely no ‘ownership’ of the problem. We are without a phone service[1] which we had this morning and BT do not consider this a ‘fault’.. This is utterly ridiculous. Imagine if we turned our network routers off for a day.. We wouldn’t have any customers left the following day. My general perception of BT as a company was moving forwards, but I get the strong sense of some major internal co-ordination issues where no one is interested in solving the problem. Is this the result of artificially forcing a split of BT’s Retail and Openreach businesses even?

[1] Although this does mean our fax is down and it causes us all ends of inconvenience, we don’t actually trust BT to run our main phone system (and this is precisely why!).. but that’s besides the point.

Update 16/12/07: I can report that BT did fix the first PSTN line on Saturday morning and I had a call from their sales team at around 8.55am to tell me that. The second line was sorted at 11:35am and the engineer knocked on the door. I have to say I wasn’t expecting this to be sorted until Monday so I was pleasantly surprised, not that this makes 24 hours of no service in any way acceptable because of planned work with no contingency plans in place in case they came across a problem.

We all hate spam. It clogs up our mailboxes, wastes our time in sorting what is and is not a legitimate e-mail and costs us money in wasted traffic and solutions to try and curb its increasing impingement into our lives.

I tend to report spam to the service providers who allow their networks to be used to relay spam or otherwise allow their network to be used by spammers. Recently one spammer (who’se identity I’ll keep off this blog in the hope they’ve now learned their lesson) got in touch with me about a comment I made on a website about their business (after their service provider shut down their service). The e-mail read:

Dear Seb

My name is [name removed] – Sales Manager at [company removed], I have seen you recent comments posted on a website with regards our marketing, may I ask would it of been more professional to have discussed them with us 1st rather than posting in public? We are a proper business that is finding our feet and your comments do not assist the business industry, I await your comments on this matter.

Best regards

[name removed]

To say I was surprised to see an e-mail from a spammer complaining at my criticism of their marketing tactics is an under statement. I certainly didn’t expect to be expected to explain why spam was bad, but in hope I might educate someone as to the errors of their ways, I duly obliged.

[name removed],

It is against the terms and conditions/acceptable use policy of almost every Internet Service Provider including [name of their isp removed] to send unsolicited commercial e-mail/spam yet I’ve received over seven spam e-mails from you.

Most of your e-mails are over 200K.. Do you appreciate downloading one of those large e-mails in full whilst abroad on a GPRS connection could easily cost £2.50 (per e-mail!) nevermind filling up the mailboxes of many people who don’t want to receive them.

Spamming is an antisocial activity and quite correctly service providers are stopping their networks being abused in this way.

You might want to read this site.. If you send this to a personal e-mail address you could be sued in UK courts:

http://www.scotchspam.org.uk/

If you are new in business then I suggest you re-examine your marketing policies because the more you spam the more damage you will do to your brand.

Regards,

Sebastien

So I thought to myself that this would be the end of the matter, and the spammer would probably continue on their ways without changing their tactics, but at least they might take me off their list.

However, the spammer replied once more and now tried to persuade me he wasn’t a spammer.. This is what he said:

Don’t get me wrong I do understand your point but would an approach to a legimate English company not have been better direct rather than taking the seemingly nasty route of trying to stall our business?

I proceeded to explain that reporting spammers to ISPs was a very common response (well it’s not common enough to put a stop to things but it does happen on a regular basis) explaining the spamming was antisocial:

Reporting spamming to ISPs is a very common practice as otherwise spammers just remove one address from the list, rather than stopping their activity and use legitimate marketing methods. Spamming is antisocial behaviour and it’s not enough for you to stop sending those e-mails to me.. You should stop that behaviour outright. [..]

The sooner you get the message spamming is wrong, the better. Go and read the acceptable use policy for [e-mail provider name removed] l and see if it mentions spamming.. I bet it does.

Then in a move which made me feel like I had actually achieved something, he replied back saying he had learnt his lesson, only then to express his concern that it’s the “real spammers” who send viruses who give e-mail marketers like him a bad name. (Hello?! Didn’t you send me unsolicited e-mail I never asked for about services I would never buy from you?)

Be assured we have learnt our lesson and we are exploring other avenues of marketing, the only problem for a new business is they all cost money, the reason for e-mailing is so I can hear your views as it is important to learn from mistakes.

Are we being penalised because of real spammers who e-mail viruses and so like, if these weren’t around would it be more acceptable for legimate companies to do e-mail marketing?

Would this individual ever realise that he was a real spammer not just a mistaken individual.. I was about to have my final rant:

[..] I’m not quite sure what you mean by “real spammers”.. What you did was real spamming.. Viruses are actually a lot easier to filter.. It’s the spams that can’t be automatically detected that cost the most in UK companies.

E-mail marketing has to be confirmed “opt-in”.. i.e. the recipient has REQUESTED to receive the e-mails and you have confirmed they are who they say they are (e.g. to avoid someone randomly adding an e-mail address to the list.. the confirmation is far more significant in online sign-ups).

Unfortunately, starting a business costs money. You have to build up a reputation.. [..] There are plenty of marketing opportunities out there which don’t involve clogging up the inboxes of everyone most of whom will have no interest whatsoever in leasing a car from you. [..]

His final reply thanked me for my time and said he would take my comments on board.

I hope this exchange of e-mails has turned one bad guy into a good guy in the eternal war on spam.

If you send unsolicited e-mail, you are a real spammer. It’s not just the viagra touting people who cost us money!

I went into a Comet store and chose a suitable TV. The silver version was £50 cheaper than the black one, so I decided to browse to their website on my Nokia E90 and see if it was a mistake. Although it was the correct price, I noticed that on the website the black version was available at the same price as the store label for the silver one.

I asked one of the sales assistants if they could sell it to me at the web price, to which they said no as they don’t price match their own website. They said however I could order it on the website and pick it up in store, so I asked if that meant I could place the order on my mobile phone, and then go to the till to pick it up, to which she said “yes.. if you can do that..”

So I did.. well.. actually the Comet website’s “collect from store” option wouldn’t work on my E90 browser, so I excused myself, went to my car, took out my laptop and 3G card, went online, reserved it and went to the till showing them my laptop screen confirmation of the order. It did say it could take up to an hour to go through, but they found it in the system and promptly sold me a TV for £50 less than it was advertised at. Great rate for 10 minutes work

Some of the items on Comet have higher online discounts.. For example a large Sony 1080p HD LCD TV has a £280 discount.. I had to settle for a less expensive model

PAC is an access control system which operates on (among other technologies) proximity card/tokens as identifiers for access. Almost everyone will be aware of these as they are used in most offices nowadays and are similar in use to the Oyster card. Most PAC readers are simple black boxes you present your tag to, and after checking with their controller, they grant or deny access and unlocking the door as appropriate.

The company also supplies a “PAC + PIN Reader”, a special type of device which also requests that you type in a four-digit PIN code after presenting your token to the reader. This is another level on the security ladder, the tag being “something you have” and the PIN being “something you know”. There are however two major problems with this system:

1. Each PAC token (a card or key fob in this case) has a token code which identifies it to the reader (e.g. 20184201AD). There is then a formula which uses this code (dropping the first ‘20′ bits) to generate a PIN (a hash of the token code). This means that anyone who knows your token code (i.e. anyone who has run your token past a reader, and the standard read distance of a few centimetres can I’m sure be extended with enough thought; or anyone who has access to a system on which you are registered if you happen to use multiple systems) can work out your PIN code just by using the PAC EasiNet software. This means that the PIN code is no longer ’something you know’.. it’s just a code written on the PAC token but “in ink only visible under ultraviolet light” in comparative terms. Anyone who knows this just brings a UV light and they have your PIN (i.e. using PAC EasiNet Software)
2. The communication between the PAC PIN reader and the controller appears to only send information when the PAC has been presented and the PIN has been typed correctly. If you type the PIN incorrectly, it is the keypad itself which blacklists you after three attempts but only from that keypad. This means there is no security logging of failed PIN attempts (not that this should happen in any organised attempt to subvert the system due to the first problem). I have not studied the communication in detail so it is possible this is just not visible in the software I was using, but it does seem to be handled by the reader itself.

I think PAC may be offering user-set PIN codes in newer systems. PAC do have a fingerprint reader (“something you are” on the security ladder, also known as biometrics) and a non-biometric Mifare-based smart card system which is a more secure form of RFID proximity access. Nonetheless ever releasing a system which is based on such flawed security basics is worrying.

Firstly for anyone who doesn’t know what “whois” is; It is a tool/protocol which allows you to find out information about for example domain names or IP addresses including who they belong to. There are multiple layers in WHOIS and the server and the one operated by Verisign’s registry service is callers ‘whois.crsnic.net’. If you have a .com or .net domain it will have such an entry which points to whichever registrar you used to register the name which in turn provides details of the domain registrant and other contacts.

The registry also stores ‘host records’ which are a specific kind of record used for nameservers. Because of how the domain name system works, if you have a domain (e.g. seb.me.uk), you need to point that domain to some nameservers that know where to direct you to if someone types www.seb.me.uk or sends an e-mail to something ending in seb.me.uk. However, you first need to find the nameserver–If this is within the same domain (e.g. ns0.seb.me.uk) then it needs a ‘host entry’ (sometimes referred to as a ‘hint’) to find the nameserver, which then will give more information about the domain.

These host records are registered at the registry by the registrars and inserted into the DNS zone files. What seems to be happening, is some companies insert host records for server names with for example “someoneelse.com.www.theircompany.com” which then comes up when you search for someoneelse.com even though this is just a host within the theircompany.com domain.

I spotted this today for bulkregister.com, promoting dndialog.com:

Server Name: BULKREGISTER.COM.RESPECTED.BY.WWW.DNDIALOG.COM
IP Address: 81.177.3.240
Registrar: MONIKER ONLINE SERVICES, INC.
Whois Server: whois.moniker.com
Referral URL: http://www.moniker.com/whois/whois.jsp

The legitimate record which is also returned, is:

Domain Name: BULKREGISTER.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 16-feb-2007
Creation Date: 08-sep-1999
Expiration Date: 08-sep-2012

I guess preventing host parts with “com” in the middle might help (along with other TLDs although “ns” is a common suffix I suspect.

The Post Office (or at least the one I frequent) doesn’t take credit cards as payment for items such as postage for Special Deliveries, etc. They accept debit cards, but not credit cards. Well, that is to say they say they don’t accept credit cards, but a friend has had no problem using one when he put it in the PIN-pad machine, but I am assured they don’t.

It seems quite backward that an organisation such as the post office cannot accept a modern means of payment for their services. If it was a question of costing too much, I would be quite prepared to pay for it, just like at Ikea where a surcharge applies for credit (and I think debit) card transactions to cover the extra cost they incur in processing.