Travelodge UK hack update & official statement
Jun 23rd
This is an update to a previous post; if you haven’t already, you may want to read the original post first.
I just received a call from a friend saying they had received an email from Travelodge, which said that no data had been sold. I asked him to forward it here so that I could share it, and in the meantime while I was waiting for it to arrive I checked the Travelodge UK twitter feed, which offers:
@TravelodgeUK: Hi there. Please click here for a full update on the issue of spam emails http://ow.ly/5oSh4 #travelbotch #travelodge #spam
The content of that update, copied here for you:
Dear Customer,
Our main priority is to ensure the security of our customers’ data, which is why I wanted to make you aware that a small number of you may have received a spam email via the email address you have registered with us.
Please be assured, we have not sold any customer data and no financial information has been compromised.
All financial data (including credit card information) is compliant with current best practice standards and is audited to PCI (Payment Card Industry) requirements.
The safety and security of your personal information is of the utmost importance to us and as a result we are currently conducting a comprehensive investigation into this issue.
If you receive an email similar to the one detailed below, please delete it as spam.
Good day.
Don’t miss exciting career opening.
The company is seeking for self-motivated people in United Kingdom to help us spread out our activity in the UK area.
Conditions:
– Full age United Kingdom resident
– Only basic knowledge of Internet & computer.
– Free access to personal e-mail box
– 2-3 free hours per day
– Immediate replies on our written requests
– good organizational skills.
You can without problem connect our work with your primary activity.
Brilliant income ability. Free training available.
Applicants must be smart and commerce motivated. Working only some hours per day.
Any person residing in the United Kingdom can be our representative.
Our manager will contact you within few hours if you attracted.
—————-
Local News: from paris, with love who’s the toast of the airport show.
If you have any questions regarding this matter please email: andrea@travelodge.co.uk. A further update will be given when we have completed our investigation.
Guy Parsons
Chief Executive
The update is basically the same as what has started going out on email.
Whilst I appreciate that the update states no financial information has been compromised and adheres to PCI standards, this still doesn’t sit well with me.
Mainly because:
If they have been compromised enough for customer names and email addresses to be stolen, how can they be so sure that financial information has not been taken as well?
If the safety and security of personal data is of the utmost importance, why did it take people complaining on Twitter to bring the situation to light and extract this half update?
What information has been compromised? A full investigation will take a while, but it would still be more reassuring to know what they know so far. By saying “no financial information has been compromised” they are, through their silence on every other category of data, conceding that some data has been compromised.
It is careless to assume that because financial information has (allegedly) not been accessed, there is no need to announce what HAS been accessed. Names, addresses and similar details are just as worrying with regard to identity theft. Have passwords been compromised? The statement makes no mention of them, and some people will have used the same password at Travelodge as on other sites, so a leaked password hands an attacker a way into those accounts too.
This ‘update’ is nothing more than fire fighting to try and calm the situation and save face in my opinion, and leaves more questions open than it answers.
~Shepy
Are Travelodge UK selling data, or have they been hacked?
Jun 23rd
I received an email last night which suggests that Travelodge UK have either begun selling their customer database, or have had their security compromised. The mail I received was:
From: Ena Walton
To: <***@shepy.co.uk>
Subject: Richard Shepherd
Date: Wed, 22 Jun 2011 19:12:14 +0000

Good day.
Don't miss exciting profession opportunity.
Our Corporation is looking for energetic representative in United Kingdom to help us spread out our activity in the UK sector.
Required Skills:
- 18+ United Kingdom resident
- Only basic knowledge of Internet & computer.
- Free access to personal e-mail box
- 2-3 free hours per day
- Immediate replies on our written requests
- good organizational talents.
You can without problem combine our work with your primary work.
Great income ability. Free instruction available.
Those who are interested must be fair and business motivated. Operate only some hours per day.
Everyone residing in the United Kingdom can be our agent.
Our manager will e-mail you within several if you attracted.
The eagle-eyed among you will notice that the subject is my full name, which is not what you would expect to see in spam. That caused me to look a little closer, and I saw that the email address it was sent to is one that I have only ever provided to Travelodge UK.
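One way to turn the check described above into something repeatable, as an added example that is not code from the original post: hand every service its own address (plus-addressed aliases here, which is an assumption; the post only says the address was unique to Travelodge), keep a registry of which alias went to which service, and scan incoming mail for messages that arrive at an alias from anyone other than that service. The registry, the allowed sender domains and the mailbox below are all constructed.

```python
"""Attribute a leaked address to the service it was registered with.

Added example, not code from the original post. It assumes the practice
the post describes: every service is given its own address (plus-addressed
aliases here, an assumption), so mail arriving at an alias from anyone other
than that service points at who leaked or sold it.
"""
import email
from collections import Counter
from email import policy

# Constructed registry: alias handed out -> service it was given to.
ALIAS_REGISTRY = {
    "me+hotelco@example.org": "HotelCo",
    "me+shop@example.org": "ShopInc",
    "me+bank@example.org": "BankPLC",
}

# Constructed allow-list: sender domains each service legitimately uses.
EXPECTED_SENDER_DOMAINS = {
    "HotelCo": {"hotelco.example"},
    "ShopInc": {"shopinc.example"},
    "BankPLC": {"bankplc.example"},
}

# Constructed raw messages standing in for a mailbox export.
SAMPLE_MAILBOX = [
    "From: HotelCo <noreply@hotelco.example>\n"
    "To: <me+hotelco@example.org>\n"
    "Subject: Your booking confirmation\n\n"
    "Thanks for booking with us.\n",
    "From: Ena Walton <ena@jobs-offer.example>\n"
    "To: <me+hotelco@example.org>\n"
    "Subject: Richard Shepherd\n\n"
    "Good day. Don't miss exciting profession opportunity.\n",
    "From: ShopInc <orders@shopinc.example>\n"
    "To: <me+shop@example.org>\n"
    "Subject: Order dispatched\n\n"
    "Your order is on its way.\n",
    "From: Recruiter <hr@another-spammer.example>\n"
    "To: <list@jobs-mailer.example>\n"
    "Cc: <me+hotelco@example.org>\n"
    "Subject: Work from home\n\n"
    "Brilliant income ability.\n",
    "From: Someone <friend@personal.example>\n"
    "To: <me@example.org>\n"
    "Subject: Hi\n\n"
    "Not a registered alias, so ignored.\n",
]


def _addr_specs(msg, header):
    """Lower-cased addr-specs from a header, or [] when it is absent."""
    field = msg[header]
    if field is None:
        return []
    return [a.addr_spec.lower() for a in field.addresses]


def find_leaks(raw_messages, registry=ALIAS_REGISTRY,
               expected=EXPECTED_SENDER_DOMAINS):
    """One record per message delivered to a registered alias by a sender
    that the alias's service is not known to use."""
    leaks = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        senders = _addr_specs(msg, "From")
        if not senders:
            continue  # no usable From header; nothing to attribute
        sender = senders[0]
        sender_domain = sender.rpartition("@")[2]
        for rcpt in _addr_specs(msg, "To") + _addr_specs(msg, "Cc"):
            service = registry.get(rcpt)
            if service is None:
                continue  # not one of our per-service aliases
            if sender_domain in expected.get(service, set()):
                continue  # the service itself wrote to us, as expected
            leaks.append({
                "alias": rcpt,
                "service": service,
                "sender": sender,
                "subject": str(msg["Subject"] or ""),
            })
    return leaks


def leak_summary(leaks):
    """Count suspect messages per service so the leaking service stands out."""
    return Counter(record["service"] for record in leaks)


if __name__ == "__main__":
    found = find_leaks(SAMPLE_MAILBOX)
    for record in found:
        print(f"{record['service']}: {record['alias']} received mail from "
              f"{record['sender']} ({record['subject']!r})")
    print(dict(leak_summary(found)))
```

The allow-list matters: a service that mails you from its own domain is not a leak, so the only messages left over are the ones that prove someone else holds the alias. Cc is checked as well as To, since spam runs often bury the harvested address there.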
I put out a tweet last night saying “Dear @TravelodgeUK I’ll not be staying with you again as you sold my email address to spammers, and it was a unique mail addy only you have.” and then this morning got a reply from @benjymous providing the email address for the CEO of Travelodge, and suggesting that I was not the only person with this problem.
Following suit from @zoeimogen I have sent an email to the CEO of Travelodge, stating the following:
Dear Sir,

Yesterday evening I received a spam email from a company, which was interesting in the fact that it had my full name as the subject of the email, certainly unusual for spam. Looking closer into this I notice that the email address it was sent to is an email address that I have only ever provided to Travelodge. This leads me to one of two conclusions.

1) You are in the business of selling customer details and databases
2) Your systems have been compromised and customer details have been exposed.

I would therefore like confirmation if my details have been sold or provided to third parties or if the security of the data has been compromised. To the best of my knowledge I gave no such permission for data to be passed to a third party, and habitually tick the box to not be contacted for promotion or third parties when registering with a site. As the subject of personally identifiable data I have the right under the data protection act to know if my data is being handled correctly and in accordance with the reason for which it was provided, and nothing else.

If the data was sold I would like confirmation that I authorised this to happen, and no doubt will be following this up with a data protection request to view all information held on me and how it has been processed.

If you have suffered a security compromise and data has been obtained by unauthorised access I would like to know which data is stored in the systems that have been broken into, such as address, billing etc.

The mail address used to register with yourself was ***@shepy.co.uk

I eagerly await your response. If I receive no reply within 72 hours I shall be raising a complaint with the ICO.

Regards
Richard Shepherd
Hopefully myself and others will receive a reply soon, and if so I will obviously follow up this post with an update.
UPDATE:
Well, Travelodge has thus far been silent with consumers, but El Reg is reporting it, and Travelodge themselves say “Sorry for the spam email you may have received. We have NOT sold any data. We’re currently investigating this issue and will update you ASAP”. That basically means this is either a leak or a hack; neither is very reassuring, and both confirm that someone has had unauthorised access to the data. The question now is to what extent, and to what data?
If you’ve seen any of this spam, there is a hashtag at #travelbotch you can monitor / join in to keep updated.
UPDATE #2:
More on this on another post at http://www.shepy.co.uk/blog/2011/06/travelodge-uk-hack-update-official-statement/
~Shepy
Sold another two book covers
Jun 16th
A great start to the day this morning, an email through to say I had sold another two images to be used for book covers. Again both crime thrillers as with the previous ones. It seems my urbex images are quite apt for the genre :)
The two books are:
- The Sixth Man by David Baldacci
- Truth Lies Bleeding by Tony Black
~Shepy
Facebook may not be showing you all your messages
May 23rd
I’ve been noticing some idiosyncrasies in the way Facebook has been showing messages recently, but haven’t been able to pin it down until now. I got a message from a friend on Friday, which I saw when checking on my mobile (Android based) and intended to reply to when I got home, yet when I clicked on “All messages” on the site when I got home, the message didn’t show. Searching for the person’s profile then clicking on the message button in the top right took me to the message conversation between myself and that person, at which point the message did then show, though this isn’t always the case.
Several times yesterday my Facebook profile, on the website, would show the ‘1 Inbox’ message notification in the top bar, but when clicking into it I would see no messages highlighted as unread, and clicking on “Unread” would show zero messages. So today I’ve done a bit of a side-by-side comparison, and it seems something is going seriously wrong. Quite a number of new messages are being delivered to my mobile only, which I don’t always have running, so I won’t get a notification until I just happen to open the app. Below is a series of 4 screenshots, from both the website and my phone. I’ve blanked out most of the names and messages for privacy, but left enough in so that you can see the correlation between the two. Look through them and note:
Inbox
There is 1 message at the top which doesn’t appear at all on the website, only shows on mobile.
There is one message from Victoria for which the mobile shows a different message, whereas the site shows only my last sent message
Individual Thread
The conversation looks entirely different when viewed on the website, as opposed to the mobile client.
If I manually go to the page of the person who sent the missing message from the top of the inbox (which was a bit of a pain as it was a new contact, not in friends list, so they had to be searched) and clicked ‘Message’ then the message appears correctly, but as you can see if I go to Victoria’s page and click ‘Message’ then her replies still don’t show.
As someone who gets a lot of contact from potential clients for photography work through Facebook, I find it very concerning that I may be missing work entirely, or not getting back to people in a timely manner, because it takes me a while to notice messages on the mobile despite having checked the website maybe 5 times since the message was sent. I’m going to be keeping a close eye on both mobile and website for the foreseeable future to make sure I don’t miss anything, but I’ll be using other methods of communication wherever possible to avoid problems.
I’ve no idea yet whether this is only happening on Android or whether it affects iOS as well, but I would definitely be interested to hear in the comments how other people’s compare across the two. I suspect it is something more than just an Android problem, as the same omissions appear if I view through http://m.facebook.com, the WAP-friendly site designed for more basic mobile phones.
~Shepy
Why I have left Twitpic, and why you should too.
May 10th
Well, as you can probably tell from the image on the right, this is all to do with a matter of copyright. As a photographer, copyright is very important to me: it’s how I make money from photographs, and it’s what ensures that I get credit for my work, which brings in more work. It also ensures that I have control over the final look of an image if it is to be associated with my name, so that I can protect my name or brand.
I saw a retweet of an update from @iA this afternoon which pointed me towards the terms of service of Twitpic, stating that as of the 4th of May they were claiming a copyright license on all images uploaded to their service. Understandably annoyed at this, I followed the link and had a read, to find the following paragraph (emphasis mine):
You retain all ownership rights to Content uploaded to Twitpic. However, by submitting Content to Twitpic, you hereby grant Twitpic a worldwide, non-exclusive, royalty-free, sublicenseable and transferable license to use, reproduce, distribute, prepare derivative works of, display, and perform the Content in connection with the Service and Twitpic’s (and its successors’ and affiliates’) business, including without limitation for promoting and redistributing part or all of the Service (and derivative works thereof) in any media formats and through any media channels. You also hereby grant each user of the Service a non-exclusive license to access your Content through the Service, and to use, reproduce, distribute, display and perform such Content as permitted through the functionality of the Service and under these Terms of Service. The above licenses granted by you in media Content you submit to the Service terminate within a commercially reasonable time after you remove or delete your media from the Service provided that any sub-license by Twitpic to use, reproduce or distribute the Content prior to such termination may be perpetual and irrevocable.
What this means
The first part (the “worldwide, non-exclusive, royalty-free, sublicenseable and transferable license”) essentially says they can do whatever they like with the image, at no cost, including selling it or transferring their license to any and all third parties they choose, and including making derivative works (which would cover removing any watermark you may have placed on the image).
The second part (the license granted to “each user of the Service”) lets anyone they like use your images; you have no say in who can use or license the image.
The third part (the sub-license that “may be perpetual and irrevocable”) says that even if you delete the image, if they already have a sub-license in place there is nothing you can do about it, and that license will still stand.
Imagine these scenarios:
- You happen to be there when something major happens, they can sell your images to the news services.
- You upload images of a friend, they sell those images and they are used without yours or your friends permission to advertise something unsavoury or adult.
- Your image / likeness is used to promote a product or service you feel strongly against (a pregnant mother in anti-abortion ads, when she is pro-choice)
- Those “Meet singles in your area” adverts you see on the right of Facebook, how would your husband feel to see you in one of those?
- A photo you took of a product is used, and the trademark owner decides to sue for that use, you as copyright owner could potentially be dragged in to it.
- An image of yours is used in a negative way, and the stigma of that is associated with you name which could affect business if you are a photographer.
Those are just the uses I can think of off the top of my head, there are bound to be plenty more.
Reaction
I immediately deleted all of the images I had on Twitpic, thankfully none of which had been uploaded since the change of terms on the 4th, and removed Twitpic’s right to access my twitter account. I uploaded one final picture which simply said in huge letters “Bye Twitpic You Bunch Of Thieving Bastards” which I can categorically say I have no qualms about if they wish to sublicense or allow the use of by anyone, anywhere.
One of the main reasons I used Twitpic was its ubiquitous support in Twitter clients, the fact that I had been using it for so long (813 days according to the oldest picture I deleted), and that it is the only choice of picture service native to the Android version of Tweetdeck, which I use.
What to use instead
Thankfully the wonderful @alittlebit recommended Posterous, which I have now signed up for and will be using in the future to post pictures on Twitter, probably as well as a few short video clips and suchlike.
Like Twitpic it automatically sends out the tweet for me (as well as also being able to automatically post to a myriad of other services), and there is a handy app for my Android phone which will upload them for me, so in usability terms I lose nothing, but gain the ability to also upload pics via email and to add extra content or information to the post / pic before it is published and obviously retain the copyright, as it should be.
And just in case you’re wondering what Posterous terms of service have to say on the same matter;
You shall retain all of your ownership rights in your submissions; however, by submitting material to Posterous you grant Posterous fully transferable rights to use, reproduce, distribute, modify, transmit, prepare derivative works of, display and produce the material in connection with Posterous and Posterous’s business, but solely in accordance with these Terms of Use and our Privacy Policy.
The key difference there is that you are granting license only in so far as may be deemed appropriate for the promotion and advertising of the Posterous service (which is likely to cover them for screenshots in news magazines etc), and not that they can sub license the images for any other use.
Final thoughts
You would think that Twitpic would have learned from the mistake Facebook made when they attempted much the same thing last year, and then very quickly withdrew the clause from their terms of service after a massive outcry from their userbase. You can bet that Twitpic have something in mind for this; you don’t add something like that to your terms of use without having a reason to do so. But I for one don’t intend to be around to find out what that is, and hopefully neither will you.
If you want to sign up with Posterous you can do so by clicking here
You can follow me on twitter by clicking here.
UPDATE: There is a follow up to this article here: http://www.shepy.co.uk/blog/2011/05/twitpic-why-i-wont-go-back-and-why-you-shouldnt-either-a-follow-up/
~Shepy
I know what you did last summer (iPhone GPS Tracking)
Apr 20th
Blog posts and news reports are starting to spread about a recently ‘discovered’ feature in iOS 4 that keeps a regular and continuous log of the GPS fix of your device, at all times. It doesn’t just use this information for location-aware services, and it isn’t just for geotagging photos: this is a permanent and retrievable log of all the GPS fixes your phone has had, stored on your phone with timestamps. As if that wasn’t bad enough, the log is stored unencrypted.
I’ve mentioned here before how little trust I have in logging exact co-ordinates of anything to any kind of permanent or shared store, but this takes it one step further. At least with all of the technologies and uses I have discussed so far, you have the option not to record or share this information; they are ‘opt in’ features. This isn’t: it is enabled by default, has no option to disable it, and runs without your knowledge.
Personally I think this is a massive violation of privacy, and could potentially lead to a lot of problems later down the line, to give a few examples:
- You are suspected of a crime, and the police demand and seize your phone. They can legally demand that you hand over the key to any encrypted information you hold, under threat of imprisonment, so you can bet your life they can demand this information in the name of evidence.
- You make a claim on your insurance, but they think you may have been going too fast. They demand this file as proof of your location and time stamp (which can be used to factor velocity and trajectory) and refuse to pay out on the insurance without it.
- You are undergoing divorce proceedings, accused of extra-curricular activities. The opposing lawyer requests to submit this log into evidence of your whereabouts. Let’s say you’ve been to an ‘adult’ store; it bears no relevance to the case, but you can be sure it would be used to bring your credibility into question.
- You lose your rucksack; it has your phone, your wallet and your house keys in it. If you’re unlucky enough not to have any security on your phone, then the person who now has your house keys and your work keyswipe card also has a log that shows two clear clusters of activity, around your workplace and your home: they know where the keys are for and where the keypass works. Fancy spending a few hours explaining to your boss why they just had 4 laptops stolen and yours is the only keycard used to access the building that night?
- You know that app you gave permission to access and change files on your device’s storage, and full internet access, so it can store its pictures and upload them to the net for you to share? You also just gave that app the opportunity to send a copy of this file back to wherever it likes, for whatever use is desired.
These are just the first ones I can think of off the top of my head; you can be sure there are more. If ever there was a reason to get rid of your Apple device and get something more open, then this is surely it. The log is even included in the default set for device backup when you choose to do so, as prompted so often by iTunes. Get a new device, or have to restore your current one for some reason, and the log gets restored to the device and continues to log further.
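To make the rucksack scenario concrete, here is an added example (not code from the original post, and not Apple’s file format; the record layout and every fix in it are constructed) showing how little work it takes to turn a timestamped location log into a home and a workplace: bucket the fixes into coarse grid cells, then take the most-visited cell during the small hours and the most-visited cell during weekday working hours.

```python
"""Recover home and workplace from a timestamped location log.

Added example, not code from the original post or from Apple. The post
describes a timestamped, unencrypted log of GPS fixes kept on the device;
the record layout used here (ISO 8601 timestamp, latitude, longitude) and
every fix below are constructed. Whoever holds such a file needs only this
much code to cluster the fixes by time of day and read off where the owner
sleeps and works.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log: "timestamp,lat,lon" with '#' comments. The coordinates
# are arbitrary points, not anyone's real address.
SAMPLE_LOG = """\
2011-04-18T01:00:00,54.9700,-1.6140  # Monday night
2011-04-18T03:30:00,54.9703,-1.6137
2011-04-18T08:15:00,54.9740,-1.6170  # commute, outside both windows
2011-04-18T10:00:00,54.9780,-1.6200  # weekday working hours
2011-04-18T13:00:00,54.9782,-1.6203
2011-04-18T16:00:00,54.9778,-1.6197
2011-04-19T02:00:00,54.9697,-1.6143  # Tuesday night
2011-04-19T11:00:00,54.9780,-1.6200
2011-04-20T04:00:00,54.9900,-1.6000  # one night away: a minority cluster
2011-04-23T12:00:00,54.9600,-1.6300  # Saturday, ignored for the work window
"""

CELL_DEG = 0.002  # grid cell of roughly 200 m; absorbs GPS jitter


def parse_log(text):
    """Parse 'timestamp,lat,lon' lines into (datetime, lat, lon) tuples."""
    fixes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        ts, lat, lon = line.split(",")
        fixes.append((datetime.fromisoformat(ts.strip()), float(lat), float(lon)))
    return fixes


def _cell(lat, lon):
    """Snap a fix to a coarse grid so nearby fixes land in one bucket."""
    return (round(lat / CELL_DEG), round(lon / CELL_DEG))


def _dominant_cell(fixes):
    """Mean position and size of the most-visited grid cell, or None."""
    buckets = defaultdict(list)
    for _, lat, lon in fixes:
        buckets[_cell(lat, lon)].append((lat, lon))
    if not buckets:
        return None
    points = max(buckets.values(), key=len)
    n = len(points)
    return {
        "lat": sum(p[0] for p in points) / n,
        "lon": sum(p[1] for p in points) / n,
        "fixes": n,
    }


def infer_home_and_work(fixes, night=(0, 6), work=(9, 17)):
    """Home is where the device sits in the small hours; work is where it
    sits in weekday daytime. Hour windows are half-open [start, end)."""
    night_fixes = [f for f in fixes if night[0] <= f[0].hour < night[1]]
    work_fixes = [f for f in fixes
                  if work[0] <= f[0].hour < work[1] and f[0].weekday() < 5]
    return {"home": _dominant_cell(night_fixes),
            "work": _dominant_cell(work_fixes)}


if __name__ == "__main__":
    result = infer_home_and_work(parse_log(SAMPLE_LOG))
    for label, place in result.items():
        print(f"{label}: {place}")
```

Note what the single night away and the Saturday trip do to the result: nothing. Majority voting over a coarse grid is enough to discard them, which is exactly why a log like this is so much more than a cache of recent fixes.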
I look forward to seeing Apple’s justification for this. Whilst I can understand the need to perhaps cache this information to save the battery from constant GPS fixes by various apps, anything more than a 15-minute buffer is entirely overkill and without reason.
You can find more information about this through any one of a number of sites and news sources.
~Shepy
Facebook about to launch facial recognition?
Apr 20th
I checked my Facebook this morning and was having a quick look in the privacy settings (as I tend to do from time to time, since they change things in there so often) and noticed an interesting but as yet unselectable option, which seems to indicate that Facebook is about to launch facial recognition technology, presumably for tagging pictures.
Here is a screen shot of the new option.
It is at least promising that the wording of this seems to indicate that the recognition will only be presented as an option if the person tagging / uploading the photo is friends with you, otherwise it could lead to some stalkerish actions of using facebook to check who the unknowns are in your pictures (though that would help with photobombs!)
It’s also pleasing to see that presumably this is going to be an option that each user can disable or enable from their end as to whether or not they are going to appear in the list of suggestions to people.
I’ve used a similar system on Facebook previously, the auto tagging app from Face.com but found it to be a bit hit and miss, and it was also another step you had to go through when you were uploading pics. Having it built right into the tagging system like this, and being able to harness the sheer volume of data and pics that Facebook has access to would likely make this a much more reliable and powerful system.
It will be interesting to see what happens with it if / when it is launched. I’ve mentioned this to one or two people, and as yet don’t see anyone else with it showing, but then again Facebook are well known to roll these things out in batches.
~Shepy
Mr Quib – Speedy and positive response
Dec 28th
So I awoke this morning to a mail from Mukesh Singh, the managing director of Mr Quib, in response to my post about Mr Quib spamming a local hashtag, which is as follows:
UPDATE: The email from Mukesh was previously quoted here in its entirety; however, Mukesh contacted me and requested that I remove his email from the site, which I don’t quite understand. There was a positive response from several people who were happy he had taken action to resolve the spamming, as the comments below (which auto-retrieve from Twitter) show. I have removed the email from this post as requested, but that again shows a lack of understanding of all things social from Mr Quib, in my opinion, as it’s already in the Google cache, as is the way with blog posts.
I’m really glad to see that they have responded so promptly, and have taken action to stop the spamming. I found out last night after my blog post that apparently they use an outsourced company to handle the twitter account for them, and it is this company who have been doing the hourly spamming.
Now whilst I still stand by the premise that Mr Quib will have laid out criteria and requirements for how the account should be handled, and that ultimately the responsibility lies at their door, I can also appreciate that sometimes the minutiae of how it should be run can get lost along the way when these things are not handled internally.
Regardless of what went wrong, I’m very pleased to see that they have re-thought their stance on Twitter and the hashtag, and ultimately that those of us who follow the #nefollowers tag won’t be getting spammed every hour. I hope Mr Quib (and their customers/partners) do well, and as Mukesh says I’m happy to put this whole thing behind me now; it’s all dealt with and done as far as I’m concerned.
~Shepy
Mr Quib – Sure fire way to damage your brand
Dec 27th
Screenshot of Mr Quib
Some companies really have not got the hang of this social media thing, and the etiquette necessary to carry it out successfully. The internet is no longer a one-way medium where people read information from the big sites and output little themselves; most people now have a Twitter account, a blog, a Tumblr or any number of other ways of making themselves heard.
It’s because of this participation and feedback system that companies engaging in social media must take care to do it correctly, or else deal with the repercussions of going at it half cocked. One such example of this is the company Mr Quib, a deals and promotional company which deals with Newcastle at the moment, but looks set to expand to other cities.
In the North East of England we have a Twitter hashtag, #nefollowers, which is typically used to share information that tweeps think would be useful to other people in the region. Typically you can expect to find news, weather reports, traffic info, job vacancies etc – you know, the kind of thing that people living in the region would like to be kept informed of. Sure, there is the odd advert on there, and as long as it is kept to a minimum then no one seems to mind too much. Then you get people who take it too far…
Mr Quib – who is on Twitter as @MrQuibNewcastle – has taken to spamming their deals on this hashtag every hour, on a loop, without fail. This gets very annoying, especially considering that even if you block a person on Twitter they will still appear in any search you do on a hashtag (such as a search column in Tweetdeck). Twitter is a follow-based system: if people want to find out about the latest deals then all they have to do is follow the account; there is no need to spam a hashtag every hour. Do it sporadically to attempt to attract new followers, but not constantly.
As far as I’m concerned, this abuse of a local hashtag is wholly unacceptable, at least if you’re spamming it every hour (once or twice a day, sure I wouldn’t mind so much) and is a sure fire way to guarantee I will have nothing to do with your company. If a company chooses to advertise using such invasive and spamming methods then I will personally never use their services and will actively recommend against them. I’ve even mailed the companies I’ve seen advertised on Mr Quib to let them know this.
I’d urge anyone getting into the social media advertising space to think carefully about what they are doing, what the likely reaction will be from the target audience, and what the potential damage to the brand could be if their advertising is handled badly.
(and yes, I realise I have tagged this post with #nefollowers, but more so that the people annoyed by this constant spamming can see the post and have their say, I’ll only be posting it once)
~Shepy
UPDATE: I got a response from Mr Quib, which is on its own post: Mr Quib – Speedy and positive response