Thanks!

Bill Moyers – who has been around for ages, and has interviewed all kinds of incredible people – a man who’s life work speaks for itself – recently interviewed Wendell Potter, a former CIGNA executive, who gives some actual insight in to why the industry so badly wants to kill healthcare reform.  It’s not rocket science of course – the more premiums brought in minus less money going out for treatment equals larger profits for companies and shareholders.  But one quote really caught me – “We make a lot of money in this country off of sick people.”  It’s really a sick situation we find ourselves in.

It’s important that Mr. Potter actualizes “Sicko“, the Michael Moore movie that was so badly beaten down by the industry.  I am no personal fan of Michael Moore, but the lines we were fed about socialism and how bad Canada and the UK actually have it was all a carefully constructed ruse by the industry and lobbyists – that worked all too well.

Wendell Potter is not without blood on his hands – he was a top level executive, flying on private jets, making a massive salary for almost 15 years.  However, a misquote by JFK of Dante’s Inferno – misquote or not – and a visit to a medical clinic in middle America shook him to his core.

“The hottest places in hell are reserved for those who in times of great moral crisis maintain their neutrality.”

Please take the time to watch this, and post, tweet, and otherwise share it as much as you can.

http://www.pbs.org/moyers/journal/07102009/watch2.html

Take for instance, MacPorts – a fantastic way of running some F/OSS on OS X.  Doesn’t work.  Experimental support is built in to nightlies… which I guess is getting there.  Little Snitch simply disappeared.  Programs with ktexts – kernel extensions – like SoundFlower and SteerMouse are also dead in the water.

Other more commonly used programs die as well.  MS Office can’t update.  The Aptna IDE is a non-starter.  In fact, you’ll find that a large percentage of your software works in a large percentage of the way you expect but… wait… what’s that?  Why does this particular function no longer work?

Granted, Snow Leopard won’t be out until September probably, so there’s plenty of time for programmers to get their code up to date.  As one of those programmers, I can tell you that it’s going to be a bit of a battle.  I’m running into major roadblocks with Twistori Desktop and the ScreenSaver.framework package that differs a lot from Leopard->Snow Leopard.

In fact, none of your screensavers on Leopard will run in Snow Leopard.  Just an FYI.

Anyway, that’s enough of a rant.  I keep going back and forth between downgrading or not.  I need to start developing heavily in Snow Leopard to make sure that Multiplex and Twistori Desktop are ready.  However, I also need to push solid releases sooner than Snow Leopard will be released to our Leopard install base.

Hmm… what to do…

With the totality with which people rely on Gmail’s threaded messaging interface, it’s incredible to me that there are a total of ZERO email clients – Windows or Mac – that include the same functionality.  It’s high time for a new email client.  But who will build it??

Well, not me obviously.  Not yet anyway – and that’s not necessarily a good thing.  I really shouldn’t be throwing stones at the development community for not doing a hard task that I’m not willing to take on myself.  Still, there is a gaping hole in the market.

Unfortunately, writing an email client program is no easy feat.  It’s incredibly difficult, actually, which is why Outlook is so heavily relied upon, Entourage is warned away from, and Apple’s Mail.app is universally love-hated – but the alternatives are almost non-existant.  The simple problem of handling massive gigabytes of data – and doing it in a fast, intelligent way – is something that would need to be solved even before one could start thinking of writing a client app.  Want to know why Yahoo, Google, and Microsoft do it so well?  Massive servers that crunch data all day, every day.  So imagine taking your outdated computer and asking it to crunch the same data.  Those are some difficult algorithms.

Still, there is a glaring omission in email clients.  Threaded conversations in Gmail have all but proven that much email – that we care about anyway – is conversational.  It doesn’t make sense to not have the entire conversation at your fingertips.  Some clients attempt to thread incoming emails, but they leave out your outgoing emails – that’s insane!  Conversations are rarely held on your email client without your voice – it’s so massively important that it be part of the thread!

The client that I currently have the most hope for is Postbox. It’s threaded conversations are almost impossible to get at, but once you do – YES! – there they are.  Postbox has done a fantastic job of indexing email, and obviously has the ability to understand a conversation thread.  Why is the thread not managed immediately?  Why does it take twelve clicks to get to it?  Why is it only available when I search!?

One of the beautiful things of threaded conversations is that I may have a single line item with a (12) next to it.  12 new emails – all contextually related – in a single thread.  It unclutters my inbox!  It makes things readable!  And best of all, it allows me to read – all at once – all responses to a single thought.

Postbox – if you’re listening – THREAD ME PLEASE!  Until then, I’ll continue to use Mailplane – a great app, but a fake desktop client.

Man, it’s time for a new email client.

There are people out there, you see, that won’t use Google Checkout.  There are people that won’t use PayPal.  There are people that won’t use their credit card online at all.  As a person that sells software for a living, well, those are people you assume won’t become your customers.  Giving personal (and financial) information to a 3rd party processing agent is certainly something… well… personal.

There are a plethora of reasons that one might choose to pay via PayPal but not Google Checkout.  There are just as many reasons that the opposite may be true.  Personal horror stories of one or the other top the list, or at least knowing someone that has a personal horror story.

As people who collect money, the same sort of choice is presented when you build a custom e-commerce system.  We did so so we could provide a better user experience and integrate it tightly with our on-the-fly licensing back-end – we could have used a service such as Kagi, but we wanted to be able to customize our solution and customer presentation more tightly.

So when it came to choosing a 3rd party payment processor on the seller side, the same sort of arguments were brought up and debated.  We chose to start collecting money via Google Checkout at IndyHall Labs because we found it just a tad more stable – our own personal horror stories of PayPay losing payments, or us not getting the appropriate receipts – things that may well be fixed now.  Because of the custom nature (and some of the magic) of our e-commerce system, each payment processor takes a degree of time to integrate, so we started with our chosen one – Google Checkout – and plan to eventually build in PayPal as well. But as soon as we had any way of collecting money, we wanted to launch our software.

But I’ve digressed – the point is, currently, we don’t accept PayPal.  You’d be surprised how often we get emails like “I would totally buy your software but I refuse to use Google Checkout, can I use PayPal?”  Eventually, the answer will be “of course” but we haven’t completed the API integration yet.  So in the meantime, we’ve come up with a solution that we think works pretty well.

Go back to the second paragraph – we assume someone that won’t use Google Checkout will not become a customer.  So we respond with an email similar to this (this is for Twistori Desktop):

We understand that you may not want to, or may be unable to use Google Checkout to purchase Twistori Desktop. We actually understand. Although we can’t currently accept PayPal, we have a solution!

Please pick from one of the charities below, and donate at least $12 (the price of a copy of Twistori Desktop) to it. If you can, mention “IndyHall Labs” in your donation so that we can track donations made in the name of our software. Pass the receipt along to us, and we’ll send you a copy of Twistori Desktop!

The Mara Triangle on WildlifeDirect
http://maratriangle.wildlifedirect.org/

Operation Smile
http://www.operationsmile.org/

PhilAbundance
http://www.philabundance.org/

So far, we’ve actually raised a small chunk of change for charity.  People seem surprised by our response, and many donate more than we ask. We almost always hear back from those we send this email to.  We couldn’t be more elated about it.

Recently, the entire concept has been gaining some love, and I wanted to point to one particular write-up.  Over at Corvus Consulting they did a write up titled “Why I Paid $25 for a $12 App” – it’s the nicest write up about the program we’ve gotten.

So what’s the point of all of this?  Just excitement.  We had no idea this program would work out so well.  We didn’t realize the incredible kindness of the people that purchase our software.  It makes me wonder how we’ll handle continuing to make charitable donations once we’ve integrated PayPal into our e-commerce system.  We certainly can’t go back now.

Besides, it feels too good

So there are a lot of links in the first two sentences, but Amy and Thomas (who are now husband and wife) are really incredible people, and were a joy to work with.  Amy is the founder of Slash7, and a force to be reckoned with when it comes to usability design on the web.  Thomas is the man that wrote the JavaScript library scrip.taculo.us – which is immensely popular.  They developed Let’s Freckle together, along with recently publishing their first e-book on JavaScript development.

So they had gone ahead and developed Twistori, which people f-ing love.  Problem was, their users wanted to be able to put in their own keywords, do searches, etc.  So we developed what we hope is an evolving answer – Twistori Desktop.  It allows users to create keyword “clusters”, do instant searches for keywords, and has theme support built in.  It ships with a few themes, but we’re hoping some people will pick up the reigns and get to developing their own themes shortly – we’ll be releasing a *cough* “SDK *cough* shortly, which is simply a CSS/XHTML/JS template that can get developers started.

I’ll write more here later about the integration of Objective-C and WebKit, which is simply stunningly cool.  I’ll be presenting on the subject at an upcoming meeting of Philly Cocoaheads, and will post the slides here after I’m done.

Go try out Twistori Desktop – discounted price, and a nice two week trial!

From your friends at IndyHall Labs!  More later.

How do you avoid such social-engineering, or, “phishing” attacks?  By some smart reading.  I’ll walk you thorough some basic rules after the jump.

What is “Phishing?”

First, let’s define this “phishing” thing.  Let’s steal some Wikipedia definition, shall we?

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Phishing, therefore, is basically tricking people into handing over their sensitive information by making them think that in fact they’re handing over said information to the appropriate entity, when in fact, it’s not that entity.  Think bank account websites, etc.

Below are two screenshots.  One is of Twitter’s login page.  The second, of the phishing site that stole all the lovely logins that ended up with bizarre tweets this morning.  See if you can guess which is which.

If you can tell from the two screenshots which is which, you probably can stop reading now.  If not, let’s take a closer look.

Social Engineering

Phishing attacks usually go like this:

1. Make the user think you’re the real deal
2. Take user’s information

In this case, the first thing that happens is you receive an email claiming that you have a Direct Message (DM) and all you have to do is sign on to Twitter to get it.  This should immediately ring alarm bells.  Unless new to Twitter (which many probably are) you should know that if you have ever received a Direct Message (DM) that the DM is automatically emailed to you with the contents of the DM, never with a link asking you to sign on to read the DM.  (You can turn off this email feature, but then you would receive no emails at all when you receive a DM.)

Assuming that you’re new and have never received an email like this before, and have never received a DM, look closer.  The “link” points to a blogspot.com domain.  Why would Twitter ever send you an email asking you to log on, with a link to Blogspot?  But let’s assume that you’ve missed this as well.  It’s easily overlooked.  Social Engineering has just taken place – the email seems to you authentic enough, and therefore you believe it actually came from Twitter.

Without Social Engineering, part 2 (taking the user’s information) would never be possible.  But it’s incredibly easy to gain someone’s trust.  We’re all quite busy, and if we receive an email from Twitter, who has time to assume it’s not valid?  Especially if the from email address is a twitter.com email address, right?

Never believe the email address that an email says it has come from.  If you believe an email to be fraudulent, investigate further.  It’s incredibly easy to send an email and forge the “from” address – it’s actually something that almost anyone can do with a little Google investigating, and is not a trick only reserved for the most seasoned of hackers.

But those domain names…

Now that they’ve got your attention and trust, you click on the provided link, which takes you to a page that looks exactly like Twitter’s.  Which brings us back to the test above.  The first picture is actually the phishing site, the second Twitter’s actual home page.  When two pages look so identical, how can it not be authentic?

For the most part, paying close attention to the URL in your browser’s address bar can save you from 99% of all Phishing attacks.  Let’s look at this particular example.

The twitter website’s address is

http://twitter.com

Everything you do starts with this.  Your home Twitter stream resides at http://twitter.com/home/.  My stream resides at http://twitter.com/themartorana.

Then there is the phishing attack.  Here is their url:

http://twitter.access-logins.com/login/

But wait – that has “twitter.” in the address!  It looks authentic right?  Let’s look at domain parlance.  Domain names run in Right-To-Left (RTL) order of high-level to low-level domain naming, separating important pieces by “.” (dots, or periods).  For instance, look at the last bit of the domain “www.google.com” – it’s “.com“.  You should know by now that there are lots of endings to urls, the popular ones being .com, .net, .org, .edu, .gov, etc.  When you type in a domain name, it’s last bit – that .com or .gov indicate what class the domain name is in.  .edu are educational domains.  .gov are all government.  There are also country domains, like .mx, for Mexico.  These end-pieces to domains are often referred to as TLDs, or Top Level Domains.  

After placing your domain in its class, it then detects the second part of the domain, reading in the RTL order.  ”google” is the 2nd part, after “com“.  This is an organizational level domain, and its name belongs to a single group or organization.  In this case, the name “google” belongs to Google, the company that we all know.  On this site, the name “davidmartorana” comes after “com” – “com” puts me in the common name space, and “davidmartorana” is the organization level, owned by yours truly.

Finally, anything following the organizational part of the domain points to a place inside of that organization.  So while “www” in “www.google.com” points to the main website, “docs.google.com” points to their Google Docs site, and “mail.google.com” points to their GMail service – both subsidiaries of the Google organization.  You can assume even in the most complicated of domain names, such as “http://glassboro.k12.nj.us” which has four domain parts, it is just a list of subs of subs.  The “.us” end indicator is the TLD for the United States.  Below that, “nj“ refers to the state of New Jersey, inside of the United States.  Below that, the state of New Jersey has split out the “k12” sub-organization to be dedicated to all lower-level learning institutions between the grades Kindergarten to 12th grade.  Finally, “glassboro” refers to the K-12 school system of the town of Glassboro in New Jersey.

Make sense?  Awesome.  Now let’s take a look at those domains again.

http://twitter.com

These domains start with “com” and move to “twitter“.  Using a “whois” search, we can see that the organizational name “twitter” in the “com” TLD space is registered by Twitter, Inc.  Everything that is owned by Twitter regarding the Twitter service will exist at or below “twitter.com“.  For instance, http://search.twitter.com, which lets you “search” the “twitter.com” organization level domain space.

However:

http://twitter.access-logins.com/login/

Well, this is different.  Despite the fact that it has “twitter” somewhere in the domain space, it’s below the organizational level!  Once someone owns a domain name, they can create subs of that domain any way they wish.  This is important – let’s look again.

Here, remove the /login/ part.  Any part of a domain after the original / is not part of the domain structure.  We’ll get to that in a second.  So we’re left with “twitter.access-logins.com” – “com” puts the domain in the common namespace for domain names, but the organization level is “access-logins” – this isn’t Twitter!  In fact, a “whois” lookup of “access-logins.com” gives us an error:

Connection refused connecting to whois.paycenter.com.cn

What?  So first off, we can’t even tell who owns the domain, because a common request for that information is refused by the carrier.  That’s a big tell.  Finally, “cn” is the country level domain for China, which means this domain is located somewhere inside of China!  More than likely, their “Great Firewall” is blocking access, but as you can see, just a little investigation brings up a lot of doubts.

Finally, the owners of the organizational domain level “access-logins” can, again, put anything they want after the “access-logins” portion of the domain in the RTL direction.  Here, they put “twitter“, but if they want, they could use “com” first, and THEN “twitter“, making the domain then “twitter.com.access-logins.com” – and this is an easy way to fool people.  Why not?  There it is, “twitter.com“, right in the domain.  This is why it’s so important to remember to read domain names from Right-To-Left.

IP Address / Domain spoofing 

Furthering the spoofing of domains to the common eye, you’ll sometimes see something like this:

http://78.233.142.211/twitter.com/

Again, this can look relatively legit.  You see “twitter.com/” right there!  This goes back to our earlier point that any part of a domain after the original / is not part of the domain structure. In fact, 99 times out of 100, anything after the first slash indicates the folder structure on the web server.  Here, the link doesn’t even use a domain name, but instead uses a quartet of numbers, commonly referred to as an IP address.  Next, they have a folder named “twitter.com” – that’s it.  

(For the record, domain names are nice ways of covering IP addresses so you can remember “google.com“, not Google’s IP address. That IP address, by the way, is totally made up.)

Finally

Although admittedly somewhat lengthy, I hope this gives you some indication of how to be able to smell out the most common of phishing attacks.  Even if they get you on the initial social engineering part, once you get to any site via a link provided to you, check out the URL in your address bar.  You may just see something a little… phishy.

At the center is the idea that stuff can be built and sold, by loose collections of individuals who want to work together on projects.  Each project will have different participants, to varying degrees of input, with varying talents and levels of contribution.  So instead of creating an organization from the top down, with bosses and whatnot, the organization is built to facilitate and make easier the coming together of these people to create an entire array of amazing products with no bounds or limits.

To start out with, we’re talking software.  RipIt, the awesome ripping utility built by Jason Allum, is up first.  Following closely on its heels is Multiplex, a Mac app and generic conglomeration of awesomeness.  The project is led by yours truly, along with Jason Allum, Johnny Bilotta (yes, the one and the same, the other half of Two Guys On Beer), who is a talented designer, and Jason Tremblay, user experience mastermind (and math wiz!).  Somewhere in there is the co-founder of IndyHall Labs, whom we all know and love – Alex Hillman, founder of the coworking space of coworking spaces, Independents Hall.

The organization goes a little something like this.  There are participants, and each participant does a certain task or set of tasks, is part of the team decision making structure, and based on that, gets a share of all proceeds.  There is no salary – you make money based on what you build and sell.  Sometimes – quite often, actually – there will be a micro-financier involved in the project, but that person usually comes from WITHIN the project.  The investment earns some shares, but it usually comes along with active participation as well.

Each project acts independently of the other.  Shares are divided per project, people can participate in multiple projects.  The end goal?  Get everyone off of the J-O-B.  We want all the people we work with (who happen to be independent minded people, entrepreneurs, etc.) to be able to free themselves from the daily grind and be able to become self-sufficient.

When, however, that self-sufficiency is tied to others, it means that teams will usually be based around a group of like-minded people – like minded in that no one will take crap from the other people in the team, team members are hand selected for their talents and ability to deliver, and a project’s success is directly tied to everyone involved.  Truly, this model exemplifies that the success of all will be tied to the output of the weakest member.  No one wants to be that person.

Anyone can start a projects.  Have a dream?  Want to build cool software?  Find people that want to be involved.  Get to work.  Done.

Multiplex will be released shortly – the first of many apps to come out of IndyHall Labs.  After that, expect a flood of amazing software.

IndyHall Labs is a whole new type of business.  Success is tied directly to your ability to deliver.  You are held to account by your team members.  But build enough stuff, be involved in good projects, and see things through – and success will follow, almost guaranteed.  All throughout the process, more and more people will get involved.

Want to be a part of IndyHall Labs?  First, check out Independents Hall.  Then prove what you can do.

The coolest part of all of this?  I’m a part of it.  Watch out for IndyHall Labs.  We’re going to be all over the map.