Tuesday, March 2, 2010

Twitter Phishing Scams: Reclaim a Hacked Account, Prevention Techniques

Periodically, I get emails from Twitter referencing direct messages from someone I am following and that include a link to a phishing scam. A phishing scam is an illegitimate web site, or in this case, an illegitimate Twitter application that tricks you into giving it your username and password. I was fooled once by a Twitter phishing scam but quickly realized what happened and changed my password. Phishing scams are more malicious than Twitter spammers because Twitter spammers are typically only marketing a web site or service and not trying to steal your password.

Examples of phishing scam direct messages I have seen include:
  • "somebody wrote something about you in this blog here (insert phishing link)"
  • "This you???? (insert phishing link)"

Your Twitter account can be hacked by having your username and password compromised in one of three ways:
  1. A third party Twitter application not using OAuth failed to protect your log-in credentials. *OAuth is a technology that allows you to log in to a third party Twitter application without giving the third party application your Twitter password.
  2. You were fooled by a phishing scam; phishing links use the same tiny URL redirects that are used for many links on Twitter.
  3. Your password was weak and was guessed by a hacker or hacker software.
You can reclaim control of your account by changing your password to something stronger and revoking access given to third party Twitter applications. You can fight phishing scams and prevent future outbreaks by checking your direct messages sent folder to see if there are any illegitimate messages being sent from your account. In addition, you can notify others who have unknowingly sent you phishing scam direct messages. In sum, beware of any links received via a direct message and consider only using third party Twitter applications that employ OAuth. More suggestions can be found on Twitter's support pages.

Saturday, February 20, 2010

MacBook Pro iPhoto Running Slow - Install More Memory

For about 2 1/2 years, I have had a MacBook Pro running Mac OS 10.4.11 with a 2.2 GHz Intel Core 2 Duo processor and 1 GB 667 MHz DDR2 SDRAM. Over time, it seemed like my MacBook was struggling more and more with running multiple applications, so I uninstalled and turned off as many unnecessary programs as possible, including turning off all dashboard widgets.

Most consistently, I would get a spinning ball of death every time I opened iPhoto while also running Firefox, which made it really difficult to blog about hiking trails. I thought the problem was due to having a large number of photos and videos for iPhoto to manage, so I tinkered with its settings to no avail. I was unable to find anything in the Apple forums to suggest that my problem was caused by iPhoto. In addition, my Activity Monitor reported iPhoto as using a normal amount of memory. As it turns out, the solution was simply to install an additional 2 GB of memory ($100), putting my total to 3 GB. My MacBook has been running smoothly ever since, even with multiple programs open at once: Firefox, iPhoto, Safari, iTunes, and Seashore (image editing software).

Monday, February 15, 2010

TurboTax 2009 Online Taxes - Colorado Part Year Not Working, Use Software Download

TurboTax is Better Than Filing by Hand

In March 2003, my wife and I jointly filed our taxes with wages coming from W-2s, work as independent contractors, and two different states. It took me a month's worth of evenings to figure out and complete by hand the Form 1040, Schedule C, state forms, and other forms. Many line items on the Form 1040 reference other documents, forms, and worksheets, so going line by line as a non-tax professional was slow and stressful. We have been using TurboTax's online tax filing service since and have enjoyed its low-stress, easy-to-use wizard system.

Colorado Part Year Not Working

We spent half of 2009 in Colorado and half in Virginia. As of Saturday February 13th, the online service of TurboTax Home & Business was unable to correctly manage our Colorado Part Year Resident tax filing status. Instead, it treated us as full-year residents of Colorado and was including our Virginia wages in our Colorado taxable income. The solution to our problem was to download the PC/Mac edition of TurboTax Home & Business. A TurboTax customer service representative provided us with a free download after he spent two hours on the phone trying to figure out why the Colorado Part Year was not working online.

The good news was that the download edition worked, but the bad news was that I had to reenter all of our information. Reentering our information was especially painful because state taxes are the last thing that gets entered, so I had to reenter our personal profile, home business, personal W-2s, personal deductions, Virginia state taxes, and Colorado state taxes.

Choose Download over Online Service

I highly recommend the download edition of TurboTax over the online service for the following reasons:
  1. View forms - The download edition allows you to view the tax forms that ultimately get submitted so you can find out the deeper context of the questions TurboTax asks. In addition, it allows you to bypass the TurboTax questions and make changes directly on the forms.
  2. Increased speed - The download edition runs faster than the online service (depending on the speed of your Internet connection). Further, the download software does not log you out after 20 minutes of inactivity so you can take breaks without having to spend a couple of minutes signing in online.
  3. Includes all of the online features (except it requires payment at download) - The downloaded software asks questions, files taxes electronically, and pays taxes in the same way as the online service. The only difference is that you have to prepay for the PC/Mac download (or CD) whereas the online service is free until you file; which leads me to my next reason...
  4. Downloaded software cannot import online data - The downloaded software is more sophisticated than the online service but it does not allow you to import your online data and, thus, you want to start with the download software. For example, I spent a week using the online service only to find out that I needed to use the downloaded software; which resulted in me having to manually reenter all of our information.
The download edition is more expensive than the online service but for me the time-saving benefits would have greatly outweighed the additional cost.

Tuesday, December 22, 2009

Default Privacy Setting in Facebook for Third-Party Applications is Disturbing

Recently, Facebook prompted all of its users to review their privacy settings. I reviewed mine and my wife's privacy settings and found a very disturbing default setting which allows my friends to share my information with third-party Facebook applications and web sites. I have had a Facebook account for three years so I thought maybe I had previously made my privacy settings too public. However, my wife has only had her account for two months, and I know her privacy settings are set to default values.

As a former developer of Facebook applications, I do not see any reason why you should let an application developed by a third party (i.e., a non-Facebook company) have access to your information, because once your information is in a third-party database it is very difficult to track down or to know whether it has been procured by someone with bad intentions. Trusting Facebook with significant amounts of your personal information is one thing, but not knowing that your friends may be unintentionally sharing your information with a company other than Facebook is disturbing. I say unintentionally because when one of your friends uses a third-party Facebook application or web site, your friend does not know what queries the application is running against your profile behind the scenes. The third-party application could be collecting and storing your information indefinitely with no apparent reason. Facebook policies state that third-party applications can only store your information in a third-party database for a short period of time (i.e., ~24 hours), but I do not believe Facebook has an effective procedure for enforcing this policy.

I have my photos and videos set to only be viewable by my friends. It is possible that Facebook honors this request and denies third-party applications access to my photos and videos. However, the wording in their privacy settings does not give me confidence that this is the case. Therefore, I recommend denying third-party applications and web sites access to all of your information.

My recommended course of action:

1. In Facebook, go to Settings / Privacy Settings / click "Applications and Websites"

2. Click "Edit Settings" for "What your friends can share about you"

3. Uncheck all of the check boxes seen in the subsequent picture and click "Save Changes"

This should ensure that your friends do not unintentionally share your personal information with third-party websites. I do not intend to be an alarmist so please let me know if I am misunderstanding Facebook's default privacy settings.

Friday, June 12, 2009

Google App Engine for Java - 3 Tips for Getting Started

Google announced an early look at Google App Engine for Java on April 7th and I have been using it ever since. Google App Engine for Java is a web application hosting service provided by Google and designed for services that expect rapid growth and, thus, it is ideal for applications that aspire to need a scalable infrastructure.

In an attempt to be a recession proof Java programmer, I created a new niche microblogging service, http://m.TwoKnobbyTires.com, for outdoor enthusiasts, fans of pro sports, and fans of college sports. It runs on Google App Engine for Java and I hope that someday it will warrant the scalable infrastructure that App Engine provides ;). My microblogging service uses Google Accounts for authentication, App Engine's email service, and the default open source JDO implementation provided by DataNucleus. The following is a getting started guide for programmers considering Google App Engine for Java. For more details about Google App Engine, read Google App Engine For Java - A Microblogging Case Study.
  1. Start with a new application - App Engine for Java does not support the full Java specification nor all of the frameworks that run on the Java platform. For example, it supports JSTL (allegedly), Java Servlets, and JSPs but does not fully support Struts 2, JDBC, JSF, Hibernate, and EJB. Thus, it is best to start with a new application rather than attempt to port over an existing application that may have compatibility issues. My service runs using plain old Servlets and JSPs; plus Servlet Filters are employed for site wide tasks like pre-loading user data and closing database connections.
  2. Acclimate to Google's non-relational data store - Google's database is non-relational, which was a challenge for me since I have only worked with relational databases (e.g., Oracle, MySQL). Specifically, Google's database is an object datastore without a schema, which means that join queries are not supported and the responsibility for data integrity lies within your code. Some of the data integrity responsibility can be managed by JDO or JPA in the form of one-to-one, one-to-many, and many-to-many relationships. However, I needed to manage some of my object relationships and queries outside of JDO because the JDO annotations plus Google datastore limit the number of relationships an object can have. My application is still experiencing random DatastoreTimeoutExceptions and I have not figured out whether my database is poorly designed or if Google's datastore has been experiencing hiccups in service.
  3. Automate tests - I used FitNesse to automate HTML tests for web pages and XML tests for RSS feeds. Automated tests are a good idea regardless of your hosting service, but in the case of Google App Engine for Java, there are two good reasons to automate tests:
    1. Auto generate the datastore index file - Your App Engine database on Google's servers requires a datastore index for every query your application needs to run. The easiest way to generate a datastore index file is to let the Eclipse plugin do it for you. Specifically, run every query in your development environment by using automated tests to trigger them and the Eclipse plugin will update the datastore index file after each query execution. Letting the Eclipse plugin generate the datastore index file is easier and less error prone than writing a datastore index file by hand.
    2. Quickly adapt to internal redesigns and platform changes - I redesigned the internals of my application several times during the process of adjusting to Google's non-relational datastore. In addition, the Google App Engine for Java platform and service are still under active development. Thus, it is important to create an automated testing suite that can provide rapid feedback on the health of your software so you can quickly and confidently adapt to both internal changes (i.e., your need to redesign to support new features) and external changes (i.e., Google's updating of the App Engine platform).
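
As an added example (not the author's code and not part of the Google App Engine SDK), here is the kind of Servlet Filter described in tip 1: it pre-loads the signed-in user's data and closes the JDO connection when the request ends. It assumes a hypothetical UserProfile JDO class keyed by the Google Accounts user id and the "transactions-optional" persistence unit name used in App Engine's JDO samples.

```java
// Added example: one filter for the two site-wide tasks the post mentions,
// pre-loading user data and closing the JDO PersistenceManager per request.
// Assumption: a JDO persistence unit named "transactions-optional" (from the
// App Engine jdoconfig.xml samples) and a hypothetical UserProfile class whose
// primary key is the Google Accounts user id.
import java.io.IOException;

import javax.jdo.JDOHelper;
import javax.jdo.JDOObjectNotFoundException;
import javax.jdo.PersistenceManager;
import javax.jdo.PersistenceManagerFactory;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

public class RequestScopeFilter implements Filter {
    // One PersistenceManagerFactory per application; creating it is expensive.
    private static final PersistenceManagerFactory PMF =
        JDOHelper.getPersistenceManagerFactory("transactions-optional");

    // Request attribute names that servlets and JSPs read.
    public static final String PM_ATTR = "pm";
    public static final String PROFILE_ATTR = "profile";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        PersistenceManager pm = PMF.getPersistenceManager();
        req.setAttribute(PM_ATTR, pm);
        try {
            // Pre-load the signed-in user's profile; Google Accounts supplies identity.
            UserService users = UserServiceFactory.getUserService();
            User user = users.getCurrentUser();
            if (user != null) {
                try {
                    // Key on the stable user id rather than the e-mail address, which can change.
                    UserProfile profile = pm.getObjectById(UserProfile.class, user.getUserId());
                    req.setAttribute(PROFILE_ATTR, profile);
                } catch (JDOObjectNotFoundException e) {
                    // First visit: no profile yet; servlets treat a missing attribute as "new user".
                }
            }
            chain.doFilter(req, resp);
        } finally {
            // Always close, even when a servlet throws, so PersistenceManagers never leak.
            if (!pm.isClosed()) {
                pm.close();
            }
        }
    }

    @Override
    public void destroy() {}
}
```

Map the filter to "/*" in web.xml so every servlet and JSP finds the PersistenceManager and profile as request attributes.
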

Retrospective

In the past, I compared Java vs. Ruby on Rails and my analysis ended in a tie. I believe that Google App Engine for Java tips the scales back in Java's favor because it solves Java's biggest long-term problem: a lack of affordable, scalable hosting for entrepreneurs. However, I am not convinced that Google App Engine for Java is enterprise ready because there are still too many unsupported Java APIs and frameworks.

Monday, May 11, 2009

Netflix Instant Queue - On Demand Movies

Netflix.com has created an Instant queue to complement its late-fee-free DVD queue. Netflix's Instant queue streams a subset of the Netflix movie collection over the Internet for instant viewing at any time and without delay. We watch movies from Netflix's Instant queue by connecting our MacBook to our LCD TV using Apple's DVI to Video Adapter and Apple's Audio Adapter. Blockbuster.com offers a similar movie download service, but it is not compatible with Mac computers. The following are features that make Netflix's Instant queue compelling.
  1. No movie previews - Watching a movie from your Netflix Instant Queue is about as instantaneous as it gets because the movie automatically starts and does not include any previews.
  2. Pause for a break - Pause a movie or close your web browser and Netflix returns you to the last viewed scene.
  3. Try movies with no commitment - Netflix's Instant queue is ideal for watching obscure movies and TV shows because there is nothing lost if you do not finish the movie or show. On the other hand, a poor movie choice in your DVD queue results in a two-day wait while that movie is being replaced.
  4. No added cost - The Netflix Instant queue comes with no additional cost and is available on most of their monthly subscription plans.
  5. Reduce clutter of depreciating DVDs - DVDs are steadily losing their value with the advent of Blu-Ray discs and online movie downloads. What's more, Blu-Ray discs are likely to lose their value once online movie downloads provide HD quality. Thus, using an online movie service means you will not be collecting a set of rapidly depreciating DVDs and Blu-Ray discs nor paying for an expensive Blu-Ray player.
Blu-Ray discs should do well for a little while because online movie downloads still have some limitations. The following are limitations of Netflix's Instant queue.
  • Limited selection - Netflix's Instant queue only includes a small subset of its DVD library. Most of the movies available for instant viewing are a year old or older. So far, the redeeming selection of the Instant queue has been the availability of all four seasons of The Office.
  • Reduced picture quality - Our Internet connection allows us to watch movies from Netflix's Instant queue at Netflix's highest quality resolution. However, the picture quality is less than what is experienced with a DVD or Blu-Ray disc. Specifically, the reduced picture quality becomes a factor for fast-moving action movies but is less noticeable for comedies and dramas.
  • No special features - Instantly downloaded movies do not include director commentary, deleted scenes, subtitles, or any other bonus features typically found on a DVD.
  • Connecting your computer to the Internet can be expensive - Netflix streams online movies via devices like Xbox 360 and TiVo. However, those devices are expensive and connecting your existing computer to the Internet can be complicated and/or expensive too.
In sum, Netflix's Instant queue is worth a try if you can easily connect your TV to the Internet and, especially, if you are interested in watching episodes of The Office.

Wednesday, April 1, 2009

#Twitter Spam is Tweeting Me Off

As of late, Twitter spam is tweeting (i.e., pissing) me off enough to get me out of my technology blogging hibernation.

What is Twitter Spam?

My three criteria:
  1. A notification e-mail from Twitter that someone new is "following" your tweets (i.e., your status updates)
  2. The someone new is only "following" you to promote their business
  3. The someone new's business has nothing to do with anything you have ever tweeted (i.e., unwanted communication)
Twitter spam is not a "direct message" from another Twitter user because another user can only send you a "direct message" if you "follow" them and, thus, you can easily control who is able to send you direct messages.

I consider myself a passive Twitter user such that I only follow people that follow me and I only initiate a "following" connection with someone who is tweeting about similar topics. For example, I blog about Colorado trails and use my Two Knobby Tires Twitter profile to connect with people interested in hiking, mountain biking, or outdoor gear retail. Up until recently, my experience has been positive, including connecting with new people that share similar interests (e.g., Leave No Trace, mountain biking, outdoor gear products).

Spam Life Cycle

In the early days of e-mail, spam was not a problem because e-mail was not heavily used. However, as e-mail became more popular the opportunity to spam people for profit became larger. E-mail spam was a nightmare before e-mail services (e.g., Yahoo!, Hotmail, Gmail) became good at blocking it. Twitter appears to be going through a similar life cycle:
  1. Low usage = limited spam
  2. Mainstream popularity = increased opportunity for profit
  3. Spam escalates
  4. Twitter develops software intelligence to slow down spammers (losing the battle right now)
  5. Spam shrinks but never completely goes away

Twitter Spam vs. E-mail Spam

Twitter spam is not as annoying as e-mail spam once was; at least not yet. Similarities and differences of Twitter spam and e-mail spam are as follows:
  • Twitter spam originates from a Twitter profile - E-mail spam can originate from anybody with access to an e-mail account and/or e-mail server whereas Twitter spam can only originate from someone's Twitter profile. Thus, it should be easier to identify Twitter spammers since Twitter should be able to limit the rapid creation of spamming Twitter accounts.
  • Twitter spam is somewhat solicited - E-mail spam is completely unsolicited because you are getting a communication from someone who should never have had access to your e-mail address. However, having a public Twitter profile puts you at risk of receiving unwanted communication because you are choosing to give the public access to you. Specifically, having a public Twitter account is a choice you can make whereas most people receiving e-mail spam want their e-mail to be 100% private.

Obvious Spammers vs. Shrewd Spammers

Obvious spammers - Obvious spammers have a limited Twitter history, a rapidly increasing number of people they are following, and are pushing an unwanted product or service. Twitter shuts down accounts that have received hundreds of "block" requests from frustrated users. For example, the following Twitter spammers have been shut down: http://twitter.com/Nelly546, http://twitter.com/JohnM101, and http://twitter.com/Jason720, because they were following people at a rapid rate and frustrated users like myself were blocking those Twitter accounts.

Shrewd spammers - A shrewd Twitter spammer puts up a nice facade (i.e., fancy web site) and is less aggressive so that Twitter and other Twitter users do not realize that they are a spammer. For example, I have been too lazy to "block" these Twitter profiles: http://twitter.com/valhallabiz, http://twitter.com/mileso, and http://twitter.com/comfortinnfc. Their "following" to "follower" ratios are unbalanced (2:1 or worse), which means more people will be receiving spam from them. The enablers of shrewd spammers are those that get in the habit of "following" Twitter users that follow them because they want to be nice and return the favor. It is in our human nature to return the favor (i.e., reciprocate). I am guilty of this and I am sure others are too. Unfortunately, reciprocating with a shrewd Twitter spammer legitimizes their presence and enables them to spam more people.

Solution - Software Intelligence

Twitter administration - Twitter allows users to configure which Twitter events (e.g., new followers, direct messages) trigger an e-mail to their e-mail address. In addition, Twitter lets users make their profiles private such that unapproved people cannot follow their twittering. However, neither of these configuration options solves my problem because I want to be notified when someone new follows me and I want to share my tweets publicly so I can connect with new people.

Solution - I think the next step is for Twitter to prevent accounts with an unbalanced "following" to "follower" ratio from "following" new people until their "following" to "follower" ratio becomes more balanced. Benevolent Twitter users should not have to spend energy "blocking" spammers or waste time being fooled by shrewd spammers. In sum, Twitter's appeal is diminishing with each new spammer and I hope Twitter can solve the problem before it gets worse.