March 2007 Archives

W3C is holding a Workshop to discuss HTML in email. The event will be held in Paris on May 24. There's a call for paper with a deadline set to April 21. Daniel Glazman summarizes what they are looking for :

In particular - but this is not limited to that - we would like to hear from Mail User Agent and HTML authoring tool vendors, users with security concerns related to HTML email, users with interoperability issues, online retailers sending their ads and newsletters in HTML, companies doing marketing on the mobile market and sending HTML messages to mobile devices, and so on.

The Apple TV has been out in the wild for only a few days, and it's hackathon madness already! From Apple TV Hacks and pretty much any Mac news sources I see one can:
- upgrade the hard drive (that one was obvious, and the meager 40GB borders to the insult when the fattest iPod sports a 80GB HD, what was Apple thinking?)
- enable SSH and AFP
- enable Apple Remote Desktop and VNC
- run Apache (opens the possibility to administer the beast through the web), Firefox or iTunes and VLC
- convert Xvix/WMV/Divx for Apple TV playback
- rip DVDs

And whatnot!?! I wonder if you could use an Apple TV as a NAT router (think of a nice mix of Apple TV + Mac mini, this thing would just be missing an iPod dock connector and a DVD player/recorder).

What's funny is that, for decades, Apple has been known for producing machines that can't be hacked and customized at will. I'm amazed at how willing people are to void their guarantee to tinker with an appliance that's designed to be, well, non-customizable. I hope marketing is watching this very carefully at Cupertino.

Spymac is not the only spammer that abuse people in asking for their webmail credentials to exploit users' address book in a deceptive viral practice. According to this article and comments on Slashdot, you can add Flixster and Facebook to the list. It reminds me that Plaxo used to do that, and that was a strong enough repellent for me to not only use them but bar them from sending me any further message. Those guys play in the same league as spammers, phishers and scammers.

Oh, now I can see it (I know I'm late, just spotted it in your concordophilia). Congrats my friend. I too wouldn't advice to drive across the country without, at least, a diploma in fluid mechanics :p. I've been raised in half a dozen of those, and my parents' garagiste was literally part of the family.

It's not in my nature to regret anything but, gosh, why did my parents drop the DS before I was old enough to drive one? That was a fantastic car.

About two years ago, Bits of Freedom demonstrated that one could easily get a European ISP to pull public domain material using unsubstantiated legal threats. It only took them a Hotmail account. This week, the SNCF (Société Nationales des Chemins de Fer français, the French national railways company), thanks to Typepad and the French law, demonstrated that one can do the same with a blog post.

Xavier Moisant runs a small collective blog titled "Train train quotidien" (a French expression meaning daily routine) focused on denouncing recurrent timetable and traveling conditions problems routinely endured by the travelers on the Le Havre-Rouen-Paris train line run by the SNCF. On March 16, he posted some visuals made by a certain "Teddy" that parody several SNCF visuals, to illustrate the recurring lateness of its trains, such as this one:

Meaning, roughly, "make the trains hours late - National Company of Late Trains".

You can check the official SNCF logo and signature on SNCF.fr (it reads "Give the train advanced ideas", there's a play on words as in French retard (late) is antonymous of avance). You can also check the other images from the MS Live Search cache of the deleted post.

Pretending that the blogger had infringed their copyright on their logos and visuals, the SNCF sent an email to Typepad France, and succeeded to get him censored. Typepad promptly (on March 21) deleted the post, its images and comments, then sent the blogger a nasty email backing up the dubious claims:

Following a complaint by the SNCF, we had to delete a post on your blog "Train-train" that contained several visuals using and modifying the SNCF logo. I remind you that this is illegal and, therefore, we have no choice but to suppress this type of content." (Olivier Creiche, Six Apart Europe General Director)

Trouble is, modifying a logo when done in the clear purpose of parodying, mocking or denouncing something, rather than being illegal, seems to be backed up by several jurisprudence: Esso against Greenpeace France22 (E$$O, 2003), Arreva vs Greenpeace (2003), Danone vs Réseau Voltaire (jeboycottedanone.com, 2003), where the appeal court consistently dropped charges made for copyright infringement, reasserting the freedom of communication against commercial trademarks. IANAL, but I'd not bet a buck on the legal ground used by the SNCF in this case. French law punishes with a one-year prison and 15,000€ fine sentence whoever maliciously uses the Electronic Communications law to take some online content down.

I think it's fair to say that this blog was relatively unknown until the SNCF made this move. Now, it's on the radar of prominent bloggers, and the story and those images have been aired on several trafficky blogs. A big mistake in terms of communication, and a demonstration that the blogs dynamics is something corporations need to understand better.
A few figures to illustrate this point, using Technorati ranks of the top 5 blogs referring to the story:

• The originating blog: Train train quotidien has Rank: 122,346 (75 links from 35 blogs)
• Les Influenceurs: Rank: 688 (13,488 links from 1,627 blogs)
• Pointblog: Rank: 1,880 (2,700 links from 950 blogs)
• Versac: Rank: 4,526 (1,995 links from 554 blogs)
• This blog, padawan.info: Rank: 13,570 (817 links from 262 blogs)
• L'Observatoire Des Blogs Francophones: Rank: 18,493 (513 links from 200 blogs)

Ironically, Typepad now hosts several copies of the images that the SNCF wanted to take down. What are they going to do now? And good luck with trying to play that game with my host ;-).

On an aside note, I think Typepad France made two mistakes:
- not warning the blogger in advance, allowing him to backup the post, files and comments
- claiming that what he did was illegal (how do they know?), instead of simply saying "we're sorry but we received a complain and the law forces us to take the following measures..."

P.S. (March 24): Olivier Creiche from Six Apart left a comment here to point out his follow-up response to the blogger. I find it impressive because, not only did he apologize for the chronology of events, but he went further than the confort zone provided to web hosts by French law (i.e. he could have left things as is in a status quo) by asking the SNCF to backup its threats with a legal procedure, otherwise Typepad will republish the note in 8 days. Pretty courageous when the law clearly favors cowardliness in this case, so Kudos guys!

Read this story about Spymac spamming people through GMail. I was apparently in Reid's GMail contacts and I got hit too. But what really bugs me now is that I got the spam from Spymac not via my GMail address but via my main personal email address on padawan.info, the one I gave to Google when registering to GMail, and one that neither Reid nor Spymac have (or should have). This means that either Spymac has got this address from Google or Google sent the spam on behalf of Spymac. The former looks more probable as the email source shows that the email was sent from a server named http11.spymac.net. They also got my full name. In any case, I didn't give Google the permission to share my name and private email address with a third party. (See post-scriptum below.)

This smells really, really bad.

P.S. the story still unfolds and gets uglier at each episode. Apparently Spymac has found a way to crawl one's entire GMail correspondence and spam whoever you have ever written to. That's how my personal address was hit, as Reid had sent me an email through GMail a long time ago. This is really maddening!

P.S. 2: per Reid's post and Garoo's comment below, I rule Google out as a culprit. But if what Spymac has done isn't against the Terms of Use of GMail, then Google has a problem. If it is against the ToU, as I think it is, then Google lawyers should talk to Spymac.

P.S. 3: Unfortunately, the practice extends.

Social networks are all the rage. Or so it seems amongst those who have jumped on the web 2.0 bandwagon, scratching their heads as they keep adding “stuff” to make their business more “web 2.0” — here a blog, there readers comments, or getting a hard-on at getting-rich-fast on “User Generated Content” (OMG! Free content to monetize !), whatever. The latest seems to build a “social network” on anything (probably when all other 2.0 goodies have failed to produce any satisfying result).

Every now and then, I get an email out of nowhere, claiming that XYZ wants to be my friend, or talk to me, or share stuff with me. Of course, for that to happen, I need to register on a site. And in almost all cases, I have no clue whatsoever who it is who wants me to join. The only clear thing I see is the service provider which wants me to grow its user base, but totally fails in helping people actually grow a social network (or at least pretending to help them).

Worst offender so far in volume: Microsoft MSN / Live Messenger. This service is a pure nightmare when you try to figure out who is who. When I get an email from a stranger it goes along those lines : “<Some pseudo> wants to talk to you! Download this free software. Note this email then do these complicated steps to blahblah...” (the French translation is actually incomprehensible). I have no way to know who's asking unless I send them an email. (My biggest gripe being that once someone is on my allow list, I've still got no way to remember who is who, so once in a while I get pinged by some pseudo who asks “who's this?” to who I can only reply by “who's this?”, utterly stupid.)

The latest offender is spymac.com, which sent me that email today (anonymized to protect the innocent):

Hi François Nonnenmacher,

<some dude> would like to share some photos, movies or files with you!
Signing up for Spymac is free, and takes less than a minute. Just click here:
http://www.spymac.com/accept.php?e=xxxxxxxx

See you there!
From The Spymac Team

p.s. If you are not interested, just ignore this email. Spymac won't bug you again and there's nothing special you have to do.

I have no memory for names, I really don't (to the point that it's embarrassing), so I have no clue who this dude is. The only link (and action) provided in this email is to accept a connection with two total strangers: 1) registering on an unknown site with a link that read "accept" and has an identifier in it, 2) the issuer who I still don't know. Spymac is really doing a shitty job here (at least, in the case of Microsoft, they provide you with some sort of idea of what Live Messenger is about).

In those times of spamming and phishing I would normally treat this email as pure junk, and trash it in half a second. But I tried to do a little research on my own. So I googled the pseudonym, found a few sites that have it as their domain name (still no clue and frankly I wouldn't want to be associated with some of them), found it on several prominent sites like Wikipedia, and Flickr. Hopefully my lack of memory for names is compensated by a good visual memory, I recognized the user icon on Flickr to one I know from the TextDrive community forum. I was also lucky to find the same user icon and pseudonym on Spymac.com, so now I know who this is. If this is Spymac's idea on how to build a social network, then I suggest they take some professional advice on social computing if they can get some common sense in the first place. But right now they're just shooting both themselves and their users in the foot.

I complained already in the past on how easy social networks are making things easier for their users to swamp their friends with invites. The trouble is just that, due to execrable execution from most of them, it's just social spamming in a click of a button.

I have yet to receive an invite to someone's cat friends list, but that too is around the corner I guess.

(BTW, Reid, no offense, but next time you want to share stuff with me, well, you know my email address, but please don't use the one that I exclusively reserve to friends to register me on unknown sites!)

P.S. Reid wrote back with the following, it gets even worse than what I thought:

> take no offense, but you inspired my second "social spamming" post ;-). And no, I won't join until I get a clue on the benefit of doing so.

My apologies. Here's what happened. I got an invitation from a friend
that I had not heard from in a while. So I checked it out.

As part of the sign up, the site asks you if you'd like to *check* and
see if any of your Gmail contacts are already members. It then,
without warning or permission, *spams* your contact list with invites.

Stern letters will be issued shortly. Again, sorry for the intrusion.

Spymac is actually spamming under the disguise of social networking. Craptacular:

A forum admin claims it’s simply not possible, in the face of multiple people saying “um, it happened to me.” And good luck trying to sign up for that forum to chime in.

[Update: Checking into this has revealed that I am not Patient Zero of this spam plague, I’m at least Patient Two … meaning two people before me had this same thing happen to them, which brought me into the chain. You are Patient Three of Spymac Spamplague 2007.]

Of course, I’ve emailed the appropriate addresses at Spymac, and, of course, I’ve heard absolutely nothing in response. So until I do, I have to assume that the folks that run Spymac.com are Bad Netizens who’ve let their greed to grow users overwhelm normal sensibilities.

And I have now seen as much of their site as I will likely ever see. Remember that old business homily, if you treat a customer right, they’ll tell a friend? Well, if you treat them wrong, they’ll tell ten friends.

Or a few hundred, if they’ve got a web site.

Or a few thousands! ;-)

I have two invites for Joost to give away before March 22. Leave a comment with a valid email address in the email field (addresses are not published this way).

Wow, gone in 30 minutes! (And me who thought nobody was reading my English blog.)

François and Xu, your invites are on their way.

For the others, be patient, there are more invites coming along the way, they're just changing the way they distribute them.

P.S. Offer closed, I got only two invites, don't know if I'll get more.

P.S. 2 (May 29, 2007): I finally got the chance to run the Joost Beta on an Intel Mac, so I sent the pending invitations (although I guess you probably got it via someone else who was faster than me ;-).

I wish I had a Wave Bubble ready for traveling quietly (especially for enforcing the "no mobile phones" rules in some trains here). It could almost get me back into soldering, although I can see things have improved (and miniaturized) quite a lot since the last time I used a soldering iron and chemicals to make my own circuit boards. (It's a bit like biking, I lapsed for 20 years and it's a whole new world out there.)

You have more details on O'Reilly radar where I spotted it, This is My Space:

The resulting device, which Limor admits is illegal to operate, will disable nearby cellphones.

Actually a few months ago, I was riding on Amtrak with a certain well-known blogger/hacker. It was late in the evening. A few rows ahead of us a woman with a loud voice recounted her day in excrutiating detail. This fan of Limor's pulled out a fake cigarette box and fiddled with it. Almost instantly, the woman's cellphone had dropped its connection. Oh my. What a shame there's such bad reception.

In today's talk, Phil and Limor speculated that maybe we ought to declare that we own the air space immediately around us. What if others could not violate this air space with cellphones? If they did, then my device would disable their device. Come too close and I'll turn off your cellphone.

A whole new definition of My Space! ;-)

I've been playing for a couple of days with Ning, in its recent reincarnation into a "build your own social network" playground. It's half-baked, to say the least.

The usability is terrible (e.g. you cannot see how many comments posts get from the home page; it took me one hour to understand how to fix the mention "United States" that kept appearing under my name — why is that a default? — until I realized that there are two completely different profile pages that are randomly linked under the same "Edit profile" link, you just have to be lucky to get the right one; if you're invited to a community and go to the Ning home page, you have no easy way to get back to your community home page, clicking on "My Networks" will give you a very unfriendly "You haven't created any networks yet!", etc.), the design is unappealing déjà vu, there are frightening omissions such as a total lack of RSS feeds in the private communities (a real show-stopper for me!), the email notifications don't work... I lost patience in two days. Apparently, they expect you to develop the missing features — that is not totally absurd coming from the original Ning perspective, but it is from the "everybody can build their social network" promise (as in "anybody who knows to develop PHP scripts").

The good things I can say about Ning are: the idea is appealing, especially the level of customization if you're willing to develop on the platform, and they can continue to bake it until it's properly cooked. But until then, I'm certainly not recommending it to the faint of heart.

Did I miss something?

If adoption patterns of wikis are of interest to you, don't miss Wikipatterns, an excellent initiative of Australian company Atlassian, editor of the wiki software Confluence^*.

Wikipatterns is a toolbox, not a recipe book, its content requires a certain knowledge of what a wiki is (here goes the mandatory Wikipedia definition of a wiki ;-). Its target audience is people whose goal is to spur wiki adoption in a community, but it also has some advice for developers, such as how to use WYSIWYG (one of my long lived pet request, since for me wiki syntax = WYSIFUC !).

(*) Wikipatterns isn't limited to a particular wiki software, and they have promised to put the content under a Creative Commons licence. This said I'm currently working on a project using Confluence, and I hope I'll be able to write about it soon.

If you have downloaded WordPress 2.1.1 sometimes between Feb. 27 and Mar. 2, 2007, your blog may have a security exploit added by a cracker who hacked wordpress.org servers:

This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

Fix if you're running version 2.1.1: upgrade to 2.1.2 immediately.

Vista product activation unpicked:

The greater broadband speeds available since the launch of Windows XP have made it a straightforward proposition to download illicit copies of Vista. Rather than going through the tedious business of running something like the key generation we've heard from Register readers that some people on either side of the Atlantic has surreptitiously used the activation codes printed on boxed copies of Vista to get their system up and running. Use of cameraphones to capture these codes makes the process a breeze, we're told.

We don't know how widespread this practice is but it creates a headache for Microsoft, as pirates activate the codes before they are used by legitimate users.

Activation codes visible on unpacked boxes? Unbelievable.

The scandal of electronic voting in Europe continues with a new episode: Jan Groenendaal, head of the Nedap/Groenendaal consortium which builds the Nedap voting machines, is apparently threatening the Dutch governement. Read the whole article, it's really enlightening.

As machines unreliability and lack of security are being exposed, and therefore banned, one could see this coming as obvious. I hope this whole mess falls apart quickly across Europe, and everybody get back to their drawing board, politicians first for playing fools with democracy.

As for our American friends, I'm not sure they're getting it:

The state of New York is currently contemplating buying 28.000 Nedap voting computers (sold as "LibertyVote") and accompanying software (appropriately named "LibertyControl").

I hope they're getting LibertyFries with that! :p