Showing posts with label amazon. Show all posts

Friday, April 3, 2015

April Fool's Double-Cross: Amazon Dash


So it may be Game of Thrones month for the upcoming season 5 premiere on a lot of internet sites devoted to nerddom, but there was another important day this week that for the last few years has made the internet come alive in the name of comedy and foolishness.

That means shenanigans and hijinx.  April Fool’s day, to be precise.

Every year a lot of companies in the nerd space assail us with pranks for new games or new products or just weird stuff in general – and with each passing year we’ve come to expect it. Google reversed everything with com.google and let you play Pac-Man in your Google maps.  ThinkGeek advertised a Game of Thrones based edition of Clue taking place in Westeros, as well as a steam-powered Steam Box you could enjoy while drinking your Groot Beer.  Microsoft went old school and “launched” MS-DOS Mobile for Lumia devices. And Blizzard, with their tried and true pranks, introduced the T.I.N.D.R. Box as an in-game item.

(Sorry kids, the link for Game of Thrones Clue was taken down.  I’m hoping it’s because they’re going to MAKE IT REAL.  You hear me, ThinkGeek?  MAKE IT HAPPEN!)

But there was one trick I couldn’t figure out – and it was being played on me by Amazon.  You see, they introduced Amazon Dash on April Fool’s day, a series of push-buttons you can affix anywhere in your home so that you will never (ever) run out of stuff.  Stick a button marked “Tide” on your washer.  Press the button when you need more.  And more is bought for you.  And delivered with Prime shipping.  Check out the video below:



So clearly, this was just a joke, right?  There’s no way I’m putting buttons all around my kitchen for Amazon shipment so I don’t have to go to the store to buy things, is there? Crap.  I might.  It’s ~~possible~~ highly probable that I’m just that lazy.

So I gave it a couple days and let it sink in.  I figured maybe it would be a double cross and the reveal that it’s fake would be April 2nd.  Or maybe they were bucking the trend and trying to hit me with a slow roll prank.  Days passed and it didn’t go away.  It just got more fleshed out.  And it was then that it struck me – this is legit. I’ve signed up and I’m waiting for an invitation.  Amazon Dash is part of their Amazon Fresh service, and you can sign up for it here.  My address isn’t in the delivery area, but those April Fool’s buttons were just the start and I’m eagerly awaiting an expansion.  If nothing else, I’ll have something to review for you kids, right? Now it looks like there’s a barcode scanner, with voice, that will scan and link anything you swipe with your Amazon Prime account, setting up an order.  So in the wake of the confirmed legitness of Dash, to Amazon I have one thing to say:

You are absolutely brilliant.

From every aspect, Amazon is using the new “Internet of Things” craze to help people shop – and though these buttons are a bit weird, they might just save the day for people and families that are legitimately too busy.  Doubly true for routine things we buy on a regular basis, like laundry detergent, coffee, and razors for shaving.  What’s more is that big brands are getting in line to partner with them and be part of the program – after all, it’s their stuff we’re buying.

And how about debuting the program on April Fool’s day?  If nothing else, they made Dash a household name within 24 hours of internet exposure – they made sure that regardless of whether we thought it was a prank or not that we at least knew the name.  And whatever you truly believed, we were all scratching our heads on the 1st wondering if it was real.


So is this new IoT buying experience going to help streamline our busy lives, or is it taking us one step closer to what some would call our inevitable WALL-E future?  I guess time will tell as Dash rolls out to more markets, and makes its way to a home near you.  Here’s the latest from Amazon:



So let's see how this goes.

Thursday, March 7, 2013

EA's Bad Week - the SimCity Saga Thus Far


By now you kids know how I feel about always-on DRM.  It makes me angry.  It makes the fire burn in me belly.  And worst of all, it’s a trend that shows no sign of slowing down in the near future.  I vented and raged about Diablo III when Blizzard released it last year, seeing white hot flashes of rage at the fact that I couldn’t play my single player game offline.  Seemed reasonable to me of course, since the game’s predecessor allowed me to do so, but hey, maybe that’s just me.

As I’m sure we’ve all learned a number of times in any history class, relationship or other real-life happening, history seems doomed to repeat itself.  This time it wasn’t Blizzard at the heart of the controversy though – instead it was EA, one of the OG’s of always-on DRM, and the release of SimCity, next in that line of addictive little sim games.  Fans were looking forward to it, and would be erecting tiny digital skyscrapers as we speak if it wasn’t for an absolutely catastrophic launch.

You see kids, the city is a sim.  But the horror was real.

For the last few days since launch, a number of users haven’t been able to connect to the SimCity servers.  Of course no connection to the servers means – you guessed it – no SimCity to play.  The few players that are in fact able to connect are being dropped mid game with a suddenly severed connection.  The result?  Extremely unhappy gamers.  Check out the official SimCity Facebook page to see the kind of ire they drew from their customers.  You can take another digital trip over to Reddit where the subreddit /r/SimCity has a ton of discussions between unhappy peoples.

That’s the main story, but it serves as a springboard for a couple of other spinoffs in the SimCity saga.  Tuesday on the EA forums (I’d link but it’s since been edited), global community manager Marcel Hatam issued an apology to customers, saying: “If you regrettably feel that we let you down, you can of course request a refund for your order at [Origin's "contact us" page], though we’re currently still in the process of resolving this issue.”

Then I saw this floating around Twitter.  It appears to be a post of a support chat posted to the EA forums by a user going by the handle CalebPeters.  In that chat, we see the customer support representative telling the user that EA does allow users to request refunds, but doesn’t necessarily process them by their return policy, also adding that account bans are in store for users that dispute said policy.  Of course that chat image went Ebola-style viral across the web immediately after.  Marcel Hatam’s forum post has since disappeared, being replaced with the line “Please review our refund policy here: https://help.ea.com/article/returns-and-cancellations” (check poster EA_ComRaven).  This of course links to their return policy, which states that there will be no refunds.  Through their Origin account (@OriginInsider), EA then clarified that users would not in fact be banned for requesting a refund.  PHEW.  Three days of whirlwind nuttiness, all because of always-on DRM.  But wait, what’s that I hear?

**HERE COMES A NEW CHALLENGER!**

Enter Amazon into the heart of the melee.  Eager to spare their customers from what can only be referred to as a kerfuffle, Amazon has stopped selling SimCity on their storefront.  In addition to marking each purchase option as “unavailable” when selected, they give Amazon customers a warning: “Many customers are having issues connecting to the “SimCity” servers. EA is actively working to resolve these issues, but at this time we do not know when the issue will be fixed. Please visit https://help.ea.com/en/simcity/simcity for more information.”  Click that screenshot I took to see it full-size or hit up Amazon to see it for yourself.

So EA is trying to address the problem.  Naturally, they hate bad press and the prospect of losing future sales as much as the next company.  Today they announced that they are removing “non-critical” aspects of the game to help lower the stress on their servers, letting more people connect without getting the boot.

Now this is the second launch that I’ve seen destroyed by a publisher’s absolute insistence on always-on DRM (of course I say “destroyed” due to user backlash, not money).  It is also the second launch where the publisher claimed that the always-on component provided benefits and was not implemented for DRM reasons.  “Oh it’s technical” they say – well I ain’t buying it.  Diablo III‘s DRM-laden launch was paired with sales. SimCity will still sell a bunch of copies once they get all this sorted out.  That’s two, kids.  One more always-on DRM launch and I’m ready to call it a horrifying industry trend.

On an actual technical note, this was the second launch where AAA publishing houses didn’t properly test a stressed server load.  You’re requiring every single player to be online.  Don’t you think your servers and network should be beefed up to match it?

Wednesday, August 8, 2012

The "Epic Hack" of Wired's Mat Honan - Social Engineering at Work


[Article first published as The "Epic Hack" of Wired's Mat Honan - Social Engineering at Work on Blogcritics.]

I spend a lot of time and effort attempting to keep people safe in the digital age.  Whether it's on a professional level at my job or through my writing or social media, to me it's important that everyone is as safe as they can be, knowing that nothing is 100% foolproof.  Part of what I do professionally is keeping computer systems safe, and even I have had to go through the pains of wiping everything from my computer and starting from scratch more than a couple times.  It happens. Even to the nerd elite.

So when someone brings me their machine or reports some sort of issue, I know it's going to be one of a few things - (1) a virus, (2) malware/scareware or (3) phishing scams.  But these are all software methods with the aim of destruction or data theft.  Sometimes, especially with scareware, someone's looking for the user to give up a credit card number, a user name or password, account numbers of any kind, hell, even social security numbers.  The reason is that any combination of these things can be pieced together enough for someone to pass themselves off as you.  And once that happens, your digital life can be reduced to ruins. Accounts or credit cards can be opened in your name, and you can wave bye-bye to your credit, your money, or even your good name.  There are a lot of snippets of code or scripts or SQL injections (and blah blah the list goes on) that can do this to you.  But in my experience, knowing what I know and having had to help people protect against it, I've found that there's one tool that works better than all of the above combined, and that's social engineering. Low tech compared to software hacks, but highly efficient.  I wrote a bit a while ago on the topic concerning RSA if you want some details, but I'll nutshell the concept for you - social engineering means hacking people, not machines.


It's a fancy way of saying "tricking people into giving up information." And attempts have been made on all of you, whether you know it or not.

So why am I going all into this topic today?  Unfortunately the way things work in this world is that something has to happen to someone with some clout for an issue to be addressed. What I just described happened recently to Wired Magazine's Mat Honan.  A bit of social engineering with some security holes at both Amazon and Apple led to what Honan addresses as an "epic hacking."  He outlined his experiences for all to read yesterday, and it is 100% worth the read if you have a couple of minutes to do so.  He details everything from the what and the how all the way to actually talking to the hacker that broke into his life and the conversation they had.  I'll go over a little of it here.

Mr. Honan realized there was a problem on Friday - while he was trying to restore his iPhone, he was getting messages on his MacBook that his saved account information was wrong, asking him for a 4-digit PIN number.  The problem was, he didn't have a 4-digit PIN number.
His timeline that follows should scare the living hell out of you. Especially those of you that entrust all of your accounts to an AppleID.


Upon calling AppleCare for help, it was confirmed that they handed over temporary .me e-mail credentials to someone claiming to be him, and he watched over the next hour as that person reset credentials on his Twitter, then his Gmail, then wiped his iPad, and permanently reset his AppleID. But that was only the start - next was outright deletion of his Google account, followed by a remote "Find My" data wipe of his MacBook.  Now not only were all of his accounts effectively locked out to him, but anything on any of his devices that wasn't backed up was gone forever.  Maybe not such a big deal on his iPhone or iPad, but on a MacBook, his primary machine, that's a big deal.  He lost pictures of his kids, all of his email, and other data from the laptop that he'd never see again.  The hacker posted a new status on his now hacked Twitter account - "Clan Vv3 and Phobia hacked this twitter."


What the hell happened? In his extensive talk with AppleCare, he realized that all that was needed to get a temporary .me password reset were the last 4 digits of your credit card number and a billing address.  And how did they get that information? Afterwards the hacker (Phobia) contacted Honan.  In Honan's words:

"After coming across my account, the hackers did some background research. My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.

Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com. Jackpot."

Two-factor authentication being turned on probably would have been the end of this story.

But it went on.  Phobia indicated that any email address associated with an Apple account is pretty easy to get, and Amazon was the next target.  The same kind of trickery was used to fool Amazon into believing that Phobia was a legitimate Amazon user that couldn't access their account - changing the associated email, getting a password reset sent to that email, and logging in.  And what's on file on an Amazon account?  You guessed it, the last 4 digits of the user's stored credit card numbers.

And that's how it all comes together.  Like I said at the top of the post - Low tech, high efficiency.

Mr. Honan asked Phobia why they did this to him. Phobia's response was that they like to publicize security exploits so that all users can see what happens and be able to defend themselves from hackers.  It sounds like the so-called "hacktivism" we've seen over the last two years with stories like Sony's PSN fiasco.  But I'm really not sure how destroying a private user's irrecoverable data was needed to make their point.  If you want to do this thing for the public good, it is well within your power to do it without hurting any of the public involved.

But I digress.  Admittedly Mr. Honan made a lot of mistakes in how he had his personal security set up that led to his digital demise.  I don't mean stuff like strong passwords for people trying to hack their way in through brute force.  I mean other things people can do specifically to reduce their risk of low-tech hacks.  And I'm going to walk you through some of them to help you all stay a little safer at home.

Right off the bat he broke one of the cardinal rules of keeping your stuff safe - routine backups of important information.  Personally about once a month, or when I do something important or official, I back up one or more file sets.  It's the single best way of adding a layer of redundancy to your data in case something should go wrong.  You can use external USB drives, a cloud solution (if you're into that), CDs or DVDs, or a number of other forms of media.  Apple operating systems as well as Microsoft's Windows OS's come with native tools to back up your data.

Secondly, he used a common prefix for all of his accounts. If you have multiple email accounts, try not to use the same prefix for all of them - as in abc@hotmail.com, abc@yahoo.com, abc@me.com, etc.  If someone knows one of your addresses it becomes that much easier to guess what your other accounts could be called.

Available for Google accounts, and increasing in popularity in a lot of other places, is two-factor authentication.  For those of you that play any Blizzard games, this is the equivalent of your Authenticator.  It means that even if someone has your password, they can't alter your user info without that second piece of information.  Google and others use an "alternate email" or even phone numbers for extra verification.

Next is something that's Mac-specific, and that's the Find My Mac feature.  This is a great feature for the iPhone, because people lose their phones pretty frequently, and need to have some sort of tool to wipe that data.  For a laptop it could be useful, but be real, how apt are you to lose your laptop like you could lose your phone?  And as Honan notes, there are some problems with the implementation of the service, which has been part of their system starting with the Lion OS. Reversing a remote hard drive wipe is easy - but only if you're the one that did it.  If someone remotely wipes your machine, you don't have the PIN number you need to make that happen.  So until they improve it, my suggestion for most of you is to turn Find My Mac off.

In addition to these things that were relevant in what happened in this case, you need to make sure you know who you're giving information to and what you're entering information into. Let me give you an example - if I get a call claiming that there's an issue with my credit card, I don't engage it.  I will call my bank myself using a number that I know is real so I minimize any chances of someone getting my information.  It's little things like this that will help you minimize your risk of becoming a victim of social engineering.  And with all of the forms of social media, email and other types of accounts, there's more information out there to be got than ever before.

Since this event occurred, Apple has suspended over-the-phone AppleID password resets and Amazon has tightened up their security as well. Unfortunately Mr. Honan had to get hacked for them to take a closer look at their practices.
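The recovery chain and the fixes discussed in this post can be checked as a small dependency model: each account is a rule saying which facts are enough to reset it and what it exposes afterwards. This is an added example, not part of the original post; the fact names, the rule set, and the assumptions that the billing address is publicly findable and that Amazon support needed only that are constructed for illustration.

```python
from collections import namedtuple

# One recovery path: holding every fact in `needs` yields the facts in `gives`
# and, when `account` is set, control of that account.
Rule = namedtuple("Rule", "label needs gives account")

# Starting knowledge of an outsider. The Gmail address was on a public website
# (per the quoted account); how the billing address was found is not stated
# in the post, so treating it as public is an assumption.
PUBLIC_FACTS = {"gmail_addr", "billing_addr"}


def build_rules(google_2fa=False, shared_prefix=True, apple_phone_reset=True):
    """Return the recovery paths available under a given configuration."""
    rules = []
    if not google_2fa:
        # Without 2FA the recovery page shows the masked alternate address.
        rules.append(Rule("Google recovery hint", {"gmail_addr"}, {"me_addr"}, None))
    if shared_prefix:
        # Same prefix at every provider makes the other address guessable.
        rules.append(Rule("shared prefix guess", {"gmail_addr"}, {"me_addr"}, None))
    # What Amazon support accepted is not stated in the post (assumption).
    rules.append(Rule("Amazon support", {"billing_addr"}, {"card_last4"}, "Amazon"))
    if apple_phone_reset:
        rules.append(Rule("AppleCare phone reset",
                          {"me_addr", "card_last4", "billing_addr"},
                          {"me_inbox"}, "AppleID"))
    google_needs = {"me_inbox"} | ({"second_factor"} if google_2fa else set())
    rules.append(Rule("Google reset mail", google_needs, {"gmail_inbox"}, "Google"))
    rules.append(Rule("Twitter reset mail", {"gmail_inbox"}, set(), "Twitter"))
    return rules


def run_chain(rules, start_facts):
    """Forward-chain over the rules until nothing new falls.

    Returns (accounts lost, in order; labels of the recovery paths used)."""
    known, lost, used = set(start_facts), [], []
    progress = True
    while progress:
        progress = False
        for rule in rules:
            if not rule.needs <= known:
                continue
            new_facts = rule.gives - known
            new_account = rule.account is not None and rule.account not in lost
            if not (new_facts or new_account):
                continue
            known |= rule.gives
            if new_account:
                lost.append(rule.account)
            used.append(rule.label)
            progress = True
    return lost, used


if __name__ == "__main__":
    scenarios = {
        "as described in the post": {},
        "Google 2FA on, distinct prefixes": {"google_2fa": True, "shared_prefix": False},
        "Google 2FA on, shared prefix": {"google_2fa": True},
        "no phone resets at Apple": {"apple_phone_reset": False},
    }
    for name, cfg in scenarios.items():
        lost, used = run_chain(build_rules(**cfg), PUBLIC_FACTS)
        print(f"{name}: lost={lost} via={used}")
```

Swapping in your own accounts and their real recovery options shows which single change removes the most downstream exposure.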

If you have any questions, of course you know by now that I'm here for you America. You can find me at helpdesk@tusharnene.com if you need some pointers.  Of course I can't do the fixes for you (I do have a day job) but I can try and point you in the right direction.

Tuesday, September 27, 2011

90. Amazon's Tablet Poised to Take a Bite out of iPad Sales?


[Article first published as Amazon's Tablet Poised to Take a Bite out of iPad sales? on Blogcritics.]

OK we’re going to do a little bit of word association.  I’m going to say a word and then you tell me what the first thing that comes to your mind is.  The word is…

TABLET.

So what image flashed across your mind?  The Ten Commandments? The Rosetta Stone?  Nah, chances are, for the majority of you I would think, the image you saw in your head was that of an Apple iPad.  And that makes sense.  When it comes to tablet computing the iPad is in fact the most popular device currently available on the market, with 29 million sold in just the first 15 months the device was on the shelf.   
And the masses love it for a number of reasons, whether that has to do with actual user need and functionality, cool factor, Apple fandom or simply being able to say “I have an iPad.”  So it sells.  At a $499 price point for the entry level model, it’s not really a tough sell to most folks either.  But what if you wanted a tablet but didn’t want an iPad?  What were the options that were available?  Windows 7-based slates were buggy and DOA to begin with.  Android-based units like Samsung’s Galaxy Tab and the Motorola Xoom couldn’t compete on price.  HP’s WebOS-based TouchPad tanked and triggered a fire sale.  Other cheaper models couldn’t compete on quality. 

So there the iPad sits, atop the stack of available tablets, on its golden mobile apple-shaped throne.  All of this bolstered, of course, by Apple’s ferociously loyal fanbase in the cult of Mac.  But I won’t deny the genius of Jobs.  He created a sub-market of computing that there was no real need for by introducing a product, and letting consumers create that need themselves.  Brilliance.  So now we have the current tablet market.  Out-speccing the iPad creates a disadvantage on price, outpricing it means lower quality, and no one has figured out a way to strike that balance and see the same level of success.

As my gaming roots run deep in Street Fighter, this is where I picture “here comes a new challenger!” flying across the screen at the prospect of a new tablet officially being announced this week by Amazon in a Wednesday press event.  And this fight card is shaping up to be a good one as both companies are doing well financially and have strong customer bases.  Both Apple and Amazon have first to market titles for different devices – Apple’s iPad for modern tablet, and Amazon’s Kindle as a modern e-reader.  The real difference between the two giants is tactics and content.

Apple has hardware, and that’s what brings in their dollars.  There’s a healthy amount of profit from hardware sales from the iPad, with Apple pulling down about $200 for each $499 iPad sold.  This contrasts sharply with Amazon’s Kindle strategy: they sell the WiFi model of their Kindle at a loss for $139.  They rely on sales from Amazon.com for their money making, which includes not only e-books, but video streams and music as well.  Logic would dictate that the same strategy will be used for the upcoming tablet, and with a projected $249 price tag, that seems highly plausible.

While sales tactics are at opposite ends of the spectrum, it’s going to be content that puts at least a dent in the iPad’s numbers, due in part to delivery through their Amazon Prime subscription program.  I myself am an Amazon Prime customer, and have been for a while so I could save money on 2-day shipping and get a deep discount when I need next-day air.  But over the last year, the Prime service has added a library of on-demand video streams of movies, documentaries and television programs for Prime Customers, which now makes the subscription more than worth the money in my eyes.  Recently they even inked a deal with Fox to add programs like the X-Files and Arrested Development to an already impressive lineup, making the $79/year fee a pretty good deal.  On top of that there’s a lot of potential of that kind of content paired with a mobile Android device for viewing it.  And let’s not forget that it’s sure to have a built in Kindle book reader.

Tablet users generally don’t use their devices for anything heavy or resource intensive, so after email, web, social apps and casual games, my guess is that next on the list is video and music, if my own use of my Droid X is any indication.  If that’s the case then the Kindle Tab doesn’t even have to come close to matching the iPad on specs, as long as it can deliver media content the way I think it can.  I’m not saying it will dethrone Apple on the tablet front, but it has the potential to at least pick up a decent chunk of prospective tablet buyers that were eyeing the iPad.  It’ll be priced right and have an extensive library behind it.