Advertlets’ Explanation To Why They Were “Lazy” And “Amateurish”

In the first part of my review on Advertlets, I used the words lazy, amateurish and shoddy work to describe the design, bugs and quality of work that I found in their system. I was challenged on it, but the challenge was answered by these comments (here, here and here).

I received an explanation from Firdauz (from Advertlets) which was supposed to ‘cover up’ all the laziness, amateurishness, shoddy work and maybe even the possible password vulnerability that I found.

What’s assumed as laziness and amateurish was in fact our best decision at that particular time.

Even up till this point in time, they have never stated that the users’ passwords in their system ARE ENCRYPTED. They mentioned how their system was capable of warding off “SQL injection, brute force attacks, URL guessing, and social engineering” and that their system is “indeed secure, and we can vouch for the protection of your data and password”.

However, the question to be answered is, “Are the users’ passwords encrypted?” It doesn’t matter if their system is 100% “unhackable” from the outside; encrypting the users’ passwords is considered a fundamental practice in developing a system. The users’ passwords should NEVER be stored in plain text, no matter how secure a system may seem to be — that’s the standard principle.

mooiness gave his point of view:

But you don’t let loose an application which fails one of the most basic principles, ie. password security.

You(r) best decision at the time should not have been this. To me, it sounded like you guys rushed it out the door so that you got something to show.

No – your best decision at the time should have been to put yourselves in the shoes of a user and whack the system as hard as you can.

One point that I missed in my review is that they neglected one of the basic password security features — setting a minimum password length. According to this and this, a password must be at least 6 or 7 characters long to be considered standard. Shorter passwords are considered WEAK and are more vulnerable.

However, I have tested it, and their system allows passwords as short as ONE character. I have one account whose password is “a” and another whose password is “abc”. Let’s hope they did not neglect the most important security feature — encrypting the passwords.
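As an added example (not code from the post or from Advertlets), here are the two controls the post argues for, in Python: rejecting passwords below a minimum length at registration, and storing only a salted one-way hash rather than the plaintext. What the post calls “encrypting” passwords is done in practice with a salted hash (PBKDF2 here), so there is no key that could reveal the stored passwords. The minimum of 6 characters, the iteration count, the record format and the sample sign-ups are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# The post cites 6 or 7 characters as the common minimum; 6 is assumed here.
MIN_PASSWORD_LENGTH = 6
PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise as hardware gets faster


class WeakPasswordError(ValueError):
    """Raised when a registration form should refuse the chosen password."""


def validate_password(password: str) -> None:
    """Enforce the minimum-length rule the post found missing."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise WeakPasswordError(
            f"password must be at least {MIN_PASSWORD_LENGTH} characters, "
            f"got {len(password)}")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The plaintext never appears in the record, so a leaked table or a
    curious employee does not learn the password itself."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats shared lookup tables
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(users: dict, username: str, password: str) -> None:
    """Registration step: enforce the length rule, then store only the hash."""
    validate_password(password)
    users[username] = hash_password(password)


def demo() -> dict:
    """Constructed sample sign-ups: the two passwords the post found accepted
    ('a' and 'abc') plus one that meets the minimum length."""
    users: dict = {}
    rejected = []
    for name, pw in [("alice", "a"), ("bob", "abc"), ("carol", "correct-horse")]:
        try:
            register(users, name, pw)
        except WeakPasswordError:
            rejected.append(name)
    return {"users": users, "rejected": rejected}


if __name__ == "__main__":
    result = demo()
    print("rejected:", result["rejected"])
    for name, record in result["users"].items():
        print(name, "->", record)
```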

If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.
(Weinberg’s Second Law)

What do you think?

38 thoughts on “Advertlets’ Explanation To Why They Were “Lazy” And “Amateurish””

  1. mooiness says:

    You are correct – the preoccupation with proving themselves immune to outside attacks still doesn’t address *any* of the points that you brought up.

    Without encryption, what’s to say a malicious employee cannot use the data for their own advantage? I’m surprised that they can’t even grasp this simple concept.

    It all comes back to what I had mentioned earlier – don’t they use web services themselves? Gmail, Yahoo, vBulletin forums … heck have they even tried using Adwords/Adsense, Text-Link Ads, ReviewMe or any number of other ad services as part of their competitive research?

    Because if they did, then they would know that their service is not up to scratch. At least NuffNang is willing to learn. All Advertlets is doing at the moment is constantly defending their sub-standard work.

  2. aw says:

    All said and done, I hope that Advertlets is not like the police: When crime rates rise, the police keep saying it’s because of low manpower, because of the citizens’ own carelessness and so on.

    Advertlets: it’s OK to mess up. Now just go and fix it, that’s all you have to do to expand the Malaysian blogger ads market.

  3. Amateur says:

    I get your point, but one thing that I don’t get is how is it Advertlets’ problem when users themselves choose to be so smart as to register with a single character password. Or even a bad password. A user’s password is a user’s password, it has nothing to do with Advertlets in my humble opinion.

    I’ve joined their service and luckily enough I’m not that stupid to register with a single character password or a password which is easily hackable on my part. It’s my fault if someone else manages to enter into my Advertlets account.

    Other than that, the same principle is applicable to any other online web services, if I choose to be clumsy and register with an easily guessable password, and someone manages to enter into my email account or my youtube account, etc.

  4. Boss Lepton says:

    Hmmm security should be the #1 priority in any case, agree. I’m not too versed with all these methods of encryption, but when I was prompted to set a password for the keyring in my Linux desktop, it had a password strength bar beside it; guess what kind of password is the most secure?

    case-sensitive password which includes symbols(

  5. Amateur says:

    The Advertlets team has just contacted me via email and stated that their minimum password length for new registrations is now set at 6 characters.

    That’s quick action! Go Advertlets!

  6. Amateur says:

    Oh yeah.. if anyone is wondering, I contacted advertlets first on the issue, their quick response to the issue is a sure good thing for the future users of advertlets.

  7. mooiness says:

    @Amateur: not every user is tech-savvy. It’s in the best interest for a service provider to ensure that a secure password is used. If a user’s account was hacked into, it’s an unpleasant experience for both the user and the service provider.

    Services which suggest good strong passwords on the fly are the best, but at the very least, a minimum password length should be enforced.

    Moreover it should not be sent back to the server in plain-text. Anyone sniffing around on the same network as the user who happens to be changing their password or registering an account can see all the details clearly.

  8. TenthOfMarch says:

    I’m quoting this text from their ‘comparison-chart’ page:

    “They then did not make any further comments – indirectly acknowledging the rest of the items was true.”

    Maybe that is why they did not comment on what I brought up?

    I am sure they are able to “grasp this simple concept” as you mentioned. However, understanding and doing are two different things. If you check the sentence I quoted from Firdauz, you will know where I am going with this.

    I wouldn’t want to comment on the police force 😉 but I agree with you.

    @Boss Lepton

    Anyway, I remember registering for an account some time ago, where they DO NOT allow me to proceed if my password is too weak (ie. all text only). So, I had to mix it up with at least a number in it, which is good practice.

  9. TenthOfMarch says:

    I don’t think the URL and e-mail you entered belong to you. Since you said you have registered with Advertlets, I believe you have a blog.

    Please contact me with your blog address and e-mail address.

    Everyone gets to speak their mind here — agree or disagree with my points. But I don’t allow anonymous comments like this. If you don’t respond within 24 hours (wahh…sound so serious), I will remove your comments.

  10. mooiness says:

    @Boss Lepton: I think the fact that his/her nickname is “Amateur” says a lot. I mean, can they hide their thinly-veiled spin control any better? 😀

    Methinks that they need better PR personnel. Right now, it’s just embarrassing.

  11. suicidal says:

    HAHAHAHAAHA if that is really someone pretending to be someone else.. that someone is really really sad. If something so amateurish and lazy can be passed off as their best decision, they’ve got a long way to go before they convince me man.

    Btw TOM, I’ve PM-ed you (hence I’m not anonymous anymore) so pls don’t remove my comment? lol :p

  12. Mossie`Ol Chin says:

    Words said, whatever it is, I think the very least anyone with the right mind going to start a service must at least fulfill all the textbook 101 issues – be it security, be it marketing (just to name 2).

  13. TenthOfMarch says:

    Well…some of us need some “entertainment” like that once in a while.

    LOL. No no. I won’t be removing yours.

    I have checked out your blog. Nice — with your picture and all. But one thing is missing though.

    Where is your Advertlets’ banner/poll?

    @Mossie`Ol Chin
    Agreed. Nothing is more important than securing their user’s information and privacy. In fact, their “best decision at that particular time” is the WORST decision that they have made.

    How much time will they save by neglecting all the issues that I raised? An hour? A day? Whatever amount of time they saved is insignificant compared to the harm that their negligence could have caused.

    The fact that they have collected over 300 users’ information (eg. name, address, e-mail, username, passwords, etc) and do not display a “privacy policy” page is worrying.

    What will they do with the information? A “privacy policy” is like a set of “rules” (I think) on what they can do with the user’s information. By not having one, does that mean that they can do whatever they wish with the user’s information?

  14. ABC says:

    Hahahahaa… this is the joke of the century… i mean… seriously… Josh Lim and team.. if you need more publicity… JUST SAY SO… maybe we can all help to pull some strings for you…

    Amateur, you used the right nick to defend advertlets.. having said that …funny that you gave us a blog with no advertlets ad and yet preaching of efficiency.. it’s like crying wolf.. evidence speaks for itself – try looking it up.

    I believe we prefer a more intelligent person to talk about this.

    Just out of curiosity… what’s the point of having a password when it’s not secured. In that case why not remove the password accessibility? If it’s not secure and you still proceed… you’d most probably want the whole world to know your secrets. From a dumbo amateur, like myself to another like you.. I’d stop you my friend before your life becomes like Britney Spears. If you talk about tech savvy or not so tech savvy, an incubating baby would know that security to a site (which most importantly involves money) is bloody important. Would you sign up for online banking if there is no security?

    POwer to mooiness. you rock \m/!!! and hands down and foot to leptn.

    Kelw: have you wondered why any devil’s advocate/blabla/doofus nick stops impersonating advertlets IP or somewhat? by all means if it’s so easy to create? why not rub more salt in?

    Keeping myself anonymous again. You know where to find me. Don’t post this if you don’t want to.

  15. TenthOfMarch says:

    @Boss Lepton
    Eh, is it? I know cannot…but I didn’t know friendster also cannot. That means…that bugger cheating me lah!?

    Oi! Cheating me is it? Who are you? Where is your blog?

    I sent you a message through friendster yesterday evening (20th April). Have you read it yet? Please reply through friendster.

    Waahhaha. That’s a big smack in the face. *OUCCCHHHhh

    I’m not sure if you guys noticed. Whenever people like “DevilsAdvocate” and “Amateur” post a comment…Josh and the team will be ‘quiet’. You never get the two of them commenting at the same time (same day at least).

    To be fair to them, DevilsAdvocate and Amateur could have been someone who is anti-Advertlets. His/her purpose could be to disguise as them, in hope to be caught. But then again, what are the odds? Who so free nothing to do, do all this nonsense?

    [At this point, I can sense Mr Lim pointing his fingers at me, shouting, “YOU LAH! YOU …”]

    Hmmm…true. If someone really wants to hurt their image using this trick, why not cause more harm? But then again, the way Amateur posted and the comments he made also considered very foolish already. LOL.

    Oh yeah, I don’t mind people commenting anonymously. As in, you can use different ‘nicknames’ and leave out the URL. If possible, at least provide your real e-mail address, in case I want to contact you. The type of comments I don’t like are those like DevilsAdvocate and Amateur (Mr. A disguising as Mr. B).

    -= UPDATE =-
    I stumbled upon this post. It looks like on 18th March, Jee (blog owner) did mention that Advertlets do not have a “Terms of Service (TOS)” page. I guess that includes “privacy policy” and “terms and conditions”. Look under “Miscellaneous” in the post.

    Again in the comments section, Jee wrote, “Still can’t seem to find your ToS though”.

    And the best part of it all, “to be honest, the success of both companies doesn’t concern me much”. I love honesty.

    I think you have delayed this for a little too long. Please put up your “privacy policy” and “terms and conditions” (or equivalent) pages ASAP. I don’t think it’s even legal/right to run a website, requesting for users’ information without those pages.

  16. kukujiao says:

    ***thumbs up thumbs up …

    looks like any college student final year project can be way better than them …

    you know what’s the difference between advertlets and some college student’s final year project?

    they lack the publicity like what Josh Lim is giving them …

  17. ABC says:

    hrm.. Well… for the part when devil’s advocate or amateur speaks… of course advertlets won’t come in.. how can they be talking to each other.. that’ll be Jekyll and Hyde.. I don’t think josh or any of his team has split personality as yet.

    I mean… where is devil’s advocate now? if josh claims that someone is impersonating him now, how come lil devil has not resurfaced since the 1st post? did they become best friends and he just decided to vanish into thin air? I believe amateur here will disappear soon enough (or not if he comes up with his imaginary blog which he pats advertlets’ shoulders about). And if you can hear me Amateur… We don’t really care how efficient in terms of corresponding and actions taken when in the first place.. such security measures are SUPPOSED to be by default.. let me make this simple for you… it’s like.. ordering a McValue meal without getting your fries or buying a shirt without buttons.

    on a personal note kelw, don’t TELL or advise advertlets how to run their policy. All we have to do is just find flaws. 😀 😀 😀

    my usual cue. you know where to find me kelw.

  18. Unknown says:

    if you guys are customers or publishers of advertlets i could understand your rants..

    but since none of you guys are their publishers or advertisers, should they take you seriously, right?

    even though you guys have brought up some really good points, i really don’t think you guys should be so caught up in the arguments.

  19. Josh Lim says:

    In case it wasn’t clear enough – passwords have been encrypted since day one. User security is a priority for us, and Advertlets could not have stood up to a very public challenge from a variety of methods to our security if it wasn’t.

    We are a business, and we know what needs to be done (even before you mentioned it). A lot of issues raised here have already been addressed, are in the process of being done and overall, we are continuously improving.

    I’m not sure if you’ve noticed, but any of you who have logged in or visited the site would have noticed quite a few changes, including earnings reports, statistics, additional user options and access to demographics polls, and the privacy policy, etc.

    It’s funny, but a lot of people here commenting aren’t actually even registered as having active accounts on our system, which brings up the question – how do you criticize something you haven’t tried? We invite you to actually try it, and send us your feedback on how we can improve further.

    At the end of the day, our system is secure, our publishers are getting their cheques soon, our advertisers are satisfied, and that’s what counts. Keep watching, let’s see what time brings, and whose minds we change. Cheers.

  20. ABC says:

    You see Josh….The fact finding from this blog convinced and tells a story otherwise which any of your team have ought to prove. (since my unfortunate dear friend amateur is not your team member, so he’s not counted as an answer to your ‘efficiency’)

    How is it possible that you are wiping away reality and not admitting mistakes, then claim that all of this has been made known to you? In that case YOUR BUSINESS is not the right business we or any of the other bloggers with integrity could ever possibly be interested in.

    Remember, that the reason all these write ups here about YOUR business is to define ‘QUALITY’ and ‘TRUST’ to blog advertising.

    This is just so simple. In case you are not aware, there are such things as ADMITTING mistakes and MOVING FORWARD.

    It’s funny you have never thought of it. Besides, I think your advertisers might be interested to take a look the articles here. Wonder whether it would be that cheerful thereafter.

    I’d be dying to see the results.

  21. aw says:

    OK I’m going to self-censor this one. 10/3, please remove my message above as I’m not going to spend 10 minutes typing out why I think so. Ahahahahahaha.

    I think better not hentam this Advertlets too much, if they go down, then no more fun. Who will Superman fight if there is no Lex Luthor? Ahahahahahahaha.

  22. TenthOfMarch says:

    FYI, I wanted to be a publisher of Advertlets. However, since my unique visitors a day doesn’t surpass their minimum requirement of 100, I had to create a ‘test account’ to enter into their system to review them.

    And I believe every single person who commented has the rights to comment and argue on all the points raised. Even though some of them are not publishers of Advertlets, they are *potential* publishers.

    As for some of the commenters who are tech savvy (or in the IT industry), I believe they have the rights to comment because the errors and faults done by Advertlets reflect a bad image on the IT industry as a whole. I believe the IT industry is a professional industry which has its own sets of standards that each IT person has to follow.

    You must remember. Advertlets are dealing with HUNDREDS (in the future THOUSANDS) of individuals’ sensitive personal information such as telephone numbers, passwords, addresses and more.

    @Josh Lim
    “Amateur” posted 3 comments and logged 2 different “sets” of IP addresses. Guess what? Both of his IP addresses link to you. Of course, “ip spoofing” bla bla bla. Guess what else I found out? Both of you even use the same feedreader to access my blog, the same version even.

    If those comments made by “Amateur” are really from you guys, I think “irresponsible” will be the next word to use.

    I don’t want to bring this up, but you seem to be lingering with confidence too much. In your blog, you said, “From our logs, we could see as various methods were tried”. A real hacker will NEVER leave his trace in any logs. They would have been smart enough to bypass the log files. Therefore, what you are seeing in the log files, are just amateur attempts to ‘test’ out your system for BASIC loopholes.

    So, if you’re just boasting with confidence based on the log file details, I think you should stop.

    Most of the issues raised here should have been addressed before launching your system. Not after getting hundreds of people registered.

    I was getting worried if I should censor it myself. Since you insist, it’s my honor:-)

  23. mooiness says:

    More spoofing?!!? Oh man. Will the hilarity never end? 😀

    “Amateur” – at least they’d chosen a most appropriate alias this time.

  24. TenthOfMarch says:

    I didn’t report earlier because I wanted to “wait for bigger fish”. If I just say “IP is the same” again, then ‘boring’ right? I was looking for 3 factors. Now 2 out of 3 are confirmed. I’m still waiting for the 3rd one. But the 3rd factor is not so ‘strong’ because it’s more common. So the 2 should be enough already.

  25. hongkiat says:

    I guess we should stop here. Maybe we should help them instead of attacking? What you think TenthofMarch? Advertlets or Nuffnang, it doesn’t matter now. They are new but at least they are Asia’s first two. It’s a win-win situation I see here, if they can improve from bloggers’ suggestions and findings.

  26. TenthOfMarch says:

    @ABC & Freethinker
    Eh-eh, the two of you don’t make me shiver ah. If you want to talk things like that, please send “private messages”. 😛 .

    Thanks for dropping by and leaving your comment. Just to clear things up, I am neither here to condemn/attack anybody, nor am I here to help anybody. I am here to blog, and continue to blog I will.

    If you have been following my posts and comments, you will know the seriousness of the flaws that were found in Advertlets’ system. I think you are a tech guy yourself (are you?), therefore you should understand the degree of vulnerability it causes.

    The comment made by ABC, especially this phrase, “ADMITTING mistakes and MOVE FORWARD” is very true. They might not want to admit openly that they screwed up, but the least they could have done would be to just shut up, fix the loopholes, and move on. Instead, they gave excuses explanations that make no sense. Being a tech guy, do you buy into their explanations?

    Lastly, I believe their “tactics” of doing business is a pain in “everywhere”.

  28. adverlets is scam says:

    so pissed off with advertlets..damn. they never paid me since April 2008! the status said SENT, but I haven’t received any. then I checked out a couple of months later, still UNPAID. FYI now I have more than RM1000 in my account. but, I’ve just removed advertlets ads on my site after months of waiting (6 months). the real problem is they keep on beating around the system sucks matter how much you contact them. lastly they just ignored you! damn.

    I know, they gave lame excuse of click know what? I’ve received a thousand bucks from Google AdSense without having a single problem related to click fraud. we all know Google has very reputable plus advanced technologies to detect click fraud.

    I’m willing to DESIGN graphics related to this matter, FREELY! email me at for details.

    let ALL MALAYSIAN BLOGGERS know advertlets is SUCK!! and lets show what we bloggers can do!!

    adverlets suck!

