More Bugs Found In Advertlets’ System

This is getting ridiculous. After all the suggestions and bugs I found in Part One and Part Two of my reviews, and a short follow-up here, the Advertlets’ team doesn’t seem to have learned anything at all! I wonder if they ever will.

So, they have made some changes to their system AFTER reading my reviews. To summarize the whole story, those bugs I found shouldn’t even have been there in the first place. Proper testing of the system would have ensured those bugs were found and fixed BEFORE their system was launched. Having bugs like that after over 300 people have registered an account with them could be very dangerous. That proves that they did not conduct a proper test on their system before it was launched.

I don’t believe that they have learned their lesson because if they did, I wouldn’t have found another bug in their system. This is not some MAJOR bug but it does prove that they did not conduct a proper test before releasing their new updates.

They provided a new option in their publisher’s admin area called “Change Your Password“. As the name suggests, you may use it to change your password (which I highly recommend you do). The funny thing is that they enforce a minimum 6-character password during registration but do not enforce the same rule when a user changes their password. I tried changing my 10-character password to a 1-character password, and it was accepted.

*sigh* I am your user, not your beta alpha unit tester, ok?

TenthOfMarch Calling Out For Help To Fight Internet Scams!

Yesterday, I read two articles in the newspaper with great concern.

Article #1: Student falls victim to Net scam
Article #2: Millions lost in e-invest scam

Scams — online or offline — are real. The hazards are real. Despite efforts from various parties trying to educate the public regarding scams, somehow the message is just not getting through.

Take Article #1 for example; the victim was actually conned TWICE, totaling RM148,000, on the same day and by the same group of people. The first attempt saw her losing RM46,000. Having caught a naive victim, her perpetrators tried to con her again, this time using a bigger cash prize (RM3.2mil) as the bait. Unfortunately, the poor victim fell for it.

We have probably all read, heard or seen news about people falling for scams. The victims range from Datuks to lawyers to college students to housewives. Most of them are well-educated people, yet they fail to identify these scams. There is nothing to blame but the lack of awareness itself. In the past week, I read two bloggers’ posts regarding scams through the Internet and SMS.

Scams and other methods of fraud will not cease by themselves. In fact, they will only grow and strengthen as new techniques and methods are used. Therefore, to tackle this problem I suggest we bloggers run a “Scam Awareness Campaign“. We will use our blogs to spread the message, warning readers to be aware of scams.

We can set a date (e.g. 30th April 2007), and on that date all bloggers who are willing to join this campaign will write a post about scams in their own blog(s). It can be about how to identify scams, the latest scam techniques, scam prevention or any other related topic. The post doesn’t need to be long. Even a “Beware of scams!” message is sufficient. This is an opportunity to spread the message and help reduce the rate of scams.

You don’t have to be a Malaysian or be currently residing in Malaysia to join this campaign, because scams happen throughout the world. Check this and this out. The most important thing is, this campaign is FREE. You don’t pay anything to run it. Unless, of course, you say, “I pay for this site. Every alphabets, I pay for” (just joking). But hey, it is for a good cause.

Shoot for the moon. Even if you miss it you will land among the stars.
– Les Brown

It would be great if I could gather a large number of bloggers to join this campaign. However, simply not being alone at the end would suffice.

If you have any other ideas or suggestions to help promote this campaign, please leave a comment. To help me better understand the possible response of this campaign, please answer the poll below. Thank you.

**********

Will you join the scam awareness campaign?

UPDATE: I found another blog entry regarding scams. Go read her entry on what a live scam would have been like.

UPDATE 2: I wrote two posts in the past about scams as well. Check them out here and here.

UPDATE 3: Yet another post from LiewCF entitled, “Why Join Internet Investment Schemes“. At first glance, I thought he was ENCOURAGING people to join Internet investment schemes! LOL! However, after reading his post, I realize he was advising people against it. It’s a good read.

Advertlets’ Explanation To Why They Were “Lazy” And “Amateurish”

In the first part of my review on Advertlets, I used the words lazy, amateurish and shoddy work to describe the design, bugs and quality of work that I found in their system. I was challenged on it, but it was answered by these comments (here, here and here).

I received an explanation from Firdauz (from Advertlets) which was supposed to ‘cover up’ all the laziness, amateurish, shoddy work and maybe even the possible password vulnerability that I found.

What’s assumed as laziness and amateurish was in fact, our best decision at that particular time.

Even up till this point in time, they have never stated that the users’ passwords in their system ARE ENCRYPTED. They mentioned how their system was capable of warding off “SQL injection, brute force attacks, URL guessing, and social engineering” and that their system is “indeed secure, and we can vouch for the protection of your data and password“.

However, the question to be answered is, “Are the users’ passwords encrypted?” It doesn’t matter if their system is 100% “unhackable” from the outside; protecting the users’ stored passwords is considered a fundamental practice in developing a system. The users’ passwords should NEVER be stored in plain text no matter how secure a system may seem to be — that’s the standard principle.

mooiness gave his point of view:

But you don’t let loose an application which fails one of the most basic principles, ie. password security.

You(r) best decision at the time should not have been this. To me, it sounded like you guys rushed it out the door so that you got something to show.

No – your best decision at the time should have been to put yourselves in the shoes of a user and whack the system as hard as you can.

One point that I missed out in my review is that they neglected one of the basic password security features — setting a minimum password length. According to this and this, the minimum length of a password must be at least 6 or 7 characters to be considered standard. Shorter passwords are considered WEAK and are more vulnerable.

However, I have tested it, and their system allows passwords as short as ONE character. I have one account whose password is “a” and another account whose password is “abc“. Let’s hope they did not neglect the most important security feature — encrypting the passwords.
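As an added example (not Advertlets’ code), here is how the two problems raised on this page fit together: the 6-character minimum that the registration form enforced (but the “Change Your Password” page in the post at the top did not) lives in one function that both paths call, and what gets stored is a salted PBKDF2 hash rather than plaintext or reversible encryption. The iteration count and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Added example, not Advertlets' code. The minimum below is the rule their registration
# form enforced; the iteration count and the in-memory store are assumptions.
MIN_PASSWORD_LENGTH = 6
PBKDF2_ITERATIONS = 100_000


def password_policy_violations(password: str) -> list:
    """Return the rules a candidate password breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    return problems


def hash_password(password: str) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 hash: not the plaintext, and not reversible encryption."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


class AccountStore:
    """Minimal in-memory account store; both entry points share one policy check."""

    def __init__(self):
        self.users = {}  # username -> stored hash string, never the password itself

    def register(self, username: str, password: str) -> bool:
        if username in self.users or password_policy_violations(password):
            return False
        self.users[username] = hash_password(password)
        return True

    def change_password(self, username: str, old: str, new: str) -> bool:
        stored = self.users.get(username)
        if stored is None or not verify_password(old, stored):
            return False  # current password must be proven before it can be replaced
        if password_policy_violations(new):
            return False  # the check the review found missing: same rule as registration
        self.users[username] = hash_password(new)
        return True
```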

If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.
(Weinberg’s Second Law)

What do you think?

Remove And Block SiteMeter’s Specificclick.net

The controversy over SiteMeter installing ‘spyware cookies‘ on visitors to its users’ websites, without anyone’s consent, continues. Apparently, the SiteMeter Team posted a reply to the spyware allegations. Despite that, one individual suggested that SiteMeter deliberately did not post any reply on its own blog, so that those who had not already heard about it would not find out.

Check out this post to read what others think and feel about the whole spyware cookie episode.

The “spyware cookie” that is created on the user’s computer without their consent is named specificclick.net. Well, it is impossible to tell the whole world to stop using SiteMeter. However, what you can do is protect yourself against it. It doesn’t matter whether you have a blog or a website. As long as you have been surfing the Internet for the past month, chances are your computer has already been infected.

What you need to do now is check whether your computer has already been infected. If it has, you will need to remove the cookie first. Then, you will need to block the cookie to prevent future infections. Michael Sync provided detailed step-by-step instructions on how to remove specificclick.net and how to block it from future infections.

After you have finished all the steps, visit a website or a blog that has a SiteMeter counter in it. Check the cookies that were accepted in that session after the page has fully loaded. If the specificclick.net cookie is nowhere to be seen, your ‘patch’ is successful.

Humans make mistakes. However, some mistakes can be avoided. SiteMeter sold out their users’ trust. Now, it is time to bear the consequences.

TenthOfMarch Reviews Advertlets From The Inside (Part Two)

(WARNING: This is a lengthy review) — Final Edition

This is the continuation of the first part of my review on Advertlets.

Right after I logged in, I was greeted by the screen below. Bear in mind that I placed high expectations on them after all the hype over “Web 2.0”, gradients and friendliness they said they provided. However, the screen below is just an eyesore.

Ugly looking statistics in Your Stats page

I think that “Imp” means impression, right? Why not write the full word? Since there is enough space anyway.

**********

Next, why is the first page I see after logging in the “Your Stats” page, and not the “Dashboard“? I don’t have a problem with it, just that in your navigation bar on the left, the “Dashboard” comes first, and only then “Your Stats” and the rest. Nothing major, and definitely not a bug.

TenthOfMarch recommends:
I think either displaying the “Dashboard” first or rearranging the navigation bar to show “Your Stats” first would generate a better ‘flow’.

**********

You have two pages (“Dashboard” and “Your Stats“) that show statistics. I agree that having some statistics on the dashboard would be great (IF you display “Dashboard” first after log in).

Statistics on dashboard page

Honestly, I am a bit confused which page you intend to come first. But based on my experience using blogger.com, their ‘dashboard’ comes first. Let’s assume your Dashboard comes first, then the statistics provided in the dashboard should be a general overview of all the statistics. While the statistics in “Your Stats” should be a more detailed version of it.

After analyzing your statistics, I can only know today’s impressions, total impressions from day one (I think) under “Total” on the “Your Stats” page, the past 7 days’ impressions, and monthly impressions starting from 2 months back. Why I say 2 months back is because there are no statistics that show impressions for the current month (April) and the previous month (March).

TenthOfMarch recommends:
Add statistics for the current and previous months. It would be great if you could provide daily statistics for at least the past 30 days. Some graphs would visualize the data better.

**********

If you look at the picture below (in their Dashboard), you will notice my account status is “Pending“. There are 3 reasons why it is pending but I want to highlight the 3rd point — Demographics Poll 100 more needed. I am not sure if it is only me, but I haven’t heard anyone complaining about this.

Firstly, they require members to have at least 100 unique visitors to their blog before they can join their ad program. Now, after I register an account, they impose an extra ‘requirement’ on me before I get a chance to see an ad placed in my blog? Is this right? I understand they need to have some ‘data’ before they can target ads on my blog, but they could have at least stated this ‘requirement’ before I joined their program. I think this is wrong but, like I said, I don’t see anyone else complaining.

A ‘requirement’ that was not mentioned earlier

The reason why I don’t like the idea of making the users get 100 polls answered before an ad can be served is that some (I found two already) of your users have no choice but to ask for answered polls from irrelevant individuals (people that don’t go to their blog but answered the poll for the sake of ‘helping out’).

Below are two screenshots that I took when I stumbled on Kenny’s blog. (both bloggers’ nicknames are blurred to protect their privacy)

Member begging for poll takers 1

Member begging for poll takers 2

TenthOfMarch recommends:
Inform users, before they register, that they are required to get 100 polls answered before ads can be served to them.

**********

My ‘test blog’ is at http://bunnymakemoney.blogspot.com. I notice most of the time that the “Ads Imp” increases together with the “Poll Imp“. Is this a bug, or do I just not understand how it works?

I also notice that a user can repeatedly ‘self-answer’ their own polls. I have done it 5 times just to test it out. All they need to do is refresh the page each time after they have answered the poll.

Poll statistics

TenthOfMarch recommends:
After a user has answered the poll, at least store the information into their cookie (or session). That will prevent them from answering it again.
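The refresh-and-answer-again bug above is a server-side problem, so as an added example (not Advertlets’ code) here is a poll tally where the cookie holds only an opaque token and the server keeps the record of which tokens have already answered; the `PollServer` class, its method names and the token format are assumptions made for the example.

```python
import secrets
from typing import Dict, Optional, Set, Tuple

# Added example, not Advertlets' code. The visitor's cookie carries only an opaque token;
# the record of who has already answered lives on the server, so a page refresh or a
# resubmitted form cannot add a second answer to the tally.


class PollServer:
    def __init__(self):
        self.issued: Set[str] = set()                 # tokens this server handed out
        self.answered: Set[Tuple[str, str]] = set()   # (poll_id, token) pairs already counted
        self.tallies: Dict[str, Dict[str, int]] = {}  # poll_id -> choice -> count

    def issue_voter_token(self) -> str:
        """Called when the poll widget is first served; the value is set as the visitor's cookie."""
        token = secrets.token_urlsafe(16)
        self.issued.add(token)
        return token

    def record_answer(self, poll_id: str, token: Optional[str], choice: str) -> bool:
        """Count an answer at most once per (poll, token); return whether it was counted."""
        if token is None or token not in self.issued:
            return False  # missing, unknown or stale token: nothing is counted
        key = (poll_id, token)
        if key in self.answered:
            return False  # the refresh-and-resubmit case from the review
        self.answered.add(key)
        poll = self.tallies.setdefault(poll_id, {})
        poll[choice] = poll.get(choice, 0) + 1
        return True

    def tally(self, poll_id: str) -> Dict[str, int]:
        return dict(self.tallies.get(poll_id, {}))


def simulate_refresh_attempts(resubmits: int = 5) -> Dict[str, int]:
    """Constructed scenario: one visitor answers once, then refreshes and resubmits `resubmits` times."""
    server = PollServer()
    token = server.issue_voter_token()  # stored in the cookie on the first page load
    server.record_answer("demographics", token, "18-24")
    for _ in range(resubmits):
        server.record_answer("demographics", token, "18-24")  # each repeat is rejected
    return server.tally("demographics")
```

A visitor who clears cookies simply gets a fresh token, so this stops accidental and casual repeats; tying the token to a logged-in account adds a stronger identity to key on.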

**********

In their “Your Stats” and “Your details” page, there is a note that says:

Please keep in mind that you will not be eligible to view your demographics data, or be eligible for payment until further details about yourself are verified, and further terms & conditions are agreed to. We will contact you shortly regarding additional information needed.

Come to think of it, I have never seen their terms & conditions and privacy policy page before (or did I just miss it?). Is it legal or right to run a website, requesting users’ information, without a terms & conditions and a privacy policy page? (I am not saying it’s illegal. I have googled and yahoo-ed but found nothing. This is just a question.)

TenthOfMarch recommends:
Change “Your details” to “Your Details”. Add a “terms & conditions” and “privacy policy” page. Ensure the users are aware of your terms and policy by adding a link at the registration form and a checkbox that they have to tick before they are registered.

**********

Next, the “Your details” page.

Your details page 1

Your details page 2

Your details page 3

It is very seldom that I come across a form that looks like this on the Internet. A professional-looking form would look more organized and properly arranged. Apart from the look of the form, I found that they did not design the database according to proper industry standards. If you notice, all the inputs that the user has to key in are textboxes. That means that they designed the database to store all information in this form as plain text.

Data such as “Date of birth” should be stored in a date format. “Postcode“, “Children” and “No. of blogs” should be stored as an integer type. “Race“, “Religion” and “Language Spoken” should be stored as char(1), enum, or similar. Ironically, two pieces of information (gender and blog category) that are dropdown lists on the ‘registration form‘ are also stored as plain text. Those should be stored as ‘char(1)’, enum, or another more appropriate type.

A properly designed database would lead to different types of input controls for the user to select from or type into, such as textboxes, dropdown lists and radio buttons. Below is a screenshot of GMail’s settings form.

Example of a professional looking form (GMail)
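As an added example (not Advertlets’ schema), the table below gives the “Your details” fields the types the review asks for and lets the database itself refuse the free-text values a plain textbox would accept; the constraint rules, the postcode range and the category values are assumptions constructed for the example.

```python
import sqlite3

# Added example, not Advertlets' schema. Constructed table for the "Your details" fields the
# review lists. The CHECK rules, the five-digit postcode range and the enum values are
# assumptions made for the example.
SCHEMA = """
CREATE TABLE publisher_details (
    id            INTEGER PRIMARY KEY,
    date_of_birth TEXT    NOT NULL CHECK (date_of_birth GLOB '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]'
                                          AND date(date_of_birth) IS NOT NULL),
    postcode      INTEGER NOT NULL CHECK (typeof(postcode) = 'integer'
                                          AND postcode BETWEEN 10000 AND 99999),
    children      INTEGER NOT NULL CHECK (typeof(children) = 'integer' AND children >= 0),
    num_blogs     INTEGER NOT NULL CHECK (typeof(num_blogs) = 'integer' AND num_blogs >= 1),
    gender        CHAR(1) NOT NULL CHECK (gender IN ('M', 'F')),
    blog_category TEXT    NOT NULL CHECK (blog_category IN ('personal', 'technology', 'other'))
)
"""

# Fixed column list: the INSERT below builds its column names from this tuple only,
# and every submitted value is passed as a bound parameter.
COLUMNS = ("date_of_birth", "postcode", "children", "num_blogs", "gender", "blog_category")


def open_store() -> sqlite3.Connection:
    """Create the typed table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_details(conn: sqlite3.Connection, row: dict) -> bool:
    """Store one submitted form; return False when a type or enum constraint rejects it."""
    sql = "INSERT INTO publisher_details (%s) VALUES (%s)" % (
        ", ".join(COLUMNS), ", ".join(":" + c for c in COLUMNS))
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, row)
        return True
    except sqlite3.IntegrityError:
        return False  # a plain-text column would have silently accepted the same value


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT count(*) FROM publisher_details").fetchone()[0]
```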

So, why should a programmer design a database according to the proper industry standards?

1. Rule Seven: Use appropriate types and constraints

The structure of a database is crucial to its ability to transform raw data into usable information. Each database should conform to a set of standard rules designed to optimize its utility. These rules make a database a flexible, usable tool, and not just a place to store information.

2. Poor design/planning

Since the database is the cornerstone of pretty much every business project, if you don’t take the time to map out the needs of the project and how the database is going to meet them, then the chances are that the whole project will veer off course and lose direction. Furthermore, if you don’t take the time at the start to get the database design right, then you’ll find that any substantial changes in the database structures that you need to make further down the line could have a huge impact on the whole project, and greatly increase the likelihood of the project timeline slipping.

3. How to Encrypt Passwords in the Database

Realize that the data in your database is not safe. What if the password to the database is compromised? Then your entire user password database will be compromised as well. Even if you are quite certain of the security of your database, your users’ passwords are still accessible to all administrators who work at the Web hosting company where your database is hosted.

As you can see, designing a proper database according to the ‘standard’ is very important. The proper formatting of the data/information given by their users (that is stored in the database) is crucial to a company. So, how could they possibly have missed this point? Combining all the simple mistakes/bugs that I found in the first review with their lack of effort in designing a proper database, 2 questions popped into my mind:

1. How much time and effort was put into securing the user’s privacy (password)?

2. Are the users’ passwords encrypted?

TenthOfMarch recommends:
You should spend more time designing a proper database. The longer you wait, the harder it will be.

**********

In the “Your details” page, there is an item, “No. of blogs“. What if I have more than 1 blog? Do I need to register a new account for each blog? Or one account to multiple blogs? In your FAQ, you mentioned “need to install separate tracking code on each site“.

By the way, in your FAQ, this question “How does the RM10,000 for first 200 bloggers program work?” should be changed to “How does the RM15,000 for first 300 bloggers program work?”, no?

**********

To summarize:
The guys behind Advertlets have put a lot of effort into the ‘front-end’ of their website. I love their poll, design and look. However, I personally feel that they should have balanced their time and effort a little more towards the back-end of their website as well. Iron out all the bugs, find more advertisers and you should be good to go.