Category Archives: Uncategorized

CNN Daily Top 10 spam email shows failure of user education

Virus propagation follows an evolutionary pattern – the ones we see are the survivors, that have the right balance of technical ingenuity and social psychology to get themselves installed. I therefore conclude that lots of people have clicked Continue on sight of the following dialog, which you get if you follow a link on the CNN Daily Top 10 spam email doing the rounds right now (I have had it over 20 times):

In Firefox it is even cruder – just a link to a viral executable, click OK or Cancel.

What gets me is that this is such an obvious virus. Here are several clues:

  • The URL for the page is not cnn.com
  • The supposed Flash placeholder image is obviously faked. It says “Flash Player 0” is installed
  • The English is poor
  • This doesn’t look anything like IE’s normal behaviour when installing a new ActiveX control (it isn’t of course, it is just asking you to download an EXE)
  • Image missing on the dialog
  • The dialog doesn’t even mention Flash
  • I’ve not actually checked, but I’d be astonished if the executable is signed, so the user will have to pass further warnings unless they are running an ancient version of Windows
  • Of course I already have Flash 9 installed

I also presume from the success of the virus that either lots of people don’t have current anti-virus software installed, or that it was not updated in time to recognise this sample.

Why is this virus succeeding? I imagine because it is trading on two respected brands – CNN, and the fact that most people are happy to install Flash and know it is OK to do so (the real one, that is).

Shows what a tough job the security guys have. You have to assume people will click OK to almost anything.

The Sun swings it: Adobe AIR hits the big time

Desktop Keeley is a new Adobe AIR application from UK tabloid newspaper The Sun. If you are foolish enough to pass this dialog:

then you can benefit from:

Gorgeous Keeley is here to ease you through your day, putting a smile on your face and providing up to the minute sport info, showbiz gossip and news updates direct to your desktop.

She is too. No dull rectangular Windows; Keeley pops right onto your desktop. The default preferences reveal the target readership:


Keeley has a variety of animations and – credit where it’s due – the application is nicely done. From time to time she pops up and scribbles “Get back to work” on your screen. According to journalism.co.uk it broke The Sun’s download records in three days.

Now if Microsoft had done Bob like this…

Seriously – what with Adobe Reader 9 and now this, AIR is everywhere, or will be soon.


Hi res audio files that are no better than CD

Not that there’s anything wrong with a CD, when done right. Still, if you pay extra for something like a Linn Studio Master, at 96kHz / 24 bit resolution, you expect something which has better-than-CD audio quality (44.1kHz / 16 bit), even though some experts argue that you cannot hear the difference.

One audio enthusiast opened his Studio Master download in a sound editor and couldn’t make sense of what he saw. The conclusion, after some discussion: most likely the signal passed through a 44.1kHz digital stage at some point in the recording or mastering chain. That caps the content at roughly 22kHz, so resampling to 96kHz / 24 bit afterwards adds file size but no information, making true 96kHz / 24 bit resolution impossible.

It would be interesting to know how many SACD or DVD Audio releases suffer from similar limitations.


Thawte wants me to give away my password

Thawte is a supplier of digital certificates. I’ve used the company to purchase certificates for code-signing.

Today I received an email inviting me to complete a customer survey. I think it is genuine: if I look at the email headers, the source domain belongs to a marketing company called Responsys which lists Verisign as a customer. Verisign owns Thawte.

I clicked the link to do the survey. Immediately I was asked to enter my username and password on a web page owned by Taylor Nelson Sofres plc, which is a market research company. Again, it looks genuine.

What username and password? Well, I’m presuming it’s the credentials for my Thawte account that are being requested. Either that, or it’s a very broken survey.

I don’t get this. An authentication company sends me an (unsigned) email asking me to hand over my credentials to a third-party marketing company?

Could it be a phishing scam from someone who has hacked into these domains? It’s possible – I’ve emailed Thawte to complain so I may discover if this is the case.

Or just another example of woeful security on the Internet?

Update: just received an email apology from Thawte:

I wanted to reach out and apologize. The partner survey that was sent out to all recipients will be resent later on today with the correct link which will not require you to supply a user name and password.

Agreed, that you should not supply login credentials to a third party website.

Faulty survey, or a hasty change of mind? Let’s assume the former.


Web 2.0 for the rest of us?

We all know what Web 2.0 means. Google, Flickr, Facebook, Yahoo, mash-ups usually with Google Maps or Flickr, Salesforce.com, and anything but Microsoft. But what does it mean for everyday businesses, like some of the small businesses I talk to from time to time? Some are sceptical. One I can think of sells a successful software application but does not even run a support forum – why make it easy for others to discuss and publicise flaws and problems in your product?

I was interested therefore in a recent book by Amy Shuen, called Web 2.0: A Strategy Guide. A foreword by Tim O’Reilly says, "it is the first book that really does justice to my ideas". It was O’Reilly who popularized the Web 2.0 concept – and yes, it is an O’Reilly book.

Shuen writes enthusiastically about network effects, using Flickr, Netflix, Google, Facebook, LinkedIn, Amazon and Apple (iPod/iTunes/iPhone) as case studies. I enjoyed it, but the problem with this kind of book is the chasm between these few web giants and everyone else. Another problem is the tendency to ignore the Web 2.0 graveyard – thousands of start-ups that fail, or moribund and/or spam-infested blogs and forums. Since there are more failures than successes, it would be sobering to investigate these rather than riding a wave of Web 2.0 hype. Nevertheless, it is a thought-provoking book with an extensive bibliography, and not a bad starting point for investigating Web 2.0 concepts. I liked the “five steps to Web 2.0”, which begin with finding collective value and end with perhaps the most important, which is what Shuen calls “recombining innovations”:

New-style click-and-mortar, online-offline network partnerships focus on bridging and building new networks rather than replacing or disrupting the infrastructures of offline companies.

I’ve also received a short Web 2.0 book by Marco Cantù, called The Social Web. It is a brisk tour of the sites and concepts that form today’s online communities. Typical readers of this blog probably won’t find anything new here; but I liked the common-sense tips on things like blogging and creating interactive web sites.

I would argue that almost all businesses either are, or should be, “click-and-mortar” entities. Whatever business you are in, a useful question is: what proportion of purchases in your sector begin with or include a Google search? If the answer is significant, you are in the Web 2.0 business.

That does not mean SEO (Search Engine Optimization) is the answer to everything. I am an SEO sceptic. All too often, SEO is lipstick on a pig. Optimise your web site for users, not robots. Further, it is no good trying to get users to interact with you, if you are not willing to interact with them. Surprisingly, I see this all the time. I suggest spending less time worrying about high Google ranking, and more time worrying about what users find when they do land on your site.

The case studies that interest me most are where old-style businesses have found ways to engage successfully with Web 2.0 innovations. For example, I’ve written about kitchons.com, which services domestic appliances and tunes its business via Google ads. I came across another example today: a financial company which lets you put an image from Flickr on your credit card. Clever.

Web 2.0: A Strategy Guide by Amy Shuen (ISBN: 978-0-596-52996-3). O’Reilly $24.99.

The Social Web written and published by Marco Cantù. $17.39 print or $8.70 electronic, from Lulu.


Changing models of journalism

Chris Green, editor of IT Pro, has written about analysing professional writers in terms of “costs per unique user visit”. He says:

I honestly believe that in the not too distant future, online publications in all sectors, not just technology, will have to adopt a results-driven approach to freelance commissions in order to maximise revenue and to achieve maximum return from their freelance budgets.

The most likely outcome will be that publications begin paying writers purely on how much traffic an article pulls in. Also likely is that commissioning editors will need to take a more frequent and brutal approach to deciding which freelancers to commission regularly and which to drop from their rotation, based on the kind of metrics I am currently looking at.

I write for several publications, print and online, and in every case I am paid per word. If this prediction is accurate, how will this affect me and others who write for money?

Green says writers will have to work harder at pulling in readers. He talks about search engine optimisation (SEO), link seeding, cross-linking, encouraging comments, and supplying photos and even videos as well as words (no doubt to the fury of pro snappers).

If writers are paid per view, clearly they will have more incentive to do such things. Best tread carefully though. Link seeding done badly is spamming. Encouraging comments done badly is trolling. SEO done badly is keyword madness.

Further, there must be a reason why writers rarely write their own headlines. Publishers decided long ago (in print and online) that writing attention-grabbing headlines, which is a kind of SEO, is a job best done by specialists. So is snapping pictures, designing page layouts, and marketing the results. Giving the writer more of these roles doesn’t make sense except for low-budget publications like, errm, blogs. It also gives writers less time for their core competency, which is researching and writing.

Another problem is that not all traffic is equal. If a publication is ad-funded, then the traffic that counts most is that from potential purchasers, those who approve budgets or click ads. Click ratios are easy to measure, but profiling readers per-article is harder.

I agree that the Web is changing journalism, mostly for the better. One of my reasons for starting and persevering with this blog is that I value its immediacy, the feedback from readers, and the comments from those about whom I blog. The quality of the writer-reader interaction is immeasurably better than in the old days of occasional letters printed ages after publication.

Further, I don’t think any writer should mind being paid in some sense by results. Book authors have always had to put up with (or enjoy) this approach.

The problem is how to measure those results. Pay per view sounds good; but it punishes writers who happen to get commissioned for less popular subjects. If those subjects are nevertheless ones that the publication wants to cover, that suggests scope for bargaining.

What about measuring quality? The Register now lets readers rate some articles from one to ten. Nice if you get a good score; but is this more a measure of excellence, or of what readers agree with?

Kudos to Chris Green for throwing this open for debate.


She Loves You: the beginning of my music life

I am going to write about my life as a music fan, for no other reason than that I want to. The story starts in late 1963. I was 4, nearly 5. We lived in a big old farmhouse in Cheshire in north-west England; there was not a record player in the house. There was, however, a radio or two; and I recall this song being played.

She loves you yeah yeah yeah she loves you yeah yeah yeah she loves you …

I don’t know why I remember it, except that it is catchy as hell, and my dad complained about the lyrics. Unfortunately I don’t recall exactly what he said about them, but I can imagine … simplistic, repetitive, brainless, something like that. He was a lover of words and a published poet; his opinion was worth listening to.

In dad’s defence, I am sure it was not at all obvious that this is a great song. Somehow it captures universal human emotions in a way that almost anyone can relate to. Being a bit annoying to a man of my dad’s generation (he was 52) was part of the appeal as well.

As for me, at the time I didn’t have any opinion about the song. I recognized it though, and it is my first musical memory. It’s good to have one that has withstood the passing years so well.

She Loves You by The Beatles (1963)

Zavvi Direct saga highlights fake domain risks

A couple of weeks ago a fake UK web site called Zavvi Direct garnered thousands of orders for the elusive Wii Fit. Its success was based on several factors:

  • Ads on eBay and Google made it easy for potential customers to find
  • The Wii Fit shortage meant that customers were looking beyond their usual suppliers – hence eBay and Google – and perhaps taking less care than usual
  • Anyone selling Wii Fit at normal retail price is guaranteed a ready market, since it sells on eBay and Amazon marketplace at a premium of around 80%
  • Crucially, customers thought the site was run by Zavvi, formerly Virgin Megastores.

In fact it was nothing to do with Zavvi; as far as I’m aware nobody has received their goods and it is under investigation by police.

the fake Zavvi web site

I wrote this up for today’s Guardian. It was interesting to me because of the number of customers – known to be in the thousands – and as an example of Internet insecurity. As far as I know, none of the phishing filters built into browsers like IE7 or Firefox picked this one up – it’s not exactly a phishing site of course, but nevertheless was not what it appeared to be.

Now put this together with ICANN’s decision to expand the number of top-level domains – the bit after the last dot or couple of dots. It is already near-impossible to register all the possible, plausible variations of a domain name. In the Zavvi Direct case, the fakers got zavvidirect.co.uk, zavvidirect.com and zavvisports.co.uk. They could have used hyphens; they could have used .net or .org; they could have combined zavvi with other words such as games, gadgets, electronics, fast, quick, online, web. Now companies like Zavvi face the possibility of zavvi.gadgets, zavvi.direct, zavvi.electronics, zavvi.directsales, zavvi.shop or even shop.zavvi.

I am not sure that ICANN’s decision is wise. Currently it is possible at least to pre-register the most obvious names; now even that will be harder to achieve.

Still, it’s arguably not that much worse than the current situation. Further, the key players in this are not the domain registrars but the search engines. Nobody would have typed zavvidirect.co.uk into their address bar; they all went to Google or eBay. If these companies made more stringent checks, fewer people would be caught out. Note that all the customers I spoke to clicked on paid ads, not pure search results.
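The same mistake underlies both the CNN spam above and the Zavvi Direct site: a brand word appearing in a hostname is taken as proof that the brand controls it. As an added example, not code from either post, here is a small Python check that applies the two lessons: a link that is not under the brand’s own domain (cnn.com) and points at an executable, and the combinatorial growth of brand+word names across TLDs that makes pre-registering them all hopeless. The sample URLs and the “already registered” set are constructed for illustration (the three Zavvi names are the ones mentioned above); the list of executable extensions is my assumption.

```python
"""Brand-lookalike link checks: added example, not code from the original posts.

Two checks from the posts above:
  * a link from a "CNN" email whose host is not cnn.com and which points at an
    executable (the fake Flash-installer ruse);
  * registered names that merely contain a brand word, such as zavvidirect.co.uk,
    which a brand owner cannot hope to pre-register in full.
All sample URLs and the "already registered" set below are constructed.
"""
from urllib.parse import urlsplit

# File types a browser would offer to run or save; assumed list, not from the post.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd", ".msi")


def hostname(url):
    """Lower-cased host of a URL without userinfo, port or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_under_domain(host, domain):
    """True only for the domain itself or a genuine subdomain of it.

    A substring test is the classic mistake: it would accept
    cnn.com.example.net and notcnn.com, both of which belong to strangers.
    """
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def classify_link(url, brand, brand_domain):
    """Return the warning flags that apply to a link claiming to be `brand`."""
    flags = []
    host = hostname(url)
    path = urlsplit(url).path.lower()
    if not is_under_domain(host, brand_domain):
        flags.append("host-not-" + brand_domain)
        # Brand word appears in a host the brand does not control: a lookalike.
        if brand.lower() in host.replace("-", ""):
            flags.append("lookalike-host")
    if path.endswith(EXECUTABLE_SUFFIXES):
        flags.append("executable-download")
    return flags


def brand_variants(brand, words, tlds):
    """Plausible brand+word names across TLDs, with and without a hyphen.

    Every extra word or TLD multiplies the list, which is why trying to
    register them all defensively does not scale.
    """
    names = {brand}
    for word in words:
        names.add(brand + word)
        names.add(brand + "-" + word)
    return sorted(name + "." + tld for name in names for tld in tlds)


if __name__ == "__main__":
    # Constructed link in the style of the spam email: off-brand host, EXE payload.
    print(classify_link("http://cnn-top10.example.net/adobe_flash.exe", "cnn", "cnn.com"))
    # Constructed watch-list: the three names the post says the fakers used.
    registered = {"zavvidirect.co.uk", "zavvidirect.com", "zavvisports.co.uk"}
    candidates = brand_variants("zavvi", ["direct", "sports", "games", "shop"],
                                ["co.uk", "com", "net", "org"])
    print(len(candidates), "candidate names; not yet taken:",
          sorted(set(candidates) - registered)[:5])
```

The point of is_under_domain is the suffix test: checking that the brand domain is the whole host or follows a dot rejects both cnn.com.example.net and notcnn.com, which a naive substring match would let through. brand_variants only covers brand+word forms; adding word.brand and the new-TLD cases from the post (zavvi.shop, shop.zavvi) grows the list further still.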

In mitigation, while the Internet has caused this kind of problem, it also helps to solve it. Zavvi Direct customers soon found help on online forums – again through Google – such as Rpoints and MoneySavingExpert. These communities quickly waved red flags, their users received good advice about the best way to attempt to recover their money, and banks will be under pressure to act consistently.

In this particular case, it looks likely that most or all customers will get their money returned. Too late for the Guardian article, a spokesperson for Royal Bank of Scotland, which also owns NatWest, told me this:

In this specific case we can confirm that all RBS group card holders who are affected will be receiving refunds and that’s going to show on their accounts in a matter of days from now.

I was told that this will be automatic; so if you were a would-be Zavvi Direct customer and paid with an RBS card, sit tight for a week or so before complaining further.

Update: there’s more background on Zavvi Direct in this ComputerActive article.


MobileMe steals Live Mesh thunder

Yesterday I viewed Apple’s presentation for MobileMe. Here’s my quick take. Live Mesh is a true platform, whose scope extends well beyond MobileMe. Yet Apple’s marketing message is so close to Microsoft’s that most users will not see that difference. Here’s Apple:

Wherever you are, your iPhone, iPod touch, Mac, and PC are always current and always in sync. And with a suite of elegant new web applications, you can access your data from anywhere.

and here’s Microsoft:

No more e-mailing attachments to yourself. Instead, synchronize the information you need across all your devices. The most up-to-date versions will be at hand when you need them—at home, at the office, and on the go.

Apple calls MobileMe “Exchange for the rest of us”. This is spot on. I got onto the Internet in the early nineties. I opened a CIX account in 1991. I remember copying CIX scratchpads – all the downloaded messages – from one PC to another in an effort to keep them in synch. I moved on to POP3 email and still had problems. POP3 usually means deleting messages from the server when you download them; there is an option to leave messages on the server but it tends to be inefficient – I remember having clients that would simply create more and more duplicate messages if you did this. I tried Microsoft Outlook when it came out as part of Office 97, and copied the .PST file from PC to laptop to keep up to date. It was all horrible. Then I realised that Outlook only works properly as an Exchange client. I installed Exchange and loved it; it solved all my email synch problems.

Exchange is fine for corporates and the occasional geek, but Microsoft has done little to help individuals with their mail and contact synch problems. It acquired Hotmail in 1997, and came up with a series of half-baked connectors that synchronize Hotmail with Outlook or Outlook Express. After years of trying, these still do not work well; and I guess that IzyMail does good business enabling standard mail clients to work properly with Live.com accounts.

With MobileMe Apple is promising seamless Outlook integration, push email on the iPhone, synch across all devices, and an alternative web interface like Gmail combined with Google Calendar combined with online file storage up to 20GB. If it works well, it will be attractive even to PC users – though unlike Google’s services, you will have to pay a subscription. It will be $99.00 per annum for an individual, or $149.00 for a family pack.

Now, Live Mesh is great for file synch, but how do I synch email with it? Where is the Live Mesh calendar? Ah no, for that you need Live Mail. So does this work with Windows Mobile? A thread like this is all too familiar:

Using my T-Mobile Shadow with Windows Mobile 6.0, I tried to log on to my Windows Live Calendar. I receive the following message:
JavaScript required to sign in. Windows Live ID requires JavaScript to sign in. This web browser either does not support JavaScript or scripts are being blocked.

Maybe you are meant to use ActiveSync; but that won’t deliver push synchronization. And how about integrating your Windows Live Calendar with Outlook? There’s a connector but it’s for paid subscribers only. In fairness, Apple’s service costs as well. But Microsoft’s solutions to these problems are fragmented, inconsistent and frustrating. An it-just-works solution to PIM synchronization across all devices and on the web will be a winner. Exchange is nearly there already for corporate users (though if it were fully there, there would be no market for Blackberry); but for individuals, MobileMe may come as a huge relief.

I still like Live Mesh, especially its promise as an application platform in conjunction with Silverlight. MobileMe is a lesser thing in concept, but if it works as promised, it will deliver more value sooner for individuals. The main thing against it is that it will work best with the expensive, locked-in iPhone; plus you have to suffer the embarrassment of a me.com email address, or continue to advertise Apple with .mac. Now, how about MobileMe for domains?