The Two Essential Ingredients You Need to Succeed at Everything

Years ago, when I was trying to market my IT services, lots of experts came out of the woodwork and told me I needed a gimmick to succeed. They had lots of ideas. One biggie was, do a direct mail campaign and hand-address the envelopes. That would make me stand out when everyone used computer-generated address labels for their direct mail campaigns. As I read this to myself now, it sounds like satire. But as sure as I’m sitting here typing–and not handwriting this–it’s true.

There’s more. Bloggers who succeed have catchy headlines. Headlines with lists and a call to action are especially good at attracting attention. How do you like mine? Dos and don’ts are also good. So, as a bonus, here are a couple of don’ts. Don’t bother with gimmicks. And don’t pander. People aren’t stupid. Save your energy for something worthwhile.

Which means, I’d better deliver on my attention-grabbing headline. Short and sweet, here are the two things you need to achieve success:

  1. Excellence
  2. Legitimacy

Feel short-changed? I never promised succeeding would be easy.

First, excellence. I want to be a great author. I’m not there yet but I’m working on it. My favorite author, Jerry Jenkins, is correct when he says great writing is where best sellers start. Jerry is the leader of a couple of paid authors’ groups of which I’m a member, and I treasure the dialog Jerry, the other authors, and I exchange regularly. Even when Jerry barbecues writing samples I share.

Jerry says, and I agree, without great writing, nothing else matters in the publishing business. Well, unless it’s a book about weird sex in Seattle. The rules of math and physics are absolute. The rules in life have exceptions. You might say, shades of grey. But they don’t happen very often – that’s why they’re exceptions; better to go after excellence than luck. This is true about all aspects of life, not just writing.

Don’t get me wrong. If somebody were to offer me $1 million for a random piece of my writing, I probably wouldn’t turn it down. I can buy lots of writing lessons with a million dollars, even with taxes taken out. But, when I really think about it, I’d like to achieve success the right way. My grandsons are watching and they need a role model. And that means, I need to learn how to be excellent.

Next is legitimacy. Jerry Jenkins and I disagree on this one. Which is okay. I’m the student, Jerry is the teacher, but sometimes students need to draw their own conclusions. I say legitimacy is an essential ingredient for success.  Jerry says excellence will carry the day. Maybe we’re both right. Maybe one leads to the other.

Here’s a quick story from 1995 when I was starting up my first independent IT consulting business. A customer with headquarters in Chicago and a major site in Minneapolis was in trouble after key IT people left, and needed specialized expertise I possessed to keep them operating. The sales rep from DEC, my former employer and the customer’s IT vendor, called me and asked me to contact this customer and help them out.

I called and introduced myself, but before I could finish two sentences, they shut me down and said I needed to talk to the HR Department. Story of my life.

A couple weeks later, the IT Director called me – this group’s boss’s boss. Apparently, the DEC sales rep had called him, told him about me, and he needed his problem solved. Immediately. He flew from Chicago to MSP the very next day and we set up the engagement on the spot at the airport. It lasted more than a year.

On my own, it didn’t matter what I had to offer. Without legitimacy I wasn’t getting in the door. With legitimacy, the customer literally–and I really mean literally–flew to me.

Now, here’s where Jerry and I might meet in the middle. While it’s true that endorsement from DEC gave me legitimacy, it’s also true I was one of the most knowledgeable people on the planet about the specific topic this customer needed.  Without that expertise, the endorsement may have opened a door, but no amount of legitimacy would have kept it open.

It’s the same today, in 2018, as it was back in 1995. I’m going to bust my butt to make Virus Bomb the best book it can be. I look forward to help from Morgan James Publishing for the legitimacy part. Let’s make some waves in the marketplace. Let’s succeed together.

May anyone who reads this also pursue excellence, earn legitimacy, and succeed.

Oh – one more thing. The hand-written signing gimmick. I almost forgot.

How to Steal Somebody’s Identity for Fun and Profit


I’ve written lots of blog posts about electronic data breaches and identity theft over the Internet. I even published a book about how a data breach might unfold, and I’m publishing another one about what might happen if a nation-state really does get serious about attacking the United States over the Internet. But for anyone looking for an easy way to steal somebody’s identity, here’s a retro way to do it, with a modern twist.

The picture at the top of this post is a USPS change-of-address packet. It’s filled with ads and one form. Here is a closeup of the form.

The form asks for a name, old address, and new address. Fill it out, mail it in, and the USPS conveniently forwards all your mail to the new address.

Let’s say I want to steal from, say, John Smith, who lives in Houston, Texas. I can walk into a post office in, say, Newport, Minnesota, fill out the form, put a stamp on it, and give it to the guy behind the counter. That’s it. A few days later, mail for John Smith starts coming to me.

It really is that easy. It happened to my friend Ann and her husband. Here is her story.

This gets better. When the credit card companies find out about John’s new address, they’ll start sending mailings to me. Paper statements have complete account numbers, which means I’ll own John’s credit card numbers. If I want John’s online banking password, I can call the bank, give them John’s new address, and maybe persuade them to reset his password. Or, maybe in a twist of irony, I’ll tell them John is a fraud victim and persuade them to cancel John’s old credit card and send a new one to me.

But relying on my social engineering skills to manipulate a telephone banker into giving me access to John’s information is risky. I have John’s address; now I need something John knows. His Social Security Number would be helpful. I’ve heard there are underground markets where I can buy Social Security Numbers, but I’m not sure where to find the best deals. No problem. Here’s the About page of a website named DeepDotWeb with lists of marketplaces, convenient category ratings, and all kinds of helpful consumer information. They’re even recruiting writers. Maybe I should sign up.

And what weapons does John have to fight back? The US Post Office will send a notice to John’s old address about his new address. Yep. Thanks to the USPS, stealing somebody’s identity is as easy as filling out a form.

Sooner or later, of course, the real John will find out somebody at my address stole his identity. But by then, it will be too late. I’ll live like a king for a few weeks and ruin John’s credit before robbing my next victim. Maybe I’ll use DeepDotWeb to find another marketplace and sell John’s Social Security number.

Who said crime doesn’t pay?

By the way, please don’t complain about publicizing a site like DeepDotWeb. If I could find it with a half-hour of Google searches, so can anyone else. Bad guys collaborate in underground forums all day long. Good guys won’t win by isolating ourselves from information.

Outraged? I know I am.

This should be easy to fix. When I change my US Mail address in person, I have to visit a post office and pick up the form. Why not fill out the form right there and give it to somebody behind the counter, along with my ID? At least I have to go to the trouble of getting a fake ID that way. Why does the Post Office want me to mail it in later with no proof I am who I say I am?

Maybe it’s time to make noise with our government officials. I found a contact link for the Postal Regulatory Commission. If several thousand people submit complaints, maybe they’ll get somebody’s attention. Or maybe they’ll disappear into a bureaucratic black hole.

Nah. Forget all that. I want to get rich quick. My name is Donald J. Trump. My old address is 1600 Pennsylvania Avenue, Washington D.C.  My new address is P.O. Box 111, Newport, MN., where I really did spend $15 in March, 2018, to rent a post office box for three months with no ID required.

Reboot your Internet router to fend off Russian hackers. And other fairy-tales.

It was all over the news. Russian hackers are inside home Internet routers across America, spying on us, stealing our identities, meddling with elections, and who knows what else. But don’t worry – just reboot that little box with all the wires connected to it and it all goes away. And if reboot is too technical a word, then unplug it and plug it back in. Just like your toaster. And to really make sure, press a little teeny tiny button and reset it back to its factory settings (which will probably break your Internet connection, but just call your ISP and they’ll fix you right back up). Here are a couple links to typical fluff articles:

Sometimes, we dumb things down so much, the information is worse than worthless.

Why is anyone surprised about Russian attacks? The United States and Russia have been adversaries since the end of WWII. If Russian hackers can find a way to use our Internet connections as a weapon, we should spend less energy on outrage and more energy understanding and defending against it.

More importantly, why do we throw away our critical thinking skills when the subject is technology? Does it bother anyone that this problem has been growing since 2016 and nobody noticed it until recently? I understand that not everyone in the United States is a software engineer, but even toddlers use cell phones and computers these days. Isn’t it about time the public acquired some Internet literacy?

Forget the Internet for a minute. If your car acted badly, and the suggested cure from the service department was, turn it off and back on again, would that be acceptable? What if the cure were to disconnect and reconnect the battery cables – the equivalent of a reset? Would you be curious about what went wrong and why? And wouldn’t you want it really fixed? Why do we accept weenie fluff around Internet technology when nobody in their right mind would put up with it anywhere else?

Here is a more substantive article from Brian Krebs: FBI: Kindly Reboot Your Router Now, Please. And a pointer to the original Cisco Talos blog that describes the attack, named VPNFilter, and what Cisco did about it.

And indeed, the Talos short-term recommendation is, reboot, and eventually reset our SOHO (Small office/Home office) Internet routers. The recommendation makes sense. But it’s not the whole picture. And the popular media short-changes the public by failing to inform about the broader context.

Here is a summary of what’s going on. Somebody – probably Russian hackers because the people who analyzed the malicious software noted similarities between what they found on SOHO routers and Russian code from other attacks – planted malicious software in thousands of SOHO routers. The malware has at least two components; one is in the system boot image and phones home for marching orders. The other is only in memory and contains the downloaded marching orders. These may change every time the router phones home, which explains why the analysts don’t know all the details around this attack.

“Phone home” means contacting a command and control mother ship server over the Internet. Apparently, VPNFilter drones find their mother ship via a DNS name. DNS, or Domain Name System, translates names to IP addresses. Think of DNS as kind of like a phonebook on the Internet, which comes in handy when the mother ship moves. When the mother ship moves to a different IP address, its masters can update its DNS records, and VPNFilter drones around the world can still find it.

This worked until recently, when the FBI seized that domain name and pointed the name to its own servers. So, when  compromised SOHO routers phone home, now they contact the FBI instead of the Russians.
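The same name lookup that lets the malware find its server also gives defenders a signal, shown here as an added example that is not part of the original post: it scans resolver query logs for lookups of a seized command-and-control name and lists which clients are still phoning home, including after a reboot. The dnsmasq-style log format, the domain `c2-placeholder.example`, and every address and timestamp are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder for a seized command-and-control name. The post does not name
# the real domain, so this value is constructed for illustration.
SINKHOLED_DOMAINS = {"c2-placeholder.example"}

# Constructed dnsmasq-style resolver log (not real traffic).
SAMPLE_LOG = """\
May 28 09:14:02 dnsmasq[412]: query[A] www.example.org from 192.168.1.23
May 28 09:14:07 dnsmasq[412]: query[A] c2-placeholder.example from 192.168.1.1
May 28 09:15:40 dnsmasq[412]: query[AAAA] notc2-placeholder.example from 192.168.1.23
May 28 21:02:11 dnsmasq[412]: query[A] C2-Placeholder.Example. from 192.168.1.1
May 29 06:30:55 dnsmasq[412]: reply www.example.org is 203.0.113.10
May 29 06:31:00 dnsmasq[412]: query[A] img.c2-placeholder.example from 192.168.1.77
May 30 08:00:19 dnsmasq[412]: query[A] c2-placeholder.example from 192.168.1.1
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def matches_sinkhole(name, domains=SINKHOLED_DOMAINS):
    """True for a listed domain or any subdomain of it, never a lookalike."""
    name = normalize(name)
    return any(name == d or name.endswith("." + d) for d in domains)


def find_beaconing_clients(log_text, domains=SINKHOLED_DOMAINS, year=2018):
    """Map client IP -> lookup count, first/last seen, and names queried."""
    hits = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "names": set()}
    )
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m or not matches_sinkhole(m["name"], domains):
            continue  # replies, other log lines, unrelated or lookalike names
        # Syslog timestamps carry no year, so the caller supplies one.
        seen = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry = hits[m["client"]]
        entry["count"] += 1
        entry["names"].add(normalize(m["name"]))
        entry["first"] = seen if entry["first"] is None else min(entry["first"], seen)
        entry["last"] = seen if entry["last"] is None else max(entry["last"], seen)
    return dict(hits)


def still_beaconing_after(hits, reboot_time):
    """Clients seen looking up the name after a reboot at reboot_time.

    The component in the boot image is the one that phones home, so lookups
    that continue after a reboot mean that component is still installed.
    """
    return sorted(c for c, e in hits.items() if e["last"] > reboot_time)


if __name__ == "__main__":
    found = find_beaconing_clients(SAMPLE_LOG)
    for client, e in sorted(found.items()):
        print(f"{client}: {e['count']} lookups, "
              f"{e['first']} .. {e['last']}, names={sorted(e['names'])}")
    print("after reboot:", still_beaconing_after(found, datetime(2018, 5, 29, 12, 0)))
```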

Wonderful.  Our tax dollars at work. Factory-reset our routers and make the world safe for democracy again. Except, it doesn’t. Here is the dirty little secret with consumer Internet devices nobody likes to talk about. They all use old kernels with known vulnerabilities and none of the consumer vendors offer credible support. Does anyone seriously believe any consumer router vendor will spend money on software updates for a $50 box, and more money to hold consumers’ hands through an update process? Which means, after consumers factory-reset their routers, sooner or later, the Russians will build a new and smarter mother ship and come find them again. But this time, US law enforcement may not get lucky.

What do we do about it? SOHO router vendors and Internet service providers need to step up their games. Consumers pay a monthly fee for Internet service. And since Internet service providers usually bundle routers with monthly service, part of that fee should include frequent router updates, access to a router update site, and prominent and easy-to-follow update instructions.

Somebody needs to educate the public about what SOHO Internet routers do and how to maintain them. I’m not advocating turning everyone into network engineers. But with cars, everyone knows what the steering wheel, gas, and brake pedals do. How many consumers even know how to identify their Internet routers? This has to change. At minimum, every consumer should know how to log in to their Internet router, install updates, turn off remote management, and change (and record) its password.

We can beat back Russian hackers. And anyone else who wants inside our homes over the Internet. But we need to care enough first to take action. The media is in a position to lead the way. Up to the challenge?

 

Old-fashioned Identity Theft from the US Post Office

My friend and fellow author, Ann, and her husband found out one day they were identity theft victims because somebody hundreds of miles away filed a USPS change of address form in their name.  It’s mind-boggling that in today’s era of massive data breaches over the Internet, anybody can walk into a post office and fraudulently impersonate anyone else with a change of address form. Surely we can do something about this.

Here is Ann’s story, in her words.  I want to thank Ann for letting me share this.


Here is our experience with our identity theft and Mail Diversion Fraud.

We received a USPS mailed notification for a change of address for my husband’s name. We did not request USPS to change his address, so this meant it was done fraudulently. We contacted the post office, looked at our credit report, saw a bank card issued in husband’s name that we did not initiate, called that bank, canceled the thief’s card, issued a 90 day fraud alert and plan to lock our credit. Then we filed a police report here and in Dallas where the mail was diverted to.

To change or divert someone’s mail address to another mail address is easy. Post office requires no ID or proof of identity when change of address is turned in. It can be done online for $1.

Our banker mentioned this was his first experience with a customer who has had identity theft BY MAIL. The thief actually opened a bank card in my husband’s name- $15,000 limit. The action was likely done online and was issued by another bank other than our bank. It was a puzzling circumstance, because monitoring our existing bank accounts and cards showed no initial funds impact. I guess this “puzzle” of our mail diversion fraud made a pre-set course of action indeterminable, and so we had to make up our process as we went along.

We soon found out that although the identity theft occurs in different ways, the steps needed to amp up our security on bank accounts or credit card accounts would be the same as if there was theft caused by online data breach or by someone hacking into our existing accounts. Since no one gave us a checklist of what to do, we had to think like an identity thief and imagine “What if” scenarios to determine our recovery steps.

We felt an urgency to act fast as we had heard online theft drain of bank funds happens super-fast once a thief “gets in.”

Why? The average identity theft victim spends over 200 man-hours repairing INITIAL damage or instilling barriers to prevent future impacts from identity theft. Resurfacing of fraudulently obtained identity info can occur for 7-10 years or more. Your identity is now a new commodity on the dark web. A fraudulently obtained identity will be bought and sold, so every conceivable digital detail/doorway that could be breached by a thief must be locked down, closed, or changed.

An identity theft victim has to stay diligent in monitoring his or her accounts in an ongoing proactive way. The “small” minor theft of mail diversion fraud- false change of address accompanied by social security compromise is serious business. (If they open a bank card, they have your social security number)

There are two particular things/tips we wish Bank Institutions would do to help their customers with security.

  1.  ONLY print last 4-6 digits of accounts on statements! This seems so simple. Many other vendors do this. Having a full account number on a piece of mail makes looking up a user ID easy on the website. A thief may already have the password via email or other data breach.
  2. Have ALL bank mail envelopes (or at least those with bank account statements!) printed with USPS service called Return Service Requested. This, as some may know, tells the USPS that if a piece of mail cannot be delivered as addressed, the piece is to be returned, free of charge, to the sender, with the new address or an explanation of the reason for non-delivery attached to it, regardless of whether a change of address order is on file for the recipient. I understand from the post master this receipt of new address costs the business money to do BUT, this feature would be a courtesy to bank or credit card customers.

Here are the individual protection steps we eventually implemented. The steps came from conversations with all the people we have been in contact with- USPS, police department, ID theft watch services, experts in security….people in banking….

  1. DON’T ignore or delay opening a USPS mail item labeled “official change of address validation.” These should trigger when someone changes their address and the notice is sent to both addresses. We were out of town when ours came, but they seem to trigger and arrive in mail 5 days or so after change of address action is taken.
  2. Don’t delay action. Immediately call number inside on notice to tell them you did not change your address. Ask for a reverse order to be put in. This “reverse” will take a while 10-12 days? So we took matters in our own hands and filed a change of address online back to ourselves. We knew the forwarding address via Zander, our identity watch service that we hired. They picked it up and showed the address.
  3. File a police report. They will say their “hands are tied” to some degree because of the nebulousness of having a crime victim in one jurisdiction and the thief in another jurisdiction. Don’t worry about that. Just file. The case number you receive will allow you to extend a 90 day credit alert to 7 years if you opt to do this. You need the police case #
  4. At the same time you are filing police report, put a 90 day alert on your credit report and plan to extend that alert for 7 years or lock your credit.
  5. NOTIFY bank and card account entities. Do not close unless recommended, because new cards come via mail as do checks. Change passwords on ALL accounts and cards, and do not have one password for all.
  6. Monitor accounts for fraud activity and be prepared to shut down accounts and cards. Setting bank /credit card account ALERTS- (most online banking have alert options) is a relief. Make sure phone is set to receive alerts.
  7. Go paperless. Save trees and mail fraud headache in one action. To undo the change of address is slow and impact ongoing. The data is already online. Why should you be the only one not in the loop?
  8. Set up 2 step authentication. This is a process where ANY time anything is done on your bank accounts/cards a code is texted to phone and you have to enter it. Pain in the ! BUT if you are online doing your thing, then what difference does this one code action matter? 3 seconds more to get into your stuff. If a thief gets into your stuff, and you did not have this set up, it costs you 100’s of dollars and hours …so just DO IT!
  9. Set little used credit cards to have alerts when items charged. Better yet, get rid of all credit cards or line of credit accounts except what you actually need.
  10. Have everything set to alert to cell phone (or email) anytime online activity is engaged in on your account or card, that way if you get alert and you aren’t doing the activity, you can quickly shut it down. Thieves move very fast!!! By the way, the alerts we get do not require us to call or do anything. They are just alerts set by us to text to our phone (& email) over balance or transaction amounts or activity, and we simply see them and can feel relieved because we know it’s our own actions. If activity is NOT us, then we have a heart attack and call a hotline and shut it down.
  11. THE MAIN ALERT to set up? User Name attempt. An attempt other than you to retrieve an account’s user name should send you to the account asap. Setting up the alert keeps you from having to log in night and day multiple times a day. EVERYONE should have at least this one alert set up. If nothing else. User Name Attempt is first step of many fraud issues and very easy for thief to get. All you need is an account number, and the financial institution’s helpful “find your user name” feature carries the thief forward. Sure a password follows, BUT if you have had any email breach, it’s possible that the thief has it already.
  12.  Set up a verbal password. Any call made to your institution to “change a password” will not continue if you have asked for a verbal password of your choosing to be requested. Just don’t forget the verbal password when YOU need to call😊 Banks will straighten it back out with you in person if you forget.
  13. Security questions- Do them. Have them. Write it down and hide your book.
  14. Open a PO box to receive important mail. USPS has alerted on your fraudulently stolen address so it’s likely that you can’t actually change your address again so quickly, BUT you can have checks for new accounts or new cards sent to PO box if necessary. We had no actual fraud on our existing cards so did not shut them down. (Shutting down a card and getting a new one is a bad idea if you do not have an alternate mail address you can securely use.) REMEMBER with mail fraud it might be a while before you can count on all your mail arriving consistently, so you DON’T want to hand new bank cards or new account numbers to the waiting mail thief.

All these steps and actions seem extreme and time consuming especially if “nothing has happened” to existing accounts. (We’ve logged over 150 hours attempting to initially lock down accounts that were attached to the identity that was stolen via mail fraud.) However, Identity Theft is not going away. It’s the fad robbery of the day. Financial and health institutions who use/require social security numbers routinely to do business are most vulnerable entry points for a consumer whose identity has been stolen.

I’m a failure in more ways than I can count.  And that’s a good thing.

Many years ago, I spent hours and hours and hours listening to tapes about success and failure and the power of positive thinking.  And they really were tapes.  MP3 downloads weren’t invented yet. But despite all that good advice, for which I paid $4.99 per tape, I failed as an Amway distributor.  Failure was a bad word in those days. Failure was for losers and good Amway distributors were winners.  Anyone who failed was either lazy or didn’t believe enough in themselves to dig deep enough for success.

What a load of hogwash.

But what a learning experience. While failing as an Amway distributor, I learned not to fear rejection, I learned to approach people higher-up than me who had something I needed, I learned how to eat crackers for dinner at a Denny’s Restaurant in Terre Haute, Indiana, because I couldn’t afford to buy anything from the menu, and I learned how to make tough decisions.

And that leads to my career as an author.  Over the eighteen months from September 2016 into March, 2018, I sent queries to around 110 potential agents, looking for a traditional publisher for my second book. Around half sent form rejection responses, the rest didn’t bother to respond at all. A few took the time to write a real letter. Here is the first part of one custom rejection letter from an agent named Robin:

Dear Mr. Scott:

It’s nice of you to contact me regarding representation. I understand that you haven’t sold large quantities of your self-published book. The endeavor ultimately established the sort of readership you’re able to attract for the category in which you’re writing. A less-than-impressive track record makes it far more difficult to interest a major publisher in an author’s subsequent works. Perhaps a freelance book publicist could have been of some assistance to you.

I’ve been stewing about what Robin said for a long time. I know she’s only the messenger, but the message is, we all have exactly one and only one shot at success. If whatever you try doesn’t work the first time, then crawl back under whatever rock you came from, because you’re a loser and nobody bets on losers.

And that might explain why traditional publishing is in a slow decline.  I looked up revenue numbers for the big five surviving publishers.

See this discussion for more analysis of traditional publishing revenue. Authorearnings.com is another one to keep an eye on.  Here is a January, 2018 market report filled with mind-numbing numbers.

Those are the sterile numbers. Here’s a first-hand observation.  The world headquarters for Penguin Random House is 1745 Broadway, New York, NY 10019.  Back in 2016, I visited a customer in New York City for my day-job and learned Penguin Random House no longer occupies the top floor of its own building. Penguin Random House is hollowing itself out as it lays off people to cut expenses while revenue declines.

By any measure, traditional publishing is declining while the overall market is growing.

Here’s a different perspective on failure. Instead of running away from failure, embrace it. I failed as an Amway distributor, but learned lots of valuable life-lessons. Thomas Edison apparently failed at least 1000 times before inventing his light bulb.  When asked about all those failures, he replied, “I didn’t fail 1,000 times. The light bulb was an invention with 1,000 steps.” Here is a website with lots of inspirational examples around failure.

How many of us fell down on our bicycles when the training wheels first came off? How many overcame academic struggles in high school or college? How many athletes struggled before catching fire? How many of today’s famous business leaders succeeded the first time?  Ever heard of a company named Traf-O-Data?  That company didn’t last long.  But the founding team learned lessons and eventually started a new software company. Today, Bill Gates is one of the richest people on the planet and Microsoft is a household name.

That rock better be awfully big for all those losers to crawl back under.

For the risk-averse publishing companies who don’t want to deal with authors who struggled early – if you want to stay relevant, your boards of directors should bring in new leadership before you drive your once-proud companies into the ground.

Oh yeah, my book #2 recently found a publisher. It wasn’t one of the big five and it’s not a traditional publisher. Why not self-publish again? Well, I learned with book #1 that I need help with sales and marketing. I am grateful to the folks at Morgan James Publishing for betting on me.  Now, let’s go kick some butt in the marketplace.

Come on Samsung, get rid of the cell phone gimmicks

It’s fitting to post this on April 1. Because I have to wonder if Samsung thinks its customers are fools.

The problem started with an update several months ago.  After the update, my phone showed this weird lock screen when I woke it up after a battery charge.  And it started displaying annoying ads.  A few times, it showed video ads that blared noisy music or dialog. Not good in a business meeting. And not good late at night when everyone is asleep.

I figured maybe Android or maybe the cell carrier (Verizon) was trying to generate some extra revenue.  But really – if you want to sell me stuff, is showing ads I don’t want to see a good way to do it?  Sooner or later, the companies that pay for these ads will figure out they’re not effective and stop buying them.

I also noticed battery life getting shorter.  But not enough to worry about.  After all, batteries wear out and the phone was almost two years old.

Well, fast-forward to a couple weeks ago and another update.  After the update, my phone started running hot all the time, and the battery would not stay alive for even one full day.  That got my attention.  Did my phone have a hardware problem?

There are a few suggested cures in various community forums to deal with this.  One suggests clearing a cache partition. Another suggests deleting application caches.  Most of the how-to information is wrong, at least for my phone, but I managed to navigate my way through it all.  None of it made a difference.  The phone still overheated and battery life was minimal.

I loaned my phone to my daughter a couple times and noticed she downloaded some games.  Maybe the games were doing something ugly. I got rid of them. Still no change in behavior.

I noticed a graphic on my lock screen that looked like a grid with four sections with text about an X-Box controller.  Strange, I never set anything like that up.  There is an X-Box in the house.  Maybe the phone mated with the XBox somehow.  It seemed fishy.

There’s a battery app under Settings that claims to show battery usage by app.  It said the phone idle loop consumed most of my battery.  What was up with that?  Why did the idle loop consume all this battery life when the phone was supposedly sleeping?

I poked around and found a Samsung app named Peel Remote.  I launched it and it showed that same XBox grid.  Next, I went to the application manager (Apps…settings…phone…apps…application manager) and disabled it.  (We can’t delete it because it’s apparently part of the factory default installation.)  After disabling it, that useless grid on the lock screen went away, the annoying ads are gone, and the battery life is back where it should be.  The phone is now behaving as well as it did when it was brand new.

Peel Remote was the culprit.  All along.  This pile of electronic junk hinders my user experience and no doubt puts extra wear and tear on the hardware.  When I put on my cynical hat, I wonder if Samsung purposely made this app to cripple no-longer-new phones to encourage naive users to buy new phones?  It’s a nice racket.  Sell me a new phone I don’t need, take back the old phone in trade – that appears to have a hardware problem or a virus – and then restore it back to factory settings and resell it as a refurb.

So, Samsung, make this right.  Prove my conspiracy theory wrong.  Get rid of this junky Peel Remote app – or at least make it optional – in the next update.  Show enough respect for your users that you don’t play games with their phones.  Generate repeat business from quality and not gimmicks.

What if the Internet domain name I want is taken?

Way back in 2005, some friends and I set up a nonprofit named Operation America Cares.  We offered free video services for American families connecting with loved ones serving overseas in the military.  I have lots of great memories from that period, but by 2010, for lots of reasons, our Minnesota OAC had run its course.  Meanwhile, another group in San Diego with the same name started up.  The California OAC sends care packages to US troops serving overseas and they wanted to set up an Internet identity.  I had a few conversations with the founder and, since the Minnesota OAC was dormant and the California OAC was doing great work, we transferred the operationamericacares.org Internet domain name to them.  If you want to support a great group of people doing great work for our troops, go to www.operationamericacares.org and donate some money.

I share that experience because sometimes people are willing to let go of Internet domain names when it’s the right thing to do. It goes back to the original intent of the Internet, to foster free and open collaboration.

Unfortunately, since the great mid 1990s Internet gold-rush, the Internet is not so free and open. Theoretically, anyone can register an Internet domain name for negligible cost. Here is a blog post for how to do it. In practice, it’s often more complicated when somebody else controls that perfect domain name you want. Some organizations make money by registering domain names and using them for pay per click ads. Others put names up for sale at wildly inflated prices. Many call this cyber-squatting. I call it legal extortion.

Let’s say Annie, the author, wants the annie.com domain name to promote her new books.  But somebody already controls annie.com. Visit www.annie.com and it redirects to another website, www.yeah.com, which shows links to ads for all kinds of stuff.

A whois lookup for annie.com shows the name belongs to an outfit named DigiMedia.com, L.P., in Edmond, OK, USA. When I visit www.digimedia.com, I see this friendly announcement:

“Digimedia develops category-defining businesses and brands, utilizing and cultivating each of its globally regarded domain names. The company combines these original, premium domain names with established enterprises, experienced entrepreneurs and growing startups across a vast spectrum of products and/or services. The company serves as a builder, incubator, investor, partner, consultant, accelerator, and/or promoter.”

I wonder if DigiMedia’s founder is familiar with the expression, lipstick on a pig? Cut through the BS and this company makes money from clickbait and Internet domain name speculation.

Where does that leave Annie?  If she owns a trademark around her name in the physical world, maybe she could go to court to seize annie.com in cyberspace.  That fight will no doubt take years and cost a fortune.

Or she could make an offer.  The DigiMedia.com website provides a convenient “Contact” link, where Annie can submit her name, contact information, and the domain name she wants to inquire about.  And now, it’s down to old-fashioned horse trading. DigiMedia makes money from the annie.com Internet domain name, and so it probably won’t want to relinquish it for anything near what Annie can afford to pay. DigiMedia might not even bother to answer Annie’s query. Realistically, Annie will most likely need to find another Internet domain name.

But let’s say either a miracle occurs, or Annie has $thousands burning a hole in her pocket, and DigiMedia accepts Annie’s offer. Now what?

No doubt, DigiMedia will want its money up front. But Annie wants assurances she’ll get what she pays for. Buyer beware should be uppermost in Annie’s mind. The good news is, the domain name transfer process is designed to ensure integrity and it has milestones.  Annie’s real risk is DigiMedia will take her money and run.  Which is unlikely since DigiMedia seems to care about its legal standing.

And now, the rubber meets the road. Time to transfer the annie.com Internet domain name from DigiMedia to Annie.  Just like setting up a new Internet domain name, Annie will need to set up a free account with any domain registrar she likes.  Since DigiMedia uses Tucows for its registrations, it might make sense for Annie to use another registrar for hers.  There are plenty to choose from.

Here is how the process works:

  • Somebody from DigiMedia will log into Tucows and fill out a form to transfer the domain name away.
  • A few days later, Tucows will send an email with a special code to the administrative contact for the annie.com domain, presumably somebody from DigiMedia. This is a check to make sure DigiMedia really does want to transfer the name away.
  • DigiMedia will forward that code to Annie – that’s what Annie paid for.
  • Annie will navigate to her domain name registrar’s screen and fill out a form to import a domain name. That code will be one of the fields. Annie will pay her registrar between $20 and $35 per year for her domain name.
  • Annie’s domain name registrar and Tucows will validate the code and execute the transfer. This will take another few days.

After the transfer finishes and Annie is the proud owner of her domain name, Annie can begin building her Internet identity.  Two cautions for Annie:

  1. Remember your login credentials for your domain name registrar.
  2. Don’t let your registration expire. You don’t want to go through this name transfer time and expense again.

Hopefully Annie will sell lots of books.

Your Internet Identity Doesn’t Need to Be Complicated; But You Need To Be In Charge

Many bloggers and small businesses build websites using service providers such as WordPress or Wix, and friends and family find them using names like mysite.wixsite.com, or mysite.wordpress.com.  This is okay for a hobby.  But it doesn’t work for anyone trying to build a real identity. Spend a few minutes to set up your own Internet identity and look like a pro.  You can still use Wix, WordPress, or your favorite service, but now the outside world will find you by your name instead of the service you use.

This graph from the United States Census Bureau summarizes why setting up your own Internet identity is a good idea.  From Q1, 2008 through third quarter, 2017, US e-commerce sales steadily grew from 3.5 percent of all retail to more than 9 percent. In non-quantitative language, this means sales over the Internet are growing faster than brick and mortar sales, and the trend shows no signs of slowing. This is especially important for authors like me because Amazon is crushing every other sales channel in the book market.  The world is moving to doing most of its business over the Internet, and my books need to be there.

The challenge, of course, is phrases like “domain name” create FUD (Fear, Uncertainty, and Doubt) in people’s minds, and many think setting up an Internet identity is prohibitively expensive.  If you’re one of these folks, don’t let FUD win. It’s not expensive and it’s not rocket-science.

Note that I said “Internet identity” and not “website.” The difference is crucial.  Your website is a critical component of your Internet identity, but it’s not the only component. My Internet identity has several pieces besides my website under my dgregscott.com domain name.

It all starts with DNS, the Domain Name System. DNS is a mixture of politics, business, and technology. Everyone who uses the Internet should know what DNS does and how to navigate it.

DNS

The concept behind DNS is simple: translate names to IP Addresses.  Think of an IP Address as similar to a telephone number, but on the Internet.  DNS resolvers, also called DNS servers, manage all this.  If I want to access the website at, say, www.dgregscott.com, I first query the DNS resolver assigned to me to retrieve that website’s IP Address, and then send my web request to that website’s IP Address.  The metaphor of looking up a telephone number in an old-fashioned phone-book and then dialing the phone helps visualize the process.

DNS names follow a well-defined set of rules.  They start with a top-level domain name, or TLD. The Internet used seven TLDs at its inception – .com, .org, .net, .gov, .edu, .mil, and .int.  Today, ICANN, the Internet Corporation for Assigned Names and Numbers, assigns TLDs. Anyone with around $200,000 to spend can file an application and request a TLD, and today’s Internet supports about 1500 TLDs.  But .com will continue to dwarf them all because everyone wants a name in the .com namespace.

ICANN also assigns a two-character TLD to every country in the world. The United States TLD is .us.  ICANN assigned .tv to the South-Pacific island country of Tuvalu, and Tuvalu supports a significant portion of its economy by leasing .tv domain names to media companies.  It’s a great story about mixing technology, business, and politics.

Underneath TLDs are second-level domain names.  These are the familiar names such as google.com, whitehouse.gov, redcross.org, and millions of others, including my own, dgregscott.com.  And underneath second-level domain names are additional subdomains and hosts. Second-level domain registrants can assign names and subdomains in their namespace as they see fit.

The fully qualified domain name (FQDN) for my website, www.dgregscott.com, consists of the hostname, www, followed by a period (.), and my domain name, dgregscott.com. I also have a few other hosts for different services I offer, including ftp, mail, and others.  Like most domain names, dgregscott.com has no subdomains, and I don’t see a good reason to use them.  The United States .us namespace uses subdomains, as do some other countries.  The website, www.state.mn.us, for example, points to the official State of Minnesota website.  But that name redirects to an easier-to-digest name, mn.gov.  Simple and easy to remember is good.

By convention, we use the hostname, www, for websites, mail for email servers, ftp for ftp servers, and a few others.  But nothing enforces this convention. We also have a concept called a default name, which points the domain name without a hostname to a specific system. Since websites are the most popular application on the Internet, most default names point to the website associated with that domain.  Browse to http://dgregscott.com and end up at the same website as http://www.dgregscott.com.

And that leads to name registration. How does somebody acquire a domain name?

Name Registration

Full disclosure here.  I am an Internet domain name registrar.  I resell a service from Network Solutions, the original Internet domain name registrar, and I manage the records for a few domain names, most of them my own.  As of this writing in Feb. 2018, I have no desire to ramp up this business.  I do it on a small scale for my own convenience and for a few others. Typical cost is $20 per year per domain name in the .com namespace.

Many website operators bundle domain registration with website hosting service, and many people and organizations use it because it’s convenient and they don’t want to understand how it works. This is a mistake.  Your domain name is your Internet identity and it may be even more valuable than your trademark.  Nobody else should have the power to hold it hostage.  Take a few minutes and learn how to register and manage it yourself for your own safety.

Here’s how to do it.

The first, and most important, step is finding a name not registered to anyone else.  Do that by performing whois lookups on name possibilities.  Whois is an Internet service that returns information for registered domain names, and one easy way to perform whois lookups is with the whois website, at http://www.whois.com.  If you find a name not registered to anyone else, you’re free to register it.

An obvious possibility for my  domain name was gregscott.com.  But an artist in Georgia named Gregory J. Scott registered gregscott.com years ago, and he uses his website to sell paintings. How do I know this?  Here’s a screenshot from a whois lookup.

Gregory J. Scott has as much right to the gregscott.com domain name as me, and he registered it first. I doubt he is willing to give it up. So I chose to build my Internet identity around the name, dgregscott.com. D for Daniel, my official first name.

Once you find a name you like, set up a free account with any domain name registrar, fill out a form, charge between $20 and $35 to your credit card for a one year lease (some offer discounts for multiple years), and you have your own domain name.  It really is that simple.  Network Solutions, Godaddy, and Tucows are popular domain name registrars. There are dozens of others.  I like Network Solutions and its sister Web.com companies because they’ve given me good customer service over the years.  I’ve also dealt with Godaddy. Use Google or your favorite search engine to find one you like. Or twist my arm and I’ll do it for you.

Sometimes, people register names they hope will become popular. This is where technology and extortion meet, and it’s the Internet equivalent of buying up blocks of concert tickets and scalping them.  One example – somebody registered the name, startupinvestors.com, and is now auctioning it off.  As of this writing, apparently, the highest bid so far is $1040. Or, maybe the seller is lying and trying to pump up the price.  I hope he chokes on it. Here’s an amusing article from Wired Magazine back in 1994 about mcdonalds.com during the original Internet gold rush.

What if somebody else already controls your perfect domain name and it’s the only name that works?  Here is a blog post with some thoughts on how to proceed. And here is an article about one person who might control the name you want.

When you find a name you like, also look for similar names and grab them too.  The website, www.paint-can.com apparently belongs to an artist in Toronto.  But the domains, paintcan.com, paintcans.com, and paint-cans.com all appear to belong to extortionists. And paint-cam.com (m and not n) is up for sale.  Connecting with customers will be more complicated than it should be for this artist because so many similar names point elsewhere.

If you’re a nonprofit and you register a .org name, protect yourself by also registering the equivalent .com name.  If the name you want is taken in the .com namespace, don’t try to use the equivalent name in the .net or other namespace.  It looks amateurish.  Dot net names are for companies that do something around managing the Internet, and other organizations who register .net names only create confusion.

After registering your domain name, make sure you keep up your renewal.  If your name registration expires, it’s a good bet an extortionist with automation that watches for expired names will scoop it up and offer it back for lots more than you spent to lease it the first time.  You might be able to fight it in court, and you might even win after several years and a boatload of legal fees.  Don’t put yourself in this position.
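Here is an added example (not part of the original post) that reads the text a whois lookup returns and answers the two questions from this section: is the name already registered, and how long until the registration lapses? It assumes the field names and the "No match for" reply that .com whois responses use; the two sample responses are constructed under the reserved .example TLD, and the 60-day warning window is an arbitrary choice.

```python
"""Read whois text: is the name taken, and when does the registration lapse?"""
from datetime import datetime, timezone

# Constructed sample responses (names, registrar and dates are made up).
REGISTERED = """\
   Domain Name: ANNIE-BOOKS.EXAMPLE
   Registrar: Placeholder Registrar, Inc.
   Creation Date: 2005-03-14T18:22:07Z
   Registry Expiry Date: 2018-03-14T18:22:07Z
   Name Server: NS1.PLACEHOLDER.EXAMPLE
   Name Server: NS2.PLACEHOLDER.EXAMPLE
"""
UNREGISTERED = 'No match for domain "ANNIE-NEW-BOOKS.EXAMPLE".\n'


def parse_whois(text):
    """Return {'registered': True/False/None, 'fields': {key: [values]}}.

    None means the text was neither a record nor a clear "no match" reply,
    for example an error page or a rate-limit notice.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("no match for"):
            return {"registered": False, "fields": {}}
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    registered = True if "domain name" in fields else None
    return {"registered": registered, "fields": fields}


def expiry_date(parsed):
    """Return the expiry as a UTC datetime, or None if no usable date is present."""
    for key in ("registry expiry date", "registrar registration expiration date"):
        for value in parsed["fields"].get(key, []):
            try:
                stamp = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
            except ValueError:
                continue                        # unexpected date format: keep looking
            return stamp.replace(tzinfo=timezone.utc)
    return None


def renewal_status(text, today, warn_days=60):
    """Return (status, days_left); status is one of
    'available', 'ok', 'renew-soon', 'expired' or 'unknown'."""
    parsed = parse_whois(text)
    if parsed["registered"] is False:
        return "available", None
    expires = expiry_date(parsed) if parsed["registered"] else None
    if expires is None:
        return "unknown", None                  # do not guess from a partial reply
    days_left = (expires - today).days
    if days_left < 0:
        return "expired", days_left
    return ("renew-soon" if days_left <= warn_days else "ok"), days_left


if __name__ == "__main__":
    now = datetime(2018, 2, 1, tzinfo=timezone.utc)   # fixed date so the output is repeatable
    for label, text in (("registered sample", REGISTERED), ("unregistered sample", UNREGISTERED)):
        print(label, "->", renewal_status(text, now))
```

Treat "unknown" as a reason to look at the raw response yourself, not as proof that a name is free.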

And that’s it. Now, you have your own Internet identity and you can put it to work by building a website, setting up an email address, and setting up other services you want to offer.

Putting your Internet identity to work

You’ll want to point a DNS host (A) record under your domain name to your website IP Address.

Query your web hosting provider to find out the website name and IP Address assigned to your website. The name will most likely be www. The web hosting provider may offer to handle DNS for you. Don’t do it. This gives your web hosting provider too much power over your overall Internet identity. Instead, keep DNS with your domain name registrar, and set up your host (A) record yourself.  Any web hosting provider should be able to easily accommodate that.

Here are the host (A) records I set up with my domain name registrar for my dgregscott.com domain:

You may also want to set up a Mail Exchange (MX) record for email. This is a special record describing the name of the server that handles email service for your domain.  I host my own, and I set up a host (A) record cleverly named, “mail” with its IP Address.  Next, I need an MX (Mail Exchange) record to point to it. Here is what mine looks like:

Your email will most likely be with a commercial service provider, such as Google, Microsoft, or your web hosting service. They will have their own host (A) records associating the name of their email server(s) with the appropriate IP Addresses, and so all you’ll need in your own DNS is an MX (Mail Exchange) record to associate email for your domain with the name(s) of their email server(s). You’ll also need to work with your email provider to make sure their email servers accept inbound email for your domain.

Once you set up your MX record, email to yourname@yourdomain.com should flow right into your inbox. Combine that with your website at www.yourdomain.com, and your identity to the outside world will be on an equal footing with the largest corporations on the planet. And, if you become unhappy with an email or web service provider, you can move either one by changing your DNS records.
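To check the records described above before relying on them, here is an added example (not from the original post) that reads a small listing of DNS records and flags a missing www or bare-domain host (A) record, a missing MX record, and an MX record naming a host in your own domain that has no host (A) record behind it. The example.com domain, the 192.0.2.x addresses and the simple "name type value" layout are constructed placeholders, not anyone's real records.

```python
"""Check a small DNS record listing for the A and MX layout described above."""
import ipaddress

# Constructed records for the placeholder domain example.com. "@" means the
# bare domain; addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_ZONE = """\
; name   type  value
@        A     192.0.2.10
www      A     192.0.2.10
mail     A     192.0.2.25
ftp      A     192.0.2.10
@        MX    10 mail
@        MX    20 backup-mx
"""


def parse_zone(text, origin):
    """Return (a_records, mx_records) with every name expanded to a full name."""
    origin = origin.rstrip(".").lower()

    def fqdn(label):
        label = label.lower()
        if label == "@":
            return origin
        if label.endswith("."):               # trailing dot: already fully qualified
            return label.rstrip(".")
        return f"{label}.{origin}"            # relative name: append the domain

    a_records, mx_records = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'name type value'")
        name, rtype, rest = fields[0], fields[1].upper(), fields[2:]
        if rtype == "A":
            ipaddress.IPv4Address(rest[0])    # raises ValueError on a bad address
            a_records.setdefault(fqdn(name), []).append(rest[0])
        elif rtype == "MX":
            if len(rest) != 2 or not rest[0].isdigit():
                raise ValueError(f"line {lineno}: MX needs 'preference host'")
            mx_records.append((fqdn(name), int(rest[0]), fqdn(rest[1])))
        # other record types are ignored by this check
    return a_records, mx_records


def check_zone(text, origin):
    """Return a list of findings; an empty list means the layout looks complete."""
    a_records, mx_records = parse_zone(text, origin)
    origin = origin.rstrip(".").lower()
    www = f"www.{origin}"
    findings = []
    if www not in a_records:
        findings.append(f"no A record for {www}")
    if origin not in a_records:
        findings.append(f"no default (bare-domain) A record for {origin}")
    elif www in a_records and set(a_records[origin]) != set(a_records[www]):
        findings.append(f"{origin} and {www} point to different addresses")
    if not any(owner == origin for owner, _, _ in mx_records):
        findings.append(f"no MX record for {origin}")
    for _, pref, target in mx_records:
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in a_records:
            findings.append(f"MX {pref} {target} has no A record in this zone")
    return findings


if __name__ == "__main__":
    for finding in check_zone(SAMPLE_ZONE, "example.com"):
        print("FINDING:", finding)
```

An MX target outside your domain, such as a commercial email provider's server written with a trailing dot, is not flagged, because its host (A) record lives in the provider's DNS rather than yours.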

Don’t be intimidated.  If you learned how to drive an automobile in traffic, you can learn what you need to set up your own Internet identity. Invest a few minutes to understand how this infrastructure works, establish your Internet identity, and become a full-time member of the digital economy.

 

 

A Rinky-dink GOP phishing campaign

An email came in the other day from the GOP, the United States Republican party.  The party I used to respect.  It claimed to be a one question survey.  The question was, “The president’s job performance has been…”  My choices were great, good, OK, or other.  Here’s a screen shot.

I’m a civics minded guy. We, the people of the United States of America are supposed to express our opinions. The email really was from the GOP. Maybe the Republicans really were looking for feedback. So, like a dork, I took the bait and clicked “Take the Poll.” I should have known better.

That brought me to a website with the one question, as promised in the email.  I clicked “other,” and chuckled at the obvious bias.  Why no “atrocious” choice?  The survey invited comments, so I added a few about sexual abuse, late night tweeting, alternative facts, fake news, and others to summarize my opinion of President Trump’s first eleven months in office.

And then I clicked Submit.  This is where I got mad.  Instead of “Thank you for taking the time to respond,” or something similar, it took me to a page like this:

The little section at the top left had three steps.  I pasted in step 2 of 3. In step 1 of 3, I had to pledge a dollar amount so the GOP would pass my opinion onto President Trump.  In part 2, the GOP wanted to know my name, address, my occupation, and my employer.  And part 3 is where I was supposed to provide my credit card number.

I have another message for the GOP.  I’m not going to fill out your form and tell you my occupation and my employer.  And, given both political parties’ sorry track record around security, and Trump Industries’ weenie excuses for security problems, I’m certainly not going to trust you with my credit card number.  And asking me for a contribution for you to pass my comments onto the president? That’s just lame.

I could write several paragraphs about how wrong it is to solicit opinions from the public and then tie them to a political contribution, but why go to the trouble?  You guys should already know better.  Are you the same clowns who did the pitches to take money out of people’s pockets for Trump University?  Is this the best you can do to earn my trust?

President Trump, how am I supposed to have any respect for you as the leader of my country when you keep pulling these rinky-dink pranks?

Mr. President, cut the crap.

Care and share to be prepared – Part 2, sharing

I keep asking myself, why do we still see sensational data breaches almost every week?  Are attackers really that much smarter than the good guys?

The short answer is, no, they’re not.

Attackers win because the good guys do a lousy job of defense.  The good guys are so bad because nobody presents cyber-security to busy decision makers in a manner they can digest. Clueless, our leaders throw it over the wall back to the IT staff, but with minimal support because we haven’t convinced them that IT should be an asset, not an expense. So, everyone makes the same mistakes, over and over and over again, and that’s why our private information is up for sale on underground websites.

If we want to beat cyber-attackers, we have to break this cycle. We need to lead our leaders.

Start by presenting security in a manner busy decision makers can use.  I distilled it down to a six word rhyme everyone should take to heart. I don’t know how to make it any simpler.

Care and share to be prepared.

In part one, I made the case why everyone should care enough about cyber-security to take action.  Here, I’ll make the case for sharing.  Warning: It’s radical. Here it is. Organizations should make all their security practices public. Publish it. Present it at conferences.  Subject it all to peer review and scrutiny. Stand up in front of audiences and defend it. Answer questions. Listen to public criticism. Make changes.  Rinse and repeat.  If an attacker steals personal information about millions of people from your organization, fess up, share what went wrong, in detail, and the plan to get better. Operate in the open.

Am I nuts?  I can hear the objections already.  How does it make sense to share security tactics? Shouldn’t that stuff be among the most closely guarded secrets of any organization? Doesn’t sharing it give away proprietary knowledge to attackers?

Here is another short answer. No. Opening up about how we do security doesn’t give away anything. Attackers already know this stuff. Attackers spend all day probing and all night comparing notes to improve their probes for the next day. Bad guys collaborate.  Good guys don’t.  Is it any wonder industry and government are such easy targets?

Don’t believe me?  Forget high-tech for a minute.  Take a look at a tidbit of history.

Alfred Charles Hobbs was a famous locksmith in the mid 1800s.  In 1851, he embarrassed British lock makers by picking their best locks during London’s Great Exhibition, forcing manufacturers to design better locks.

Hobbs’ work led to a book, “Rudimentary Treatise on the Construction of Locks,” edited by Charles Tomlinson, and published in 1853. Take a look at what Hobbs had to say, before most of our great great grandparents were born, starting near the bottom of page 2:

A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by shewing others how to be dishonest. This is a fallacy.  Rogues are very keen in their profession, and they know already much more than we can teach them respecting their several kinds of roguery.  Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done.  If a lock—let it have been made in whatever country, or by whatever maker—is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to be the first to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.

Sound familiar? In today’s world, Hobbs would be an Internet security researcher.

Still not convinced?  I’m publishing this on Saturday morning, Dec. 16, 2017.  Here are a few articles about data breaches or their consequences over the past week.  Not the past year.  Or the past month.  The past week. Plus one more from eight days ago about a company that should have known better.

How’s the way we’re doing things today working out? What was the definition of insanity again? Maybe I’m not so nuts after all.