TrueCar.com Violates the CAN-SPAM Act

I run across this sort of thing all the time: companies that violate the rules of the US CAN-SPAM act, the law that is intended to protect consumers from unwanted email. If I have time, I stop to email companies I find violating the law to kindly point out what they are doing wrong. Call it some sort of self-satisfaction, Robin Hood vigilantism, or pure geekish annoyance, but I can’t help myself sometimes. Here’s one I sent today to TrueCar.com.

To: feedback@truecar.com
Subject: True Care website feedback

Hi, I noticed that when I go to “Subscriptions” in my profile, there is an issue with unsubscribing from emails.

If I uncheck all subscription options, then check “Unsubscribe from all,” then click the Save Changes button, it says my options have been saved.
However, if I go to another page and return to “Subscriptions,” the “In-stock offers from your dealers” button is checked again. How is that “Unsubscribing from all?”
You guys might want to fix that, as it violates the US CAN-SPAM act.
Thanks,
Will
Sneakily re-subscribing me to a category of emails, after I have specifically opted not to be a part of it anymore, is blatantly in violation of the CAN-SPAM act. Particularly, the part that says, “You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you.”
Yes, they include that option, but it doesn’t seem to fully work.
I will let y’all know if I hear anything back.
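As an added illustration (not code from the post or from TrueCar), here is a small Python model of a preference centre that reproduces the save/load symptom described above beside a loader that honours the global opt-out. The category names and the dealer default that re-checks a box are constructed assumptions about the cause.

```python
from typing import Optional, Set

# Constructed e-mail categories; the last one is the dealer-driven category
# named in the post.
CATEGORIES = ("newsletter", "price_alerts", "in_stock_offers")
# Assumed cause of the symptom: a dealer default that re-enables one
# category whenever the profile is loaded.
DEALER_DEFAULTS = {"in_stock_offers": True}


def save_prefs(checked: Set[str], unsubscribe_all: bool) -> dict:
    """Persist what the user submitted from the Subscriptions form."""
    return {"categories": sorted(checked), "unsubscribe_all": unsubscribe_all}


def load_prefs_buggy(stored: dict) -> dict:
    """Reproduces the bug: dealer defaults are merged back in on every load
    and the global opt-out flag is never consulted."""
    enabled = set(stored["categories"])
    enabled |= {c for c, on in DEALER_DEFAULTS.items() if on}
    return {c: c in enabled for c in CATEGORIES}


def load_prefs_fixed(stored: Optional[dict]) -> dict:
    """Honour the global opt-out first; apply dealer defaults only to users
    who have never saved a choice."""
    if stored is None:
        return {c: DEALER_DEFAULTS.get(c, False) for c in CATEGORIES}
    if stored["unsubscribe_all"]:
        return {c: False for c in CATEGORIES}
    enabled = set(stored["categories"])
    return {c: c in enabled for c in CATEGORIES}


def may_send(stored: Optional[dict], category: str) -> bool:
    """Gate every commercial send on the fixed loader, never on dealer defaults."""
    return load_prefs_fixed(stored).get(category, False)


if __name__ == "__main__":
    saved = save_prefs(set(), unsubscribe_all=True)  # "Unsubscribe from all"
    print("buggy:", load_prefs_buggy(saved))
    print("fixed:", load_prefs_fixed(saved))
```

The buggy loader shows "in_stock_offers" checked again after a full opt-out; the fixed one keeps every category off and `may_send` refuses the send.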

Are You Putting Your WordPress Site at Risk?

WordPress as a platform has been a solid, secure application over the years. The few times a vulnerability has been found, the WP team has been super-fast to patch it, publicize it, and take care of business.

That said, there are two major areas where WordPress is weak on security:

1. Plugins

2. Administrators

There are so many plugins for WordPress, which is part of what makes it so great. However, those plugins can also present attack vectors, and we see evidence of this almost every day.

It was just revealed that most WP users have very little understanding of the risk they are exposing their own websites to. Not updating plugins, not updating WP itself, and not making backups are the easiest things to fix, yet they are exactly what people tend not to do.

This puts WP websites at risk, lets them get hacked, and gives WordPress as a whole a bad rap.

The survey of 503 WordPress users, which took place online during February this year, revealed that WordPress users are more exposed to security problems than expected. In total, 54 percent of respondents said they updated WordPress between once a week and every few weeks, and yet only 24 percent back their websites up — and only 23 percent have received training in the use of tools such as backup plugins.

ZDNet

On that note, I thought I’d mention that the most popular SEO plugin for WordPress, Yoast’s WP SEO, has a new, major vulnerability in it. GO UPDATE!

Why I Left Facebook For Good

I have quit Facebook for good, in case you came here trying to find out what’s up. Why have I done this?

Facebook made changes to their user agreement on January 30, and I don’t feel OK about them at all. This article, Get Your Loved Ones Off Facebook, factually sums up everything Facebook can do, and does do, with the information it collects about you, and it might give you the same uneasy feeling it gave me.

The information grabbing and sharing Facebook does reaches far and deep, and it’s not limited to what you do while on Facebook itself. Anything you do anywhere on the Internet where a Facebook Like button is present reports your activity back to Facebook. And that means just about everywhere.

“I have nothing to hide”, you say?

The issue here isn’t what we have to hide, it’s maintaining an important right to our freedom — which is the right to privacy, and the right to have a say in how information about us is used. We’re giving up those rights forever by using Facebook.

I want to quote the part of that article that gave me the biggest heebie-jeebies, because I know most of you won’t actually go read it yourselves. As of 3 days ago:

Facebook is demanding to track what you buy, and your financial information like bank account and credit card numbers. It’s already started sharing data with Mastercard. They’ll use the fact that you stayed on Facebook as “permission” to make deals with all kinds of banks and financial institutions to get your data from them. They’ll call it anonymous, but like they trick your friends to reveal your data to the third-parties with apps, they’ll create loopholes here too.

Facebook is also insisting to track your location via your phone’s GPS, everywhere and all the time. It’ll know exactly who you spend your time with. They’ll know your habits, they’ll know when you call in sick at work, but are really out bowling. “Sal likes 2pm Bowling at Secret Lanes.” They’ll know if you join an addict support group, or go to a psychiatrist, or a psychic, or a mistress. They’ll know how many times you’ve been to the doctor or hospital, and be able to share that with prospective insurers or employers. They’ll know when you’re secretly job hunting, and will sell your endorsement for job sites to your friends and colleagues — you’ll be revealed.

They’ll know everything that can be revealed by your location, and they’ll use it however they want to make a buck.

And — it’ll all be done retrospectively. If you stay on Facebook past January 30th, there’s nothing stopping all of your past location and financial data to get used. They’ll get your past location data from when your friends checked-in with you, and the GPS data stored in photos of you. They’ll pull your old financial records – that embarrassing medicine you bought with your credit card 5 years ago will be added to your profile to be used as Facebook chooses. It will be sold again and again, and likely used against you. It will be shared with governments and be freely available from loads of “third-party” companies who do nothing but sell personal data, and irreversibly eliminate your privacy.

There you have it. You can still find me here and on G+. For now.

Security Update – Links & Tips

Here are some infosec-related resources, tips, and interesting things I’ve come across in the last few days, all of which are related to cyber security and you. Hope you find this stuff useful.

Edit: Here’s a late-breaker to add to the list:

  • Surveillance Self-Defense is the Electronic Frontier Foundation’s guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices.

Photo by Brad & Ying

Things I have recently quit

1. LinkedIn. I deleted my profile and completely quit this most useless of social networks. In all the years I kept up my profile and made connections, I got absolutely nothing in return. Even when searching for a job, it was useless. In retrospect, it’s like the Classmates.com of the aughts.

2. Dropbox. First they looked at user files, then they hired Condoleezza (why does her name have two z’s) Rice as their “privacy advisor.” Besides, I wasn’t really using it anyway.

3. Facebook. Again. But then I had to rejoin. It’s a very necessary evil, unfortunately, being in a band and trying to connect to fans, venues, and clients.

Serious Vulnerability in WordPress Jetpack Plugin

Get your updates going as soon as possible, as this looks pretty serious!

This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.

So not only is that an issue, but if you haven’t done your part in protecting yourself from this week’s Heartbleed bug, which has scared the bejeezus out of the entire Internet, get yourself fixed up ASAP!

If you are lucky enough to have been using LastPass to manage your passwords, log in there and do a Security Check to find out which websites you frequent may be vulnerable to that bug. LastPass will also help you quickly change passwords as needed.

Good luck, citizens!