Sex sells … well, sex… but not much else. Victoria’s Secret was the most recalled product placement on TV — fortunately they sell products related to what was recalled. Not so sure about the mayo and cell phone.
“We’re number two” might not be the chant everyone’s after, but we have a feeling that Google is more than satisfied with that in this case… for now. According to market research firm NPD, Google’s Android operating system edged up into second place in the US smartphone market during the first quarter of the year, leaving it still well behind RIM’s BlackBerry OS, but marking the first time that it has moved ahead of Apple’s iPhone OS. Specifically, NPD found that RIM maintained a strong 36 percent market share for the quarter, with Android coming in at 28 percent, and iPhone OS in third at 21 percent. The growth for Android was attributed largely to strong carrier support — like Verizon’s buy-one-get-one free offer which, incidentally, also helped Verizon maintain a 30 percent smartphone market share, which is just slightly behind AT&T at 32 percent, and ahead of T-Mobile and Sprint at 17 and 15 percent, respectively.
Disclaimer: NPD’s Ross Rubin is a contributor to Engadget.
As part of a special report on the state of couch potatoes in the year 2010, the Economist collected data on perceived vs. actual media consumption. People are in denial about their TV addictions and overconfident in their YouTube cool.
Maybe not consciously, but that seems to be the case. The chart shows that to some extent YouTube is still a media event—something we’re aware of ourselves watching—whereas TV just washes over us and seeps into our rotting brains without us even realizing it.
These numbers are from 2008, though, and it would be interesting to see how the balance has shifted over the last 2 years. Personally, my YouTube watching is way up, my TV watching is way down, and the only time I hear the radio is when someone drives by with their windows down. Because honestly, who needs Treme when you have this. [The Economist]
That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think it means.
Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.
At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds designed to intercept those communications, without breaking the encryption, by using forged security certificates instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.
The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.
“If a company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,” Blaze said.
The company in question is known as Packet Forensics, which advertised its new Man-In-The-Middle capabilities in a brochure handed out at the Intelligent Support Systems (ISS) conference, a Washington DC wiretapping convention that typically bans the press. Soghoian attended the convention, notoriously capturing a Sprint manager bragging about the huge volumes of surveillance requests it processes for the government.
According to the flyer: “Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity.” The product is recommended to government investigators, saying “IP communication dictates the need to examine encrypted traffic at will” and “Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”
Packet Forensics doesn’t advertise the product on its website, and when contacted by Wired.com, asked how we found out about it. Company spokesman Ray Saulino initially denied the product performed as advertised, or that anyone used it. But in a follow-up call the next day, Saulino changed his stance.
“The technology we are using in our products has been generally discussed in internet forums and there is nothing special or unique about it,” Saulino said. “Our target community is the law enforcement community.”
Blaze described the vulnerability as an exploitation of the architecture of how SSL is used to encrypt web traffic, rather than an attack on the encryption itself. SSL, which is known to many as HTTPS://, enables browsers to talk to servers using high-grade encryption, so that no one between the browser and a company’s server can eavesdrop on the data. Normal HTTP traffic can be read by anyone in between – your ISP, a wiretap at your ISP, or in the case of an unencrypted WiFi connection, by anyone using a simple packet sniffing tool.
In addition to encrypting the traffic, SSL authenticates that your browser is talking to the website you think it is. To that end, browser makers trust a large number of Certificate Authorities – companies that promise to check a website operator’s credentials and ownership before issuing a certificate. A basic certificate costs less than $50 today, and it sits on a website’s server, guaranteeing that the BankofAmerica.com website is actually owned by Bank of America. Browser makers have accredited more than one hundred Certificate Authorities from around the world, so any certificate issued by any one of those companies is accepted as valid.
To use the Packet Forensics box, a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities – using money, blackmail or legal process – to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.
Technologists at the Electronic Frontier Foundation, who are working on a proposal to fix this whole problem, say hackers can use similar techniques to steal your money or your passwords. In that case, attackers are more likely to trick a Certificate Authority into issuing a certificate, a point driven home last year when two security researchers demonstrated how they could get certificates for any domain on the internet simply by using a special character in a domain name.
“It is not hard to do these attacks,” said Seth Schoen, an EFF staff technologist. “There is software that is being published for free among security enthusiasts and underground that automates this.”
China, which is known for spying on dissidents and Tibetan activists, could use such an attack to go after users of supposedly secure services, including some Virtual Private Networks, which are commonly used to tunnel past China’s firewall censorship. All they’d need to do is convince a Certificate Authority to issue a fake certificate. When Mozilla added a Chinese company, China Internet Network Information Center, as a trusted Certificate Authority in Firefox this year, it set off a firestorm of debate, sparked by concerns that the Chinese government could convince the company to issue fake certificates to aid government surveillance.
In all, Mozilla’s Firefox has its own list of 144 root authorities. Other browsers rely on a list supplied by the operating system manufacturers, which comes to 264 for Microsoft and 166 for Apple. Those root authorities can also certify secondary authorities, who can certify still more – all of which are equally trusted by the browser.
Soghoian says fake certificates would be a perfect mechanism for countries hoping to steal intellectual property from visiting business travelers. The researcher published a paper (.pdf) on the risks Wednesday, and promises he will soon release a Firefox add-on to notify users when a site’s certificate is issued from an authority in a different country than the last certificate the user’s browser accepted from the site.
EFF’s Schoen, along with fellow staff technologist Peter Eckersley and security expert Chris Palmer, want to take the solution further, using information from around the net so that browsers can eventually tell a user with certainty when they are being attacked by someone using a fake certificate. Currently browsers warn users when they encounter a certificate that doesn’t belong to a site, but many people simply click through the multiple warnings.
“The basic point is that in the status quo there is no double check and no accountability,” Schoen said. “So if Certificate Authorities are doing things that they shouldn’t, no one would know, no one would observe it. We think at the very least there needs to be a double check.”
EFF suggests a regime that relies on a second level of independent notaries to certify each certificate, or an automated mechanism to use anonymous Tor exit nodes to make sure the same certificate is being served from various locations on the internet – in case a user’s local ISP has been compromised, either by a criminal, or a government agency using something like Packet Forensics’ appliance.
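The two detection ideas described above, Soghoian’s alert when a site’s certificate suddenly comes from a CA in a different country, and EFF’s comparison of the certificate seen locally with what other vantage points on the net see, as an added example that is not the article’s code, nor Soghoian’s add-on, nor EFF’s proposal as implemented. Certificate fields and fingerprints are constructed sample values; a real implementation would take them from the X.509 certificate delivered in the TLS handshake.

```python
"""Added example: two defender-side checks against a forged-certificate
man-in-the-middle, modelled on the two proposals in the article.

  1. Issuer history (Soghoian's add-on idea): remember which CA, in which
     country, issued the certificate last accepted for a site, and flag a change.
  2. Cross-vantage check (EFF's idea): compare the fingerprint seen locally with
     fingerprints observed for the same site from other network locations.

Certificate records are constructed dicts standing in for parsed X.509 data.
"""
import hashlib
from collections import Counter
from typing import Dict, List


def make_cert(host: str, issuer_cn: str, issuer_country: str, der: bytes) -> dict:
    """Build the minimal certificate record the checks need. Real code would
    extract these fields from the certificate itself; 'der' here is a
    constructed stand-in for the DER-encoded certificate bytes."""
    return {
        "host": host,
        "issuer_cn": issuer_cn,
        "issuer_country": issuer_country,
        # SHA-256 over the DER encoding is the usual certificate fingerprint.
        "fingerprint": hashlib.sha256(der).hexdigest(),
    }


class IssuerHistory:
    """Trust-on-first-use store: remembers the last accepted certificate per host
    and classifies each new observation against it."""

    def __init__(self) -> None:
        self._last: Dict[str, dict] = {}

    def check(self, cert: dict) -> str:
        host = cert["host"]
        prev = self._last.get(host)
        self._last[host] = cert  # record what the user just accepted
        if prev is None:
            return "first-seen"  # nothing to compare against yet
        if prev["fingerprint"] == cert["fingerprint"]:
            return "unchanged"
        if prev["issuer_country"] != cert["issuer_country"]:
            # The signal Soghoian's add-on raises: a CA in another country
            # now vouches for a site it never vouched for before.
            return "issuer-country-changed"
        if prev["issuer_cn"] != cert["issuer_cn"]:
            return "issuer-changed"
        # Same CA re-issued the certificate, e.g. a routine renewal.
        return "renewed"


def cross_vantage_check(local_fp: str, remote_fps: List[str]) -> str:
    """Compare the fingerprint seen locally with what other observers (EFF
    suggests Tor exit nodes) see for the same site. A local certificate that
    disagrees with a clear majority elsewhere points at interception near
    the client, e.g. at the local ISP."""
    if not remote_fps:
        return "no-data"
    majority_fp, count = Counter(remote_fps).most_common(1)[0]
    if count * 2 <= len(remote_fps):
        return "inconclusive"  # no clear majority among remote observers
    return "consistent" if local_fp == majority_fp else "local-mismatch"


if __name__ == "__main__":
    # Constructed sample observations for one host.
    hist = IssuerHistory()
    genuine = make_cert("mail.example.test", "Example Root CA", "US", b"cert-1")
    forged = make_cert("mail.example.test", "Other Root CA", "CN", b"cert-2")
    print(hist.check(genuine))  # first-seen
    print(hist.check(forged))   # issuer-country-changed
    seen_elsewhere = [genuine["fingerprint"]] * 3
    print(cross_vantage_check(forged["fingerprint"], seen_elsewhere))  # local-mismatch
```

The history check is deliberately trust-on-first-use: it cannot tell whether the very first certificate it sees is genuine, which is exactly why the cross-vantage comparison is the stronger of the two, and why EFF’s proposal pairs it with independent notaries.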
One of the most interesting questions raised by Packet Forensics’ product is how often governments use such technology and whether Certificate Authorities comply. Christine Jones, the general counsel for GoDaddy – one of the net’s largest issuers of SSL certificates – says her company has never gotten such a request from a government in her 8 years at the company. “I’ve read studies and heard speeches in academic circles that theorize that concept, but we never would issue a ‘fake’ SSL certificate,” Jones said, arguing that would violate the SSL auditing standards and put them at risk of losing their certification. “Theoretically it would work, but the thing is we get requests from law enforcement every day, and in the entire time we have been doing this, we have never had a single instance where law enforcement asked us to do something inappropriate.”
VeriSign, the largest Certificate Authority, declined to comment.
Matt Blaze notes that domestic law enforcement can get many records, such as a person’s Amazon purchases, with a simple subpoena, while getting a fake SSL certificate would certainly involve a much higher burden of proof and technical hassles for the same data.
Intelligence agencies would find fake certificates more useful, he adds. If the NSA got a fake certificate for Gmail – which now uses SSL as the default for e-mail sessions in their entirety (not just their logins) – they could install one of Packet Forensics’ boxes surreptitiously at an ISP in, for example, Afghanistan, in order to read all the customer’s Gmail messages. Such an attack, though, could be detected with a little digging, and the NSA would never know if they’d been found out.
Despite the vulnerabilities, experts are pushing more sites to join Gmail in wrapping their entire sessions in SSL.
“I still lock my doors even though I know how to pick the lock,” Blaze said.
Another day, another story about some cheap, plastic Wii motion control accessory finding an application outside of gaming. In this case, it’s the balance board, and not only is this device helping stroke victims recover, it’s saving them money, too.
In fact, doctors at the University of Melbourne found that the balance board, normally used for pseudo Yoga or navigating Miis down a virtual ski slope, was so sensitive it could very well replace the traditional laboratory-grade “force platforms” doctors use to assess a patient’s balance.
When doctors disassembled the board, they found the accelerometers and strain gauges to be of “excellent” quality. “I was shocked given the price: it was an extremely impressive strain gauge set-up,” said lead researcher Ross Clark, in an interview with New Scientist.
Even better, Clark’s team has already published a paper that verifies the Wii balance board is “clinically comparable” to the nearly $18,000 lab force platform. That’s great news for many smaller physio clinics that would otherwise be unable to afford the traditional rig. [New Scientist]
Need physical copies of some great shots, but you’re a bit too lazy to order and pay for them? HotPrints mails you free 16-page photo books, with shots pulled from Facebook, if you don’t mind some non-intrusive paper ads.
In this case, non-intrusive means the advertisements aren’t watermarked or otherwise touching your actual photos. They’re inserted between the pages, and can be pulled out, kind of like magazine subscription cards. You’d also have to be comfortable with HotPrints using “contextual” data from Facebook to target some ads at you. That means the album style you choose, the content of your profile, and region information from your Facebook account are used to target the ads, but the company claims that no identifying information is given out to its sponsoring partners. You can read more about HotPrints’ do’s and don’ts at their privacy policy.
If you’re cool with that in exchange for free books, and even free shipping, HotPrints’ Facebook app makes it fairly easy to pull in tagged photos of yourself or any Facebook contacts for a quickie album, with a limit of one per month. It’s a free service, but it requires a Facebook account (and app authorization) to use.
Samsung’s extreme sheep LED art video went viral and was definitely passed along as the bit.ly stats show below, but whether it drove sales for Samsung, or whether people even knew what it meant (Samsung makes LED lit LCD TVs), no one will really know.
Whereas JetBlue’s All-You-Can-Jet Pass also went viral (similar order of magnitude of shares, again by way of the bit.ly stats) and it led straight to the page about the All-You-Can-Jet Pass where users could then go on to buy it.
In the case of Samsung, the video was cool, entertaining, and unexpected and went viral. But the link to sales was tenuous at best. In the case of JetBlue, the product itself went viral and the link to sales was direct.
Hmm… which had a larger business impact? You tell me.
A great technique to use to see if your website design is too cluttered or busy is to shrink it down to a thumbnail (like below). You will quickly see that your eye is trying to find something to focus on in each case. If you can’t find the thing to focus on, then you need to go back and simplify the design. Only in rare and specific circumstances should your site deliberately have multiple points of focus. Even then, there should be a sequential order to what the user is led to see.
It was originally discovered and reported that while the JK Wedding dance video was real, the viral effect was manufactured by Chris Brown and Sony’s marketing and public relations people.
Chris Brown and Sony PR made an unconventional, but really, really good, decision to promote a home video on YouTube to drive a massive increase in sales and also polish Chris Brown’s tarnished image in the process.
The video of JKWeddingDance was funny and it used Chris Brown’s “Forever” song. Instead of suing them and issuing a take-down order, Sony’s PR department promoted it instead and added an overlay ad to purchase the single from Amazon MP3 or iTunes.
This case reads like a how-to guide to create a successful viral video that drives sales. They (Chris Brown) did everything right.
By promoting the video (instead of suing to get it taken down), they got the video past the first tipping point of X thousand views, after which the video remained on the front page of YouTube which gets about 30 million unique users in a day. Most people don’t look through the ocean of videos on YouTube. Instead, they start with the ones listed on the front page as “most popular, top favorited, or most viewed.”
Then real people continued to amplify the snowball effect — social amplification — and passed it along to their friends. This added a viral halo on top of the original promoted views. The viral halo is low to no cost to the advertiser, so any profits derived from it are pure viral profit.
For a step-by-step guide to creating a viral video, see
Viral hits can be manufactured. A group which has done this successfully and reproducibly is ImprovEverywhere (see their YouTube channel below). They have MANY YouTube videos which have hundreds of thousands of views, and their latest hit — No Pants Subway Ride – achieved 8 million views in 3 months.