Should You Trust Online Reviews?

A whole industry has developed on the internet dealing with reviews of businesses, hotels and restaurants.  Perhaps you’ve used some of these sites, such as Yelp, Trip Advisor, and even Google to assess where you do business.  But can you really trust these reviews?  Should you trust these reviews?

Review Manipulation

The reviews are crowdsourced (meaning the public gives the reviews, not professionals).  In the age of automated bots, as you can imagine, it is very easy to manipulate reviews.  Even without bots, businesses get their friends to give a good review or even bribe customers for good ratings.  They also set up schemes to give bad reviews to competitors.  The Yelps of the world are aware of this and they put protocols into place to prevent manipulation of reviews and ratings.  But do they work?  That’s a valid question.

Fake Restaurant Tops in London

With all the controls in place, Trip Advisor recently rated a completely fake restaurant as tops in London.  The story was detailed in a Vice article written by the “perpetrator”.  In fairness, he did actually open the restaurant at one point (as a joke).  The article also showed something about human nature — scarcity and fear-of-missing-out (FOMO) drives motivation.  The hoaxster kept telling callers that the restaurant was booked for weeks in advance.  This seemed to make people want to eat there even more.  People also didn’t want to seem like they were missing out on something hot or trendy.

Yet Reviews and Testimonials are Trusted

So, all that being said, studies show that website users do trust testimonials on websites. That is odd given how skeptical people, in general, tend to be.


So, the next time you read an online review or look at an online rating or ranking, take it with a grain of salt.  And make sure that you have testimonials on your website.

Drupal 8 is Out…Should You Switch Now?

In November 2015, Drupal released its long-awaited Drupal 8.  It’s now the shiny new (free) object in the Content Management System (CMS) world. Should you convert your Drupal 6, Drupal 7 or WordPress website to Drupal 8?  Not yet.

Drupal and WordPress take vastly different worldviews of their CMS’s and users, which largely derive from how they evolved.  WordPress started as a blogging platform to which you could add a few traditional web pages, such as an “about me” page.  I started using WordPress as a CMS about 10 years ago by cobbling it together from posts, pages, and menus.  WordPress eventually made these natural features, making my life as a site builder and developer much easier.  WordPress publishes 3-4 “major” updates each year.  These major updates are incremented by the second number (e.g. version 4.1 is followed by version 4.2).  Unlike with Apple and Microsoft products, the first number is not the significant one (e.g. iOS 8 is a different product from iOS 9).  Minor updates — bug and security fixes — are given an additional dot (e.g. 4.2.1 fixes bugs and security issues in 4.2).  Each major update is evolutionary: it builds on the previous version, is almost completely backward compatible, and generally adds features or cleans up janky ones.

Drupal, on the other hand, started as a pure CMS and continues as such.  Drupal is a little heavier-duty as a CMS than WordPress, and certain things are far easier to do in Drupal than in WordPress, especially creating and displaying custom post types and data.  Each major release of Drupal (e.g. Drupal 6, Drupal 7) is essentially a different CMS ecosystem.  They are not backward compatible at all: modules and themes that work in Drupal 6 will not work in Drupal 7 or 8.  Major releases come years apart.  For instance, Drupal 7 was first released in January 2011 and Drupal 8 nearly 5 years later.  Bug fixes and feature updates are made in minor releases, which are given sequential numbers after the major release (e.g. the current Drupal 7 release is 7.42).

Back to Drupal 8.  The new CMS is a complete rewrite.  One criticism of CMS’s is that they are slow in rendering web pages and are web server resource hogs.  There are workarounds to improve performance (such as server-side page caching and reverse proxies), but the developers of Drupal 8 sought to make the CMS itself more efficient.  It is built on the high-performance Symfony PHP framework.  They also sought to change how theme templates are coded.  Previously, PHP was used to code the templates.  Template designers tend to be more artistic types and less coder types.  Drupal 8 uses a simplified template engine called Twig to help with this (it’s more like English than coding).  It is also responsive — it will adjust to any screen size — out of the box.  This is a huge advantage over other CMS’s, which have to build that into each theme or use a responsive base theme.  The world is going mobile, and websites must adjust to different screen sizes to accommodate users and Google.

Why wait to switch?  Modules and themes lag in development because the base code keeps changing while the core Drupal 8 product is being developed.  Three months after 8’s release, take the top 20 modules used in Drupal 7, set aside those that were folded into 8’s core or deprecated because 8 no longer needs them, and only 2 of the rest have stable releases.  Many others have no development versions released, and others are at an alpha stage (before the later beta, release candidate and stable stages).  There are no stable eCommerce platforms for 8.  I waited about a year after Drupal 7 was released before I migrated clients off of Drupal 6, largely due to the lack of production-ready modules.  It will probably take a year for the same to happen with 8.  If you’re happy with your current D7 or WordPress site, there is no need to change at all.

One caveat: with the release of Drupal 8, Drupal 6 will no longer be supported (as of 2-24-2016).  Not only does that mean no security updates, but it also means removal of all modules from Drupal’s repository.  If you have a Drupal 6 site, you need to strongly consider moving to 7 or 8 quickly.

If you would like to talk about your website needs, please contact me.

How Safe Are Your Digital Assets?

Author Kevin Roose recently dared two hackers to see how much they could mess up his life.

So I decided to stage an experiment that, in hindsight, sounds like a terrible idea: I invited two of the world’s most elite hackers (neither of whom I’d ever met) to spend two weeks hacking me as deeply and thoroughly as they could, using all of the tools at their disposal. My only conditions were that the hackers had to promise not to steal money or any other assets from me, reveal any of my private information, or do any harm to me, my data, or anyone else. And then, at the end of the hack, I wanted them to tell me what they found, delete any copies they’d made, and help me fix any security flaws or vulnerabilities I had.

What happened?

“It’s ridiculous,” [hacker] Dan said. “I have control of your digital life in its entirety. I have all your credentials. I have all your access to all your financial information, all your work information, all your personal information. I can pay people with your bank account or your Amex account.”

For all intents and purposes, he said, “I am you.”

If he had been a malicious attacker, Dan said, he could have done unspeakable damage: draining my bank account, ruining my credit score, deleting years’ worth of photos, videos, and important data from my hard drive, using secrets from my email inbox and my work Slack to ruin my reputation. Anything, really.

“I could have left you homeless and penniless,” he said.

You can read all the really scary details (and watch a scary video) here.  The takeaway is that you cannot completely protect yourself, but you can take some helpful steps: use multifactor authentication, set up stronger security with service providers such as cell phone companies and banks, and change your passwords frequently.

Using one of these Passwords? The 2015 List

The 2015 list of most-used passwords is out.  It looks much like the list from the previous year.  From the folks at SplashList, here it is without further ado:

1 – 123456 (unchanged from 2014)
2 – password (unchanged)
3 – 12345678 (up 1)
4 – qwerty (up 1)
5 – 12345 (down 2)
6 – 123456789 (unchanged)
7 – football (up 3)
8 – 1234 (down 1)
9 – 1234567 (up 2)
10 – baseball (down 2)
11 – welcome (new)
12 – 1234567890 (new)
13 – abc123 (up 1)
14 – 111111 (up 1)
15 – 1qaz2wsx (new)
16 – dragon (down 7)
17 – master (up 2)
18 – monkey (down 6)
19 – letmein (down 6)
20 – login (new)
21 – princess (new)
22 – qwertyuiop (new)
23 – solo (new)
24 – passw0rd (new)
25 – starwars (new)

Obviously, there is a Star Wars theme added in 2015 with princess, solo and starwars.

If you use any of these passwords, please change them immediately.  Hackers will try all of these first because they are popular.  In other words, in a brute force attack (where hackers just try one password after another until one works), these will be up first.

Site not Mobile-Friendly? Here’s why that Is A Problem…

I previously wrote about Mobilegeddon, the “name” given to the change Google made to their search algorithms which will deemphasize websites that are not mobile-friendly (sites that will not fit on a smartphone or tablet screen, requiring left-right scrolling — which most users don’t like — or that require a lot of zooming in to read the text).  The impact thus far has not been reported to be all that great.  So if your website is not mobile-friendly, your search results probably have not taken too bad of a hit.

However, you might have a different problem.  Google is now reporting that as of Summer 2015, more than half of all searches on Google were done from mobile devices.  So, even if you’re showing up, if your site is not mobile-friendly, the user might not stay very long if they cannot use your site easily.  In other words, you are telling over half of your customers or potential customers that you do not care enough about them to let them easily access your site.  Most will go elsewhere.

Around 25% of all websites are based in WordPress — including the one you are reading.  WordPress has many responsive themes you can use to make your site mobile-friendly.  I am extending my previous offer of $50 to install a plugin that will make your site mobile-friendly.  A responsive theme is the best way to go mobile, but plugins can be a good stop-gap.  This offer is good through the end of 2015.

Contact me to discuss your mobile needs, for WordPress or other website platforms.

Multi-factor Authentication May Have Helped Prevent Cardinals Hack of Astros

Earlier this week, news outlets reported on an FBI investigation alleging that the St. Louis Cardinals, one of the National League’s most storied and successful clubs, hacked into the Houston Astros’ scouting system to steal information.  Reports (or perhaps rumors) have also surfaced charging that current Astros General Manager Jeff Luhnow — previously an executive with the Cardinals — used “poor password practices” and continued to use the password he had with the Cardinals.  Luhnow denies using poor password practices.  Authorities, team-hired investigators and Major League Baseball investigators will eventually get to the bottom of this mess.

However, there is a lesson in this episode for everyone.  I have blogged before about good password practices.  Do not trust the system you are creating a password for or giving your information to.  Any system can be hacked.  If the website does not store passwords using a one-way algorithm (where the gobbledygook “hash” the algorithm produces cannot be converted back into your password), the chances of someone figuring out your password skyrocket.  Tip: if a website can tell you what your password is when you forget it — instead of resetting it — it is clearly not using a one-way algorithm.  If you use the same password on multiple systems (email, banking, credit cards, etc.), as many people do since it’s easier to remember one than many, you face the real possibility that the hacking of one system compromises all of your accounts.  Use a password manager to create random, hard-to-guess passwords and to store and recall them for you.

What can you do?  Two primary things.  First, do not use the same password or set of passwords for every site.  If your password can be found in a dictionary or is a sequence of numbers, it is a matter of time before a brute force, rainbow table or dictionary attack compromises it.  That holds even if it is encrypted (hashed), since a hacker will simply run every candidate through the same algorithm until one produces a matching hash.
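As an added example (not from the original post), the Python below ties together the 2015 list and the hashing point above: it refuses a candidate password that appears on the list, and it contrasts an unsalted fast hash, which one pass over that short list matches immediately, with a per-user salted, deliberately slow PBKDF2 hash. The list entries come from the post; the iteration count and the test passwords are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# The 25 most-used passwords of 2015 from the list in the post (all lower-case).
TOP_2015 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
]

def is_common(password: str) -> bool:
    """Registration check: refuse anything on the list, regardless of case."""
    return password.lower() in TOP_2015

# --- What a site that merely hashes passwords (no salt) has stored ----------
def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def match_unsalted(stored: str) -> Optional[str]:
    """Why unsalted fast hashes fail: hashing the 25-entry list once yields a
    lookup table, so a leaked hash of any popular password is matched
    instantly. Returns the matched password, or None if it is not on the list."""
    table: Dict[str, str] = {unsalted_hash(p): p for p in TOP_2015}
    return table.get(stored)

# --- Stronger storage: per-user random salt plus a deliberately slow KDF -----
ITERATIONS = 200_000   # PBKDF2 rounds; a constructed value for this example

def make_record(password: str) -> Tuple[bytes, bytes]:
    """Store (salt, digest); the random salt makes a precomputed table useless,
    and the iteration count makes each guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def roundtrip(password: str, attempt: str) -> bool:
    """Convenience: does `attempt` verify against a fresh record of `password`?"""
    return verify(attempt, make_record(password))

def salts_differ(password: str) -> bool:
    """Two users with the same password end up with different stored digests."""
    return make_record(password)[1] != make_record(password)[1]
```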

Second, use multi-factor authentication.  This uses something you know (like a password) along with something you have (like a smartphone).  Once you have set up the multi-factor authentication scheme, each time you log in you enter your password and then a 5- or 6-digit code is sent to your smartphone.  This code is only valid for a few minutes.  It can be sent by text message or delivered through an app (Authy and Google Auth are two popular ones).  You then need to enter the code on the website before it expires.  Presumably, a hacker would not have your phone.  Yes, it can be a pain sometimes, and there are workarounds should you not have your phone with you.  I use it for my important accounts (e.g. PayPal, banking).
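As an added example (not the post’s own code), the app-based variant of this scheme is normally TOTP (RFC 6238): the phone app and the website share a secret at enrollment, and each side derives the same 6-digit code from the current 30-second time step, so the code is computed on the phone rather than sent to it. The secret below is the published RFC 4226 test key, and the one-step tolerance in `verify_totp` is an assumed server policy.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" in base32); a real
# enrollment generates a random secret and shows it to the app as a QR code.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30     # seconds per time step; authenticator apps use 30
DIGITS = 6    # the "6 digit code" the post describes

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret_b32: str, at: Optional[int] = None, step: int = STEP) -> str:
    """Time-based code: the counter is simply the current time step."""
    now = int(time.time()) if at is None else at
    return hotp(base64.b32decode(secret_b32, casefold=True), now // step)

def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None,
                skew: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and `skew`
    steps either side (assumed policy) to absorb clock drift and typing delay;
    anything older has expired, which is the property the post relies on."""
    now = int(time.time()) if at is None else at
    for window in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret_b32, now + window * STEP), submitted):
            return True
    return False

if __name__ == "__main__":
    print("code for the current 30-second step:", totp(SECRET_B32))
```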

Is multi-factor authentication fool-proof?  Nothing is.  Hackers could steal the data directly from the database via a trojan horse or some other phishing exercise.  Security doesn’t guarantee anything.  Security is about minimizing the chances of being compromised.

Had the Astros incorporated multi-factor authentication, they probably would not have been hacked even if GM Jeff Luhnow was using the same password as he did with the Cardinals.

Do you use multi-factor authentication?


Your Social Media Posts are NOT Private

Last week, Gawker reported that Twitter blocked Politwoops from using its service.  Politwoops is a service from the Sunlight Foundation (dedicated to transparent government) that tracks tweets politicians delete.  Sometimes they are just “mistake” tweets (tweets with typos or accidental re-tweets), but others are politically charged or incorrect and potentially career-threatening.  Politwoops would use Twitter’s API to log politicians’ tweets and see if any of them disappeared — then publicize those.  Twitter’s statement to Gawker on the reasoning for the block:

We strongly support Sunlight’s mission of increasing transparency in politics and using civic tech and open data to hold government accountable to constituents, but preserving deleted Tweets violates our developer agreement. Honoring the expectation of user privacy for all accounts is a priority for us, whether the user is anonymous or a member of Congress.

Unless your account at Twitter (or Facebook or any other social media outlet) is set explicitly to private, all of your postings are public — literally for the world to see.  There is no privacy and there should be no expectation of privacy.  If contraband is sitting in plain sight — in public — the police do not need a search warrant to seize such contraband.

Twitter should change their policy immediately and restore Politwoops’ access.

Mobilegeddon is Here…Fix Your Websites Now!

Why is Google king of search engines?  They provide search results that are relevant to searchers.  They do this by constantly tweaking their algorithm to ensure relevant results.

Over the last 5-10 years, searches from mobile devices (smartphones, tablets) have grown dramatically and now comprise roughly 50% of searches.  40-45% of the average website’s page views are done on mobile devices.  But not all websites are designed to be “mobile-friendly.”  What is mobile-friendly?  Namely, websites that have easy navigation and button clicking for mobile devices (can be used with one finger without clicking on the wrong item), fit on a mobile device’s screen without having to zoom or scroll left-right, and do not have to load Flash (which typically won’t load on certain devices).

To keep searches relevant for mobile searchers, on April 21, 2015 Google implemented a new algorithm (colloquially dubbed “Mobilegeddon”) that will de-emphasize webpages that are not mobile-friendly when the search is made from a mobile device.  This does not impact searches from non-mobile devices.  Why is this so important?  Google controls over 90% of the mobile search market (thanks to Google producing the Android operating system and a deal with Apple to be their default search provider).  This de-emphasis does not mean a webpage will be stricken from the search results, but will likely appear lower.  Google does not publicize their algorithm details so that webmasters cannot manipulate their results.  The distant #2 player in the search field, Microsoft’s Bing (which also powers Yahoo!), has announced it will slowly roll out a similar algorithm for mobile-friendly searches.

Websites use two primary techniques for being mobile-friendly.  One is by using responsive templates.  Responsive templates resize and re-order the page to fit on the display device.  The other is by displaying a different looking page to mobile devices.

How do you know how Google views your website?  They have a mobile-friendly testing tool you can use.  Bing is developing a similar tool to be published this summer.

What can you do if your site fails Google’s test?  If you have a website operating off a CMS (content management system) such as WordPress or Drupal, update your theme to a responsive one.  For WordPress, if you have little budget or time, you could add one of the plugins that change the site for mobile devices.

If you need help with converting your website to be mobile-friendly, please contact us.  Through Labor Day 2015, I am running a special to install a mobile-friendly plugin on a WordPress site for $50.00.

Lenovo Computers pre-installed with Malware?

Forbes is reporting that Lenovo is pre-installing a piece of software on their new computers called Superfish.  Superfish is considered by security experts to be malware.


From what’s known about it thus far, Lenovo uses Superfish to place adverts into Google search results that the laptop manufacturer wants them to see. It’s a good way to make money after all.

That all sounds very innocent. But privacy advocates are concerned about how this might be used to intercept people’s traffic and be abused for more surreptitious means. For non-encrypted traffic (i.e. connections running over HTTP rather than HTTPS), Superfish is used to inject JavaScript into web pages.

But there’s a bigger concern that Lenovo is intercepting encrypted traffic so it can show ads on people’s computers. In the security world, this is known as a man-in-the-middle attack.

From a privacy perspective, this isn’t ideal. Lenovo could easily abuse this trust to spy on its PC owners.

Lenovo claims that Superfish was installed on a limited number of computers.  However, when you purchase one, how will you know if the one you purchased had Superfish installed?

How do you feel about this?  Will this make you revisit a Lenovo purchase?


To Allow Comments or Not? Realities.

When starting a website or blog, the owner of such a site must determine whether or not they will allow users to comment on pages or posts.  The upside is customer and potential customer or constituent engagement.  Social media, after all, is about being social.

The downside is significant too.  Comment spam needs to be battled, but there are plugins, modules and free services that can handle the spam.  Nasty and mean-spirited comments devalue your website.  Monitoring and culling these valueless comments can be time-consuming and expensive.  A recent Mashable article addresses the issues in a coherent manner.

The bottom line, like most things with designing and operating a website is to determine what your goals are for it and what resources you can dedicate to it.  If you are interested in a website, please contact me to discuss what we can accomplish together.