July 15, 2011 2:00 PM

LulzSec has released thousands upon thousands of hacked email logins. EmailAmbush places an "ambush" email message in your inbox which contains tempting-looking links and images which, if followed or opened, send a text message immediately to your cell phone. With your inbox acting as a skeleton key to all your other online accounts, knowing if you've been hacked is a critically important first step in preventing the compromise of ALL your online accounts.
Role: Owner
posted by Imperfect (10 comments total)

What would I do if I find out someone is in my account? Change the password while they're accessing it?
posted by Not Supplied at 1:39 PM on July 17, 2011

It didn't work with a UK cellphone anyway.
posted by Not Supplied at 12:02 AM on July 18, 2011

You certainly could change the password immediately. For a lot of installations, that would be enough to lock them out of there.

And I apologize, for now I'm only running in the USA/Canada. I'm using Twilio for the SMS alerts, and sending SMS alerts to other countries is in beta and pricing is in flux. Thus, I'm holding off on that for now.
posted by Imperfect at 7:58 AM on July 18, 2011

Sorry to be such a downer but I think your service is waaaay overpriced and I suspect you will have very few takers. Essentially what you are providing is a unique URL masked as hacker bait, that will trigger a script on your server, and generate an SMS message. Right?

In the past I've done something similar for personal use and it took less than five lines of code and five minutes to throw up on my server.

$159.99 (~170 US) for the year? Holy shit! That is more than what I pay for three years of professional online backup which currently holds 300 gigs of data and versions files every 15 minutes.
posted by babbyʼ); Drop table users; -- at 3:35 PM on July 19, 2011

I agree, and I've changed the prices significantly. I took the "hackers underprice themselves" too much to heart, I think.

The new prices are $15 for 3 months, or $45 for a full year, which I feel is a lot more reasonable.

Keep in mind though, most people can't just "write five lines of code and throw it up on their server". For one, they don't even HAVE a server, let alone have programming skills.

I mean, I pay people to fix "simple" things on my car because I just don't have those skills, while mechanics with ten years' experience find it trivially easy and just do it themselves.
posted by Imperfect at 10:42 AM on July 20, 2011

That seems a lot more reasonable.

Yes, I absolutely agree with you that most people cannot write five lines of code let alone have their own server.

However, pricing requires some perspective.

I mean, I pay people to fix "simple" things on my car because I just don't have those skills, while mechanics with ten years' experience find it trivially easy and just do it themselves.

Right, but I will not pay a mechanic $500 to change just my oil filter (even if he tells me "OMG, if you don't let me change it, it could cost you thousands in repair bills!!!") when I can get a complete oil change for $24. You are charging 10 to 20x what fully featured mature products charge consumers.

* McAfee cloud-based email protection for small-medium sized businesses (< $30 a year)
* Prey, a fully featured mobile device theft-protection software (<>
* 1Password, a terrific password management tool that can prevent email breaches ($39, one time).

Also, your product does exactly one thing and it is not necessarily a foolproof defense against an attack from any hacker. Do you really think Lulzsec is going to click through individual emails from every account they hack? They will most likely just download all of the emails (which will not trigger your alert) and then pipe all of that text through some filters to get what they want. You are talking about a one-off situation where someone is targeting a specific email account.
posted by babbyʼ); Drop table users; -- at 10:58 AM on July 20, 2011

That should be: Prey is less than $2 a month. HTML parser snafu.
posted by babbyʼ); Drop table users; -- at 11:02 AM on July 20, 2011

Lulzsec isn't even the problem. They hack into systems so that they can embarrass people publicly. More dangerous are the people who download those DB dumps and mess with the people within.

Worse still - and the real threat - are the hackers who don't publish their hacks, don't make any noise about it at all. They just break into the account and use it for their own ends. We never hear about those hackers, but they're out there and infinitely more dangerous, and THAT's who EmailAmbush is targeted against.

Also, I wasn't defending the original prices there, just the "five lines of code" comment. Sure, it's simple to you to do it yourself, but other people will pay a reasonable amount of money to have it done for them.

The trick is finding "reasonable". $170 sure as heck isn't. That's why I cut that price by more than two thirds.
posted by Imperfect at 11:20 AM on July 20, 2011

I have no interest in how this turns out so please take my comments/feedback as impartial, 3rd party observations. Here are a few final thoughts:

1. You need a better website. It looks very unprofessional and sticks out in stark contrast to contemporary websites. For example, the stock image of a cell phone receiving a text message is from the late 90s/early 2000s. It makes your site instantly dated (and people have short attention spans and will quickly move on).

2. You need to build up some credibility. No one is going to fork up $$$ for a product that could very well be run by a 14 yr old kid in Ukraine. Write up a small press kit + complimentary account and send it to tech bloggers and sites like Lifehacker and see if they will review it for you. Once you get reviewed, feature that on your front page.

3. I still think this is not really a product. This is not a reflection on your programming abilities but just that the product is not there yet. What you are offering is "I'll send you a text once all the ponies have left the barn". How exactly would an IT manager justify that expense? The first response from any manager would be, well, couldn't we put that money towards better email security? Also, anyone considering this product would be wiser to remove confidential content from the email/server and store it elsewhere if a threat like this is a real possibility.

You might also consider fleshing out the product some more. Offer your customers a control panel. Show them IP addresses that accessed the email (from referrer links), a location on a Google map, etc.
posted by babbyʼ); Drop table users; -- at 12:32 PM on July 20, 2011

I appreciate the feedback.

1) I'm at the MVP stage right now. "A better website" is definitely on the list of things to do - I just have a limited amount of time and money to sink into the project at this stage. I'm not a fan of the cell phone image either. I've changed it twice already as it's a difficult idea to get across in a single picture. You'd be surprised how few pictures there are of people looking at their phones with a serious face. Everyone's always happy or furious.

2) I'm working on exactly that. Social Proof is definitely something that makes or breaks a product, I agree.

3) I already have IP address display for users and a number of options you can set. I should probably put together a "tour" section to show this off. And my idea is that this is a part of your security package. Use EmailAmbush in addition to whatever other measures you implement.

I have some ideas towards targeting IT departments specifically, like POST hooks that would allow IT admins to register attacks and disable/suspend access, but again, limited time and money.

I definitely have to work on improving the credibility issue though, thanks for pointing that out.

(Actually, also from #3 - I think it's very rare that you'll find anyone who goes out of their way to ensure that email accounts don't contain confidential info. I mean look at Bradley Manning and the information he was able to pull out of the US Army's email files.)
posted by Imperfect at 12:51 PM on July 20, 2011
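
The mechanism discussed in this thread (a unique bait URL whose fetch triggers a server-side script and an SMS, with the source IP recorded for the owner), as an added Python example that is not EmailAmbush's code. The host name, `plant`, `handle_hit`, the in-memory registry, the cooldown, and the `notify` callback standing in for an SMS gateway call are all assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

BASE_URL = "https://tripwire.example.invalid/view/"  # hypothetical alert host
COOLDOWN_S = 600  # assumed policy: at most one SMS per token per 10 minutes


@dataclass
class Tripwire:
    owner_phone: str
    label: str
    last_alert: float = float("-inf")
    hits: list = field(default_factory=list)  # (timestamp, ip, user_agent)


REGISTRY: dict = {}  # token -> Tripwire (in-memory stand-in for a database)


def plant(owner_phone: str, label: str) -> str:
    """Create an unguessable bait URL to embed in the ambush e-mail."""
    token = secrets.token_urlsafe(16)  # 128 random bits, URL-safe, no "/"
    REGISTRY[token] = Tripwire(owner_phone, label)
    return BASE_URL + token


def handle_hit(path: str, ip: str, user_agent: str, notify, now=None) -> bool:
    """Process one GET on the alert host. Returns True if an alert was sent."""
    now = time.time() if now is None else now
    token = path.rsplit("/", 1)[-1]
    wire = REGISTRY.get(token)
    if wire is None:
        # Scanners and mistyped URLs carry no valid token: never alert on them.
        return False
    # Always keep the evidence, even when the SMS itself is suppressed.
    wire.hits.append((now, ip, user_agent))
    if now - wire.last_alert < COOLDOWN_S:
        return False  # repeated clicks must not flood the owner's phone
    wire.last_alert = now
    notify(wire.owner_phone, f"Tripwire '{wire.label}' opened from {ip}")
    return True
```

As the thread points out, this only fires when the bait link is fetched; a bulk download of the mailbox never touches the alert host.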
