I can no longer recommend MailChimp

Newsletter firm goes bananas.

Graham Cluley

Do you have a problem with spam?

I do, but perhaps not the one that you imagine.

You see, the anti-spam system I have in place does do a pretty good job of siphoning away offers to purchase fake doctorates, malware posing as attached invoices, and emails in Cantonese or Russian that are trying to sell me… well, I don’t know what they’re trying to sell me as I don’t speak those languages.


But what’s more difficult to filter out are the legitimate newsletters that bombard my inbox.

Newsletters that I never signed up for.

When you’ve been doing what I do as long as I have there are inevitably some folks who end up not liking you. Some of them might be online criminals, others may be folks who are upset about something I said on Twitter.

And a small number of these people might think it’s worth their effort to sign up my publicly-available email addresses to hundreds, no… thousands of legitimate newsletters and mailing lists that I have no interest in.

I’m not the only one who has suffered from these kinds of “email bomb” attacks – which are the equivalent of a denial-of-service attack on your inbox.

The only saving grace is that the better-managed newsletters ask you to confirm that you really really want to receive emails from them. They do this by sending a single email – normally with a clickable confirmation link – to the email address entered on their subscription form.

If you don’t respond to the confirmation email, you don’t get any follow-up emails. That’s how things are supposed to work. And it’s called double opt-in.
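The double opt-in flow described above, as an added example that is not the author's or MailChimp's code: a pending sign-up only becomes a list member when the HMAC-signed, time-limited link is clicked, and re-submitting the same address never triggers a second confirmation email. The secret key, the 48-hour expiry and the sample addresses are constructed assumptions.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo secret; a real deployment would load this from a secrets store.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed: confirmation links expire after 48 hours


@dataclass
class DoubleOptInList:
    """A mailing list that only ever adds addresses that clicked a confirmation link."""
    secret: bytes = SECRET_KEY
    ttl: int = TOKEN_TTL_SECONDS
    confirmed: dict = field(default_factory=dict)  # email -> consent record
    pending: dict = field(default_factory=dict)    # email -> issued-at timestamp
    outbox: list = field(default_factory=list)     # constructed stand-in for SMTP

    def _sign(self, email: str, issued_at: int) -> str:
        # Bind the token to both the address and the issue time so it cannot be
        # re-used for another address or after expiry.
        msg = f"{email}|{issued_at}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, now: Optional[int] = None) -> str:
        """Form handler: records a pending sign-up and sends exactly one confirmation email."""
        now = int(time.time()) if now is None else now
        email = email.strip().lower()
        if email in self.confirmed:
            return "already-subscribed"
        if email in self.pending and now - self.pending[email] < self.ttl:
            # The form was re-submitted (e.g. by an email bomber): the single
            # confirmation email already went out, so send nothing more.
            return "pending"
        self.pending[email] = now
        token = f"{now}.{self._sign(email, now)}"
        self.outbox.append({"to": email, "token": token})
        return "confirmation-sent"

    def confirm(self, email: str, token: str, now: Optional[int] = None) -> bool:
        """Link handler: verifies the token before the address is added to the list."""
        now = int(time.time()) if now is None else now
        email = email.strip().lower()
        try:
            issued_str, sig = token.split(".", 1)
            issued_at = int(issued_str)
        except ValueError:
            return False  # malformed link
        if self.pending.get(email) != issued_at:
            return False  # no matching pending request for this address
        if now - issued_at > self.ttl:
            return False  # expired: stays unconfirmed, no follow-up mail is ever sent
        if not hmac.compare_digest(sig, self._sign(email, issued_at)):
            return False  # forged or tampered token
        del self.pending[email]
        self.confirmed[email] = {"confirmed_at": now, "token_issued_at": issued_at}
        return True

    def recipients(self) -> list:
        """Only confirmed addresses ever receive campaign emails."""
        return sorted(self.confirmed)


def demo() -> dict:
    """Walk the flow: a genuine sign-up, a bombed address that never confirms, a forged token."""
    lst = DoubleOptInList()
    t0 = 1_700_000_000  # constructed fixed clock for a reproducible run
    reader_request = lst.request_subscription("reader@example.com", now=t0)
    # An abuser submits the victim's address to the form fifty times over.
    victim_results = [lst.request_subscription("victim@example.com", now=t0 + i) for i in range(50)]
    emails_to_victim = sum(1 for m in lst.outbox if m["to"] == "victim@example.com")
    reader_token = next(m["token"] for m in lst.outbox if m["to"] == "reader@example.com")
    victim_token = next(m["token"] for m in lst.outbox if m["to"] == "victim@example.com")
    return {
        "reader_request": reader_request,
        "victim_first_request": victim_results[0],
        "victim_repeat_request": victim_results[1],
        "emails_sent_to_victim": emails_to_victim,
        "reader_confirmed": lst.confirm("reader@example.com", reader_token, now=t0 + 60),
        "forged_token_accepted": lst.confirm("victim@example.com", f"{t0}.{'0' * 64}", now=t0 + 60),
        "expired_token_accepted": lst.confirm("victim@example.com", victim_token, now=t0 + TOKEN_TTL_SECONDS + 1),
        "recipients": lst.recipients(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that this still sends one confirmation email per list to a bombed address, which is exactly the "single email" ceiling the text describes; what it prevents is the unending stream of campaign emails that follows under single opt-in.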

But when it comes to the benefits of double opt-in, don’t just take my word for it.

Here’s what MailChimp, a service that I and millions of others around the world use to send out email newsletters, was saying until quite recently:

Double opt in benefits

Double opt-in adds a layer of confirmation to your signup process before adding new subscribed contacts to your list, and it has three main benefits compared to single opt-in.

  • Protection against spambots, email scams, and fake subscribers, which could increase your monthly benefit rates.
  • Assurance of valid email addresses, confirmation that your subscribed contacts want to hear from you, and an archived record of the subscriber’s consent.
  • Higher campaign open rates, and lower bounce and unsubscribe rates.

All very sensible. And a good example of why, in the past, I have recommended MailChimp to organisations and individuals wishing to send out legitimate email newsletters.

Only problem is… after years of protecting internet users from unwanted newsletter subscriptions, MailChimp has had a change of heart.

Last week it quietly revealed (I only found out by logging into my account; ironically, I never received an email advisory from them) that it would be switching its customers’ mailing lists to “single opt-in” rather than “double opt-in”.


What does that mean? It means that subscribers won’t have to confirm that they really really want to receive a newsletter. Which means that any toerag can enter your email address for a newsletter run on MailChimp’s systems that you don’t want and the onus will be on you to unsubscribe.

And MailChimp has, of course, removed the wording on its website about why double opt-in is a good thing that reduces unwanted emails and means that MailChimp users benefit from lower billing rates.

And how come MailChimp decided to change customers’ settings, and only gave them until October 31st to choose to stay with double opt-in going forward? Seven days notice is a ridiculously short amount of time, for a number of reasons – including that many of us have already got processes in place that tell subscribers to await a confirmation email, and explain how we require confirmed opt-in to avoid spam sign-ups.

You won’t be surprised to hear that many folks were less than impressed with MailChimp’s decision.

All of this adds up to one conclusion: MailChimp has gone bananas.

Evidence that MailChimp has simply not thought through this switch to the ghastly single opt-in model becomes ever more clear when you consider that double opt-in is necessary in the European Union as a proof of consent under GDPR, and expressly required in Germany.

As MailChimp acknowledges in their latest pronouncement on the issue, they were completely clueless about the implications of what they were doing.

Well, they don’t quite say that. But it does appear that they’ve realised that what they tried to do might have ummm… some legal implications:

“We made this decision after receiving a lot of feedback from EU customers who told us that single opt-in does not align with their business needs in light of the upcoming GDPR and other local requirements. We heard you, and we’re sorry that we caused confusion. Customers located in the EU will receive an email from us today to let them know how we’ve changed the plan.”

“Please know we are committed to helping our customers get ready for the GDPR. Double opt-in provides additional proof of consent, and we suggest you continue using double opt-in if your business will be subject to the GDPR.”

(By the way MailChimp, I still haven’t received the first email – let alone the one you promise here.)

So, MailChimp is turning around for lists run by European firms at least – we’ll stay as double opt-in by default.

Not that this necessarily avoids the GDPR issue however. As Marcus Bointon explained on Twitter:

That means that American businesses using MailChimp, for instance, need double opt-in if they wish to send newsletters to European citizens. Back to the drawing board MailChimp!

And you know what? MailChimp’s change of heart about switching my mailing list to single opt-in (as I’m based in Europe) doesn’t actually resolve my problem. Most MailChimp mailing lists are being switched to single opt-in, which means they will be used for email bombs, and their owners will end up paying MailChimp more money each month for all of those extra unapproved subscribers.

I complained publicly and privately, and was disappointed with MailChimp’s response.

As someone who has used and recommended MailChimp for *years* I feel massively let down by them.

Changing the settings for my own mailing list (which of course, I did) isn’t actually a solution. Sure, it stops toerags using my newsletter as an email bomb but it doesn’t stop many more MailChimp-run mailing lists switching to a system that will increase the amount of unwanted emails flying around the internet.

I can no longer recommend MailChimp. And with no other options available to me, and a company that seems unprepared to listen to its aggrieved users, the only thing I can do is switch mailing list provider and close my account.

They’ve got a few weeks to see the light and then I’ll be off.


To hear more about the MailChimp debacle, be sure to check out this edition of the “Smashing Security” podcast:

Transcript (this transcript was generated automatically, probably contains mistakes, and has not been manually verified):
CAROLE THERIAULT
Good morning, Mr. Cluley.
GRAHAM CLULEY
Good morning. Afternoon, actually. Yeah, afternoon.
CAROLE THERIAULT
Well, I just got back from Canada, you see, so I'm a bit— my timeline is all a bit messy.
GRAHAM CLULEY
You're a bit jet-lagged.
CAROLE THERIAULT
A bit jet-lagged, yes, exactly.
GRAHAM CLULEY
Guess we should get on with this.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Hi, this episode of Smashing Security is supported in part by Netsparker.

Netsparker is a web application security scanner that can automatically find security flaws in your website and fix them before hackers can exploit them.

If you want to automatically check your web applications for cross-site scripting, SQL injection, and other vulnerabilities and coding errors that can leave you and your business exposed, then you need Netsparker.

Try it out now by downloading a demo from www.netsparker.com/smashing.
CAROLE THERIAULT
This episode of Smashing Security is also supported by EnterSec.

EnterSec develops authentication and mobile security solutions that make the internet a safer place to bank and shop.

Listen to their webinar where you learn everything you need to know about the secret key to PSD2 compliance. Sign up at smashingsecurity.com/intersect. That's E-N-T-E-R-S-E-C-T.

On with the show.
Unknown
Smashing Security, Episode 50: MailChimp, Piers Morgan, and the Dark Overlord with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 50.

My name is Graham Cluley, and I'm joined as always by my good chum and co-host, Carole Theriault. Hello, Carole.
CAROLE THERIAULT
Hi, Graham. How are you?
GRAHAM CLULEY
I'm absolutely gorgeous. How are you?
CAROLE THERIAULT
Oh, I doubt that. I doubt that. Yeah.
GRAHAM CLULEY
What? Hey, episode 50.
CAROLE THERIAULT
I know. I'm very excited. I'm very excited. 50 episodes. It's a lot of work, and we did it. How many podcasts?

How many podcasts just drift off, and they just, you know, it's too much work, and they just stop, you know, giving episodes out? Yeah, we have stayed the course.
GRAHAM CLULEY
We've pumped them out. We've pumped them out every week, haven't we?
CAROLE THERIAULT
We have, we have. And they've, you know, I think most of them are very good. Well, you know, most of them are excellent.
GRAHAM CLULEY
There've been a few clangers.
CAROLE THERIAULT
There's been a few clangers. We wouldn't be— that's how people know that we're authentic.
GRAHAM CLULEY
Did you think you'd be spending the rest of your life— because this now is a marathon until our deaths, you realize this.

In fact, even after you've died, I'll probably prop you up in the chair I'll still be doing it. I'll still be— your contributions may improve. I don't know.
CAROLE THERIAULT
Weekend at Bernie's.
GRAHAM CLULEY
Exactly. We'll have little strings. So we put, "Rah, rah, rah. Yes, I agree, Graham.

Pick of the week." You know, did you think you're going to be spending the rest of your life doing this? Has this been your dream?
CAROLE THERIAULT
Well, you know what my dream is, right? My real dream has always been to be a talk radio host. So I guess in a way, a bit.

But the subject's slightly different because I would have loved, I still love, I might do it one day, be an agony aunt, right?

I'm talking late night talk radio where people call in with real dilemmas and you get to just hammer them out and help them out and also inform other people, but doing it with a bit of fun, with a bit of poke, poke.
GRAHAM CLULEY
So sort of, hi, you're through to Carole's Agony Corner.
CAROLE THERIAULT
Oh yeah, I would definitely use the sexy voice.
GRAHAM CLULEY
If you have any marital, psychological, or sexual problems, preferably, please ring up so we can discuss them live on air, that kind of thing. Yeah. Wow.
CAROLE THERIAULT
I think I'd even do it just with letters, actually. You know, just getting a problem, being able to discuss it with a second co-host. You know, Graham, we could do a spinoff.
GRAHAM CLULEY
We could. Do you think— should we ask people to send in? I mean, it's 50th.
CAROLE THERIAULT
Should we ask people to do it? And then we'll do one next week. The best one we get, we'll do on the show. And you know what? We'll send a t-shirt to whichever one we cover.
GRAHAM CLULEY
So if you've got a sexual relationship, psychological problem.
CAROLE THERIAULT
The juicier, the better.
GRAHAM CLULEY
Do we want tech support problems as well? Do we want people writing in with problems setting up their VPN?
CAROLE THERIAULT
Yeah, you can handle those.
GRAHAM CLULEY
Really? So maybe the best ones, which we read out on air.
CAROLE THERIAULT
And we can read them out anonymously, right?
GRAHAM CLULEY
Oh, of course.
CAROLE THERIAULT
Yes, yes, yes.
GRAHAM CLULEY
I mean, I don't want anyone actually submitting a question which they don't want to be anonymous. So let's face it, we want it to be pretty juicy.
CAROLE THERIAULT
But how do they do it? Yes, you have to email into .
GRAHAM CLULEY
Email in. And maybe we should offer some t-shirts. Yeah, some very exclusive.
CAROLE THERIAULT
Definitely very exclusive. I will choose the design. It's going to be excellent.
GRAHAM CLULEY
Awesome. Okay. All right. So, right to Carole's Agony Corner, a new section of the show, which will begin if anyone sends them in.
CAROLE THERIAULT
This is a great present.
GRAHAM CLULEY
Send your— hang on, send your emails. We have to tell them how to do it, Carole.

Send your emails to , or you could tweet us as well at Smashin without a G, security.
CAROLE THERIAULT
Well, direct message if you want to keep it private.
GRAHAM CLULEY
It won't be as private on Twitter, will it? You've got to be a bit careful on Twitter, Carole. I got into a bit of bother last week.
CAROLE THERIAULT
You did get into a bit of bother, and I want to hear the details because I was away in Canada and we didn't talk very much, did we?
GRAHAM CLULEY
No, we didn't.
CAROLE THERIAULT
I saw it online. So tell me what happened.
GRAHAM CLULEY
So it was Thursday night. And as you know, Thursday night, Thursday nights, what do I do?
CAROLE THERIAULT
You play chess.
GRAHAM CLULEY
Exactly. I go out to my chess club and it was a match.
CAROLE THERIAULT
Of course, it's chess. You had to get it in. You had to squeeze it in. Okay. Chess, chess, chess, chess.
GRAHAM CLULEY
50th episode. So, so I played my match and I wasn't terribly successful, but never mind. And I came out and I turned on my phone. You have to turn off your phone when you play chess.

Very serious. Otherwise you lose the match if it makes any beeps or burbles or if you cheat in the loos or something like that.

And I turn on the phone and I had been tweeted by somebody who works for a breakfast TV show here in the UK called Good Morning Britain.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
Wanting to talk about WannaCry and the NHS because there was something in the news about that again.
CAROLE THERIAULT
Okay. Okay.
GRAHAM CLULEY
And they said, look, can you come on the show? Can you come on the show? Right. Now, I've got a problem with Good Morning Britain.
CAROLE THERIAULT
No, you have a problem with its host. Let's be honest. This has been going on almost as long as I've known you.
GRAHAM CLULEY
Yeah. So the show is hosted, as we know, by Piers Morgan.
CAROLE THERIAULT
You have to say his name like that, don't you? Yeah, you really don't like him.
GRAHAM CLULEY
I really don't like him. He's very high up on my list of people I don't like.

Most people I'm all sort of ambivalent about or I like, you know, but some people really get my goat and Piers Morgan, don't like him.
CAROLE THERIAULT
So tell them what you tweeted back to them. Openly. Openly.
GRAHAM CLULEY
Well, she messaged me openly, so I thought it was okay for me to reply. So I said back, and I had just lost a game of chess, so maybe I was in a bit of a mood.

I said, hi Claire, I'm afraid every time I see Piers Morgan, I feel like I'm going to throw up a little. So I'll pass on the opportunity. Thanks.
CAROLE THERIAULT
I love how you write thanks, T-H-X. That was too long, right? It was.
GRAHAM CLULEY
It was. I've only got 140 characters. Yeah. So I said thanks with an X. But yeah, so that was that.

And I basically turned down the TV spot, which was fine with me because I didn't really want to get up at 4 o'clock in the morning anyway.

But particularly, I didn't want to see Piers Morgan's face. So that was all fine.
CAROLE THERIAULT
For about how long?
GRAHAM CLULEY
Well, for about 45 minutes. And then someone tweeted me. Piers Morgan. Yeah.
CAROLE THERIAULT
Who saw your message, your open message to the world.
GRAHAM CLULEY
Who saw my message. And he said, "Hi Graham. A, I'm currently in America. B, I've no idea who the fuck you are." Well, he didn't write fuck actually.
CAROLE THERIAULT
He wrote F star star K or F asterisk asterisk K. Yes.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
But the meaning is clear. Very clear.
GRAHAM CLULEY
The meaning is clear.
CAROLE THERIAULT
He basically responded to you in the way that you wrote about him. So this is good. Yeah. So you guys are getting all fisticuffs.
GRAHAM CLULEY
And he has, I don't know how many million followers. I don't follow Piers myself because he makes you throw up.

But lots of other people do, and they all sort of jumped on the bandwagon saying, well, we know who he is, and, you know, please stay in America, and all the rest of it.

And it was quite amusing, really. I tried not to lower the tone too much, but I thought, oh, clearly I've riled him.

And I really knew that I'd riled him when about an hour or two later, my Twitter got upgraded and he blocked me.

I haven't been blocked by many people, but now I can no longer read his tweets, which I think—
CAROLE THERIAULT
I don't blame him. I don't blame him at all. I would have blocked you too.
GRAHAM CLULEY
Oh, come on. The thing is, with people like Piers Morgan, right, they love being outrageous, don't they? They are basically like a pantomime villain.

Oh no, actually, he's worse than Simon Cowell.
CAROLE THERIAULT
He acts like a nice guy.
GRAHAM CLULEY
No, he— I don't know if he acts like a nice guy. He used to be editor of a newspaper, right, which used to expose people's private lives.

He wrote that dreadful autobiography, which Private Eye went through and said was just complete balderdash about people he claimed to have met and remembered conversations with.

In fact, they call him Piers Moron to this day. But also he was editor of one of the Mirror Group newspapers during a period when Mirror journalists were hacking phones. And it's—
CAROLE THERIAULT
He is a bit of a cockroach to still be around, isn't he? He's suffered a lot of public humiliation and attacks.
GRAHAM CLULEY
I should be clear that he has denied any involvement or knowledge that his staff were hacking mobile phones.

However, he has been on record as saying that he's listened to hacked phone calls and voicemails, one between, I think it was Heather Mills McCartney and Paul McCartney that he heard.

And he also told Jeremy Paxman, who's a sort of a bigwig here in the UK.
CAROLE THERIAULT
I think people know Jeremy Paxman.
GRAHAM CLULEY
Well, I don't know if they may not internationally, but anyway, he told Jeremy Paxman how to hack a mobile phone as well.

And this all came up at the Leveson inquiry into phone hacking.
CAROLE THERIAULT
We watched that together, didn't we?
GRAHAM CLULEY
Oh, yeah.
CAROLE THERIAULT
That's when Wendy Deng got creamed in the face. That was amazing.
GRAHAM CLULEY
I think you have to be careful how you phrase that. Anyway, so what?
CAROLE THERIAULT
I'm going to say it again. That's the time when Wendy Deng got cream-pied in the face.
GRAHAM CLULEY
Oh, yes, that's better. So anyway, the thing is, if I was on the sofa with him on Good Morning Britain, he said, so how did all these computers get hacked?

I might be tempted to say, well, you know how it is, Piers, remember when all those phones got hacked? And that would be awkward, wouldn't it?

So I couldn't go on Good Morning Britain.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
So I feel—
CAROLE THERIAULT
You enjoyed that though, didn't you? You were eating popcorn during all this. I certainly was.
GRAHAM CLULEY
I feel my dignity is preserved and I've only got Katie Hopkins left, I suppose. So we should probably be getting on, shouldn't we?

I mean, we haven't got a guest this week, but we've already been chatting for about 10 minutes.
CAROLE THERIAULT
Why don't we have a guest this week? I think people should know it's not for lack of interest, but, you know, 50 special.
GRAHAM CLULEY
Well, 50. Yeah, exactly.
CAROLE THERIAULT
And we were thinking, who would we get on for our 50th?
GRAHAM CLULEY
We've had some good people though.
CAROLE THERIAULT
We've had some great people.
GRAHAM CLULEY
It would be hard to single out someone for that special treatment to get them on the 50th. So we thought, sod them all. We won't have anyone on. It'll just be you and me.

So as always, we're going to discuss something which caught our eye this week, and I've had a bit of a rant on my blog about Mailchimp.

Now, if you don't use Mailchimp, chances are that you get newsletters from Mailchimp. It is probably the most popular newsletter email service which is out there.

It's really easy to use, nice to set up, and it has this awfully cute logo and character.
CAROLE THERIAULT
And they've been so good, right, with small companies and enterprises. So I know companies of all sizes use them as well.

So they've really tapped into the market at every single tier.
GRAHAM CLULEY
Oh yeah. You can use it for free if you don't send too many newsletters.
CAROLE THERIAULT
And they have very cute ads, right? They're a cute company. I've always thought quite fondly of them until this.
GRAHAM CLULEY
Well, because they've been promoted a lot on podcasts, haven't they? We're probably going to ruin our chances of ever getting Mailchimp as a sponsor of our show.
CAROLE THERIAULT
Oh well.
GRAHAM CLULEY
But yeah, 'cause I've got a problem with spam, but it's not the normal one that people expect, right? Normally problems with spam are Viagra ads or whatever, or Russian brides.

Those sort of things aren't a problem for me. I'm filtering those out. The specific problem that I have with spam are legitimate newsletters that bombard my email inbox.

What happens is there are people, this may surprise you, Carole, there are people out there who don't like me very much. Not just Piers Morgan.

And what they've done is they have signed me up for newsletters that I don't want. Now, that would be all right if it was one or two newsletters.

I'd be able to unsubscribe from them. But there are services online.

I'm not going to link to them or tell you the name of them, but there are services online where you can put anybody's email address and it will sign you up for tens of thousands of mailing lists.
CAROLE THERIAULT
It's so smarmy.
GRAHAM CLULEY
It's horrible because it's effectively a denial of service attack against your inbox because you can't find your legitimate emails.

And this has really disrupted my work on occasions. And I know other people who work in our space, Brian Krebs, for instance, has suffered from these kinds of attacks as well.

He's written about this in the past.

And with legitimate mailing lists, which ask you to confirm that you really want to sign up for the mailing list, it's not that much of a problem because you only ever get one email from them.

And that's a system called double opt-in. And that's what I would recommend most mailing lists do.

So a legitimate newsletter will ask you, do you really want to sign up for this newsletter? And they normally do that by sending you one email, right? And you click on the link.

And that's smashing. And that's the kind of thing which, of course, Mailchimp was doing.

And they used to have a page on their website where they said, these are all the benefits of double opt-in.

You protect against spam bots and email scams and phishing fake subscribers, and it means that your bill, your monthly bill from Mailchimp doesn't increase because you're not getting bogus people signing up.

Right?
CAROLE THERIAULT
Right.
GRAHAM CLULEY
So that's fantastic. Well, because about a week ago, Mailchimp fairly quietly announced that they were making a big change and that they were dropping double opt-in.
CAROLE THERIAULT
It's so crazy. It's so crazy.
GRAHAM CLULEY
And switching to single opt-in. Why?
CAROLE THERIAULT
So do you have— do you know why, or do you have any theories as to why?
GRAHAM CLULEY
Well, there's the reason which they're saying, and there's the truth.
CAROLE THERIAULT
Okay. I don't know the reason. Tell me the reason.
GRAHAM CLULEY
So the reason which they're saying is that they've had a lot of their customers saying, oh, it's a real pain, this double opt-in thing, because people start— bullshit!

People start the sign-up process but don't confirm. Right? And that does happen.

I'm sure there are people who don't bother clicking on the email confirmation link for whatever reason.

But of course, the other impact of that is Mailchimp doesn't make as much money because your mailing list doesn't grow as quickly.

Whereas I quite like the idea of these are people who really definitely do want to be on your mailing list. And I think what they're doing is bananas, quite frankly.

And lots of other people have been complaining as well, saying, you know, you shouldn't change the default.

And more than that, they only gave existing customers who are running mailing lists 7 days to change, right?

So they were saying you've got 7 days to prevent your particular mailing list going single opt-in, which is bad enough.

But that also means that you have to change any infrastructure which you have on your website.

For instance, on my site, if people sign up for the newsletter, they are greeted by a page saying, okay, we're now going to send you an email confirmation.
CAROLE THERIAULT
And it's a pig to change. It's a pig to change.
GRAHAM CLULEY
I would have to change that. But what are they doing changing the settings anyway? I don't want this. And furthermore, it's not just my mailing list I care about.

It's everybody else's. And the risk that other people could be putting my email address into those newsletters and I'll be starting getting even more ruddy spam.
CAROLE THERIAULT
I knew it would come back to hurting you in some way.
GRAHAM CLULEY
Exactly.
CAROLE THERIAULT
Of course. That's why you get irate.
GRAHAM CLULEY
So people started complaining, right? And I complained both publicly and privately to them.

About this, and they basically said, "Oh, just change your settings." It's like, no, no, no, that isn't a fix.

Now, what's cool is that some people have said, "Mailchimp, what about GDPR?" Yes. Yes.
CAROLE THERIAULT
Good point.
GRAHAM CLULEY
Because GDPR, as we've discussed on a previous podcast, new legislation coming into force in just a few months in Europe.
CAROLE THERIAULT
May, yeah, May 2018.
GRAHAM CLULEY
What will happen is, one of the things is that if you've got people up on your mailing list, you need to be able to say they definitely wanted to join it, right?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
That they've confirmed that they wish to subscribe to this service.
CAROLE THERIAULT
And they need to know how the data is going to be used.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
And they have access, they can actually be taken off the system completely and receive all the information that you have used on their behalf. So it's a big deal.
GRAHAM CLULEY
And companies need to have stored some kind of proof of consent that people want to sign up for this thing.

So Mailchimp clearly didn't think of this, and Mailchimp have kind of panicked, and in the last day or so they've posted up saying, "Okay, if you're running your mailing list, if you've registered your account with us from a European address, then we won't change you to single opt-in by default." That's not the—
CAROLE THERIAULT
Okay, yeah, they don't understand GDPR. Yeah, they don't understand GDPR. It has nothing to do with where you are based. It has to do with the information you have on your database.

So if you have information of any EU resident and indeed any tourist who is in the EU at the time, you can be held responsible for making sure that data is anonymized, protected, and accurate.
GRAHAM CLULEY
Right. So if someone has logged— if someone has signed up for a newsletter with, I don't know, a Gmail address, which doesn't give away your location.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Then how are they going to handle that then? Yeah. It's going to be a problem for Mailchimp, I think, and a problem for those companies who are using Mailchimp.
CAROLE THERIAULT
Do you know, Graham, do you know what this sounds like to me?
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
I bet, right? So the marketing and sales guys have these aggressive sales targets that they're having trouble to meet because it all depends when their year end is.

But if their year end is coming in April, they're going to need to up the ante. So this is a way of getting more customers, as you said earlier.

But I suspect their technology, their developers, and their security guys weren't involved at all, and they haven't been part of the discussion, and I bet they're probably screaming blue murder.
GRAHAM CLULEY
I think you're probably right, because it's probably the techies who work there, the people who sort of live and breathe mailing lists and probably feel as strongly about privacy as we do, are probably— they're probably just as annoyed about this.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
I mean, some people are saying, oh, just change your setting, Graham.

And you know, yeah, sure, I can stop toerags using my newsletter as an email bomb, but it doesn't stop many more Mailchimp-run mailing lists switching to a system that is going to increase the amount of unwanted emails flying around the internet.

That is not a good thing.
CAROLE THERIAULT
And if Mailchimp CISO okayed this, tsk, tsk, tsk. That's what I got to say.
GRAHAM CLULEY
Tsk, tsk. I'm going to go further than tsk, tsk. I'm no longer recommending Mailchimp. I'm looking for alternatives. I've lost confidence in them.

And that's a shame because for years I have been telling people Mailchimp are a pretty cool bunch, but yeah.
CAROLE THERIAULT
Well, let's see if they actually get themselves in line.
GRAHAM CLULEY
Let's see.
CAROLE THERIAULT
Let's give them one chance.
GRAHAM CLULEY
So, Carole, what have you got for us?
CAROLE THERIAULT
So I want to talk about this getting-to-be-infamous hacker group called Dark Overlord.

And you probably have heard about them because they've been in the press quite a lot this month. They've been terrorizing companies like Gorilla Glue and Netflix.

They've been terrorizing hospitals and schools. They even terrorize celebrities. And this has all been happening since June last year.

Now, in the last few days, they're in the news again for hacking Hollywood production studio Line 204.

Dark Overlord claimed to have stolen the addresses and phone numbers of celebrities.

And there, here's a quote from them: "As with all our friends who don't accept one of our handsome business proposals, we'll handle them appropriately by publicly releasing all their client data, documents, intellectual property, and other sensitive documentation."
GRAHAM CLULEY
Hang on, so Dark Overlord describe their extortion attempts as handsome business proposals.
CAROLE THERIAULT
Isn't it crazy?
GRAHAM CLULEY
It's slightly weird. It's a bit like Hans Gruber in Die Hard, you know, I am sort of a gentleman villain.
CAROLE THERIAULT
Yeah, well, don't be fooled by it because wait till you see some of the stuff they've done. It's pretty outrageously disgusting, actually. So who are these guys? We don't really know.

This could be potentially one person. It could be one person leading a group of smaller people, or it could be a group of people.

Now, the feeling at the moment is that there's probably a group involved because the writing style and mannerisms seem to change back and forth according to Motherboard.

So sometimes they're using this kind of business speak, and sometimes they're using much more direct, threatening-like speaking.

And I have kind of this interesting conspiracy theory I'll share at the end of this segment with you.
GRAHAM CLULEY
Oh, I love conspiracy theory.
CAROLE THERIAULT
Yeah, yeah, you can hold on to that.
GRAHAM CLULEY
Fantastic.
CAROLE THERIAULT
So what are these guys doing? Okay, so they're getting into networks, they are stealing very sensitive information, and they're demanding payment.

And if they don't get payment, they make their info either available for sale or they basically release it on Pastebin to cause reputational damage.
GRAHAM CLULEY
And I've actually been directly contacted sometimes by dark web hackers.
CAROLE THERIAULT
No way!
GRAHAM CLULEY
Oh yeah, absolutely.

So what they do is they will contact journalists and security bloggers and say, "Hey, we've hacked this company, here is the data that we've stolen from this company if you want to write about it."
CAROLE THERIAULT
And I hope you haven't.
GRAHAM CLULEY
And well, no, I haven't. I've told them to bog off because I'm not prepared to help them extort money from companies.

I don't mind writing that a company has been hacked, okay, because that's just reporting the news.

But what I'm not going to do is act like some kind of accessory to assist them in their blackmail.

And what they've sometimes done is they've emailed me and say, "Oh, pay particular attention to this spreadsheet or this Word document because there's some really juicy stuff in here you may want to report on." It's like, no, I won't do that because you're a bunch of old scumbags.
CAROLE THERIAULT
Fuck you very much. Exactly.
GRAHAM CLULEY
As we say.
CAROLE THERIAULT
Okay, so who else has been attacked by these guys, right? So currently they're after celebrities. But last week they went after a London Bridge plastic surgery clinic.

And the clinic, of course, has some famous celebs that use their services. And the clinic actually confirmed that data was stolen last week. So—
GRAHAM CLULEY
And do you know what they took? Did you hear about this? They took before and after photographs of people getting surgery.
CAROLE THERIAULT
And they're threatening to release these.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Now think about it from, let's just take a pause here. Think about it from the point of view of the customer, right?

So let's say I have had plastic surgery and I've got before and after pictures at the London Bridge Plastic Surgery Clinic.
GRAHAM CLULEY
Okay, so I'm imagining that you're going in for some fairly major plastic surgery. That's what I'm picturing. Okay, you picture it. Let's face it.

There's the bum, there's the legs, there's the nose. There's the— everything, frankly.
CAROLE THERIAULT
You're freaking outrageous.
GRAHAM CLULEY
I'll tell you who's got the most surgery out of the two of us. It's a real overhaul that's required. So you've spent a lot of money already with this plastic surgeon.

Is that correct, Carole?
CAROLE THERIAULT
That's right.
GRAHAM CLULEY
That's right.
CAROLE THERIAULT
I spent a ton of money and now I'm out in the— I'm outside showing off all my— and the thing is, right, if I hear about this, am I not going to call that surgery and say, pay up?

There's no way we want this information out.
GRAHAM CLULEY
To be honest, I'd pay them because I wouldn't want to see the photographs either.
CAROLE THERIAULT
Malware.

So, you know, people that are getting themselves in this position have a lot of trouble, you know, because not only are they being threatened by the hackers, they're also being threatened by their client base.

This happened last week.

And again, earlier this month they targeted schools, okay, in Ohio, Montana, Texas, trying to scare the snot out of some parents, okay, by sending personalized text messages from their kids' numbers.
GRAHAM CLULEY
Oh, so they're faking text messages which appear to come from kids?
CAROLE THERIAULT
Yes.

So they had student names and addresses and telephone numbers and they pretended to send texts from the kid, using the kid's number, sending texts to parents with messages like, "Your child is still so innocent.

Don't have anyone look outside."
GRAHAM CLULEY
What, why are they doing this? What's the purpose?
CAROLE THERIAULT
Well, they're doing this to try and show that they have the information. So there's two things here, right?

Once they've attacked a school and they've stolen the information, they need to prove that they have what they say they have.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
And this is one way of doing that and ensuring that they cause the school to go into meltdown with parents running in and going, "What the heck is going on?" And it also helps their cause of getting payment.
GRAHAM CLULEY
Yeah, parents are gonna get pretty bolshy.
CAROLE THERIAULT
Right, and I bet you some parents are asking for them to pay in order for this information not to get out, which is, I can see where they're coming from, but there's a real problem with payment.

Anyway, and it gets much grosser than this.

So the schools that did not pay up were rewarded by having the data of these students, so this is student names, addresses, and telephone numbers, pasted on Pastebin.

And they even tweeted, right, that any child predator can now easily acquire new targets and even plan based on grade level because of the data dump that they put on Pastebin of students.

It's disgusting.
GRAHAM CLULEY
Wow, that's pretty tacky even by toe-rag hacker standards, right?
CAROLE THERIAULT
So the first thing I want everyone to remember, it's do not think these guys are businessmen or are acting in accordance with any professionalism.

In another attack that they did, they sent a message to one of the children of the victims saying, "Tell your mother and father we have all their research and development and we plan to destroy their company unless they cooperate with us." And then they finish it with, "Oh, and happy belated birthday by 2 months and 11 days." You know, sometimes I think if you are a young person and you're caught for hacking and you're sent to jail, that must be horrendous and it's gonna mess up your life.
GRAHAM CLULEY
It must be a horrible experience, even if you've done something wrong. Other times I think, you know what, they need to be hung up by their goolies.

And these guys are such— whether it's one guy or whether it's a group, the Dark Overlords really are scumbags, aren't they?
CAROLE THERIAULT
Yeah, I mean, they're saying the reason they're doing this, you know, why attack schools and threaten kids?

They told the Daily Beast, we're escalating the intensity of our strategy in response to the FBI's persistence in persuading clients away from us.

So they're kind of trying to blame the FBI for this, which is also ridiculous.
GRAHAM CLULEY
Sounds like the truth is they're finding it harder and harder to get people to pay up, which, you know, good thing, isn't it?
CAROLE THERIAULT
That is a good thing. The sad thing here, however, is that companies really need to step up their security here.

Because the victims are— it's going to hurt, obviously, the company, but it also hurts the people that entrusted them, right?

If I entrust my data to a company, I want them to look after it. And they, I'm sure, give me all kinds of marketing messages telling me how secure their data is.

But as we don't know how Dark Overlord, they don't seem to be following the same protocol as to getting in. So how do you fight back?

And this means things like data anonymization, strong encryption, safe computing practices like multifactor authentication, VPN, strong passwords, as well as things like traffic and network monitoring, antivirus.

I mean, there's loads of things.

But, you know, companies really need to take this stuff seriously because while I'm not blaming them, they are victims too, they have basically effectively promised to make sure they look after our data.
GRAHAM CLULEY
At the very least, make sure that you are covering the basics because a lot of hacks are actually really quite rudimentary.

It may be a simple phishing attack, which is grabbing a password, allowing the hackers to gain access to your network and steal your database.

Or maybe you've been one of these companies which has made the mistake of leaving your database lying around on an internet-accessible web bucket, as we've spoken about in the past.

You know, those sort of simple mistakes are happening all the time, and that is making life too easy for groups like the Dark Overlord.
CAROLE THERIAULT
Yeah. So I was looking in, I was thinking the Overlord name, right? So here's my little conspiracy theory.
GRAHAM CLULEY
Oh, good. Yeah.
CAROLE THERIAULT
So I was thinking Overlord, and I did a bit of Googling, and because I remembered a game called Overlord. It was a role-playing video game that came out in June 2007. Okay?

Now let me describe the game.

Overlord is set in a fantasy world where the player takes the role of a resurrected warrior simply known as the Overlord, who has control over hordes of gremlin-like creatures that they call minions.

Now, the game features a corruption feature similar to that of the Fable games, for anyone out there who's a gamer. It allows the player to be evil or be really evil.

And in the game, you're trying to perform some of the deadly sins that are out there.

So couldn't it be that these guys were actually fans of this game and decided to play it for real?

Because some of the tricks here are really, really disgusting and dirty, and it's almost as though they set up a playground to try and do things that are just so outrageous.

And they're going after press, they're going after kids, they're going after celebrities. There's no rhyme or reason to their approach other than do awful, awful things.

For money, for payment. So I don't know. I wonder if they're playing this anti-hero role for real as real game.
GRAHAM CLULEY
Hmm. I don't know the game, I'm afraid. So, I mean, anyway, there you go, FBI agents, if you need any clues. That's your clue. Okay. Oh, I'll have a guess as well.

So the name Overlord, I'm thinking, okay, over, we get overs in the game of cricket, don't you? And Lords is a famous cricket ground. So it could be someone who likes cricket.
CAROLE THERIAULT
You take the piss.
GRAHAM CLULEY
Well, there you are then. It must be cricket.
CAROLE THERIAULT
Yes. Well, all the messages I've seen certainly seem to be English as a first language. You know, there's a lot of—
GRAHAM CLULEY
Well, there you are then. It must be cricket.
CAROLE THERIAULT
It must— not English. I don't mean English British. I mean English speaking, English speaker of a language.
GRAHAM CLULEY
Well, that's narrowed it down.
CAROLE THERIAULT
That's narrowed it down.
GRAHAM CLULEY
Good luck, FBI. Fantastic. Yeah, yeah. There you are, FBI. We've helped you. Fantastic. I think we should get Robert Mueller on the case. He's quite good at uncovering stuff.

Get him on the Dark Overlord. Okay. Let's find out who our sponsors are this week.
CAROLE THERIAULT
This episode of Smashing Security is supported in part by Entersekt. PSD2 is a European directive that requires banks to provide communication interfaces to third parties.

And PSD2 is less than 4 months away. Institutions are under immense pressure to meet its key requirements of open access and strong customer authentication.

The danger is that when you expose an API to third parties, there is always the potential for fraudulent transactions.

Entersekt develops authentication and mobile security solutions that make the internet a safer place to bank and shop. Listen to their webinar at smashingsecurity.com/entersekt.

That's E-N-T-E-R-S-E-K-T, and you will learn everything you need to know about PSD2 compliance.
GRAHAM CLULEY
This episode of Smashing Security is also supported in part by NetSparker, the web application security scanner that can automatically find security flaws in your website and prevent hackers from exploiting them.

Check out NetSparker by downloading a demo from www.netsparker.com/smashing. On with the show.
CAROLE THERIAULT
Ding-a-ling, bing-bing.
GRAHAM CLULEY
Welcome back to the show. And it's that time of the show when we say it's Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
50th episode.
CAROLE THERIAULT
50th pick. It's not the 50th pick of the week though.
GRAHAM CLULEY
No. All right. But it's the 50th episode anniversary edition of Pick of the Week. And Pick of the Week is where we choose something that has tickled us in the last week.

Doesn't have to be security related, Carole. It could be a funny story, a book that we've read, a TV show. It definitely should not be a movie.
CAROLE THERIAULT
I'm not bored of that joke yet. I'm not bored of it.
GRAHAM CLULEY
No, I— hey, Carole, it's basically a meme. We're going to keep on doing that, right? It's a bit like me saying hello, hello at the beginning of the podcast.

You have to do these kinds of things. So I have got a Pick of the Week for you, Carole, and I've put a little link in our document here.

So click on this and I will show you what my pick of the week is.
CAROLE THERIAULT
Clicking on the link.
GRAHAM CLULEY
And it will take you to a Reddit channel called Saved You a Click. You know, one of the things which I really don't like are those clickbaity.
CAROLE THERIAULT
Clickjacky.
GRAHAM CLULEY
You know, those headlines which you get in the press. Yeah. You won't believe blah, blah, blah, blah, blah. You're not, but you know what happened after.

Well, the whole point of this page Oh, I love it. Is it tells you, I thought you'd like it. It tells you both the headline and then it tells you what it's about.

So it saves you clicking on it. Yeah. So I'll give you some examples, right? Yeah. There's a football-related one.

John Laydon, who was on the show the other week, would've liked this and he'll actually know who these people are, whereas I don't.
CAROLE THERIAULT
If he listens.
GRAHAM CLULEY
What happened when Luis Suárez asked Lionel Messi to take a free kick versus Bilbao? Then it gives you the answer. It says he let him take it. You don't need to click on it.
CAROLE THERIAULT
So this is where titles are kind of designed not to give you any information, but get you to click on it so that you can read.

And they'll often not even give you the answer in the first few paragraphs. They'll bury it low down and make it hard to find. So it all depends on how enticing the headline is.

And I'm with you, they're really annoying.
GRAHAM CLULEY
And they're designed to pique your interest. So this woman sent the Obamas a wedding invite and their response was priceless.

And then it says, the Obamas sent them a congratulatory letter, and apparently they do this all the time.
CAROLE THERIAULT
I like this one. I'm just reading here. There's one here. It says, girl buys thrift store dress for $5, starts victory dance and reveals it's not a dress at all.

The answer: it's a pantsuit. Love it. Love it.
GRAHAM CLULEY
Love it. So I think there is also a similar Twitter account, which is regularly posting sort of saved you a click messages as well, which are worth checking out. Here's another one.

Google CEO says the company will drop everything on Monday to fix this glaring error on its cheeseburger emoji. But can you tell what it is?

And the reason is that only Google's burger emoji has the cheese underneath the patty.

And I knew about this one already because apparently Fox News was covering the story quite heavily on the day when Paul Manafort was indicted by the FBI.

They were talking much more about the burger emoji rather than that.
CAROLE THERIAULT
I'm surprised you didn't use Send Me Roger Stone, that documentary that I think you watched as well, didn't you?
GRAHAM CLULEY
Oh yes, Get Me Roger Stone.
CAROLE THERIAULT
Get Me Roger Stone, that's what it's called. That is good.
GRAHAM CLULEY
It was on Netflix or something, wasn't it?
CAROLE THERIAULT
I just sneaked another Pick of the Week in. But yeah, it's really good.
GRAHAM CLULEY
Greedy on the Pick of the Week, Squirrel. And it isn't yet your turn for Pick of the Week. But now I'm going to hand over to you because that was my pick of the week.

And let's hear your pick of the week.
CAROLE THERIAULT
Well, I have two picks of the week.
GRAHAM CLULEY
Oh my God, what? As well as that one?
CAROLE THERIAULT
No, no, they're worth it, they're worth it. You're worth it.
GRAHAM CLULEY
All right, okay, okay.
CAROLE THERIAULT
Number one, okay, it's called the Pencil Grip. I will put a link in the show notes. Graham, take a look. Okay, this is one of the most tactile, beautiful things ever made.

I only discovered them from my friends Thom and Lizzie. They have kids. I think they are for kids, but I don't care. I'm using them now. They're kind of this spongy, plasticky, right?

I don't know. And it just holds your finger. So I have a pencil grip.
GRAHAM CLULEY
What is a pencil?
CAROLE THERIAULT
Well, you kind of grip it when you write, and it's supposed to be to help children, right, when they're first starting to write, because it's a little bit fatter and it has these grooves in it so your fingers don't slip up and down the pencil shaft.
GRAHAM CLULEY
So you slot the pencil through the pencil grip. Yeah, and it fattens it up.
CAROLE THERIAULT
Are you trying to make this salacious?
GRAHAM CLULEY
No.
CAROLE THERIAULT
Okay, good. So it is a wonderful thing, and I have a little bump, a little writing bump on my middle finger, right? Because I do a lot of writing.
GRAHAM CLULEY
You could get that sorted out, Carole, when you get your plastic surgery.
CAROLE THERIAULT
Well, I should. Or I can just use the pencil grip. So I say if your kid is learning how to write, it's a brilliant thing.

If your kid's left-handed, it's great too, depending on which side you put it on. It can be good for lefties and righties.

They're cheap, they're lovely, and I think they're just a fantastic little item. All right, there is pick number one.

All right, Graham, I have two, so I'll give you one and you can check it out.
GRAHAM CLULEY
Oh, okay. All right, thank you.
CAROLE THERIAULT
Number two, this is the— now, you know, people out there who know me know that occasionally I partake in bad habits. One of which—
GRAHAM CLULEY
One of which, how long have we got?
CAROLE THERIAULT
Oh, we've got a long— Don't worry, we're going to plan to go away. I'll give away one. One of which is occasionally I a cigarette. I know it's true. It's an adult show, adult show.

Now someone, actually my cousin Devin and her husband Ken gave me this lighter called Ignite. And this is a rechargeable flameless lighter.

And it charges by USB, micro USB, and you click the little button. I'm gonna put it right near the microphone now so you can hear it.

See if you guys can guess what it is before I tell you. You hear that?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
It's a little mini bug zapper.
GRAHAM CLULEY
Oh, it's a little electrical charge, from a Frankenstein movie.
CAROLE THERIAULT
Yes. Now I looked this up on Amazon and it only has three stars. Loads of people are complaining, say theirs don't work. So I don't know if I can fully recommend or if I got lucky.

Right. But, you know, hey, who knows? I mine. Mine works perfectly. If you're a proud geek, you should get yourself one of these or something similar.

And then you can go and light people's cigarettes when they're out in a pub, enjoying a naughty fag.
GRAHAM CLULEY
I can't believe you're recommending this when it doesn't appear that it's actually connected to the internet as well. I think that's what you need.
CAROLE THERIAULT
What?
GRAHAM CLULEY
You need a rechargeable USB cigarette lighter.
CAROLE THERIAULT
A smart lighter so it can tell me how much I smoke.
GRAHAM CLULEY
Well, it could do that. And also potentially it could be hacked remotely. Wouldn't that be great?
CAROLE THERIAULT
Yes. And then a huge flame could come out instead of a tiny one. It could give a whole burst of inspiration.
GRAHAM CLULEY
It could encourage you to stop smoking with the thought that at any point a huge flame could come out as you try and light it in front of your cigarette.
CAROLE THERIAULT
Maybe we could find something to stop you eating burgers.
GRAHAM CLULEY
Maybe those emojis would stop me putting the cheese in the right place.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
Got a bit catty there, didn't it?
CAROLE THERIAULT
Oh yeah, just got catty. Just got catty.
GRAHAM CLULEY
Yeah, after 50 episodes. Well, I think that just about wraps it up for this week. Carole, thank you for joining me on—
CAROLE THERIAULT
Joining you on our show?
GRAHAM CLULEY
On 50— No, well, oh goodness. Carole, thank you. You've been here for 50 episodes. I've been here for 50 episodes.
CAROLE THERIAULT
High five to us.
GRAHAM CLULEY
High five to us. Isn't that brilliant?
CAROLE THERIAULT
And high five to our listeners, because honestly, if we didn't have any— But we've been growing and it's exciting and we're getting more messages and we love getting them.

You know, it's a lonely business sometimes doing a podcast.

You know, you're in the studio, you're editing, you're researching, you're publishing, and it's really nice to get some feedback. So thank you to everyone who gets back to us.
GRAHAM CLULEY
And thank you as well to all those great companies who've been sponsoring the show as well. It's terrific to get your support.

If you want to support the show even more, you can tell your friends about it. You can follow us on Twitter.

You can send one of your sexual or relationship problems to Carole's Agony Corner.
CAROLE THERIAULT
Do that. I forgot about that. Brilliant. I love that. And of course, subscribe to the show.
GRAHAM CLULEY
Absolutely.
CAROLE THERIAULT
Subscribe to the show. We're worth it.
GRAHAM CLULEY
I guess that's it. Normally I sort of thank our guest at this point, but we didn't have a guest this week.
CAROLE THERIAULT
Well, thank you, Graham. Thank you, Graham, very much.
GRAHAM CLULEY
Thank you, Carole. And until next time, cheerio. Bye-bye.
CAROLE THERIAULT
Stay secure out there, guys. Oh, there you are. Do you think we need guests? Well, maybe we don't need guests.
GRAHAM CLULEY
Sometimes we need a guest to pull us apart a bit, I think, because sometimes things can get a little bit ugly.
CAROLE THERIAULT
That's true, that's true. We did get close to the murky waters this time.
GRAHAM CLULEY
It was—
CAROLE THERIAULT
I didn't actually push or shove you in.
GRAHAM CLULEY
And some of our guests have been fantastic.
CAROLE THERIAULT
That's true, some of our guests have been amazing.
GRAHAM CLULEY
A few of them have been, you know— Hey, you know what someone said to me the other day? What's going on with the shower? Because we had the problem with the shower, didn't we?

And I thought the problem had gone away because I upgraded my phone to iOS 11. And for a while it stopped FaceTiming you every time I have a shower.
CAROLE THERIAULT
And it's true, it didn't FaceTime me for ages. And then—
GRAHAM CLULEY
But then I went to a hotel and it FaceTimed you again.
CAROLE THERIAULT
Am I in your favorites list, maybe?
GRAHAM CLULEY
You are one of the people who I FaceTime most often.
CAROLE THERIAULT
No, no, I understand that. There's this option, I think, to say this is a favorite person in FaceTime. And not a favorite, but one of my favorites.
GRAHAM CLULEY
Yeah, I was about to say, hashtag awkward. You're not one of my favorites, Carole.
CAROLE THERIAULT
Okay, that's, no, no, I was thinking if you— I know I am one of your favorites for real, but if I'm not listed in your phone, then that takes my theory away.

Anyway, you haven't done it in ages and I'm very grateful.
GRAHAM CLULEY
Let's move on. Bye.
CAROLE THERIAULT
Bye.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

24 comments on “I can no longer recommend MailChimp”

  1. Chiny

    Ah, that explains why I have started getting extra spam. I've looked at the headers and can see
    several MailChimp X-headers. Tricky to filter on those headers, if real mailing lists still use MailChimp.

    I did try:
    X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=etcetc
    but that URL was useless; surprise, surprise.
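
    The filtering problem the comment above raises (MailChimp headers are easy to spot, but blocking on them also blocks the lists you genuinely subscribed to) can be handled with an allow-list rather than a block-list. The following is an added example written for this page, not the commenter's own filter and not MailChimp code. It keys only on the X-Report-Abuse header quoted above, matching the mailchimp.com abuse URL it contains, plus the standard List-ID header (RFC 2919). The allow-list of List-ID values and the three sample messages are constructed for the example; real MailChimp List-ID values will differ.

    ```python
    """Header-based triage for bulk mail sent through MailChimp.

    Added example, not code from the page or from MailChimp. Mail that
    carries MailChimp's abuse-report header is delivered only if its
    List-ID is on a per-user allow-list of confirmed subscriptions; any
    other MailChimp campaign (a list you never asked for) is quarantined.
    Non-MailChimp mail is left for the rest of the filter chain.
    """
    import re
    from email import message_from_string
    from email.message import Message
    from typing import Dict, Optional, Set

    # Substring of the abuse URL seen in the X-Report-Abuse header quoted on the page.
    MAILCHIMP_ABUSE_MARKER = "mailchimp.com/abuse"

    # Hypothetical allow-list: List-ID values of newsletters actually subscribed to.
    ALLOWED_LIST_IDS: Set[str] = {"weekly.example-news.com", "abc123.list-id.mcsv.net"}

    # List-ID is usually "Display Name <identifier>"; we want the identifier.
    LIST_ID_RE = re.compile(r"<([^>]+)>")


    def list_id(msg: Message) -> Optional[str]:
        """Return the bare, lower-cased List-ID identifier, or None if absent."""
        value = msg.get("List-ID")
        if not value:
            return None
        m = LIST_ID_RE.search(value)
        return (m.group(1) if m else value).strip().lower()


    def sent_via_mailchimp(msg: Message) -> bool:
        """True when the message carries MailChimp's abuse-report header."""
        return MAILCHIMP_ABUSE_MARKER in (msg.get("X-Report-Abuse") or "")


    def classify(raw: str, allowed: Set[str] = ALLOWED_LIST_IDS) -> str:
        """Return 'deliver', 'quarantine' or 'not-mailchimp' for one raw message."""
        msg = message_from_string(raw)
        if not sent_via_mailchimp(msg):
            return "not-mailchimp"
        lid = list_id(msg)
        if lid is not None and lid in allowed:
            return "deliver"
        # MailChimp campaign from a list that was never confirmed: hold it.
        return "quarantine"


    # Constructed sample messages (headers plus placeholder bodies).
    WANTED = """From: news@example-news.com
    To: victim@example.org
    Subject: Weekly digest
    List-ID: Example News <weekly.example-news.com>
    X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=111
    Content-Type: text/plain

    digest body
    """

    UNWANTED = """From: promo@unrelated-shop.example
    To: victim@example.org
    Subject: Thanks for signing up!
    List-ID: Unrelated Shop <zzz999.list-id.mcsv.net>
    X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=222
    Content-Type: text/plain

    promo body
    """

    PERSONAL = """From: friend@example.net
    To: victim@example.org
    Subject: lunch?
    Content-Type: text/plain

    lunch body
    """


    def triage_samples() -> Dict[str, str]:
        """Classify the three constructed samples and return name -> verdict."""
        return {name: classify(raw) for name, raw in
                [("wanted", WANTED), ("unwanted", UNWANTED), ("personal", PERSONAL)]}


    if __name__ == "__main__":
        for name, verdict in triage_samples().items():
            print(f"{name}: {verdict}")
    ```

    Two caveats a practitioner would want: the abuse header is added by the sending side, so a campaign sent through a different provider, or a message with the header stripped, will not match and falls through to the rest of your filters; and the allow-list is only as good as your record of what you actually confirmed, which is exactly the record double opt-in would have given you.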

  2. Andy

    They also have a pretty bad security problem at the moment with accounts getting hacked and used to send phishing emails. They're refusing to acknowledge or address the issue.

  3. Marcus

    The way to solve this is to set up a filter that bounces all that junk from Mailchimp right onto their CEO's inbox. I guarantee all mailing lists will default back to double opt-in within a day or two.

  4. Dave Lane (@lightweight)

    We've moved to Mautic. It's open source, so you can either use a commercially hosted version at mautic.net, or if you prefer (we do) host your own. Here's how we do it: oer.nz/mautichowto

  5. SG

    Thanks for this interesting post.
    I moved away from MailChimp a while ago when they discontinued their transactional email service (Mandrill) and added it as a MailChimp add-on.
    I didn't like it so I looked around and have been using Sendy since then. It's a self-hosted newsletter app based on Amazon SES; it's been great so far.
    Maybe it'll suit you

  6. David L

    How to reach financial ruin in one easy step,…..
    Cause harm to your user base! It's a sinking ship, their desperate move cries "Money Troubles" and most people will flee the "Sinking Ship".

    Many of these tech start-ups try to grow way too fast, lack the proper management skills, and experience, hence, failure after the investment capital is gone.

    1. eric · in reply to David L

      Puzzling thing here is that prior to this Mailchimp were the poster-children for sensible growth.

  7. Mailchimp CS/L

    Actually, GDPR applies to any company that handles data regarding persons who are in the European Union, regardless of citizenship, regardless of where the company is incorporated, etc.

    Please don't spread fake news.

    See article 3 below:

    Article 3

    Territorial scope

    1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
    2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    (a)
    the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
    (b)
    the monitoring of their behaviour as far as their behaviour takes place within the Union.
    3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

    1. eric · in reply to Mailchimp CS/L

      Bointon's tweet says this: " #GDPR applies to subscriber location, not account owners"

      Which appears to be consistent with what you're saying.

  8. Stuart Rock

    Very interesting article, Graham. Thank you.

    Of course it begs the simple question: which mailing list provider will you be moving to?

    1. Graham Cluley · in reply to Stuart Rock

      Well, if you sign-up for my newsletter you'll find out soon enough. ;)

      But bear in mind that my requirements may be quite different from those of a business regularly using email to keep in touch with its customers. It's not going to be a "one size fits all" solution would be my guess.

  9. KL

    Let's sign up mailchimp for some newsletters!

  10. Jason

    I have switched over to AWeber a few months ago from MC and seeing this just solidifies why I won't go back. Plus I like the one on one attention I get from AWeber's support reps.

    Drew on the AWeber team is super helpful. If anyone else is looking to switch I would definitely recommend working with him!
    https://www.aweber.com/drew.htm?id=475441

  11. The Shark

    Mail Chimp bros are the most self righteous dudes in Atlanta.

  12. Andy

    Hi Graham,

    Mail Chimp sent our company a notification of the change and then they back-peddled a couple of days later with this…
    ————

    Last week, we sent you an email announcing that MailChimp is adding single opt-in as an option and making it the default setting in new and existing lists.

    However, because your primary contact address is in the EU, your existing forms will remain double opt-in. You can change your lists to single opt-in on the Signup Preferences page at any time. After November 3, you'll also be able to make that change in each list's settings.

    We made this decision after receiving a lot of feedback from EU customers who told us that single opt-in does not align with their business needs in light of the upcoming GDPR and other local requirements. We heard you, and we’re sorry that we caused confusion.

    Please know that we’re committed to helping our customers get ready for the GDPR. Double opt-in provides additional proof of consent, and we suggest you continue using double opt-in if your business will be subject to the GDPR.

    For more information on why MailChimp is making changes to our opt-in choices, read our blog post.

    Please reply to this email if you have any questions.

    1. Graham Cluley · in reply to Andy

      That is, sadly, evidence of another fail by MailChimp.

      GDPR cares little about where your company is based in the world, but rather where your users/customers are located

      In this case, the relevant information will be where email subscribers are located – not where companies creating MailChimp accounts are located.

      This is likely to bite both MailChimp and MailChimp customers in the bottom (as well as us poor email users, of course)

      1. James Manfield · in reply to Graham Cluley

        But how enforceable is GDPR, really, against companies with no nexus in the EU other than having customers there?

  13. Antoine

    That's a great article, and a shame for MailChimp. I'm in Canada, so I use Cyberimpact, which is built to follow the C-28 law (Anti-Spam Legislation). I don't know if it follows the GDPR exactly, but it probably does a good part of that.

  14. Tony Sagar

    Don’t be fooled this is a rant masquerading as a legitimate article.

    I have no problem with MailChimp's new policy. As long as every single email has an opt-out for the end-user, it takes no more than a few seconds.

    Let me give you a perfect example, and this has nothing to do with MailChimp. Many times I've made purchases from many websites but have not signed up for their newsletter or flyers. Just from the simple fact of making a purchase, I get these promotional flyers. I have the option to opt out at any time. I'm not offended; since I already showed interest in that particular company or product, it's legitimate that I might be interested in additional offers or information despite the fact I did not opt in.

    What really offends me is any spam email where I do not have this opt out feature.

    1. Graham Cluley · in reply to Tony Sagar

      You've clearly never been mail-bombed.

      What you describe doesn't scale to the scenario I describe: when you've suddenly been added to 10,000+ mailing lists which only had single opt-in.

    2. Matt King · in reply to Tony Sagar

      The problem with this is that a lot of spam emails use the unsubscribe option to confirm that your email is in fact legit and active. Your email is now more valuable and added to even more lists.

  15. Beth

    Double opt-in isn't a requirement but automatically updating everyone's preferences to single opt-in doesn't seem fair. We've informed all our current and new clients of the double opt-in options and give them the choice of what they want to do – though we do highly recommend it as best practice at mmunic mail. An extra level of consent is recorded and it ensures the data going into the lists is good quality. I wonder if they'll release further reasoning for this decision?

  16. Lonster

    GDPR will have an impact on the number of emails that companies send. Many companies will have sent an email prior to the GDPR coming into effect asking their subscribers to re-consent if they wish to continue receiving marketing emails.

    Now consider this…let's say a company has 10,000 subscribers on its email marketing list. It sends an email prior to GDPR (25.05.2018) asking for re-consent. Let's say only 50% (optimistic) of recipients actually open it and of those only 50% click on the re-consent option.

    So from 10,000 subscribers only 5,000 actually opened the email. Of those 5,000, only 2,500 re-consented. So from an original email marketing list of 10,000, this example company is now down to just 2,500 re-consenting subscribers, a loss of 75%. So this company will now be sending 75% fewer emails through Mailchimp, and that is why Mailchimp decided on single opt-in. Their revenues will no doubt be hit by this.

    We are now seeing the effects of GDPR coming into play, resulting in fewer emails, fewer display ads, etc. It's a hardship for any company with an EU user/subscriber base.

  17. Jason Michael

    What strikes me most about Mailchimp is how 'unprepared' they are for GDPR. Chaos has reigned for my account. 90% drop-off for subscribers? That's not Mailchimp's fault, but just getting the software to function correctly is a nightmare. Entire lists of new subscribers are deemed 'stale addresses', the segmentation of people who opted in and didn't is incredibly sloppy, and Mailchimp's attempt at managing the whole process is one long article that simply does not stack up. I've been in contact with support, who have been bordering on useless, and when probed to give simple answers to how Mailchimp now functions they fall back on 'Contact a lawyer'. The only explanation I can think of for a company as large and tightly focussed as Mailchimp to be so 'caught with their pants down' about this issue and utterly useless in helping adjust to it is the fact it has instantly chopped their revenue stream (subscribers), so they're playing dumb in the hope people will just stick with the old (higher subscriber) ways for as long as possible.
