SeanBluestone.com

Sales Page Bullsh*t Busted

3. Quick, Buy Now!! Only 37.. 34.. 28.. 23 Copies Left!

The Pitch: The idea here is that only limited stocks of the product are available! You’ll have to be quick and buy before they’re all gone! When the product is an ebook or digital download, where limited sales are not realistic, you might see a back story about how “this incredible new programme is going to totally dominate Google and put SEO out of business, that’ll lead to Google fighting back and closing this loophole down! To prevent this, we’re only giving away 52.. 47 more copies!!”

The Scam: These claims are very rarely legitimate. The purpose is to create a sense of urgency: if you don’t buy now you won’t have a second chance. This is because a long time ago salespeople learned that if the reader doesn’t buy on impulse the first time they read your sales pitch, they are very unlikely to come back. A commonly used method for this trick is to install a little JavaScript or PHP script that tracks the visitor’s IP and generates a new countdown timer for that IP with a message like “$20 off if you buy in the next 24 hours!”. Inevitably, if you come back 24 hours later the message will have reset. Because of this, you usually only see it on the sales pages of relatively small or unknown sales guys who aren’t worried about their reputation.

2. Testimonials

“Your Bluestone Brand Buttscratcher Saved My Life!”
Mrs. F. Icticious

The Pitch: Testimonials are a quick and easy way to add the appearance of credibility. The idea is that the testimonial comes from an outside or third party source or a customer who was so pleased with the amazing product that they just had to let the sales guy know how much the product helped them make buckets of easy cash. All lending to the idea that this is an unbiased review of the amazing product.

The Scam: The vast majority of testimonials on sales pages are offered during the product testing phase and follow a pattern where the product owner offers a free copy of the product in return for a testimonial. This is typically done on a forum and immediately biases the recipient towards writing a positive review (you wouldn’t turn around and bash someone who had just given you a free product, would you?). Another commonly used testimonial bait is to offer a free link back to the recipient’s website in return for their testimonial. Again, if you think you’re going to get a free link, you’re going to write them a damn positive testimonial.

In many cases the testimonial will simply be written by the website owner themselves and may use a “personal” portrait photo, usually sourced directly from iStock. This way they can write whatever they want about the product without the risk of having to put up a photo of some ugly mug customer, and they don’t even need to offer a link or a copy of the product.

1. I’ve made $535,677 from this unethically easy programme, just look at my paypal screenshots!!

The Pitch: The idea is to convey the fact that the product has led to the sales guy becoming so incredulously rich from his product that he falls asleep on a blanket made of 20 dollar bills, and that it takes him half an hour to scroll to the bottom of his PayPal incoming payments screen. This usually completely ignores the logical fact that if he were making this much money he wouldn’t need to sell the product in the first place.

The Scam: Once upon a recent time, virtually every sales page on the net had PayPal screenshots with either a month-by-month layout or a total-to-date shot. Due to the saturation of this technique, and the fact that you’d have to be a top notch idiot to believe they weren’t cooked up in Photoshop in 17.5 seconds, the PayPal screenshot is less common these days. But it is still out there, and it’s just as fabricated.

5 Most Expensive Things in Their Class

1. The Most Expensive Car

The most expensive commercially available car is the Bugatti Veyron, with a hefty price tag of $1.25 million USD. With all-wheel drive and a W-16 engine with 4 turbochargers, the Veyron clocks in at 1001 hp, hits 60 mph in 2.5 seconds and tops out at 253 mph in just 55 seconds. As such it’s not only the most expensive car in the world, but the fastest and most powerful too. Since it’s also 100% street legal you can also use it to go pick up your groceries. Though, due to the Veyron’s excessive consumption of fuel, you’ll probably spend more on getting there than you will on anything else.

2. The Most Expensive Pen

It looks like something you’d buy your aunt Jemima for Christmas, from the “Everything Else” category of e-Bay. Despite its strange appearance, the “Limited Edition Mystery Masterpiece” is actually worth a staggering $730,000 USD.

It was a joint creation between the Montblanc and Van Cleef & Arpels companies to celebrate their credentials in 2006, designed to show their expertise. Three versions exist: one set with rubies, one set with sapphires and one set with emeralds. Each pen contains 20 carats of the gemstone of choice as well as no less than 840 diamonds!

3. The Most Expensive Watch

The Swiss watchmaker Vacheron Constantin marked its 250th anniversary in 2005 with the “Tour de l’Ile, Vacheron Constantin” which weighs in with a price tag of $1.5 mil USD.

A limited edition, only 7 were ever made. Its complicated double face shows horological complications and astronomical indications making up a list of sixteen different features, including a minute repeater, sunset time, perpetual calendar, second time zone, a tourbillon device, the equation of time and a representation of the night sky.

4. The Most Expensive Chess Board

The Royal Diamond Chess is an exquisite chess board designed by Charles Hollander, made in 14 carat white gold and set with an astounding 9900 black and white diamonds. It was crafted by 30 artisans who spent more than 4500 hours completing it.

Several more astounding pictures are available on the website (www.charleshollandercollection.com) and are worth checking out.

5. The Most Expensive Domain Name

Business.com was resold in 1999 for $7.5 million USD and had a place in the Guinness Book of World Records until it was dethroned on January 19, 2006. At that point the three letter domain Sex.com took its place when it sold to Boston based company Escom LLC for $12 million USD (other sources report it was as much as $16 million). The former owner stated that he wanted out of the adult entertainment business and as such decided to sell it.

The Developers and Programmers Passwords 101

If you’ve ever designed a user registration script, a membership site or any script that creates or stores user passwords, there are some practices which every good developer should be aware of. While most small scale applications are not in danger of being targeted by anyone with malicious intent (simply due to the fact that they don’t have enough user accounts to make a blip on the radar), there is a point in the life of any good script whereby it becomes large enough that people can and will target your password list and security will become an issue. By implementing a few simple measures and understanding how password security is compromised you can limit the possibility of your password list being compromised and minimize the potential damage caused.

1. Hash & Salt

One of the most commonly committed cardinal sins of password storage is plain text, that is, storing passwords exactly as the user typed them. This is frightfully common and I even remember one shocking instance of a fairly popular web application storing password and username combinations in a .txt file. Storing passwords in plain text is not only lazy, it’s a huge security risk. The most common method of storing usernames and passwords is within a MySQL table via PHP. This article explains the fundamentals of password hashing in such a setup, how it works, why it works and how easy it is to implement.

But, in a nutshell, hashing is the process of running a one way algorithm over a user-supplied password so you can store it as a value which is useless by itself. Any potential hacker would also need to know your local hashing algorithm before they stood even a chance of brute forcing their way into that account. Furthermore, brute force and dictionary attacks can also be overcome by the simple salting method, whereby you generate a unique salt for each password locally and store it with the hashed password.

The article linked provides PHP code to hash, salt and store passwords in a secure manner and provides much more information than I could hope to.
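The per-user salt and one-way hash described above, as an added example that is not code from the post or the linked article. It shows the manual scheme (random salt stored beside a SHA-256 hash) next to PHP’s built-in password_hash(), which does the same job with bcrypt and keeps the salt inside the hash string; the column names salt and pass_hash are assumed.

```php
<?php
// Added example, not from the post: per-user salt + one-way hash, next to
// PHP's password_hash()/password_verify() which handle the salt for you.

// Manual scheme: 16 random bytes of salt, stored hex-encoded beside the hash.
function make_salt(): string {
    return bin2hex(random_bytes(16));          // 32 hex chars, unique per user
}

function salted_hash(string $password, string $salt): string {
    return hash('sha256', $salt . $password);  // the password itself is never stored
}

// hash_equals() compares in constant time, so response timing does not leak
// how many characters of the stored hash matched.
function check_manual(string $password, string $salt, string $stored): bool {
    return hash_equals($stored, salted_hash($password, $salt));
}

// Preferred today: bcrypt via password_hash(); the salt is generated for you
// and embedded in the returned string, so only one column is needed.
function store_modern(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT);
}

function check_modern(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Demo on a constructed user record (assumed column names: salt, pass_hash).
$salt = make_salt();
$row  = ['salt' => $salt, 'pass_hash' => salted_hash('Tr0ub4dor&3', $salt)];
var_dump(check_manual('Tr0ub4dor&3', $row['salt'], $row['pass_hash']));
var_dump(check_manual('password',    $row['salt'], $row['pass_hash']));

// Two users with the same password get different hashes because of the salt.
var_dump(salted_hash('Tr0ub4dor&3', make_salt()) === $row['pass_hash']);

$modern = store_modern('Tr0ub4dor&3');
var_dump(check_modern('Tr0ub4dor&3', $modern));
```

A plain salted SHA-256 is fast to compute, which helps an attacker who has obtained the table; bcrypt is deliberately slow, which is why password_hash() is the better default for new code.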

2. Passwords Will Be As Secure As You Require Them To Be

People are like lightning; they take the path of least resistance. In the realm of passwords, this means people will gravitate towards the shortest and easiest to remember option. In short, if you have no restriction on the number or types of characters allowed in your passwords, you will end up with passwords like ‘abc’, ’123′, ‘password’ and ‘secret’. This is not an exaggeration for dramatic effect; people will actually choose and use these types of passwords.

By enforcing some, if not all, of the restrictions below you can ensure the security of your password list will greatly increase:

Minimum character length. Require at least 8 characters. It is generally accepted and confirmed that 8 characters is the minimum required to generate a secure password. You may be scared to enforce long passwords in the fear that people will simply not sign up, but this is a misguided fear. If someone wants to sign up for your site the password field requiring an extra 2 characters on top of their existing password is an unlikely deterrent.

Other password enforcement policies should include:

  • Password must contain characters and numbers.
  • Password must contain uppercase and lowercase characters.
  • Password must contain at least 1 symbol (outwith a-Z 0-9).
  • Password must not be based on a dictionary word.

The Password Meter is an excellent resource to test the strength of a password while having a look at how it’s being analyzed. The script is free to download for use with your own applications. While there are pros and cons of making password strength a requirement, there is absolutely no reason not to show strength to the user in a system like this.

As a side note, never require passwords to be too strong. An 8 character password that someone remembers is much more secure than a 16 character password which has to be written down or saved on a desktop (and is therefore susceptible to being hijacked).
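The restrictions listed above turned into one server-side check, as an added example that is not code from the post or from The Password Meter. It returns every reason a password was rejected so the sign-up form can show them all at once; the dictionary is a small constructed list standing in for a real word list.

```php
<?php
// Added example, not from the post: apply the password restrictions listed
// above and report every failing rule. COMMON_WORDS is a constructed stand-in
// for a real dictionary file.

const COMMON_WORDS = ['password', 'secret', 'letmein', 'welcome', 'qwerty'];

function password_problems(string $password): array {
    $problems = [];
    if (strlen($password) < 8) {
        $problems[] = 'must be at least 8 characters';
    }
    if (!preg_match('/[A-Za-z]/', $password) || !preg_match('/[0-9]/', $password)) {
        $problems[] = 'must contain both letters and numbers';
    }
    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password)) {
        $problems[] = 'must contain both uppercase and lowercase letters';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $problems[] = 'must contain at least one symbol';
    }
    // Strip digits and symbols first so "Password1!" is still caught as a
    // dictionary word with decoration bolted on.
    $core = strtolower(preg_replace('/[^A-Za-z]/', '', $password));
    if ($core !== '' && in_array($core, COMMON_WORDS, true)) {
        $problems[] = 'must not be based on a dictionary word';
    }
    return $problems;   // empty array means the password is acceptable
}

// Constructed inputs, including the examples from the post.
foreach (['abc', '123', 'password', 'secret', 'Password1!', 'Tr0ub4dor&3'] as $candidate) {
    $problems = password_problems($candidate);
    printf("%-12s %s\n", $candidate, $problems ? implode('; ', $problems) : 'accepted');
}
```

Run the same check again server-side even if JavaScript validates the form, since anything done only in the browser can be skipped.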

3. Retrieval/Reset Mechanisms

Password retrieval is the part of password management which, in the field, most commonly has vulnerabilities and programmer-induced pitfalls. The most common mistake made, bar none, is to send out the user’s current password upon request. I.e. the user forgets their password, clicks the ‘forgotten password’ link and enters their email. The script sends out a copy of their password via email and they get access to their account again. The problem here lies in the fact that hashing is one way. If you store the user’s password as a hashed value there is no way to send out a plain text version.

Therefore, any site or service you are registered with which sends you a copy of your existing password upon request is not maintaining your password securely. This is a useful tip to know, especially if you are using the same password on more than one site.

Instead, when someone clicks ‘forgot password’ and enters their email, the savvy programmer will have his script generate a new password, send it to the specified email, then store it in his database using hash & salt. This means the user will need to take the extra step of changing their password to something memorable again, but vastly improves the security of your password system and keeps the user safe.
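The ‘forgot password’ flow just described, as an added example that is not code from the post. The user table and the mailer are constructed stand-ins so the script runs on its own; only their names are assumed.

```php
<?php
// Added example, not from the post: generate a new random password, store
// only its hash, and email the plain copy to the address on file.

const RESET_CHARS = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789';

$users = [  // constructed user table: email => [id, pass_hash]
    'mrs.bloggs@example.com' => ['id' => 7, 'pass_hash' => password_hash('OldPassw0rd!', PASSWORD_BCRYPT)],
];

// random_int() is a CSPRNG; rand()/mt_rand() would make temporary passwords
// predictable. Look-alike characters (0/O, 1/l/I) are left out of the set.
function temporary_password(int $length = 12): string {
    $out = '';
    $max = strlen(RESET_CHARS) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= RESET_CHARS[random_int(0, $max)];
    }
    return $out;
}

function send_mail(string $to, string $subject, string $body): void {
    echo "mail to $to: $subject\n$body\n";   // constructed stand-in for mail()
}

function handle_forgot_password(string $email): void {
    global $users;
    if (isset($users[$email])) {
        $temp = temporary_password();
        // Only the hash is kept; the plain temporary password exists in the email alone.
        $users[$email]['pass_hash'] = password_hash($temp, PASSWORD_BCRYPT);
        send_mail($email, 'Your temporary password',
                  "Temporary password: $temp\nPlease change it once you have logged in.");
    }
    // Same reply whether or not the address exists, so the form does not
    // reveal which addresses are registered.
    echo "If that address is registered, a new password has been emailed.\n";
}

handle_forgot_password('mrs.bloggs@example.com');
handle_forgot_password('nobody@example.com');
```

Because the temporary password travels in clear text over email, the common alternative today is a single-use, expiring reset link; the block above follows the post’s flow.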

4. Lockout Mechanism

An important but often overlooked part of maintaining a secure password system is having a lockout mechanism. This is a system whereby someone can report their account as hijacked or compromised which, upon review, will be temporarily locked. This prevents compromised accounts being used for malicious purposes. For example, if someone gets access to Mrs Bloggs’ account, logs in as her and sends a message to Mr Bloggs asking for his email password or bank account details so she can “make a payment to the Jones’ next door” (better thought out ruses involving other personal info have been used successfully in the field). It’s uncommon, but it does happen, and having a lockout mechanism limits the damage caused and protects your users from each other.

An additional lockout mechanism which virtually negates the possibility of brute force attacks is password lockout. Include a simple script to count login attempts. If there are more than 3 failed login attempts, per minute for example, then lockout login attempts for that account for an hour. This makes it very unlikely for dictionary or brute force attacks to succeed and/or go unnoticed.
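The failed-login counter described above, as an added example that is not code from the post. It uses the post’s thresholds (more than 3 failures within a minute locks the account for an hour); state is kept in arrays here, where a real application would use a table keyed by account.

```php
<?php
// Added example, not from the post: per-account login lockout. More than
// MAX_FAILURES failed attempts inside WINDOW_SECS locks the account for LOCK_SECS.
const MAX_FAILURES = 3;
const WINDOW_SECS  = 60;
const LOCK_SECS    = 3600;

$failures = [];   // username => timestamps of recent failed attempts
$locked   = [];   // username => unix time at which the lock expires

function is_locked(string $user, int $now): bool {
    global $locked;
    return isset($locked[$user]) && $locked[$user] > $now;
}

function record_failure(string $user, int $now): void {
    global $failures, $locked;
    // Sliding window: drop failures older than a minute, then add this one.
    $recent = array_filter($failures[$user] ?? [], fn($t) => $t > $now - WINDOW_SECS);
    $recent[] = $now;
    $failures[$user] = array_values($recent);
    if (count($recent) > MAX_FAILURES) {
        $locked[$user]   = $now + LOCK_SECS;
        $failures[$user] = [];
        error_log("account $user locked until " . date('c', $locked[$user]));  // for detection
    }
}

function try_login(string $user, string $password, string $stored_hash, int $now): string {
    global $failures;
    if (is_locked($user, $now)) {
        return 'locked';                 // refuse before checking the password at all
    }
    if (password_verify($password, $stored_hash)) {
        unset($failures[$user]);         // a good login clears the counter
        return 'ok';
    }
    record_failure($user, $now);
    return 'bad password';
}

// Constructed run: four wrong guesses in four seconds, the right password while
// still locked, then the right password after the lock has expired.
$hash = password_hash('Tr0ub4dor&3', PASSWORD_BCRYPT);
$t0   = time();
foreach (['a', 'b', 'c', 'd'] as $i => $guess) {
    echo try_login('bloggs', $guess, $hash, $t0 + $i), "\n";
}
echo try_login('bloggs', 'Tr0ub4dor&3', $hash, $t0 + 10), "\n";
echo try_login('bloggs', 'Tr0ub4dor&3', $hash, $t0 + LOCK_SECS + 1), "\n";
```

A per-account lock can be triggered on purpose to keep the real owner out, so log every lockout and consider limiting by client IP as well.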

Passwords are as secure as you require them to be.

Bash.org Clone PHP Script for IRC Quotes

Having had a few hours free last night and being part of a rather quirky IRC server I decided to code up a clone of Bash.org’s quote database system. My script replicates and clones bash.org almost entirely and has the following features:

  • Stores an almost infinite number of quotes or comments.
  • Allows users to rate comments up or down and has minimal duplicate voting protection.
  • Optional captcha system on ‘add a quote’ page.
  • Search, Random, Browse & Other Bash.org features.
  • Admin/moderation option to delete quotes.

The script is also surprisingly simple and is all contained within one file. After running the SQL within that file you can drag and drop it into anywhere on your server and it will work immediately.

You can see a demo of it in action here (be warned: this section of the site is NOT safe for work and contains offensive material).

You can download the IRC quotes database script here. To install simply run the SQL statements within the php file in MySQL, edit the settings and upload. It’s extremely simple to setup and use and you can customize the look, feel and layout all from the .php file.

If you use this script on your site please let me know and I’ll put up a link to you here or leave a comment with your URL. Feel free to remove the ‘powered by’ but if you do, please consider making a small donation to make it worth my while.

PHP Jokes and Puns

For no specific reason whatsoever, here is a collection of PHP jokes and puns. Most of them are terrible.

Q: Why do PHP programmers dislike ASP programmers?
A: ASP programmers only write basic code.

<?php
if($girl['looks'] == "hot"){
    if($beer == "cold"){
        $life = "Sorted!";
    }elseif(function_exists($girl_get_beer) == true){
        if(msg_send ($girl['job_que'], 1, 'Get me a beer out of the fridge!') === false){
            $life = "Get a new girl!";
        }
    }else{
        array_push($girl['functions'], 'get_beer');
    }
}else{
    $life = "Get a new girl!";
}
echo $life;
?>

Q: Why is PHP Freddy Krueger’s language of choice?
A: addslashes();

What did the PHP script say to the server?
Pass me a bottle of water, I’m parsed.

<?php
if(crack_check($woman, $dirty)) { ob_clean(); link("/home/me", "home/her"); }
?>

Yo mamma so easy, PHP developers confuse her with Ruby on Rails.
Your momma so fat I called her and got a stack overflow.
Your momma’s so fat, she needs preg_replace() just to make her fit in a page.