Archive for November, 2005

Dilbert on Agile Programming

Comments off

PMBA: Influence - The Psychology of Persuasion

Here's the first in what I hope will be a long series of mini-book-reviews of books I'm reading from the Personal MBA list.

Influence: The Psychology of Persuasion

Many "persuasion" books teach manipulation: here's how to make people do what you want them to do. Cialdini takes the opposite approach. As a self-described gullible consumer (in spite of being a psych professor), Cialdini explores how "compliance practitioners" use the "weapons of influence" against people like him. After identifying each major tool, he teaches defensive techniques. Cialdini doesn't pontificate. He's one of us and falls for the same things we do.

This book was a quick and entertaining read. Here are a few of the topics covered:

  • Reciprocation - why fundraisers send gifts, like address labels printed with your name: accepting one predisposes you to return the favor with a donation
  • Commitment and Consistency - why fraternities haze, and why we'll do anything to reinforce a decision we've already made
  • Social Proof - why so much of what we do is influenced by those around us. The suicide trends data reminds me of a similar chapter in Malcolm Gladwell's The Tipping Point
  • Liking - how we're more likely to be influenced by people we like
  • Authority - why we do things authorities tell us to do
  • Scarcity - how your gym gets you to sign up today by making great offers that expire if you don't sign on the spot

I'd recommend this book to just about anyone, not just people interested in the PMBA program. It will definitely remind you of times that you've fallen for the tricks of master persuaders. I bought my first suit this year (not bad, I made it to 32 before buying a suit). Now I know why it was so easy for the salesman to sell me shoes, a shirt, a tie, a belt, etc after I'd already committed to buy the suit. By contrast, the accessories seemed like little purchases next to the high-priced suit.

If you like this topic, here are a few related books on my shelf that I'd also recommend:


Comments off

Gmail Spam Blocker is 13337

Gmail's 1337 spam blocker has been working overtime for me.

In case my mom reads this (from Urban Dictionary):

Pronounced "Leet", short for "Elite". The original phrase was 31337, or "Elite", referring to the best hackers. It is still used today by some of the good hackers, but the word has been picked up and overused by so many losers and posers that its meaning has been corrupted.


Comments off

Starbucks and Anarchy


Is it just me, or does the "A" on my Americano cup from Starbucks this morning look like the international symbol for anarchy? Is this a secret code telling me that the revolution starts today? Hmmm....

Guess I need more adventure in my life.


Comments off

Starting My Personal MBA

I'm an entrepreneur with no formal business training. Over the years I've dabbled with the idea of getting an MBA, but I can't justify the time and cost at this stage in my life. I've made up for my lack of training with lots of reading, so I was intrigued when Seth Godin started recommending actual experience combined with a dedicated reading of 30 or 40 books instead of an MBA.

Out of Seth's post sprang the PersonalMBA program. PMBA is a list of 42 books and periodicals designed to help readers "master business without spending a fortune."

So, I've decided to work my way through the list. I haven't set a time limit (though I'm estimating about 18 months) because I want the flexibility to spend as much time as I need to on any given book. I also plan to get as many resources as possible through my local library system and I'm sure I'll buy any books worth keeping.

I've already read a number of books on the list so I'll come back to those later. For now, I'll be starting with the books from the writing, accounting, finance and economics sections as they should be the most relevant to my current business and non-profit endeavors.

Related Links:


Comments (3)

Dribble-Proof Your Starbucks Cup

Has this ever happened to you? You grab a coffee from Starbucks on your way to a client meeting, take a sip, and coffee dribbles down the front of your shirt. Doh!

Paper coffee cups from Starbucks have a fundamental design flaw that causes unnecessary drippage. When the vertical cup seam is lined up near the sipping hole in the lid, coffee collects under the lid at the seam and invariably drips on your shirt. To avoid sloppy-coffee-shirt syndrome, make sure the lid hole is on the opposite side from the cup's seam.

Related: Mean Time Between Failures of a Starbucks Cup


Comments (2)

Ordered My Aardvark Video

This summer, the interns at FogCreek Software built and shipped Project Aardvark, now known as CoPilot, a service that makes it easy for one person to control another's computer. A documentary about the process will soon be available; they're taking pre-orders now. Buying this video is a no-brainer for anyone with any interest in the software business: it's only $19.95 with free shipping. Anyone else amazed that this DVD is only $20?

Comments (2)

Designing An Insecure Protocol

Here's a little story that demonstrates how easy it is to create an insecure system when you try to roll your own security protocol.

ScamAlarm users can report fraudulent web sites using a form on our corporate web site. We decided to use a captcha on this form to defend against "bots" submitting zillions of sites into the system. A captcha is one of those slightly annoying graphics with slanty words/numbers that you find on many web forms, most commonly on forms where users can sign up for free accounts. Here's a sample captcha from the Hotmail signup form:

Sample Captcha

From a coding point-of-view, here's how most captcha implementations work:

  1. Use a random number generator to create a phrase to display to the user
  2. Save that phrase in the user's web session. Give the user a cookie that allows you to find their session on your server.
  3. Show the user a form to display this captcha and receive data. The form has an image tag with a src like this: captcha.php
  4. Inside the image generator (captcha.php), lookup the phrase in the user's session and generate the appropriate captcha image
  5. Validate the typed phrase against the phrase stored in user's session

This process is straightforward and secure, because the phrase is stored in plain text only on the server, in the user's session (provided the stored phrase is cleared once it has been checked, so a single solved captcha can't be reused). However, this approach requires sessions, and sessions generally require cookies to track users (yes, you could do URL-based sessions, but that's overkill in many cases). I'm not super-paranoid about cookies, but I don't like to use them unless they are really necessary.

Thinking that it would be nice to avoid using cookies for our captchas (we don't need them for any other purpose on the site) I started to design a cookie-less captcha protocol. If the protocol works, we'll implement it. Here's what I came up with:

  1. Create a secret that's only available in server-side code to the form processor and the image generator
  2. Generate a unique random number each time we display the form - the seed
  3. Create the captcha phrase as the first 6 characters of the sha1 hash of our secret + seed.
  4. Show the form to the user. Include a hidden form field with the seed value. The form has an image tag with a source like this:
    captcha.php?seed=3284a348dea9d9213
  5. Inside the image generator (captcha.php), generate the phrase to display (the sha1 hash of secret + seed); the seed comes in as a URL parameter.
  6. Validate the typed phrase against the actual phrase (the hash of secret + seed), with the seed coming from the hidden form field.

At this point I'm pretty proud of myself. I've designed an elegant new captcha protocol that defends against the bot threat. The bots can't figure out what phrases we're going to display because the secret is unavailable to them: it's on the server, in code. No secret, no threat, right?

Stop right there. Do you see the problem with this protocol? Here's a hint: the new protocol never checks that a seed has been used only once as the source of a captcha image. The same seed always generates the same captcha image. In theory only a human can read the phrase embedded in the image, but that only has to happen once. We're now vulnerable to a replay attack. The bot programmer could simply load the form once, write down the phrase and its seed, and then program the bot to submit zillions of URLs, each accompanied by that one seed + phrase combo. The new protocol would have given us no protection whatsoever. Doh!

The moral of the story: it's easy to create insecure protocols using cool cryptography functions. Stick with established protocols. We decided to use cookie-based sessions. We could have kept a database of issued seed values and allowed each one to be used only once, but cookie-based sessions were simpler to implement and just as effective.
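As an added worked example (not the post's own code, which was PHP; this is Python written for this page), here are both designs from the post side by side: the stateless verifier that computes the phrase as the first 6 hex characters of sha1(secret + seed), a simulated bot that solves one captcha by hand and replays it, and the fix mentioned above, a server-side store of issued seeds in which each seed can be redeemed once. The secret value, the 16-hex-character seed, the 10-minute expiry, the injectable clock and the `SingleUseSeedStore` name are all assumptions for this example, not details from the post.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: the secret lives only in server-side code, never in a form field or URL.
SERVER_SECRET = b"replace-me-with-a-long-random-value"


def phrase_for_seed(seed: str, secret: bytes = SERVER_SECRET) -> str:
    """Captcha phrase as described in the post: first 6 hex chars of sha1(secret + seed)."""
    return hashlib.sha1(secret + seed.encode("utf-8")).hexdigest()[:6]


def new_seed() -> str:
    """Fresh random seed; 16 hex characters is an assumed size, not from the post."""
    return secrets.token_hex(8)


def phrase_matches(seed: str, typed: str) -> bool:
    """Constant-time comparison of the recomputed phrase with what the user typed."""
    expected = phrase_for_seed(seed).encode("ascii")
    return hmac.compare_digest(expected, typed.encode("utf-8"))


def verify_stateless(seed: str, typed: str) -> bool:
    """The flawed cookie-less design: recompute the phrase from the seed in the hidden
    form field and compare. Nothing records that this seed was ever used before."""
    return phrase_matches(seed, typed)


class SingleUseSeedStore:
    """The fix the post mentions: a server-side record of issued seeds, each of which
    may be redeemed once. Entries expire so the table does not grow without bound
    (the TTL and the injectable clock are assumptions made for this example)."""

    def __init__(self, ttl_seconds: int = 600, now=time.time):
        self._issued = {}          # seed -> time it was issued
        self._ttl = ttl_seconds
        self._now = now

    def issue(self) -> str:
        """Called when the form is rendered; the returned seed goes in the hidden field."""
        self._purge()
        seed = new_seed()
        self._issued[seed] = self._now()
        return seed

    def redeem(self, seed: str, typed: str) -> bool:
        """Called by the form processor. The seed is consumed before the phrase is
        compared, so a wrong answer also burns it: that defeats replay and stops a
        bot from guessing the 6-hex-char phrase online against one fixed seed."""
        self._purge()
        if self._issued.pop(seed, None) is None:
            return False           # never issued, expired, or already used
        return phrase_matches(seed, typed)

    def _purge(self) -> None:
        cutoff = self._now() - self._ttl
        for stale in [s for s, t in self._issued.items() if t < cutoff]:
            del self._issued[stale]


def replay_demo(attempts: int = 1000) -> tuple:
    """Simulate the post's attacker: read one captcha image by hand, then submit the
    same seed + phrase `attempts` times. Returns (submissions accepted by the
    stateless verifier, submissions accepted by the single-use store)."""
    seed = new_seed()
    solved = phrase_for_seed(seed)            # the one human-solved captcha
    stateless_hits = sum(verify_stateless(seed, solved) for _ in range(attempts))

    store = SingleUseSeedStore()
    seed2 = store.issue()
    solved2 = phrase_for_seed(seed2)
    single_use_hits = sum(store.redeem(seed2, solved2) for _ in range(attempts))
    return stateless_hits, single_use_hits


if __name__ == "__main__":
    print("accepted (stateless, single-use):", replay_demo())   # (1000, 1)
```

`redeem` pops the seed before comparing, so a single wrong guess burns the seed along with any later replay of the correct phrase; that is deliberate, since a 6-hex-character phrase is only 24 bits and would otherwise be guessable online. The keyed hash mirrors the post's sha1(secret + seed) construction; in new code an HMAC (for example HMAC-SHA256) is the conventional way to key a hash.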


Comments off