More Facebook App Spam – Who Always Views My Profile sfapp

Update: I think Facebook are onto this; luckystar_profile is just one app that is doing this (I’ve now seen many more), and all have been removed by Facebook. Unfortunately, the spam photo albums are still everywhere.

Yesterday afternoon, I received a Facebook notification from a friend I haven’t seen for about 6 months. It said she’s tagged me in a photo album, called “Who is checking my profile? – Mar 14 2010 07:54”. This struck me as pretty weird – since I hadn’t seen this friend for a while, I didn’t think there was much chance I could have been tagged in a photo recently. I checked the email was really from Facebook – it was – and the message also appeared in my new notifications within the Facebook system, so it wasn’t a case of sneaky phishing.

The original tag notification email, showing a very weird album name

The weird thing is, the very same minute that I got this bogus notification about being tagged in a picture, I got a notification that this same friend had commented on a picture of mine, with a really suss-looking link.

The spam link that accompanied being tagged by the sfapp

I sent a message to my friend telling her I thought her Facebook account had been hacked; she got back to me to tell me she’d changed her password as a precaution, and I thought nothing more of it – the internet is full of nasties that try and steal your identity and access.

Then, over 24 hours later, I logged into Facebook and saw something much more widespread and concerning.

Tonight I went look for a photo I’d uploaded a week or so ago, and I clicked on the “Photos” icon on the left hand navigation. What I saw stunned me – many of my friends all had a very similar most recent album. 11 out of the 20 photo albums displayed – 55% – were showing this spam/phishing application’s calling card as their default picture/most recent album.

All of the red squares show a friend who's been hit with this Facebook spam app, or sfapp

Looking more closely, all of these albums were from an sfapp (Spam Facebook App) called “luckystar_profile” (

I’m not sure yet how it works – and don’t dare install the application in case it then screws with all of my photos and tries to get my friends to install something malicious – but in any case, it is clearly another example of Facebook’s Apps support ruining the user’s experience.

Facebook, the answer is very straightforward.

Remove all apps from your platform.

If you’re not prepared to do this, then at least stop apps from sending messages, creating notifications, or messing with users’ data like photo albums.

If people want to have a farm or raise virtual fish, knock yourselves out – just don’t let any application write to anything in a user’s Facebook account.

Clearly app developers can’t be trusted, and this sort of crap is going to drive users away to the next big thing – the same way auto-loaded crap music drove people from MySpace to your service.

Google's OAuth Pain: Token invalid – AuthSub token has wrong scope

While I’d been meaning to play with Google’s applications – and integrating them with our own Affinity – for some time, the launch of the Marketplace pushed this experimentation up the priority list.

After spending a fair bit of time hacking on a Sunday, I’d managed to re-purpose our OAuth platform to play nicely with Google, including their need to have the scope variable passed as a part of the token request process.

Regardless, I’d gotten really frustrated with a persistent error. While the cause is now really obvious, I missed it and it cost me a few hours and a lot of frustration, so hopefully this post will help someone else trying to solve the same problem in the future.

After correctly getting my token and secret for a specific user – and asking for quite a few scope options – I was still getting the error “Token invalid – AuthSub token has wrong scope” when I tried to access a document list via OAuth.

While this error talks about AuthSub, I’ve now discovered it is really a generic error message, and applies to any case where the scope of access doesn’t match what you’re asking for, whether it is OAuth or AuthSub. This confusing error message had me off the scent for a while as I started to wonder whether OAuth was supported as widely as I had expected, whether there was a difference between paid and free accounts, and so on…

The problem in my case is that I’d requested a scope to, but using the example code at Google’s Documents Developer Guide I was then going on to interrogate

To make matters worse, even when you explicitly ask for https based feed scopes, Google doesn’t even show them to the user. Seems like in some cases, Google thinks the http vs https distinction doesn’t matter, but when it does care about it, it doesn’t give you an error message that’s any use at all.

Google can't make up its mind whether https and http are interchangeable in a scope: each of these scope requests was made with an https prefix.

Unfortunately, Google’s own access summary interface doesn’t clarify which versions of the domains are http, and which ones are https.

So, in summary, if you’re getting a “Token Invalid – AuthSub token has wrong scope” error when you’re trying to use OAuth (or even AuthSub for that matter?), make sure the scope you’re requesting is using the same protocol as you’re using – http vs https makes a very big difference.
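The mismatch described above is easy to catch client-side before a request goes out. The following is an added example (not Google's code, nor the post author's): a strict scope checker that compares scheme, host and path prefix, and reports a scheme mismatch explicitly so an http feed URL requested against an https scope is named as the cause rather than surfacing as a generic "wrong scope" error. The hostnames and paths are constructed placeholders, since the actual scope URLs were stripped from the page.

```python
from urllib.parse import urlsplit


def check_scope(request_url, granted_scopes):
    """Return (covered, reason) for request_url against the granted scope URLs.

    Comparison is strict on scheme, host and path prefix. A scope granted for
    https://host/feeds/ therefore does not cover http://host/feeds/..., which
    is the http-vs-https mismatch behind the "wrong scope" error discussed above.
    Host and path are checked first so that, when only the protocol differs,
    the reason reported is the scheme mismatch rather than a vaguer failure.
    """
    req = urlsplit(request_url)
    req_path = req.path.rstrip("/") + "/"
    best_reason = "no scope matches host"
    for scope in granted_scopes:
        sc = urlsplit(scope)
        if req.netloc.lower() != sc.netloc.lower():
            continue  # different host entirely; try the next scope
        scope_path = sc.path.rstrip("/") + "/"
        if not req_path.startswith(scope_path):
            best_reason = "path %s not under scope path %s" % (req.path, sc.path)
            continue
        if req.scheme != sc.scheme:
            # Host and path line up; only the protocol differs.
            best_reason = "scheme mismatch: request uses %s, scope granted for %s" % (
                req.scheme, sc.scheme)
            continue
        return True, "covered by " + scope
    return False, best_reason


# Constructed sample scope: a placeholder host standing in for the document
# feed scope the post requested (the real URL is not on the page).
GRANTED = ["https://docs.example.com/feeds/"]

if __name__ == "__main__":
    for url in ("https://docs.example.com/feeds/documents/private/full",
                "http://docs.example.com/feeds/documents/private/full"):
        print(url, "->", check_scope(url, GRANTED))
```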

A primer for SMEs who want to work with Defence

This week, ICT Illawarra hosted Air Commodore Anker Brodersen, Director General Defence Preparedness, and his colleague, Rick Souness, who runs the Defence Materiel Office’s (DMO) Business Access Office, as they ran a half day workshop and a follow up day and a half of one on one interviews for Illawarra based technology companies.

For half a day on Monday morning, Anker and Rick presented to a few dozen businesspeople – representing a wide range of small and medium businesses in the general technology space – taking us through what Defence is doing at the moment, and how we can take advantage of the opportunities large changes in big organisations always bring. In terms of Defence, the changes surrounding Anker’s work are massive – through around 15 distinct programs happening throughout Defence, they’re working to save $20 billion over the next 10 years. This requirement is baked into their forward funding arrangements – it isn’t aspiration, but very, very real.

Anker spoke first, giving the audience an overview of the wider Defence organisation. There were more acronyms than you could poke a stick at, but the main take-away I took on board was that there are two main parts to Defence and its expenditure – the big capital expenditure part which eats up lots of billions of dollars over a long period, and then the operational expenditure on personnel, training and deployment issues (abbreviated as POC).

While thinking about Defence spending leads people to naturally think about capital acquisitions, the big ticket military hardware stuff – especially when things don’t work out so well, like with recent investments in submarines and helicopters – around half of the money spent on Defence each year goes into running the organisation and executing missions, whether training, humanitarian or combat related. While a lot of Defence’s capital expenditure is run through large, multinational ‘Prime Contractors’, other operational requirements for Defence provide more of a realistic opportunity for domestic firms, including SMEs.

In addition to painting a big picture of “what does Defence spend money on”, Anker also provided a great insight into why they spend money; the rationale and things that drive Defence, and specifically why they’re different to almost everywhere else. Defence is a ‘command’ or planned economic system. It doesn’t have competitors – there’s only one Army in Australia, and they don’t tender for the work in a competitive process. The fact taxpayers are expecting people to risk their lives also creates an interesting dynamic to whether something is “necessary”. And finally, while Defence has been able to successfully increase their efficiency through contracting services to the private sector, it isn’t possible for the organisation to contract away risk (and responsibility): while the Australian Submarine Corporation built the Collins Class submarine, it is the Defence Department that has to answer to the Australian people when things go wrong.

These factors mean Defence is looking for different types of ROI compared with the private sector.

For example, when Qantas buys a jet, they maximise their ROI by keeping the plane in the air and as full of paying passengers as they can, earning as much money as they can to cover their monthly lease finance payments on the jet. The plane is well maintained and operated safely, but within these parameters, they fly the crap out of it until it gets to the end of its useful life, and then they sell it or give it back to the finance company.

Defence, on the other hand, buys F-111s, for example, and has a target service age. The equipment gets regular refits to keep its technology up to date, but the airframes will be kept in service for decades and decades – the priority is to maintain the required level of readiness and to maximise ROI by keeping the platform operable for as long as possible.

Anker answered a lot of questions from the floor and gave us some frank insights into the changes Defence is going through, and also undertook to look into a few specific issues raised by some of the companies in the room more experienced with working with Defence.

After a coffee break, Rick then took to the stage and basically explained how he and his team are the ideal first point of contact for SMEs, particularly if they’ve got a product or service that they think would be of benefit to Defence. He covered the various programs and activities that his office either manages or channels enquiries through. The main highlights were:

  • The Business Access Office (BAO) themselves, the first port of call for most SMEs wanting to do business with Defence: They’ve got offices in every Capital city, and a 1800 phone number you can call.
  • There is a Defence + Industry website, where businesses can register, set up a capabilities profile, and get alerts about opportunities in Defence. This also helps people within Defence find your business/product/services.
  • The Unsolicited Promotional Product Offers (UPPO) Scheme, which is administered through the BAO, and which represents a good opportunity for companies to pitch their offerings to Defence. The process is that you get in touch with the BAO, pitch (not sure how), you’ll either tell them who within Defence is your target, or they’ll help you work it out, you then pitch to the unit of Defence who would be your customer, and then they decide whether they don’t want it (now), they want it and will need to go out to (a select) Tender, or they’re prepared to go into negotiation with you and buy it directly.
  • The Unsolicited Innovation Proposals. Like inventions that aren’t COTS type products, which you think might have a defence application. It goes through the DSTO. More info at

Rick also covered a bunch of other things and answered questions, before the questions got more specific, then it became an Anker and Rick show with each of them taking the specific questions as they best know.

In short, while Defence is a big organisation, there are doors that are open to your offers and solicitation. Your mileage will vary depending on whether a section of Defence has a need for what you’re trying to sell, and you’ll need to have a lot of patience no matter what (you’re dealing with a very big government department after all), but the fact Defence has big wide open doors (admittedly with high hurdles and no certainty you’ll be successful) was news to me.

In networking over lunch, I was told by more experienced SMEs that having good, professional but not pushy relationships with prime contractors was also an important way of doing business with Defence: while SMEs might like to think they deserve the opportunity to contract directly with Defence for what they do, the size and complexity of an organisation whose mission spans the globe, and which employs over 100,000 people, often in very demanding circumstances, means Defence needs to focus its efforts on working closely with fewer contractors than the tens of thousands of SMEs who could be helping them fulfil their mission. From an SME’s perspective, it isn’t nice, but it makes sense, and the tip I got was that if you do good work through a prime, they’ll keep getting you back in again and again and again and again.

A big thanks to Anker and Rick for taking the time to come to Wollongong, and for not only speaking to us, but speaking with us: Anker and Rick both then did a day worth of one on one interviews with many of the businesses in the room, an opportunity I really appreciated them taking the time to make available.

Aussie gets acquired

A couple of good friends of mine, two of the warmest and most giving people in the Australian startup community got a big wet kiss – and a big cheque – after their startup,, was acquired by Los Angeles based Internet Brands overnight.

Founded by the necessity of globe-trotting lovers needing to sort out visa issues to stay together (one a Dutchman, the other a girl from Atlanta), allows people from all over the world to find deals – usually through digital coupons and promotional codes – which save them money.

In the midst of a pretty massive global recession, Tjoos managed to grow at more than 150% in the last year. Obviously, this kind of success and the strong cash generated by their transaction based traffic led to a very compelling offer from Internet Brands. The details are confidential, but suffice to say Bart and Kim don’t need to work another day in their lives if they don’t want to.

Bart and Kim have contributed so much to the Australian Startup Community over these last few years. They’ve been the energy behind, as founding members of Silicon Beach Australia, and their sweat, tears and sleep deprivation have brought numerous Startup Camps to reality around Australia (along with Brian Menzies and many other supporters).

Outside the hard work and innovation in a competitive market to build a successful business, they deserve this on a ‘karma’ level more than almost anyone else I can think of in our community. They give so much, and it is great to see them get back their generosity, with interest.

I’m really, really happy for Bart and Kim, and you can be sure of one thing: their success is only going to speed up their contributions to building a greater startup community here in Australia, something Bart has been so strong in over the last few years that he was awarded Startup Person of the Year by Technation.

Congratulations Bart and Kim!

Another reason Apple is the Evil Fruit

While I’m sure the details will wash through over time, this story about Apple suing phone manufacturer HTC for Patent infringement really, really stinks.

Compared to HTC, Apple is the new kid on the block.

HTC has been manufacturing smartphones for longer than almost anybody. They were one of the key original manufacturers of Windows Mobile phones, all the way back to the WindowsCE days (I think), and I’ve used their products as my primary phone (running Windows) since around 2003. I switched to one of their Android devices in late 2009, and have been really happy with it.

But now I read that Apple are trying to get HTC banned from importing their product (HTC is a Taiwanese company, whereas Apple is American but gets all their products made off-shore), because HTC are infringing Apple’s patents.

While the details are still a bit murky, it really stinks to high heaven that Apple, who Nokia alleges are ripping off a bunch of their mobile phone related patents, are going after HTC like this. I really hope that HTC have their own patent portfolio, or can join with Microsoft (who have been designing smartphones with for over a decade) to sue the crap out of Apple – who are showing more and more every day that they’re truly the evil fruit.

Update: via, this statement from HTC:

“HTC is a mobile technology innovator and patent holder that has been very focused over the past 13 years on creating many of the most innovative smartphones. HTC values patent rights and their enforcement but is also committed to defending its own technology innovations. HTC only learned of Apple’s actions this morning via media reports, and therefore we have not yet had the opportunity to investigate the filings. Until we have had this opportunity, we are unable to comment on the validity of the claims being made against HTC.”

I’d really love to see Apple get a bloody nose in all of this.

#leanstartup Sydney Launches

Tonight I was lucky enough to meet Eric Ries, the founder/leader of the Lean Startup movement.

Eric came to Sydney after being coaxed to this side of the Pacific by our ever resourceful and impressive friends, the Kiwis, for Webstock, and Mick Liubinskas and Michelle Williams did a cracking job in putting together an event at very short notice at Bar 333.

Mick managed to get a recording of (most – he missed Eric’s attempt at g’day at the start) of the presentation on his Flip – hopefully he’ll be able to get it up online soon. While the content itself wasn’t exceptionally different to the stuff we’ve come to love about the #leanstartup concepts, the passionate delivery by a man with a fading voice who’s been speaking for 10 straight days in a place he wasn’t sure gravity would apply to was awesome.

Also took the opportunity to bring Hugh along for the trip, and I’m looking forward to implementing the lean principles more diligently than ever. And the six circles and the feedback loop was something I’ve either missed before, or never appreciated as fully as I should have – it is the core of the Lean Startup (will try and find that slide/image and insert it when I’m not on the train).

If you want to be in the loop for the next meetup on April 13th (I think), join the Lean Startup Circle Sydney.