

Ribbit Voicemail

I’m a long time fan of SpinVox – the Voicemail to SMS service.  In my review of them last year I found seven ways they could improve their service.

Due to SpinVox’s rather beleaguered year, there have been no noticeable improvements or enhancements in the service they provide.

Enter Ribbit!

Currently in beta, Ribbit promises to be all that SpinVox could be – and more.

The basic premise is the same.  You divert all your voicemail to their service, a caller leaves a message, you get it delivered as an SMS.  Perfect.

Set up was a breeze: enter account information and set up the divert.  They even do a test call to make sure everything is set up correctly.

Compared To Wishlist

So, how do they do compared to my wishlist?

MP3 delivery.

It’s great to receive an email with the transcript, but I’d really like to get an audio file as well.  Useful for record keeping, error checking and blackmail.

Yup – done and done!  MP3s come through email. If your phone picks up your email, you can listen to a message without having to dial in.  Perfect.

MP3 Email


.mobi site.

I’d like to be able to go to spinvox.mobi and see a list of all the voicemails I’ve received – including transcripts and audio downloads.

Again, close to perfect.  There’s a hidden mobile site – http://m.ribbit.com/ which gives you direct access to your transcriptions.  It even lets you dial in to a message or return a call directly from the web site.

Mobile Ribbit


Personal API.

I’d like access to an API for personal use.  To enable me to generate wordles or similar.  To grab all the voicemails from a particular person or containing a certain phrase.

It’s there! http://developer.ribbit.com/ – I need to dig around to see what can be done.

Personalised Greetings.

I’d like to set different greetings for different sets of numbers. I keep the same number for work, friends and family. My friends don’t want to hear my work Out-Of-Office message and my work colleagues don’t want to hear my James Bond impression.

I can’t see a way to do this.  It should be possible.  Once I’ve uploaded my address book, I want my mates to get one voicemail greeting, work colleagues to get another, etc.

Along with greetings, I’d like to be able to quickly flick between my regular voicemail message and my out of office message. It’s great fun recording a new one every time I go away for a few days.

Yes! This works!  You can record as many greetings as you like – you can even use your computer’s microphone.  You can swap them over on the web – I’ve not found a way to do it either via IVR or mobile web.

Direct Dial Voicemail.

On Vodafone UK, I can dial 121 before any number and go straight through to voicemail – handy if I want to avoid someone! I’d like a number I can give out which would just go direct to my voicemail.

Not available.  A minor concern.

Website

Ribbit has an incredibly feature packed website.  As well as giving you complete control over your account, you can also use the website to read and listen to all your messages.

Ribbit Web Control Panel


You can also see missed calls. This is wonderfully useful. If you’re out of coverage, your phone won’t ring. Once you’re back in coverage, you can get a text or email from Ribbit telling you who rang but didn’t leave a message.

Shortcomings

Nothing in this world is perfect – let’s look at what Ribbit does badly.

Startup

The welcome text is very poorly done…

Ribbit Welcome SMS


Coming from an unknown number, oddly formatted and no link to the mobile portal. The link presented doesn’t render well on mobile either.

You only get one chance to make a first impression – sadly Ribbit’s first impression is of carelessness.

Accuracy

Always a tricky one to get right.  Take a listen to this MP3 and compare it to the transcribed text.

Hi, Terry. It’s Mom. We’re just about to go over to have a cruise in Hong Kong. It’s the most beautiful place I’ve ever seen. I’m just knocked out. Anyway, we’d love to hear from you speak to you, I guess you can ring this phone. We mentioned we have a cruise and I may answer it. I hope you and Lis well. And I love you lots. Bye.

Pretty damned accurate!  I put this under shortcomings because of the American translation of “Mum” to “Mom”.

Timezones

When your servers are in one country and your users are in another, date- and time-stamps become really important.

Mobile Ribbit


The timestamps in the mobile web version are several hours out.  A minor annoyance – but one which gives people a headache trying to work out why someone is calling you at 6AM!

QA

Notice the “Call Voicemail” link in the image above?

Ribbit Mobile Error


It’s pointing to – I presume – the US dial in number, not the UK one.  There are several little errors like this.  None of them critical, but all enough to remind you it’s in Beta.

Conclusion

Ribbit is close to perfect. It blows SpinVox out of the water in terms of voicemail functionality.

Its accuracy is good – and it’s upfront about its transcription methods.  It even lets you sacrifice accuracy for confidentiality if you’d rather just have machines listening in.

What will make it sink or swim is its pricing.  Free during beta, it’s promising free automated transcription, with pricepoints of US$10 and $30 for higher tiers of premium human-based transcription.

It’s missing a few “nice to haves” – SpinVox let me reply to voicemails via text-to-voice and would let me update my social networks by speaking a message.

The website and mobile web service need a bit of spit-and-polish – but it is functional.

I highly recommend you sign up for the beta of Ribbit.

Posted in mobile.



The Perfect Twitter Spam Attack?

This morning, when I logged on to Twitter, I saw a user who I didn’t recognise tweeting away in my timeline.

I wracked my brains thinking about how they could have gotten in there before I realised it was a long-dormant friend who had changed their name and avatar.

But, in thinking about how a spammer could infiltrate one’s timeline, I think I came up with a fairly bullet-proof method to spam Twitter users.

I present this as an exercise in devious thinking – and also to show how our assumptions about security can play against us. Remember, hacking and impersonation are likely to be illegal in your jurisdiction.  This information is designed to help you understand how security weaknesses can occur.

Being Evil

Imagine you are a nasty, evil Twitter spammer. Your own mother wouldn’t spit on you if you were on fire – that’s how mean you are. Here’s what you do.

  1. Obtain a user’s password.  Admittedly, this is the hardest part of the process. You might use a dictionary attack, use the same password they use to log in to another site, or somehow steal it.
  2. Log on to Twitter.
  3. Go to “Connections” and see which services they have connected to using OAuth.  For the purposes of this experiment, let’s assume they use Example.com.
  4. Go to Example.com and OAuth yourself with Twitter using your mark’s credentials.
  5. Here’s where the ordinary spammer falls down.  The ordinary spammer will start sending out messages from the mark’s account.  That’s not the aim of this weakness.
  6. From the mark’s account, through Example.com, make your victim follow one of your spam accounts.  An account which exists solely to show adverts to your victim.

Your victim now sees your adverts for pills, poker and porn in their timeline.  With any luck, they’ll just assume that one of their true friends is promoting your illicit wares.

Counter Attack

Most victims will assume that they accidentally followed your spam account – or that one of their friends has been hacked.

Worst case scenario, they unfollow your spam account.

So you just make them follow you again! Remember, you are still OAuth’d to Example.com. You can make them follow as many of your spam accounts as you think you can get away with.

At this point, the intelligent victim will think that their account may be compromised and change their password.

It doesn’t matter! Because you have used OAuth, password changes don’t affect you.  You can continue to make them follow as many of your spam accounts as you think you can get away with.

At this point, the really intelligent victim will go through their OAuth connections to look for something suspicious.  They won’t find it.  Remember steps 3 and 4?  You are OAuth’d to a service that your victim trusts.

Because of the way Twitter displays OAuth information, there’s no way for a victim to know when a service was last authorised.

Twitter OAuth Connections


There is no information other than the first time the OAuth was set up.  No last accessed date, no IP addresses, nothing useful.

When following an account, the victim gets no notification of what has happened, when it has happened or how it has happened.  There is no way of them knowing which of their OAuth’d connections have been compromised, nor when it happened.

Their only safe option is to revoke every single OAuth connection.  Then reauthorise.  A time consuming and annoying prospect.
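The gap described above, modelled from the provider's side as an added example (not code from this post, and not Twitter's implementation or API): a hypothetical `Provider` keeps one grant per authorisation, shows that a token issued by re-authorising an already trusted app survives a password change unless the provider revokes grants at that point, and builds the per-app audit view (first and last authorisation, last use, source IPs) that the connections page lacks. Class names, field names, timestamps and IP addresses are all constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Grant:
    user: str
    app: str
    token: str
    issued_at: int          # constructed timestamps, in seconds
    issued_ip: str
    last_used_at: int = 0   # 0 means the token has never been used
    revoked: bool = False

class Provider:
    """Hypothetical OAuth provider model; names are assumptions."""
    def __init__(self, revoke_on_password_change):
        self.revoke_on_password_change = revoke_on_password_change
        self.grants = []

    def authorize(self, user, app, ip, now):
        # Every authorisation, including a repeat for a known app, is recorded.
        self.grants.append(Grant(user, app, secrets.token_hex(16), now, ip))
        return self.grants[-1].token

    def use(self, token, now):
        for g in self.grants:
            if not g.revoked and secrets.compare_digest(g.token, token):
                g.last_used_at = now
                return True
        return False

    def change_password(self, user):
        # Hardened policy: a password change invalidates every existing grant.
        for g in self.grants:
            if self.revoke_on_password_change and g.user == user:
                g.revoked = True

    def connections(self, user):
        """Audit view per app, built from the active grants."""
        view = {}
        for g in (g for g in self.grants if g.user == user and not g.revoked):
            row = view.setdefault(g.app, {"first_authorised": g.issued_at,
                "last_authorised": g.issued_at, "last_used": 0, "ips": set()})
            row["last_authorised"] = max(row["last_authorised"], g.issued_at)
            row["last_used"] = max(row["last_used"], g.last_used_at)
            row["ips"].add(g.issued_ip)
        return view

def scenario(revoke_on_password_change):
    """Replay the post's timeline; return (token still valid?, audit row)."""
    p = Provider(revoke_on_password_change)
    p.authorize("victim", "Example.com", "198.51.100.7", now=1000)  # original
    second = p.authorize("victim", "Example.com", "203.0.113.9", now=5000)
    p.use(second, now=5100)
    audit = p.connections("victim")["Example.com"]
    p.change_password("victim")
    return p.use(second, now=6100), audit
```

With `scenario(False)` the second token still works after the password change, while the audit row already shows a second authorisation from a different address, which is the signal a user reviewing their connections would need.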

Conclusion

I hope I’ve demonstrated two things.

Firstly, there’s more to spam than just sending out messages.  Forcing someone to read a message is just as annoying.

Secondly, our understanding of security and usability hasn’t quite caught up with the new tools which are available to us.  OAuth is still better than giving your password to an untrusted site – but without essential usability changes, a compromised account is a lot more dangerous than the user would suspect.

This “attack” still relies on a victim having their original password compromised.  That’s not a trivial matter.  But security is like sexual health – it only takes one little accident…

Posted in usability.



I Love Open Source

As I mentioned in my last post about VoteUK, I found the TheyWorkForYou API to be a little lacking when it came to image sizing.

I posted a request asking if there was a pattern to the image sizes and, if not, was it possible to have the sizes returned in the API.

The “standard” open source reply – “fix it yerself” – was predictably swift.

So I did.

The source code is remarkably accessible – although a few more comments wouldn’t go amiss.  This was my first experience with GIT and Github.  It was easy to get the code and, luckily, I didn’t have to dive too far in to its syntax.

I had initially thought about using the EXIF data within the images to get the width and height.  Unfortunately, not every image can be guaranteed to have (accurate) EXIF data.  PHP to the rescue once again with the getimagesize() function.

So, where we previously had

if ($image) $row['image'] = $image;

This becomes

if ($image) {
	list($width, $height) = getimagesize($image);
	$row['image'] = $image;
	$row['image_height'] = $height;
	$row['image_width'] = $width;
}

Many thanks to Matthew Somerville for testing and releasing the patch in double quick time. You can examine the changes made to the code.

So now the API returns,

<image>/images/mps/10409.jpg</image>
<image_height>59</image_height>
<image_width>49</image_width>

Brilliant!

So, I have a problem, I can see how much effort it will be to fix, I suggest a solution, it works and goes into production.  That’s the awesome power of open source.

Posted in voteuk.



Hashtag Standards

This is one of the longest and geekiest posts I've done.
It's a work in progress.
All comments and abuse welcome.

#hashtag – As long as there has been a way to search Tweets* people have been adding information to make them easy to find. The #hashtag syntax has become the standard for attaching a succinct tag to Tweets.

The Twitter Engineering Blog

That’s all well and good, but as I discovered yesterday, without standardisation the ability to search falls apart.

I’m not talking about whether you should use the #LondonFire tag rather than #FireOfLondon or #LDNfire. Rather, how does a computer recognise what a valid tag is?

Why Does This Matter?

Search and tracking quickly break down if they are inconsistent.
For example, if you are using #Romeo&Juliet to mark all your conversations about the play you are watching, different Twitter clients will link through to either #Romeo, #Romeo&, or #Romeo&Juliet, and each search potentially returns different conversations.

What’s The Convention?

Twitter’s website ought to be the definitive source of how hashtags work. This is their main site.

Twitter Website Hashtag


Yet, when we visit their mobile site – we get a completely different experience.

Mobile.Twitter's hashtags


Application Confusion

Because there aren’t any widely publicised definitions for what hashtags are, some applications have a significantly different attitude to hashtags.

SocialScope Hashtags


UberTwitter's Hashtag Support


Standardisation

To be fair, the Twitter team do have a standard.  Even if they don’t use it themselves.

They even have some limited test cases and libraries in Ruby and Java.

So, given that Twitter, their implementation and apps all disagree on what a hashtag is, let’s try to work out what they should be.

Anatomy of a Tag

To begin at the beginning.  A hashtag starts with a hash. #.  Simple, no? No.

There are two different hash symbols! There’s the # we all know and love, and there’s ＃.  Looks pretty similar, but in fact it’s the Unicode symbol [U+FF03].

Actually, that’s not the beginning.  What comes before the # of the hashtag?

Consider the following examples – which should be hashtags?

  • #tag – the # starts off the Tweet
  • This is my tweet #test – the # comes after a space.
  • This is it.#tag – the # is pushed against some punctuation, perhaps for reasons of space.
  • Here we go-#LiftOff – the # is pushed against a -
  • I’ve run out of space#OhNo – the # is pushed against some text
  • &#nbsp; – the # is part of an HTML entity
  • text #hashtag – the # comes after a “wide space” (U+3000)
  • Should I use #tag/#hashtag? The # comes after a /
  • Is this valid ##tag – there are two #s

So, we can see it’s a little more complicated than we first thought.

The End

Let’s skip over what’s in a hashtag and ask “how do we know that a tag has finished?”

Consider the following examples -

  • New album #OMG! – should the ! be part of the hashtag?
  • #BreakingNews: dog bites man – should the : be part of the hashtag?
  • (is this a #tag) – should the ) be part of the hashtag?
  • I like #tags#

We probably don’t want to have any punctuation at the end of our tag.  Can you think of any counter examples?

Yummy Filling

Our language is more than just the letters A-Z. We’ve got punctuation, numbers, symbols and all manner of other glyphs.  Which of them count as part of a hashtag?

Take a look at these examples

  • Vote Bush! #Don’t
  • My dog died #:-(
  • Einstein #e=mc^2
  • I’m on bus #123
  • I’m giving #110%

Using Twitter’s standards, none of the above render as complete tags.

Foreign Languages

We’ve mentioned accents above.  As we can see in the first example, “funny” characters can cause problems.  Broadly speaking, there are three issues.

  1. Accents.  Should the é on #Café be linked?
  2. Accents.  Is #Romeo the same as #Ŕöméø?
  3. Japanese, and some other languages, don’t use spaces.  Is #tagの valid? What about # 会議中 ?
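To make the questions above concrete, here is one explicit rule set run over this post's own examples. It is an added example, not code from this post and not Twitter's published standard or libraries; the five rules in the comment are assumptions chosen for illustration, and the sample strings are re-typed from the lists above as constructed input.

```python
import re
import unicodedata

# Assumed rules for this example (one possible answer, not Twitter's):
#  1. NFKC-normalise first, so the fullwidth hash U+FF03 becomes '#'
#     and the wide space U+3000 becomes an ordinary space.
#  2. '#' opens a tag only at the start of the text or after a character
#     that is not a letter, digit, underscore, '&' or another '#'.
#  3. The body is letters, digits and underscores in any script and ends
#     at the first other character, so trailing punctuation is dropped.
#  4. The body needs at least one letter, so "#123" is not a tag.
#  5. Tags are compared case-insensitively; accents stay significant.
TAG = re.compile(r"(?<![\w&#])#(\w+)")

def extract_hashtags(text):
    """Return the comparison key of every hashtag found in text."""
    text = unicodedata.normalize("NFKC", text)
    keys = []
    for match in TAG.finditer(text):
        body = match.group(1)
        if any(ch.isalpha() for ch in body):
            keys.append(body.casefold())
    return keys

# Constructed sample input, taken from the examples in this post.
SAMPLES = [
    "#tag", "This is my tweet #test", "This is it.#tag",
    "Here we go-#LiftOff", "I've run out of space#OhNo", "&#nbsp;",
    "text\u3000#hashtag", "Should I use #tag/#hashtag?",
    "Is this valid ##tag", "New album #OMG!", "(is this a #tag)",
    "I like #tags#", "Vote Bush! #Don\u2019t", "Einstein #e=mc^2",
    "I'm on bus #123", "#Caf\u00e9", "\uff03会議中",
]

def report():
    """Map each sample to the tags these rules would link."""
    return {sample: extract_hashtags(sample) for sample in SAMPLES}

if __name__ == "__main__":
    for sample, tags in report().items():
        print(f"{sample!r:40} -> {tags}")
```

Under these rules "#Don’t" and "#e=mc^2" are truncated to "don" and "e" rather than rejected, which is exactly the kind of silent divergence between clients that a shared standard would have to settle.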

Exhausted

These are a fraction of the possible problems.  It’s exhausting trying to find all the possible textual combinations and permutations which could lead into a hashtag.  No wonder there is confusion!

Search is a complex, profitable, and useful business.  It’s of vital importance that there is a legitimate, comprehensive standard which all sites and applications can follow.

Posted in /etc/, usability.



Girl With A One Track Mind

It’s always a thrill to hear an author read their work aloud. It’s even more of an honour to be at the author’s début.
Last night, 100 people crammed into the function room of Canal 125 for the launch event of Girl With A One Track Mind Exposed by Abby Lee aka Zoe Margolis.

Sitting around her in a semicircle, it was like Jackanory for adults. Despite never having read her work in public before, Zoe’s voice rang out loud and clear. She relished the innuendo and succeeded in making her audience dissolve into fits of giggles on several occasions.

This is the sequel to her extraordinary first book, Girl with a One-track Mind: Confessions of the Seductress Next Door

In with the smut, the London A-Z of where she’s shagged, and her thoughts on Rampant Rabbits, was unexpected heartbreak.

Anyone who has followed her blog knows the disgraceful way the Sunday Times treated Zoe. Their obnoxious pursuit of her and the lengths they went to for a “scoop”. I knew the story well. But hearing Zoe reading it aloud brought home just how terrifying it was for her.

The abuse – and there is no other word for it – is evidently still a raw subject. This new book is the product of emotional distance from a traumatic event – hence its delay in release.

It takes supreme courage to survive being exposed in front of your peers. Even more courage to take that experience, craft a book around it and then stand up in front of a group of strangers and ask them to listen to you.

Massive congratulations to Zoe for her outstanding blog and her brilliant second book.

Posted in /etc/.




