Comments for Virtual Employees | Virtual Assistant Services

Comment on Going Green! by Chad Lawie

Chad Lawie — Thu, 16 Feb 2012 01:16:11 +0000

Hello Jen,

I’m not sure if I completely understand the question. Do you mean, can we discuss our services with you before getting started? If so, most certainly! Please call us anytime, M-F, 9-5:30 EST.

Thank you,

Chad

Comment on Going Green! by Jen Yost

Jen Yost — Wed, 15 Feb 2012 23:50:03 +0000

Hello – Do you offer a consultation to discuss your VA services?

Thanks.

Comment on Writing Services by Chad Lawie

Chad Lawie — Wed, 15 Feb 2012 20:35:57 +0000

Hi Jay,

We would definitely be interested! I’ll send you an email so we can discuss the details of the project.

Thank you,

Chad

Comment on Writing Services by Jay

Jay — Wed, 15 Feb 2012 20:19:41 +0000

I am interested in learning more about your writing services. We are in the process of establishing a physical newsletter to our members and are looking for writers as well as an editor to make sure it sounds good and to create the layout.

I will be more than happy to go into more detail in further emails, however i am just looking to gauge your interest in a project such as this and to see if this would fit nicely into your expertise area.

Thanks
Jay

Comment on Receptionist Services by Chad Lawie

Chad Lawie — Wed, 08 Feb 2012 01:52:04 +0000

Hello Dr. Boyle,

We have a talented team, and we can help with any task that you are willing to train us to do.

You will work with a single point of contact at LongerDays and you can call that person directly by extension. There is typically no waiting time to speak with your team lead.

Comment on Receptionist Services by Dr. Brian Boyle

Dr. Brian Boyle — Wed, 08 Feb 2012 00:40:59 +0000

I am a physician who occasionally requires pre-authorization for certain procedures. If trained, could you do this?

I also need occasional appointment scheduling using an online service. Can you do this for me?

I suppose its possible to call directly to give tasks. Is this right? Sometimes calling is quicker than email.

Is there an average waiting time for calls?

Thanks. Just browsing but looking to hire within the month.

Comment on InfusionSoft 1-click upsell security risks by nonickch

nonickch — Thu, 02 Feb 2012 01:03:31 +0000

just strip out all infusionsoft-special characters like you would do with SQL statements.
That takes care of the wildcard-based attacks, but does not 100% cover for all the attacks.

The problem is that marketing people are all for ease of use, and security is the inverse of ease squared. For example, wildly popular one-click upsell scripts will happily grab your infusionsoft contact ID for an upsell from a cookie. How do you feel about billing random people?

Comment on LongerDays Free Trial by Sean Oberle

Sean Oberle — Tue, 24 Jan 2012 13:45:49 +0000

I spoke with Chad yesterday. I am looking for writers to convert government reports, press releases, etc. into short stories (4-8 para) for my newsletter. Ultimately, this would occur on a weekly basis, on Wednesdays or Thursdays.

Comment on InfusionSoft 1-click upsell security risks by Chad Lawie

Chad Lawie — Wed, 11 Jan 2012 14:06:49 +0000

Thought provoking! Thanks for taking the time to share that.

So you are suggesting it is best to setup webforms to create new contacts, and then routinely check for duplicates, instead of having the webform automatically update the contact information if the contact exists.

Comment on InfusionSoft 1-click upsell security risks by nonickch

nonickch — Wed, 11 Jan 2012 11:53:27 +0000

That doesn’t make any sense.
The name would be andrew;cat%20/etc/passwd and if passed to infusionsoft it will happily store it.
This is not a shell script, it’s PHP, so unless you eval (that function is evil) or somehow sneak it in an exec() call.
Also, /etc/shadow is no longer an easily-breakable encryption (well, at least as easy as it used to be in the 90′s)

A real security issue, which is not widely discussed, is the IS API-special characters like % (the wildcard character for searches). Let’s say for example that your upsell script tries to locate a pre-existing contact by his email, before proceeding to bill him with the current product.

is_find($_GET['Email']).
if found, get first valid card, bill the product to him and ship to some address.

So, if I type my email to be “a*”, this will match all emails starting with an a. Most scripts just grab the first result of the query and bill him something.

Of course, having such a script where the only verification is an email is so bad, it should be illegal (is it?). But I have seen quite a few floating around. A “get hit first, fix later” security mentality of low-cost development which unfortunately is very popular in contractor-based development.

A more commonplace variation of this exploit is when an API-based webform creates/updates contacts:
1. check if contact already exists (by email).
2. If he exists, update the information on the contact table
3. If he doesn’t exist, create the contact.

In this case one can just wipe clean all your IS contacts by simply spamming the form with emails: a*, aa*. ab*… ba*,bb*…