Archive for the ‘DrakNet News’ Category
Tuesday, March 9th, 2010
As of this morning, cPanel logins are forcefully blocked from being used as FTP logins across all servers.
We’ve stated for years that you shouldn’t ever use your cPanel login to log into FTP unencrypted, because the login and password are stored and passed to the server unencrypted, putting the administrative login (or the “super user”) at some risk of being compromised. Due to a rash of compromised logins that we’ve seen of late, we are now forcefully preventing you from doing it.
If you are going to use FTP to transfer files, you should log in to cPanel and create an FTP account for that purpose.
If you are unsure of how to do this, please visit
http://www.drak.net/support/#cpanel
and watch Movie #17, Creating an FTP Account.
SFTP can continue to be used with cPanel logins (and, in fact, can only be used with cPanel logins as SFTP actually operates over SSH and not FTP even though the name implies that it does). If you wish to use SFTP to transfer files to your account, please note you must write in to support for the SSH Port Number on your server. SFTP will not operate on the standard FTP or SSH port for security.
Please note that this change will not prevent your web site from being compromised if your computer is infected with a virus and bots obtain your logins in order to upload trojans, redirects, and so on. All this does is prevent your cPanel administrative account from being further compromised if you are infected and keeps your administrative logins from being obtained as easily as they were before.
Always store your passwords in encrypted databases, always surf the Internet with continuously running firewall and virus shields, and share your logins and passwords with as few people as possible.
Later Update:
We’ve added the SSH/SFTP port number in your cPanel under “news” for your server, right beneath the support chat button. If you are using an FTP program that supports SFTP, you only need to change 2 things, the protocol (which should go from FTP to SFTP) and the port number (which will not be the default for SSH/SFTP as we randomize them).
Tags: cPanel logins, FTP Logins, security Posted in DrakNet News | View Comments
Monday, February 15th, 2010
We had a client write in after ordering a new web site, setting it up, and getting ready to launch – and who was baffled that his site got a big, hairy yellow alert from Zone Alarm.
See actual big, hairy yellow alert to the left.
While it says that the site isn’t known malware, spam or a virus, and while it says it’s in the US, it’s also a big, hairy, nasty yellow alert, as if the site you are about to visit is a big, nasty site that you don’t want to visit.
We’re not sure how recently Zone Alarm chose to do this, and a search in their support area showed no information about why they would do this on a new site (or even that they do), but a dig through their forum does show an official answer that Zone Alarm will alert on all sites, without exception, if they have been registered less than three months from the date of the visit, and there is absolutely no way for web site owners to get the alert off their site until that 3 month time period passes by.
This is the official answer from the Zone Alarm Forum moderator:
Hello,
In this case and ANY website that’s reported like this our software is working as designed and there is NOTHING that can be done to change it.
It’s the fact the website is 3 months or newer.
It’s the unfortunate fact that hackers put up thousands of sites a day for malicious reasons so we rate any new website like this.
We don’t have the staff to evaluate every new website in the world daily.
So we go with just telling you the website is 3 months old or newer and let the person surfing make a decision to go to that website or not.
We never say there is a definite threat on the website.
Forum Moderator
and you can find this answer posted as the last entry in this thread on the Zone Alarm forum.
Normally, we don’t blog in the middle of the night, but since the forum thread is fairly recent, we surmise that this aspect of the software is fairly recent as well or the question would have come up sooner. This also seems like a fairly serious new step for a security company to take that can seriously confuse people and have an adverse effect on newly launched web sites and e-commerce endeavors. This is something people should be aware of when planning any new web site or registering or changing a new domain name.
Obviously, by not completely outlining the issue in the warning, by throwing a red herring in there by implying it’s a security certificate even on sites that don’t even use SSL Certs, and by casting a blanket suspicion and warning on all new sites, this has a huge potential to make people seriously suspicious and (especially if it’s their own brand new site) incredibly confused.
It will also likely backlash onto hosting companies, because people who use Zone Alarm will go to their web hosting company when Zone Alarm says there is a problem with the site itself. Since it’s already happened to us, we felt we needed to address it immediately.
If Zone Alarm was going to choose to do this, it would have been nice if they provided documentation regarding the warning and an explanation of what it means that didn’t panic or confuse people. The decision to cast suspicion on any new site less than 3 months old has more implications than I believe they truly thought through.
But of course, since the hosting companies would get the support tickets, I imagine they didn’t much take that one into consideration.
Tags: warning, zone alarm
Thursday, February 4th, 2010
Those of you that follow us on Twitter and Facebook got a sneak peek at the new forum, and now that the forum URL has propagated, we wanted to let everyone else know about it, too.
We’ve nuked the VBulletin forum that we had after discovering that we had a bit more activity in the comments section once we switched to social media login, and Get Satisfaction is a customer service forum that allows you to login with your various Facebook and Twitter and other “whatever the kids are doing these days” accounts to participate in the forum.
It’s also much less likely to be spammed (at least at this juncture – I imagine if you give it time, the spammers will find their way around just about anything in order to sell you Viagra), and I personally like the format quite a bit more than a “plain old” vanilla Bulletin Board system.
If you have a ticket that you think someone else would benefit from seeing answered that doesn’t require us to actually dig in your account or that would need to be private for security, we urge you to submit it there so other folks can see and find the answer or participate in the discussion. We have three official representatives monitoring and responding to discussions, and they’ll be marked as such so you’ll know who’s who.
To encourage folks to utilize the new forum, we’re going to give away a $25 credit at the end of each week in February to a random name that was active on the forum in submitting a question – sorry, folks, submitting praise won’t count because we’re adamantly against paying anyone to sing our praises.
Though you can submit a question or an idea AND a praise, and that’ll be ok.
We hope you like the forum and if you don’t have one of those new fangled social media logins, there will still be an area to sign up.
Tags: community, customer support, forum
Friday, January 15th, 2010
We received this email from e-onlinedata yesterday with regard to “Card Not Present” transactions, and wanted to pass it on to our e-commerce customers. In this case, if you have any questions about the information, please contact your merchant bank whether that is e-onlinedata or another Merchant Provider.
Since this information is coming from Mastercard, this applies to all online merchants, not just those through e-onlinedata.
e-onlinedata wants to inform everyone of changes expected from the Payment Brands regarding practices that are considered “Brand Damaging”. As you may be aware, both Visa and MasterCard are taking action in response to increases in consumer disputes related to card-not-present and direct response products and services. e-onlinedata is endorsing the adoption of Best Practices to support our merchant base in conducting business in a manner that protects both businesses and consumers from fraud. To date no formal announcement has been received, however e-onlinedata is issuing this communication now in an effort to educate and assist our agents/merchants in complying with anticipated Payment Brand mandates and actions.
MasterCard has recently warned the Acquiring community that “Negative Option” enrollment will be considered a “Brand Damaging” business practice. “Brand Damaging” is a very broad term and is still being defined, but in light of recent fines to our counterparts, we must be proactive. Indications are that MasterCard will require immediate termination of merchants identified as using this business practice, along with any other practices considered “Brand Damaging”. This follows recent policy changes from Visa regarding descriptor formats and disclosure of corporate entities related to Direct Response offers, with the intent to enforce all chargeback and transaction monitoring programs as defined by the associations.
e-onlinedata cannot accept merchant applications for products and/or services employing “Negative Option” enrollment, in addition to the following practices:
- Marketing models that employ “Free-Trial”, “Deferred Billing” and/or “Shipping Only”. Customers must be receiving a tangible good or contracted service in exchange for charging of payment cards. Incentivized discount offers are acceptable when the cardholder is receiving something in exchange for payment, however we will be unable to support accounts engaging in hidden or delayed charges and ‘free’ offers that are not truly free.
- “Cross-Selling” and “Up-selling” business practices. All sales should be directly between the business entities (merchant) processing the transaction and the cardholder, with cardholder authorization for all purchases.
- Per Payment Brand guidelines, the use of multiple merchant accounts, billing descriptors and merchant processors may be viewed as an attempt to avoid chargeback monitoring programs and is prohibited. Perceived non-compliance has led to termination of processing relationships. e-onlinedata will review the business consideration for opening multiple merchant accounts to ensure compliance with Payment Brand guidelines.
- Transactions generated from internet traffic and all other lead sources must be managed and monitored for potential fraud using an approved system. Third Party service engagement may be a requirement for account approval.
The FTC has recently published guidelines regarding “Negative Option” enrollment programs and is taking a very aggressive position against merchants utilizing/employing this business practice. Recommendations taken in part from the FTC’s website may include but are not limited to the following:
- Material terms should be disclosed in a clear, concise manner. Unnecessarily long or inconsistent terms are viewed as an attempt to mislead the consumer.
- Terms should be disclosed in a conspicuous manner, clearly placed and labeled on websites in a location that indicates the importance and relevance to the transaction. Fonts and colors must be easy to view.
- Material terms must be disclosed prior to completion of the transaction and before a financial obligation is incurred by the consumer.
- Customers must provide affirmative consent to any offer, examples include a mandatory “I Agree…” statement checkbox, where the customer is acknowledging the Terms and Conditions of the offer and consents to be entered into continuity program as a result of completing the transaction. Pre-checked boxes do not qualify as affirmative consent.
- Merchants must not discourage or make difficult in any way the disclosed cancellation procedures and all cancellation requests must be honored in accordance with the stated terms of the transaction.
Technorati Tags: e-commerce
Tuesday, January 5th, 2010
Ok, folks, if you have all annual accounts, this won’t affect you – your billing will stay the same. If you are semi-annual, quarterly, or most especially monthly, listen up, as we’re making some changes that hopefully will shine clarity on your billing.
We started using our billing software way back in 2002 – I think we were like the 11th paying customer they had if our billing account number is to be believed. We love Ubersmith, and they keep making it better and adding things we would have loved to see in 2002, and we would love to use now. Problem being that many of their settings work independently and there is no real way to make a mass-global change, so some things that they added that were awesome we just have no feasible way to implement other than manually – and in some cases it’s not worth the manual effort to retroactively apply it, and it’s not fair to have some folks have access and not others.
We have realized that billing can be confusing. The grace period system is great – except that it picks up everything renewing during that time period, and picking 31 days will leave some double charged on some months and not charged on others. The standard due date is great, except it leaves some people being invoiced after they already have a balance because again, there’s that pesky “months have different numbers of days” thing. Back when we started with Ubersmith, there was no ability to prorate service. The day we installed you was your start date – and that could be any day of the month. That made it a lot more complicated to figure out a system where:
- The due date was clear, universal, and before your service can get suspended.
- The invoice was far enough in advance that those who have to go through committee, accounts payable, or who just needed time to budget because they ran into a pinch had enough time to do it.
- You could clearly understand what date your service with us was in serious trouble.
An invoice date on the 10th, due on the 20th, with 31 days in advance meant that if we billed like that in January, it would renew and invoice packages up to Friday, February 20, 2009. Same billing run in February? It’ll renew up to Monday, March 23, 2009 – which leaves a play of 3-4 days in the middle of the month where someone monthly could wind up having a skipped charge, and then a double charge the following month, because if your package was on the 21st, it was not in the January time frame, but was in the February time frame. And, oh, so was March, too.
While not technically a double charge because you’re not paying for the same time twice, it was nonetheless patently annoying both to us, and to people that got caught in the grace no man’s land.
Unfortunately, Ubersmith does not have a built in system to go by calendar dates. The Prior Billing is always a static number of days, presenting the same problem. A grace would be the same regardless of how many days are in the month. It just couldn’t do what we wanted it to do through its interface.
So, we done hacked it.
The first thing that’s changed is ALL of the monthly packages are renewing on the first. Since we can’t prorate you folks after your package starts, your packages have been manually edited and your next renewal date is on February 1st regardless of when you were supposed to renew. Since we “pushed” the vast majority of you out instead of pulling you back, that means you all got a few weeks free (if you had to be pulled back, you got a credit). You’re welcome.
All monthly accounts, without fail, will be installed to have a package renewal on the first of the month, which means whenever you order a package you will pay the prorated fee for the month you’re installed, and the next full month. Then you’ll be billed every month thereafter. We will be doing the same with quarterly and semi-annual accounts in the future, but we will not go back and change the older ones – since you’re not in danger of double billing, there’s no particular need.
All invoices for monthly, quarterly and semi-annual accounts will be on the 1st of the month. Your due date every month will be the last of the month whatever date that happens to be – for you monthly folks, the “how late can I get away with paying before being suspended?” just got a whole lot easier to understand. You’re all on the first, and you will have a full calendar month to get that payment in. If you don’t by the due date, it is now a real and not “symbolic” due date and if you don’t pay by the due date, you can assume with great confidence the following day your suspension may take place. The due date is now an absolute, real, and final due date if you are monthly.
You quarterly and semi-annual folks have a little more detective work, at least those installed up to now. Your due date may be before your package actually renews – you can assume that if your package renewal date comes and there’s no payment, you may have an issue. If you would like to be moved to a 1st renewal so that you too can have the serious, immutable, this is the DUE DATE due date, send a ticket in and we’ll be happy to do it for you.
I know, I know, everyone’s going “The first? I hate the first! EVERYTHING is due on the first!” and we totally understand your issue. We cannot change your invoicing date because of the method we are using to change the dates based on the calendar months of billing. What we can do for you, though, is let you pick the day you want your card to be charged. Since you now have a full calendar month to get the payment in, you can choose any day of the month up to the 28th. Just contact us and let us know what date you want the card to be charged, and we’ll be happy to program it in. This was simply the easiest, most universal, and clearly understood way we could set it up.
We’ll be editing the FAQs and TOS and so on in the coming days.
Monday, December 21st, 2009
This afternoon, there was a failure on Alakazam during a routine distillation of Apache. While initially, a setting was changed, this setting was in a separate file that could be included or left out of an Apache restart. Once Apache failed, we deleted the lines that were included, and distilled Apache again. All distillations of Apache came back as successful, however, when restarting Apache, it would fail.
Once we checked the configuration file for Apache to see if we could spot the issue, we did – the configuration file being generated was completely and totally empty. We attempted to rebuild it and though it again stated it was successful, the configuration file remained blank. We completely recompiled Apache with cPanel, and Apache was unable to complete a recompile. We then forced an update, recompiled, and it failed yet again. That took about an hour. What happens now demonstrates one of the reasons that we’re so incredibly open about what type of web host we are.
We are a small (or mid-sized, depending on whose metrics you’re utilizing to pigeonhole yourself into a meaningless category) web hosting company, deliberately. We don’t really advertise, we just do what we do, people tell people, and that’s how we’ve grown. We are not a web hosting company with an owner that sits around and collects checks while outsourcing every function because it’s a money-making endeavor; this is a hosting company because I truly love web hosting and I created myself a job that I would love doing.
Very early on, I made the decision to go with Managed Servers despite the extra cost, and I have never wavered from that decision. Yes, it costs us way more for the servers than a lot of our competitors, and yes, I could be making a buttload more money choosing cheapo servers at a crappy data center, or unmanaged servers where they’re just left to spin on their own. Some people have questioned why I “overpay” for managed servers when I know how to administrate a server just fine, and rarely ever have to go “up tier” for anything at all.
This is why. Because there are times when 3 heads on duty can’t solve a problem, and there are times when you can’t deliver a Class A experience unless you’re a Class A behemoth with staff to spare and experience with hundreds of machines and thousands (ok, millions) of problems. Tonight we at DrakNet hit a frustrating wall in our attempts to solve the issue.
Luckily, we are in a stellar data center, with an absolutely incredible staff that we can call on at any time for any reason and we can borrow them to come work for us for a bit. And that’s why you don’t choose “cheap” – you can have it fast, right, or cheap, just pick any two. (Although, ironically, I pay less at our current data center than I did at another data center that sucked eggs.) We generally don’t call on them for a whole lot because we’re pretty self-sufficient, but when we call on them we need them OMG RIGHT NAO!!
And we get them.
So, thanks go out to Scott Sullivan and Patrick Hawkins at Liquid Web, who were able to wrestle Apache into submission. We’d love to tell you why it happened, but no one really is totally sure why it happened. The credit, though, goes to them because the only thing we really did was yell help, and they kicked her back up.
A lot of hosting companies hide their dependence on their data center, or the roles that their data centers play in their success. Our set up as a host is not much different than some of the largest players on the market who don’t have their own data centers – no, I won’t name names. You know who you are.
We’ve never done that because we don’t think it’s a problem that we’re not almighty eggheads that can solve every single thing all the time, and we feel intensely about the role that Liquid Web plays in our success. We also feel it’s our responsibility to be honest about our company, and there’s no reason to hide or minimize our business set up, or play down their role to make ourselves seem bigger or more than we are. We feel it’s a great asset to you to have two companies simultaneously watching over your sites who are truly intent on making sure everything runs smoothly, and Liquid Web deserves the credit for giving us a fabulous foundation to serve you.
Their safety net’s not too shabby, either.
If you wonder why we chose to discontinue offering dedicated servers and VPS’s and partner with Liquid Web, why we recommend you to their server service when there is far more profit to be made selling slices and boxes, it’s because we truly think they’re the best and we couldn’t begin to compete in an arena that they accomplish so much in. We’d be remiss in trying to sell an inferior product. (Yes, we think we kick their ass in shared hosting, but that’s another post for another time).
So, thanks Liquid Web for saving our rear yet again, and thanks clients for being patient and not screaming at us while we fought what turned out to be a serious issue.
Though if you need to, there’s a comments section – have at it!
Monday, December 21st, 2009
All accounts now have DNS Zone editing available in their cPanel, under their “Domains” button. This is a very handy button – and it can totally take your web site offline if you enter things incorrectly. Anyone cheering about this button likely knows enough about DNS to know what to do with it, so we’re going to focus this more on the folks going:
“Um. Cool?”
Simple
Under “Domains”, you have two buttons, one marked “Simple DNS Zone Editor” and one marked “Advanced DNS Zone Editor”. As you could kind of figure from the name, “Simple” gives you less of an ability to get into trouble, while “Advanced” lets you shake up the house.
Under Simple, your first option is to add an “A” Record. An A (address) record is a DNS record that can be used to point your domain name and host names to a static IP address. This can be useful if you have a home computer on a static IP you want to be able to get into and you don’t want to remember the IP address, or you have remotely hosted billing software that allows you to point to their IP to make it look more like your own with a subdomain. An A record has to have an IP address.
When putting in the subdomain, you would only include the first part – so, say I wanted shop.drak.net to go to Alakazam for some reason, and Alakazam has the set up to take the name and apply it and all that jazz. I would enter “shop” where it asks for name, and “67.225.155.190” where it asks for the address, and then hit “Add A Record”. That’s it.
A CName is a little bit different. CNAME stands for “canonical name”. A CNAME record maps an alias to its canonical name. When a name server looks up a name and finds a CNAME record, it replaces the name with the canonical name and looks up the new name. So, if I wanted shop.drak.net to point to myshopsomewhere.com, I would put “shop” as the name, and “myshopsomewhere.com” as the CNAME.
Advanced
Advanced also lets you add something to the above, which is TTL. TTL is an acronym for Time To Live and refers to the capability of the DNS servers to cache DNS records. It represents the amount of time that a DNS record for a certain host remains in the cache memory of a DNS server after the latter has located the host’s matching IP address.
OK, English? A very, very, very simplified explanation:
For the very first time, you’re trying to visit a site on our servers. Your computer and ISP and so on ask the registrar where to look, and the registrar says “go to DrakNet’s DNS”, and so you do. Our DNS servers say “here’s the site on this server over here and btw, the TTL is 14400”, and so that’s how you know where the site is. The TTL we gave you is 4 hours (14400 seconds) – what that means is that we promise that information won’t change for 4 hours, so don’t bother asking us until then. The site will be there – but in a few hours, it may not be, so go ahead and ask us again – but not until then.
The servers that need that information keep it and assume that the site will be at X location, and that’s where they will send you up until it’s time to ask again.
This cuts down on constant requests to the DNS servers.
Advanced gives you access to your own main domain’s record as well, so you can change its TTL, or delete it altogether. Though we don’t suggest you do that.
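To make the A record, CNAME and TTL behaviour above concrete, here is an added example (not code from the original post or from cPanel): a toy authoritative server and a caching resolver. The class names and the 203.0.113.10 address for myshopsomewhere.com are constructed for illustration; shop.drak.net, 67.225.155.190 and the 14400-second TTL are the values used in the post.

```python
import ipaddress


class Authoritative:
    """Stands in for the hosting company's DNS servers (constructed data only)."""

    def __init__(self):
        self.records = {}   # name -> (record type, value, ttl in seconds)
        self.queries = 0    # how often resolvers had to come and ask

    def set_record(self, name, rtype, value, ttl=14400):
        if rtype == "A":
            ipaddress.IPv4Address(value)      # an A record has to hold an IP address
        elif rtype == "CNAME":
            value = value.lower().rstrip(".")
        else:
            raise ValueError("this sketch only handles A and CNAME")
        self.records[name.lower().rstrip(".")] = (rtype, value, ttl)

    def query(self, name):
        self.queries += 1
        return self.records.get(name)


class CachingResolver:
    """Stands in for the ISP resolver that remembers answers for their TTL."""

    MAX_CNAME_HOPS = 8

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}     # name -> (record type, value, expiry time)

    def _lookup(self, name, now):
        hit = self.cache.get(name)
        if hit is not None and now < hit[2]:
            return hit[0], hit[1]             # still inside the TTL: do not ask again
        record = self.upstream.query(name)
        if record is None:
            self.cache.pop(name, None)
            return None
        rtype, value, ttl = record
        self.cache[name] = (rtype, value, now + ttl)
        return rtype, value

    def resolve(self, name, now):
        name = name.lower().rstrip(".")
        for _ in range(self.MAX_CNAME_HOPS):
            record = self._lookup(name, now)
            if record is None:
                return None
            rtype, value = record
            if rtype == "A":
                return value
            name = value                      # CNAME: swap in the canonical name, look again
        raise RuntimeError("CNAME chain too long or looping")


def demo():
    auth = Authoritative()
    auth.set_record("shop.drak.net", "A", "67.225.155.190")
    auth.set_record("myshopsomewhere.com", "A", "203.0.113.10")  # constructed address
    resolver = CachingResolver(auth)

    answers = [resolver.resolve("shop.drak.net", now=0)]
    # The owner now repoints "shop" with a CNAME in the zone editor.
    auth.set_record("shop.drak.net", "CNAME", "myshopsomewhere.com")
    answers.append(resolver.resolve("shop.drak.net", now=3600))    # 1 hour later
    answers.append(resolver.resolve("shop.drak.net", now=14400))   # TTL has run out
    return answers, auth.queries


if __name__ == "__main__":
    print(demo())
```

The middle answer is the one to remember when editing a zone: a record that has already been handed out, right or wrong, keeps being served from resolver caches until its TTL runs out.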
OK, but what do I do with it?
Most of the time, you won’t need to mess with any of this information at all. There may be times, though, that you’ll sign up for a service like Google Apps or Etsy and they’ll give you an option to extend a domain name or subdomain name to their location to brand it more as yours. If they tell you to add an A record or CName to your DNS records, now you’ll know where to go to do just that.
Later on this week, we’ll take you step by step through setting up Google Apps yourself, if you’d like to do so.
*The above graphic came from our fabulous data center’s Knowledge Base, and we ripped it off mercilessly because they love us and probably won’t kill us for it. Follow the link to read a great, simplified overview of DNS written by Liquid Web.
Tags: dns
Saturday, December 19th, 2009
cPanel has come out with a major release, and we’ve gone through the settings and changed a number of things on the servers. Some of the things are good for you, some things are good for us, and a few of them are going to take some getting used to, so we wanted to let you know of some new behaviors you’ll begin seeing.
Logging in and Security
cPanel has added a new security token system and as of last night, we have implemented it. Our new security token system attempts to prevent cross-site request forgery (XSRF) attacks by appending URLs with a session token in the form of cpsess<number>. When this feature is enabled, absolute URLs are no longer allowed. This new feature helps to ensure a safe environment for you and our servers.
In order to login to cPanel, you cannot go to any URLs you may have bookmarked as you’ll get a big security notice – if you get it and look below, you’ll see two silver bars, one allowing you to authenticate and one asking if you want to book out. If you get it, simply click to authenticate and put in your login and password, you’ll be given a token, and will walk right in.
In order to utilize security tokens, some changes were made, and HTTP authentication has been turned off. HTTP Authentication was that little box that popped up asking for your login and password – you won’t get that anymore. You’ll now get a standard cPanel login page, and will have to have cookies turned on in order to accept the cookie-based login. This cookie will be matched to your IP as well for further security. (If you have saved your cPanel logins in your browser but don’t remember what they are to be able to utilize the new login mechanism, you’ll need to submit a support ticket from your secured email account to have the login reset.)
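The token check described above, sketched as an added example (it is not cPanel's code and not from the original post). It assumes the token is `cpsess` plus 10 digits carried as the first URL path segment, an in-memory session table, and hypothetical names (`SessionStore`, `/passwd/change`); the client addresses are constructed documentation addresses.

```python
import hmac
import re
import secrets

# Assumed token shape: "cpsess" followed by 10 digits, as the first path segment.
TOKEN_PATH = re.compile(r"^/(cpsess[0-9]{10})(/.*)$")


class SessionStore:
    def __init__(self):
        self._sessions = {}   # cookie value -> (URL token, IP address at login)

    def login(self, client_ip):
        """Called after the password check succeeds; returns (cookie, url_token)."""
        cookie = secrets.token_urlsafe(32)
        token = "cpsess" + "".join(secrets.choice("0123456789") for _ in range(10))
        self._sessions[cookie] = (token, client_ip)
        return cookie, token

    def check(self, path, cookie, client_ip):
        """Return (True, inner_path) or (False, reason) for one incoming request."""
        session = self._sessions.get(cookie) if cookie else None
        if session is None:
            return False, "no valid session cookie"
        token, bound_ip = session
        if client_ip != bound_ip:
            return False, "cookie used from a different IP"
        match = TOKEN_PATH.match(path)
        if match is None:
            # A bookmarked URL, or a link planted on another site, lands here:
            # the browser attaches the cookie by itself, but not the token.
            return False, "no session token in URL"
        if not hmac.compare_digest(match.group(1), token):
            return False, "wrong session token"
        return True, match.group(2)


def demo():
    store = SessionStore()
    ip = "198.51.100.7"                       # constructed client address
    cookie, token = store.login(ip)
    action = "/passwd/change"                 # hypothetical state-changing page
    wrong = token[:-1] + ("1" if token[-1] == "0" else "0")
    return {
        "normal click": store.check(f"/{token}{action}", cookie, ip),
        "bookmark or cross-site link": store.check(action, cookie, ip),
        "wrong token": store.check(f"/{wrong}{action}", cookie, ip),
        "cookie from another IP": store.check(f"/{token}{action}", cookie, "203.0.113.50"),
        "no cookie": store.check(f"/{token}{action}", None, ip),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Only the first case is accepted; each of the others is turned away with the reason shown, which is why old bookmarks now lead to the re-authentication notice.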
For the highest security we can achieve with the new settings, encrypted login is now forced, and proxy forwarding (which does not work on SSL) is disabled. This will negatively affect those of you that check or work on cPanel from work but who have employers that block cPanel networking ports. If you have your own firewall, you will need to unblock ports 2083 (CPANEL SSL) and if you are a reseller, you will need to unblock 2087 (WHM SSL). If you check webmail, that’s on 2096 (WEBMAIL SSL). If you do not have those ports unblocked, you will not be able to login from that location.
I use how much disk space?!
cPanel has, at long last, implemented something that hosts have been asking them for, but which probably won’t thrill you all – a much more accurate count of the disk space you are actually using. This may catch a number of you by surprise.
Previously, cPanel could count the disk space you use in the home directory downward (your site, your mail), but despite hosts’ extreme frustration, it could not count your database size or your mailman archives in the disk space you were using, even though this was disk space you used, so in many cases we hosts just gave that away free. In one cPanel update, that has changed on both counts, and now your database space and your mailman space will appear in your disk space usage – in some cases, pushing you well over your allotment for your account level.
We will be rewriting the TOS regarding Mailman lists, and you will be allowed to keep unlimited archives of the lists – however, those archives will be counted in your space, and you will have to closely monitor your space on busy lists as the smaller legacy accounts may fill up quite fast with busy lists. As Mailman archives are essentially one file, this cannot be easily pruned by date – if you want to clean out Mailman archives, we suggest saving your subscriber list, deleting the list, and recreating it.
If you have an Intro account and have a large database that you have been gleefully adding to thinking it was on a magic disk partition that just kept growing and growing, you may be quite surprised to find that your disk space is now several times over what your allotment is, and your account is essentially frozen and unable to function. On this, you may have no choice but to upgrade or move accounts – though many people seem to keep test databases and old databases hanging around, and you may be able to regain space by deleting those dangling databases.
MySQL disk space does not instantly appear in your disk space count, and it does not instantly disappear when you delete databases. Counts are taken and incorporated every 4 hours.
Better FTP Security – It is Coming
We have noticed a pretty dramatic uptick in compromised sites of the type of compromise we wrote about here, where nefarious exploiters walk right into web sites and start uploading garbage. In examining logs and the IP addresses that perform these nasty little tasks, in every case we have seen so far the exploiting computer had the login and password to the site and used those credentials to walk right in. This indicates to us that the likely scenario regarding how they obtained the passwords is from you, or someone you gave the logins to – in each case, when we contacted our clients, they had reported a recent infection on their personal machine.
Previously, we attempted to get infected people’s attention by utilizing the CBL on Apache – if you were exploited, you couldn’t see our servers’ Apache, would contact us, and we could explain that your IP had been caught doing the nasty on the Interwebs. Unfortunately, this method only works if you actually look at your own web site (a surprising number of people do not) and if you know how to secure your computer (which, again, a surprising number of people do not). It did not, as we had hoped, stop the slow rise of exploits being uploaded that we outlined above, so we nixed it.
We have been testing an exploit scanner on Squirtle (the last server that had someone’s site utilized for nasty purposes) that scans all FTP uploads, and quarantines them if they have the earmarks of an exploit. We were finally able to catch exploits as they happened, prevent the file from being unleashed on the Internet, and suspend accounts within minutes of the exploits beginning to arrive. We’ve had no complaints from users that this interfered with their ability to upload to their site and resource usage was minimal compared to what it achieved, so we will be rolling out this exploit scanner on all servers over the next month to help combat these problems.
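A sketch of the kind of post-upload hook described above, added here as an illustration; it is not DrakNet's scanner or its signatures. The two patterns, the function names and the quarantine layout are assumptions, and the sample uploads are constructed with harmless placeholder content.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumed heuristics, not the signatures of the scanner the post describes.
SIGNATURES = {
    "php-eval-decode": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "hidden-iframe": re.compile(
        rb"<iframe[^>]+(?:width|height)\s*=\s*[\"']?[01]\b[^>]*>", re.I),
}
MAX_SCAN_BYTES = 2 * 1024 * 1024  # cap the read so one huge upload cannot stall the hook

def scan_bytes(data):
    """Return the sorted names of every signature found in the content."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(data))

def handle_upload(path, quarantine_dir):
    """Scan one finished upload; on a hit, move it out of the web root."""
    path = Path(path)
    with path.open("rb") as fh:
        hits = scan_bytes(fh.read(MAX_SCAN_BYTES))
    if hits:
        qdir = Path(quarantine_dir)
        qdir.mkdir(parents=True, exist_ok=True)
        dest = qdir / (path.name + ".quarantined")
        shutil.move(str(path), str(dest))
        dest.chmod(0o600)  # owner read/write only once quarantined
    return hits

def demo():
    """Run the hook over constructed sample uploads in a temporary directory."""
    samples = {  # constructed inputs; the payloads are inert placeholders
        "index.php": b'<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>',
        "about.html": b'<p>hi</p><iframe src="http://example.invalid/" width=1 height=1></iframe>',
        "video.html": b'<iframe src="http://example.invalid/v" width="560" height="315"></iframe>',
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root, qdir = Path(tmp, "public_html"), Path(tmp, "quarantine")
        root.mkdir()
        for name, body in samples.items():
            (root / name).write_bytes(body)
            hits = handle_upload(root / name, qdir)
            results[name] = (hits, (root / name).exists())  # (matches, still in web root?)
    return results

if __name__ == "__main__":
    print(demo())
```

The ordinary embedded-video iframe is left in place while the two flagged files are moved, which is the property that keeps a scanner like this from interfering with normal uploads.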
Posted in DrakNet News | View Comments
Tuesday, November 3rd, 2009
DrakNet is giving away a $100 Gift Certificate on Twitter! Why?
Well, because it’s fun, and we’re experimenting with the contest software to see how it runs. The first thing we found out is that what we initially said about tweeting the #hashtag, which is supposed to work, didn’t actually work the way it should, so we wanted to go ahead and make a post about it.
The best way to enter is to visit the home page of the contest, which is
http://twtaway.com/jolurr
and click the “Enter Contest” button on the right. Once you do, the software will enter you in the contest, and will also tweet:
“I’m in this Twitter Contest! $100 New Egg Spree From @draknet! http://twtaway.com/jolurr #eggheaddraknet #twtaway”
to your followers. You can make sure that the software picked you up by visiting the contest page again, checking “Who is in?” and making sure that your Twitter name appears on the list of folks that have entered. At the end of the contest one winner will be randomly chosen, and we will DM whoever won with a code to email in to billing@drak.net (so make sure you’re following us) so we can get your information and send you your gift certificate by email.
Please note that you need to enter that way, or Tweet the link itself to the contest to be entered – the #hashtag alone, as we first thought, doesn’t appear to get picked up.
Good luck!
Saturday, October 24th, 2009
We’ve made some changes to the blog, and switched the commenting system to “disqus” – http://www.disqus.com – primarily so people can sign in a bit easier. The new commenting system allows you to sign in to comment with Facebook Connect, Twitter, OpenID, and Yahoo!, making it easier for you to talk back. You can also tweet a blog post if you feel the need using the retweet button at the start of the post.
As we just installed it and no one’s really commented yet, feel free to test it out on this blog post and let us know if anything isn’t working quite the way it should.
We also began having some fun with Twitter and Facebook, running a few tiny contests for credits that people seemed to enjoy – with the economy the way it is, we figured the thing people would most like rather than t-shirts or discounts on new stuff is money off their current bill. Because of how popular it was, we’re going to start doing that much more frequently. Maybe even daily. Maybe.
So, here are the rules of any “Credit Contest” we run – i.e., if we’re giving away account credits, these rules apply:
1) You can only win a contest once per month. By you, we mean YOU – if you have 4 billing accounts, you don’t get to win 4 times to cover each of them.
2) You can, however, win *every* month, so if you’re a social media maven and constantly attached to your Facebook or Twitter, you have a good chance (if you only have one Jaz account and one billing account) of potentially never paying us another dime again.
3) If Twitter or Facebook is hosed up, we can’t be responsible for that – if you miss your chance because either of the services suddenly chokes, that’s just the way it is. Sorry.
Generally, they’ll be run in one of two ways. Either we’ll have a very narrow window of time in which anyone can respond and everyone who responds in that window will get the credit, or we’ll ask a question and the first person that responds with the right answer, or whatever it is we’re asking you to do, will be the individual winner.
If you want to participate, our Twitter is here:
http://twitter.com/draknet
and our Facebook Page is here:
http://www.facebook.com/draknet
Good Luck!