“Hello, I’m calling from Microsoft…”

The “computer doctors” have been making their rounds in New Zealand. Consumer Affairs say about 17% of New Zealanders have been targeted by them. They called us, from Djibouti, from what seemed like a crowded call center. They knew our details, just like they’re listed in the phone book. I think they purposely tried to be hard to understand, using the assumption that overseas victims would think it would be rude to ask for clarification a number of times. The address they gave was actually a Borders bookshop in Auckland. Eventually they hung up after repeated questioning.

[Image: Computer doctor]

The story

Their story seems semi-plausible, but is fake: they’re calling from Microsoft or a computer repair shop and have noticed some strange activity from your computer. They tell you to open a legitimate folder or the Windows Event Viewer and say that if there are a lot of files or entries there (which there will be), it’s very bad and means your computer is infected. But fear not! It can all be solved for a reasonable price, plus they’ll continue to support your computer. Just give them your credit card number to be charged a recurring fee and they’ll remotely fix your computer for you…

Don’t trust cold callers

NetSafe recommends asking for their company name and phone number and Googling them to see if they’re who they say they are. I haven’t heard of any legitimate tech support companies cold calling for customers, and I don’t imagine it would be hard to create a professional-looking website and redirect a New Zealand phone number if someone overseas was truly determined. So I’d say don’t trust cold callers with remote access to your computer or your credit card information at all, even if they seem legitimate.

Legitimate help

If you need help with your computer there are people on online forums like Geeks To Go that will help you for free, or ask friends and family for a recommendation of a quality company you can visit in person.

The NetSafe post has some good links. NetBasics is an animated video series by NetSafe on staying safe online. The real Microsoft has an article on speeding up your Windows computer, another line the callers use. And the Event Viewer might seem confusing, but Microsoft provides a tool to look up what the entries mean.

Symantec’s experience

Symantec investigated a similar scam being run overseas, recorded the conversation and recorded what happened to the computer. The agent “Brian” gets Orla (who’s from Symantec and is pretending to be a novice computer user) to open the Event Viewer and tells her that she has a serious infection. But it’s alright, they can fix it!

A remote connection to the computer is set up using legitimate third-party software, and it looks like their technician is doing something important by running check disk, disk cleanup and deleting some temporary files. Brian informs Orla that she has a lot of malicious files on her computer and gets her to sign up for a one year support contract to solve her issues. After receiving her credit card details insecurely via email, as well as her name, address, phone number, email address, email password and a faxed copy of her driver’s licence, the bad infection was “removed” by deleting the innocent items from the Event Viewer and turning off event logging. Of course, with unrestricted access to a computer, the people behind these operations have the ability to install the malicious software they claim to be removing. The video is below. At the end the business is confronted about their misleading practices.

If you get called by these people, submit a report to NetSafe’s The Orb. Maybe you want to have some fun with them first. A Fair Go viewer said they apparently get very annoyed when, after they’ve spent half an hour pitching you, you tell them you have a Mac instead of a PC.

Have you been called by these people?

Image credit: Tabitha Kaylee Hawk

Changing a Comment’s Parent Comment In WordPress

[Image: WordPress comment mess]

Sometimes someone will accidentally reply to a comment on a WordPress post instead of starting their own comment thread. This creates a set of replies that aren’t actually relevant to the original comment. The result is hard to follow and ugly: the replies that are relevant to the original comment get buried by the extra conversation. There’s no way to fix this through the WordPress admin interface, but you can with phpMyAdmin. You can use the same method to change which comment a comment is replying to.


  • Back up your database first.
  • Open up phpMyAdmin through cPanel.
    [Image: phpMyAdmin cPanel]
  • Click on the database WordPress uses.
    [Image: phpMyAdmin Select Database]
  • Click on search.
    [Image: phpMyAdmin Search]
  • In the comments table, search for the comment that shouldn’t be a reply (the one you want to outdent) using something semi-unique to it, e.g. the commenter’s IP address.
    [Image: phpMyAdmin Search Database]
  • Click browse.
    [Image: phpMyAdmin Search Results]
  • Click the pencil icon beside the comment.
    [Image: phpMyAdmin Edit Entry]
  • Change the comment_parent value to 0.
    [Image: phpMyAdmin comment_parent]
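The same fix expressed as a script, added here as an example and not code from the original post. It builds a throwaway SQLite copy of the wp_comments columns that matter (the column names are WordPress’s real ones; the sample rows and IP addresses are constructed) so the steps run offline, and adds the checks you’d want before running the UPDATE on a live database: the comment exists, a new parent is on the same post, and the change can’t create a reply cycle. It also shows that a comment’s own replies move with it when you outdent it, because they still point at its comment_ID.

```python
"""Outdent or re-parent a WordPress comment by editing wp_comments directly.

Added example (not code from the original post). Column names match
WordPress's wp_comments schema; the sample rows are constructed.
"""
import sqlite3

SAMPLE_COMMENTS = [
    # (comment_ID, comment_post_ID, comment_parent, comment_author_IP, comment_content)
    (1, 10, 0, "203.0.113.5",  "Great post, thanks."),
    (2, 10, 1, "198.51.100.9", "Agreed, especially the second point."),
    (3, 10, 1, "192.0.2.77",   "Unrelated question: does this work on Windows?"),  # wrongly a reply to 1
    (4, 10, 3, "203.0.113.5",  "Yes, it does."),                                   # a reply to the misplaced comment
    (5, 11, 0, "192.0.2.77",   "Comment on a different post."),
]

def open_db():
    """Stand-in for the live wp_comments table: same columns, constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE wp_comments (
        comment_ID INTEGER PRIMARY KEY,
        comment_post_ID INTEGER NOT NULL,
        comment_parent INTEGER NOT NULL DEFAULT 0,
        comment_author_IP TEXT,
        comment_content TEXT)""")
    conn.executemany("INSERT INTO wp_comments VALUES (?,?,?,?,?)", SAMPLE_COMMENTS)
    return conn

def find_by_ip(conn, ip):
    """The 'search for something semi-unique' step: comment IDs posted from this IP."""
    rows = conn.execute(
        "SELECT comment_ID FROM wp_comments WHERE comment_author_IP = ? ORDER BY comment_ID", (ip,))
    return [r[0] for r in rows]

def descendants(conn, comment_id):
    """IDs of every reply nested under comment_id; replies travel with their parent."""
    found, frontier = set(), [comment_id]
    while frontier:
        cur = frontier.pop()
        for (cid,) in conn.execute("SELECT comment_ID FROM wp_comments WHERE comment_parent = ?", (cur,)):
            if cid not in found:
                found.add(cid)
                frontier.append(cid)
    return found

def reparent_comment(conn, comment_id, new_parent=0):
    """Set comment_parent; 0 outdents the comment to top level.
    Refuses changes that would cross posts or create a reply cycle."""
    row = conn.execute("SELECT comment_post_ID FROM wp_comments WHERE comment_ID = ?", (comment_id,)).fetchone()
    if row is None:
        raise ValueError(f"comment {comment_id} does not exist")
    if new_parent != 0:
        if new_parent == comment_id or new_parent in descendants(conn, comment_id):
            raise ValueError("new parent would create a reply cycle")
        parent = conn.execute("SELECT comment_post_ID FROM wp_comments WHERE comment_ID = ?", (new_parent,)).fetchone()
        if parent is None:
            raise ValueError(f"parent comment {new_parent} does not exist")
        if parent[0] != row[0]:
            raise ValueError("parent comment belongs to a different post")
    with conn:  # commits on success, rolls back on error
        conn.execute("UPDATE wp_comments SET comment_parent = ? WHERE comment_ID = ?", (new_parent, comment_id))
    return conn.execute("SELECT comment_parent FROM wp_comments WHERE comment_ID = ?", (comment_id,)).fetchone()[0]

def thread_for(conn, post_id):
    """Top-level comment IDs for a post, in order: each one renders as its own thread."""
    return [r[0] for r in conn.execute(
        "SELECT comment_ID FROM wp_comments WHERE comment_post_ID = ? AND comment_parent = 0 ORDER BY comment_ID",
        (post_id,))]

if __name__ == "__main__":
    db = open_db()
    target = find_by_ip(db, "192.0.2.77")[0]           # comment 3, the misplaced reply
    print("before:", thread_for(db, 10))                # [1]
    reparent_comment(db, target, 0)                     # outdent it
    print("after:", thread_for(db, 10))                 # [1, 3]
    print("replies that moved with it:", descendants(db, target))  # {4}
```

Against a real site, the UPDATE statement inside reparent_comment is the only line that touches data; run it in phpMyAdmin’s SQL tab after the backup step, and note that descendants also tells you how many nested replies will move along with the outdented comment.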

Judging a Book By Its Cover

A book on the deaths of the Kahui Twins, written by Ian Wishart in conjunction with Macsyna King, is going to be released soon. A bookshop advisory on new titles was leaked to TVNZ and publicity around the book started earlier than intended, unfortunately directly coinciding with the inquest into the death of the twins.

A Facebook group is calling for the boycott of the book, and apparently the boycott of shops that choose to sell the book, and a couple of bookstores listened. From reading some of the comments on the page, it is clear that some commenters are misinformed. Paper Plus and The Warehouse have both said that their stores won’t be stocking the book. Whitcoulls is still considering whether it will or not. Paper Plus chief executive Rob Smith said: “The health and wellbeing of children is always front of our mind when we are faced with decisions which might impact the stores and the communities in which they operate”. It’s not clear to me how stocking a book that is not intended for children, and which doesn’t encourage child abuse, would impact the health and wellbeing of children. There actually isn’t a clear reason why the book is harmful at all, nor is there a clear reason why it shouldn’t be stocked, apart from “we don’t like it/Macsyna”. As Steven Price says, no one has actually read the book, so how can they make an informed decision that they don’t like it?

[Image: Censorship causes blindness]

Macsyna King cooperated with the police and was a prosecution witness; she hasn’t just decided to speak now. She isn’t profiting from the book either, Ian says: “Apart from sharing a Domino’s pizza during lunch, Macsyna has never received anything nor will she.” Ian will earn money for the book, but points out that researching and publishing a book takes time and money and that media organizations get paid for their reporting too (apologies if there’s a country block on the video): “When I worked for TVNZ, I earned a six figure salary to do investigations into cases like this one. I had the luxury of expenses being covered, helicopters at my beck and call, and lots of lovely advertising to pay for all this.”

Books like Mein Kampf by Adolf Hitler (Amazon, Book Depository) are stocked not because the sellers agree with the content, or approve of the author, but because as a society we value all viewpoints, even though we don’t necessarily agree with them.

Booksellers New Zealand, which represents Paper Plus and many others, says such a move is rare, and dangerous.

“It would be an attack on democracy if we started banning books that some people didn’t like,” said Booksellers. “It’s a matter of personal choice and it’s something we cherish in our democracy”.

Perhaps ironically, criticism was directed towards family members who didn’t want to speak out at the time of the death of the twins. Now someone is speaking out and people don’t want to listen to her. It’s great that companies are taking feedback into consideration, but maybe this is a case of the loud minority being listened to. Boycotting a book by deciding not to buy it yourself is fine, but those people shouldn’t make a decision on behalf of everyone else. Macsyna King wants to shed some light on how her lifestyle was molded; maybe we should be listening.

Do you think the book should be stocked? Will you read it?

Image credit: Tracey R

Let’s Try To Be Nice To Everyone, Not Just The Cleaners

Chris Guillebeau, author of The Art of Non-Conformity (Amazon, Book Depository), published a post last week worth reading titled Be Nice to the Cleaners. While interviewing entrepreneurs for his next book, someone gave the advice “be sure you are nice to the cleaners”.

[Image: Soap]

Perhaps they meant that you shouldn’t give people who have access to sensitive information a reason to abuse it, but digging deeper, maybe the message is: treat everyone with respect no matter their position, your mood or how they treat you.

Chris says “you can learn a lot about someone by watching how they treat the people in supportive roles around them”, which reminded me of this. One of the Kardashians’ boyfriends gets a new assistant and ends up berating him in front of the crew for a photo shoot. Apart from generally just being a dicky thing to do, it’s unlikely to impress anyone he planned to continue a professional relationship with. The assistant quits and calls him an “egotistical pompous asshole”.

A handful of recruiters commented on the post saying that they often check with reception and admin staff and base hiring decisions on the candidate’s treatment of them. In one case the boss was actually sitting behind the reception desk. The guy got the job because he was the only one who actually treated the “receptionist” well.

This is another reason to take better care of ourselves.

When you’re at your worst, tired, stressed and worn out… that’s when people find out who you really are, that’s what people will judge you on. That’s when you have a chance to really show who you are. Do you take it out on someone else? Or do you dig deeper and show compassion anyway?

I tweeted yesterday about an email I sent to multiple recipients, a few of whom took offence at the wording, which wasn’t intended. Flipping the above quote around, I can’t change how I worded the email, or change how it was interpreted, but I can choose how to reply to their reaction.

The Do Not Call List could be a good idea if calls from telemarketers are annoying.

Let’s try to be nice to everyone, not just the cleaners.

Image credit: B.G. – Oodwin

A Bad Diagram

Anyone who has driven on New Zealand’s roads knows that there’s a lot of drivers who don’t seem to know the rules surrounding indicators in roundabouts.

[Image: Know your way around roundabouts]

This is from a NZTA brochure called Know your way around roundabouts from 2005. Well-intentioned as it is in trying to simplify the roundabout rules, the diagram seems to suggest that in the middle of the roundabout, when going around the roundabout, drivers can just stop indicating. If someone actually followed this advice, a car waiting at the opposite side of the intersection might think that this car was going straight (which is when you don’t indicate on entry and indicate left on exit) and pull out in front of it. When turning “right”, like in the picture, the driver should really be indicating right until the point where the picture shows to indicate left.

Drivers who don’t know the actual rules probably think they’re doing it right. It wouldn’t hurt to look at the clarity of material released by NZTA.

The Life of a Spam Email

[Image: Cans of spam]

A group of researchers have published a very interesting paper: Click Trajectories: End-to-End Analysis of the Spam Value Chain (pdf). Using three months of spam data and by purchasing over 100 products advertised by spam emails, the researchers followed the life of a spam email and investigated where the money from purchases actually goes. They found that the people behind 95% of spam-advertised pharmaceutical, replica and software products are using just a handful of banks for their merchant services. Anti-spam efforts focus on the delivery aspect of spam, but there is potential for the quantity of spam to be significantly reduced if the banks the spammers are using are targeted.

Purchasing from spam emails

The researchers collected spam-advertised URLs and data about the hosting infrastructure and DNS of the spammed websites. They grouped the sites by content structure, category of goods and affiliate program and/or storefront brand. They focused on the most popular goods advertised in spam: pharmaceuticals, replicas and software. Pornography and gambling were left out for “institutional and procedural reasons”.

Purchases were made from each major affiliate program or store “brand”, and they tried to order the same types of products from each site to gain insights into the differences or similarities in the product suppliers used. A specialty issuer of prepaid Visa cards teamed up with them and let them use a different card for each transaction and obtain the authorization and settlement records for it. For legal reasons pharmaceutical purchases were limited to non-prescription goods like herbal and over-the-counter products. Software purchases were limited to products which the researchers already possessed a license for.

Of the 120 purchases made, 76 were authorized and 56 were actually settled, though half of the failed orders came from one affiliate program, which the researchers attribute to the large order volume raising fraud concerns.

The honest spammers

A finding I found interesting from the paper is that the likelihood is quite high that you’re not going to be ripped off when ordering through spam emails.

Out of the 56 “successful” orders, 49 of the products were delivered and received. Only seven of the products weren’t delivered. Out of those seven: four sites either sent packages or said they’d send packages after the mailbox lease had ended, one said that the money had been refunded (however the refund hadn’t been processed three months later). Only two “lost” orders received no follow-up email.

The researchers’ explanation for why the sites actually fulfil orders is that it secures any potential repeat orders, and that the sites’ relationship with payment providers could be jeopardized by chargebacks from customers who didn’t receive their items.

Update: One of the researchers, Stefan Savage, confirmed to me that none of the Visa cards used on the spammed sites were subsequently used fraudulently. It also looks like the pharmaceutical products were legitimate. He says “we only ordered a small subset of goods so any results aren’t representative. However, we did some limited mass spec testing of a few pills against reference samples and the active ingredient was found to be the same and in a similar proportion — note we only tested for the active ingredient and didn’t look at things like binders, contaminants, etc.” Software was pirated, but malware-free.

Research done by F-Secure supports this: almost all of their goods ordered from spam emails were delivered, none of the credit cards they used for orders were “stolen” and email addresses used to order the goods didn’t receive an increase in spam.

New Zealand’s fulfillment role

By volume, most herbal products shipped from the United States, but China and New Zealand were also in the mix.

[Image: Spam Shippers]

A Christchurch-based company, Etech Media Ltd, turned up in the results. Ironically, the email address listed in their whois record is this one:

[Image: Etech Email]

Perhaps unsurprisingly, the company in question and its owner aren’t new to the spam game. Sole shareholder and director Shane Atkinson was fined $100,000 in 2009 for sending spam under the name ‘Herbal King’. His occupation listed in the 2005 electoral roll was “pro spammer”. The Herald “understands” that Etech Media’s office was one of the addresses searched in spam raids in 2007. In 2003, Shane admitted to sending up to 100 million spam messages a day, said that spamming allowed him to have a nice car and house, and said he “had no qualms about it”. “In a later interview, Atkinson said he had given up spamming.”

Perhaps not entirely?

I’ve emailed Etech Media to see if they’d like to comment.

The spam bottleneck

The researchers tried to identify bottlenecks in the spam value chain—stages where few alternative options are available and ideally where switching costs for spammers are high. Which intervention would have the most impact?

For the 76 authorized transactions, there were only 13 banks acting as “acquirers”. Herbal and replica purchases generally cleared through St. Kitts & Nevis Anguilla National Bank. Most pharmaceutical purchases cleared through Azerigazbank in Azerbaijan and DnB Nord (Pirma) in Latvia, and most software purchases through Latvia Savings in Latvia and B&N in Russia.

[Image: Spam Banks]

The researchers say that the banking/payment component of the spam value chain is the most critical. Payment infrastructure has “far fewer alternatives and far higher switching cost”.

  • Only three banks provided payment services for over 95% of the spam-advertised goods in the study:

    [Image: Spam Bank Stats]

  • There are only two main payment networks in Western countries—Visa and MasterCard.
  • The replacement cost of a bank is high in setup fees, time and overhead. Acquiring a merchant account requires a lot of coordination and time. Banks used by the major affiliate programs were either still the same four months later or had changed to another one in the set identified above (only one new bank appeared four months later—Bank Standard in Azerbaijan).

Perhaps a solution is for card-issuing banks in Western countries to refuse to settle card-not-present transactions with the acquiring banks that support spammed goods, for specific Merchant Category Codes. All software purchases were coded as Computer Software Stores and 85% of all pharmacy purchases were coded as Drug Stores and Pharmacies. There were some exceptions, however “generally speaking, category coding is correct”. “A key reason for this may be the substantial fines imposed by Visa on acquirers when miscoded merchant accounts are discovered ‘laundering’ high-risk goods.” A similar policy has been implemented with MasterCard and Visa not allowing US-based customers to transact with online casinos.

The paper concludes: “the payment tier is by far the most concentrated and valuable asset in the spam ecosystem, and one for which there may be a truly effective intervention through public policy action in Western countries.” However spam is probably profitable for banks and payment processors too, so they might be hesitant to do anything about it.
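To make the proposed issuer-side intervention concrete, here is an added example (not the paper’s or the post’s code) that measures acquirer concentration over a set of authorizations and then applies the rule: refuse card-not-present settlement with a flagged acquirer in a high-risk merchant category. The transaction records are constructed; the acquirer names are the ones listed above. The MCC numbers (5912 Drug Stores and Pharmacies, 5734 Computer Software Stores) are the standard card-network codes as I recall them and should be checked against the network’s published list. The sample deliberately includes the two cases the text flags as gaps, a miscoded merchant and a card-present transaction, so you can see what such a rule does and does not catch.

```python
"""Issuer-side settlement rule modelled on the intervention the post discusses.

Added example, not code from the paper or the post. Authorization records
are constructed; acquirer names come from the post. MCC numbers are the
standard codes as this example's author recalls them; verify before use.
"""
from collections import Counter

MCC_DRUG_STORES = "5912"       # Drug Stores and Pharmacies (as recalled; verify)
MCC_SOFTWARE_STORES = "5734"   # Computer Software Stores (as recalled; verify)
MCC_GENERAL_RETAIL = "5999"    # Miscellaneous retail; stands in for a miscoded merchant here

# Constructed authorizations: (acquiring bank, MCC, card_present, goods category)
SAMPLE_AUTHS = [
    ("St. Kitts & Nevis Anguilla National Bank", MCC_DRUG_STORES, False, "herbal"),
    ("St. Kitts & Nevis Anguilla National Bank", MCC_GENERAL_RETAIL, False, "replica"),  # miscoded
    ("Azerigazbank", MCC_DRUG_STORES, False, "pharma"),
    ("Azerigazbank", MCC_DRUG_STORES, False, "pharma"),
    ("DnB Nord", MCC_DRUG_STORES, False, "pharma"),
    ("DnB Nord", MCC_DRUG_STORES, False, "pharma"),
    ("Latvia Savings", MCC_SOFTWARE_STORES, False, "software"),
    ("B&N", MCC_SOFTWARE_STORES, False, "software"),
    ("Azerigazbank", MCC_GENERAL_RETAIL, False, "pharma"),        # miscoded: slips past an MCC rule
    ("Azerigazbank", MCC_DRUG_STORES, True, "pharma"),            # card present: outside the rule's scope
    ("Example Community Bank", MCC_DRUG_STORES, False, "legit"),  # ordinary pharmacy, uninvolved acquirer
]

FLAGGED_ACQUIRERS = {
    "St. Kitts & Nevis Anguilla National Bank", "Azerigazbank", "DnB Nord", "Latvia Savings", "B&N",
}
HIGH_RISK_MCCS = {MCC_DRUG_STORES, MCC_SOFTWARE_STORES}

def acquirer_share(auths, top_n):
    """Fraction of authorizations handled by the top_n acquirers, and which banks those are.
    This is the concentration measurement behind the '3 banks, 95%' finding."""
    counts = Counter(bank for bank, *_ in auths)
    top = counts.most_common(top_n)
    return sum(n for _, n in top) / len(auths), [bank for bank, _ in top]

def would_refuse(auth, flagged_acquirers, high_risk_mccs):
    """The proposed issuer rule: refuse card-not-present settlement with a flagged
    acquirer when the merchant is coded in a high-risk category."""
    bank, mcc, card_present, _ = auth
    return (not card_present) and bank in flagged_acquirers and mcc in high_risk_mccs

def simulate_policy(auths, flagged_acquirers, high_risk_mccs):
    """Split authorizations into (refused, passed) so the gaps in coverage are visible."""
    refused = [a for a in auths if would_refuse(a, flagged_acquirers, high_risk_mccs)]
    passed = [a for a in auths if not would_refuse(a, flagged_acquirers, high_risk_mccs)]
    return refused, passed

if __name__ == "__main__":
    share, top = acquirer_share(SAMPLE_AUTHS, 3)
    print(f"top 3 acquirers handle {share:.0%} of authorizations: {top}")
    refused, passed = simulate_policy(SAMPLE_AUTHS, FLAGGED_ACQUIRERS, HIGH_RISK_MCCS)
    print(len(refused), "refused; passed through:", [a[3] for a in passed])
```

Running it shows the rule refusing the spam-advertised purchases that are correctly coded, while the miscoded replica and pharmacy transactions, the card-present one, and the uninvolved bank’s legitimate pharmacy sale all pass. That is the trade-off the text describes: the rule’s reach depends on acquirers keeping category codes honest, which is why the Visa fines for miscoding matter to it.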

How much spam do you receive at the moment and how much makes it to your inbox? Do you know anyone who has bought something through a spam email?

Image credit: freezelight

Freedom Camping Bill

[Image: Camping, tent with mountains]

The Freedom Camping Bill passed its first reading earlier this month and is now at the select committee stage.

It sets out to fine people who camp outside specific areas or incorrectly dispose of waste and will try to improve information available to freedom campers with consistent signage and a website.

Obviously people who are incorrectly disposing of waste should be able to be fined. However banning freedom camping ruins a good thing because of a small minority. Green Party MP Kevin Hague says there’s little evidence about the size of the problem and he suspects it’s relatively small.

If people dispose of waste correctly, are they causing that much harm by camping outside of camp grounds?

Kevin Hague said the smart approach was to create more places with toilets and rubbish facilities. “While there are some ratbags who don’t care, for the most part these people who rent these campervans would look after our environment if they could.”

Do you think freedom camping is a big issue? If someone leaves only footprints are they doing anything wrong?

Image credit: me

Whoops

[Image: Labour leak index]

Labour accidentally left a server open for anyone to have a look around, and people looked. Using a website that checks what other sites are hosted on a specific web server, Cameron Slater (Whale Oil) says he found that Labour’s healthyhomeshealthykiwis.org.nz was hosted on the same server as lets-not.co.nz. Healthyhomeshealthykiwis.org.nz turned out to serve a directory listing of the files and directories on the server. Drilling down, Cameron found backups on the server which contained records of donations and email addresses from Labour’s mailing lists. He explains further in a video on this post.

Stealing?

Comparisons to someone stealing something from an unlocked house (or, in one comment I read, looting quake-damaged houses in Christchurch) seem misguided. This is more like someone from Labour standing on the street and accidentally including email addresses and donation information in handouts.

Release of personal information

Cameron was going to, but has now said he won’t, release the personal information of individuals obtained from the server, a decision which I support as there is no public interest in identifying the average donor or mailing list subscriber.

[Image: Labour leak site index]

National’s involvement

John Pagani (former senior adviser to Labour leader Phil Goff) was apparently given access to the logs (I’m not sure why it seemed like a good idea to Labour to spread the access logs, complete with IP addresses, even further) and says that the second IP address to access one of the backup files was 202.20.0.120, which resolves to mail.national.org.nz, a National party mail server. So if that’s true, National knew of the security hole in Labour’s website. In a perfect world they would have informed Labour, even though it’s not their job to, but apparently they chose not to. John continues that the logs prove National tipped Cameron off about the gaping security hole, as Cameron appears to be the next person to access this specific backup file. That’s plausible, but the logs don’t prove it. Neither of the above excuses the fact that the server should have been secure to begin with.
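The log triage described above, who fetched the backup file and in what order, is the first thing the site’s own operator should do after an exposure like this, before anyone else narrates it for them. Here is an added example (not part of the original post) that parses constructed Apache combined-format log lines with documentation-range IP addresses, picks out successful requests for paths that should never be reachable on a public web server, and orders the distinct clients by their first access. The reverse-DNS table is a constructed stand-in for a real lookup so the script runs offline; a PTR record is set by whoever controls the IP block, so the hostname is a lead, not proof of who was at the keyboard.

```python
"""Triage an exposed-server access log: who fetched the backup files, and in what order.

Added example (not part of the original post). Log lines, paths, IPs and
the reverse-DNS table are all constructed so the script runs offline.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths that should never be reachable on a public web server: dumps, archives, backup dirs.
SENSITIVE_RE = re.compile(r"\.(sql|sql\.gz|zip|tar\.gz|bak)$|/backups?/", re.IGNORECASE)

# Constructed sample log (Apache combined format, documentation-range IPs, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jun/2011:09:12:01 +1200] "GET / HTTP/1.1" 200 1832
192.0.2.10 - - [17/Jun/2011:09:12:09 +1200] "GET /backup/ HTTP/1.1" 200 2210
192.0.2.10 - - [17/Jun/2011:09:12:30 +1200] "GET /backup/site-2011-06.sql.gz HTTP/1.1" 200 5120000
198.51.100.7 - - [17/Jun/2011:10:40:12 +1200] "GET /backup/site-2011-06.sql.gz HTTP/1.1" 200 5120000
203.0.113.44 - - [17/Jun/2011:13:05:55 +1200] "GET /backup/site-2011-06.sql.gz HTTP/1.1" 200 5120000
203.0.113.44 - - [17/Jun/2011:13:06:10 +1200] "GET /images/logo.png HTTP/1.1" 200 4100
198.51.100.7 - - [17/Jun/2011:13:20:00 +1200] "GET /backup/site-2011-06.sql.gz HTTP/1.1" 200 5120000
this line is garbage and should be skipped
"""

# Constructed reverse-DNS answers. PTR records are controlled by the IP block's owner,
# so a hostname here is a lead to follow up, not proof of who made the request.
RDNS = {"198.51.100.7": "mail.example-party.org.nz"}

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
        rec["status"] = int(rec["status"])
        yield rec

def sensitive_accesses(records):
    """Successful (2xx) requests for sensitive paths, in log order."""
    return [r for r in records if 200 <= r["status"] < 300 and SENSITIVE_RE.search(r["path"])]

def first_access_order(records, path):
    """Distinct clients that fetched `path`, ordered by their first request,
    annotated with a reverse-DNS name where one is known."""
    seen = {}
    for r in records:
        if r["path"] == path and r["ip"] not in seen:
            seen[r["ip"]] = r["time"]
    ordered = sorted(seen.items(), key=lambda kv: kv[1])
    return [(ip, t.isoformat(), RDNS.get(ip)) for ip, t in ordered]

if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    print(len(sensitive_accesses(recs)), "successful requests for sensitive paths")
    for ip, when, host in first_access_order(recs, "/backup/site-2011-06.sql.gz"):
        print(when, ip, host or "(no PTR)")
```

The output lists the first client as the one that browsed the directory listing and then pulled the dump, and the second as the address with a PTR record; that ordering is exactly what the argument above rests on, and exactly as far as the log can take you. Who read the file after downloading it, and whether they told anyone, is not in the log.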

Credit card information

Labour says that “no credit card details were held on the site. All people whose privacy may have been compromised have been informed.”

Flo2Cash who handle Labour’s credit card payments say: “All donor credit card data is fully encrypted… the Flo2Cash system… is completely isolated from the Labour Party website… the recent Labour Party website breach has not resulted in any compromise of donor credit card data.”

Do you think National should have let Labour know about the security hole? And if they did tip Whale Oil off about it, should they have?

New Zealand Post’s Lifestyle Survey

[Image: New Zealand PostShop Devonport]

Today in the post we received New Zealand Post’s “lifestyle survey”, a controversial data-collecting tool that’s recently been in the news because the information collected is used to market your address to other companies. The survey is sent to 800,000 households by post and 125,000 by email and asks 56 questions about various things, split into sections on your interests, vehicles, home, finances, shopping habits and travel. New Zealand Post sells names and addresses of respondents, “but not the information they provided in the survey”, for companies to use once. The information is also used to furnish New Zealand Post’s direct marketing tool named Genius, which says it helps clients “gain deeper insights and understanding into your customers, particularly around wealth, life stage and lifestyle”.

2009 version

Reports ordered by the Privacy Commissioner concluded that the 2009 version breached privacy principles and violated marketing industry standards for not providing “adequate, non-misleading information about the survey’s (primary) nature and/or purpose” and for asking respondents to answer questions about their partners. Professor Malcolm Wright, head of communications, journalism and marketing at Massey University, says that it shouldn’t be called a survey but “an opportunity to join a direct mail database”. Former Auckland University marketing lecturer Linda Hollebeek says that a lot of people won’t be aware that New Zealand Post is shifting into a more commercial strategic direction, including the compiling of databases for on-selling to marketers.

Wave around a chocolate bar (or $15k) to get what you want

Privacy Commissioner, Marie Shroff argues that people are often dazzled by competitions and giveaways and might foolishly give away personal information. I think this has been shown to be true by numerous research projects where people are happy to hand over their passwords for a chocolate bar, pen or for the chance to win a trip overseas. Close Up in conjunction with NetSafe offered a Moro bar up for grabs for anyone on Auckland’s Queen Street who was willing to answer a short survey, of which the first question was “what is your password?”. 59% of people gave their password (about half of people use the same password everywhere) and those conducting the survey said that the answers to other questions suggested the majority of passwords were legitimate. You can watch the full video here (apologies if it’s blocked in your country). The shorts for tonight’s episode of Fair Go (22nd June 2011) shows a man on the street asking people personal questions, which I’m guessing most people answered. If you’re interested in the New Zealand Post survey it will probably be interesting to watch.

New Zealand Post thinks they’re being clear

John Tulloch, New Zealand Post’s communication manager said the survey states numerous times that it’s optional and the information “could be used by other companies”. I call bullshit.

[Image: New Zealand Post Lifestyle Survey 2011 Cover]

(I’ve uploaded the full version of the survey here (pdf).)

Spot where New Zealand Post states “numerous times” that the information could be used by other companies. Hint: about once.

The top paragraph states: “New Zealand Post wants to help you receive more relevant mail. We invite you to complete this voluntary survey and tell us about you and your household, so we can help tailor the messages that you receive. These messages will be from companies with products and services related to your interests” (emphasis is theirs).

I’m not counting this one because I don’t think this is clear that companies will actually be given your information. For example, Fly Buys forwards material on behalf of places you’ve shopped at, but the shops never see your personal information. Nor am I counting the text at the bottom of the page: “in addition to receiving selected offers addressed to you through the mail…” as this doesn’t state at all that those offers won’t be from New Zealand Post.

The one time I’m counting (and the only other place in the whole form where sharing of information is mentioned) is the fourth small-print bullet point under “Here’s how it all works”, which states:

Privacy: If you participate in The New Zealand Lifestyle Survey, your name, address and other information you supply (including your email and telephone numbers if you tick the boxes below), may be provided to companies and other organizations from New Zealand and overseas to enable them to provide you and/or your household with information about products and services relevant to your responses to this survey. New Zealand Post may also use that information for the same purpose.

Sure, I’ll give them that they’ve made it clear that the survey is voluntary (mentioned about four times on the front page). But they only say that information may be provided to other companies, even though that’s the primary purpose of the survey. There is no mention of the information being sold anywhere in the form.

Blinded

So it’s still true that you need better eyesight to find out that your information is going to be shared than to learn of the cash, television sets and travel packages on offer for participants (if you happened to not be blinded by them, they’re shown in the massive images that take up a third of the first page).

Engaging in direct marketing services is part of New Zealand Post’s job according to the State Enterprises Act. Maybe we need a law change.

Would you fill out this survey? Do you care that New Zealand Post is selling names and addresses?

Image credit: Chatani

The 2011 Budget and KiwiSaver

[Image: Piggy bank savings]

KiwiSaver will be affected by National’s 2011 budget, but it will still be a worthwhile scheme for nearly everyone under 65 to be in.

  • The member tax credit from the Government (which doesn’t apply to under-18s), accruing from July 2011, is going to be cut in half: from $1 per $1 saved to 50 cents per $1. So to get the full match you’ll have to save about $20 a week ($1040/year) and will get a $10 a week match ($520/year) from the Government.
  • To balance this out, minimum contributions will be raised for employees and their employers to 3% from April 2013 (the other employee options will stay as 4% and 8%).
  • However the employer contribution will be taxed from April 2012 (the 2% minimum will end up being about 1.34-1.79% depending on your tax rate, the new 3% about 2.01-2.685%).

This will affect the un/self-employed because their tax credit will be reduced with no balancing employer contribution. Increased employer contributions will benefit people planning to buy a first home using their KiwiSaver savings as they’re unable to withdraw member tax credits anyway. A likely reduction in pay rises because of the increased employer contributions will affect KiwiSaver and non-KiwiSaver employees.

Standard and Poor’s says that the changes “could push New Zealand further into debt and would need to be part of an overall package to boost national savings.”

The $1000 Government kick-start, the up to $5000 first home deposit subsidy and the requirement of being in the scheme for at least a year before you’re able to go on a contributions holiday are staying.

The kick-start, tax credit and employer contributions are still free money.

Ramit Sethi has an excellent book called I Will Teach You To Be Rich which is available from Amazon and The Book Depository—who have free shipping to basically everywhere. He recommends young people invest about 10% of their income and take advantage of available employer/tax benefits. E.g. contribute the minimum into KiwiSaver, get the employer match (and if necessary top up contributions to $1040 to get the $1040/$520 government match, but set it up so it’s done automatically each pay period), then invest the rest of the 10% in a non-KiwiSaver scheme. The main benefit of a non-KiwiSaver scheme compared to KiwiSaver is laxer withdrawal rules (the withdrawal age is likely lower; plus, if it’s employer-based, employers may contribute a higher amount than in KiwiSaver).

I like SuperLife as a KiwiSaver fund provider because of, among other things, their AIM Age Steps fund, which automatically re-balances asset allocation from assets like shares to assets like cash as you age. Mary Holm has a book called The Complete KiwiSaver which is from 2009 but will still be largely relevant to making decisions about things like funds and providers.

Are you in KiwiSaver, and why or why not?

Image credit: Alan Cleaver