Follow Up: Personal Information In Emails, Library Edition

Deleting messages

I posted a while ago about a security issue with TelstraClear’s webmail. Mainly that someone could access an email account through the referring URL gathered through visitor analytics tools available for most websites.

This made me think about the personal information that I have in my email account.

The library here in Christchurch includes users’ addresses in the header of all emails that they send out automatically (reminders about due books, holds, etc). I gather libraries around the country do this.

This always struck me as strange, because there’s no need to include this information.

An address isn’t the most private information in the world, but if someone broke into my email account, it’s something I wouldn’t like them to have.

So I asked the library about it. Here’s their response:

“Thank you for your recent query as to why postal address details are included in Christchurch City Libraries customer email notifications.

SirsiDynix, the integrated library system provider used by Christchurch City Libraries, have responded that identical address information is shown on both notification options [email and snail mail] because the reports draw on the same User Address information. Their opinion is that modifying the script to suit emailed notices would harm the report’s ability to print the needed addresses for mailed notices.

Unfortunately in-house report customisation is not currently a viable option because of time and financial constraints but we would certainly re-evaluate should there be further customer demand. We are not aware of any likely changes to the SirsiDynix system in the near future.”

No dice.

Image credit: Fiona Bradley

PayPal Policy Update Strangeness

PayPal send out emails about policy updates. Here is one of them:

PayPal Policy Updates

There’s a few strange things going on.

1) I’m not in Singapore but get sent their Singapore address.

2) They link to their site when they could have just said “go to PayPal’s website”. Getting people into the habit of clicking on links asking them to log in, especially ones with weird extensions doesn’t seem good.

3) If you’re going to include a link, at least link to the changes. Why do I have to log in and go to notifications to see them?

4) On the same note, why aren’t the changes just included in the email to begin with?

Here’s one of the changes listed in notifications:

PayPal Policy amendment

It is the whole PayPal User Agreement. What has changed? Who knows.

To their credit, a more recent January change just has the part of the policy that has changed.

Maybe they’re learning.

Financial Advice

Money

Here is a New Zealand Herald article that contains some shitty and some good advice about money.

Thumbs down

Buying over renting

Buy property young, preferably in your 20s. Move heaven and earth to get the deposit. Rent is wasted money.

Buying a house is not for everyone. Sometimes it doesn’t make financial sense for a particular person. Insurance, rates, money spent on repairs (~$5k~ a year) etc. sometimes make renting a better choice. Run the numbers.

Avoid fines

It’s moronic to incur fines. Like the maniac driver in a big red American-style pickup truck who overtook me on State Highway 2 on December 17, just to be pulled over and fined.

Yes, you shouldn’t speed etc. etc., but this doesn’t contain any useful advice if you do get a fine. Actual advice would be to set up an automatic payment account to a ‘Stupid mistakes’ savings account so you have money to pay inevitable fines.

NEVER SPEND MONEY EVAAAA

Every dollar is precious. Think before you spend it.

I regret frittering money on coffees and unnecessary eating out. It would be better to direct that money towards savings.

Needs and wants are often confused. This is perhaps the biggest financial mistake that people make.

If you enjoy a coffee a day, buy a coffee a day. If you enjoy eating out, eat out. There’s no point earning money if you don’t spend it on stuff you love. Cut back on the stuff you don’t care about, optimize existing spending (subscriptions and phone/internet/TV/power etc. plans) and/or earn more money.

Have a [email protected]@111

Track your spending. You can’t budget if you don’t know what you’re spending.

Perhaps the most popular piece of financial advice ever given out. How many people who write this actually do in it in practice, I’m not sure. Tracking your spending by typing into a spreadsheet or basically anything with mainly manual entry is doomed to fail. Xero with BNZ and ASB by itself both offer spending tracking services within online banking. Or, Xero allows the import of other bank’s transactions. Do mainly electronic transactions (because they can automatically coded into categories) and use these.

Credit cards

Credit cards make you look rich. Anyone can live well for a few years, but the debt catches up.

Credit cards with benefits that are automatically paid off each month are excellent.

Thumbs up

Judging people

People are too quick to judge others’ financial decisions, me included.

1) No one wants unsolicited advice. 2) You have your own problems to worry about.

Pay bills

Pay your taxes on time. The IRD has a big stick.

Pay all bills on time. Automate them. The IRD and other companies are always up for negotiation around deadlines.

Experiences

Spending money on experiences is good spending. I am eternally grateful that I sold all but one of my shares at age 22 (by coincidence in August 1987) and went backpacking through Latin America. It’s good spending if the experience enriches life.

Yes. Also, give experiences as presents instead of physical things.

Save for things. Automatically.

Save before you buy. A bit of a radical concept in 2011, but it can change people’s financial future.

Enter into interest-free deals cautiously

Interest-free hire purchase deals are for suckers. You still pay ad establishment fee and the majority of people fail to clear the debt on time and pay interest anyway.

These places invariably have great clauses such as charging you if you pay anything over the set monthly amount. Once you’ve finished paying the item off you get mailed offers from the company for ever and ever.

Avoid interest

Interest payments on personal loans, credit cards and HP are “idiot tax”. Why throw money away unnecessarily?

Work out how much something will really cost when interest is added before jumping into these. There’s calculators online that will help.

KiwiSaver

KiwiSaver is good.

Get in it.

Advice

Take your advice from people who have been through several cycles. Johnny-come-latelies going through their first financial cycle underestimate the risks.

Ask older people what they would have liked to have known at your age. What would they save for if they could turn back the clock?

Read a book

You can learn more about money. The easiest and cheapest way to improve your knowledge is to get a book out of the library.

Image credit: 401k/401kcalculator.org

Megafail: Universal Music Gone Rogue

Megaupload uploaded a $3 million+ viral video attempt in the form of a song, The Mega Song, to YouTube. Containing endorsements from many musicians that have contracts with Universal Music Group, they weren’t the happiest of campers.

Macy Gray sings in the video, which features will.i.am, P. Diddy, Kanye West, Kim Kardashian (who comes running whenever someone utters the word “endorsement”), Lil John, The Game, Floyd Mayweather, Chris Brown, Jamie Foxx, Serena Williams and Ciara on camera. (Side note: It’s accepted that Chris Brown can do endorsements now?)

Using YouTube’s content management system, which Universal has access to as copyright holders, they took the video down. They didn’t own any content in it. They just didn’t like it.

The lawsuit

Now Megaupload aren’t the happiest of campers, and are suing Universal, trying to prevent Universal from interfering with the video, which is now back up, after YouTube appears to have asked Universal as to why exactly they took it down.

The New Zealand connection (read: Universal don’t know what their own artists sound like)

Apart from Kim Schmitz/Kim Dotcom, Chief Innovation Officer at Megaupload having a house here in New Zealand where he also has permanent residency (which he celebrated by giving Auckland a $500,000 USD New Year fireworks display), Universal claimed that they took down the video because it contained content from one of their artists, Gin Wigmore.

Wigmore, of course, doesn’t appear in the video at all, in audio or visual form (but was approached to sing in it), so perhaps Universal have forgotten what their artists actually sound like, and mistook Macy Gray for her.

will.i.am

Two takedown notices were received, the second one from will.i.am (well, his lawyer), who appears in the video, saying “When I’ve got to send files across the globe, I use Megaupload”.

Ira Rothken, lawyer for Megaupload, says that written permission in the form of signed Appearance Consent and Release Agreements were provided by everyone in the video, including will.i.am. will.i.am’s signed form, which you can read here (pdf, will.i.am’s real name is William Adams), is pretty convincing.

The Hollywood Reporter has Ken Hertz, will.i.am’s lawyer, says that he “never consented to the ‘Megaupload Mega Song’”. Because he delivered that line to camera for another reason?

Dotcom says that will.i.am assured him that he “had not authorized the submission of any takedown notice on his behalf”.

Universal’s takedown rights “not limited to copyright infringement”

Universal claim that they can takedown the video under an agreement with YouTube–not the Digital Millennium Copyright Act. In a letter (pdf) to YouTube from Kelly Klaus, a Universal lawyer, says that “As you know, UMG’s [takedown] rights in this regard are not limited to copyright infringement, as set forth more completely in the March 31, 2009 Video License Agreement for UGC Video Service Providers, including without limitation in Paragraphs 1(b) and 1(g) thereof.”

In that case the DMCA’s rules and protections around takedown notices wouldn’t apply. If this is true, YouTube isn’t exactly open about it. They claimed that the video had been taken down by a copyright claim in the message displayed when people tried to watch it:

Mega Song block notice on YouTube

Rothken says “What they are basically arguing, they can go ahead and suppress any speech they want without any consequences. That’s not a workable paradigm”.

 

This is, perhaps, a huge tick in the column against the Stop Online Piracy Act, which is currently being debated.

Streisand effect, here we come.

Image credit: TorrentFreak

Clear Webmail Security: A Series Of Unfortunate Events

When you visit this website, like most others, analytics software on this end records some information about you, including what website brought you here.

Following a link from an email isn’t usually a problem. However, when your provider is Clear/TelstraClear’s and you’re using webmail it is. Or was.

The Clear referring URL lets someone access a customer’s emails by simply clicking on the link (until, I assume, the session is logged out, timed out or the customer’s password is changed).

This applies to virtually any site visited through TelstraClear’s webmail.

Authenticity required

What’s in your emails?

This becomes a very big problem when you think about what someone keeps around in their emails. Google wants to encourage its users to archive everything. Perhaps this post contains a very convincing argument as to why you shouldn’t archive everything, and instead make liberal use of the delete button (or move the emails to your computer).

Here’s some examples of information routinely sent to and stored in email accounts that would be very useful to someone with bad intentions:

  • Unencrypted payslips, with IRD and bank account numbers
  • Shipping notifications, with addresses, phone numbers and courier tracking codes
  • Work emails that have made it into a personal email account
  • Information on utilities and addresses supplied from power company e-bills
  • Broadband or other service activation email, containing usernames and passwords to webmail and/or internet access

Response

A power company told me that the information contained in their e-bills isn’t all that private. They said that their customers like the convenience of not having to log in to access their bill and that they consider all feedback on their services.

TelsraClear said that the issue has been fixed, that “this was the first time the issue has been raised” and that they “take security very seriously”.

Understandably TelstraClear were “not too keen” on this post going ahead as “it might encourage attempts to hack the webmail application” which “might still cause service problems for legitimate users if such an attack was to take place”.

However, maybe a real life example will hit home with people, even if they’re not with TelstraClear.

Because how secure is your personal information?

Update: Christchurch City Libraries responds with why they include addresses in the emails they automatically send out.

Image credit: Dev.Arka

Doing The Government’s Work For Them

Internet surveillance, censorship, and avenues of resistance with anonymity with Jacob Appelbaum, Researcher and Hacker, The Tor Project.

Go watch Jacob’s talk here.
Jacob Appelbaum talkPoints I found interesting:

  • The concept of lawful surveillance. We make it compulsory for telecom providers to make their networks buggable. Would there be outrage if a law was passed that every road must have a camera and microphone on it?
  • If you’re not paying for something, you’re the product.
  • Visualize your cellphone as a tracking device that can also make calls, go on the internet and text people. If the government forced you to carry it everywhere, you’d riot in the streets. They don’t need to; you do their work for them. You carry it with you, willingly.

MPAA Propaganda

Look what I found at the end of the Hoyts ticket counter:

Respect Copyrights leaflet 1

Respect Copyrights leaflet 2

Respect Copyrights leaflet 3

Respect Copyrights leaflet 4It contains some interesting content.

“Remove unauthorised material from your computers”

“While not required under the new law, illegally obtained copyright protected material may still be file shared and therefore should be removed.”

Read: buy the files you downloaded illegally in the past. Helpful advice would be to remove peer-to-peer software from your computer if you’re not using it, or to stop sharing illegally obtained material if you’re doing so (eg. stop seeding).

“What are the risks of P2P file sharing?”

“P2P file sharing can expose your computer to harmful viruses, worms and trojan horses as well as annoying pop-up advertisements. There is also a real danger that private information on your computer may be accessible to others on P2P networks.”

Finding files through moderated sites (which can remove harmful torrents), reading the comments on torrents and having up-to-date anti-malware software all reduce this small risk of harm.

The “real danger” of private information being inadvertently shared is practically impossible with torrenting. LimeWire, FrostWire and friends were possibly deceptive about what user’s folders were actually being shared in the past, but now LimeWire is dead and FrostWire exclusively uses torrents, so it shouldn’t be a problem anymore.

But points for including the relatively unbiased URL of NetSafe’s The Copyright Law, albeit in tiny print down the very bottom on the back page.

Respect Copyrights.co.nz

This site is interesting, especially when you compare its list of legitimate places to buy movies and TV shows to the US version‘s list.

Our list for TV shows is basically the On Demand sites for the free-to-air TV stations, plus iSky. On the movies side we have iSky, the console networks and iTunes, which is also listed as having TV shows, but that’s not the case in New Zealand.

Respect Copyrights New Zealand legal alternatives

In comparison, the US site lists 43 legal alternatives, including iTunes (which you can actually get TV shows from in the US, or by using a US iTunes account), Hulu and Netflix.

Respect Copyrights US legal alternatives

And the MPAA wonder why people illegally download movies and TV shows in New Zealand?

On a plus, Respect Copyrights has removed that ridiculous clause from their Terms of Use stating that no one was allowed to link to their site without their “express written permission”. Their grasp of the internet is growing!

Spotify

Good news on the music front though. Music streaming subscription service Spotify is coming to Australia and New Zealand, possibly around February next year. The downside is that they’re now in bed with Facebook, so you’ll need a Facebook account to use it.

NZ Movies

Jonathan Hunt and Lance Wiggs illustrate how inadequate the sites MPAA lists are. MPAA, NZFACT and friends love harping on how people pirating movies like Boy are harming our movie industry in New Zealand.

But you still can’t download it legally from iTunes.

And I wouldn’t count on it being added either. Remember Sione’s Wedding? You know, the movie released in 2006 that cost “its investors an estimated $1 million” because it was pirated?

It’s not in the New Zealand iTunes store five years later.

Sione's Wedding New Zealand iTunes Store

But of course, it’s in the US iTunes store as Samoan Wedding.

Samoan Wedding United States iTunes Store

Nice one. Perhaps more kiwis would support their creative community, if, you know, you actually made it easy for them?