I’m on holiday and posting this from my phone. Let’s all pretend this site is blacked out.
Image credit: Jed Hastwell
I posted a while ago about a security issue with TelstraClear’s webmail. Mainly that someone could access an email account through the referring URL, which the visitor analytics tools available for most websites record.
This made me think about the personal information that I have in my email account.
The library here in Christchurch includes users’ addresses in the header of all emails that they send out automatically (reminders about due books, holds, etc). I gather libraries around the country do this.
This always struck me as strange, because there’s no need to include this information.
An address isn’t the most private information in the world, but if someone broke into my email account, it’s something I wouldn’t like them to have.
So I asked the library about it. Here’s their response:
“Thank you for your recent query as to why postal address details are included in Christchurch City Libraries customer email notifications.
SirsiDynix, the integrated library system provider used by Christchurch City Libraries, have responded that identical address information is shown on both notification options [email and snail mail] because the reports draw on the same User Address information. Their opinion is that modifying the script to suit emailed notices would harm the report’s ability to print the needed addresses for mailed notices.
Unfortunately in-house report customisation is not currently a viable option because of time and financial constraints but we would certainly re-evaluate should there be further customer demand. We are not aware of any likely changes to the SirsiDynix system in the near future.”
Image credit: Fiona Bradley
PayPal send out emails about policy updates. Here is one of them:
There are a few strange things going on.
1) I’m not in Singapore but get sent their Singapore address.
2) They link to their site when they could have just said “go to PayPal’s website”. Getting people into the habit of clicking on links asking them to log in, especially ones with weird extensions, doesn’t seem good.
3) If you’re going to include a link, at least link to the changes. Why do I have to log in and go to notifications to see them?
4) On the same note, why aren’t the changes just included in the email to begin with?
Here’s one of the changes listed in notifications:
It is the whole PayPal User Agreement. What has changed? Who knows.
To their credit, a more recent January change just has the part of the policy that has changed.
Maybe they’re learning.
Here is a New Zealand Herald article that contains some shitty and some good advice about money.
Buy property young, preferably in your 20s. Move heaven and earth to get the deposit. Rent is wasted money.
Buying a house is not for everyone. Sometimes it doesn’t make financial sense for a particular person. Insurance, rates, money spent on repairs (~$5k~ a year) etc. sometimes make renting a better choice. Run the numbers.
It’s moronic to incur fines. Like the maniac driver in a big red American-style pickup truck who overtook me on State Highway 2 on December 17, just to be pulled over and fined.
Yes, you shouldn’t speed etc. etc., but this doesn’t contain any useful advice if you do get a fine. Actual advice would be to set up an automatic payment account to a ‘Stupid mistakes’ savings account so you have money to pay inevitable fines.
Every dollar is precious. Think before you spend it.
I regret frittering money on coffees and unnecessary eating out. It would be better to direct that money towards savings.
Needs and wants are often confused. This is perhaps the biggest financial mistake that people make.
If you enjoy a coffee a day, buy a coffee a day. If you enjoy eating out, eat out. There’s no point earning money if you don’t spend it on stuff you love. Cut back on the stuff you don’t care about, optimize existing spending (subscriptions and phone/internet/TV/power etc. plans) and/or earn more money.
Track your spending. You can’t budget if you don’t know what you’re spending.
Perhaps the most popular piece of financial advice ever given out. How many people who write this actually do it in practice, I’m not sure. Tracking your spending by typing into a spreadsheet or basically anything with mainly manual entry is doomed to fail. Xero with BNZ, and ASB by itself, both offer spending tracking services within online banking. Or, Xero allows the import of other banks’ transactions. Do mainly electronic transactions (because they can be automatically coded into categories) and use these.
Credit cards make you look rich. Anyone can live well for a few years, but the debt catches up.
Credit cards with benefits that are automatically paid off each month are excellent.
People are too quick to judge others’ financial decisions, me included.
1) No one wants unsolicited advice. 2) You have your own problems to worry about.
Pay your taxes on time. The IRD has a big stick.
Pay all bills on time. Automate them. The IRD and other companies are always up for negotiation around deadlines.
Spending money on experiences is good spending. I am eternally grateful that I sold all but one of my shares at age 22 (by coincidence in August 1987) and went backpacking through Latin America. It’s good spending if the experience enriches life.
Yes. Also, give experiences as presents instead of physical things.
Save before you buy. A bit of a radical concept in 2011, but it can change people’s financial future.
Interest-free hire purchase deals are for suckers. You still pay an establishment fee and the majority of people fail to clear the debt on time and pay interest anyway.
These places invariably have great clauses such as charging you if you pay anything over the set monthly amount. Once you’ve finished paying the item off you get mailed offers from the company for ever and ever.
Interest payments on personal loans, credit cards and HP are “idiot tax”. Why throw money away unnecessarily?
Work out how much something will really cost when interest is added before jumping into these. There are calculators online that will help.
KiwiSaver is good.
Get in it.
Take your advice from people who have been through several cycles. Johnny-come-latelies going through their first financial cycle underestimate the risks.
Ask older people what they would have liked to have known at your age. What would they save for if they could turn back the clock?
You can learn more about money. The easiest and cheapest way to improve your knowledge is to get a book out of the library.
Megaupload uploaded a $3 million+ viral video attempt in the form of a song, The Mega Song, to YouTube. Because it contains endorsements from many musicians who have contracts with Universal Music Group, Universal weren’t the happiest of campers.
Macy Gray sings in the video, which features will.i.am, P. Diddy, Kanye West, Kim Kardashian (who comes running whenever someone utters the word “endorsement”), Lil John, The Game, Floyd Mayweather, Chris Brown, Jamie Foxx, Serena Williams and Ciara on camera. (Side note: It’s accepted that Chris Brown can do endorsements now?)
Using YouTube’s content management system, which Universal has access to as copyright holders, they took the video down. They didn’t own any content in it. They just didn’t like it.
Now Megaupload aren’t the happiest of campers, and are suing Universal, trying to prevent Universal from interfering with the video, which is now back up, after YouTube appears to have asked Universal as to why exactly they took it down.
Local angle aside (Kim Schmitz/Kim Dotcom, Chief Innovation Officer at Megaupload, has a house here in New Zealand, where he also has permanent residency, which he celebrated by giving Auckland a $500,000 USD New Year fireworks display), Universal claimed that they took down the video because it contained content from one of their artists, Gin Wigmore.
Wigmore, of course, doesn’t appear in the video at all, in audio or visual form (but was approached to sing in it), so perhaps Universal have forgotten what their artists actually sound like, and mistook Macy Gray for her.
Two takedown notices were received, the second one from will.i.am (well, his lawyer), who appears in the video, saying “When I’ve got to send files across the globe, I use Megaupload”.
Ira Rothken, lawyer for Megaupload, says that written permission in the form of signed Appearance Consent and Release Agreements was provided by everyone in the video, including will.i.am. will.i.am’s signed form, which you can read here (pdf, will.i.am’s real name is William Adams), is pretty convincing.
The Hollywood Reporter has Ken Hertz, will.i.am’s lawyer, saying that he “never consented to the ‘Megaupload Mega Song’”. Because he delivered that line to camera for another reason?
Dotcom says that will.i.am assured him that he “had not authorized the submission of any takedown notice on his behalf”.
Universal claim that they can take down the video under an agreement with YouTube, not the Digital Millennium Copyright Act. In a letter (pdf) to YouTube, Kelly Klaus, a Universal lawyer, says that “As you know, UMG’s [takedown] rights in this regard are not limited to copyright infringement, as set forth more completely in the March 31, 2009 Video License Agreement for UGC Video Service Providers, including without limitation in Paragraphs 1(b) and 1(g) thereof.”
In that case the DMCA’s rules and protections around takedown notices wouldn’t apply. If this is true, YouTube isn’t exactly open about it. They claimed that the video had been taken down by a copyright claim in the message displayed when people tried to watch it:
Rothken says “What they are basically arguing, they can go ahead and suppress any speech they want without any consequences. That’s not a workable paradigm”.
This is, perhaps, a huge tick in the column against the Stop Online Piracy Act, which is currently being debated.
Streisand effect, here we come.
Image credit: TorrentFreak
Update 28 September 2012: This post was written before I started working for a bank (who I love dearly), and at least some views expressed in this post have changed since then (eg. case-insensitive passwords (and ASB isn’t the only bank that does this) are irrelevant when users are locked out after three incorrect login attempts–Facebook does something similar to this, accepting the actual password, the password with the first letter capitalized (to account for automatic capitalization on mobile devices), and the password with the case of letters reversed (to account for the caps lock key being on), and that a charge for a bank cheque is not so unreasonable in the context of a lot of bank cheques being for a large amount). Also some bank policies have changed since this post was published (eg. ASB no longer charges $2 for automatic payments added/amended online–progress!) There is, however, no way of getting around ASB’s $0.20 fee for a Netcode over-$500-transfer-authorization if you don’t have a token–it is charged even if you call the 0800 number and ask them to release the payment. Except for a note regarding the previous sentence, this post hasn’t been edited from the original form.
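The case-variant acceptance described above, written out as an added example (not Facebook’s or any bank’s code; the PBKDF2 hashing and the three-strike counter are assumptions). It shows that the variants are tried against the stored hash, so nothing weaker than the original password is ever stored, and that the lockout caps guessing at three attempts regardless:

```python
"""Password check that accepts the typed password, the typed password with its
first letter's case toggled (undoing mobile auto-capitalisation), and the typed
password with all letter cases reversed (caps lock left on), with a lockout after
three failed attempts. Added example; hashing scheme and lockout are assumptions."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption; any slow hash works the same way here


def hash_password(password, salt=None):
    """Return (salt, digest) for the password; a fresh salt is drawn if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def case_variants(attempt):
    """The three forms checked: as typed, first letter toggled, all cases reversed.

    Toggling the first letter of the attempt covers a stored 'redbus73' typed as
    'Redbus73'; swapcase covers it typed as 'REDBUS73'. At most three candidates,
    so the keyspace shrinks by less than log2(3) bits.
    """
    return [attempt, attempt[:1].swapcase() + attempt[1:], attempt.swapcase()]


class Account:
    MAX_ATTEMPTS = 3  # lockout threshold, as described in the update above

    def __init__(self, password):
        self.salt, self.digest = hash_password(password)
        self.failed = 0
        self.locked = False

    def login(self, attempt):
        """True on success; any variant matching the stored hash counts."""
        if self.locked:
            return False
        for variant in case_variants(attempt):
            _, digest = hash_password(variant, self.salt)
            if hmac.compare_digest(digest, self.digest):
                self.failed = 0
                return True
        self.failed += 1
        if self.failed >= self.MAX_ATTEMPTS:
            self.locked = True  # a guesser never gets a fourth candidate
        return False


if __name__ == "__main__":
    acct = Account("redbus73")  # one of ASB's own example passwords from the post
    for typed in ("Redbus73", "REDBUS73", "rEDBUS73", "REDbus73"):
        print(typed, "->", acct.login(typed))
```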
And useful (see: next day bank transfers).
I’m with ASB and they are great, however no one is perfect. Here are some things that I hate about banks in New Zealand. Many of these problems are shared by the entire industry.
Or the fact that ASB keeps trying to convert me to one even though I’m not allowed one.
Here’s mailer number one, received the week of my 17th birthday:
Irrelevant: check. Impersonal: check. You know how to make a guy feel special ASB. (Case in point: I’m not 18 so they couldn’t give me my own credit card even if they really really wanted to).
This is upsetting because I have a feeling tertiary accounts have fewer fees than youth accounts.
At least, it isn’t emphasized that service fees apply to tertiary accounts like it is for youth accounts on ASB’s fee exemption page. Service fees apply for everyone, see comment from ASB below.
ASB isn’t the only bank that charges stupid fees, but here are some examples of theirs:
“Please note, your password must be eight characters long, and contain at least two letters (a-z) and at least two numbers (0-9). For example, redbus73 and 8cube224 are valid passwords.”
This is ASB’s. I assume other banks are as ridiculous. Would you like a nine character password? YOU CAN’T. MUST BE EIGHT.
Microsoft’s (now defunct) password checker says both of their examples are weak. ASB lets you use both of their examples as real passwords, because security.
Here’s an entry form I picked up from BNZ’s tent at The Show:
Note the classy clause at the bottom: “By providing your details, you consent to use contacting you about our products, services and promotions, from time to time (including via text message without an unsubscribe facility).”
Once you’re in, they have you.
I guess if you rang them they’d remove you from their text messaging scheme, but really, why not let people unsubscribe via text using common keywords like stop, or unsubscribe?
And their annual fees. $10 a year for having the card. National Bank got half of the memo and isn’t charging the annual fee if you have their Freedom account. But you have to be earning $30k+ a year and pumping it into that account. Anyway, I like the image they’re using in their ads for it (see top image).
Sure, debit cards are great if you are under 18 or don’t trust yourself with a credit card. But really, if you can, you should just get a credit card.
Banks (looking at you Westpac and BNZ) seem to love converting people to these debit cards, even if the person already has a credit card with the bank. I don’t understand. Family members have received Visa Debit cards in the mail from Westpac, even though they have a credit card with Westpac. If you already have a Visa or credit card, why would you want a Visa Debit?
It’s a bit of a have, because people naturally think this is their replacement EFTPOS card and start using it, probably not realizing that once they start using it they’re going to be charged an annual fee. If they’re lucky, maybe the fee will be waived for a year or two!
When you go into BNZ to request an EFTPOS card, the tellers like to order you in a Visa Debit card instead*, because, you know, they know best.
*May have happened just once.
That’s Google’s 2-step verification programme.
There’s a number of ways to use it. I have the Google Authenticator application on a couple of devices (it works without needing an internet connection), I can get a code sent to me by text (for [email protected]@) if the application isn’t working, I can use the backup codes if I have to, and I can tell Google that it doesn’t need to ask me for a verification code on the computer I’m using for another 30 days if I trust it.
It works, it’s good, it’s free. And it’s not even protecting my money.
Side note: security has to actually be built-in by design and be compulsory for it to be useful. Kerry Thompson points out that security conscious people probably have limited use for 2-factor authentication systems, because they already take precautions. The people who aren’t security conscious are also the people who don’t think they need 2-factor authentication, they think they’ll be covered by the bank, or won’t use it because of the cost (hi ASB’s 20 cent per text charge).
See also: Google doesn’t have an eight character password policy and Google gives a detailed account of recent account activity (ASB shows the last time I logged in, but I rarely look at it, and out of context it’s kind of useless).
How about encouraging people to set up an automatic payment to a savings account every pay period and sign up for Kiwisaver?
Also, you would think an application that consists of one button would be easy to set up, but Westpac’s Impulse Saver requires you to apply to use it, and makes you wait for a callback from a customer service person.
Westpac and BNZ seem to be the only two banks who try to ban calls from mobile phones to their phone banking numbers. It’s trivial to get around this with Westpac, just call their main 0800 number and press one to get to phone banking. On BNZ it seems like that works too, at least after their call center hours.
Visa and MasterCard aren’t banks, but whatever.
McDonald’s, in association with Visa and MasterCard has the policy of not requiring a PIN or signature for credit card transactions under $35.
How they can guarantee security, I’m not sure, because they just took away the only security of a PIN or signature. I’m not sure why Visa and MasterCard don’t make this opt-in or opt-out.
Zero liability can’t apply if you don’t realize there’s a fraudulent charge on your statement, so good luck everyone.
Or please stop relying on a cron job for transfers.
10 years after one-off payments were introduced, they still take up to the next business day to go through to accounts at other banks. I realize this might require some consultation with the People In Charge Of The Money, but can we please get rid of this? Thanks. Also, could we please do transfers on non-business days to accounts at other banks and get rid of the 10pm cut off for not-my-bank transfers?
When you visit this website, like most others, analytics software on this end records some information about you, including what website brought you here.
Following a link from an email isn’t usually a problem. However, when your provider is Clear/TelstraClear and you’re using webmail, it is. Or was.
The Clear referring URL lets someone access a customer’s emails by simply clicking on the link (until, I assume, the session is logged out, timed out or the customer’s password is changed).
This applies to virtually any site visited through TelstraClear’s webmail.
This becomes a very big problem when you think about what someone keeps around in their emails. Google wants to encourage its users to archive everything. Perhaps this post contains a very convincing argument as to why you shouldn’t archive everything, and instead make liberal use of the delete button (or move the emails to your computer).
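The leak described above, turned into a defender’s check as an added example (not code from the original post; the webmail URL layout and the analytics log format are constructed, since the page does not show TelstraClear’s actual URLs). It scans referrer records for query parameters or path segments that look like a login session, which is exactly what a site owner would have seen in their analytics:

```python
"""Flag referrer URLs that carry a session identifier.

Added example with constructed data. Session parameter names and the
token-shape heuristic are assumptions, not anything from the original post.
"""
from urllib.parse import parse_qsl, urlsplit

# Query parameter names that commonly carry a login session (assumption).
SESSION_PARAMS = {"sid", "sessionid", "session", "token", "auth",
                  "phpsessid", "jsessionid"}

# Constructed sample of what an analytics tool records per visit:
# timestamp, visitor IP, page on this site, referring URL.
SAMPLE_LOG = """\
2011-11-02T10:14:03 203.0.113.5 / https://www.google.co.nz/search?q=webmail+security
2011-11-02T10:15:41 203.0.113.9 /post/1 https://webmail.example.net/mail/read?sid=9f1c2b8a7e&msg=4412
2011-11-02T10:16:02 198.51.100.7 / https://mail.example.org/inbox
2011-11-02T10:18:55 198.51.100.8 /post/1 https://webmail.example.net/s/4d2e6a1f0c9b3e7a/inbox
"""


def looks_like_token(value):
    """Heuristic: a long alphanumeric segment containing digits is token-like."""
    return len(value) >= 16 and value.isalnum() and any(c.isdigit() for c in value)


def leaked_session_params(referrer):
    """Return (name, value) pairs in the referrer that look like session credentials.

    Query parameters are matched by name; path segments by shape, because some
    applications embed the session in the path instead of the query string.
    """
    parts = urlsplit(referrer)
    hits = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() in SESSION_PARAMS]
    hits += [("path", seg) for seg in parts.path.split("/") if looks_like_token(seg)]
    return hits


def scan_log(text):
    """Return (line_no, referrer_host, hits) for every referrer that leaks a session."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or referrer-less record
        referrer = fields[3]
        hits = leaked_session_params(referrer)
        if hits:
            findings.append((line_no, urlsplit(referrer).hostname, hits))
    return findings


if __name__ == "__main__":
    for line_no, host, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {host} leaks {hits}")
```

On the webmail side the fix is to keep the session in a cookie rather than the URL, and to send a `Referrer-Policy: no-referrer` header so browsers omit the referrer entirely on outbound links.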
Here are some examples of information routinely sent to and stored in email accounts that would be very useful to someone with bad intentions:
A power company told me that the information contained in their e-bills isn’t all that private. They said that their customers like the convenience of not having to log in to access their bill and that they consider all feedback on their services.
TelstraClear said that the issue has been fixed, that “this was the first time the issue has been raised” and that they “take security very seriously”.
Understandably TelstraClear were “not too keen” on this post going ahead as “it might encourage attempts to hack the webmail application” which “might still cause service problems for legitimate users if such an attack was to take place”.
However, maybe a real life example will hit home with people, even if they’re not with TelstraClear.
Because how secure is your personal information?
Update: Christchurch City Libraries responds with why they include addresses in the emails they automatically send out.
Image credit: Dev.Arka
Internet surveillance, censorship, and avenues of resistance with anonymity with Jacob Appelbaum, Researcher and Hacker, The Tor Project.
Go watch Jacob’s talk here.
Points I found interesting:
Look what I found at the end of the Hoyts ticket counter:
“While not required under the new law, illegally obtained copyright protected material may still be file shared and therefore should be removed.”
Read: buy the files you downloaded illegally in the past. Helpful advice would be to remove peer-to-peer software from your computer if you’re not using it, or to stop sharing illegally obtained material if you’re doing so (eg. stop seeding).
“P2P file sharing can expose your computer to harmful viruses, worms and trojan horses as well as annoying pop-up advertisements. There is also a real danger that private information on your computer may be accessible to others on P2P networks.”
Finding files through moderated sites (which can remove harmful torrents), reading the comments on torrents and having up-to-date anti-malware software all reduce this small risk of harm.
The “real danger” of private information being inadvertently shared is practically impossible with torrenting. LimeWire, FrostWire and friends were possibly deceptive about which users’ folders were actually being shared in the past, but now LimeWire is dead and FrostWire exclusively uses torrents, so it shouldn’t be a problem anymore.
But points for including the relatively unbiased URL of NetSafe’s The Copyright Law, albeit in tiny print down the very bottom on the back page.
Our list for TV shows is basically the On Demand sites for the free-to-air TV stations, plus iSky. On the movies side we have iSky, the console networks and iTunes, which is also listed as having TV shows, but that’s not the case in New Zealand.
In comparison, the US site lists 43 legal alternatives, including iTunes (which you can actually get TV shows from in the US, or by using a US iTunes account), Hulu and Netflix.
And the MPAA wonder why people illegally download movies and TV shows in New Zealand?
Good news on the music front though. Music streaming subscription service Spotify is coming to Australia and New Zealand, possibly around February next year. The downside is that they’re now in bed with Facebook, so you’ll need a Facebook account to use it.
Jonathan Hunt and Lance Wiggs illustrate how inadequate the sites MPAA lists are. MPAA, NZFACT and friends love harping on how people pirating movies like Boy are harming our movie industry in New Zealand.
But you still can’t download it legally from iTunes.
And I wouldn’t count on it being added either. Remember Sione’s Wedding? You know, the movie released in 2006 that cost “its investors an estimated $1 million” because it was pirated?
It’s not in the New Zealand iTunes store five years later.
But of course, it’s in the US iTunes store as Samoan Wedding.
Nice one. Perhaps more kiwis would support their creative community, if, you know, you actually made it easy for them?
Update: Last rep I spoke to talked over me and implied I just wanted free stuff. First time I’ve lost my cool in a customer service call. But, if all else fails, send an email and a text message to the CEO: “Thanks. I have received the email and I will get it dealt with ASAP.”
Update 2: “I will arrange for a 50Gb datablock to be added to your account, and for your broadband access plan charges for November and December to be credited.” Took a couple of days, but a positive response to a negative situation.
Our internet is currently slowed to dial-up.
This means that some time between February and this month the data block disappeared from the account. It wasn’t used up this month when we used 100% of available data. And it shouldn’t have been completely used up any other month because the last time we used 100% of available data was before the data block was purchased.
I suspect it disappeared when we changed plans at the start of this month.
Slingshot called us about changing to a new plan. They spoke to the account holder first, then spoke to me. I ended up changing the plan, but this wasn’t noted under the account.
I called them about this and they refused to speak to me about it at all because I’m not the account holder, even though I didn’t want them to share any information with me – I have it all up in ‘My Account’ anyway, and I’m calling from the phone number associated with the account (I know, I know, caller ID can be [email protected]#$!!11 but again, I wasn’t asking for personal information).
After I told them I’d just pretend to be the account holder because they were being ridiculous, and proceeded to do so they “terminated” the call and said they’d call the account holder on their cellphone. In an act of hilarity, it ends up that my cellphone number is the one listed on the account. That call was terminated too.
The account holder gets home, talks to them and adds me to the account. He gets lectured by the rep that the reason I wasn’t able to talk to them about it was to protect the account holder’s personal information, even though I wasn’t asking for any personal information (and would’ve been able to tell them the account holders name, address and DOB anyway).
After lots of holding I’m told that they are definitely right and that we have gone well over our data usage (even though that overage would’ve happened on speedy dial-up). I suspect that they can only see what I can see in the history part of billing – the total amount of data used per month: plan + data blocks + free off-peak + zero rated, because past data usage isn’t split up into categories.
Just because it says we used x amount of GB more than our plan doesn’t mean that we actually went over the plan’s allowance, because of free off peak. That’s also supported by a lack of 100% data usage used emails.
The rep said they could email me what they are seeing showing the significant overage. I say great. He says that it will take two days and mentioned printing. I state the ridiculousness of this and ask to speak to whoever he talked to. I get put on hold and he quickly comes back saying they can actually send it within 30 minutes – 6pm.
At 7pm I get an email from tier 2 customer support. Attached is a spreadsheet of our hour by hour data usage over this billing period. Interesting to look at, but not helpful to the situation. The issue isn’t with us using up all of our plan data this billing period, which I’m not debating and I can clearly see from ‘My Account’. What I am debating is that we shouldn’t have been slowed to dial-up because there should have been a data block on the account.
And so the saga continues.
Image credit: Nick Webb