Category: Technology

The Real Wikileaks

Posted on by Matt Taylor 2 Comments

The English version of Wikipedia is the website that tops the search results for a large majority of popular search terms. How do you keep 140,000+ active editors happily producing good content in a neutral way when they all have opposing viewpoints on content and procedure?

“Wikipedia is like a sausage: you might like the taste of it, but you don’t necessarily want to see how it’s made.”—Jimmy Wales

The Arbitration Committee

BWikipedia globe keychainasically the Supreme Court of Wikipedia, the Arbitrators that make up the committee make decisions on Wikipedia disputes that haven’t been able to be resolved through other means or on issues where privacy needs to be protected. Jimmy Wales and The Wikimedia Foundation are essentially the only people above them. They largely conduct business over a private mailing list, potentially to appear in agreement in public. Abd says:

“[the] appearance [of solidarity] was more important than making the whole process transparent, so that the community could understand the logic or reasons behind decisions — for better or worse.”

Arbitrators receive access to the CheckUser and Oversight tools, which gives them access to IP and user agent records and the ability to expunge content from an article’s history, respectively.

List structure and security

The mailing list software emailed each list member their password in plain text every month. Someone gaining access to one of their email accounts, say by using Firesheep over an unsecured WiFi connection, would’ve easily gained access to the private archives. No selective archiving was available in the software, so everything was logged. It doesn’t seem like it would have been difficult for a list member to intentionally leak the contents of the archive (although it appears to be easier for unauthorized users to access the archive than the authorized: “I will take care of that if I can get into the archives, it often doesn’t work for me”). Because of the nature of email it is easy to accidentally send something to the wrong person, illustrated in one of the emails leaked where someone was accidentally carbon copied in on an email about them. Retired arbitrators continued to have access to the list until sometime around 2009. Jimmy Wales continues to have access to the list.

Wikipedia editors generally expect their IP addresses to be protected when they’re logged in and policy supports this assumption (although in reality I’m unsure why IPs are considered such private information). CheckUser records only go back so far so it would be interesting to see what privacy concerns were considered by individuals keeping their own records. It also appears that centralized information on troublesome users is kept on a private wiki.

“Unitanode is formerly known as SDJ (S. Dean Jameson), and has had prior accounts as well. See the WPuser page on the arbwiki.

“The earlier draft would, incidentally, be very handy on ArbWiki as Wpuser:Sophie to provide all the background should this crop up again later (as I’m sure it will, either in the form of appeals or socks).” [emphasis mine]

Security concerns aside, the mailing list structure doesn’t seem to work. Even though list archives are kept, individual Arbitrators are relied on to forward old information.

“Do you have notes from your Feb 7 [CheckUser] of Guido that will help?”

“Does [anyone] have CU notes on Angela Kennedy or Destroying Angela they can forward to me?”

“Thank you for contacting us; the Committee is currently discussing your offer. Developing consensus among 18 or so people via mailing list isn’t terribly efficient, so we appreciate your patience.”

The leaks

A couple of users on Wikipedia Review, a forum critical of Wikipedia, have been posting email threads, largely based on requests. Why care? Actions on Wikipedia can have serious real world consequences. One of the emails details someone with a Wikipedia article being asked in a job interview about something untrue posted about him on Wikipedia. Another email talks about the power Wikipedia has over other search results, “if you were a sugar producer, how much would having [[Aspartame controversy]] be the first Google result for “artificial sweetener” be worth?” If you’ve ever used Wikipedia, as a reader or editor, what happens behind the scenes is relevant.

Note: some of the quoted emails are very old and I may be wrong in the conclusions I’ve drawn from them. Thanks to users at Wikipedia Review who did a great job pulling the interesting bits out of the emails in the forum threads.

Jimmy Wales versus an adminJimmy Wales Roda Viva

A Wikipedia administrator called a user a “little shit” and was blocked from editing by Jimmy Wales for 3 hours. It’s unclear what harm a 3 hour block prevents and probably causes more drama than it solves. Arbitrators on the list raised concerns about Jimmy blocking users because of the attention those users receive as a result.

In emails Jimmy says he’d prefer a private mediation instead of a public Arbitration case:

“Indeed, if we go to a[n Arbitration case], I am going to push for [the removal of your administrator status], because I think you’ve gotten off very lightly so far, and your conduct since the block is very far out of line from what our community standards for admins are.

Whereas if you enter mediation and work with me, I think you’ll end up looking quite good. I am not a man of pride – I am willing to look bad if that will help Wikipedia in some way. Just come and work with me and with someone we both trust, and let’s at least try.”

In an email to the Arbitration Committee on the 22nd July 2009 Jimmy states that he’s giving up the block tool:

“I am hereby permanently giving up the use of the ‘block’ tool. I will remain an administrator so that I can do some other admin things from time to time (most importantly, viewing deleting revisions), so there is no need to do anything technical. I just won’t block anyone ever again.”

However, his actions log shows he performed a block in May 2010.

Threats against arbitrators

Forum user SB_Johnny summarizes an email that was eventually redacted by the leaker:

“Just for the benefit of the curious, a quick synopsis is that some asshole threatened to do harm to the loved ones (including children) of one of the [arbitrators] if the [arbitrator] didn’t do what he wanted. The other [arbitrators] (appropriately and gracefully) gave their moral and [emotional] support to the victim. ‘Nuff said on that.

The only thing that’s really of interest if that there wasn’t much in the way of support from Jimbo or the WMF [Wikimedia Foundation] (at least not in the dox provided), but only interesting in the sense that it was a rather alarming example of the sorts of things WMF volunteers are exposed to, and the WMF’s apparent disinterest in their fates.”

Hiding behind clerks

“Just to note that an anonymous IP (Comcast, Seattle Washington) has now posted an email from Lar (who has been broadly supportive of the proposals, including those relating to Jayjg), which implies that Lar himself is known to canvass. I am inclined to ask a clerk to delete as it is personal communication, but I do not think any of the committee members should do so. Thoughts?” [emphasis mine]

Experienced users versus new users

“Again it would be good enough to be used to justify a sock accusation against a new user, but it would be a world of pain for Arbcom to use it against a functionary who has broad support within the community (e.g. the reasonable recent election given he withdrew, with a growing cloud bearing down on him) and has ties with WMF (I’m not sure of all the details of this).”

Threats and blackmail by an ex-Arbitrator

“On 24 February 2010, FT2 contacted the Arbitration Committee by email to request return of Checkuser permissions for the purpose of participating in a specific sockpuppetry investigation. At that time, an email written by FT2 came to the attention of the entire Arbitration Committee. The email was addressed to an abusive sockpuppeter who had been banned from English Wikipedia and some other WMF projects as a result of a cross-wiki investigation in which FT2 played a significant role. In the email, FT2 threatened to contact family members of the sockpuppeter directly, and laid out a series of conditions including those external to Wikipedia with the threat of contacting employers, government agencies, and others about the nature of the socking.

It was known at the time this email was disclosed to the Committee ”en banc” that the conditions outlined in FT2’s email had not been met, and there was concern that he might proceed with the actions he had threatened in the email. FT2 confirmed that the text of the email was correct and implied that the content had been vetted in advance by a WMF staff member and a WMF board member. Both denied having read the email at any point.”

Here are some parts from that email:

“My conditions to you are simple. I will state them once, below. Failure to take this seriously will lead to the events changing from your rules and WR’s rules, to my rules. Hide one thing now or later, lie or evade once, and the gloves come off. Believe me, you don’t want to test that . That’s the advantage of being a volunteer rather than an employee. My only formal obligation is my own conscience, and the law.

They made errors like confusing your wife and sister. They don’t know about your children, whose names you put in the public domain and used as covers (which would disgust most people including your family). They don’t recognize that the [redacted]’ [his wife’s employer] IP means [redacted]’s [his wife’s] employer is legitimately fair to be brought into the frame to ascertain just what it extended to.

The bad news is, you have a choice: complete abject confession online to your online games, or exposure in your /offline/ world – it goes “real world” as the only way to kill it. You don’t get to keep both. Choose which.

One minute after that, gloves come off all the way, without any further warning, starting with [redacted]’s [his wife’s] workplace for evidence, and the Department of Health, and probably unavoidably, ending with family or someone will inform the police. Do you actually love your family, or need them? Or are they toys too?Sacrifice your fictions, games and abuses for yourself and them. Put right the abuses you have done over the last 3 years and you may survive, or take complete responsibility for any unfortunate results of forcible removal. I don’t know [his wife], but she seems tough, and people don’t like being deceived. I don’t know what settlement you’d get, but I bet it won’t include the things in real life you care most about. Risk it if you like. Your call. And watch me not minding if it hurts you to put this all right.Yes doing this is going to hurt and humiliate you. I couldn’t care less. No, avoiding hurt is not an option in life. You’re about to feel every last person you abused over 3 years, right now. You like editing, you don’t mind others hurting when you edit, so we’re going to edit my way a bit, if you want me to believe in any way that the matter is closed. The lesson here is, a wrong isn’t closed or an abuser off the hook till it’s put right and they commit not to repeat.

Then when that’s done you can fuck off to number 74 to reminiscence with [redacted list of family names] and the family. Or did you think I might be guessing at knowing far more than you thought? You put all that information on the web.By Monday noon EDT (ie Sept 15, 5pm UK, 6pm UTC I think), if you haven’t complied with at least #1 and are visibly in progress on #2 and #3, or there’s one sock you haven’t named, or I ever see one abusive edit after that from you under any name or proxy, the gloves come off for good with no more warning. We can talk as much as you like before then, but when that’s over, we’re done talking and I move on without further discussion if I don’t see a disclosure that I feel is honest and complete.

Others have contacted [redacted] and your workplace — shit happens, too bad, you did expect that, right? As for me, I plan to inform the last major group of victims, your family, not out of malice, but because they are ultimately the only ones who can prevent future abuse here, and recidivism.

You yourself dragged your wife [redacted], her employer [redacted], and your son [redacted] into this by yourself; they are in some ways the biggest victims of all and deserve to no longer be lied to or left ignorant of being taken as victims, as your co-worker [redacted], the beautician [redacted], your boss [redacted], the boudoir’s owner [redacted] whose business you placed at risk, and the rest were.” [emphasis mine]

Kind of takes serious business to the extreme. An Arbitrator says that “half dozen people had been [carbon] copied, including foundation folks. I thought the email was violently objectionable, but no one else seemed to mind. Maybe I’m bonkers?” If this is true, people from the Wikimedia Foundation knew about the content of the message and did nothing.

“No matter what they have done on-wiki, they don’t deserve that. [It’s] still ‘just a website’”—Understatement of the year from an Arbitrator.

Jimmy Wales gets involved and appears to refer to blackmail as “humanitarian kindness”:

“> I don’t know whether FT2 did that due to a momentary slip-up,
> illusions of grandeur, or actual malice. I don’t care whether his
> motivations were good or bad. I simply cannot give my imprimatur on
> him doing any sort of investigation on our site.

Just to be sure I was 100% clear the other day (I’ve been offline for several days due to a computer crash and illness) – I agree with you completely on this.

There are situations in which it could very much be ok to warn a user that continued misbehavior onsite could lead to offsite consequences. My own view is that such warnings should come at the point in which it would already be perfectly ok for us to publish the facts, and should be done as a humanitarian kindness and especially in cases where we think it is likely to be effective.

But this was really not ok at all.” [emphasis mine]

FT2 is still an administrator and has access to the OTRS system. OTRS volunteers deal with emails to a handful of email addresses on behalf of Wikipedia and the Wikimedia Foundation. In his own words:

“OTRS gets numerous emails under real names, describing real issues, legal claims, harassment, threats, and other matters.”

Perhaps concerningly, FT2 appears to actually be working for the Wikimedia Foundation now (from his user page), for time comparison, the above discussion was happening around early 2010.:

“In mid 2010 I was asked to spend time contributing to various projects at the Foundation’s offices, and in 2011 I was invited onto the WMF Communications Committee.”

Predators on my wiki? It’s more likely than you think

Or maybe just trolls and people trying to cause a PR crisis. Here’s the email the Arbitration Committee was going to send to the person in question:

You were asked several times by several Wikipedians interested in your welfare to downplay references to your self-reported age and your reported personal history as a “child porn victim”. Instead, it seems that each time someone asked you to tone things down, you went out of your way to promote yourself as “a little kid”. Your edit notices emphasized that you were “a little kid”, you posted both your age (13) and your reported date of birth on your userpage, and you added an image of a girl even younger than you as “decoration”. This was very provocative, as was explained to you.

The modified screenshot from /b/, an adult-only 4chan forum, that you posted on Jimbo Wales’ talk page again gave the appearance that you wanted to draw the attention of the /b/ editors, known for their vandalism of Wikipedia and their personal attacks directed at our editors. As you frequent the various Wikipedia-related IRC channels, you are well aware of the type of behaviour one can expect from /b/ participants. Your continual demands that people speak to you as if to a young child, posting even on heavily trafficked pages that you were “only 13”, was almost calculated to draw attention to yourself as a very young editor; in particular, your question of a high profile Arbitration Committee candidate, and the request for arbitration that you posted, seemed designed to bring your youthfulness to the attention of an ever-increasing audience. The emphasis on your desire to be spoken to like a child is very unusual behaviour for a 13-year-old girl.

Apart from your behaviour on-wiki, there have been increasing concerns and reports about the stories you have been telling other editors about yourself: that you were kidnapped and forced to do “child porn”; that you are in a witness protection program; that your school burned down so that is why you edit sometimes from [redacted] College, where some of your classes have been moved. (The only school fire reported in the [redacted] area in the past year resulted in the school’s kitchen being out of service for a day.) You have made references to the [redacted].org website, which you say is your father’s website; it’s registered to. He is also the same person who runs the “Help bring Madeline home” pages and you yourself have told me about the HBMH youtube page, which also is run by the same person, and which you say you were involved with.

I note with interest that two of the videos on that site are about internet safety for young people. And yet you would have us believe that your father/parents are oblivious to the fact that you are online until the wee hours of the morning UK time on a regular basis, talking to adult males in private IRC chat rooms, and cruising the 4chan /b/ channel. The moderator of the Youtube page, Steve, says his two daughters were kidnapped for six years, and returned in 2008; I’ve not heard of you mentioning a sister, just a brother, and I also note that there is not a single online news source that corroborates such an unusual case. This combination of stories doesn’t add up very well at all.

User:Sophie, I do not know if you are a 13 year old girl behaving provocatively, or someone pretending to be a 13 year old girl. Either way, the manner in which you have been participating on Wikipedia, starting off with the promotion of the [redacted].org site and now acting as a young child, is not conducive to our primary objective, the development of an encyclopedia.

Additionally “she” offers to provide a photograph of her holding a white board with the date on it to confirm her identity as a 13-year-old, but that she’s “scared of sending it to someone iv not spoken before.”

3. Sophie has presented photo identification to TechEssentials which has turned out to be fraudulent (it’s a copyrighted picture)
<Dusti> 4. In the beginning stages of [redacted].org child pornography was placed on the site.

Just to throw some more weirdness in there.

“Shouldn’t we just be reporting whoever is going around imitating a 13-year-old?”

Yes, great idea!

“Though I’m also aware that there are only two of us in the UK, and I would be reluctant to actually report anything myself, though I think something should be reported.”

No? Oh okay.

But really, predators

A pedophilia advocate was unblocked by the Arbitration Committee with a ban on editing articles about certain topics.

“We tacitly endorsed the continued editing of Davidwr last year. He came to our awareness when he asked permission for topic socks, fearful that editing on local topics could out him. We denied this arrangement, so he continued under his previous deal. He was unblocked a couple of years ago when Fred and FloNight negotiated his return with an unspoken topic ban. Lately, we’re not allowing a topic ban solutions at all. Given the risk of grooming, I think this makes sense.

The only distinguishing feature of Davidwr is that his pedo advocacy was done on an edit-segregated account, and the Davidwr account was swept up by Checkuser. Therefore, there’s no apparent evidence of
advocacy, but does it make sense to rely on this odd fact?” [emphasis mine]

Jimmy Wales Jimmy Wales Black and Whitedoesn’t want to say that pedophiles aren’t allowed to edit Wikipedia:

“At the same time, I am not willing that we should have a witch hunt for pedophiles or anyone else. Nor that we state, categorically, “pedophiles are not allowed to edit wikipedia” — I see no benefit to such a public stance.”

The issues above could have been discussed openly, or dealt with swiftly by actual staff from the Wikimedia Foundation (or wouldn’t have been issues if the ArbCom didn’t exist). In one of the emails Jimmy Wales says:

“To speak of traditionally “law” here, ArbCom is a delegation of my personal powers within the community since day one. I am free to dismiss ArbCom at will.”

Perhaps that’s a good idea.

Image credits: Renato Targa, William Brawley and Cary Bass

Posted in Technology, Worldwide

The Case of the Compulsory iPad

Posted on by Matt Taylor 6 Comments

Decile-nine Orewa College has told parents the iPad 2 will be a compulsory stationery item for all year nine pupils next year.—Stuff

Except that’s not what they said. The letter (pdf) they sent out to parents says a one to one computing device will be required. They list the examples of laptops, netbooks, tablets or iPads.

The decision has been criticized because the college recommends the iPad over the other options and it costs a fair amount of money. The reasons for (pdf) favoring one device—the iPad are clear: teachers and students can support each other easily if they are all familiar with the device, the applications available are vast and battery life is long.

$799?!

One Laptop Per Child BhutanThe lowest priced netbook I could quickly find was one from Dick Smith at $375. Will a student be disadvantaged if they get a cheaper device instead, like a netbook?  I doubt it.

The content from most if not all educational applications in the Apple Application Store will be available somewhere on the Internet. Students will probably end up teaching the teacher how to use his or her iPad. Those without iPads be fine working out their device themselves and Googling solutions to issues as they come up—actually relevant problem solving? Devices with keyboards are arguably easier to type on compared to a device that only offers a touch screen. Issues with battery life won’t be a huge issue—I envision power boards to be plentiful.

iPad 3

How parents deal with updates to the iPad will be interesting to watch, but any update won’t damage the existing features of the iPad 2: strong battery life, large selection of applications and Wi-Fi access.

Usefulness

It has to be said that an iPad isn’t like other stationery. I don’t regularly pull out my compulsory $100 graphics calculator for fun-times around the dinner table. iPads are different. Sharing skills will be tested as everyone in the family wants to use it.

Controversy

What I find interesting is that the first letter is dated June 24th and discussion with parents was going on for 4+ weeks before then. The media are only reporting on this now. It seems like none of the parents involved have had a huge issue with it—no one went to the media straight away.

Orewa College is a decile-nine school, the second highest decile available to schools. It means students generally come from a high socio-economic background. The vast majority of parents won’t have a problem finding the money for a one to one device, and the school has provided options to spread the cost out—“We have enclosed information on purchasing options from Cyclone Computers, that are approximately $10 per week.”

There’s still time for parents to choose for their year eight students to attend a different high school. But it’s a slippery slope when that is the proposed solution to potential issues with a child’s local school and is reminiscent of Brown v. Board.

Congratulations Orewa College for moving forward. Let’s hope that future schools won’t have to go through this when they choose to make one to one devices compulsory.

Image credit: Laihiuyeung Ryanne

Posted in New Zealand, Technology

“Hello, I’m calling from Microsoft…”

Posted on by Matt Taylor 3 Comments

The “computer doctors” have been making their rounds in New Zealand. Consumer Affairs say about 17% of New Zealanders have been targeted by them. They called us, from Djibouti, from what seemed like a crowded call center. They knew our details, just like they’re listed in the phone book. I think they purposely tried to be hard to understand, using the assumption that overseas victims would think it would be rude to ask for clarification a number of times. The address they gave was actually a Border’s bookshop in Auckland. Eventually they hung up after repeated questioning.

Computer doctorThe story

Their story seems semi-plausible, but is fake: they’re calling from Microsoft or a computer repair shop and have noticed some strange activity from your computer. They tell you to go to a legitimate folder or the Windows Event Viewer and say that if there’s a lot of files or entries there (which there will be) that it’s very bad and means your computer is infected. But fear not! It can all be solved for a reasonable price, plus they’ll continue to support your computer. Just give them your credit card number to be charged a recurring fee and they’ll remotely fix your computer for you…

Don’t trust cold callers

NetSafe recommends asking for their company name and phone number and Googling them to see if they’re who they say they are. I haven’t heard of any legitimate tech support companies cold calling for customers and I don’t imagine it would be hard to create a professional looking website and redirecting a New Zealand phone number if someone overseas was truly determined. So I’d say don’t trust cold callers with remote access to your computer or your credit card information at all, even if they seem legitimate.

Legitimate help

If you need help with your computer there are people on online forums like Geeks To Go that will help you for free, or ask friends and family for a recommendation of a quality company you can visit in person.

The NetSafe post has some good links. NetBasics is an animated video series by NetSafe on staying safe online. The real Microsoft has an article on speeding up your Windows computer, another line the callers use. And the Event Viewer might seem confusing, but Microsoft provides a tool to look up what the entries mean.

Symantec’s experience

Symantec investigated a similar scam being run overseas, recorded the conversation and recorded what happened to the computer. The agent “Brian” gets Orla (who’s from Symantec and is pretending to be a novice computer user) to open the Event Viewer and tells her that she has a serious infection. But it’s alright, they can fix it!

A remote connection to the computer is set up using legitimate third-party software and it looks like their technician is doing something important by running check disk, disk cleanup and deleting some temporary files. Brian informs Orla that she has a lot of malicious files on her computer and gets her to sign up for a one year support contract to solve her issues. After receiving her credit card details insecurely via email, as well her name, address, phone number, email address, email password and getting her to fax a copy of her driver’s licence, the bad infection was “removed” by deleting the innocent items from the Event Viewer and turning off event logging. Of course, with unrestricted access to a computer, the people behind these operations have the ability to install malicious software they claim to be removing. The video is below. At the end the business is confronted about their misleading practices.

If you get called by these people, submit a report to NetSafe’s The Orb. Maybe you want to have some fun with them first. A Fair Go viewer said they apparently get very annoyed when after they’ve been trying to pitch you for half an hour you tell them you have a Mac instead of a PC.

Have you been called by these people?

Image credit: Tabitha Kaylee Hawk

Posted in New Zealand, Technology

The Life of a Spam Email

Posted on by Matt Taylor 1 Comment

Cans of spamA group of researchers have published a very interesting paper: Click Trajectories: End-to-End Analysis of the Spam Value Chain (pdf). Using three months of spam data and by purchasing over 100 products advertised by spam emails, the researchers followed the life of a spam email and investigated where the money from purchases actually goes. They found that the people behind 95% of spam-advertised pharmaceutical, replica and software products are using just a handful of banks for their merchant services. Anti-spam efforts focus on the delivery aspect of spam, but there is potential for the quantity of spam to be significantly reduced if the banks the spammers are using are targeted.

Purchasing from spam emails

The researchers collected spam-advertised URLs and data about the hosting infrastructure and DNS of the spammed websites. They grouped the sites by content structure, category of goods and affiliate program and/or storefront brand. The most popular goods advertised in spam: pharmaceuticals, replicas and software were focused on. Pornography and gambling weren’t focused on for “institutional and procedural reasons”.

Purchases were made from each major affiliate program or store “brand” and they tried to order the same types of products from each site to try to gain insights into the differences or similarities in product suppliers that are used. A specialty issuer of prepaid Visa cards teamed up with them and let them use a different card and obtain the authorization and settlement records for each transaction. For legal reasons pharmaceutical purchases were limited to non-prescription goods like herbal and over-the-counter products. Software purchases were limited to products which the researchers already possessed a license for.

120 purchases were made, 76 of which were authorized and 56 of which were actually settled, though half of those failed orders were from one affiliate program which researchers attribute to the large order volume raising fraud concerns.

The honest spammers

A finding I found interesting from the paper is that the likelihood is quite high that you’re not going to be ripped off when ordering through spam emails.

Out of the 56 “successful” orders, 49 of the products were delivered and received. Only seven of the products weren’t delivered. Out of those seven: four sites either sent packages or said they’d send packages after the mailbox lease had ended, one said that the money had been refunded (however the refund hadn’t been processed three months later). Only two “lost” orders received no follow-up email.

The researchers explained the reasoning behind actually fulfilling orders would be so the site would get any potential repeat orders and because their relationship with payment providers could be jeopardized if chargebacks were made by customers who didn’t receive items.

Update: One of the researchers, Stefan Savage, confirmed to me that none of the Visa cards used on the spammed sites were subsequently used fraudulently. It also looks like the pharmaceutical products were legitimate. He says “we only ordered a small subset of goods so any results aren’t representative.  However, we did some limited mass spec testing of a few pills against reference samples and the active ingredient was found to be the same and in a similar proportion — note we only tested for the active ingredient and didn’t look at things like binders, contaminants, etc.” Software was pirated, but malware free.

Research done by F-Secure supports this: almost all of their goods ordered from spam emails were delivered, none of the credit cards they used for orders were “stolen” and email addresses used to order the goods didn’t receive an increase in spam.

New Zealand’s fulfillment role

By volume, most herbal products shipped from the United States, but China and New Zealand were also in the mix.

Spam Shippers

A Christchurch based company turned up in results—Etech Media Ltd. Ironically, this: Etech Email is the email address listed in their whois record.

Perhaps unsurprisingly, the company in question and its owner aren’t new to the spam game. Sole shareholder and director, Shane Atkinson was fined $100,000 in 2009 for sending spam under the name ‘Herbal King’. His occupation listed in the 2005 electoral roll was “pro spammer”. The Herald “understands” that Etech Media’s office was one of the addresses searched in spam raids in 2007. In 2003, Shane admitted to sending up to 100 million spam messages a day, that spamming allowed him to have a nice car and house and said he “had no qualms about it”. “In a later interview, Atkinson said he had given up spamming.”

Perhaps not entirely?

I’ve emailed Etech Media to see if they’d like to comment.

The spam bottleneck

The researchers tried to identify bottlenecks in the spam value chain—stages where few alternative options are available and ideally where switching costs for spammers are high. Which intervention would have the most impact?

For the 76 authorized transactions, there were only 13 banks acting as “acquirers”. Herbal and replica purchases generally cleared through St. Kitts & Nevis Anguilla National Bank. Most pharmaceuticals through Azerigazbank in Azerbaijan and DnB Nord (Pirma) in Latvia. And most software purchases through Latvia Savings in Latvia and B&N in Russia.

Spam BanksThe researchers say that the banking/payment component of the spam value chain is the most critical. Payment infrastructure has “far fewer alternatives and far higher switching cost”.

  • Only three banks provided payment services for over 95% of the spam-advertised goods in the study:

    Spam Bank Stats

  • There are only two main payment networks in Western countries—Visa and MasterCard.
  • The replacement cost of a bank is high in setup fees, time and overhead. Acquiring a merchant account requires a lot of coordination and time. Banks used by the major affiliate programs were either still the same four months later or had changed to another one in the set identified above (only one new bank appeared four months later—Bank Standard in Azerbaijan).

Perhaps a solution is for banks that issue credit cards in Western countries to refuse to settle certain transactions with banks that support spammed goods with specific Merchant Category Codes when the card is not present. All software purchases were coded as Computer Software Stores and 85% of all pharmacy purchases were coded as Drug Stores and Pharmacies. There were some exceptions however “generally speaking, category coding is correct”. “A key reason for this may be the substantial fines imposed by Visa on acquirers when miscoded merchant accounts are discovered ‘laundering’ high-risk goods.” Similar policy has been implemented with MasterCard and Visa not allowing US-based customers to transact with online casinos.

The paper concludes: “the payment tier is by far the most concentrated and valuable asset in the spam ecosystem, and one for which there may be a truly effective intervention through public policy action in Western countries.” However spam is probably profitable for banks and payment processors too, so they might be hesitant to do anything about it.

How much spam do you receive at the moment and how much makes it to your inbox? Do you know anyone who has bought something through a spam email?

Image credit: freezelight

Posted in New Zealand, Technology, Worldwide

A New Normal

Posted on by Matt Taylor 6 Comments

Christchurch Earthquake 22.02.11

A month ago, to the day, a new normal for all of us in Christchurch began. Tap water isn’t drinkable and now smells like bleach. The CBD is a wreck, something like one in three buildings will have to be demolished. The roads are covered with bumps, cracks and silt. And the game of guessing the magnitude of an aftershock has lost a lot of it’s charm. On the morning of the 22nd, school started later because of a teacher’s union meeting. Friends from school posted on Facebook that the school swimming sports weren’t going ahead that day because of the weather. It was looking like an average day.

At 12.51pm I don’t think anyone realized that the quake was going to be any different to the numerous other aftershocks we’ve had. But this one kept going. Everyone in the Chemistry lab we were in safely got under the tables. Maybe surprisingly, no chemicals were spilled or glass broken. After the shaking stopped, I grabbed my bag on the way out and we all went to the field.

About an hour later, still on the field, just after replying to someone on Twitter that they should hold off trying to get in touch with friends in Christchurch via phone because it sounded like everyone was fine, I read a tweet that the quake had claimed lives. We experienced a strong aftershock while at school near the end of last year. I think we all thought that this would be the same: that there would be no deaths, not 166+. That the city centre would be accessible in a few days if it was cordoned off at all, not in months. That boiling water wouldn’t be required at all, not for longer than a month. The 166+ people dead are our people. I completely agree with Moata that it’s unlikely that someone in Christchurch doesn’t at least know someone who knows someone who has had to attend a funeral over the past few days and weeks. No one thought we would have to adjust to a new normal.

“All of my friends and family have been accounted for, though the chances that an acquaintance or a friend of a friend has not been killed is fairly low. There are only a couple of degrees of separation in Christchurch.”

Technology

A few days post-quake, I saw an article about cyberbullying in schools relating to teachers searching phones. I’m not doubting the seriousness of the problem, but one of the commenters suggesting banning cellphones altogether in schools. Without most students having a cellphone, the task of getting everyone home from school with an adult (especially for younger students), with limited access to buildings (and their landlines) until they were checked by engineers would have been made even more difficult. Technology is something that should be embraced everywhere. The uses of it post-disaster illustrate that point perfectly. Garth Bray, a TVNZ reporter, talks about how helpful smartphones were after the Japan earthquake here.

Back at home, a few hours afterward, our place was relatively untouched. The power and water were out and silt made it’s way into the garage, but they were little problems compared to the big picture. With our cellphones, mobile data and battery powered radio, we still felt connected.

In the time it took me to get home, the IT community of New Zealand and beyond already had the EQ.org.nz map up in one form or another, running Ushahidi (I love the name, it is the Swahili word for “testimony or witness”). Over the next two weeks it complemented media coverage by mapping the locations of important resources for Christchurch residents, like available ATMs, petrol stations that were open and what the restrictions on petrol there were, where water, medical treatment and showers were available…. Within a day or two they managed to arrange the short code text service for EQ.org.nz with Telecom, Vodafone and 2degrees, volunteers to man the messages coming in through the website, meetings, a partnership with the Student Volunteer Army and media coverage (the map was mentioned in newspapers, on the TV news, on Teletext(!), Fair Go and by the @CEQgovtnz Twitter account)… If I was in charge of an emergency, I’d want to be working with these guys. The media were great. Fairfax, and in particular Reuben Schwarz liaised with EQ.org.nz and Stuff.co.nz switched from using their own instance of Ushahidi to the EQ.org.nz instance. Google and TradeMe, among others, set up pages to help too.

By now, my sister had walked home from the CBD with colleagues and brought with her the war stories of what town was like. What the Cathedral looked like, the chaos and the people. That the huge window beside her that she climbed out of had luckily burst outward instead of bursting in towards her.

The paper blowing down the street in this video is chilling. The businessmen in suits trying to do what they can to help and office workers turning into rescue workers is heartwarming.

Over the coming days we started to get into the hang of the new normal, which involved filling up bottles of water at my granddad’s house and using his shower. A couple of times we received wrong number calls from people trying to find out if their loved ones were okay. They responded with something along the lines of “oh, I thought you were x and alive”.

The two times I ventured into the cordon with Project7 as a photographer, everyone was friendly, including the army personnel and the other media. The feeling in the cordon was eerie and somber, but still hopeful. Silt that had emerged from beneath the ground had effectively buried cars parked on the streets. Shop fronts were shattered and fluro writing was spray painted on to mark that a building had been checked for people. Cars were crushed by falling masonry. Buildings had collapsed. About a month before the quake I was at the top of the Cathedral’s tower, which collapsed in the quake and near the top floor of the Forsyth Barr building, where the exit stairwells collapsed. I had a slight feeling of guilt that media were allowed in the cordon, but business owners that needed to get essential equipment and documentation out from their buildings were not. I know businesses were starting to be let in shortly after my last trip in, but there is still anger within the business community. I think many probably regret not grabbing some things on their way out.

I have mixed feelings about the memorial service that was held. I didn’t attend, or really watch it, but I have read that many people found it touching. On the other hand I read that some families couldn’t bring themselves to attend because their grief was still too raw. Businesses would have felt the effect of either having to close for another day, or paying employees time and a half plus giving them a day in lieu. Students missed out on another day of school. It sounds like it helped people, which is great, but I think it could have been held at a better time later on.

If the quake did anything, it made everyone stronger. It confirmed what I think everyone knew, that in a natural disaster there are many people who are kind and selfless. Our New Zealand spirit shined. CTV’s building was one of the most badly hit but the message on their channel was “down but not out”. The press conferences introduced foreign media to terms like buggered and munted. Our mayor, Bob Parker, in one of the press conferences talked about one of the main sign language interpreters being given the name “hot Jeremy” by a Facebook fan page. Forgotten time capsules were discovered in town. And a boulder that smashed through someone’s house was sold via a hilarious auction on TradeMe.

You can have a look at my photos of the quake here, here and here.

Posted in New Zealand, Technology