The War On Youth: “Random” Pak’nSave Bag Searches

Trolley outside shop

Update: Pak’nSave responds.

An open letter.

Dear People of Pak’nSave Riccarton,

On 15 December I shopped at Riccarton Pak’nSave with a group of other young people.

After purchasing items at a self-checkout directly in front of one of your staff (really, she was right beside me), she requested to search my bag. I had not touched the bag during my visit so this request was not based on any actual evidence that I had attempted to steal something, like from a store detective or a camera.

It was extremely obvious that this was not a random search, as she called it. It was because of my age. Three other people from our group were selected for a “random” search. I wonder how many women with handbags were searched that day? I know my friend that came through the self-checkout after us wasn’t.

I declined the request.

I waited for the rest of our group and left the store. I was followed by a store manager who put his arm touching up against me, and tried to stop me from leaving. I declined again, which I have the right to do, no matter your signage, and walked away.

It’s disgusting to treat your paying customers like this.

Do you consider that bags contain personal possessions? That most people wouldn’t decline your request to search, because it makes them look and feel like a criminal? That searching personal possessions could reveal, say, a private medical condition?

I wonder what the purpose of these “random” searches are. Say I did consent to the search, I had items in my bag that I didn’t buy or steal from Pak’nSave, but that you sell. I didn’t have the receipt. What would happen then? Would you accuse me of stealing those items? Would you call the police on me? If not, why are you searching young people? Scare tactics? That isn’t the definition of a reasonable search.

If it is your policy to target young people or people with backpacks (read: young people), it needs to change. It is discriminatory and wrong.

If you weren’t the only supermarket at Westfield Riccarton, I wouldn’t shop with you again.

Kind regards

Matt Taylor

Image credit: bfick

Update: Here’s Aliza Eveleigh on bag searches (click for larger version): The Star Aliza Eveleigh bag search

Clear Webmail Security: A Series Of Unfortunate Events

When you visit this website, like most others, analytics software on this end records some information about you, including what website brought you here.

Following a link from an email isn’t usually a problem. However, when your provider is Clear/TelstraClear’s and you’re using webmail it is. Or was.

The Clear referring URL lets someone access a customer’s emails by simply clicking on the link (until, I assume, the session is logged out, timed out or the customer’s password is changed).

This applies to virtually any site visited through TelstraClear’s webmail.

Authenticity required

What’s in your emails?

This becomes a very big problem when you think about what someone keeps around in their emails. Google wants to encourage its users to archive everything. Perhaps this post contains a very convincing argument as to why you shouldn’t archive everything, and instead make liberal use of the delete button (or move the emails to your computer).

Here’s some examples of information routinely sent to and stored in email accounts that would be very useful to someone with bad intentions:

  • Unencrypted payslips, with IRD and bank account numbers
  • Shipping notifications, with addresses, phone numbers and courier tracking codes
  • Work emails that have made it into a personal email account
  • Information on utilities and addresses supplied from power company e-bills
  • Broadband or other service activation email, containing usernames and passwords to webmail and/or internet access

Response

A power company told me that the information contained in their e-bills isn’t all that private. They said that their customers like the convenience of not having to log in to access their bill and that they consider all feedback on their services.

TelsraClear said that the issue has been fixed, that “this was the first time the issue has been raised” and that they “take security very seriously”.

Understandably TelstraClear were “not too keen” on this post going ahead as “it might encourage attempts to hack the webmail application” which “might still cause service problems for legitimate users if such an attack was to take place”.

However, maybe a real life example will hit home with people, even if they’re not with TelstraClear.

Because how secure is your personal information?

Update: Christchurch City Libraries responds with why they include addresses in the emails they automatically send out.

Image credit: Dev.Arka

Doing The Government’s Work For Them

Internet surveillance, censorship, and avenues of resistance with anonymity with Jacob Appelbaum, Researcher and Hacker, The Tor Project.

Go watch Jacob’s talk here.
Jacob Appelbaum talkPoints I found interesting:

  • The concept of lawful surveillance. We make it compulsory for telecom providers to make their networks buggable. Would there be outrage if a law was passed that every road must have a camera and microphone on it?
  • If you’re not paying for something, you’re the product.
  • Visualize your cellphone as a tracking device that can also make calls, go on the internet and text people. If the government forced you to carry it everywhere, you’d riot in the streets. They don’t need to; you do their work for them. You carry it with you, willingly.

John Key, John Banks, the Black Bag, and the Tea Tapes

Update: Teapot tapes have been released, here’s the recording.

There’s a little black box bag, yeah,
somewhere in the ocean on the table,
holding all the truth about us.
It’s a little black box bag,
a record of emotion,
everything that ever was.

You may deny it, deny it,
but when I find it, find it,
I’m gonna play it aloud to the world.

–Stan Walker

Two Johns and a black bag

 Oopsie

Invite media to a bit of political theater starring you and Other John, public figures, in a public Newmarket café.

Kick media out of said event. But leave some media close enough they could have “leaned over and touched the prime minister on the shoulder”.

Forget what is normally on a table in a café. Ignore the large black thing that could contain anything.

Have a wee chat. Maybe about Don Brash and how he might be rolled after the election.

Find out the black bag actually contained a radio microphone and the conversation was recorded. Oh no.

How to turn a little oopsie into a big oopsie

Call contents of recording “bland”.

Don’t give permission for the “bland” recording to be released.

Call the police on cameraman Bradley Ambrose, who allegedly accidentally recorded the conversation (which generally wouldn’t be illegal). Even though you’ve said before, regarding privacy, that “anyone who is innocent has nothing to fear”. Police get search warrants to search multiple media outlets.

Storm out of press conference after media ask questions about recording.

Compare what happened to the systemic hacking of murder and suicide victims’ phones in order to sell newspapers, ie. The News of the World.

Set the recording free

Chief High Court judge Justice Helen Winkelmann declined to make a judgement on whether the recording was public or private because it would be a “mini-trial” which would interfere with an ongoing police investigation.

So no tea tapes before election day on Saturday, unless some devious media outlet releases the recording even though they could face legal action(oh noes!!!@@).

MPAA Propaganda

Look what I found at the end of the Hoyts ticket counter:

Respect Copyrights leaflet 1

Respect Copyrights leaflet 2

Respect Copyrights leaflet 3

Respect Copyrights leaflet 4It contains some interesting content.

“Remove unauthorised material from your computers”

“While not required under the new law, illegally obtained copyright protected material may still be file shared and therefore should be removed.”

Read: buy the files you downloaded illegally in the past. Helpful advice would be to remove peer-to-peer software from your computer if you’re not using it, or to stop sharing illegally obtained material if you’re doing so (eg. stop seeding).

“What are the risks of P2P file sharing?”

“P2P file sharing can expose your computer to harmful viruses, worms and trojan horses as well as annoying pop-up advertisements. There is also a real danger that private information on your computer may be accessible to others on P2P networks.”

Finding files through moderated sites (which can remove harmful torrents), reading the comments on torrents and having up-to-date anti-malware software all reduce this small risk of harm.

The “real danger” of private information being inadvertently shared is practically impossible with torrenting. LimeWire, FrostWire and friends were possibly deceptive about what user’s folders were actually being shared in the past, but now LimeWire is dead and FrostWire exclusively uses torrents, so it shouldn’t be a problem anymore.

But points for including the relatively unbiased URL of NetSafe’s The Copyright Law, albeit in tiny print down the very bottom on the back page.

Respect Copyrights.co.nz

This site is interesting, especially when you compare its list of legitimate places to buy movies and TV shows to the US version‘s list.

Our list for TV shows is basically the On Demand sites for the free-to-air TV stations, plus iSky. On the movies side we have iSky, the console networks and iTunes, which is also listed as having TV shows, but that’s not the case in New Zealand.

Respect Copyrights New Zealand legal alternatives

In comparison, the US site lists 43 legal alternatives, including iTunes (which you can actually get TV shows from in the US, or by using a US iTunes account), Hulu and Netflix.

Respect Copyrights US legal alternatives

And the MPAA wonder why people illegally download movies and TV shows in New Zealand?

On a plus, Respect Copyrights has removed that ridiculous clause from their Terms of Use stating that no one was allowed to link to their site without their “express written permission”. Their grasp of the internet is growing!

Spotify

Good news on the music front though. Music streaming subscription service Spotify is coming to Australia and New Zealand, possibly around February next year. The downside is that they’re now in bed with Facebook, so you’ll need a Facebook account to use it.

NZ Movies

Jonathan Hunt and Lance Wiggs illustrate how inadequate the sites MPAA lists are. MPAA, NZFACT and friends love harping on how people pirating movies like Boy are harming our movie industry in New Zealand.

But you still can’t download it legally from iTunes.

And I wouldn’t count on it being added either. Remember Sione’s Wedding? You know, the movie released in 2006 that cost “its investors an estimated $1 million” because it was pirated?

It’s not in the New Zealand iTunes store five years later.

Sione's Wedding New Zealand iTunes Store

But of course, it’s in the US iTunes store as Samoan Wedding.

Samoan Wedding United States iTunes Store

Nice one. Perhaps more kiwis would support their creative community, if, you know, you actually made it easy for them?

You Seem Confused, Let Me Help

Whaleoil, Catcus Kate and friends have blogged about a letter mailed to prospective voters by Labour.

This is, I assume the abridged version of what someone sent Whaleoil:

“A very ‘classy’ threat from Labour (see attached), it makes me wonder how do they get information about my child… and even if info is accessible, the use of it is rather inappropriate.”

Here it is:

Labour mothers mailer 1

Labour mothers mailer 2

Child’s information

The first time I read it I thought the person meant the child on the front of the mailer was her child, because of the emphasis of her child’s details (careful editing?). That isn’t the case. Labour used the electoral roll’s information on gender, occupation and, I assume age, to target their mailer.

“You won’t be around”

The first time I read the main statement: “Under National you won’t be around to celebrate her 1st birthday”, I thought of death. But in the context of the second page, it becomes apparent that Labour is talking about having to work. If that was intentional, it’s distasteful, but not end of days stuff. Either way it’s a poor choice of words I don’t think illustrates the point well–there’s nothing stopping someone having a birthday party on a weekend instead of a weekday. Mothers who choose to work deal with this already.

One or five?

The second paragraph on the second page is misleading too. “But under National’s new welfare policy, beneficiaries who get pregnant will be forced to find work when their baby turns 1”, but so is Cactus Kate when she says the return to work is actually when the baby is five.

What I think Labour is trying to get at is if someone has a baby and already had a child, under National’s policy they will have to look for part-time or full-time work when the new baby is one.

From National’s fact sheet (pdf):

“Those receiving Sole Parent Support will be expected to look for part-time work when their child is five years old and full-time when their child reaches the age of 14.

Those who have an additional child while on benefit will be exempted from work expectations for 12 months, in line with parental leave provisions. Work obligations will then revert to the age of the youngest child when the parent went on benefit.

For example, a beneficiary with a seven year old, who has another child, will return to a part-time work expectation when their newborn turns one. A sole parent of a fourteen year old who has another child will return to a full-time work expectation after one year.”

More from Cactus Kate

“And lets think from a working parents perspective, if the child has a party during the day they miss the bloody party don’t they as they are WORKING? Imagine picking this out of the letterbox when you know you will miss their birthday as you are working as most parents are. Like they should be guilty for not being there.”

Remember, this is the Solo Parent Support benefit. Why and how as a solo parent would you throw a party you couldn’t attend? If Kate means a couple where one parent is working and the other is throwing the party, it sucks if both parents can’t make it. But there’s nothing stopping the parent trying to get time off of work, or being flexible with the time and date of the party, eg. throwing it on a weekend.

Forced to return to work

I think the key message Labour is trying to push is that there would be no choice for you if you didn’t want to return to work. The intention isn’t to make working parents feel bad for going back to work when their child is one, but that they should have a choice whether to or not.

Jagex’s War On Bots ft. Scare Tactics, Subpoenas and PayPal

Jagex, the makers of RuneScape are suing Impulse Software et al. in relation to their sale of bot software that effectively plays the game for a person without needing much human interaction. It’s part of their crackdown on bots; Jagex claims using bots to play violates their rules, is unfair to other players and ruins the game.

Subpoena

As part of the Impulse court case, Jagex subpoenaed Google and PayPal seeking further information about email addresses, YouTube accounts and PayPal accounts.

The information provided by PayPal included personal information on 70,000+ customers who had bought Impulse’s bot software.

Code on wallDéjà vu

An “outside counsel eyes only” protective order was issued for the information PayPal provided, which meant that the information couldn’t be shared with Jagex employees. Jagex didn’t seem to be happy with this though, so in a different court (U.S. District Court for the Central District of California) and using the same legal counsel, on July, 1, 2011, they subpoenaed for the same information in a different case, Jagex Limited v. John Does, and were allowed to share the results with their employees.

[Quotes used in this post are mainly from a PDF of the case that used to be available at http://www.mediafire.com/?ba2nu8puj96tq5b]

“[The] Plaintiff and its counsel misrepresented the scope of this pending lawsuit by stating that the action involved ‘a developer and seller of Bot software.’ The Notice failed to state that Plaintiff already accused Defendants of having used one or more Bots to allegedly circumvent Jagex’s automated technological measures thus making Defendants a party to both suits.” “Plaintiff and its counsel also failed to inform the court in the Central District of California (CDC) lawsuit of this Court’s Protective Order.”

“Even though Plaintiff and its counsel were bound by the Protective Order entered by this Court and were fully aware that Defendants’ customer information was CONFIDENTIAL-OUTSIDE ATTORNEY’S EYES ONLY, using the subpoena power of the Central District of California, Plaintiff’s counsel undertook a calculated clandestine action to serve a subpoena on PayPal to obtain Defendants’ customer information and turned Defendant’s customer information over to its client who then misused the information.”

Mass email

On October 25, 2011, Jagex sent out a mass email, presumably to those whose information they gained from the PayPal subpoena:

[The forum post is now gone, probably because the very fact that they have to clarify the legitimacy of an email shows that it wasn’t a very effective cease and desist notice.]

26-Oct-2011 06:44:16
Last edited on 26-Oct-2011 06:49:30 by Mod Timo

Hello everyone,

As a part of the update some people will have received the following e-mail communication:

Dear Player,

We have strong evidence that you may have purchased and used botting software in the past, specifically ibot software.

Botting and the cheating it brings is destroying your game, violates Jagex’s rights under the Digital Millennium Copyright Act (DMCA), and any player that continues to engage in botting activity has no place in our community.

As part of bot nuke week we are offering you a 1 time amnesty and settlement lifeline, which is a chance to reform and change your ways. We’d like you to contribute to the community in a positive way, to compete on a level playing field as everyone else does and play in the true spirit of the game, with integrity. All of your accounts, main and otherwise, are now on our watch list and will be monitored for the use of ibot and all other inappropriate third-party software. Regardless of who you are or how long you’ve been with us, if you decide to cheat and bot ever again we will have no hesitation in: (1) permanently removing your account from our wonderful community in order to protect Jagex’s rights under the DMCA, and (2) naming you as a defendant in Jagex Limited v. John Does, which is a lawsuit based on DMCA violations that is currently pending in the U.S. District Court for the Central District of California (Civ. Action No. SACV11-00969-CJC).

Please note that this amnesty and settlement offer is protected under Fed. R. Evid. 408. If you ignore our offer and instead continue use botting software, we reserve our rights to pursue statutory damages against you for between $200 to $2,500 per act of past, present, and/or future botting in accordance with 17 U.S.C. 1203(c)(3).

We do hope you make the morally sound and lawful choice of turning your back on bots. We look forward to seeing you in game having fun in a way that is true to the spirit of fair play and respectful to your fellow players.

Yours sincerely,
Mark Gerhard

I can confirm that this is an official statement from Jagex to the recipient. Please note that there are no website links in the main body of the e-mail. Should you receive any e-mails that contain the above text with website links or additional information, they are likely to be phishing e-mails and should be ignored.

Kind regards,
Mod Timo

Jagex cross referenced those subpoenaed email addresses with their own records, and the next day began sending the same message through the internal Jagex messaging system to individual players.

Interestingly, Jagex recently started giving an increase in bank space, where a player stores items in the game, as an incentive for registering your email address with your account (when RuneScape started, email addresses weren’t required).

Although Jagex claims RuneScape has a large adult player base, it is almost certain that minors received the messages as well. They’re full of legal jargon and are similar to the extortionate letters the music industry (or their lawyers) send. It strikes me as unethical to send threats like that to children.

If Jagex are confident in their bot detection system, how about instead of going from one extreme: no action “we’re watching you”, to another: legal action, they use their in-game powers and just ban accounts if the re-offend. Legal action seems like an unnecessary and scaremongering threat.

Privacy and a chance to response to the subpoena

“In the cases cited by Plaintiff… the individuals… were given a specified amount of time to object to the subpoena through a Motion to Quash and/or Motion to Dismiss… The first time Defendants and their customers learned of the CDC lawsuit is when their customers began receiving a copy of an email from Jagex on October 25, 2011 followed by the message post on October 26, 2011.”

The forum posts I’ve read support this.

Jagex’s counsel say “it was and is our understanding that PayPal would have notified the account owner(s) of the account(s) associated with any email address in the subpoena in order to provide that account owner(s) an opportunity to address the subpoena, prior to releasing the requested information or documents.”

The reply:

You know that PayPal did not notify my clients of the pending subpoena in the Boston suit when you served the first subpoena without first noticing Defendants’ attorneys. Therefore, to now state that Banner and Witcoff understand/understood that PayPal would notify the Defendants is suspect.”

“This lawsuit’s different”

Jagex disagree that they’re focusing on Impulse Software’s customers and say they just want to “identify [our] own customers who [we] believe may be in violation of S1201(a)”.

The reply:

“Your claim that the John Doe action does not involve our clients is illusionary at best. Not only did [you]… seek to obtain permission to subpoena my clients’ records from PayPal, but the identification of the Doe’s in the Complaint filed described my clients as well.”

“Under the discovery requirements in our pending case and the Local Rules… you had a duty to inform us of the John Doe action… Even when we sent you a letter inquiring about a Press Release issued by Jagex suggesting a violation of the Protective Order, you consciously omitted disclosure of the John Doe action.”

The suggestion of the protective order violation comes from this paragraph:

“We are constantly looking into ways of making the game experience the very best possible for all of our players and as part of our on-going programme to rid the game of bots, Jagex is actively pursuing companies that support the macroing market as well as those who bot. As such we are currently pursuing various bot developers through multiple legal channels, although sadly we cannot yet disclose the full details of our actions for legal reasons. Separately, as part of normal legal process and procedure, we have also taken steps to acquire the details of all players who have purchased bots. Once we have the information regarding the players involved we will take action specifically to ensure that these players are not compromising the game’s integrity through the use of a third party programs.”

This is turning into a very interesting case. Maybe it’s not the best time for business for Impulse Software, but if they come out of this in one piece this could turn into the best advertising money can’t buy.

Image credit: Nat Walsh

First Three Strikes Notices & a Centralised Notice System?

First notices

The New Zealand Herald is reporting that the first(?) notices under the new Copyright (Infringing File Sharing) three strikes law have been received by ISPs. They’re from the Recording Industry Association of New Zealand (RIANZ) for songs by Rihanna, Lady Gaga and Taio Cruz.

It would be extremely interesting to know the specifics: what songs were downloaded and what downloading method was used.

Centralised system

The Pirate Bay Street ArtStuff reports that rights holders have been in discussion with ISPs over creating a centralised system to make it easier for ISPs to deal with copyright notices.

Tech Liberty has found two companies, IPSafe and Datacom, that seem to be interested in that centralised system. The letter they received from the Ministry of Economic Development in response to an Official Information Act request is here (pdf).

No word on how a centralised system would ensure the privacy of ISP customers.

Image credit: Jakov Vilović

Red Zone Secrets

Here is something I don’t get. If it is safe for demolition workers to go through the contents of earthquaked buildings before/while/after they’re demolished, why is it not safe for the occupiers?

“Safes found during demolition – there had been only half a dozen – were either opened under police or security firm supervision, or, if they were attached to concrete, dumped.”

Why is this even necessary? Is it that hard to work out that a safe found in the rubble of building X maybe belongs to someone occupying building X? Could we build on that and guess that someone occupying building X would be able to open the safe themselves, without force, even if it is attached to concrete?

ConfidentialScarier, is that computers and files containing confidential information, in this case mental health records are 1) being “thrown out” at all and 2) if they are “water-damaged”, which doesn’t fly with me, aren’t being disposed of securely.

“The items she was most concerned about included files and computer hard drives containing personal information. Securities House, a seven-level building in Gloucester St near Latimer Square, was demolished by March Construction and Shilton and Brown in May. It housed at least nine mental health agencies.

Tenants, tipped off about the demolition, managed to stop a truck leaving the site in the rain and divert it to an empty section where the contents were tipped.

Tenants then spent the next two days retrieving files from the rubbish. The files had been in locked metal cabinets which had been emptied.

Office manager Mark Petrie said he had contacted a project manager at the time of the demolition to be told no chance existed for any records or personal effects to be salvaged.

He was told all records were water-damaged and filing cabinets rusted.

A former Shilton and Brown worker who worked on the Securities House demolition told The Press workers were told to throw files, many of which appeared to him to be in good order, in the rubbish.”

Where have some files gone? Who knows.

“Canterbury Muscular Dystrophy Association office manager Eris Le Compte, whose office was on the first floor of Community House, said she had gone to look for the 230 personal medical files she had in her office.”

Hopefully other businesses are doing better, because it’s not just a couple of buildings in the red zone that are housing sensitive information.

CERA feigns ignorance. Clearly some demolition contractors have no idea what they’re doing (or every idea of what they’re doing). If CERA has no knowledge of specific cases of important belongings going missing inside the red zone they’re obviously not doing a very good job.

“A CERA spokeswoman said CERA regularly and actively engaged with contractors who had a clear understanding of their obligations within contracts and the law.

‘We have no knowledge of the specific cases you refer to and we can’t comment on whether any allegations of loss of goods within the CBD Red Zone are attributed to contractors’ staff or some other person,’ the spokeswoman said.”

What’s been going on inside the red zone raises a number of issues businesses need to be planning for. After an event like the Canterbury Earthquake, how effective will locks, safes, and filing cabinets be at protecting valuable and confidential information through demolition and when 930+ people are left roaming in and around your building for a significant period of time?

Image credit: Jeremy Keith