Drapetomaniac

I'm met several people who aren't too sure what water boarding is. Gnooze.com (The G is silent) is one of my daily news sources. It's like a 2 minute Daily Show. Marta Costello has some brief visual aides for those still wondering what it is and if it's torture.

There seem to be more e-mails coming from Tagged.com. "You've been tagged by..." The first one I got was via a mailing list that wasn't set up properly - one where anyone can e-mail the whole group. I then started getting tagged by strangers.

EWeek did a good walk through of how the program harvests your e-mail after it's aggressive presentation to get people to sign on using their gmail or yahoo identity. It then uses that to scrape your e-mail box and send massive amounts of e-mail. I have seen several people now complain after the fact because they weren't aware they gave away their credentials - or at least found a momentary moment of trust where they felt comfortable doing it.

The more bothersome part is that it is a very profitable business targeting teens.

If you have any inhibitions about sending friends invites for new social networks, don't click on "you've been tagged" messages because you won't have much of a choice once you start their sign up process.

Social virus?

Recently, the FCC ignored public, democratic desire and made it easier for large organizations to monopolize news markets. This means, of course, that information will be coming from fewer and fewer sources. This is an unusual concern for Americans, but when we condemn Cuba for state owned media, this is why. Is there a difference between one government, or three corporations controlling the flow of information in a country?

In the world of reputation, Cox Networks has showed how large networks can make stupid decisions. In Google PageRank, you try to get many reputable links over time and increasing your reputation as a resource. That is helped by gaining links from other sites over a period of time. In this case, Cox registered a new site no December 7th and wants to manipulate it's reputation. So, it can take advantage supposedly reputable sites like the Austin Statesman that it owns and GoogleBomb its links to a higher reputation.

At the bottom of their newspaper pages, you can see that they have added irrelevant links to their site. Most people won't even notice the links at the very bottom where you usually find "About Us" or plain text site maps.

Cox has done on the internet what people fear they will do with their media, which is taint basic reputation and trust.



"What is Capoeira" is always an interesting conversation with people who don't know and usually ends a remaining vacant look or polite change in conversation.

Luckily, this video helps add to confusion.

Live CDs have often been proposed as a solution for online banking security. There may be another solution that requires fewer reboots.

Mozilla Prism is a browser intended to run a single web application.

While it would be open to application attacks, the prospect of receiving an application directly from your bank or even internal corporate intranets would impress upon the user one ideal - change modes when operating with secure items.

Banking and other secure events shouldn't be something that is Web 2.0 or the middle project of a multi-task. This habit is what empowers phishing and social engineers, as well as traditional malware.

I imagine I would have been one of those student radicals they worry so much about. We use to do "Falafel runs" to Mamoun's Falafel after midnight in NYC when I was in college. If they've sifted through his receipts from a decade ago, I'm on the radar.

Let them go through my stomach, I have nothing to hide.

Beware though, some have pointed out that falafel is often called " Israel's national dish. So, of course, the Jews are behind it... the falafel sales that is.

I have worked with predictive data mining applications in retail. It still disturbs me at how good it worked - for determining what someone would by, not who they would attack, how or when. Sorry, but when you're clustering your customer, I don't think you'll end up with a Terrorist Cluster.

If you're in to being on the falafel watch list, this blog has caught my attention recently - Arabic Bites. I drool with every new post.

I originally talked about the BBB data breach here

The Better Business Bureau has announced it is restructuring it's business.

With in those announcements comes the statement:
"The BBB on Oct. 1 launched a new logo and national database consolidating its 130 regional databases at www.bbb.org."

I hoped they would attempt to move to a new system, but after beginning the complaint process, it was apparent the same system is in use.

The Better Business Bureau has repeatedly praised the flexibility of their system and efficiency in posting data online:
"The one part of eBINDr and the Hurdman system that I appreciate the most , is when another Bureau requests a change or a report you get that information too. "

It is often said that security interferes with usability and you have to measure the trade-offs to determine the balance. It doesn't appear as if anyone thought that the ease of posting data online meant it was easily and quickly exposed. Two two linked comments above span two years, so I have to wonder how many years of data are online and by how many branches.

Another Alert

The Better Business Bureau has issues its second phishing alert since being notified they are leaking customer data online.

The information is scarce and it's generic information about trusting e-mails. They do not warn people not to post more personal information than already required by the system and they haven't changed their privacy statement to mention information is publicly available.

They do offer good information for others to follow on id theft and privacy though.

Still no response to my complaints from August or September...

When George Clooney was admitted to a hospital recently, several medical professionals took a peek at his records for curiosity sake.

The workers were suspended for a month, but both Clooney and the hospital union say that the punishment was too harsh. Mind you, they could face jail time for the federal crime they committed, but suspensions are too harsh.

The ethical problems alone are a cause for concern, but this is also a clear violation of the law. Clooney's statement was, "while I very much believe in a patient's right to privacy, I would hope that this could be settled without suspending medical workers." The best thing for people who violate ethical situations is when the victim who spends very little time considering such matters excuses it.

The bigger problem is the union. This is an established organization that is basically forming a thin blue line in the face of criminal activity. At least the hospital is on record

These folks have been suspended and investigations continue. Nobody seems to doubt there was a violation, just how far it went.

I've learned Spanish for heritage reasons, Portuguese for recreational reasons and have recently started learning Arabic to learn a non-western language with a lot of ties to the languages I've already started to learn.

In early interface testing, I would always type in my name with the accented -\xC3\xA1- in order to see if whatever field I was typing in had a weak interface. Often times the program would GPF and would break and other times the letter would get mangled.

Luckily, over the years as the market depended more on non-English speakers, these interface problems started to disappear. I always watch for services that deliver multiple language interfaces and how they perform in that field.

Google has had a decent run at language accomodation although I thought for their capital and reach was still slow.

While following recent language news I found Google encouraging people to explore their growing language features, including changing the entire interface to another language.

I actually do this every once in a while to force myself to language practice a language.

However, google doesn't warn you to be proficient in a language. They say in their entry, "Hyperpolyglotic Gmail", "If you're multilingual, feeling adventurous, or if you just want to test how well you know the Gmail user interface, try changing your account language settings."

My favorite part is the warnign, "Sound a little risky? Don't worry - it's easy." Remember that the next time you're doing something dangerous. "Sound a little risky? Don't worry - it's easy." Walking on the outer edge of a bridge? "Sound a little risky? Don't worry - it's easy." It's as comical as it is bizarre.

Seeing if they had a safeguard in place, I changed my interface to Arabic. Something I really not proficient in. There was no warning, or timed function to revert it back, or any other function to make it "easy" to undo your risk. Luckily, I familiar enough with the interface to change the language back, but it wasn't immediately at my disposal. There wasn't a link on the page back to the language settings after I changed the language. I had to follow the links deep back into account settings.

If anyone ever offers the advice, "Sound a little risky? Don't worry - it's easy - think twice. Google offers advice that probably provided a usability denial of service to at least a handful of their blog readers.

The Better Business Bureau says that for the first time in their history, they serviced over 100 million service requests. Unfortunately, a large portion of service requests appear to be accessible online. When you make an online complaint with the BBB, the following information is kept:

• Complaint filed by:
• Complaint filed against:
• Complaint status:
• Case Description:
• Category:
• Case opened date:
• Case closed date:
• Desired Resolution:

The name and full contact information of the business and consumer, along with a full description of the business transaction, possibly including account numbers or doctors name and care.One of the primary problems is that the BBB sends out email updates and asks that people correspond by clicking on a vaguely obfuscated url. No password and user name is required. And because the e-mail is html rich text, the user doesn''t know what web site they''re visiting. But don worry, because it''s not a BBB domain, but rather a sub-domain of their vendor.For someone wanting to commit fraud, this is a gold mine. Criminals need an element of trust and to take advantage and knowing a complete back story and/or vendor gives the perfect opportunity. Add the BBB brand to the fraudulent pitch and people are more likely to default to trust in the new e-mail.Here is a brief time line showing how this information leak might have been used:

• February 2007 - BBB Warns of widespread Phishing
• May 2007 - 1400 Executives *infected* with a highly targeted trojan
• June 2007 - More widespread phishing
• August 2007 - BBB receives e-mails explaining they are violating their privacy policy and possibly HIPAA when it involves medical care
• Sept 2007 - More widespread phishing

It''s possible the major leak has nothing to the widespread phishing or the target phishing attacks where the criminal likely knew the executive would trust the BBB link.But let''s look at how easy it is to download a massive number of complaint records.

To get the initial url, file an online complaint or Google:
"BBB CASE" "DAY PHONE"

This will bring up about 100 cases. Not a lot at first. You might even notice the urls are slightly secure.

subdomain.vendor.com/complaint/view/########/c/zh9nf9

The last digits zh9nf9, are required to access the url. It''s difficult, but not impossible. What you can do easily is change the ######### to a number higher or lower to get to the next case.

However, there are handy links for downloading the entire complaint as rtf. That link looks more like:
subdomain.vendor.com/merge.php?
title=Download%20Complaint%20Form.cf.rtf
&bid=2396295
&cid=#######

Once you have one of those links, someone can write a simple script to increase and/or decrease the number and download as many records as they want. And they get a new population for every BBB server they find.

I found this simply by being an observant consumer and watching how my vendor was handling my data. Since the Better Business Bureau hasn''t responded for almost two months, at least consumers can make a choice, as opposed to the organization making the choice, about whether or not they want to continue entering data or want to address the information out there already.