<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Security For All</title>
	<atom:link href="http://secforall.info/feed/" rel="self" type="application/rss+xml" />
	<link>http://secforall.info</link>
	<description>Security for everyone.</description>
	<lastBuildDate>Sat, 07 Apr 2012 02:46:34 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='secforall.info' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Security For All</title>
		<link>http://secforall.info</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://secforall.info/osd.xml" title="Security For All" />
	<atom:link rel='hub' href='http://secforall.info/?pushpress=hub'/>
		<item>
		<title>Captain X-Ploit: Another Crack in the Wall</title>
		<link>http://secforall.info/2012/04/06/captain-x-ploit-another-crack-in-the-wall/</link>
		<comments>http://secforall.info/2012/04/06/captain-x-ploit-another-crack-in-the-wall/#comments</comments>
		<pubDate>Sat, 07 Apr 2012 02:46:32 +0000</pubDate>
		<dc:creator>Joseph Webster</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[professional]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[security Tags: Captain X-Ploit]]></category>
		<category><![CDATA[Trustonia]]></category>

		<guid isPermaLink="false">http://secforall.info/?p=2015</guid>
		<description><![CDATA[The Adventures of Captain X-Ploit: Another Crack in the Wall – Part 4.5 of the epic chronicle – Captain X-Ploit vs. The Bills As the heads of zombies rolled and his teammates droned about changing clips and needing med kits, David’s mind wandered. He began to contemplate zombies&#8230; and then it just clicked. David’s [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://webjoseph425.files.wordpress.com/2010/02/the-adv-cap-x-ploit.jpg"><img class="alignleft size-thumbnail wp-image-1254" title="Captain X-Ploit" src="http://webjoseph425.files.wordpress.com/2010/02/the-adv-cap-x-ploit.jpg?w=100&#038;h=100" alt="" width="100" height="100" /></a></p>
<p align="center"><strong>The Adventures of Captain X-Ploit:</strong><br />
<strong>Another Crack in the Wall</strong><br />
<em>– Part 4.5 of the epic chronicle –</em><br />
<strong>Captain X-Ploit vs. The Bills</strong></p>
<p>As the heads of zombies rolled and his teammates droned about changing clips and needing med kits, David’s mind wandered. He began to contemplate zombies&#8230; and then it just clicked.</p>
<p>David’s character stood still for nearly three minutes and it took his teammates yelling, having lost their sniper support, to bring him back to reality. He hit the chat key, responded “I have to go now,” and threw his headset off as he powered down the game and logged online to do a quick confirmatory search.</p>
<p>He didn’t really know what he was onto; he had the first step of a vague plan forming. He could see the beginning but no end. Still something compelled him to throw himself forward into this plan with full force. He reached for his phone and dialed the number on his computer screen.</p>
<p>“Hi, you’ve reached Trustonia Valley Hospital records office, how can I help you today?”</p>
<p>“Hi, yes I appear to have been falsely reported as dead.” David responded.</p>
<p>“Oh, dear that is bad! What is your name?”</p>
<p>David scanned the obituary page until he found a suitable sounding name, “I’m Curtis Trent, I desperately need that corrected in all my files as well as a change of address.”</p>
<p>“Of course sir, that will just be a minute. What address would you like to change it to?”</p>
<p>“1302 Deven Ave, Trustonia. Oh and I have recently changed my name to David Nicholas Stone, if you could update that for me too.”</p>
<p>“Sure thing sir, just give me a few minutes to make those changes.”</p>
<p>About five minutes later David hung up the phone after giving himself a rather ghostly roommate. He then dialed a different hospital and repeated this activity. Continuing in this vein he gave himself over 100 new ghostly roommates, maximizing his time by submitting requests in emails while waiting on the phone.</p>
<p>He then spent the next several hours submitting online requests for unemployment benefits for his new friends who happened to live at the same address as him with the same name.</p>
<p>The day drew to a close and he found himself one step closer to not only paying off his bills but to completing the ultimate exploit. All he had to do was wait for those checks to roll in.</p>
<blockquote><p><em>Short but sweet this time and clearly to-be-continued. Our hero continues with his recent penchant for identity theft variants, this time appropriating the identities of folks who are beyond caring what happens to their good name. Now clearly this gambit is only going to work for a short time since even the Trustonia Department of Unemployment, who we assume to be even more inept than the typical real world division of employment, will certainly twig to paying benefits to the deceased with no prior graft arrangement in place. It will be interesting to see what the good Captain has planned with the ill-gotten government benefits of his undead namesakes. Stay Tuned.</em></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://secforall.info/2012/04/06/captain-x-ploit-another-crack-in-the-wall/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/8cb97cf53947d19ef34fcb97961820df?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Joe</media:title>
		</media:content>

		<media:content url="http://webjoseph425.files.wordpress.com/2010/02/the-adv-cap-x-ploit.jpg?w=100" medium="image">
			<media:title type="html">Captain X-Ploit</media:title>
		</media:content>
	</item>
		<item>
		<title>Captain X-Ploit: Matlock rocks my socks off</title>
		<link>http://secforall.info/2012/03/18/captain-x-ploit-matlock-rocks-my-socks-off/</link>
		<comments>http://secforall.info/2012/03/18/captain-x-ploit-matlock-rocks-my-socks-off/#comments</comments>
		<pubDate>Sun, 18 Mar 2012 22:33:37 +0000</pubDate>
		<dc:creator>Joseph Webster</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[professional]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Captain X-Ploit]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[Trustonia]]></category>

		<guid isPermaLink="false">http://secforall.info/?p=1994</guid>
		<description><![CDATA[The Adventures of Captain X-Ploit: Matlock rocks my socks off. – Part 5 of the epic chronicle – Captain X-Ploit vs. The Bills A bank is a place that will lend you money if you can prove that you don&#8217;t need it. ~ Bob Hope Foreword: Since this Captain X-Ploit episode is a continuation of [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://webjoseph425.files.wordpress.com/2010/02/the-adv-cap-x-ploit.jpg"><img class="alignleft  wp-image-1254" title="Captain X-Ploit" src="http://webjoseph425.files.wordpress.com/2010/02/the-adv-cap-x-ploit.jpg?w=120&#038;h=125" alt="" width="120" height="125" /></a></p>
<p align="center"><strong>The Adventures of Captain X-Ploit:</strong><br />
<strong>Matlock rocks my socks off.</strong><br />
<em>– Part 5 of the epic chronicle –</em><br />
<strong>Captain X-Ploit vs. The Bills</strong></p>
<p align="center">A bank is a place that will lend you money if you can prove that you don&#8217;t need it. ~ <strong>Bob Hope</strong></p>
<blockquote><p><em><strong>Foreword:</strong></em></p>
<p><em>Since this Captain X-Ploit episode is a continuation of the original saga, and since it&#8217;s been a really, really long time since the good Captain has deigned to make an appearance, the following are links to the original episodes so we can all get caught up with the story thus far.</em></p>
<ul>
<li><em><a title="Captain X-Ploit vs. The Bills" href="http://secforall.info/2010/02/16/captain-x-ploit-vs-the-bills/" rel="bookmark">Captain X-Ploit vs. The Bills</a></em></li>
<li><em><a title="Captain X-Ploit:  Bills + Bagels = BOOYA!!!" href="http://secforall.info/2010/02/26/captain-x-ploit-bills-bagels-booya/" rel="bookmark">Captain X-Ploit: Bills + Bagels = BOOYA!!!</a></em></li>
<li><em><a title="Captain X-Ploit: Cars, candy and girls" href="http://secforall.info/2010/03/26/captain-x-ploit-cars-candy-and-girls/" rel="bookmark">Captain X-Ploit: Cars, candy and girls</a></em></li>
<li><em><a title="Captain X-Ploit: Banished from Bloodshot" href="http://secforall.info/2010/04/02/captain-x-ploit-banished-from-bloodshot/" rel="bookmark">Captain X-Ploit: Banished from Bloodshot</a></em></li>
<li><em><a title="Captain X-Ploit: The great liberation of the coffee from the oppressive closet of motivation." href="http://secforall.info/2010/04/09/captain-x-ploit-the-great-liberation-of-the-coffee-from-the-oppressive-closet-of-motivation/" rel="bookmark">Captain X-Ploit: The great liberation of the coffee from the oppressive closet of motivation.</a></em></li>
</ul>
</blockquote>
<p>David went back to his home. It was a rather pleasant house in a nice neighborhood. Its generic white walls gave no indication that an evil genius might live inside. That was exactly how David liked it and exactly why he had bought it.</p>
<p>As he parked his new prize in the garage he could hear the excited clicking of Nicky’s nails on the tile as she doubtlessly was rushing to see why the garage door was opening. As he walked in he knelt down to pet her affectionately and passed her an oatmeal raisin bagel.</p>
<p>She barked appreciatively and then began to wolf it down. “Oh Nicky, you’re the best roommate a guy could ask for.” That thought gave him pause for a moment. “Roommate,” he re-uttered the word. Perhaps that is the key for today’s adventure he thought. Leaving Nicky to enjoy her bagel, he hastily ran upstairs to hop online and do some research while enjoying his bagel and coffee.</p>
<p>After about ten minutes of useful research and about three hours of watching internet videos, he picked up his phone and called the bank.</p>
<p>“Hello, you’ve reached ‘Stage Coach Banking’, my name is Jenny. How can I help you today?”</p>
<p>“Hello Jenny, My name is David Nicholas Stone and I regret to inform you that I will not be paying my mortgage payment this month.”</p>
<p>“Hmmm&#8230; It says here that you have <em>never</em> made a payment and I need to send the police to evict you.”</p>
<p>“Ah, yes, I figured as much. But see, the problem is that I have suffered a bout of extreme aging and I am now over the age of 65 and therefore am exempt from eviction.”</p>
<p>“Oh, goodness! Are you OK, sir?”</p>
<p>“Quite. In fact, the senior discounts are very handy and I find myself truly enjoying Matlock for the first time in well… ever I guess.”</p>
<p>“That&#8217;s a relief! But you do realize we will require at least a doctor’s note confirming your age, Mr. Stone.”</p>
<p>David smiled and joyfully rolled his chair over to the file cabinet next to his desk and fingered through it until his hands landed on the file he was looking for. It was labeled “<strong>Nicky’s vet records.</strong>” He pulled out the latest checkup. Among the general stats at the top was written “<strong>age: 13</strong>” and “<strong>age in dog years: 65</strong>”.</p>
<p>“I have the file here from my medical care provider clearly stating that by a unit of measure I am to be considered 65 years of age.”</p>
<p>“Excellent. If you will just scan and email that file to us we will be forced to leave you be until you die.” Jenny said cheerfully.</p>
<p>“Sure thing. Oh, one last detail. Under <em>age</em> it says “13” that is in reference to the age of my new hip, not my actual age. My actual age is labeled “<em>dog years</em>” but in fact that is a typo, they meant to put “<em>God years</em>,” as in how long it has been since God created my magnificent body.”</p>
<p>“I will make a note of that right here, Mr. Stone, and we will be sure to consider that when viewing your file. Is there anything else you need help with today, sir?” Jenny asked politely.</p>
<p>“No, I believe I have been served quite well, Jenny. Thank you.” He said.</p>
<p>“Well, would you like to take a brief survey to rate my…&#8221; Click.</p>
<p><em>&#8220;Nice girl,&#8221;</em> David thought to himself as he hung up the phone and scanned in Nicky’s vet document. <em>&#8220;Well, that takes care of the mortgage, now I just have to deal with electricity, gas, and credit cards.&#8221;</em></p>
<p>David couldn’t help but feel pleased with himself after this solution. The only thing he liked more than a well implemented exploit was one that tied up a loose end for the foreseeable future. He figured he deserved a break to blow the heads off of some zombies before returning to the tiring yet fulfilling task of escaping work.</p>
<p>As he watched the zombie heads bouncing off his HD monitor in time to the resonating sloppy thuds emitting from his surround sound system he couldn’t help but feel depressed that he hadn’t yet cracked the ultimate shell; his ultimate prize and undying desire. This was of course to game the system so completely and so perfectly that he could have his lifelong goal of unlimited money. Until that day he felt like a rank amateur playing at his profession of slacker.</p>
<p>This nagging feeling had plagued him since childhood. His parents had always been on the overbearing side and watched his every move. While the normal kids experimented with drugs, alcohol and sex, he was left to only watch. Stuck between their rock hard force in his life during the times of their explicit presence and their unshakable expectations when they weren’t by his side.</p>
<p>His youth was one filled with angst and rebellion building in an un-manifestable form. It began when he was fourteen; the world opened to him as he realized a non-physical but equally caustic way to vent his adolescent aggression. A way that was invisible to his ever present parents. It was the life of exploits. He could practice this form of rebellion anywhere at any time without accomplices and without raising a single flag to his parents.</p>
<p>And so, with no conscious knowledge or understanding deeper than raw, raging adolescent emotion piloting his brilliant mind toward anarchistic oblivion, the greatest hacking mind was born into the world. The idea that what he was doing was hacking had never crossed his mind. For hacking, you see, isn’t anything more than a label affixed to a mindset. It wouldn’t be until later that the world would forcibly open David’s eyes to the cause he was part of.</p>
<p>It was this evolution of mentality that brought David to this exact tipping point that would thrust him over the edge into a world of politics and aliens. But I am getting ahead of myself. Back to the precipice, back to the original unending quest for the perfect exploit; the exploit that to David consciously meant unlimited money and power, but subconsciously meant so much more.  It meant the quenching of an unquenchable thirst; the scratching of an invisible ever-present itch; the completion of his greatest work of art.</p>
<p>I mention all of this not to ruin the reader’s surprise, but in hopes of whetting their appetite. This exact day was the day David succeeded in breaking the system so completely that his dream was realized.</p>
<blockquote><p><em>So once again David uses his awesome Social Engineering skills, mixed with fraudulent information hacked into the bank records (recall that <a title="Captain X-ploit: Bills + Bagels = BOOYA!" href="http://secforall.info/2012/03/16/whatever-happened-to-security-for-all/" target="_blank">Nicky the dog&#8217;s &#8220;legal&#8221; name is David Nicholas Stone</a>) to avoid his mortgage payment. This exploit is particularly interesting in that it&#8217;s a variation of identity theft where rather than stealing someone&#8217;s identity you give your identity to someone who doesn&#8217;t know or doesn&#8217;t care &#8211; like Nicky, David&#8217;s canine roommate &#8211; such that they are responsible for your debts. Now, granted this exploit only works <strong>this</strong> well in Trustonia, but I suspect there are variations that work quite nicely here in reality. To the extent that we live in reality.</em></p>
<p><em>The last part is an interesting discourse on the hacker mindset from the thinly veiled pen (er&#8230; keyboard) of the creator of Captain X-ploit. Certainly something to think about while you are planning your next exploit (er&#8230; adventure).</em></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://secforall.info/2012/03/18/captain-x-ploit-matlock-rocks-my-socks-off/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/8cb97cf53947d19ef34fcb97961820df?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Joe</media:title>
		</media:content>

		<media:content url="http://webjoseph425.files.wordpress.com/2010/02/the-adv-cap-x-ploit.jpg?w=145" medium="image">
			<media:title type="html">Captain X-Ploit</media:title>
		</media:content>
	</item>
		<item>
		<title>Whatever Happened to Security For All?</title>
		<link>http://secforall.info/2012/03/16/whatever-happened-to-security-for-all/</link>
		<comments>http://secforall.info/2012/03/16/whatever-happened-to-security-for-all/#comments</comments>
		<pubDate>Sat, 17 Mar 2012 04:57:02 +0000</pubDate>
		<dc:creator>Joseph Webster</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Captain X-Ploit]]></category>

		<guid isPermaLink="false">http://secforall.info/?p=1981</guid>
		<description><![CDATA[Where have all your good words gone? Where have all your stories gone? From Where Have All Your Good Words Gone by Laura Gibson Long, long ago, way back in December of 2011 the latest blog entry appeared in Security For All. What became of the author and his intrepid sidekicks Dr. Security and Captain X-Ploit [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" title="I'm back" src="http://webjoseph425.files.wordpress.com/2012/03/im-back.jpg?w=109&#038;h=118" alt="" width="109" height="118" /><em>Where have all your good words gone?<br />
Where have all your stories gone?<br />
From <strong>Where Have All Your Good Words Gone</strong> by <strong>Laura Gibson</strong></em></p>
<p>Long, long ago, way back in December of 2011 the latest blog entry appeared in Security For All. What became of the author and his intrepid sidekicks <a title="Greatest Security Breakthrough" href="http://secforall.info/2009/07/20/greatest-security-breakthrough/" target="_blank">Dr. Security</a> and <a title="Captain X-Ploit vs. The Bills" href="http://secforall.info/2010/02/16/captain-x-ploit-vs-the-bills/">Captain X-Ploit</a> has been the stuff of no small amount of speculation among the Information Security literati. Actually to my knowledge there has been no speculation at all. Small or otherwise. But I digress.</p>
<p>By way of excuses let me say that a whole bunch of stuff has happened since that <a title="Another Nasty Christmas Present from Facebook" href="http://secforall.info/2011/12/21/another-nasty-christmas-present-from-facebook/" target="_blank">last post</a> around Christmas time. Primarily, in January I started a new position as Software Architect for Trustwave. I could let you guess at my employer like I did back when I first started blogging while working at StillSecure, but anyone can look it up on LinkedIn so the thrill is gone. Also let me point out that Trustwave and Spiderlabs are quite well known in the blogosphere having several excellent corporate blogs. This is not one of them. Whatever I say here is strictly me and they have nothing to do with it. Much less approve or disapprove. In any case I&#8217;ve been drinking from the firehose since January without much opportunity to do much of anything else. Thus the reason for the 3 month hiatus of Security For All.</p>
<p>But I&#8217;m back. And so is the good Captain. So stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://secforall.info/2012/03/16/whatever-happened-to-security-for-all/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/8cb97cf53947d19ef34fcb97961820df?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Joe</media:title>
		</media:content>

		<media:content url="http://webjoseph425.files.wordpress.com/2012/03/im-back.jpg?w=284" medium="image">
			<media:title type="html">I&#039;m back</media:title>
		</media:content>
	</item>
		<item>
		<title>Another nasty Christmas Present from Facebook</title>
		<link>http://secforall.info/2011/12/21/another-nasty-christmas-present-from-facebook/</link>
		<comments>http://secforall.info/2011/12/21/another-nasty-christmas-present-from-facebook/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 23:11:25 +0000</pubDate>
		<dc:creator>Joseph Webster</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[professional]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[credit rating]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://secforall.info/?p=1968</guid>
		<description><![CDATA[Whenever somebody comes up with a new business idea involving social media it&#8217;s usually time to cover your private parts. To the extent that you can. Take this idea from Hong Kong-based microlending startup Lenddo as described in this article in The Observer. [Lenddo] calls itself “the first credit scoring service that uses your online social network to [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" title="bad Christmas present" src="http://media.egotvonline.com/wp-content/uploads/2010/12/bad-Christmas-present.jpg" alt="" width="100" height="85" />Whenever somebody comes up with a new business idea involving social media it&#8217;s usually time to cover your private parts. To the extent that you can. Take this idea from Hong Kong-based microlending startup <a id="" href="http://lenddo.com/" target="_blank">Lenddo</a> as described in <a title="As Banks Start Nosing Around Facebook and Twitter, the Wrong Friends Might Just Sink Your Credit" href="http://www.betabeat.com/2011/12/13/as-banks-start-nosing-around-facebook-and-twitter-the-wrong-friends-might-just-sink-your-credit/2/" target="_blank">this article in The Observer</a>.</p>
<blockquote><p><em>[Lenddo] calls itself “the first credit scoring service that uses your online social network to assess credit.” The first thing Lenddo asks for is a Facebook account; then it wants access to Gmail, Twitter, Yahoo, and Windows Live. The Observer was given a respectable score of 470. But when we tried to apply for a loan, we were told “you need at least 3 connections with scores above 400 in your Lenddo trusted network.”</em></p>
<p><em>The company’s algorithm is proprietary and secret, said CEO Jeff Stewart, but the primary metric is what Lenddo knows about the people you’re friends with. “We think that in the age of the internet you should be able to establish your reputation and your identity through your social graph, through your on- and offline community, and use that to get access to financial products and information,” he said.</em></p>
<p><em>If Lenddo sees one of your best Facebook buddies took out a loan and paid it back, there’s a good chance you will too. “Our backgrounds are in machine learning and pattern recognition,” Mr. Stewart said. “It’s some serious math.</em></p>
<p><em>“There’s no reason there shouldn’t be thousands of engineers working to assess creditworthiness.”</em></p></blockquote>
<p>I should note here that I too have a background in machine learning and pattern recognition but would hardly summarize it as &#8220;some serious math&#8221; except maybe to US GOP Presidential nominee hopefuls to whom addition is apparently an arcane art, but I digress&#8230;</p>
<p>Marketing hype aside, this simply checks to see if your Facebook &#8220;friends&#8221; are creditworthy and makes the unwarranted leap that you are like them with respect to creditworthiness. Problem with that idea is when you have &#8220;friends&#8221; with completely fictional profiles on social media sites. Like say <a title="Can you be social and private simultaneously?" href="http://secforall.info/2010/06/05/can-you-be-social-and-private-simultaneously/" target="_blank">me (when I was on Facebook)</a> or <a title="The Joy of Tech" href="http://www.joyoftech.com/joyoftech/joyarchives/1629.html" target="_blank">Nitrozac and Snaggy</a>. If you had friended me on Facebook, services like Lenddo might conclude (not without basis) that you were a total wackjob. Seriously though, there is a very ugly side to this social credit rating business.</p>
<blockquote><p><em>In another nifty but nefarious innovation, Lenddo reserves the right to broadcast your loan status if you fall into default. As the site warns: “Failure to repay will negatively impact your Lenddo score, as well as the score of your Lenddo friends. Lenddo MAINTAINS THE RIGHT TO NOTIFY YOUR FRIENDS, FAMILY AND COMMUNITY if the borrower fails to repay, however, this is only done after several notifications to the borrower and an attempt to work out a payment plan.”</em></p>
<p><em>“I think Mark Zuckerberg said it best,” Mr. Stewart said. “Every industry will be in fact impacted by social.”</em></p>
<p><em>Banks have been curious about using social media to gauge risk for at least a year, said Matt Thomson, VP of platform at Klout, which calculates “influence” based on a user’s social media activity. Determining creditworthiness is not a core product of Klout’s, he said, but banks have approached the startup to ask about it. He wouldn’t name names. “It’s really like the who’s who of banking,” he said.</em></p>
<p><em>(Mr. Stewart of Lenddo also said his startup is approached “regularly” by major banks curious about the algorithm.)</em></p></blockquote>
<p>So let me get this straight: the same weasels who trashed the global economy with financial instruments that institutionalized fraudulent mortgages, unsecured except by other equally dodgy financial instruments like credit default swaps, are now using the fact that everyone knows &#8211; or is &#8211; someone who was victimized in this debacle to further victimize people?</p>
<p>This time I&#8217;m not even going through the pretense of some imaginary conversation about privacy being dead, I&#8217;ll just throw out this quote and leave it at that.</p>
<blockquote><p><em>Media theorist Douglas Rushkoff dismissed the idea that social media credit scoring is a serious erosion of privacy, mostly because there’s nothing left to hide. “We’re already in the nightmare scenario,” he wrote in an email. “They already know everything about you—more than most of us realize. If anything, the addition of social networking information to this data mining will help us come to some understanding of how much more these companies know about us than we know about ourselves.”</em></p></blockquote>
<p>And there you have it folks from the lips (or keyboard) of a bona fide Media theorist &#8211; social media credit scoring doesn&#8217;t invade your privacy because you have no privacy to invade. So if you are still on Facebook you might as well just bend over. Again. Or quit being a tool. I&#8217;m just saying.</p>
]]></content:encoded>
			<wfw:commentRss>http://secforall.info/2011/12/21/another-nasty-christmas-present-from-facebook/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/8cb97cf53947d19ef34fcb97961820df?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Joe</media:title>
		</media:content>

		<media:content url="http://media.egotvonline.com/wp-content/uploads/2010/12/bad-Christmas-present.jpg" medium="image">
			<media:title type="html">bad Christmas present</media:title>
		</media:content>
	</item>
		<item>
		<title>Thanks for all the phishing in 2011</title>
		<link>http://secforall.info/2011/11/24/thanks-for-all-the-phishing-in-2011/</link>
		<comments>http://secforall.info/2011/11/24/thanks-for-all-the-phishing-in-2011/#comments</comments>
		<pubDate>Thu, 24 Nov 2011 07:37:01 +0000</pubDate>
		<dc:creator>Joseph Webster</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Nigerian 419]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Thanksgiving]]></category>
		<category><![CDATA[Unemployment]]></category>

		<guid isPermaLink="false">http://secforall.info/?p=1942</guid>
		<description><![CDATA[So thank you for showing me, That best friends can not be trusted, And thank you for lying to me, Your friendship and good times we had you can have them back. From Thank You by Simple Plan In 2009, the first year of this blog, in honor of Thanksgiving here in the USA I [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" title="Thank You" src="http://www.lovelleofficial.com/wp-content/uploads/2011/06/thank_you.jpg" alt="" width="130" height="100" /></p>
<blockquote><p><em>So thank you for showing me,<br />
That best friends can not be trusted,<br />
And thank you for lying to me,<br />
Your friendship and good times we had you can have them back.<br />
From <strong>Thank You</strong> by <strong>Simple Plan</strong></em></p></blockquote>
<p>In 2009, the first year of this blog, in honor of Thanksgiving here in the USA I posted an entry about <a title="Thanks for all the phishing" href="http://secforall.info/2009/11/22/thanks-for-all-the-phishing/" target="_blank">some things I would have been thankful for in 2009. If they were even remotely true</a>. I’m a collector and, dare I say connoisseur, of Nigerian 419 style phishing messages. Since then it&#8217;s become an annual event. So without further ado, here is a sampling of my favorites from 2011. The things I’m thankful for.</p>
<p>I am thankful that the <a title="Compensation Details" href="http://webjoseph425.files.wordpress.com/2011/11/compensation-details.pdf" target="_blank">Nigerian Government has finally recognized their negligence and are going to help me get my rightful inheritance at last</a>.</p>
<blockquote><p><em>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-ICPC NIGERIA ( An Anti-Fraud Unit)</em><br />
<em>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;we fight against fraud, funds delay and impersonation.</em><br />
<em>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;Head Office: Plot 802, Constitution Avenue</em></p>
<p><em> A LETTER OF COMPENSATION/SETTLEMENT.</em></p>
<p><em> This letter will definitely be amazing to you because of its realistic value.</em></p>
<p><em>Sorry for the inconveniences that was rendered to you in your line of Inheritance Payment transaction with some impersonators some while ago.</em><br />
<em>I know that this letter will hit you by surprise, but firstly I will like to introduce myself; I am (Mr Emmanuel Ayoola ) the Legal chairman of &#8220;ICPC&#8221;, (Nigeria&#8217;s Anti-Fraud Unit).</em></p>
<p><em>On the 1st of October  2000 the former President of The Federal Republic of Nigeria (Chief Olusegun Obasanjo) introduced a Commission named the &#8220;ICPC&#8221;, (Nigeria&#8217;s Anti-Fraud Unit) which is duly registered under the United Nations (U.N.O). Secondly, we are mandated by the United States Government to Settle foreign indebted beneficiaries to satisfactory in other to maintain peace in the world at large and also to create a good relationship with the international bodies.</em></p>
<p><em>You are being contacted by this office today because your Case data is the very first File on our Settlement Files Cabinet. From our Intelligent investigations and Probing processes we discovered that you are a victim of  delay.</em><br />
<em>The &#8220;ICPC&#8221;, is faithfully under my governance as the Legal Chairman of the great Commission and to this Authority I took an oath of allegiance to settle all victims peacefully.</em><br />
<em>This Memorandum is to notify you that you will be settled by the Nig Govt from our initial Deposit. Your settlement will be actualized within  three working days after your response to this Official Letter.</em></p></blockquote>
<p>I was definitely amazed because of the <em>realistic value</em>. And any organization with the motto <em>we fight against fraud, funds delay and impersonation</em> just has to be legit, right? Although I am worried by the address of the Head Office, <em>Plot 802, Constitution Avenue</em>. Sounds like a cemetery.</p>
<p>I am thankful that <a title="official_letter_from_fbi" href="http://webjoseph425.files.wordpress.com/2011/11/official_letter_from_fbi.pdf" target="_blank">the FBI is willing to assist me in transferring my funds from the Central Bank of Nigeria which they discovered through attempting to wiretap the internet</a>.</p>
<blockquote><p><em>ATTENTION: BENEFICIARY </em><br />
<em>FROM: ROBERT MUELLER III EXECUTIVE DIRECTOR FBI FEDERAL BUREAU OF INVESTIGATION WASHINGTON DC.</em></p>
<p><em>FBI SEEKING TO WIRETAP INTERNET </em><br />
<em>The federal bureau of investigation (FBI).Through our intelligence-monitoring network has discovered that the transaction that the bank contacted you previously was legal. Recently the fund has been legally approved to be paid via Central Bank of Nigeria. We the federal bureau of investigation (FBI) Washington Dc, in conjunction with the United Nations (UN) financial department have investigated through our monitoring network noting that your transaction with the Central Bank of Nigeria legal. You have the legitimate right to complete your transaction to claim your fund <strong>US$15.5,000,000.00</strong>(Fifteen million five Hundred Thousand united states dollars).</em></p></blockquote>
<p>First <em>Mr Emmanuel Ayoola</em> finds my missing megabucks and then <em>ROBERT MUELLER III EXECUTIVE DIRECTOR FBI</em> contacts me directly to let me know it&#8217;s all legal. How sweet is that!</p>
<p>I am thankful for <a title="am-writing-this-letter-with-tears-and-sorrow-from-my-heart" href="http://webjoseph425.files.wordpress.com/2011/11/am-writing-this-letter-with-tears-and-sorrow-from-my-heart.pdf" target="_blank">22-year-old princesses from Burkina Faso who want not only a relationship but desire my help in investing large sums of money</a>.</p>
<blockquote><p><em>Dear Sir / Madam, </em><br />
<em>How are you today,I hope fine? I am a female student from University of Burkina-Faso, Ouagadougou. I am 22 yrs old. I will love to have a long-term relationship with you and to know more about you. I would like to build up a solid foundation with you in time coming if you can be able to help me in this transaction. Well, my father died earlier 1 year ago and left I and my junior brother behind. He was a king, which our town citizens titled him over sixteen years before his death.I was a princess to him and I am the only person who can take care of his wealth now because my junior brother is still young and my late mother is also late two years ago before the death of my Late father. He left the sum of <strong>)Twelve Million Five Hundred Thousand united state dollars ($12.5mUSD)</strong> in a Bank. This money was annually paid into my late fathers account from Gold Exploring companies operating in our locality for the compensation of youth and community development in our jurisdiction. I don&#8217;t know how and what I will do to invest this money somewhere in abroad, so that my father&#8217;s kindred will not take over what belongs to my father and our family, which they were planning to do without my present because I am a female as stated by our culture in the town.Now, I urgently need your humble assistance to move this money from the Bank of Africa to your bank account after which i come over to meet with you. and I strongly believe that by the grace of God, you will help me invest this money wisely. I am ready to pay 40% of the total amount to you if you help us in this transaction and another 10% interest of Annual After Income to you, for handling this transaction for us, which you will strongly have absolute control over. Please if you are interested to help me, then get back to me urgent so that I will give you more details including my picturs. </em><br />
<em>Yours sincerely, </em><br />
<em>Princess Ruki Yaya.</em></p></blockquote>
<p>As much as I&#8217;d like to help Princess Ruki Yaya I&#8217;m concerned about the statement <em>I am a female as stated by our culture in the town</em>. I&#8217;m only interested in women who are female in all cultures everywhere.</p>
<p>I am thankful for <a title="Dearest One" href="http://webjoseph425.files.wordpress.com/2011/11/dearest-one.pdf" target="_blank">dying rich guys who recognize my humanitarian fervor and want to leave me lots of money</a>.</p>
<blockquote><p><em>Subject: Dearest One, </em><br />
<em>Dearest One, Assalam Allekum, My name is Abul Kalam Azad. I am a dying man who have decided to Donate the sum of $18million dollars. to you for the good work of the Humanity. Please contact me via. Email: aazad@yahoo.cn for detailed information on this noble project of mine. Please note that I have WILLED <strong>$18m</strong> to you by quoting my personal reference number De/Jds/533/0068/HtrI/33ln/eg. So that i can confirm that you actually received my email notice to you. Wassalam and Regards, Abul Kalam Azad</em></p></blockquote>
<p>While I appreciate the generous bequest, what&#8217;s up with that &#8220;Dearest One&#8221; stuff and the Yahoo! China email address?</p>
<p>I am thankful for <a title="accept-this-little-token-with-good-faith" href="http://webjoseph425.files.wordpress.com/2011/11/accept-this-little-token-with-good-faith.pdf">dying rich women who recognize my humanitarian fervor and want to leave me lots of money</a>.</p>
<blockquote><p><em>Goodday, </em></p>
<p><em>My names are Mrs. Irene Cesarec. I was diagnosed of cancer about 2 years ago, and was receiving treatment for it, but now the doctors are saying I have a short time to live.   </em></p>
<p><em>When I was in better health, I never really cared for any body with no children of my own and a late husband I was a selfish and greedy person. I have decided to donate the sum of <strong>$10.8M</strong> to you, so you can disburse to charities, widows, orphans and less privileged. I was doing this myself but now my health has deteriorated, I wanted my relatives to do this for me but they only saw it as an opportunity to enrich themselves. </em></p>
<p><em>I will be going in for an operation soon, I want this last act of mine to be an offering unto God, perhaps he will have mercy on me. Please contact my lawyer with the below: </em></p>
<p><em>Quote my ref # : will/Wlaw/Pn/lr/93/ytx/ when responding. </em></p>
<p><em>I am sending him a copy of this message as well so he is aware of my intentions, Please use the funds well and always extend the good works to others. </em></p>
<p><em>Stay blessed,</em></p>
<p><em>Mrs. Irene Cesarec.</em></p></blockquote>
<p>Whoa! It&#8217;s like deja vu. Sorry Abul but I&#8217;m going to have to go with Irene. Even though she&#8217;s only giving me <em><strong>$10.8M</strong></em>  she admits to being <em>a selfish and greedy person</em>. My kind of benefactor.</p>
<p>I am thankful for <a title="prize-notification-2011-new-toyota-cars-promotion" href="http://webjoseph425.files.wordpress.com/2011/11/prize-notification-2011-new-toyota-cars-promotion.pdf">winning contests staged in places I&#8217;ve never been to promote products I don&#8217;t buy that I don&#8217;t recall entering</a>.</p>
<blockquote><p><em>TOYOTA MOTORS CORPORATION INTERNATIONAL PRIZE NOTIFICATION 2011 NEW CARS PROMOTION </em><br />
<em>We are pleased to inform you of the result of the just concluded annual final draws held on the 1ST OF January,2011 by Toyota Motor Company in conjunction with the Japan International Email Lottery Worldwide Promotion,your email address was among the 20 Lucky winners who won US$1,000,000.00 each on the Toyota Motors Company Email Promotion programme dated as stated above.This is from the total price of $20 million United State Dollars ($20,000,000.00usd)shared among the 20 lucky winners.</em></p>
<p><em>The online draws was conducted by a random selection of email addresses from an exclusive list of 35,031 E-mail addresses of individuals and corporate bodies picked by an advanced automated random computer search from the internet. However, no tickets were sold but all email addresses were assigned to different ticket numbers for representation and privacy to make sure the money reaches you.</em></p></blockquote>
<p>Uh&#8230; Not sure I understand any of that or what it has to do with Toyota, but hey I&#8217;ll take the cool mil.</p>
<p>Since 2011 was a terrible year for employment I&#8217;m thankful that I&#8217;ve received so many <a title="Database Management Position" href="http://webjoseph425.files.wordpress.com/2011/11/database-management-position1.pdf" target="_blank">guaranteed job offers like this one from a company that respects my awesome database management abilities</a>.</p>
<blockquote><p><em>Subject: Database Management Position </em></p>
<p><em>We have assessed your curriculum vitae and wish to introduce to you a job opportunity in clerical and administrative services at NHN Team. The ideal applicant must possess outstanding communication skills, be attentive to details, perfect reporting skills, responsible and able to work in a fast paced working environment. </em><br />
<em>The principal duties of the job include but are not limited to: recording orders for services and merchandise, compiling transaction records, compiling correspondence, performing basic bookkeeping and other clerical duties. </em><br />
<em>At NHN Group we provide an encouraging working environment. The position offers an attractive performance related commission. Flexible schedules, part time and full time available. If you are interested in entering an organization where contribution matters, please get back to work-dept@nhn-jobs.com and we will forward to you further information on this opportunity. </em><br />
<em>Best regards, </em><br />
<em>NHN Team</em></p></blockquote>
<p>I&#8217;m not even sure what a <em>curriculum vitae</em> is but apparently mine indicates that I would be good at clerical and administrative services which is apparently database management.</p>
<p>On a more serious note, there was a marked increase in the number of phony job offer phishing messages in 2011. I usually get several good ones per year, but in 2011 out of the 60 funny emails I saved, 37 of them &#8211; a whopping 62% &#8211; were phony job offers. Some were completely silly like the one above, but others were pretty decent CareerBuilder forgeries. So while I mock these ham-fisted attempts at fooling the naive, it&#8217;s sobering to recognize that there are a lot of really desperate unemployed folks out there who are willing to try almost anything to get a job. And the slimeballs who are exploiting that nauseate me.</p>
<p>Once again I’m thankful that <a title="Google Translate" href="http://translate.google.com/" target="_blank">Google Translate</a> hasn’t improved significantly since 2010.  Otherwise this stuff wouldn’t be nearly as amusing. So Happy Thanksgiving 2011. So long and thanks for all the phish.</p>
]]></content:encoded>
			<wfw:commentRss>http://secforall.info/2011/11/24/thanks-for-all-the-phishing-in-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/8cb97cf53947d19ef34fcb97961820df?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Joe</media:title>
		</media:content>

		<media:content url="http://www.lovelleofficial.com/wp-content/uploads/2011/06/thank_you.jpg" medium="image">
			<media:title type="html">Thank You</media:title>
		</media:content>
	</item>
		<item>
		<title>Hiding in Glass Houses</title>
		<link>http://secforall.info/2011/10/26/hiding-in-glass-houses/</link>
		<comments>http://secforall.info/2011/10/26/hiding-in-glass-houses/#comments</comments>
		<pubDate>Thu, 27 Oct 2011 05:07:08 +0000</pubDate>
		<dc:creator>Joseph Webster</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[professional]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Find My Friends]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://secforall.info/?p=1911</guid>
		<description><![CDATA[You&#8217;re building glass houses on the sand Then you stand around and shake your head When they all fall down From Glass Houses by Steel Magnolias So the big tech and style news this month, in case you missed it, was Apple&#8217;s hyperbole laden and new(ish) iPhone 4s and iOS5. This baby boasts everything better, faster [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" title="Glass_House" src="http://www.fantom-xp.com/wallpapers/29/Glass_House.jpg" alt="" width="127" height="80" /></p>
<blockquote><p><em>You&#8217;re building glass houses on the sand</em><br />
<em> Then you stand around and shake your head</em><br />
<em> When they all fall down</em><br />
<em> From <strong>Glass Houses</strong> by <strong>Steel Magnolias</strong></em></p></blockquote>
<p>So the big tech and style news this month, in case you missed it, was Apple&#8217;s hyperbole laden and new(ish) iPhone 4s and iOS5. This baby boasts everything better, faster and smarter (Siri notwithstanding) than the old school iPhone 4. Including this swell new(ish) app called <a title="Find My Friends iOS 5 app revealed" href="http://www.slashgear.com/find-my-friends-ios-5-app-revealed-04185210/" target="_blank">Find My Friends</a> which is described in Slashgear thusly [<em>emphasis mine</em>].</p>
<blockquote><p><em>The free app, which uses GPS to locate your friends and family and, <strong>if the privacy settings mash correctly</strong>, display them on a map in real-time, can be found <a href="http://itunes.apple.com/us/app/find-my-friends/id466122094?mt=8" target="_blank">here</a>.</em></p></blockquote>
<p>But as <a title="MythAdventures" href="http://en.wikipedia.org/wiki/MythAdventures" target="_blank">Aahz the Pervect</a> was wont to say &#8220;Therein lies the story&#8221;. That deal about privacy settings should be a clue [<em>hint - turn them all off</em>]. There&#8217;s even an interesting <a title="Divorcing wife. Thanks iPhone 4s and Find My Friends" href="http://forums.macrumors.com/showthread.php?t=1254206" target="_blank">thread on MacRumors</a> making its way around the blogosphere with a tale to make divorce lawyers weep. In agony or ecstasy depending on which side they represent.</p>
<blockquote><p><em>I got my wife a new 4s and loaded up find my friends without her knowing. She  told me she was at her friends house in the east village. I&#8217;ve had suspicions  about her meeting this guy who live uptown. Lo and behold, Find my Friends has  her right there.</em></p></blockquote>
<p>Regardless of the veracity of the post, I posit the following question: Who really thinks it&#8217;s a good idea to have everyone know exactly (within 10 meters) where you are at all times? I can think of a number of folks, in addition to suspicious spouses, who love this idea including:</p>
<ol>
<li>Law Enforcement &#8211; rounding up the usual suspects has never been easier</li>
<li>Burglars who prefer victims to be elsewhere than the location being burgled &#8211; saves all that unpleasantness associated with being surprised by irate property owners.</li>
<li>Employers who want to verify that employees are actually working from home &#8211; or really at the dentist instead of interviewing for another job.</li>
</ol>
<p>Now certainly there might be situations where this feature would have a non-nefarious or even beneficial usage, like say finding a missing child. I&#8217;m just doubtful that would work in a serious situation like say kidnapping. Unless the kidnapper was stupid enough to keep the phone,  like say users of Find My Friends.</p>
<p>You see, here&#8217;s the deal &#8211; owning a smart phone or other GPS-enabled mobile device is like hiding in a glass house. Unless you take extraordinary measures anyone can find you. At any time.  Problem is most users of the aforementioned devices have no idea how exposed they are by default &#8211; not to mention what happens when they use an app like Find My Friends.</p>
<p>About now you may be thinking, &#8220;Yeah, well maybe that&#8217;s true, but everybody knows that privacy has been dead since 1999 so deal with it&#8221;,  channeling Scott McNealy&#8217;s infamous comment. Or even &#8220;You shouldn&#8217;t be worried about privacy unless you have something to hide&#8221;.</p>
<p>And that, my friend, is what concerns me. When everyone accepts this truism and becomes willing to trade their privacy &#8211; and ultimately their liberty to disagree with whatever authority is currently watching &#8211; for slick but useless diversions there will be serious consequences.</p>
<p>We may not be able to do anything about our modern life in glass houses. But at least we can try to hide without constantly screaming our location.</p>
]]></content:encoded>
			<wfw:commentRss>http://secforall.info/2011/10/26/hiding-in-glass-houses/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/8cb97cf53947d19ef34fcb97961820df?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Joe</media:title>
		</media:content>

		<media:content url="http://www.fantom-xp.com/wallpapers/29/Glass_House.jpg" medium="image">
			<media:title type="html">Glass_House</media:title>
		</media:content>
	</item>
		<item>
		<title>Security For All is three years old!</title>
		<link>http://secforall.info/2011/10/09/security-for-all-is-three-years-old/</link>
		<comments>http://secforall.info/2011/10/09/security-for-all-is-three-years-old/#comments</comments>
		<pubDate>Mon, 10 Oct 2011 05:24:25 +0000</pubDate>
		<dc:creator>Joseph Webster</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[professional]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Security for All]]></category>
		<category><![CDATA[third birthday]]></category>

		<guid isPermaLink="false">http://secforall.info/?p=1889</guid>
		<description><![CDATA[Happy Birthday, now your one year older. Happy Birthday, your life still isn&#8217;t over. Happy Birthday, you did not accomplish much. But you didn&#8217;t die this year i guess that&#8217;s good enough. From Funny Happy Birthday Song by Adam Sandler Hard to believe that last month marked the third anniversary of Security For All. Actually [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" title="happy-3rd-birthday-foil-helium-party-balloons-pack-of-2-4664-p" src="http://www.partykiosk.co.uk/ekmps/shops/domestix/images/happy-3rd-birthday-foil-helium-party-balloons-pack-of-2-4664-p.bmp" alt="" width="112" height="97" /></p>
<blockquote><p><em>Happy Birthday, now your one year older.<br />
Happy Birthday, your life still isn&#8217;t over.<br />
Happy Birthday, you did not accomplish much.<br />
But you didn&#8217;t die this year i guess that&#8217;s good enough.<br />
From <strong>Funny Happy Birthday Song</strong> by <strong>Adam Sandler</strong></em></p></blockquote>
<p>Hard to believe that last month marked the third anniversary of <a title="Security For All" href="http://secforall.info" target="_blank">Security For All</a>. Actually the really hard thing to believe is that I actually found time to do this post. Whining aside, this last year has been a corker for everybody. A whole bunch of wild, wacky, wonderful, wasteful, woeful and wicked things happened during the last 13 months. I&#8217;ll leave it as an exercise to the reader to assign the appropriate W-word to the items in the following list. In no particular order:</p>
<ul>
<li>Steve Jobs, co-founder, chairman and former CEO of Apple passed away on October 5th, 2011 after a long struggle with pancreatic cancer. He was just 56 years old. It&#8217;s hard to imagine anyone who had a greater impact on technology and society. He will be sorely missed.</li>
<li>Britain&#8217;s Prince William announced his intention to marry long-term girlfriend Kate Middleton on November 16, 2010, and subsequently followed through on that threat on April 29, 2011, where it was described thusly by USA Today: <em>More than a billion eyes were on Kate Middleton as she stepped out of the queen&#8217;s 1977 Rolls-Royce Phantom VI in front of London&#8217;s Westminster Abbey on Friday wearing a wedding dress of fairy-tale princess-esque proportions — a dress that will be immortalized in fashion history.</em> There were at least as many spammers and phishers rejoicing over the joyous event.</li>
<li>NASA discovered a new lifeform, a bacterium they christened the GFAJ-1 strain, that apparently substituted arsenic for phosphorus, sparking all sorts of extra-terrestrial bacterial visitation speculation. Would have been game-changing if only it had been accurate. Oh well, another study for <a title="The Journal of Irreproducible Results" href="http://www.jir.com/" target="_blank">The Journal of Irreproducible Results</a>.</li>
<li>The United States Senate voted to repeal the U.S. military&#8217;s &#8216;Don&#8217;t Ask, Don&#8217;t Tell&#8217; policy of officially sanctioned homophobia. While the law has been in effect for several months now apparently a number of right wing politicians and military cheeses haven&#8217;t gotten the memo. Or maybe they just can&#8217;t figure out how to use the <a title="Reality distortion field" href="http://en.wikipedia.org/wiki/Reality_Distortion_Field" target="_blank">Reality distortion field</a> that worked out so well for President Bill Clinton and Apple CEO Steve Jobs. The more plausible possibility is that they can&#8217;t find anyone on their staff able to read something as complex as a memo.</li>
<li>U.S. Rep. Gabrielle Giffords was shot in the head by a lone wack-job after being included on Sarah Palin&#8217;s &#8216;Hit List&#8217;. But the craziness didn&#8217;t stop there. Sales of semiautomatic Glock pistols like that used in the shooting spiked in Arizona and across the nation in the days following the attack. Fortunately Ms. Giffords was able to overcome the staggering odds and appeared in person at her husband, Astronaut Mark Kelly&#8217;s retirement from the Navy. Not sure what the moral of this story is but I&#8217;m a little reluctant to hang out anywhere near people who disagree with Ms. Palin.</li>
<li>The now aptly monikered <a title="Arab Spring" href="http://en.wikipedia.org/wiki/2010%E2%80%932011_Middle_East_and_North_Africa_protests" target="_blank">Arab Spring</a> began in January of 2011 with the president of <a title="Tunisian Revolution" href="/wiki/Tunisian_Revolution">Tunisia</a> being driven from power by violent protests over soaring unemployment and corruption. In the following months <a title="2011 Egyptian revolution" href="/wiki/2011_Egyptian_revolution">Egypt</a> and <a title="2011 Libyan civil war" href="/wiki/2011_Libyan_civil_war">Libya</a> have seen regime changes with <a title="2011 Bahraini uprising" href="/wiki/2011_Bahraini_uprising">Bahrain</a>, <a title="2011 Syrian uprising" href="/wiki/2011_Syrian_uprising">Syria</a>, and <a title="2011 Yemeni uprising" href="/wiki/2011_Yemeni_uprising">Yemen</a> also seeing civil uprisings. If Desert Storm (U.S. vs. Iraq episode 1) was the first made-for-TV conflict, Arab Spring must certainly count as the first made-for-social-media revolution. Whoever said &#8220;The Revolution will not be tweeted&#8221; was dead wrong [<em>apologies to Gil Scott-Heron, who also died in 2011, and is maliciously mis-quoted here</em>]. It&#8217;s also been argued, debated [<em>no - scratch that - since real debate requires some level of basic knowledge and understanding of the topic which is simply not available in this case</em>] and pontificated on, via traditional and the newly enfranchised social media. Speaking at the e-G8 Internet Forum in Paris, Facebook CEO Mark Zuckerberg downplayed Facebook’s role in places like Cairo, Homs and Tunis, saying &#8220;It’s not a Facebook thing, it’s an Internet thing,” when asked about his site’s influence on the Middle East’s popular uprisings. &#8220;There&#8217;s no value to Facebook in invading the privacy of folks in those places.&#8221; [<em>I made that last quote up - but I'm sure that's what he meant to say</em>].</li>
<li>A tsunami rammed the coast of Japan following a powerful 9.0-magnitude earthquake causing widespread devastation and essentially shutting down some of Japan&#8217;s largest manufacturers including Honda and Toyota. But by far the greatest damage that resulted from this disaster was the meltdown of the Fukushima Dai-ichi nuclear power station in northeast Japan. This part of the tale just kept getting worse each day as the Japanese government and Tokyo Electric Power Co (TEPCO) kept trying to reassure the public and the world that things were under control. Some would argue that it&#8217;s still not entirely under control as there have been elevated levels of radiation detected in the Pacific waters as far away as the west coast of the U.S. So now a tsunami caused by a monster earthquake has turned into the worst nuclear crisis since Chernobyl in 1986, costing TEPCO 1.1 trillion yen. So far.</li>
<li>Osama bin Laden, the mastermind of the 911 attack, was killed in a firefight with [<em>actually he was terminated with extreme prejudice by</em>] United States forces in Pakistan. Turns out he&#8217;d been living in relative comfort in Abbottabad. Right under the noses of our Pakistani &#8220;allies&#8221;. Pakistani officials were &#8220;Shocked, Shocked! To find Osama bin Laden living in Pakistan&#8221;. [<em>OK, I made that last quote up too</em>].</li>
<li>On May 22, 2011 a massive EF5 rated tornado tore through Joplin, Missouri, killing over 120 people, carving a mile-wide path of destruction through the city and leaving fully a third of the population homeless. Somehow the people of Joplin, with the help of many other Americans, managed to rebuild enough of the devastated city to open all schools on time for the fall semester. It&#8217;s stuff like this that keeps my scant faith in my fellow citizens alive.</li>
<li>Former Illinois Gov. Rod Blagojevich was found guilty on 17 out of 20 federal corruption charges — including all charges tied to allegations that the Chicago Democrat tried to trade an appointment to fill the U.S. Senate seat vacated by President Barack Obama. Guilty! Thank You, That is all. [<em>Apologies to Mr. Toad's Wild Ride</em>]</li>
<li>In a frenzy not seen since the televised O.J. Simpson trial, Court TV became the latest reality-TV-cum-spectator-sport. Complete with announcers and color commentators like Nancy Grace. First we had the trial of Casey Anthony, who allegedly murdered her daughter Caylee, which got better ratings than any Soap Opera and triggered widespread protests when she was acquitted (much to the chagrin of the aforementioned Ms. Grace) and pitted Floridians against each other, some restaurants even refusing to serve jury members. Those jury members later whined that had they been allowed to listen to Nancy they would surely have reached the right decision. Then we had Warren Jeffs, a particularly egregious polygamist, child pornographer, prophet of doom and leader of a strange religious cult centered, apparently, around him getting it on with very young girls being tried for that lifestyle choice. This trial was so salacious that even I was taken aback when Dr. Drew Pinsky insisted that it was the right, yea even the<strong> duty</strong> of the court TV &#8220;journalists&#8221; to show the videos of the nasty Rev. Jeffs deflowering his youngest &#8220;brides&#8221;, video apparently being a sacrament in this cult. I&#8217;m guessing that the CNN lawyers were offering up their own prayers that the FCC would ignore Dr. Drew&#8217;s apparent journalistic fervor and not go after them for child porn. And finally we have the ongoing show trial of Dr. Conrad Murray who allegedly administered the fatal dose of propofol that killed Michael Jackson. This trial is hardly worth the nightly histrionics of Dr. Drew and Nancy Grace (tag teaming this one) since the worst that can happen to Dr. Murray (other than the fact that the king of pop died before he could get paid) is that he can get probation. He&#8217;s already lost his medical license not to mention his credibility with anyone other than celebrities with nasty prescription drug habits.
If you don&#8217;t think Mark Mothersbaugh was right about &#8216;<a title="Devolution (biology)" href="/wiki/Devolution_(biology)">de-evolution</a>&#8216; you should tune in some time.</li>
<li>Then we had the &#8216;Spectacular Summer Debt Ceiling Crisis&#8217; starring the U.S. Congress with special guest stars Pres. Barack Obama and Timothy Geithner. This long-running political theater farce, based on the hit &#8216;Nero Fiddling&#8217;, had them rolling in both aisles to the disgust of viewers all over the world. This amazing display of gridlock and political brinksmanship resulted in Standard &amp; Poor&#8217;s downgrading the creditworthiness of the U.S. government to AA+ from AAA. What a show.</li>
<li>In tech and business, Google acquired Motorola Mobility, AT&amp;T attempted to acquire T-Mobile but was slapped down by the DOJ. HP released the TouchPad, announced it&#8217;s killing the product line, sold the few they had built at a fire sale which was so popular they ramped up for another TouchPad fire sale. WTF? Apparently the notoriously quick on the fire-the-CEO trigger HP board had the same reaction and dumped Leo Apotheker for Meg Whitman (of GOP and eBay fame). But not before the stock did a swan dive.</li>
<li>The Sony Playstation Network (PSN) was well and truly pwned. Fingers were pointed everywhere but in the end it was just good old bad engineering and security hubris that proved their undoing. That and trying to piss off PS3 modders.</li>
<li>Then there was Anonymous whose DDoS-in-the-name-of-protest efforts were alternately lionized and vilified in the media and political circus and managed to annoy pretty much everybody at some time or another. They didn&#8217;t like Sony either and were early scapegoats in the ongoing Sony CYA efforts. Their 15 minutes is waning fast, but those Guy Fawkes masks are totally bitchun.</li>
<li>Security Bloggers were busy little beavers with <a href="http://chuvakin.blogspot.com/" target="_blank">Dr. Anton Chuvakin</a> taking a new job at Gartner, <a href="http://www.mckeay.net/" target="_blank">Martin McKeay</a> and <a href="http://securosis.com/tag/joshua+corman" target="_blank">Josh Corman</a> taking jobs at Akamai, <a href="http://www.secureconsulting.net/">Ben Tomhave</a> taking a job at LockPath, <a href="http://blog.uncommonsensesecurity.com" target="_blank">Jack Daniel</a> moving into a new gig at Tenable after they acquired Astaro and <a href="/s/ref=ntt_athr_dp_sr_15?_encoding=UTF8&amp;sort=relevancerank&amp;search-alias=books&amp;field-author=Kai%20Roer">Kai Roer</a> and <a href="/s/ref=ntt_athr_dp_sr_16?_encoding=UTF8&amp;sort=relevancerank&amp;search-alias=books&amp;field-author=Mourad%20Ben%20Lakhoua">Mourad Ben Lakhoua</a> editing a great book with articles by <a href="/s/ref=ntt_athr_dp_sr_1?_encoding=UTF8&amp;sort=relevancerank&amp;search-alias=books&amp;field-author=Dr.%20Anton%20Chuvakin">Dr.
Anton Chuvakin</a>, <a href="/s/ref=ntt_athr_dp_sr_2?_encoding=UTF8&amp;sort=relevancerank&amp;search-alias=books&amp;field-author=Margaretha%20Eriksson">Margaretha Eriksson</a>, <a href="/s/ref=ntt_athr_dp_sr_3?_encoding=UTF8&amp;sort=relevancerank&amp;search-alias=books&amp;field-author=Alistar%20Forbes">Alistar Forbes</a>, <a href="/s/ref=ntt_athr_dp_sr_4?_encoding=UTF8&amp;sort=relevancerank&amp;search-alias=books&amp;field-author=Brian%20Honan">Brian Honan</a>, <a href="/s/ref=ntt_athr_dp_sr_5?_encoding=UTF8&amp;sort=relevancerank&amp;search-alias=books&amp;field-author=Alex%20Hutton">Alex Hutton</a>, <a href="/s/ref=ntt_athr_dp_sr_6?_encoding=UTF8&amp;sort=relevancerank&amp;search-alias=books&amp;field-author=Javvad%20Malik">Javvad Malik</a>, <a href="/s/ref=ntt_athr_dp_sr_7?_encoding=UTF8&amp;sort=relevancerank&amp;search-alias=books&amp;field-author=Wendy%20Nather">Wendy Nather</a>, <a href="/s/ref=ntt_athr_dp_sr_8?_encoding=UTF8&amp;sort=relevancerank&amp;search-alias=books&amp;field-author=Rob%20Newby">Rob Newby</a>, <a href="/s/ref=ntt_athr_dp_sr_9?_encoding=UTF8&amp;sort=relevancerank&amp;search-alias=books&amp;field-author=Kevin%20Riggins">Kevin Riggins</a>, <a href="/s/ref=ntt_athr_dp_sr_10?_encoding=UTF8&amp;sort=relevancerank&amp;search-alias=books&amp;field-author=Eric%20Schwab">Eric Schwab</a> and  <a href="/s/ref=ntt_athr_dp_sr_12?_encoding=UTF8&amp;sort=relevancerank&amp;search-alias=books&amp;field-author=Lori%20Mac%20Vittie">Lori Mac Vittie</a> &#8211; <a title="The Cloud Security Rules: Technology is your friend. And enemy. A book about ruling the cloud." href="http://www.amazon.com/Cloud-Security-Rules-Technology-friend/dp/1463691785/" target="_blank">The Cloud Security Rules: Technology is your friend. And enemy. A book about ruling the cloud.</a></li>
<li>Finally Captain X-Ploit went completely off the rails with two spectacular holiday specials. The Halloween Special consisting of four posts: <a title="The Devil Walks Among Trustonians" href="http://secforall.info/2010/10/26/captain-x-ploit-halloween-special-the-devil-walks-among-trustonians/" target="_blank">The Devil Walks Among Trustonians</a>, <a title="Movies Can be Fun" href="http://secforall.info/2010/10/27/captain-x-ploit-movies-can-be-fun/" target="_blank">Movies Can be Fun</a>, <a title="Nightmare on Dream Street" href="http://secforall.info/2010/10/28/captain-x-ploit-nightmare-on-dream-street/" target="_blank">Nightmare on Dream Street</a> and <a title="28 Stores Later" href="http://secforall.info/2010/10/31/captain-x-ploit-halloween-special-28-stores-later/" target="_blank">28 Stores Later</a>, which spoofed the classic horror films <a title="Halloween" href="http://www.imdb.com/title/tt0077651/" target="_blank">Halloween</a>, <a title="The Ring" href="http://www.imdb.com/title/tt0298130/" target="_blank">The Ring</a>, <a title="Nightmare on Elm Street" href="http://www.imdb.com/title/tt0087800/" target="_blank">Nightmare on Elm Street</a> and <a title="Dawn of the Dead" href="http://www.imdb.com/title/tt0077402/" target="_blank">Dawn of the Dead</a> respectively. The good Captain faced crazed mass murderers, lethally cursed movies, dream demons and spam-distributing zombies and prevailed with great and hilarious feats of hacking. The <a title="Amazing Cross Dimensional Christmas Special" href="http://secforall.info/2010/12/25/captain-x-ploit-amazing-cross-dimensional-christmas-special/" target="_blank">Amazing Cross Dimensional Christmas Special</a> was a heartwarming mashup of Fox&#8217;s “Fringe”, Dr. Seuss’s “How the Grinch Stole Christmas” and Tim Burton’s “Nightmare Before Christmas” where David and President Ted save Christmas. Sort of.</li>
</ul>
<p>So stay tuned. Maybe we&#8217;ll be a bit more conscientious about blogging at Security For All. Or not. But it will probably be pretty funny and borderline informational.</p>
<p>Oh and be sure to actually go to the <a title="Security For All " href="http://secforall.info">Security For All </a>blog site and check out our annual swell theme change.</p>
]]></content:encoded>
			<wfw:commentRss>http://secforall.info/2011/10/09/security-for-all-is-three-years-old/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/8cb97cf53947d19ef34fcb97961820df?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Joe</media:title>
		</media:content>

		<media:content url="http://www.partykiosk.co.uk/ekmps/shops/domestix/images/happy-3rd-birthday-foil-helium-party-balloons-pack-of-2-4664-p.bmp" medium="image">
			<media:title type="html">happy-3rd-birthday-foil-helium-party-balloons-pack-of-2-4664-p</media:title>
		</media:content>
	</item>
		<item>
		<title>So they exposed your personal info in a breach. Now what?</title>
		<link>http://secforall.info/2011/08/22/so-they-exposed-your-personal-info-in-a-breach-now-what/</link>
		<comments>http://secforall.info/2011/08/22/so-they-exposed-your-personal-info-in-a-breach-now-what/#comments</comments>
		<pubDate>Mon, 22 Aug 2011 21:18:02 +0000</pubDate>
		<dc:creator>Joseph Webster</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[professional]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[PlayStation Network]]></category>

		<guid isPermaLink="false">http://secforall.info/?p=1878</guid>
		<description><![CDATA[And now &#8211; what do I do now? Oh, I don&#8217;t know Oh, I&#8217;m leaving And now, who&#8217;s gonna save me next time? From Now What by Lisa Marie Presley So there you are just minding your own business and chilling on PlayStation Network when&#8230; Yikes! PSN has been breached! And now you and 100 [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" title="Confused" src="http://webjoseph425.files.wordpress.com/2011/08/confused.png?w=100&#038;h=100" alt="" width="100" height="100" /></p>
<blockquote><p><em>And now &#8211; what do I do now?</em><br />
<em> Oh, I don&#8217;t know</em><br />
<em> Oh, I&#8217;m leaving</em><br />
<em> And now, who&#8217;s gonna save me next time?</em><br />
<em> From <strong>Now What</strong> by <strong>Lisa Marie Presley</strong></em></p></blockquote>
<p>So there you are just minding your own business and chilling on PlayStation Network when&#8230;</p>
<p>Yikes! PSN has been breached! And now you and 100 million of your closest friends have been exposed. Now what?</p>
<p>This post on <a title="6 Tips to Protect Your Personal Data After a Breach" href="http://www.credit.com/blog/2011/07/6-tips-to-protect-your-personal-data-after-a-breach/">Credit.com News and Advice has some advice</a> that you might want to check out.</p>
<blockquote><p><em>Data breaches are an everyday occurrence affecting millions of Americans each year.</em></p>
<p><em>Just ask crafters who shop at <a href="http://www.idt911.com/KnowledgeCenter/NewsAlerts/NewsAlertDetail.aspx?a=%7B0FC60ADC-9406-4F21-BACB-1FFFDB7C86CA%7D" target="_blank">Michael’s Stores</a>, <a href="http://www.idt911blog.com/2011/05/game-over-cloud-computing-and-the-sony-breach/" target="_blank">Sony PlayStation Network</a> gamers and investors at <a href="http://www.idt911blog.com/2011/07/feeling-compromised-what-to-do-when-you-get-a-data-breach-letter/" target="_blank">Morgan Stanley Smith Barney</a>.</em></p>
<p><em>They’re all vulnerable to identity theft and other fraud because their personally identifiable information (PII), such as a birth date or Social Security number, for example, was exposed. That information could be used to commit financial fraud.</em></p></blockquote>
<p>Here is a condensation of their 6 tips with my comments (you didn&#8217;t think you&#8217;d get off that easy did you).</p>
<blockquote>
<ol>
<li><em><strong>Review the breached account</strong>. Find out exactly what the pwned data losers (and I mean that quite literally) had of yours that might have been exposed. Forget what they ADMIT to losing and assume they lost it all. That includes not only credit card info but your credentials (login and password) to the site.</em></li>
<li><em><strong>Change all user access credentials</strong>. Change your password on the immediately affected site (DUH!) and then change your password on every other site that uses the compromised password. Now would be a dandy time to quit being an idiot and either get a <a title="Keys to the Kingdom" href="http://secforall.info/2008/09/09/keys-to-the-kingdom/" target="_blank">password safe or use another method to choose strong unique passwords</a> for every site and service you use. If you use the same password for PSN, your bank, YouTube, Facebook and Twitter&#8230; Uh Sorry. Sucks to be you.</em></li>
<li><em><strong>Notify existing creditors of the breach.</strong> MasterCard and Visa are pretty good about dropping fraudulent charges &#8211; if you tell them. The sooner the better. They will likely want to close that card and open a new one. If for some reason you used your debit card online&#8230; Again, Sucks to be you.</em></li>
<li><em><strong>Place a fraud alert on your credit file.</strong> Often the miscreant data losers will pony up for some kind of fraud protection in the wake of a breach. If they don&#8217;t you can &#8211; and should &#8211; set something up on your own. Often your creditors will offer at least limited time versions of these services at no charge. If they don&#8217;t then consider doing business with someone else. Seriously.</em>
<ul>
<li><em><strong>Initial Fraud Alerts</strong> last for 90 days and require potential creditors to confirm the legitimacy of your identity before granting credit.</em></li>
<li><em><strong>Extended Fraud Alerts</strong> last for seven years. Victims of identity theft who provide credit bureaus with an identity theft report like <a href="http://ftc.gov/bcp/edu/microsites/idtheft/" target="_blank">this one</a> are eligible.</em></li>
</ul>
</li>
<li><em><strong>Review your credit reports for any unusual activity.</strong> Credit.com suggests you use <a href="http://www.annualcreditreport.com/" target="_blank">annualcreditreport.com</a> to get free annual credit reports. That&#8217;s not a bad idea, but be wary about some of the extended credit monitoring services offered by the credit agencies. I&#8217;ve had a <a title="Experian Identity Theft Protection = FAIL" href="http://secforall.info/2011/03/25/experian-identity-theft-protection-fail/" target="_blank">less than satisfactory experience with Experian</a> but have had decent luck with Equifax. In any case, no service can substitute for good old due diligence on your part. Pay very close attention to not only your credit card statements, but social security or other government entitlement accounts. In general, make sure you understand every nuance of any statement from any entity that pays or bills you.</em></li>
<li><em><strong>Consider placing a security freeze on your credit report.</strong> This is the nuclear option. Be sure you really understand this before you push that button. Go to ConsumersUnion.org and check out the <a title="Consumers Union's Guide to Security Freeze Protection" href="http://www.consumersunion.org/pub/core_financial_services/005737.html" target="_blank">Consumers Union&#8217;s Guide to Security Freeze Protection</a> before considering this step.</em></li>
</ol>
</blockquote>
<p>So hopefully now you have at least some idea of what to do next. Since there doesn&#8217;t seem to be much hope in preventing these epic data breaches. At least as long as the data losers aren&#8217;t really penalized for their negligence. And before you start feeling sorry for poor Sony just pay attention to the cost of their services over the next few years after they&#8217;ve sucked you back in to PSN to see who really pays. But hey, you can always unplug the PS3 and play Monopoly. Or basketball. With no risk of a data breach.</p>
]]></content:encoded>
			<wfw:commentRss>http://secforall.info/2011/08/22/so-they-exposed-your-personal-info-in-a-breach-now-what/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/8cb97cf53947d19ef34fcb97961820df?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Joe</media:title>
		</media:content>

		<media:content url="http://webjoseph425.files.wordpress.com/2011/08/confused.png?w=300" medium="image">
			<media:title type="html">Confused</media:title>
		</media:content>
	</item>
		<item>
		<title>Captain X-Ploit: Sara and Maxi’s magnificent monetary mischievous maneuver.</title>
		<link>http://secforall.info/2011/08/12/captain-x-ploit-sara-and-maxi%e2%80%99s-magnificent-monetary-mischievous-maneuver/</link>
		<comments>http://secforall.info/2011/08/12/captain-x-ploit-sara-and-maxi%e2%80%99s-magnificent-monetary-mischievous-maneuver/#comments</comments>
		<pubDate>Fri, 12 Aug 2011 19:32:45 +0000</pubDate>
		<dc:creator>Joseph Webster</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[professional]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Captain X-Ploit]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[extraterrestrials]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[Trustonia]]></category>

		<guid isPermaLink="false">http://secforall.info/?p=1856</guid>
		<description><![CDATA[The Adventures of Captain X-Ploit: Sara and Maxi’s magnificent monetary mischievous maneuver. – Part 4 of the epic chronicle – Strangers are just Enemies you haven’t met. After the alien left, restoring time to its usual single dimensional, flowy self, Max and Sara found themselves at the library. Hunched over a computer, Sara was reading her [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://webjoseph425.files.wordpress.com/2010/02/the-adv-cap-x-ploit.jpg"><img class="alignleft size-thumbnail wp-image-1254" title="Captain X-Ploit" src="http://webjoseph425.files.wordpress.com/2010/02/the-adv-cap-x-ploit.jpg?w=90&#038;h=90" alt="" width="90" height="90" /></a></p>
<blockquote>
<p align="center">The Adventures of Captain X-Ploit:<br />
Sara and Maxi’s magnificent monetary mischievous maneuver.<br />
<em>– Part 4 of the epic chronicle –</em><br />
<strong>Strangers are just Enemies you haven’t met.</strong></p>
</blockquote>
<p>After <a title="Captain X-Ploit: Maxwell D. Higgens" href="http://secforall.info/2011/07/15/captain-x-ploit-maxwell-d-higgens/" target="_blank">the alien left, restoring time to its usual single dimensional, flowy self</a>, Max and Sara found themselves at the library. Hunched over a computer, Sara was reading her way through the wiki entries on several celebrities as Maxwell was standing next to her with an awe-filled grin plastered on his face.</p>
<p>“Sara?” he asked, “Yes, Maxi?” Sara responded with a stunning smile on her face. “So like… wow, you’re telling me I can take any of these books and no one would care?” he asked. His fascination with this concept had less to do with the concept of taking things without people caring and more with the concept that other places were supposed to operate differently. Being famous, handsome, and lucky he had never found people to be opposed to him taking whatever he wanted anyway.</p>
<p>“Well, yes… but you have to run them through the little machine over there,” she gestured with a hand, not removing her eyes from the screen, “before you can leave with it.”</p>
<p>“Weird,” Max said trailing off, distracted by a girl walking by. “I think I’ve got all the information I need,” she said snapping Max’s attention back to her.  “So like… what are we doing again?” Max asked, looking confused as Sara began to scribble several notes onto her hand. She smiled at Max without a hint of exasperation even though she’d explained it over thirty times on the way to the library.</p>
<p><strong>Later that day at the bank:</strong></p>
<p>Sara walked in confidently, leaving Max outside to ponder the complex plan. “Hi, I’m Sara Paylyn,” she said to the teller, “and I’d like to withdraw all my monies.”</p>
<p>“Sure thing Mrs. Paylyn, we just need to ask a question. For security reasons, of course.” Sara nodded and the lady began her list of questions.</p>
<p>“What is your pet’s name?”</p>
<p>Sara hastily glanced at her hand and responded quickly “Birstal.”</p>
<p>“Fantastic, Mrs. Paylyn! How much would you like to withdraw?”</p>
<p>Sara pretended to think for a moment before responding “All of it, I think.”</p>
<p><strong>Several moments later:</strong></p>
<p>Sara was standing outside the bank with $4,312,632.13, explaining to Max how she would surely win the contest now, when Max interrupted, “CONTEST!!! Oh man, I love contests&#8230; I wanna be a part of it!” Sara smiled at him wondering if every clone had hacking skill.</p>
<p>“Go for it, Maxi! What’s your plan?” she asked.</p>
<p>Max just shook his head, not wanting to reveal his brilliant plan, and walked confidently into the bank. At the counter the teller looked at him and said, “How can I help you, handsome?”</p>
<p>“Ya, hi, I’m some, like, rich dude and I want to, like, get my money… you know, like, for spending.”</p>
<p>“Okay&#8230;,” the lady said, her smile wavering for a moment, “What’s your name?”</p>
<p>“Maxwe…,” he stopped himself, “ahh… I mean,” his eyes dashed about wildly for a name he could use, “Trisha Smith” he exclaimed with a smile as he read her name tag.</p>
<p>Her eyes went wide for a moment in shock as she responded, “That’s <em>my</em> name, sir… what is <em>YOUR</em> name?”</p>
<p>His eyebrows furrowed in deep thought before reading another name off the business card on the counter. “Emmet Brown” he responded with a smile.</p>
<p>“You’re not Mr. Brown! Mr. Brown owns this bank and you’re far more handsome than he is.”</p>
<p>“I had plastic surgery&#8230;” Max smiled his perfect smile at her.</p>
<p>“Okay, well I have to ask you this question to be sure. What is your favorite color?”</p>
<p>Max puzzled for a moment thinking how to respond before he finally decided to guess at random, “Hot Pink”</p>
<p>Trisha looked astonished, staring at him “Emmet, is that really you?”</p>
<p>“Yes, now, I’d like to take the money please.”</p>
<p>“Of course, sir,” she said shuddering a little, “How much do you need?”</p>
<p>“All of it would be nice,” he responded without hesitation.</p>
<p>“<em>All of the money in the bank?</em>” she asked in amazement.</p>
<p>“Yes.” He responded politely with a smile.</p>
<p><strong>That night at midnight:</strong></p>
<p>Sara and Max were standing waiting for David to appear. Sara couldn’t help but feel a little crestfallen. As much as she liked Max and enjoyed seeing him win, she had only $4 million to her name whereas Max had walked off with the entire contents of the bank. Which happened to be transported at the moment in the truck of a man he had paid $1,000.</p>
<p><em>At least I can still beat David, that smug jerk, </em>she thought as she saw David and Tedward walking up the street toward her.</p>
<blockquote><p><em>At last we&#8217;re back to the hacking contest betwixt David and Sara &#8211; and Maxwell it seems &#8211; with Sara (and Max) using a tried and true exploit against weak authentication. I love the part where Maxi (AKA <a title="Captain X-Ploit: Put your hands together for Sara Boulder" href="http://secforall.info/2011/05/20/captain-x-ploit-put-your-hands-together-for-sara-boulder/" target="_blank">the stupidest life form in existence</a>) is the one to hit the mother-lode by sheer dumb (and I mean that in the nicest way possible) luck. Much like the &#8220;hackers&#8221;, script kiddies and others who are routinely publicized by the panic-stricken (and panic-mongering) popular press. It ain&#8217;t rocket science folks. But it works. Really, really well. I&#8217;m still pulling for <a title="Captain X-Ploit: Strangers are just Enemies you haven’t met. Part 2" href="http://secforall.info/2011/05/06/captain-x-ploit-strangers-are-just-enemies-you-haven%E2%80%99t-met-part-2/" target="_blank">David and his mouse minions</a>, though. How can you not be partial to plans involving cohorts like Mr. Biscuits, Señor Sparkles and Dr. Whiskers?</em></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://secforall.info/2011/08/12/captain-x-ploit-sara-and-maxi%e2%80%99s-magnificent-monetary-mischievous-maneuver/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/8cb97cf53947d19ef34fcb97961820df?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Joe</media:title>
		</media:content>

		<media:content url="http://webjoseph425.files.wordpress.com/2010/02/the-adv-cap-x-ploit.jpg?w=145" medium="image">
			<media:title type="html">Captain X-Ploit</media:title>
		</media:content>
	</item>
		<item>
		<title>Facebook will throw you under the bus</title>
		<link>http://secforall.info/2011/07/21/facebook-will-throw-you-under-the-bus/</link>
		<comments>http://secforall.info/2011/07/21/facebook-will-throw-you-under-the-bus/#comments</comments>
		<pubDate>Thu, 21 Jul 2011 21:35:34 +0000</pubDate>
		<dc:creator>Joseph Webster</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[professional]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Casey Anthony]]></category>
		<category><![CDATA[e-discovery]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[social networking]]></category>

		<guid isPermaLink="false">http://secforall.info/?p=1849</guid>
		<description><![CDATA[Tryin to ruin my name Threw me under the bus Riding all over the town Spreading rumors around Threw me under the bus From Under the Bus by Lolene In my previous post I explained why I left Facebook. Doing so freed up enough time to actually do another bl0g entry so it&#8217;s only apropos [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" title="throw me under the bus now t shirt" src="http://rlv.zcache.com/throw_me_under_the_bus_now_t_shirt-p235733789470023798trlf_400.jpg" alt="" width="100" height="100" /></p>
<blockquote><p><em>Tryin to ruin my name<br />
Threw me under the bus<br />
Riding all over the town<br />
Spreading rumors around<br />
Threw me under the bus<br />
From <strong>Under the Bus</strong> by <strong>Lolene</strong></em></p></blockquote>
<p>In my previous post I explained <a title="Why I left Facebook" href="http://secforall.info/2011/07/10/why-i-left-facebook/" target="_blank">why I left Facebook</a>. Doing so freed up enough time to actually do another bl0g entry so it&#8217;s only apropos that this entry reinforce the idea that Facebook is not your friend. Unless of course your friends are conniving weasels who steal from you and will throw you under the bus in a heartbeat. Like being friends with <a title="Casey Anthony" href="http://www.mahalo.com/casey-anthony/" target="_blank">Casey Anthony</a> (but I digress). If you have friends like that then Facebook is what you are used to. If not then read on.</p>
<p>In this post by the oft quoted (by Security For All at any rate) Sharon D. Nelson, Esq. of the {ride the lightning} blog the following question is asked: <a title="How Much Data is Facebook Giving Law Enforcement Under Secret Warrants?" href="http://ridethelightning.senseient.com/2011/07/how-much-data-is-facebook-giving-law-enforcement-under-secret-warrants.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+sensei+%28Ride+The+Lightning%29" target="_blank">How Much Data is Facebook Giving Law Enforcement Under Secret Warrants?</a></p>
<blockquote><p><em>According to <a title=" " href="http://www.smh.com.au/technology/technology-news/a-new-us-lawenforcement-tool-facebook-searches-20110713-1hcuv.html#ixzz1RyN4Xl2b" target="_blank">Reuters</a>, since 2008, federal judges have authorized at least two dozen warrants to search Facebook accounts to the FBI, the DEA and ICE. The investigations have involved such things as arson, rape and terrorism.</em></p>
<p><em>What interested me most is that these warrants demand a user&#8217;s &#8220;Neoprint&#8221; and &#8220;Photoprint&#8221; &#8211; terms I had never heard before which apparently appear in law enforcement manuals and refer to a Facebook compilation of data that the users themselves do not have access to. So much for Facebook&#8217;s claim that the &#8220;Download Your Account&#8221; button gives you everything that Facebook itself possesses.</em></p>
<p><em><strong>Facebook doesn&#8217;t tell users about the warrants to give them a chance to challenge those warrants legally.</strong></em></p></blockquote>
<p>Yikes! Talk about throwing your users under the bus. And without notice. As Sharon points out even Twitter has a policy of notifying users before they hand over anything to law enforcement. But not Facebook.</p>
<p>And then there is this post by fellow Security Blogger <a title="View all posts by Carole Theriault" href="http://nakedsecurity.sophos.com/author/caroletheriault/" target="_blank">Carole Theriault</a> in the nakedsecurity blog that asks <a title="Does using Facebook put you at more risk elsewhere on the internet?" href="http://nakedsecurity.sophos.com/2011/07/18/facebook-users-trust-risk/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29" target="_blank">Does using Facebook put you at more risk elsewhere on the internet?</a></p>
<blockquote><p><em>The Pew Research Center has shown that the more time you spend on the internet, especially social networks like Facebook and Twitter, the more trusting you become.</em></p>
<p><em>Not just on social networks, but everywhere &#8211; both online and in real life.</em></p>
<p><em>With <a href="http://www.internetworldstats.com/stats.htm" rel="nofollow">30% of the world</a> estimated to be online &#8211; about 80% of North America and 60% of Europe &#8211; and more than half of these users belonging to some social networking site, an increase in trust could have major impacts on how people interact in the future.</em></p>
<p><em>Does this mean that social network users will eventually become a bunch of loved-up hippies? It is really difficult for me to imagine what I would be like if I shed my cynical armour.</em></p>
<p><em>I shouldn&#8217;t really worry: while I study social networks all the time, I am more of a voyeur than a player. Let&#8217;s be honest here &#8211; I find them really scary.</em></p>
<p><em>Many users of social networks seem completely addicted &#8211; they are on there all the time, recording every event of their lives. It just seems so intrusive to me&#8230;and compulsive.</em></p>
<p><em>So the premise is that people on Facebook are more trusting than other internet users, and MUCH more trusting than non-internet users.</em></p>
<p><em>It seems clear to me that if Facebook users are genuinely more trusting, they are more at risk of online scams, both on and off social media sites.</em></p>
<p><em>Maybe research like this proves that <strong>social networking sites like Facebook and Twitter need to show greater interest in educating their users about being safe online</strong>.</em></p>
<p><em>One could argue that they <strong>should proactively protect their community against commonly encountered threats</strong>.</em></p></blockquote>
<p>I agree that it would be swell if Facebook showed a <em><strong>greater interest in educating their users about being safe online </strong></em>but from where I sit I&#8217;ve only seen an interest in exploiting their users. But it is a great interest.</p>
<p>To borrow a soundbite (in spite of the lack of audio in this blog) from former First Lady Nancy Reagan, Just say No! to Facebook. Or friend Casey Anthony.</p>
]]></content:encoded>
			<wfw:commentRss>http://secforall.info/2011/07/21/facebook-will-throw-you-under-the-bus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/8cb97cf53947d19ef34fcb97961820df?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Joe</media:title>
		</media:content>

		<media:content url="http://rlv.zcache.com/throw_me_under_the_bus_now_t_shirt-p235733789470023798trlf_400.jpg" medium="image">
			<media:title type="html">throw me under the bus now t shirt</media:title>
		</media:content>
	</item>
	</channel>
</rss>
