Wednesday, April 08, 2009

Microsoft security: Adobe is the problem

Adobe Flash is buggy and ubiquitous, and Adobe's PDF product also has plenty of issues. On the other hand Microsoft invests heavily in security, and Vista is much more secure than XP.

So it's not surprising Microsoft's biggest headaches come from Adobe ...

MS blames non-Redmond apps for security woes • The Register

... Which flaws feature in attacks, and their severity, are a much better guide to risk than simply counting the number of vulnerabilities. Microsoft-related problems were held responsible for six of the top 10 browser-based vulnerabilities attacked on machines running Windows XP in the second half of 2008, compared to none on PCs running Windows Vista. The most attacked vulnerabilities involved a flaw in Windows graphics rendering engine (MS06-01) and a RealPlayer console vulnerability. An Adobe Flash vulnerability was the single most common way of attacking Vista machines, with the RealPlayer console flaw cropping up at number three...

... evidence from Microsoft suggests that Vista is more resistant to malware. The infection rate of Windows Vista SP1 is 60.6 percent less than that of Windows XP SP3, the software giant reports....

Does the 60% number adjust for OS prevalence?

Flash is a problem for OS X too, but in practice crooks don't bother with OS X. It's the old story. When being chased by a bear, you don't have to outrun the bear. You just have to outrun your friend.

With IE 8 and Vista/Windows 7 new Windows boxes will be much more secure - if Flash is out of the picture. Now if Microsoft can just kill Adobe ...

PS. The problems with Flash security are another reason we don't want Adobe writing a Flash client for the iPhone.

Tuesday, April 07, 2009

AT&T is a partner to phone scams that target the vulnerable elderly

Just because we’re sorting through the wreckage of cosmic financial frauds doesn’t mean the everyday kind has taken a vacation.

Eleven years ago “Webtel” and “Netfill” were two billing entities used in one of the first worldwide large scale small transaction credit card scams. It’s worth noting that the secret of that con was the crooks created a legitimate bank, and used banking authority to pilfer credit card numbers.

The old scam has a companion set of scams that run against phone customers. Once phone companies moved into the financial transaction business, they’re also got in bed with the lice that prey on the elderly (probably using the dial-a-victim services sold by Wachovia Bank and Info-USA). Like MasterCard and Visa, AT&T, of course, makes its dime whether the transaction is legit or criminal.

These phone service scams are known as “cramming”, and the FCC has a resource on how to respond.

In this case two of my elderly relatives are victims of a company that calls itself “OAN Services”. They're not the only victims …
My vigilant aunt noticed a $14.95/month “OAN Services” charge appearing on her AT&T residential phone bill. She was told it was requested by “John Beale on the internet” (unknown to my relatives).

At the same time she found a charge for “Enhanced Services Billing Inc”, also for $14.95. That was supposedly requested by my non-computer-using uncle via email.

Enhanced Services Billing has its share of victims:
AT&T was no help. They claim they're not responsible for these charges, and my aunt should deal with them herself. It’s the same response they give every victim of these scams.

The 2005 ESBI report has the most details on one front of this operation. From that we learn ..
… Enhanced Services Billing, Inc. (“ESBI” or “Company”), a Delaware corporation, whose principal address and telephone number are 7411 John Smith Drive, Suite 200, San Antonio, Texas 78229-4898, (210) 949-7000…

… Enhanced Services Billing, Inc., 10500 Heritage Blvd Ste 200, San Antonio, TX 78216-3631, (210) 949-7000

this site [jf: FCC cramming page] about cramming to be helpful. It even led me to this pdf file here. While I was there, I could read all about Enhanced Services Billing Inc, and the settlement agreement they signed. More specifically, I might note that it was a "Stipulated Final Judgment and Order For Permanent Injunction and Other Equitable Relief." This enjoins the defendants (including Enhanced Services Billing Inc.) from "violating Section 5 of the FTC Act, 15 U.S.C. … 45(a)." Where all the relevant parties have signed, I can see that a man named Joseph W. Webb, at the "John Smith" address above, is the president of the company. The agreement was likely signed by him either May 9th or May 10th of 2001, a date which also seems to fit with the "John Smith" address. You'll see his signature on Page 34 of the pdf. So thanks, FTC, I feel my tax dollars were put to good use.

The FTC comes through again with this article, also from 2001, about how the scam works. Turns out Enhanced Services Billing Inc is a billing aggregator. I'll let the FTC tell you what that is:
ESBI and BCI each served as "billing aggregators." Billing aggregators open the gate to the telephone billing and collection system for vendors, and act as intermediaries between the vendors and the local phone companies, contracting with the local phone companies to have charges on behalf of their client vendors placed on consumers' telephone bills and to have the local telephone companies collect those charges from consumers. Once the charges are collected by the phone companies, the billing aggregators, after taking their fee, pass the revenues back to their client vendors.
Referencing the pdf noted above, to which Enhanced Services Billing Inc stipulated, the FTC asserts the following:
-that ESBI falsely represented that consumers were legally obligated to pay charges on their telephone bills for web sites and other items they had not ordered or authorized others to order for them;

-that ESBI unfairly attempted to collect - or arranged for local phone companies to collect - payment of charges from consumers for web sites and other items they had not ordered and that consumers were unable to prevent ESBI from causing such unauthorized charges to appear on their phone bills;
… Just ask Dr. Leonard Saltzman, whose eight year odyssey against Enhanced Services Billing Inc ended with an October 2005 settlement agreement from the company. To summarize, the fraudulent billings began in 1997. Enhanced Services Billing Inc got a claim for restitution dropped in August 2000. In October 2001, summary judgment was granted in favor of the company, because "knowingly receiving benefits from someone else's fraud was not covered under section 2 of the Consumer Fraud Act." Dr Saltzman appealed, leading to a reversal in June 2004. A fairness hearing for the proposed settlement was held on October 21, 2005.
So this company has been running these scams for 12 years.
12 years.

If you Google on the number “210-949-7000” you find it was also used by “Billing Concepts, Inc” located at “John Smith drive” (recall that the summary judgment above was signed by “John Smith”, a search on “ABRY Partners” and “fraud” is illuminating. I also suggest a search on “Parris Holmes” and “Fraud” which reveals a 1996 SEC civil action against him.
Address:
7411 John Smith Drive, Suite 200
San Antonio, Texas 78229-4898
Telephone: (210) 949-7000
Fax: (210) 696-0270
http://www.billingconcepts.com

Wholly Owned Subsidiary of ABRY Partners LLC
Incorporated: 1985 as U.S. Long Distance Corporation
Employees: 115
Sales: $10 million (2004 est.)
… Utilizing state-of-the-art systems technology, Billing Concepts built a platform enabling the future of billing, clearing and settlement services including authentication and authorization, mediation, invoicing, collection and settlements. Billing Concepts, Inc. (BCI) offers outsourced billing solutions through a wide range of proprietary LEC processing products and wireless Internet clearing and settlement services.
Key Dates:
1985: U.S. Long Distance Corporation founded; Billing Concepts is a subsidiary.
1988: Billing Concepts Corporation is launched as separate company.
1998: Company acquires CommSoft.
1999: Company spins off three divisions as Aptis.
2000: Company acquired by Platinum Equity Holdings; becomes Billing Concepts, Inc.
2003: ABRY Partners acquires company.
2004: Company is merged with ACI Billing Services, Inc., under the ABRY umbrella.
… Billing Concepts, Inc. (BCI) bills itself as the "authentic, proven, trusted" billing clearinghouse for the telecommunications industry. Together with ACI Billing Services Inc., Billing Concepts forms the Billing Services Group of parent ABRY Partners LLC, providing a comprehensive billing system that collects long distance charges from telephone users on behalf of more than 1,300 local telephone companies.
The company also provides these services to wireless carriers and Internet Service Providers (ISPs). One of the fastest growing and most profitable companies of its kind in the late 1990s, Billing Concepts was streamlined and restructured in the early 2000s when its software businesses were divested and the billing operations and company moniker were acquired by the investment firm of ABRY Partners.
While the telecommunications industry was taking shape, in 1985 Parris H. Holmes, Jr., invested $50,000 to start a small pay-phone business in his Houston garage…
… From 1993 to 1995 the company offered enhanced clearinghouse billing and information management services to other businesses, including providers of telecommunications equipment and information, as well as other providers of nonregulated communication services and products (for example, 900 access pay-per-call transactions, cellular long distance services, paging services, voicemail services, and equipment for Caller ID and other telecommunications applications). The billing of nonregulated telecommunication products and services became a significant factor in the successful evolution of USLD's business. Revenues grew steadily reaching $33.16 million in 1992, $46.46 million in 1993, $57.75 million in 1994, and $80.85 million in 1995.
… Holmes remained Chairman/CEO of USLD until June 1997. "I felt like the separation process had been completed," said Holmes in a December 1997 interview with Diane Mayoros in the Wall Street Corporate Reporter. "It was a natural progression to move on to focus my time and energy" as chairman and CEO of Billing Concepts Corporation…
.. On January 30, 1998, BCC distributed a one-for-one stock dividend to its shareholders of record. During the third quarter, actions by the FCC and the Regional Bell Operating Companies on "slamming and cramming" issues led to a temporary interruption in the revenue growth of BCC's business…
… BCI remained the leading force in LEC billing. In August 2004, BCI integrated traffic from its sister company, ACI Billing Services, to a common platform. The result meant that the two companies were capturing about 85 percent of the LEC billing market…
Of course AT&T gets revenue from these companies. They’re not incented to shut them down, and they don’t have the corporate spine to resist. AT&T doesn’t have to actually break the law, they can just sit back and let small fry do their dirty work.

Between SMS spam marketing and rebate scams and this foul business AT&T is very much in the spirit of our age.

Which brings us back to the Depression of 2009, and my 128 posts on fraud.

We have far too much fraud in our world. Big fraud, small fraud and every size between. We know we can’t eliminate fraud – it’s as old as biology! We can’t eliminate it, but somehow, some way, we have to beat it back.

It’s out of control.

Update: Based on what my aunt told me and this article I think one scam may work like this ...
  • Crooks set up a web site that offers "free" shopping coupons in return for signing up with the service by providing a phone number
  • Other crooks (accomplices and freelancers) sign up for the (worthless) coupons and provide a legitimate phone number (in this case, my relatives) and information including fraudulent email addresses, etc.
  • The charges appear on phone bills.
  • If the fraud is not detected, ESBI and other accomplices pocket the money.
It also appears from comments on the 2007 post that you can request a "password" on your AT&T account that will prevent anonymous cramming.

Update 4/10/09: Dustbury.com reveals an important detail; when calling the semi-legit crooks processing the transactions created by other crooks/accomplices and demanding a refund for fraudulent purchases, you request a confirmation number that you then provide to AT&T. AT&T will then recommend filing a police report of identity theft.

Again, AT&T is the corporation we should be going after. They have the power to change this scam.

Update 5/30/09: My aunt has sent on some f/u notes, which I've attached as comments to this post under my name. AT&T continues to point their finger at the FCC.

I'm guessing that's a convenient out for them. I'd be much more impressed if they'd actually lobbied one of their pet Senators to change the law. If they haven't done that they're complicit.

AT&T simply discards any complaint letters they received, so I recommend letters to your state District Attorney and to your state Senator and/or Representative. I also recommend switching away from AT&T if you can. Maybe if Verizon gets the iPhone...

AT&T also tells my aunt that the third party blocks have no effect and they don't are about confirmation numbers provided by the crammers.

Meanwhile the 2007 My Little Corner post continues to receive comments.

What we really need is for a US Senator to start getting cramming charges through AT&T. That tends to get some action...

The Obama difference

It's good to have a leader who's not universally despised ...
Op-Ed Contributor - No Hurt Feelings in Germany - NYTimes.com 
... I can’t remember ever seeing Angela Merkel smile at anyone the way she smiled at him in the photographs from the dinner at 10 Downing Street. Likewise, the images coming out of Baden-Baden on Friday evening make clear that whether she and the president are reviewing the parade together, meeting selected citizens or fielding questions from the press, the chancellor, too, has come down with an unequivocal case of Obama fever...

What stands between us and GD II

If not for what we've learned, we'd now be reliving the Great Depression ...
It’s 1930 time - Paul Krugman Blog - NYTimes.com

.... What Eichengreen-O’Rourke show, it seems to me, is that knowledge is the only thing standing between us and Great Depression 2.0. It’s only to the extent that we understand these things a bit better than our grandfathers — and that we act on that knowledge — that we have any real reason to think this time will be better...
Except it would much worse today. The world population in 1930 was 2 billion, now we're about 6.8 billion. Our resources are more depleted, we're more dependent on agricultural trade. The cost of Havoc, of weapons of mass destruction, is far lower than in 1930.

We're not smarter than the leadership of 1930. We have the advantage of their mistakes, and the fortune that the GOP is out of power.

Sunday, April 05, 2009

The twilight of voice mail

Kudos to the NYT for identifying a dying technology ahead of the commentariat. Voice mail is joining the telegram: For Some, Voice Mail Is Losing Its Allure.

I've always disliked voice mail, but I hadn't realized I had so much company.

Like these people I give corporate voice mail low priority. It's rare to have anything useful there -- typically recruiters. The best messages are from our front desk, reminding me to pick up a package. (Home voice mail/answering machines are still important, but that's where Google Voice comes in.)

Between instant messaging, email, mobile phones, Google Voice, and automated transcription corporate voice mail is obsolete.

Corporate voice mail's passing was preceded by the telegram, is accompanied by the expiration of postal mail and newsprint, and is survived, to the bemusement of horror of geekdom, by the immortal fax machine.

Saturday, April 04, 2009

The danger of the right, and the Canadian solution

Start by understanding that the American right is overwhelmingly driven by white men who see their gender and pigment privileges disappearing. Then remember that violence is as American as apple pie.

Add in 20+ years of economic regression for white men without a college education. Then add loss of home value, collapse of retirement funds, decreasing access to health care, increasing unemployment ...

Now see why we need to be genuinely concerned ...
Pitchforks and Pistols - Charles Blow - NYTimes.com

... At first, it was entertaining — just harmless, hotheaded expostulation. Of course, there were the garbled facts, twisted logic and veiled hate speech. But what did I expect, fair and balanced? It was like walking through an ideological house of mirrors. The distortions can be mildly amusing at first, but if I stay too long it makes me sick.

But, it’s not all just harmless talk. For some, their disaffection has hardened into something more dark and dangerous. They’re talking about a revolution.

Some simply lace their unscrupulous screeds with loaded language about the fall of the Republic. We have to “rise up” and “take back our country.” Others have been much more explicit.

For example, Chuck Norris, the preeminent black belt and prospective Red Shirt, wrote earlier this month on the conservative blog WorldNetDaily: “How much more will Americans take? When will enough be enough? And, when that time comes, will our leaders finally listen or will history need to record a second American Revolution?”...
We need a way to divert or reduce the violent potential of the American right. We should examine the record of aggrieved tribes in other settings. It's easy to come up with example of things going very badly (talk radio was very big there), but are there examples of the alternative?

I'd suggest a close look at Canada.

Whenever Canada has a rage problem, the government appoints a Royal Commission of worthies to tour the nation. They don't wear powdered wigs any more, but they might as well. They're all trained to speak in boring drones, and they can speak and sit endlessly. After months of wandering about, by which time even the most deranged can't keep their eyes open, the Commission drops off a thirty pound document which nobody will ever read. (In fact it's always the same document, but no-one's noticed.)

We need a Commission on the tribal rage of the American right. Let the droning begin.

Update: Other ideas? Rupert Murdoch probably doesn't favor widespread violence. Will he ask his newspapers (including Limbaugh's Wall Street Journal) to provide factcheck.org style refutation of right wing rumors?

Wednesday, April 01, 2009

Best of the day - The Tweeting Guardian

One of the very best of the day's efforts, from the Guardian ...
Twitter switch for Guardian, after 188 years of ink | Media | The Guardian

... A unique collaboration between The Guardian and Twitter will also see the launch of Gutter, an experimental service designed to filter noteworthy liberal opinion from the cacophony of Twitter updates. Gutter members will be able to use the service to comment on liberal blogs around the web via a new tool, specially developed with the blogging platform WordPress, entitled GutterPress.

Currently, 17.8% of all Twitter traffic in the United Kingdom consists of status updates from Stephen Fry, whose reliably jolly tone, whether trapped in a lift or eating a scrumptious tart, has won him thousands of fans. A further 11% is made up of his 363,000 followers replying "@stephenfry LOL!", "@stephenfry EXACTLY the same thing happened to me", and "@stephenfry Meanwhile, I am making myself an omelette! Delicious!"...

Earlier Steven Fry is compared to Madonna.

This one wins for the blend of British humor, topical news (death of newspapers, inane twitter) and good writing. The Guardian is great.

Gmail Autopilot powered by CADIE

Gmail autopilot is one of the half-dozen or so Google CADIE themed jokes today.

They're all very good, including CADIE's 3 post blog (from Panda's to post-singular in 4-5 hours - were the blog comments machine generated?).  Part of what makes them good is they're more credible than I would prefer. On the one tentacle they're obvious jokes, not "are they serious?" teasing. On the other tentacle they're written by people who are thinking about how one would create CADIE.

Gmail autopilot is particularly believable. It's not hard to imagine something very much like it before 2020. Indeed, it may be inevitable. Look for auto-generated Tweets later this year ...

Tuesday, March 31, 2009

Don't take passport forms to Post Office

Our daughter needed a passport renewed. This used to be a small thing, but in its great wisdom Congress decided both parents must be present during renewals.

So the entire family went to our local post office before the start of school. The post office "passport person", unfortunately, was not so prompt. She was late for work. So we aborted that one.

We tried again another day - at mid-day. This time the passport person was out to lunch.

It's not a new problem. Five years ago, in a previous renewal, the "passport person" was on vacation when we drove out to the post office.

Mercifully, the morning of the latest Fail, a friend had mentioned a passport center near our office. So we ended up at a regional passport center. In addition to doing renewals they take pictures; that was fortunate because our daughter wore a headband in her Kinko's passport picture -- and that's not permitted. It had to be retaken.

The bottom line -- don't bother with the Post Office if there's a regional passport center you can get to. If you can get through to the national number (good luck) they supposedly do reservations.

Oh, and bring a checkbook too -- they don't take credit cards.

Lessons from Outlook 2007 Notes colors

Enthusiastic web sites promote Outlook 2007 category colors as a feature for Notes ...

Customize Notes In Outlook 2007 ~ Windows Fanatics

... Another option you have for customizing notes is to categorize them by assigning color categories. If you have a large number of notes, this can be a great way of organizing them...

Clearly the author of this me-too web site never actually used this feature. It's unusable.

Here's why. In prior versions of Outlook color attributes were unrelated to categories. In Outlook 2007 color attributes became a property of a category.

This worked well for most aspects of Outlook. The color attribute is displayed in some parts of the UI, but not in the text field.

Notes, however, get the color background on the text field. The resulting text/background color combinations are hallucinogenic. This means Notes can no longer have categories.

The obvious fix would have been to apply the Category color to the notes header -- but that would have required editing the source code for Outlook Notes. I suspect that code is obfuscated assembler and it hasn't been touched in fifteen years.

Since only uber-geeks and Palm users ever use Outlook Notes, much less assign Categories to them, Microsoft chose to sacrifice the Category feature of Notes.

I have to admit it's a rational decision.

Sigh.

Sunday, March 29, 2009

The cracked Netflix DVD problem

A 2008 Netflix Community complaint about broken DVDs didn't attract much sympathy. The respondents claimed Netflix was blameless, and any problems were the fault of the USPS and the recipient.

I don't buy it. About 15% of our child-audience DVDs are cracked or unplayable, but we rarely see problems with adult DVDs (admittedly a much smaller sample, most of our rentals are for younger children).

If it were the USPS the damage rate would be similar, and we don't handle the disks differently.

I suspect Netflix is skimping on their testing and quality control -- a sure way to save money.

This is a problem. Sure Netflix will reissue a replacement, but that's worthless for us. We just return the broken ones.

So now we're looking for alternatives. I'm not sure there are any when it comes to children's material, but we'll take a second look at Amazon and Apple. We could look at Netflix's streaming offerings, but then we'd be rewarding bad services. Humans are programmed to punish cheaters ...

Why the EU can't do stimulus programs

If Paul Krugman has a weakness, it's that he doesn't work very hard to explain why governments don't want to follow his (well reasoned) recommendations.

The NYT's coverage of the ceremonial G20 meeting has the first justification I've read of why the EU doesn't feel able to do an economic stimulus package ...
Obama Will Face a Defiant World on Foreign Visit - NYTimes.com

... Compounding the problem for Mr. Obama is that the route that he has chosen to lead the United States out of the mess — heavy government spending — is not available to many other countries. European governments, for instance, are far more lukewarm about enormous stimulus programs because they already have strong social safety nets, and more fears of inflation, than does the United States...
Our social safety net has been destroyed by 12 years of GOP obstruction and 6 years of total GOP control. So even rebuilding it partially is a huge governmental economic stimulus. The EU can't double government spending programs because then the government would be most of the economy.

The can do the modern equivalent of printing money, but that may be a lot harder to do with a single currency spread across very diverse nations.

Reporter is tasered - interesting video

A local reporter is voluntarily tasered. If one skips the tedious intro it's a 15 second video demonstration. I don't know if the setting used on her is explained (sorry, skipped ahead) -- I assume it was on the low side.

Hardly novel, but this is the first one I've seen where the volunteer is a middle-aged female. She described it as feeling like a "blowtorch" was turned on her, but claims to return quickly to normal.

Worth seeing one of these at least once. I hadn't realized how quickly a tasered person would return to full power; that might explains some of the repeat tasering episodes associated with injury and death.

Financial Times - Satirical 2020 edition

Via Monbiot, I find: Financial Times 2020 - FT 2020.com. It's an Onion-style (ok, not as good as The Onion) satire of the Financial Times. Monbiot says it will be offline soon, so get it while you can. (In the US I think obvious satire is protected speech, but maybe not in the UK.)