Jean-Jacques Halans ‹› Afterhours

Archive for the ‘Featured’ Category

Getting “Londoned” – losing your email account

Monday, March 29th, 2010

This is a collation of last week’s interesting APWG mailing-list thread on getting “Londoned”: when your GMail/Facebook/… account is compromised and all your contacts get a message like:

Hello!
I’m sorry I didn’t inform you about my traveling… am presently in London, United Kingdom on short vacation and as i write to you now.. its unbelievable am stuck here,got mugged at gun point on my way to the hotel and my money,credit cards,phone and other valuable things were taken off me at gun point, thanking Almighty God for save keeping my passport., i really need your urgent assistance quickly ? I JUST NEED SOME FEW HUNDREDS $$$ TO SORT OUT MY HOTEL BILLS AND i promise to refund it back to you once i get home cause i still have some cash in my account but i cant access any here right now ,already canceled all my cards immediately after the muggers took my things off me!!! still at the public internet library where am making use of the free internet access, i will forever be grateful if you can help me,Waiting to hear from you quickly cos my flight leaves in few hrs but need to sort the hotel bills and please save me from been embarrassed.

Thanks.
<your name>

Names and places change of course.

The advice given:

1. When your email account is compromised, assume all your accounts are compromised. Most often the way to get back a lost password is through your email account.
2. Try to reset as many passwords as you can PLUS reset the password reset questions. If possible give an unlikely answer (but one you can remember). If you get the option to set up your own question, use an unlikely question.
3. Get in touch with the abuse@ teams at any accounts where you know of compromise. Facebook is familiar with these scams and can undo a lot of the messages being sent around.
4. Contact your close friends and family to notify them of what happened (mere acquaintances probably won’t send money), since you’d feel foolish if one was conned.
5. If the password was weak, assume it was guessed. Make sure your new password is a lot stronger (test it at this online Microsoft Password Checker).
6. But if the password was strong then it may have been stolen from somewhere else it was used; so you will need to address that. Try to use unique passwords for different services. Your Facebook password should not be the same as your email password for example.
7. If the password was strong and uniquely used, then you need to look for a keylogger somewhere it was used. Think of every machine you logged in from: at home, at work, some PC at an internet cafe? Then reset the passwords from a secure machine! Make sure you update your anti-virus and run a virus scan (and preferably use a couple of anti-malware scanners too).
8. Time is of the essence. The scammers will try to get as many people to pay up in as short a timeframe as possible. Often they will sell your account information to specialised organisations. And they will try to move the conversation to another email account.

Google then posted an article on how they try to detect suspicious account activity and allow you to deal with it.

A follow-up message might look like:

OMG!!! l’m  so glad to hear back from you.  £950 GBP will cover all my expenses including my taxi fee to the airport, I promise to refund it to you as soon as I arrive home. You can wire it to my name  via a western union agent near you for security reasons cos the name  written below is whats on my passport and that can be a mode of identification to pick up the cash at a western union down the road here  (faster and more secured).

Here are the details you need to get it to me:

Name:<your name>
Address: 5 Irving Street, London WC2H 7AT
Country:United Kingdom.

I still have my passport so I can use it as identification get back to me with transfer details and the confirmation number # to pick up the money with my passport also scan receipt you will receive from the western union canter let me know if you are leaving to WU now.

The value is usually chosen to be below floor limits where strong identification (like a passport) is needed, and as it is sent via Western Union, the address is meaningless, as the money can be picked up at any outlet in the UK.

I hope this helps anyone who has fallen victim.

Reputation as a Service

Wednesday, April 1st, 2009

I don’t remember who it was they were quoting yesterday morning at Sun’s Let’s Talk breakfast presentation on Cloud computing, but Facebook being defined as “Friendship as a Service” kinda made sense.

In which case LinkedIn would be “Reputation as a Service”, I guess, and as Reputation Management as a business slowly starts to take off (as a specialization of SEO), this service could well be considered “Reputation as a Service” too: SocialRecommendator.com. Give it some information like a name, company name, position,… and it generates a randomised recommendation for use in endorsements on sites like LinkedIn or Xing (refresh to get another one).

It even sort of has an API, returning plain text:
http://socialrecommendator.com/recommend.php?name=aname&gender=M&positionTitle=atitle&positionDescription=adescr&positionType=sometype&companyName=acompany&domain=aspecialtydomain

A saphe Xmas

Saturday, November 22nd, 2008

The Xmas season is upon us, as evidenced by the Xmas trees appearing in shopping malls and the Xmas promotions filling up our (e-)mailboxes. One such Xmas promo is PayPal’s (Australia). If you’ve got a PayPal account, you probably received it too. It sends you (after going through their email tracking system on http://email1.paypal.com/) to a motion sickness inducing Flash app, which allows you to scroll horizontally through their promos. Check it out (keep a bag or a bucket at hand)! I do like that scrolling effect on CoolIris, but not so much here. But that’s actually another discussion.

Check out the URL: http://122.201.77.222/paypal-offers.com.au/
You get redirected if you’d go to http://www.paypal-offers.com.au/. Is this really PayPal?
Now, go to http://www.paypal.com.au/, just to make sure you’re at a PayPal site. What, no mention of any PayPal offers or promotions?

There’s a couple of things wrong here:

First off, is it really that hard to configure a server/DNS to get paypal-offers.com.au to show the PayPal offers? Why the redirect (in addition to their email redirect through http://email1.paypal.com/)?

Second, there is no integrated marketing plan, having the PayPal offers linked from the main PP site to this offers site (as of the mailing’s date). Why have a separate and totally different address for the offers to begin with? It dilutes the brand. Why not use offers.paypal.com.au, or paypal.com.au/offers? I know, often the marketing department lives on their own little island within a company, and things outside of their island don’t move as fast as they would like. Still, they should have access to this sub-domain, their little corner of the PP site.

But thirdly, an unforgivable, stupendous error, the URL: an IP address,… with the domain appended (for good measure, the same page appears without the appended domain name). Djezus people, this is a financial services site. PayPal must be one of the brands most targeted by phishing out there. PayPal should not be spreading around these types of URLs. And I can’t verify from the main PP site that it is a PayPal controlled domain either, as it isn’t an integrated campaign.

From their own Phishing Guide:

“Fake Links. Many phishing emails have a link that looks valid, but sends you to a fraudulent site that may or may not have an URL different from the link. Always check where a link is going before you click. Move your mouse over the URL in the email and look at the URL in the browser. As always, if it looks suspicious, don’t click it.”

“Deceptive URLs. Be cautious. Some fraudsters will insert a fake browser address bar over the real one, making it appear that you’re on a legitimate website. Follow these precautions: Even if an URL contains the word “PayPal,” it may not be a PayPal site. Examples of fake PayPal addresses: http://83.16.123.18/pp/update.htm?=https://www.paypal.com/=cmd_login_access, www.secure-paypal.com”

Yes, I do think paypal-offers.com.au is a legitimate PayPal offers site, it does not ask for login details, though it does link to the PayPal signup page. Looking through the email’s source code does not reveal fake domains or IP addresses, all links pass through the email1.paypal.com domain. The domain is registered by PayPal Australia Pty Limited, hosted at Net Logistics in Sydney. But it is child’s play to register paypal-specials.com or whatever, show fake offers like they do here, and ask the user to login to take advantage of these offers. It is incomprehensible that an online-only, financial company like PayPal, and their marketing division, would do such a thing.
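The warning signs from PayPal’s own guide quoted above (an IP-literal host, the brand name in a look-alike domain, a genuine-looking address smuggled into the path or query) can be checked mechanically before clicking. The following is an added example for this page, not code from PayPal or from this blog; the allow-list of domains PayPal controls and the crude suffix handling are assumptions.

```python
"""Flag URLs that match the warning signs in PayPal's phishing guide.
Added example; the allow-list and suffix table below are assumptions."""
from ipaddress import ip_address
from typing import List
from urllib.parse import urlsplit

# Assumed allow-list of registrable domains the brand actually controls.
LEGIT_DOMAINS = {"paypal.com", "paypal.com.au"}
BRAND = "paypal"
# Assumed subset of two-label public suffixes (enough for the hosts on this page).
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: 'www.paypal-offers.com.au' -> 'paypal-offers.com.au'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True for hosts like '83.16.123.18' (IPv4 or IPv6 literal)."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_url(url: str) -> List[str]:
    """Return the reasons a URL looks suspicious; an empty list means no flags."""
    # Bare hosts like 'www.secure-paypal.com' need a scheme to parse correctly.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    if is_ip_literal(host):
        # A real brand serves from its own domain, not a raw address.
        reasons.append("ip-literal host")
    elif BRAND in host and registrable_domain(host) not in LEGIT_DOMAINS:
        # 'paypal' appears, but the registrable domain is not one PayPal owns.
        reasons.append("brand name in look-alike domain")
    # Brand name pushed into the path or query, e.g. /paypal-offers.com.au/
    # or ?=https://www.paypal.com/, to make the address bar look right.
    if BRAND in (parts.path + "?" + parts.query).lower():
        reasons.append("brand name in path or query")
    return reasons


# The URLs discussed on this page, run through the checker.
PAGE_URLS = [
    "http://122.201.77.222/paypal-offers.com.au/",
    "http://www.paypal-offers.com.au/",
    "http://www.paypal.com.au/",
    "http://email1.paypal.com/",
    "http://83.16.123.18/pp/update.htm?=https://www.paypal.com/=cmd_login_access",
    "www.secure-paypal.com",
]

if __name__ == "__main__":
    for u in PAGE_URLS:
        print(f"{u}\n    {check_url(u) or 'no flags'}")
```

Note that paypal-offers.com.au is flagged as a look-alike even though the author concludes it is legitimate: nothing in the URL itself proves that, which is exactly the complaint made above.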

Be saphe online this Xmas!

PS: I submitted the URL to PayPal as a suspicious URL. The process is confusing, and as of now I still don’t know if my submission got through. I did not receive an (automated) email back (maybe thanking me for taking the time to submit a suspicious URL?).

Tackling Social Poverty – Blog Action Day

Wednesday, October 15th, 2008

Poverty manifests itself in different guises. When we think of poverty, we immediately recall a homeless person or a malnourished African child, a reflection of economic poverty. Social poverty is the result of a lack of social capital. As per J.D. Lewandowski, “the concept of social capital refers to the networks of social trust and social connections that serve to enable individual and collective actions in a given social structure or society.” Social exclusion is often a cause of poverty, conflict and insecurity. Improving social inclusion increases one’s well-being, mentally as well as economically.

The Internet has enabled a way of social interaction and connections which facilitate the kinds of action that “make democracy work” (Robert Putnam). It enables freedom of movement up and down the socio-economic and cultural ladder through social participation and human development. It offers economic opportunities and access to public and social services.

On the Internet, everyone can be anyone, and social division becomes a non-issue (though actually new social divisions are constantly being created, on a different level – are you on MySpace or Facebook?). In fact, “on the Internet, nobody knows you’re a dog” (Peter Steiner’s cartoon). Another joke goes “Give a man a fish and you feed him for a day; teach him to use the Internet and he won’t bother you for weeks.” But that man might rise up to be the next Internet millionaire. Access to the Internet is an instrumental right for the improvement of people’s capability. Missing out restrains personal growth. That’s also why governments provide libraries, and Internet access at libraries. It gives people access to knowledge, but libraries are a less than ideal environment for social interaction. Bringing the Internet closer to the community, closer to home, empowers people to take control of their own social network (online and offline). That’s where Free Sydney Wireless (Free Australia Wireless) fits in. By providing free Internet access, through a shared connection, we try to bridge the social divide in our own community, closest to us. This hardly costs us anything extra, as we already pay for Internet access. This is our small contribution to tackling social poverty.

The growth of social networking and user generated content reflects the deep rooted need of people for self expression, social interaction and peer validation. People sharing without personal financial gain. As they do, others do. Or so we hope anyway.
What are you waiting for, why not get involved?

Good times are coming

Sunday, September 14th, 2008

Looking forward to next weekend already. In just over a week Web Directions South, the major Australian Web development conference, kicks off with 2-day workshops and a 2-day conference at the Sydney Expo in Darling Harbour.

The traditional Port80 pre-Web Directions South (night before the conference) drinks are on again on September 24th, 6.30pm at the Harlequin Inn, with a sponsored bar-tab (thanks Clever Starfish, Radharc and Free Australia Wireless):

Harlequin Inn
Cnr Harris & Union Streets
Pyrmont NSW 2009

After a 12 month hiatus, Webjam v8 is back for a splendid night of quick-fire presentations of new, innovative web projects, September 25th, the first evening of the WDS conference. If you haven’t registered yet, do it now, ’cause places are limited and sure to fill up quickly! And while you’re at it, why not register to pimp your project! Upstairs at Bar Broadway at 7:30pm.

Bar Broadway
Cnr Broadway & Regent Streets
Ultimo NSW 2007

And Web Directions’ closing night party is on September 26th, over two big floors, from 5.30 till late, at the Shelbourne Hotel.

But first, next weekend, right before Web Directions South, Oz-IA, Australia’s Information Architecture conference, takes place at the Stamford Plaza in Double Bay.

In October SANS is in town again, with some great security training opportunities.

And end of November, the weekend of 29/30, the RuxCon conference is back on in Sydney (UTS), while at the same time in Lilyfield’s The Red Box we have WordCamp on, a WordPress conference. Choices, choices, choices.

Good times!

Reality Mining

Monday, August 18th, 2008

Technology Review has a special report on 10 emerging technologies for 2008. One is Offline Web Applications, which I’m not going to talk about, it’s kind of obvious (Air, Gears, etc). Others are very “out there” (“Connectomics”, “NanoRadio”, “Probabilistic Chips” anyone…?). Another one though is pretty real: “Reality Mining”.

So what are they talking about? MIT Media Lab:

Reality Mining defines the collection of machine-sensed environmental data pertaining to human social behaviour. Reality Mining measures information access and use in different contexts, recognizes social patterns in daily user activity, infers relationships, identifies socially significant locations, and models organizational rhythms.

It is emerging in a sense that it is only now that recent advances in mobile technology put the tools in people’s hands to actually aggregate large, realistic datasets of measurable information. In the last 6 to 12 months new mobile phone handsets are being combined with Wifi and GPS. The boundary between mobile phone (a phone to make, you know, phone calls and send text messages) and smart phone (a mobile phone with additional business related applications like email, office documents, multimedia) is blurring fast, and mobile data is getting faster and more affordable. But Reality Mining as an academic experiment at MIT has been happening for more than 5 years already (using Bluetooth) and they have collected over 350,000 hours (~40 years) of continuous data on human behaviour (100 subjects at MIT – Sensing complex social systems – pdf).

Only recently several other Reality Mining experiments came to light, like Cityware’s Digital Footprint in the UK and bluetoothtracking.org in the Netherlands. The goal of Cityware is “to develop theory, principles, tools and techniques for the design, implementation and evaluation of city-scale pervasive systems as integral facets of the urban landscape.” But in both projects participants are actually unaware that they are participating, in fact they are covertly being tracked without their consent in a technology experiment using Bluetooth scanners installed at secret locations in offices, campuses, streets and pubs to pinpoint people’s whereabouts. And they have been doing so for 3 years.

More than 1,000 scanners across the world at any time detect passing Bluetooth signals and send the data to Cityware’s central database. Those with access to the database admit they do not know precisely how many scanners have been created, but there are known to be scanners in San Diego, Hong Kong, Australia, Singapore, Toronto and Berlin.

Although anonymous, most Bluetooth devices are given a personal name (Tom’s Blackberry), and the Bluetooth scanners can even pick up full names, email addresses, and address books from poorly configured devices.

Closer to our hearts (as it were), Yahoo! is experimenting with its MyBlogLog service:

“MyBlogLog allows users to bind their Bluetooth address to their MyBlogLog account and discover others nearby and find out if they have any shared interests. Meetspace [meat-space?] keeps track of time spent with others so they have a running log of people to meet and things to talk about.”

MyBlogLog uses a mobile Java applet to tie your Bluetooth device to your MyBlogLog account, then polls for new activity every two minutes. There are plenty of other services out there doing the same (Google Dodgeball).

But back to today’s future… and the iPhone. The iPhone for example offers assisted GPS, which means you don’t even need a GPS signal for location aware services: cell-tower triangulation can be used, as well as Wifi AP triangulation (which by the way also works nicely on the iPod touch), as long as there are known access points around (known to Skyhook that is). And we happily use those services together with our social network apps. There are already countless social, location-aware apps available on the Apple App store like Exposure and Twinkle, and if our favourite social app doesn’t have an iPhone native app, we’ll happily connect to Brightkite or another Yahoo! Fire Eagle enabled service and tell everyone (or only friends and family) where we are and what we do, and who we do it with…

Where previously thousands of Bluetooth enabled devices were being scanned and tracked (unknowingly and unwillingly) by ten scanners spread around Bath, UK, now, at the same locations around Bath, or for that matter around the country, hundreds of thousands of users would be broadcasting their doings and location, and do so voluntarily. Though we might not know what is happening with that information. While we try to retain control of (and monetize) our Attention data on the web, will we be able to retain control of (and monetize) our Lifestream data?

The mobile phone as a social artefact becomes more and more a personal black box, recording our every move (into the cloud), for later playback. Where we currently see governments worldwide implement retention policies for email, we might see, in a not so distant future, a retention policy on our lifestream. I do hope I’m wrong.

Have a look at this short video interview (4 min) on Reality Mining, with Alex (Sandy) Pentland, director of the Human Dynamics Group at MIT.

BTW, I love my iPhone, and I love location aware applications, but I always have Bluetooth disabled on my phone.

Apple iPhone Down Under

Wednesday, October 3rd, 2007

I had to have one. I was just waiting for the UK introduction to see if a new model (with 3G) was being introduced. But it was the same Edge-based model.

So I went looking on eBay, and there’s lots of them. You can get them fully unlocked ready to go. But part of the fun is going through the ‘hacking’ process, so I went for an original one. I went for a Buy Now at 650 AUD + 50 AUD shipping. At the current 399 USD price though that would have been about 450 AUD, so the seller did make a decent profit from it. Some auctions went for 580 AUD, others up to 800. There were even some on offer for 1200 AUD (unlocked and locked ones). In the end it did take more than three weeks to end up in my hands though. In the meantime the iPod touch was released, and I got me a 16GB one while waiting for the iPhone, just to play around with the navigation and Safari.

I only bought a new phone a couple of months ago, a Windows Mobile based Dopod D810. Lately I mainly used it as a mobile modem, while we were switching between two ISPs, during which we didn’t have internet access. I have a 500 MB plan on Three for 20 AUD, and that went just fine. I connect it to my MacBook Pro through Bluetooth and share the internet connection. And I also love its GPS functionality.

But on to some iPhone hacking. There’s a lot to read up on about ‘jailbreaking’ and unlocking the iPhone. As you know, the iPhone is locked to an AT&T sim card, and you can’t add any 3rd party apps to the iPhone either. First you need to activate it, without going through the AT&T process. Next you need to jailbreak it, opening it up to third party apps, because this then allows you to add an unlocking application to the iPhone. I won’t repeat the steps here, I’ll point you to the right sources. I don’t take any responsibility when things go wrong!

One thing to look out for: your firmware version. Make sure you use the right procedure for your firmware. I’ll explain. I tried to unlock my phone with a 1.0.2 procedure while it was still on a 1.0 firmware. I spent 3 hours looking for a solution. It was only the next day that a bright light shone, and I upgraded the iPhone to the 1.0.2 firmware version, and from then on it was only 20 minutes to get it fully working. Well, up to the point of making calls and texting. Remember, I’m in Australia. I am originally on the Three network.

Let me tell you right away, it doesn’t work on Three. I read about it on eBay, but didn’t want to believe that. But I got a No Service. So I first bought a Vodafone prepaid sim, 2 AUD for the sim card + 20 AUD calling value (-10%, so 20 AUD in total) because I thought that would be the cheapest. The Vodafone sim allowed me to make and receive calls and texts. So I was halfway.

A week later though I bought a Telstra sim, the main national operator. I knew they were the only ones with Edge here in Australia. The Dopod on Three would roam on it whenever outside of the Three network (quite often outside of Sydney). So while in Melbourne I went to a Telstra store. I tried to explain to them that I wanted a prepaid sim card with a data plan. I had already gone through their brochure so I could point out what I wanted. I told them I wanted Edge access. Hmmm, unfortunately the sales people aren’t too well informed on the more technical aspects of their network. They only knew about ’3G’. “Is it a 3G phone?” Well, it’s an iPhone. “Oh, that won’t work.” I just told him to give me a prepaid card with a 20 AUD calling value, and that I would figure it out myself. But he looked to be intrigued. It was the first iPhone he got in his hands, so he wanted me to try it right away. He even activated the data plan on it for me too. Unfortunately he didn’t know what settings to change to get on Telstra’s Edge network (it was still set to Cingular/AT&T). Their phones are preset to connect to their network anyway. So, right there, in the shop, it didn’t work. In the evening, back at the hotel, using my Dopod D810 as mobile modem, I googled around a bit and I found the necessary settings for Telstra. Mind you, it is the 2G/WAP setting you need to use, the 3G settings don’t work. But in the end, yes, it all works, weather, browsing, email,… right here down under.

Dopod D810 on Three X-Series

Friday, April 6th, 2007

People have been talking about mobile internet (access to the internet on the go) for a long time. Access is too slow and too expensive, devices are too slow, screens are too small, WAP sucked… But change is coming, finally, in the form of faster 3.5G/4G access, reasonable data plans, and developers getting the standards ‘thing’, making more sites more easily mobile accessible.

So when Three released the X-Series service in the UK end of 2006, I was anxious to see if they would introduce it in Australia too. Because that would tickle my fancy…

I only bought a SE K750i about a year ago. It had a 2M camera, a radio, played mp3s and mp3 ringtones, all in all, a nice phone. But I was lacking some ‘power’: picture quality was disappointing most of the time, radio reception not too good, a proprietary headphones connection, limited internet access (improved using the fab Opera Mini)…

If I was to have a new phone, it would need to have GPS, and preferably WiFi. It didn’t need to have a camera, as it remains hard to get decent pics from a phone camera anyway (it needs a good lens, processor, some zoom). It didn’t need to have a radio either (as radio isn’t that good down here). I was looking at the Mio A701, which had been around for a while but was still costing a lot of money; it’s old school technology (except the GPS chip, which is the best), no 3G, no WiFi, but it is a good GPS device in itself.

Then Three Australia introduced the X-Series plan at the end of March 2007, with a couple of ‘compatible’ phones: two Nokias, an LG and this Dopod (which at its heart is a HTC Trinity). The plan includes Skype, Google, eBay, MSN Messenger, Yahoo! Messenger, Orb, mobile mail and mobile internet. For 20 AUD (16 USD) you get 500 MB, 1000 Skype-to-Skype minutes, unlimited IM, eBay access, some video channels. For 40 AUD (32 USD) you get 2 GB/4000 minutes. All this over a 3.5G network (HSDPA). In a world where mobile operators charge you 70 AUD for 10 MB on GPRS, this is a great deal!
© 1997-2010 Jean-Jacques Halans - Less is more | All content CC