Wow — in Nebraska, gas stations are allowed to put any gas price on their signs they want so long as at least one pump at the station is set to that price, even if all the other pumps are set to much higher prices. Of course, most people see the prices on the sign, pull in, and don’t know that they need to check their specific pump’s price, and then find that they just paid a few Hamiltons more than they thought they were going to… what a scam.

Shannon and I have seen the TV ad for LifeLock a few times this weekend; it’s the piece where CEO Todd Davis shows his Social Security number all over the place, and then reveals that the only reason he’s comfortable doing so is because of his ultimate faith in his company’s ability to prevent its customers’ identities from being stolen. Of course, the ad made me curious enough to see whether his gambit has paid off — and unsurprisingly, it looks like someone succeeded in impersonating Davis and getting an online loan. Better still, Davis then coerced a confession out of the alleged identity thief, so Fort Worth police had to drop all charges against the guy and the district attorneys aren’t going to pursue prosecution. And the icing on the cake is that LifeLock’s co-founder, Robert Maynard, Jr., seems to be an identity thief himself, and was forced to resign his role at the company amid the allegations.

You can’t make this stuff up.

For those of you out there who are just starting to wade into the high-definition TV waters, it doesn’t take long to find out that the recommended method of connecting some component or another of yours to your TV is via an HDMI cable. (It’s a single, moderately-thin, simple-to-connect cable that carries both audio and video in a pure digital format.) Let this be a warning to you: when you go shopping for a cable, be very wary of the amount you’re being asked to pay — many retailers look to be charging 300-plus percent markups on the cables, for no reason other than to increase profit margins. Rather than fall for that scam, hop online and grab a cable for under $20… your wallet will thank you.

(One important bit of info to know about HDMI is that the data transmitted by the cable truly is digital — it’s ones and zeros. And that means that digital cables either work or they don’t, unlike analog cables like the other video and audio cables we’re all used to which can degrade the signals they carry if they’re of poor-enough quality. So if a $20 cable works, it’s the exact same as a $100 cable which works… except $80 cheaper.)

Dear Yahoo:

As requested, this week I decided to merge my Flickr old-skool login with my Yahoo account. The process was painless and trivial to do, as advertised, and despite the massive how-dare-you-make-us-merge freakout that’s been flowing across the web, no part of my soul died in the process.

Once I was back in the folds of my Yahoo account, I decided to check my email and found that my account had been deactivated due to disuse. (This is not too surprising, seeing as how that account became a spam vacuum within moments of me opening it however long ago I did so.) What was odd to me was the way in which you offered me the various reactivation options — you did so without warning me in any way, shape, or form that one of the options costs money, and you provided me with no links to pages which might help me discover this fact. In many ways, this felt purposeful, as if you might want people to be lacking this bit of information while making what otherwise would be an obvious choice.

Yahoo's deceptive reactivation options

(Wily as I am, I managed to defeat your Jedi mind tricks by opening another browser tab and using Google to search for the truth before making my choice. And yes, the use of Google rather than your own search engine was purposeful; after all, I figured that not providing the information right there in the context of asking me to make the choice was a clear indication that Yahoo might not have the information to begin with, and thus it was unlikely to show up in your own search engine.) And therein I learned that opting for the first of the two choices would cost me 20 smackeroos, a fact that definitely shifted the balance a bit.

So I guess my point in all this is: while I was certainly glad to give you all the benefit of the doubt on the whole Flickr account merge issue, it didn’t help when you betrayed that trust by trying to trick me into a premium email service by withholding information at the precise moment I would need it in order to make an informed choice. You were this close to having a customer who was solidly baffled by the group of folks who question their ability to trust Yahoo with their Flickr accounts; instead, you managed to make me question whether it’s reasonable to trust you as a company. If you notice me keeping you at arm’s length for the next little while, even as you release cool new services I’m sure I’d love to play with, I hope you understand…


Wow — any respect or relationship I had with Brian Ball and the macZOT enterprise just flew out the window. The basics of the story, for those who don’t have the time or energy to click through, are that Brian signed a contract to buy the application xPad from Garrett Murray for a hair over $5,500, and one month into the ten months of scheduled payments, stopped replying to invoices or emails and eventually proclaimed that it was overvalued and that he couldn’t justify continuing to meet his payment obligations. What an incredibly dirty way to do business; I figure now’s as good a time as any to cancel my macZOT account.

Shannon and I are in London for the holidays, so in an effort to clear off some of the tabs in my browser, here are some of the things I’ve been hoarding in my bookmarks.

  • The guy behind did an amazing job over the past month figuring out the sham behind Noka chocolates, and published a ten-part series reporting his results. It’s an amazing bit of investigation, really.
  • Security expert Bruce Schneier finally weighed in on the Automated Targeting System, the U.S. government system that assigns each of us a score which pretends to predict the terror threat we pose. Unsurprisingly, he finds it a waste of money, time, and effort.
  • For those of you considering buying a .Mac account, you might want to read John Siracusa’s rant — it’s written from the perspective of a developer thinking about implementing some of the synchronization features of .Mac, but he also goes into some detail about his disappointment with the service.
  • Anil’s obit of James Brown is a must-read. So go read it.

Waiting for a flight Thursday evening, I opened up my Powerbook to see if the Gods of Wireless Networking had yet talked some sense into the folks who run Washington’s National Airport. Alas, there weren’t any legit wifi signals available — I specify “legit”, though, because there were quite a few ad-hoc networks set up that looked to be trying to phish and scam their way into information from unsuspecting or naive flyers.

Lookie there at all those scammers!

If you look at that list, what you’ll notice is that all of those networks are running in “ad-hoc” (or peer-to-peer) mode, which almost certainly means that rather than them being bona-fide wireless access points serving up connections to the internet, someone’s computer is advertising its own wireless network as available for sharing, and that person is trying to get you to connect to it. That network named “tmobile” is very unlikely to be run by T-Mobile; that network named “Starbucks” is similarly illegitimate. Instead of T-Mobile providing access to the internet, some schmuck is probably trying to entice you to connect your laptop to his, which means that he can then listen in on all your network traffic (sniffing passwords and other data) with relative ease.

Almost without exception, all trustworthy wireless access points run in what’s called “infrastructure” mode. The list of networks in that screenshot is generated by an awesome Mac app named iStumbler, but the built-in networking stuff in any Windows or Mac computer similarly makes a distinction between ad-hoc and infrastructure networks — the Mac separates ad-hoc networks into their own list (“Computer-to-Computer networks”), and if I remember correctly, Windows shows ad-hoc networks with different icons than infrastructure ones. So if you find yourself looking to use wireless access in an airport, make sure you know how to tell the difference between reasonably legitimate networks and scammers; your credit cards, bank accounts, personal files, and email systems will thank you!
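The ad-hoc versus infrastructure distinction described above is carried in every beacon a network sends, so it can be checked mechanically. The following is an added example, not part of the original post: it reads scan text modelled on the output of Linux `iw dev <iface> scan` (the sample scan, the BSSIDs and the brand list are constructed) and lists ad-hoc networks, noting which ones borrow a name an access point would normally use.

```python
import re

# Capability Information bits from the 802.11 beacon:
# bit 0 = ESS (infrastructure access point), bit 1 = IBSS (ad-hoc).
CAP_ESS = 0x0001
CAP_IBSS = 0x0002

# Constructed sample scan; indentation is stripped before parsing.
SAMPLE_SCAN = """\
BSS 02:1a:2b:3c:4d:5e(on wlan0)
    freq: 2437
    capability: IBSS (0x0002)
    SSID: tmobile
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2412
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: HomeOffice
BSS 06:aa:bb:cc:dd:ee(on wlan0)
    freq: 2462
    capability: IBSS Privacy (0x0012)
    SSID: Starbucks
BSS 02:de:ad:be:ef:01(on wlan0)
    freq: 2462
    capability: IBSS (0x0002)
    SSID:
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.IGNORECASE)
CAP_RE = re.compile(r"^capability:.*\(0x([0-9a-f]+)\)\s*$", re.IGNORECASE)


def parse_scan(text):
    """Return one dict per network: bssid, ssid and raw capability bits."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = BSS_RE.match(line)
        if m:
            current = {"bssid": m.group(1).lower(), "ssid": "", "cap": 0}
            networks.append(current)
            continue
        if current is None:
            continue
        m = CAP_RE.match(line)
        if m:
            current["cap"] = int(m.group(1), 16)
        elif line.startswith("SSID:"):
            current["ssid"] = line[len("SSID:"):].strip()
    return networks


def mode(cap):
    """Translate capability bits into the mode names used in the post."""
    if cap & CAP_IBSS:
        return "ad-hoc"
    if cap & CAP_ESS:
        return "infrastructure"
    return "unknown"


def flag_adhoc(networks, brand_names):
    """List (ssid, imitated_brand_or_None) for every ad-hoc network.

    Infrastructure mode is only a first filter: it says what kind of
    device is advertising the network, not who operates it.
    """
    flagged = []
    for net in networks:
        if mode(net["cap"]) != "ad-hoc":
            continue
        squashed = re.sub(r"[^a-z0-9]", "", net["ssid"].lower())
        brand = next((b for b in brand_names if b in squashed), None)
        flagged.append((net["ssid"], brand))
    return flagged


if __name__ == "__main__":
    for ssid, brand in flag_adhoc(parse_scan(SAMPLE_SCAN), ("tmobile", "starbucks")):
        note = f"imitates '{brand}'" if brand else "no known brand"
        print(f"ad-hoc network {ssid!r}: {note}")
```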

Today, Shannon and I got a bill from RCN for cable and phone service — which struck me as odd, being that our account with RCN was for the services we received in Brookline, Massachusetts, and we cancelled that account as of June 30th. In investigating why we got the bill, I learned that RCN has “a backlog of discontinuation requests,” and as a result, a tech isn’t even scheduled to turn off our services until this coming weekend — more than five weeks after the date we cancelled them and moved out of the house. And RCN’s practice is to continue billing for services until they’re actually turned off, even though they know that you don’t still live there, and that you aren’t receiving the benefits of the services. (Hell, they’re billing us for phone service — local, regional, and long-distance service, call waiting, and caller ID — even though our old phone number is now answered with a forwarding announcement.) Better still, RCN owes us a balance, but says that their policy is to pay that balance only after the service is actually disconnected, even if the delay in disconnection is their fault, and even then “within one to two billing cycles.” And if I want to question this policy, I have to speak to someone in the billing department, coincidentally the only part of RCN that maintains 9-to-5 hours and thus wasn’t there when I got home after work and got the bill.

It’s amazing to me how most service providers these days don’t try to maintain even the thinnest veneer of being ethical or reasonable in their business practices. I’m not much of a conspiracy theorist, but there’s little doubt in my mind that problems like this aren’t unforeseen consequences of tangentially-related business decisions, but rather are conscious choices made with the explicit knowledge that a certain percentage of customers will continue to pay the illegitimate bills (either mistakenly or as a result of not having the energy or time to fight them). In this instance, I’m fortunate (or RCN is unfortunate) that Brookline has an ombudsman who’s specifically tasked with monitoring the city’s contracts with cable companies and solving the problems experienced by residents. I guess I’ll be wasting a bit more time on this tomorrow…

Hmmmm — I wonder how many of these credit card holders are going to call their card issuers to find out whether their accounts have been compromised. “Hi, I’ve made a bunch of online porn purchases over the past few years, but I just heard that the company which billed me went and released information about millions of credit cards onto the internet… am I affected?”

Does anyone remember ChoicePoint, the data warehousing company that gave criminals access to the personal data of over 150,000 U.S. consumers back in 2004? When the story broke about a year ago, I made note of how ChoicePoint itself actually had been part and parcel of the problem, and lamented the way in which the media was portraying ChoicePoint as a victim rather than as a participant in the destruction of privacy. In light of that, I’m superbly happy to see that the Federal Trade Commission agreed with me today, fining ChoicePoint $10 million and noting that the firm had failed to tighten its internal security despite specific federal warnings going back as far as 2001. The firm also has to pay $5 million into a consumer redress fund, establish comprehensive information security programs, and submit to biennial security audits through the year 2026. (Of course, ChoicePoint netted $147 million in 2004, so part of me would have loved to see even steeper fines; that would have been as clear a message as possible that putting American consumers’ personal data at risk is a corporate practice that will effectively lead to the end of your corporation.)

I’m heartened to see that yesterday’s elections swept eight anti-evolution candidates off of the Dover Area School Board, the board in Dover, Pennsylvania that mandated the inclusion of “intelligent design” (read: creationism) in the biology curriculum. That school board is made up of nine members, and eight of the seats were up for election yesterday; all eight were contested by candidates on each side of the evolution debate, with the eight evolution advocates (and election victors) banded together into a group named Dover C.A.R.E.S.. (Interestingly, Dover is in York County, a county that threw 64% of its votes to George Bush in the 2004 election.) As a scientist, it makes me happy to see that the Dover voters seem to want to keep religion and politics out of the classroom; as a citizen, it makes me even happier to see that the backlash I hoped for against religious conservatism in government might be taking place, and taking place at the more local, grassroots level.

In the past, I’ve been a reasonably strong defender of Paypal, a company that a not-insignificant number of people hate (with the fury of a thousand suns) for having what they claim are capricious policies and an impenetrable bureaucracy. (Most recently, I participated in a thread on MetaTalk, the discussion board for MetaFilter, defending Paypal’s general policies and behavior.) I have to say, though, that the experience that the folks over at Something Awful have had with Paypal over the past 24 hours has completely swung me to the other side of the fence. (Unfortunately, the main Something Awful servers are located in New Orleans, and thus are out of commission; the story has unfolded on the temporary server, and you can read the posts as information trickled in.)

As I understand it, the story is this: Rich Kyanka, the guy who runs Something Awful, set up a donation fund via Paypal to collect money for the Red Cross hurricane relief efforts. In under seven hours, he had collected over $3,000 an hour — nearly $20,000 total — and was nearly speechless in his admiration for the members of the site that had given so selflessly. Soon thereafter, though, Paypal shut down the account, claiming that they had received “more than one report of suspicious behavior” from his “buyers.” He was shunted into an automated dispute resolution process that demanded he provide some sort of “proof of delivery” for all the donation transactions; hilariously, Paypal’s web app won’t let a recipient of money proceed with the dispute resolution until he or she chooses one of the people who reported suspicious behavior from a pull-down and then upload tracking information, but the app didn’t list a single person as having made a complaint, so Rich wasn’t even able to proceed with the resolution request. (And the whole time, the $20K was sitting in Paypal’s accounts, not available either to Rich, the Red Cross, or the original donors.)

Rich had a hard time getting an actual human on the phone, and when he did, the woman wasn’t able to explain anything about why he had actually been shut down. (Looking over Paypal’s Acceptable Use Policy, neither can I.) She told him he’d have to send a fax to Paypal with all sorts of personal info (driver’s license, bank statement, credit card statement); after doing some sort of review of that information, they still refused to release his account. It wasn’t for many more hours that he finally received information from Paypal explaining that the only resolution they would agree to was a refund of all the donor’s money to each individual person. Stunning — Paypal’s seemingly-random jackassery means that $20K of money that could and should be going to the relief effort is now being returned.

Yep, I’m at the point where I can admit that perhaps Paypal does suck.

Since I’ve been gone for so long (almost a week!), a few quickies to get ‘em out of the ever-accumulating to-do bookmark list:

  • My parents gave Shannon and me our wedding present early — a Canon EOS 350D (also known as the Digital Rebel XT, reviewed here at Rob Galbraith’s awesome Digital Photography Review) — and this thing is just amazing. I’ve played quite a bit with digital SLRs, and this is the best of the prosumer ones I’ve used; the images (even the compressed JPEGs) are bright and crisp, it autofocuses fast even in low light, the shooting modes run the gamut from letting the camera handle everything to manually controlling every last detail, and between the in-camera memory buffer and the CompactFlash write speed, I haven’t yet found myself in a position where the camera prevents me from shooting in order to catch up. Shannon and I had a blast with it during the Fourth of July weekend, and I’ve started tagging all the Flickr photos I’ve shot using the new toy. Fun fun!
  • I’m with Jason Kottke on this one — Microsoft’s page explaining leetspeak to parents has to be a joke, or at least the result of a bet made by some Microsoft employee about whether or not he could get the article online without anyone noticing.
  • I totally dig these “Charles Darwin has a posse” stickers — they’re cool as hell, and come in a handy PDF version as well!
  • After more than a month of inundation with news about another missing American white girl, I’m pretty much on board with the sentiment behind this op-ed over at Kuro5hin. Arianna Huffington also puts it pretty well, and provides some pretty depressing observations on the media coverage of the Aruban Abomination.

Warning: the following text contains the spoiler to tonight’s Dancing with the Stars grand finale! Highlight the text if you’re OK reading it…

I’m embarrassed to admit that the first reality competition show I’ve gotten into is Dancing with the Stars — but I have to admit it to be able to then say that this is the most rigged piece of crap I could possibly imagine putting on television. I mean, nevermind that Kelly Monaco — who is pretty much a stripper out there — actually got to the finals, but then she got three tens (the only tens given in the entire competition) for her dance in which there were at least two obvious mistakes?!? And then they win it all?!?!? Total, complete horseshit, I tell ya’; they got their asses handed to them out there every night, and the finals were no different. But I guess the 50% of the votes that came from the viewers saw her breasts rather than her dancing. I guess that’s what I get for tuning into reality shows!

Oh, great — there’s word on the IP mailing list that there’s now an eBay phishing scam that actually uses redirecting links which originate on eBay’s own servers, making it that much harder for lay people to know that they’re being taken for a ride.

To explain a little bit more: various web services have occasionally made use of scripts that redirect users to other locations. That is to say, the user visits a URL on website A, and a script running at that URL on website A does some bit of processing and then sends the user on to website B. They do this for any number of reasons; Yahoo does it to gather statistics on how many people use the entries in their directories, Movable Type does it to try to prevent comment spammers from gaining too much worth in search engine listings, and Google does it for a bit of both reasons. (You can hover over those three “does it” links to see that they all originate on the servers of the respective web services; you can click on them to see that they all take you back to this website.) Unfortunately, the nefarious elements of the web — spammers, multilevel marketers, and outright thieves — have taken advantage of these redirection services to try to make their scams look more legitimate; they bank on the fact that more people are likely to click on a link than an link. Some of the redirection services are designed so that it’s nearly impossible to take advantage of them in this manner (i.e., Movable Type); others are designed completely open, and any user can change the URL to change the site that sits as the final destination of the redirection. It’s the latter group that are open to exploitation by thieves and miscreants, and that have been a source of much consternation to IT security people for the past few years.

Well, we learned today that it turns out eBay is running its own open redirector, which means that those emails you get saying that you urgently need to go and “correct” your eBay password and billing information might have links with actual addresses in them. This is obviously a cause for concern, and a sound reason to remember the advice that until the world figures out a good solution to problems just like this, it’s best to avoid clicking on any email links claiming to be from businesses that need to help you verify your account status, payment options, or any other financial information.
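The difference between a "completely open" redirector and the designs that are hard to abuse comes down to who chooses the destination. The following is an added example, not code from the original post or from any of the services named in it: it puts the open handler beside two closed designs (lookup by id, and a host allowlist) and adds a reader-side check for links that name a different host in their query string. All hosts, paths and parameter names are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed values for illustration only.
TRUSTED = "https://auction.example/redirect"
LINK_TABLE = {"1001": "https://help.auction.example/billing"}  # id -> destination
ALLOWED_HOSTS = {"auction.example", "help.auction.example"}


def _param(request_url, name):
    """First value of a query parameter, or None when it is absent."""
    values = parse_qs(urlsplit(request_url).query).get(name)
    return values[0] if values else None


def open_redirect(request_url):
    """Weak design: the caller-supplied ?url= value is the destination."""
    return _param(request_url, "url")


def redirect_by_id(request_url, table=LINK_TABLE):
    """Closed design: the link holds an id; the site looks up the destination."""
    return table.get(_param(request_url, "id") or "")  # None -> no redirect


def redirect_allowlisted(request_url, allowed=ALLOWED_HOSTS):
    """Closed design: ?url= is honoured only for http(s) URLs on known hosts."""
    target = _param(request_url, "url") or ""
    # Backslashes, spaces and control characters are read differently by
    # browsers and by urlsplit, so refuse them outright.
    if "\\" in target or any(ord(c) <= 0x20 for c in target):
        return None
    try:
        parts = urlsplit(target)
    except ValueError:          # malformed bracketed host
        return None
    if parts.scheme not in ("http", "https"):
        return None             # rejects //host, javascript:, relative paths
    if parts.username is not None or parts.password is not None:
        return None             # rejects https://auction.example@other.example/
    host = (parts.hostname or "").lower()
    return target if host in allowed else None


def offsite_destinations(link):
    """Reader-side check: hosts named inside a link's query string that
    differ from the host the link appears to point at."""
    outer = urlsplit(link)
    outer_host = (outer.hostname or "").lower()
    found = []
    for values in parse_qs(outer.query).values():
        for value in values:
            try:
                inner = urlsplit(value)
            except ValueError:
                continue
            inner_host = (inner.hostname or "").lower()
            if inner.scheme in ("http", "https") and inner_host and inner_host != outer_host:
                found.append(inner_host)
    return found


if __name__ == "__main__":
    link = TRUSTED + "?url=https%3A%2F%2Funrelated.example%2Fsignin"
    print("open handler sends the visitor to:", open_redirect(link))
    print("allowlisted handler sends the visitor to:", redirect_allowlisted(link))
    print("hosts hidden in the link:", offsite_destinations(link))
```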

I’m so freaking sick of today’s headlines claiming that “hackers” somehow broke into ChoicePoint’s (obscenely comprehensive) consumer databases and obtained information which allowed them to then steal people’s identities. This is a story that’s been discussed on Dave Farber’s Interesting People mailing list since yesterday, and the truth of the matter — reported correctly only by MSNBC thus far — is that a group of criminals managed to create fake businesses and then set up entirely valid accounts with ChoicePoint in the name of those businesses, and then obtained the information about consumers via those accounts.

Notice the difference? If it’s reported that nefarious hackers broke into ChoicePoint and stole the data, then ChoicePoint comes out looking like a victim. On the other hand, if it’s reported that the failure was in ChoicePoint’s internal mechanisms for verifying the validity of an account application, the existence of the company behind that application, and the right of that company to obtain credit information, then ChoicePoint is revealed as a remarkably large part of the problem. Add to that the fact that ChoicePoint is only notifying consumers in the one state that requires them to (hell, there isn’t even a note about it on the company’s news release page), and doing so four months after they sold consumer data to criminals, and the story truly does take on a different character.

In trying to explain the vagaries of how electronic payment transfers work, the banking industry has just made me want to vomit.

This might be the best thing I’ve ever seen: a company named Americas & Americas Inc. runs an online store for synthetic silicone bracelets, and has so many bracelets “supporting” different causes that it needs a color definition chart. According to the chart, the color burgundy signifies awareness of cesarian sections, headaches, hospice care, or multiple myeloma, whereas the color yellow signifies awareness of Amber alerts, bladder cancer, endometriosis, equality, liver disease, missing children, spina bifida, or suicide. (Amber alert? Aside from the fact that it’s hard to imagine a bracelet that one might pull out of the drawer only when authorities declare an Amber alert, wouldn’t the logical color choice for that one be… amber?) And does it get any better than the half-black, half-white “God Bless The Dead” bracelet?

Given how quickly the trend has taken off, I guess it was just a matter of time before counterfeit Lance Armstrong LIVESTRONG bracelets appeared on the scene. There are plenty of other eBay cheats hawking the fake bracelets; once those are all shut down, I’m sure about fifteen dozen others will spring right back up. There have even been a few news articles on the fakes, complete with local investigative journalism angles. You can be sure that not one cent of the money people spend on these goes anywhere but into the manufacturers’ pockets, which is the real shame.

If you’re not put off by the trendiness of it all, want a bracelet, and want to make sure that your money helps fund the cancer research foundation that started it all, remember that there are only three legitimate places to get them: the Lance Armstrong Foundation store and Nike sell the adult- and child-sized ones, and the Build-A-Bear Workshop sells the teddy bear-sized ones (that also conveniently fit toddlers!).

It makes me a little sad that today, I received what could rationally be called the Redneck Primer as an email forward from my very own grandmother. It’s a tract that claims to be an editorial “written by an American citizen, published in a Tampa newspaper,” and goes on to spout beliefs that immigrants should pipe down, speak English, and stop adhering to any cultural norms but those cultivated right here in America. (I guess that means that immigrants should all eat a lot, give up exercise for television, and rip their way through marriages and divorces like it’s going out of style? It’s a little hard to parse this.)

The vagueness of the statement of origin on the essay made me curious, though, so I put in a little bit of search engine time. Doing a Google search for some key words and phrases brought up 38 unique (and 842 total) hits; out of these, most were authored on dates evenly scattered between January of 2003 and the present. I then found one reference which was posted on September 11, 2002 as an email forward, and it stands as the only reference from 2002 (on the Web or Usenet). This made me wonder why the piece seemed to go on a hiatus for the remainder of 2002, and finding that hard to believe, I changed my search string around a little bit. This led to finding another version of the screed with earlier heritage (July 24, 2002); this version didn’t list Portuguese in the group of languages which somehow offended the author, and since it was included as a direct quote in my initial Google string, my first pass had been slanted towards its derivative. Eventually, I was able to find the original article, not a Tampa editorial but rather a veteran’s advocacy group magazine piece written by an Air Force veteran, originally published sometime around February 13, 2002, and since removed from the magazine’s website. Sometime between then and the end of 2002, the author’s piece was modified in a few ways — the Tampa newspaper bit was prepended, a swipe was taken at Muslim women, and the aforementioned addition of Portuguese was included — and it became the spam chain email that it is today. (I wonder what the Portuguese did to the person who initiated that change?) And of course, after all that, I finally found the Snopes piece that could have saved me all the work.

In the end, I find it interesting how things like this spread and mutate as they wend their way through the ether. That being said, this specific case is much more sad than it is interesting to me. Trawling through the various places that the essay has landed on the internet was frightening; most are shining examples of the complete and total intolerance that has become a defining feature of certain groups in America, and whenever readers were given the chance to respond to the posting, the typical response was something along the lines of “PREACH IT, MAN! GET OUT OF MY COUNTRY, TOWELHEAD!” Knowing that my own grandmother read the essay and felt a resonance with her own beliefs gave me pause, but in the end, I feel OK knowing that she comes from an entirely different generation that began life with a very different worldview, and that most signs seem to indicate that each generation of younger Americans is more tolerant than the last. And it definitely helps to remember that in less than a year, she’s going to be sitting in the front row of seats watching Shannon and I get married underneath a chuppah and standing amongst a wedding party that includes four people who are Jewish, two people who are Indian, one person who’s half-Chinese, and a gay man!