loose wire blog

Accused of spamming: Prerna Gupta, founder of Yaari.com

Look at a social networking site lie Yaari and you can see where the social networking phenomenon may fail, simply by abusing the trust of its users.

Sites like LinkedIn, Plaxo etc rely on expanding quickly by offering a useful service: trawling your address book to find friends and contacts who use the same service. We’ve gotten used to this, and it’s a great way to build a network quickly if you sign up for a new service.

But any service that uses this needs to stress privacy, and put control in the hands of users. Plaxo learned this a few years back. Spam a user’s contact list without them realising and you invite a firestorm of opprobrium on your head.

But surprisingly some services still do it. And in so doing they risk alienating users from what makes Web 2.0 tick: the easy meshing of networks—your address book, your Facebook buddies, your LinkedIn network—to make online useful.

Take Yaari, a network built by two Stanford grads which has for the past two years abused the basic tenets of privacy in an effort to build scale.

What happens is this.

You’ll receive an email from a contact:

It’s an invitation from a “friend” which

• gives you no way to check out the site without signing up. The only two links (apart from an abuse reporting email address at the bottom) take you to the signup page.
• neither link allows you to check out your “friend”  and his details before you sign up.

If you do go to the sign up page you’ll be asked to give your name and email address:

Below the email address is the reassuring message:

Your email is private and will stay that way.

But scroll down to below the create my account button and you’ll see this:

By registering for Yaari and agreeing to the Terms of Use, you authorize Yaari to send an email notification to all the contacts listed in the address book of the email address you provide during registration. The email will notify your friends that you have registered for Yaari and will encourage them to register for the site. Yaari will never store your email password or login to your email account without your consent. If you do not want Yaari to send an email notification to your email contacts, do not register for Yaari.

In short, by signing up for Yaari you’ve committed yourself, and all the people in your address book, to receiving spam from Yaari that appears to come from your email address. (Here’s the bit from the terms: “Invitation emails will be sent on member's behalf, with the 'from' address set as member's email address.”)

You should also expect to receive further spam from Yaari, according to the terms:

MEMBERS CONSENT TO RECEIVE COMMERCIAL E-MAIL MESSAGES FROM YAARI, AND ACKNOWLEDGE AND AGREE THAT THEIR EMAIL ADDRESSES AND OTHER PERSONAL INFORMATION MAY BE USED BY YAARI FOR THE PURPOSE OF INITIATING COMMERCIAL E-MAIL MESSAGES.

In other words, anyone signing up for Yaari is commiting both themselves and everyone else in their address book to receiving at least one item of spam from the company. Users complain that Yaari doesn’t stop at one email; it bombards address books with follow-up emails continually.

Needless to say, all this is pretty appalling. But what’s more surprising is that Yaari has been doing this for a while. I’ve trawled complaints from as far back as 2006. This despite the company being U.S.-based. I’m surprised the FTC hasn’t taken an interest.

So who’s behind the site? This article lists two U.S.-born Indians, Prerna Gupta and Parag Chordia, and quotes Gupta as saying, back in 2006, that to preserve the integrity of the network access is restricted to the right kind of Indian youth. I’m not young, I’m not Indian, and I’m probably not the right kind, so clearly that goal has been abandoned.

Here are some more details of the two founders.

Gupta, who is 26, is an economics major who graduated in 2005, was working for a venture capital firm in Silicon Valley called Summit Partners until 2005. Her facebook profile is here; her LinkedIn profile is here. According to this website she once won the Ms Asia Oklahoma pageant (her hometown is listed as Shawnee in Oklahoma, although she lives in Atlanta.

Chordia, chief technology officer at Yaari, has a PhD in computer music, and is currently assistant professor at the Georgia Institute of Technology, according to his LinkedIn profile. His facebook profile is here.

There’s a video of them here. An interview with Gupta last year indicates that they’re going hell for leather for size:

We are focused on growing our user base and becoming India’s largest social networking site within the next two years. Our goal for the next year is to become one of India’s Top 10 Internet destinations.

What’s interesting is that nearly every site that mentions Yaari and allows comments contains sometimes angry complaints from users. In that sense Web 2.0 is very effective in getting the word out. Unfortunately if Yaari and its founders continue to commit such egregious abuses of privacy, we can’t be sure many people will trust such websites long enough for the power of networking sites to be properly realised.

(I’ve sought comment from Gupta, which I’ll include in this post when received.)

Fired up by Google's move into the crapware domain by foisting an "updater" on customers who want to install (otherwise great) programs like Google Earth, I took another look at what was happening in the updater sphere.

Apple drew some heat for its own bit of underhandedness recently, when its own Apple Software Updater automatically included downloading the company's Safari browser. After a backlash, it dropped the Safari from the "Updates" section to a "New Software" section, but still prechecked it:

In other words, run the updater and not concentrate, and you'll find yourself downloading 22 MB of browser you didn't ask for, and didn't have before.

So no, I don't think Apple did the right thing here. Apple fans can protest as much as they like, but there's a clear move here to get new software to users to install software they didn't ask for and, if they don't actively intervene, will have it installed by default. Browsers, like media players, are particularly significant because they will try to make themselves the default browser, and users once again need to act against the default process to avoid this.

Needless to say, Apple's bid has been modestly successful, apparently at least doubling its modest market share for Safari. Still miniscule, but a start.

Of course, software is one thing, but it has to be used. For that it has to be visible to the user. No point in hiding the program launch icons somewhere they can't be found. On Windows, there are three places you want to be: the desktop, the system tray, or the start menu. Apple is particularly smart about this, ensuring that all its products sit, not in some side-alley subfolder, but in the 'root' menu:

and

as well as on the desktop:

(though not, interestingly, the Updater.)

Of course, Apple isn't alone. Microsoft has long been doing this, as has Adobe.

Folk argue this is all besides the point, that users retain control over their computer and can remove all this stuff if they want. But to me it's worrying that Apple, Microsoft, Google, Sun, Adobe et al think that this is OK, and, like their defenders, fail to understand that for the vast majority of users, installing software is not an everyday experience, and that these sleights of hand merely cause extra stress, confusion and uncertainty. That can't be good.

Sorry to see that Google is going the sleazy route that Microsoft and Apple have ploughed before, namely trying to hoodwink and browbeat users into installing and automatically updating software they don't want via an installer.

Try to download Google Earth now, for example, and you'll be directed to the Google Updater, which will try to persuade you to install software you didn't ask for. (A great write-up of all this is at the Google Operating System blog.)

On top of the inconvenience and sleaze of all this, I was irritated to find that the Updater doesn't actually work: Not only that, but the help pages don't help, and there's no direct link to the original files so you can download them separately. (Fortunately the blog above does.)

All in all, a sure sign that Google is entering the software business, since it's adopting the same bait-and-switch, install-by-stealth tactics of its Apple and Microsoft competitors. Shame on you, Google.

Singapore appears to be the source of a virus cleverly designed to hoodwink U.S. executives by appearing to be an emailed subpoena which mentions them by name, as well as their title.

The SANS Storm Center said three days ago that

We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information.

One problem, it's total bogus. It's a "click-the-link-for-malware" typical spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It's very highly targeted that way.

The report says that the server that the trojan reports back to is "hard-coded to an ISP in Singapore at this time," from where, according to Ars Technica, it "steals copies of any security certificates installed on the system."

(This, by the way, is calling whaling, since it is like phishing but is more targeted, and going for bigger phish, so to speak.)

The Inquirer says that the web servers delivering the emails are based in China, and, in language too loose to take seriously, "the cyber ruffians who later nefariously take control of the victims’ computers, based in Singapore."

There's no evidence the "cyber ruffians" are based in Singapore, as far as I can work out. The only possible connection could be the English and errors in the emails, which, John Markoff of the NYT reports, "led several researchers to believe that the attackers were not familiar with the United States court system and that the group might be based in a place that used a British variant of English, such as Hong Kong."

That said, just because an ISP may have been compromised doesn't mean that those involved are physically located in Singapore. Indeed, it would seem very unlikely they are; if they're smart enough to launch an attack like this, you'd have to bet against them being anywhere near the 'command and control' center itself.

Still, it's unsettling that an ISP may have been compromised. So far we don't know much more, though I've put in requests for more information. (The source of the information about Singapore appears to have come from someone at Verisign, whose Asian PR address bounces. So don't expect something anytime soon.)

There's quite a commotion online about a program called g-archiver that promises to back up your Gmail account, but in the process apparently harvests all users' Gmail usernames and passwords, and mails them to a separate Gmail account.

This is indeed scary, although it's possible that the person behind it wasn't collecting the passwords for nefarious purposes. But it highlights some important issues that we tend to overlook in this Web 2.0, mashup age:

• Your online email account is more vulnerable than an offline one (by which I mean, storing your old emails online, rather than downloading them to your computer and deleting the online copy.) In this sense, POP is good, IMAP and webmail bad.
• If you give your username and password to third parties, i.e., those who access your account on your behalf, you need to be more rather than less careful than with the original service. For example, services like Plaxo allow you to access your other accounts but will inevitably require you to enter your username and password, which will be stored on their server.

On top of that, it's intriguing to take a look at how legitimate this one program appears, and how little those websites helping in its distribution have vetted it. I found copies at Download.com (owned by CNET), despite a commenter pointing out it steals passwords, Shareware Junkies, BrotherSoft, Softpedia, ZDNet, Download3000, FreedownloadsCenter, the excellently named Safe Install and Filedudes.

Just out of interest, G-Archiver is apparently the work of a company called MateMedia, which registered the website hosting the software. An interview with the company's president, Russ Mate, is here.

A message on the original blog post purporting to be from Mr. Mate says "MateMedia is a legitimate company and we are absolutely horrified that this has occurred", and will be notifying any download sites hosting the software to "remove it immediately."

That clearly hasn't happened yet, but neither has the company removed it from its own website, at the time of writing. (Seeing the software alongside tools like FriendTools, which automates adding friends and comments for MySpace spammers, or TubeAdder, which does the same thing on YouTube, might give a prospective user pause for thought.)

My rules of thumb:

• Never download software without visiting the author's original site, and finding out who produced it. This applies to Facebook apps as well. (In G-Archiver's case, there is no contact page.)
• Think hard before you give your email password to any service, however legitimate. It's not so much about losing your email password but about all the other passwords and personal data that a bad guy could access inside your email account.

As Web 2.0 involves more and more cross-pollination of information, so we need to be smarter about who we give our passwords to, and what information we store behind those passwords, both in email and in social networking accounts.

Courtesy of ABC Australia IT guru Paul Wallbank, the source of my chat with Veronica Sexy may have been discovered: an automated sex talk service called CyberLover.ru. Paul points to this story from Conor Sweeney of Moscow's Reuters bureau:

A Russian website called CyberLover.ru is advertising a software tool that, it says, can simulate flirtatious chatroom exchanges. It boasts that it can chat up as many as 10 women at the same time and persuade them to hand over phone numbers.

The service, on the surface, appears aimed at guys who aren't able to win over girls online any other way: "It's happened - a program to tempt girls over the internet!" Reuters quotes the site as claiming. "Within half an hour the CyberLover program will introduce you to ... girls, exchange photos and perhaps even a contact phone number," it states. Woohoo. 

But is that all it does? Antivirus and software developer PC Tools says it's much more dangerous than that. “As a tool that can be used by hackers to conduct identity fraud, CyberLover demonstrates an unprecedented level of social engineering,” a company press release quotes Sergei Shevchenko, Senior Malware Analyst, as saying. “It employs highly intelligent and customized dialogue to target users of social networking systems.” The goal, Sergei says: to gather personal information about users and also to lure them to websites, possibly to infect them with malware (a generic terms for software that infects their computer which can then be used as what is called a bot to grab data, infect other computers or send spam.) That doesn't sound like the Veronica I know. 

The website itself denies this, according to the Reuters report. "The program can find no more information than the user is prepared to provide," one of the site's employees, who gave his name only as Alexander, said in an emailed reply to Reuters questions. "It maintains a dialogue with a person, but is not engaged in hacking or any other such schemes, I think this should be obvious," he said.

Well, there's hacking, and there's other stuff that comes close to it. The company or individual behind this product appears to be the same as that which runs Botmaster.Net, both of which are registered to one Alexander Ryabchenko. Botmaster sells a $450 piece of software called Xrumer, which spams websites, forums and blogs to build up a website's profile on search engines (it claims to get past CAPTCHA screens, where users are asked to identify letters in images.) Given the name of the website is botmaster you can't help wondering what else it does. 

So was Veronica Sexy an early prototype of of CyberLover? Well, they're both run by Russians, but beyond that it's not clear. I hope to find out more. What is clear, though is that SkyperSex, the website Veronica was trying to lure me to, is an affiliate of Streamray, a sex website that is one of several just bought by Penthouse Media as part of its purchase of Various Inc (for $500 million). It should make for an interesting bit of research. 

Oh, and if you're looking for automated online chat that's a bit more real, check out My CyberTwin.

Russian computer program fakes chatroom flirting - Yahoo! News

Maybe this is commonplace for others, but I've just got my first sex-chat-spam on Skype. It's from someone called Veronica Sexy, whose profile indicates that it's unlikely to be someone I've met and just forgotten about (as if I would):

Just in case you can't read that last bit, it reads:

can't wait to get real nasty and show off :) IM REAL MISS WEB CAM!

Reply to the message and immediately you're asked to share your contact details (a la Skype.) I didn't risk having Veronica spam all my friends (not sure how that would work, but I've got some nice people on my list, and I'd hate for them to be upset.) But I did reply to her message, and her responses were quick, and, dare I say it, felt a trifle automated:

[8:53:55 AM] Veronica sexy says: Hi are U busy?
[9:03:43 AM] Jeremy Wagstaff says: hi
[9:03:50 AM] Veronica sexy says: How are u ?
[9:04:30 AM] Jeremy Wagstaff says: i'm great. who are you?
[9:04:31 AM] Veronica sexy says: I would love to chat with you, come on http://www.SkyperSex.com !!!

[9:04:36 AM] Jeremy Wagstaff says: no thanks
[9:04:37 AM] Veronica sexy says: I would love to chat with you, come on http://www.SkyperSex.com !!!

[9:04:45 AM] Jeremy Wagstaff says: i'm a bit busy. really
[9:04:47 AM] Veronica sexy says: My internet connection  is very bad come on http://www.SkyperSex.com !!!

[9:04:54 AM] Jeremy Wagstaff says: my internet connection is great!

That was the last I head of Veronica, although her scent lingers on.

The web address, by the way, is pretty much what you expect it will be -- lots of alleged clips of ladies cavorting. The administrator of the website is one Alexandrof Tiberiu in Moscow, who also owns www.yourlivecams.com.

I guess what's interesting here is that Skype don't seem to do much policing of this kind of thing. This could be a sex site spam, or it could be something worse.

(If you want to prevent Veronica getting in touch with you, go into Skype options, Privacy settings, and click on the Show Advanced Options button. Make sure the Allow chats from... option is only people in my Contact List:

Chances are Veronica won't come calling. Frankly, your life won't be the poorer for it.

It's somewhat scary that more than 10 employees of a laboratory that works on security issues (including phishing) could fall for a phishing attack. The Oak Ridge National Laboratory, or ORNL, managed for the U.S. Department of Energy by UT-Battelle, works on science and technology involved in energy production and national security. In late October the lab was targeted from Chinese websites, according to eWeek:

All of the phishing e-mails instructed lab employees to open an attachment for more information or to click on an embedded link. ORNL's investigators now believe that about 11 staff fell for the come-ons and opened the attachments or clicked on the links. That was enough for the attackers to install keyloggers or other types of malware that gave attackers access to systems and the ability to extract data.

The interesting thing here is whether this was a "coordinated attack" and a "cyberattack" as has been suggested in the media. The Knoxville News Sentinel, for example, quotes lab director Thom Mason as saying, involved the thieves making "approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven phishing e-mails, all of which at first glance appeared legitimate." Meanwhile this AP article quotes Mason's memo to employees:

The assault appeared "to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions" in the United States, lab director Thom Mason said in a memo to the 4,200 employees at the Department of Energy facility.

The key here may be that the attackers were after personal information, not military secrets. As John C. Sharp writes:

The headlines keep coming about the news that several high-profile military labs - including some of the world's leading nuclear research labs - have been compromised by phishing scams. Unfortunately, many of these headlines are missing the point.

Example: In one story published today, PC World claims that Chinese Hackers "launched" a coordinated "major attack" on two US Military Laboratories.

This is almost certainly *not* what happened. According to most of the published data, this was a phishing attack, plain and simple.

The fact is that China's computers are so insecure that more or less anyone could use them to do more or less anything, from relaying spam to launching phishing attacks. So it's not proof that China, or even Chinese, were involved just because the IP addresses are Chinese.

Of course, we don't know for sure what happened yet. But if the attack was enabled by employees clicking on an email attachment or link that originated from a Chinese server, you've got to question a) the security training at a place like that, and b) wonder what kind of security filters they have on their servers that would allow such emails to get through, especially given the sheer number of emails that were sent.

Sometimes "China" is a great excuse for all sorts of incompetence and inefficiency, and "sophisticated cyber attack" is just another way of saying "sorry, we haven't got a clue about all this Internets stuff."

Oak Ridge Speared in Phishing Attack Against National Labs

Just because something has the word Wiki, community and/or .org in its name, doesn't mean it isn't a scam. I just received an email from someone called Navin Mirania about Wikimmunity which on first glance sounds like a worthy project: a website designed around local community content. But on closer examination it has the word 'spam' written all over it: 

How are you?  My name is Navin from Wikimmunity.org. I recently tried to contact you by phone regarding your blog/web site Endangered Spaces to see if there was any opportunity for us to work together.  Wikimmunity.org, the local community source, is looking for writers to write about local organizations, groups, attractions, people, places, and more.

We pay a modest fee for writing about places and things that you already know about in and around your local area.  Your idea/topic list is unending. Let me know if we can set up a time for us to discuss further. We’d like to help you to generate additional revenue from your blog.  In the mean time, visit  https://www.wikimmunity.org/affiliate/scripts/signup.php to register.  I’ve also included some other links that you might be interested in visiting below. Thanks and I look forward to hearing from
you NAME HERE

Navin calls himself a "Content Distribution Specialist" which is a new one on me. I guess it sounds better than "spammer who forgot to set the autofiller in his distribution list software".

And what of the website itself? Well, it looks and feels like Wikipedia, until you realize there's no information about who's behind it, and until you start reading some of the entries. Which are, it has to be said, unconsciously amusing. Try this one, for example, about Walmart:

walmart has a lot of people's needs at great prices. they have snacks, electronics, drinks, furniture, sports stuff, music, and many more. they have video games and acsessories and many more. If you want the newest things for a great price go to walmart. They have so much sales and and items you know it is goinig to be a good store all around prices. if you wann visit their online store [1]. they are one of the best stores to go to. they have toys, fishing equipment, tires, and even t.v. so for this holiday that is coming up you must go to walmart for their awesome prices

Copy I'm sure Walmart would be proud of. Or this one on Barnes & Noble:

Alot of people should be Familiar with this store. In case you don't know this is a book store. in this store you can get all kinds of books in this place. they have fiction, non-fiction, realistic fiction, and many more. They also have new releases of books all the time. They also have cd's. the music they have is rock, classic rock, country, rap, and others. this is a good store to get both books and music. They also have drum books. They have Jimi Hendrix cd's!!!

Well, blow me down. Jimi Hendrix CDs?

A few weeks back I wrote about love scams ("You Give Love a Bad Name," WSJ.com) -- how scammers are trawling online dating sites looking for suckers. What interested me about the scam is that in some cases the scammers play a very patient game -- luring the mark in over a period of months before any sting is attempted. 

Sophos, the antivirus people, say they have found a new twist on the same scam, where scammers are apparently luring folk by offering a puppy up for adoption:

The emails, which come from a husband and wife who claim to be on a Christian Mission in Africa say that their Yorkshire Terrier dog is not coping well in the hot weather.

Says Graham Cluley, senior technology consultant for Sophos:

"The criminals are offering the pet puppy in an attempt to gather information from kind-hearted people who jump in to help. If you respond the scammers will try and steal confidential information about you, or sting you for cash. If you fall for a trick like this you'll be the one ending up in the doghouse."

Actually this is not quite new and not completely accurate. The LA Times wrote back in May about how the scam works:

People who responded to the ads eventually were asked to send hundreds of dollars to cover expenses such as shipping, customs, taxes and inoculations on an ever-escalating scale.

Some reported paying fees totaling more $1,500.

A piece in the Pittsburgh Post-Gazette last week said the scam had been going across America for a year and points out that a Google search for "Nigerian Puppy Scam" turns up more than 200,000 "hits." (I must confess I found only 16,000.) Bulldogs and Yorkshire Terriers are favorites. The paper was apparently alerted to the scam when ads were found to be running in its own paper. A month earlier the Toronto Star reported that a local woman had parted with $500 for a 11-week old terrier, after responding to an ad on a free local classified site and complying with requests for three payments to ship the dog from Nigeria. (A reporter called up the scammer, who uttered the immortal scammer's words:

"Are you trying to call me a scam? I'm a family man," he said. "I am a man of God. I am a missionary."

For more detail on scams and how to spot them, check out this page on the IPATA website.

Dogs work because we love them, and are suckers for the sob story. What's interesting here -- and why these scams are in some ways more dangerous -- is that the scam does not play upon people's greed at all, but instead upon their charity and sense of decency.

Two conclusions from this:

• These scams are aimed at throwing a wider, and slightly different, net to the old scams. The victims are going to be people who are moral, not greedy.
• Chances are the scammers are aiming at making less money from these scams, but perhaps make up for it in volume. Perhaps the days are over when scammer aimed to make five-figure sums.

Puppy offered for adoption by Nigerian email scammers

It amuses me that banks talk about security but rarely apply it in a consistent enough way to save people like you and me from getting scammed. Take what just happened to me this morning:

My bank rings me up (the number is a private number so doesn't show up on my screen, but that doesn't seem to be unusual anymore; nearly half of the people who call me seem to withhold their number these days. In any case, it's not hard to fake a callerID.)

The woman on the phone tells me there's been a problem with my last phonebanking transaction. Before she can tell me more, she asks me to key in my six-digit phonebanking ID, she says. I'm just about to do so, eager to sort out the problem, when I realize that I've not confirmed that she is who she says she is. So I ask her:

"Sorry, but I need to confirm who you are first."

"Yes, I am Sheila and I work for the phonebanking division."

"Yes, but how do I know you're Sheila from the phonebanking division, and not Sheila from Phishers 'R' Us?"

Clearly Sheila hasn't faced this kind of situation before.

"Er, well, if you key in your phonebanking ID, I can tell you details about your account, and that will confirm it."

"Well, it may do, or else it would tell me you'd already succeeding in hacking into my account and were now just toying with me."

A pause.

"Yes, but the PIN number goes straight into the computer," says Sheila, a bit nonplussed now.

I try to explain that a) I'm not personally accusing her of being a scammer, only that I have no way of confirming whether she is a bank employee or a clever social engineering fraudster because she called me first and b) that technology makes it eminently possible that someone could capture my six digit PIN if I key into my phone. (A simple decoder attached to the phone will grab the DTMF signals (the beeps when you press a key) and figure out what digits they represent. I didn't tell this to Sheila because she was already beginning to sense I was a 'difficult customer.')

In the end I tell Sheila I'm going to call her back, to which she politely agrees. When I later explain to her that the bank should think about plugging the hole in their security fence, she listens politely, thanks me for my feedback, and says:

"One last thing, Mr. Wagstaff. I don't know if you've been told but we're running a promotion at the moment that for every customer you're able to bring in you get a $200 gift voucher for redemption at Takashimaya Department Store."

A bank with its priorities right, it seems.

What amazes me about this is that banks don't seem to have learned from past mistakes. A few months back I wrote about a scam in Hong Kong which uses exactly this tactic. Fraudsters stole wallets and handbags at a sporting event, removing only the ATM and business cards. The victims then got phone calls the next day pretending they're from the bank informing them they've lost their card, and asking them to approve cancellation of the card by keying in their PIN number.  Voila. If Sheila was Sheila the Scammer, someone would be at least half way into my account by now.

I wish banks would be smarter about this. I wish in particular the banks I use would be smarter about this. Scammers are clever, particular about social engineering -- the art of lulling people into a sense of false security. We ordinary people want to please, and we want to help solve a problem, especially if it's connected to us, so we're easy prey for someone at the end of the phone offering both.

The lesson is the same as the one I'm always trying to pass on: Don't give anything to anyone just because they ask you to. Find out first whether they are who they say they are. A realtor asking for a deposit? Show me the documents that prove you are authorized by the landlord. Here to check the meter? Where's your badge? Valet? How do I know you're not just a guy in a red jacket and jaunty hat about to steal my car?

Authenticate, authenticate, authenticate. And if it's someone like a banker, a real estate agent or an official, be hard on them if they seem impatient with your efforts. It's your money, not theirs.

If you've ever visited Disney World, or some other overpriced resorts (last year I visited Warwick Castle and Legoland in the UK, both appallingly people-traps) you'll have done what I did: vow never to come back. Of course, the companies running these places both know that and don't care -- which is why they are ripping you off royally while they can.

Seethu Seetharaman, an associate professor of management at Rice University’s Jesse H. Jones Graduate School of Management, calls it a variety-seeking market and says it doesn't just apply to tourist attractions:

Turns out that the resorts in Orlando are in a market where consumers want variety. Indeed, if a family is in Orlando for a week or more, there is little chance — at least if parents and children want to remain on speaking terms at vacation’s end — that they’ll do the exact same thing day after day. Instead, they’re likely to visit both Universal and Disney World and take in as many different rides and sights as possible; in other words, they’ll seek variety.

Seetharaman says that the same is true of people who are too lazy to shift brands: what he calls consumer inertia:

Using a mathematical model, Seetharaman, along with his research partner Hai Che, an assistant professor of marketing at the University of California at Berkeley, was able to determine that the impact on price in both variety-seeking and inertial markets is similar. “The main point of the paper is that in markets where consumers seek variety, firms have an incentive to rip them off,” he says. “The surprise is that when markets are characterized by the opposite of inertia, the exact same incentive in terms of price competition that characterized inertial markets goes through as well.”

Basically, we'll pay to go to Disney World whatever it costs, especially if we've already gone to Universal Studios or whatever else is within our daily trip radius. To that I'd add a couple more observations:

• it pays to charge at least what rivals in the neighborhood are charging, because if a family has shelled out once, they're likely to shell out again.
• Secondly, customers may well equate price with the quality of experience; there's no point in trying to undercut your rivals because that would imply the experience you're offering is not as valuable as theirs.
• This doesn't seem to stop these kinds of resorts from trying to gain loyalty. There'll always be some families who want to come back each year, so it makes sense to offer them a steep discount.
• The only problem I see with all this is that while you want to have a boisterous, noisy crowd, if the queues are too long you may scare away some visitors from the whole concept. In that sense the companies are not rivals at all, but are partners in trying to lure more and more families into the idea of vacationing at these places. Which, as an afterthought, raises the question: should we be thinking cartels and price fixing?

Seetharaman concludes:

None of this comes as a big surprise to companies involved in a variety-seeking market. “The firms know this. They know this market is characterized by variety, so they know that they are going to eventually get their competitor’s previous customers,” says Seetharaman. “Knowing this they are actually trying to rip them off.”

Rice University | Explore Rice

For those of you who thought the former Thai prime minister Thaksin Shinawatra was living it up in Europe buying soccer teams, you're wrong. He's having serious financial problems and needs your help, according to this email I just received in his name:

Please see what you can do. Of course, there's an off-chance this could be one of those scams, but I've read it carefully and checked the VOA link, and it rings true to me. Really.

Tags: thailand, scams, 419ers, Nigerian scams, thaksin

A Jakarta pickpocket tries to steal a woman's hair to make keyrings:

Hair today, gone tomorrow for victim of mane mugger

The hazards of riding the city's public buses are many -- pickpockets, gropers, drivers who stop in the middle of the road, wandering musicians plunking away on ukuleles in the hopes of annoying a few rupiah out of passengers -- but until Monday, commuters might have thought that at least their hair was safe.

Certainly Nuryamah, 35, did -- until a thief cut 40 centimeters of her knee-length locks off while she sat aboard a bus going through Senayan.

"It took me six years to grow this," she cried to police while filing a report.

She said she was on the Blok M-Bekasi bus at around 11 a.m. when she felt a tug on her scalp. She touched her hair and realized it had been cut to her waist.

Nuryamah said she saw a man attempting to leave the bus and called "thief", attracting the attention of a nearby police officer, who arrested the man and took him to Jakarta Police headquarters.

The suspect, Agus Setiawan, 27, told the police he intended to make keychains from the hair and had done the same thing last year without being caught.

"I can sell hair keychains for Rp 10,000 (almost US$1) each," he said.

The police detained Agus after questioning him for about three hours. They confiscated his backpack, in which they found the hair.

Agus works as a fried catfish seller at his mother's stall in Warung Buncit, South Jakarta.

Nuryamah, who was born in Pelabuhan Ratu, West Java, said she was accompanied at the time by her mother, 52-year-old Enah, on her first visit to Jakarta.

"I started to grow my hair in 2001 when I was working as a migrant worker in Palestine," she said. (JP/08)

What I like about this story are all the questions it raises:

• What sparked Agus' entrepreneurial spirit -- diversifying from the helping mum sell fried catfish sector to the human hair keychain vending sector?
• Where did he come up with the idea of a human hair keychain?
• Who would knowingly buy a human hair keychain?
• If they didn't buy it knowingly, what did they think they were buying?
• Where did he come up with the idea of covertly cutting people's hair for his supplies?
• How long was Agus looking for someone with such long hair?
• And poor old Nuryamah. It's not clear whether it was her first visit to Jakarta, or her mother's, but you can't help wondering what was going through their minds about city dwellers.
• What did the arresting officer say when she told him her hair had been stolen? "Don't worry, miss. I hear it grows back"?
• What exactly did the police put in their report?
• What did Nuryamah hope to achieve by filing the report? Was she hoping to get her hair back?
• Is this part of a bigger hair racket? Should we all be on our guard for hair thieves?
• If her locks really did go down to her knees, how exactly did Agus cut them off?
• Shouldn't Agus and Nurmiyah go into business?
• Most important, where can I buy one of these rings?

The Jakarta Post - Hair today, gone tomorrow for victim of mane mugger

It's a small bugbear but I find it increasingly irritating, and I think it reflects a cynical intent to mislead on the part of the people who do it, so I'm going to vent my spleen on it: websites which turn links in their content, not to the site itself, but to another page on their own website.

An example: TechCrunch reviews Helium, a directory of user-generated articles. But click on the word Helium, and it doesn't take you, as you might reasonably expect, to the website Helium, but to a TechCrunch page about Helium. If you want to actually find a link to the Helium page, you need to go there first.

I find this misleading, annoying and cynical on the part of the websites that do this. First off, time-honored tradition of the net would dictate a website name which is linked to something would be to the website itself. Secondly, clearly TechCrunch and its ilk are trying to keep eyeballs by forcing readers to go to another internal page, with all the ads, before finding the link itself. Thirdly, because I'm a PersonalBrain user and I like to drag links into my plex (that's what we PBers call it) it's a pain.

Fourthly, it's clearly a policy that even TechCrunch has trouble enforcing. In the case above, the original post had the word Helium directly linking to the website itself, but which was subsequently edited to link to the internal TechCrunch page (as noticed by a reader of the site). If you subscribe to the TechCrunch feed, that's what you'll still see:

TechCrunch isn't alone in this, by the way. StartupSquad does it (a particularly egregious example here of five links in a row which don't link to the actual sites). For an example of how it should be done, check out Webware, which has the word linking to the site itself, and an internal review as a parenthetical link following. Like this, in Rafe Needleman's look at companionship websites. Click on Hitchsters and you go to the site; click on 'review' and you go to a review.

It's a nuisance more than a crime, but to me it still undermines a central tenet of the web: links should be informative and not misleading. If you are linking to anything other than what your reader would expect, then you're just messing around with them.

Good grammar is important, whether you're pitching a story to a journalist or a scam to a dupe.

Here are two examples: how not to and how to. First off, a PR pitch that endangers its credibility with an error in the subject line:

And now, here's an example of getting it right: A scam that not only illustrates good grammar (right down to the correct use of the singular verb with "couple") but also how callous scammers are getting:

<...>

The Foundation is non-profit and Our Mission is to facilitate inspiring, meaningful outdoor experiences for youth who suffer life-challenging medical conditions as a result of HIV/AIDS.

We offer new hope and life skills for adjudicated youth, at-risk youth and those with disabilities and dependencies.These adventure programs build esteem, confidence, and character values that help build the foundation for a family and career.

<...>

We have a couple of Donors in CANADA and USA who has pledged but and we need a Payment/Liaison Agent urgently who will among other functions accept funds on our behalf and we will offer 10% of whatever we get in return.

<...> 

The scam, by the way, is probably seeking a phisher's mule: Someone who will allow their bank account to be used for laundering funds obtained from phishing expeditions. But it may also involve attempting to fleece the individual in time-honored 419er tradition.

I'm not suggesting, by the way, that the text is original. It's lifted from several sources, however, indicating a degree of sophistication on the part of the scammer. Some is from the Tony Semple Foundation for Hope, some from  the Wilderness Outdoor Leadership Foundation. (This explains the apparent non-sequitur from the first paragraph to the second.) The scam has used different names for its foundation, each a variation on the organizations whose words it has stolen: for example, the Foundation of Hope and the OutdoorFun Foundation UK. It seems to have been running about a month.

(This is the text of my weekly Loose Wire Service column, syndicated to newspapers like The Jakarta Post. My thanks to Joe Wein for the information that made this column possible.)

A lot of people think that online scams happen to other people, but they don't. They could happen to you. Or a relative, new to the Internet.

At midday last Oct. 9, the life of Mr. Bhanjee (not his real name) changed forever. Checking his Yahoo! account in his home town in India's Karnataka state, he noticed he had received an e-mail from the UK National Lottery.

The message said he had been randomly selected to enter the online Sweepstakes International program held in Britain three days earlier.

He had won, the e-mail said, stg. 480,204, which would be released to him by the company's London office. He was advised to keep the information confidential "till your claim is processed and your money remitted to you in whatever manner you deem fit to claim your prize."

He e-mailed back his delight. A few weeks later he got an e-mail from the Reverend Nick Robert who confirmed the winnings and said his original certificate of winning had been forwarded to a courier company based in Cardiff, Wales, and told Mr. Bhanjee to contact a Fred Smith. He duly did so.

He was told to send stg. 583.45 toward insurance and courier charges. Belonging to a poor family, Mr. Bhanjee expressed his inability to send this amount. Nothing happened. Then, on New Year's Eve Mr. Smith informed him that the directors of the lottery had decided to transfer his prize directly to him "because of limited time."

He again offered his congratulations and told him to send his bank account details to a Mrs. Jean Lynn of Lloyds TSB in Bately, Yorkshire. The e-mail this time was not from a free e-mail service but an actual website: www.llbukinter.co.uk.

Accordingly, Mr. Bhanjee contacted Mrs. Lynn Jean and gave her all the particulars. He was surprised to receive, in reply, an e-mail informing him his account had become dormant and needed to be reactivated, at a cost of stg. 850. He tried to reason, but to no avail.

Mr. Bhanjee borrowed from friends and relatives and deposited the amount into a personal account belonging to "A1 Medical and General Store" at a bank in Boisar, a small town in India's Maharashtra state, on Feb. 26, 2007.

He was told his money would arrive within 72 hours. Instead he received another e-mail from Mrs. Jean requesting another stg. 650 toward Revenue Commission and stg. 400 Non-Residential Tax. Mr. Bhanjee borrowed more and deposited the amount in two other accounts. He waited.

Another e-mail arrived from Mrs. Jean, asking him to deposit another stg 1,500 towards "COT code" charges. Things were getting desperate. If he withdrew now he would lose all the money he'd put in. But finding more was hard.

"I expressed my extreme difficulty in arranging for any further amount to deposit," he recalled, but Mrs. Lynn Jean turned deaf ears towards my cries." He sold his house, and, in April, deposited the money in another Boisar bank account. Still no money arrived.

Another request came through: Because it had taken so long, his account had been deactivated again. He pleaded with Mrs. Lynn Jean about his critical financial condition. With great difficulty he scrambled together the money and, on May 9, deposited stg. 850 into the personal account of a "Khudrakpam Hemadevi" at a bank in Karnataka State.

Be suspicious of the unknown

By now his relatives were losing patience. "By this time it was already seven to eight months (and) all the creditors started pressuring me for returning their loan amounts and they started to lose faith and confidence in me," he wrote.

They started to call him a cheat. He was in hell: "My mental torture and agony knew no bounds." But it wasn't over. It was then that received an e-mail from the manager of the International Clearance department at Lloyds Bank asking him to send stg. 2,500 toward fund clearance fees. But there was no money left.

Owing more than stg. 4,000 to friends and relatives, Mr. Bhanjee hunted around for help. He found Joe Wein, a German software programmer who runs a website help desk for those duped by so-called 419 scammers, to whom he wrote an e-mail begging for help, his writing an unconscious echo of the style his tormentors used:

"Sir, this is the episode by which I would become bankrupt, frustrated in life and I am left with no alternate other than committing suicide under the pressure of the creditors, mental torture on account of Mrs. Lynn Jean's fraudulent acts which made me a beggar.

"I do not know whether I am going to get the lottery amount or not. I am the poorest man and living with a loaf of bread with my aged mother, having lost everything on account of this lottery and Mrs. Lynn Jean."

(At the time of writing, what happened to Mr Bhanjee in the end is not yet known.)

It's easy to mock those who have fallen victim to such scams. But if you're new to the Internet, new to e-mail, if you've not received one of these scams before, you may easily believe your luck is about to change.

Scammers will try new tricks to drop your guard: One e-mail scam I saw recently informed the recipient the Fundación Germán Sánchez Ruipérez's board of trustees had chosen them as the final recipient for "a cash grant/donation for your own personal, educational and business development".

The scam is always the same, but it often sounds more plausible than you'd expect.

What can you do to avoid being scammed, or having someone in your family fall victim? Well, the obvious rules apply: Don't believe anything you receive from someone that you don't know.

It's an obvious lesson, but one we continually fail to follow: A friend wondered recently whether a spate of recent e-mails saying they had received an e-greetings card from a colleague/friend/relative were real. No, they're not, and clicking on a link will install bad stuff on your computer you'd rather not have.

If you're really not sure about something, delete it. If it's real, the person will find another way of contacting you or will resend it.

If it's from a webmail address (like Yahoo! or Hotmail, or something like that) chances are very high it's a scam. If you want to doubly sure, visit Joe's website Scam-o-matic and paste the contents of the e-mail into a box he provides. Software he has developed will tell you whether or not the contents are a scam.

Bottom line: As more and more of us venture online for the first time, we represent a new generation of innocents that the scammers can target. They won't stop, and they will show no mercy, so make sure all your friends and family are aware.

The Jakarta Post - The Journal of Indonesia Today

You got to give scammers credit where credit is due. This latest wave of e-card spam at least exhibits some imagination on the part of the sender:

At first it was from a friend, then a colleague, then a classmate; now it's neighbors and worshippers sending you ecards. Good on them. I must confess I don't worship that often, and I haven't spoken to my neighbor since the Korean-funded mistress moved out from next door, so they're not likely to dupe me. But they might dupe someone. (If I got one from from a Fellow Technology Columnist, I might bite.)

Which would be bad, because the links contain a variant of the Storm Trojan, according to Urban Legends, which will turn your computer into a zombie and do some scammer's bidding.

All this must be really hurting what is left of the e-card greetings industry (when was the last time you received an e-card? A real one, I mean?) Indeed, a press release from the Greeting Card Association warning users about these scams offers advice to recipients that is so tortured it's hard to imagine anyone would bother following it:

For consumers who are unsure if an e-card notice is legitimate, the Greeting Card Association recommends that they go directly to the publisher's website to retrieve an e-card, rather than clicking on a link within the e-mail.
-- Manually type the name of the card publisher's website URL into your browser window.
-- Locate the "e-card pick up" area on the publisher's website.
-- Take the card number or retrieval code information contained in the e-mail and enter it into the appropriate box or boxes on the publisher's e-card pick-up area.
-- If you are unable to retrieve the e-card, you will know the notification was a scam, and that it should be deleted.

Seriously. Who is going to do all that? My advice: if you care enough about the person, send them a real card. Or leave something on their Facebook wall.

This week's column in the Journal (subscription only, I'm afraid) is about something called the Yoggie:  

This small computer is called the Yoggie Pico, launched May 29 by an Israeli company called Yoggie Security Systems. The idea is that you should protect your computer not by installing firewall, antispyware, antivirus and antispam software on it, but by installing all that stuff outside it. In other words, network traffic gets diverted and screened first by the Yoggie Pico, where it kills off all the bad stuff before passing the clean traffic onto your computer. The thinking, says Yoggie's marketing director Avi Dardik, is that instead of your computer being the battlefield, "the war is being waged outside the laptop."

The review is largely positive, although I did find what I believe were false alarms of weird activity -- not too important since they don't pop up and tell you. But since the review was finished I have noticed some weird behavior that Yoggie is now investigating, and which you may want to consider if you're thinking of buying.

One is that my laptop started failing to reboot -- it would stick on the startup screen and stay there until I removed the battery and let the memory drain. I am not certain the Yoggie was to blame, but it seems the likely culprit. The other thing I noticed is that the password-system is not perfect: I suspect that if you change a password (there are two -- one for the console, one for the enabling) the software may not always remember it. Certainly if you upgrade the drivers the password will reset to the default one. Yoggie say they haven't come across these quirks but have promised to investigate.

Other quibbles I didn't have time to mention: The Yoggie can get warm. And at least on one occasion dangerously hot. I would not want to use it with kids around -- ironically one group of people the product is targeting, with its parental filters. Yoggie said they are aware of this, as they are of the fact that Yoggie does not communicate with Windows' own security controls; so expect Windows to keep telling you you don't have protection even when Yoggie is running.

All that aside, I still think Yoggie is a great product. I think the idea of outsourcing security to a device sitting outside the computer is a natural one, and will, as Yoggie claim, create a new category of security device for ordinary users. Yes, it's absurd that this kind of thing has to be farmed out, but it makes a lot of sense.