Monday, July 31, 2006

Crime and Greed in Las Vegas

There is no such thing as a free lunch. Sometimes when someone is fast-talking and you get caught up in the moment, you forget this. It has happened to all of us. I witnessed this last week in Vegas, where some mark lost $100 to a 3 Card Monte dealer in front of Treasure Island.

The World Series of Poker is going on in Vegas right now. This is the world's largest poker tournament series (45 total events), with the main event consisting of a $70M prize pool. Needless to say there are lots of people in Vegas with money to burn. I have been to Vegas more than 50 times over the past 15 years and I have to say that this trip was the worst when it comes to witnessing crime.

Hookers were everywhere -- and I mean everywhere. The high-priced good-looking hookers hovered mostly at the Rio, where the WSOP events were taking place. They would show up around 10pm in the area outside of the tournament and be very up front about propositions. I saw a few negotiating their terms with tricks up in the food court. The skanky ones were right smack in the middle of the strip, in front of Harrah's and the Flamingo, walking up to cars that stopped.

A guy ran by me when I was outside of Caesars Palace. He was clutching a purse. A few minutes later, a woman with a bloody shoulder walked by in a daze asking where she could find a cop or a security guard. The purse was torn from her possession by the assailant. My brother and I almost got jumped by three guys trying to start shit outside of Harrah's at 4 in the morning.

One thing that I saw was a fishy 3 Card Monte game. This is a game where the con man shuffles 3 cards face-down in front of you and you try to pick a card (usually a queen) after he is done shuffling. If you get the card, you win! If you don't, then you lose. There is a team of people involved in the scam. The majority of the scam is based on sleight of hand and misdirection. What this con man was pulling was much less sophisticated.

There was a pretty large crowd around the con man. He would shuffle the cards and just ask a random guy to pick the queen. The random guy didn't need to put up any money, it was just for fun. The guy picked a card and the con man flipped it over, showing that the guy was wrong. It didn't really matter, because no money was exchanged. He did this a couple of times before he found his mark.

He shuffled one more time and had the mark pick a card. The mark picked the card on the right. The con man peeked at the card and said "You got it! Just show me the $100 and I'll let you have it! I can't pay you unless I know you were serious about the bet." At this point, the mark did two serious things wrong. The stupidest thing that he did was pull a wad of cash out in front of strangers on the Vegas strip. You should NEVER do this in Vegas. I am reluctant to let people know how much money I have even when I am buying in at the blackjack/poker tables. The second stupid thing that he did was pull out five $20 bills and hand them to the con man. At this point I could tell the mark was second-guessing himself. The con man tugged at the $100 and you could tell the mark was resisting. The con man gave one final tug and said "OK, now flip it." The card was NOT the queen and the mark was $100 lighter.

The mark seemed like a normal guy who just got caught up in the moment. There is a lot of craziness going on, and first-time Vegas tourists get so lost in the lights, booze, money and scantily clad women that they forget how the real world works. I think there are a few things you can do to make sure you aren't getting ripped off:


  • Figure out how the con man is making money. No one ever gives money away. Sometimes they will lose a few bets in the beginning and hustle you for a ginormous bet at the end, but the con man went for the jugular right from the start.

  • Let someone else go first. Even though the other person might be in on the scam, it doesn't hurt to see someone else take the first punch.

  • Know that you are at the disadvantage in situations like this. This is like when you try to negotiate prices with a car salesman. They are in this same exact situation dozens of times every day and they know all the angles. Unless you spend a fair amount of time analyzing the situation, you should assume you are getting scammed.

Preventing Phishing Attempts

I give props to ING Direct, who is really taking a stand against phishers. ING Direct is a US-based online bank. They just released a new login process which makes protecting the customer's identity its top priority.

This is their description of their new security feature:


Introducing a whole new way to feel safer.

Our new state-of-the-art security feature is a way to make you feel even more secure when you login.
By adding this new layer of security, you get added peace of mind that you are on the authentic ING DIRECT website (https://secure.ingdirect.com). No other user or website would know what image and phrase you choose – only you and ING DIRECT know.

Here’s how it works.

You will be asked to select an image and create a phrase when logging into your account. Images can be chosen from our library of images and the phrase you enter can be any words you choose, such as “Home Run” or “Dream Car.”

The enrollment process is easy and will take a minute or two. And you will only have to do this once. After enrollment, when you login, your image and phrase will be displayed so you’ll know immediately that it’s safe to enter your Login PIN. To make your login experience even easier, you can “register” your computer with us, so that the next time you login from that computer, we will recognize you.


Their login process goes through the following steps:

  • You type in your customer number and submit the form.

  • The next page will show an image and text phrase that you previously chose. If you do not see the image and phrase that you chose, then you either typed in the wrong customer number, or you are NOT at the real ING Direct web site.

  • If you see the proper image and phrase, then you click on your PIN using a keypad that is on the web page.

  • If you are NOT logging in from a computer that you have registered with ING Direct, then they will ask you one of 5 different security questions (such as "What is the street number of the house you grew up in?").

The image and phrase verification is used to prevent phishing. If someone sets up a fake web site and is trying to get you to type in your password, they would need to know your selected image and phrase to get you to continue with the login process. Of course, this assumes that the consumer knows why they are being asked to select an image and phrase. If the phisher sets up a fake site that just asks for your customer number and PIN, and you forget that you were supposed to see the image/phrase, then you are screwed.
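To make the four steps above concrete, here is a small model of that login flow. This is an added example and an assumed design; it is not ING Direct's code. The Bank class plays the server (customer number first, then the chosen image/phrase, then the keypad PIN, then a security question unless the computer carries a registration token), PhishingSite plays a look-alike site that cannot know the image/phrase, and client_login plays the customer, who either checks the image/phrase before typing the PIN or forgets to. All names, the sample customer and the security question are made up for the example.

```python
"""Model of a two-step, image-and-phrase login flow (added example, assumed
design; not ING Direct's code)."""
import hashlib
import hmac
import secrets


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked customer table does not reveal PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def _same(a: str, b: str) -> bool:
    """Constant-time comparison of two normalised security-question answers."""
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())


class Bank:
    """Server side of the flow: identify, show image/phrase, PIN, question."""

    def __init__(self):
        self._customers = {}   # customer number -> enrolment record
        self._devices = {}     # registration token -> customer number
        self._pending = {}     # customer number -> security question asked

    def enroll(self, customer_number, pin, image, phrase, questions):
        """One-time enrolment: PIN, chosen image/phrase and security answers."""
        salt = secrets.token_bytes(16)
        self._customers[customer_number] = {
            "salt": salt,
            "pin_hash": _hash_pin(pin, salt),
            "image": image,
            "phrase": phrase,
            "questions": dict(questions),   # question text -> answer
        }

    def identify(self, customer_number):
        """Steps 1-2: customer number only. Returns the chosen (image, phrase)."""
        rec = self._customers.get(customer_number)
        return None if rec is None else (rec["image"], rec["phrase"])

    def submit_pin(self, customer_number, pin, device_token=None):
        """Steps 3-4: PIN from the on-screen keypad; a registered computer is
        done, an unregistered one gets a question. Returns (status, question)."""
        rec = self._customers.get(customer_number)
        if rec is None or not hmac.compare_digest(
                _hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            return ("denied", None)
        if self._devices.get(device_token) == customer_number:
            return ("ok", None)
        question = secrets.choice(sorted(rec["questions"]))
        self._pending[customer_number] = question
        return ("question", question)

    def answer_question(self, customer_number, question, answer, register_device=False):
        """Finish an unregistered-computer login. Returns (status, token); the
        token is what 'registering your computer' leaves on that machine."""
        rec = self._customers.get(customer_number)
        asked = self._pending.pop(customer_number, None)
        if rec is None or asked != question or not _same(rec["questions"][question], answer):
            return ("denied", None)
        token = None
        if register_device:
            token = secrets.token_urlsafe(32)
            self._devices[token] = customer_number
        return ("ok", token)


class PhishingSite:
    """Look-alike page: it cannot show the real image/phrase, so it shows a
    generic one and records whatever PIN the visitor types."""

    def __init__(self):
        self.captured = []

    def identify(self, customer_number):
        return ("generic_welcome.png", "Welcome back!")

    def submit_pin(self, customer_number, pin, device_token=None):
        self.captured.append((customer_number, pin))
        return ("ok", None)


def client_login(site, customer_number, expected, pin, device_token=None, check_image=True):
    """The customer's side. With check_image=True the PIN is never typed on a
    site that fails to show the expected (image, phrase); with check_image=False
    the customer has forgotten the check and hands the PIN over."""
    if check_image and site.identify(customer_number) != expected:
        return "aborted: wrong image/phrase, PIN not entered"
    return site.submit_pin(customer_number, pin, device_token)[0]
```

The interesting case is the last line of client_login: the image/phrase only protects a customer who actually compares it against what they chose, which is the point the paragraph above makes.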

The on-screen keypad is there to prevent keyboard logging. This is very prevalent in places where computers are shared or in open areas. When I worked for a K-12 school district in Orange County, this came up much more frequently than you would think. Students are more devious than most adults give them credit for. You can put in a piece of hardware called a keylogger between the keyboard and the computer that will capture every keystroke that the user types in. The hacker later removes the hardware and goes through the stored logs of key presses. If the hacker knows your username, this makes the search easy. They just search for [username]+TAB and then the next set of keystrokes is the user's password.

There are already a few things that a user should expect when logging into a web site. If they do not already expect these things, then no amount of security will protect them:

  • The protocol of the web site should be https instead of http.

  • They should see the yellow padlock in their browser indicating that the communication channel is secure and that the SSL certificate is valid.

  • When they type in their password, the password is not echoed on the screen. It will show up as asterisks instead.



I really think that the login process will dramatically change over the next few years. Most people don't know why they have a CVV number on the back of their credit card, but they learned what it was when online retailers started demanding it. Most people don't know why most websites have email verification as part of their registration process, but they have learned to expect it. Users will need to educate themselves in order to keep their identities private. Phishing is one of the most prevalent forms of hacking that I have seen in the last 5 years. Security precautions like the ones ING is implementing will slowly become a standard across the internet.

Sunday, July 30, 2006

Looking for the special person

For some reason, I found this spam email quite interesting:


Hello my friend. My name is Sveta.
I am very sociable and clever girl.
I have good sense of humour. I am very like romanticism.
My birthday on Semtember, 6, 1979. I have finished the
state university, a trade the manager.
I work in big low corporation.
I am looking for the person which will not play with me in
games and to ask me erotic photos.! For me it is necessary
simple kind and able to love the main thing the person.
I want serious relations and I dream of the present family.
I am very trustful, naive, but can and take offence if I will
understand that use me. I do not like very much when
someone deceive me. If you this person which I need that
please write to me! =) I will be glad to find out you in
more details. I use the Internet because I want to increase a
circle of search of my second half. The previous attempts
to find the love, have ended with failure. The Internet for me
is a new thing. And except for mail I do
not know as it still it is possible to use, but I hope
I will soon learn. My hobbies equestrian sport to skate.
I very like to float. I love dances Very much! If you want
to comunicate with me, please write me: sveta@moscowlights.com
I shall answer any questions. I wait for your reply very soon.
Sveta.


The interesting thing about this email is that I know it is complete crap, but I still want to email the sender back to see what the deal is. Are they going to follow through if I request pictures and a phone number?

The sender's email address is largw@projekt-suedkurve.de, which is a German domain name. I went to the www.projekt-suedkurve.de web site, and it looks like a small German internet cafe. "projekt suedkurve" translates to "project southcircle," but that doesn't really mean much to me.

The other domain name that this person used was "moscowlights.com," which looks like it is a Russian law firm. The sentence "I work in big low corporation..." must be a misspelling of "law corporation."

It just seems so implausible that some Russian girl would be sitting at home so lonely that she would buy an email list and proceed to spam everyone on it in search of her better half.

Since the moscowlights.com URL looks legit, I have to believe that sveta@moscowlights.com is a real email address that goes to a real person. I couldn't find anyone named Sveta on the company's "Legal Team" page, so I assume it is a non-lawyer type employee.

Most likely, some disgruntled employee or ex-boyfriend chose the passive-aggressive route to getting back at poor Sveta. He got access to some email list and spammed everyone on it with this fake tale of desperation.

Monday, July 10, 2006

eBay buyers commit fraud, too!

Jesus Christ. Internet scams are popping up to the left and right of me. Maybe it's because I make so many transactions online that the law of averages just catches up with me.

I recently sold a T-Mobile Sidekick mobile phone on eBay. The phone was barely used and in near mint condition. I got a pretty good price for it and packed it and shipped it with great care.

After the buyer received the product, she emailed me with the following bullshit message:
Jack, I have been tossing and turning last night, and became nausea because I spend $ on this pager and I am finanically struggling. I am hearing impaired and I live on this pager. The screen isnt working and didnt look right at all. I wouldn't send any negatives on your feedback because I am not that kind of person. I would send everything back to you, the pager, the case, chargers. You have been kind, and I feel upset about this. I need the $ back and look for another pager. I really need one . It might happen during mail? Please respond asap. Thank you. "cuntgal"
I was immediately suspicious because I know I took great care in shipping the product. I took a look at her eBay feedback history. The last positive feedback that she got was for a Sidekick phone back in April (3 months before purchasing my phone). I was pretty confident that she damaged the older phone and planned to scam me for a discount or free phone.

Here was my reply:
The Sidekick that I sent you was in near perfect condition. I packed it very carefully in bubble wrap and I cannot imagine that it got damaged unless you received the box crushed. What do you mean when you say that the screen doesn't look right? Can you send me a picture? What is the IMEI of the Sidekick that you are referring to?
The IMEI number is like a global serial number that spans all mobile phones.

She emailed me the pictures but they were blurry. I could barely read the IMEI on the phone and she never sent it via email. I didn't really want to deal with a big hullabaloo, so I told her I would refund $50 of the purchase (it was not insured) or I would give her $75 if she shipped the phone back to me.

She was both stupid and greedy. She wanted the extra $25 and she shipped the phone back to me. The picture of the phone with the IMEI was not the same unit that she shipped to me. The IMEI in the picture was xxxxxxxxxxx2689. The IMEI of the one she sent back was xxxxxxxxxxx9758.

Also, the phone was registered to the username "cuntgal". You could not see this on the phone because the screen was severely damaged. Since I have a lot of development experience with the Sidekick, I was able to take screenshots off of the phone. She also had a lot of games that I have never purchased still on the phone. This was clear evidence that she used the phone for many weeks before it was damaged.


I can say without a doubt, this cunt was trying to scam me. The most incriminating evidence is that the picture she sent me does not match the phone she shipped me. Guess what, cuntgal? You get nothing!




Some of the differences to note:

  • The IMEIs simply do not match. The one I shipped her ends with 2689. The one she shipped ends with 9758

  • The item she photographed says "Sidekick II". The one she shipped me does not.

  • The item she photographed says "PV-100". The one she shipped me says "Model: PV-100".

  • The item she photographed is not damaged near the camera. The one she shipped me is clearly damaged near the mirror and lens.




Here are some tips you can use to prevent this from happening:

  • Before you ship an item, take a picture of the Serial Number and make that picture part of the eBay posting.

  • Ask the person to send you clear pictures of the item and the damaged box.

  • You can also add a non-damaging mark to your item so if they ever ship you the product back, you will have to confirm this mark.

  • INSURE ALL ITEMS WORTH MORE THAN $100 at the buyer's expense.

  • ONLY offer a refund if they return the item to you. When you receive it, make sure that it is the exact item that you shipped. If the serial number is on a sticker, make sure they did not just peel off your sticker and slap it on the damaged product.



Here's a great link regarding someone else who has run into this issue:
eBay Buyer Scams

Thursday, July 06, 2006

More Social Engineering

I have been on personal high alert regarding phishing and other social engineering scams over the past few months. A few of my associates fell victim to an IM phishing scam a few weeks ago. More recently, a relative of mine was almost fooled by an email con. When I say she was almost fooled, I don't mean she was about to start forking over thousands of dollars; I mean she was genuinely sad because she thought a distant relative had died tragically.

Here is a copy of the email she received:


>From: " Walter Oko" <walteroko@wanadoo.es>
>To: walteroko@wanadoo.es
>Subject: APPOINTED AS NEXT OF KIN TO MR. ACECROFT
>Date: Sat, 1 Jul 2006 15:57:22 +0200 (CEST)
>
>FROM : THE PRINCIPAL ATTORNEY
>OKO & CO (LEGAL PRACTITIONERS).
>11 RUE DU BOULEVARD
>LOME-TOGO
>TEL: 228 9385782
>
>DEAR ACECROFT,
>
>I KNOW THAT THIS MAIL WILL COME TO YOU AS A SURPRISE, PLEASE ACCEPT THE
>CONTENT IN GOOD FAITH. I DO NOT INTEND TO CAUSE ANY GRIEF TO YOU AND
>YOUR FAMILY. THE REASON FOR SENDING THIS MAIL IS VERY FUNDAMENTAL TO
>THE DOCTRINE OF HUMAN PRIVILEGES AND RIGHT. I AM BARRISTER WALTER OKO,
>A SOLICITOR AT LAW, PERSONAL ATTORNEY TO A NATIONAL OF YOUR COUNTRY AND
>A MEMBER OF YOUR FAMILY SINCE HE HAD THE SAME FAMILY NAME WITH YOU MR. M.A.
>ACECROFT, AND USED TO WORK WITH HIS COMPANY IN LOME TOGO. HERE IN AFTER
>SHALL BE REFERRED TO AS MY CLIENT.
>
>ON THE 25TH FEB 2002, MY CLIENT, HIS WIFE AND THEIR ONLY DAUGHTER WERE
>INVOLVED IN A CAR ACCIDENT ALONG NOUVISSI EXPRESS ROAD. ALL OCCUPANTS
>OF THE VEHICLE UNFORTUNATELY LOST THEIR LIVES. SINCE THEN I HAVE MADE
>SEVERAL ENQUIRIES TO YOUR EMBASSY HERE TO LOCATE ANY OF MY CLIENTS
>EXTENDED RELATIVES, THIS HAS ALSO PROVED UNSUCCESSFUL. AFTER THESE
>SEVERAL UNSUCCESSFUL ATTEMPTS, I HAVE REASONED VERY PROFESSIONALLY AND
>I FEEL IT WILL BE LEGALLY PROPER TO PRESENT YOU AS THE NEXT OF KIN OF
>MY DECEASED CLIENT, SO THAT YOU CAN BE PAID THE FUNDS LEFT IN HIS FINANCE FIRM.
>
>I THEREFORE SEEK YOUR CONSENT TO PRESENT YOU AS THE NEXT OF KIN TO THE
>DECEASED SINCE YOU ARE AT AN ADVANTAGE, BEARING THE SAME SURNAME AND
>EQUALLY FROM THE SAME COUNTRY, WHICH THE PROCEEDS OF THIS FINANCE FIRM
>VALUED AT $8.5M CAN BE PAID TO YOU. WE SHALL BOTH SHARE THE FUNDS 40%
>FOR YOU AND 55% FOR ME, WHILE 5% SHOULD BE FOR EXPENSES OR YOUR
>GOVERNMENT MAY REQUIRE TAXES. THE SAID FINANCE FIRM HAS ISSUED ME A
>NOTICE TO PROVIDE THE NEXT OF KIN OR HAVE HIS ACCOUNT CONFISCATED. I
>EXPECT YOUR URGENT RESPONSE INDICATING YOUR FULL INTEREST IN THIS GREAT
>BUSINESS TO OUR BOTH MUTUAL TRUST.
>
>YOUR TELEPHONE AND FAX NUMBER WILL BE NEEDED FOR FURTHER COMMUNICATION.
>
>YOURS IN SERVICE,
>
>BARRISTER WALTER OKO. B, B.L,
>OKO & CO (LEGAL PRACTITIONERS).
>11 RUE DU BOULEVARD
>LOME-TOGO.
>
>Ahora con Amena el CD del futuro es el presente en tu móvil. Descarga
>las canciones que van a hacer historia
>http://ad.doubleclick.net/clk;33438710;7829128;n?http://www.especialesa
>mena.com/minisites/idols/es/



She figured out that this email was not on the up-and-up by herself. In case you missed some of the key clues, here are some of the tip offs:

  • The sender's email address is walteroko@wanadoo.es. If you go to wanadoo.es, it is a Spanish portal site (kinda like the Spanish version of Yahoo!). Receiving an email from this address is akin to receiving an email from someone @hotmail.com. Most likely, it is a throwaway email address that someone created for the purposes of conning marks and not leaving a trail. If the guy were really a lawyer, he would have a respectable email address with his firm's domain name prominently displayed.

  • The email is from a lawyer, someone who makes a living manipulating the English language. You would think that someone who is this articulate would refrain from using ALL CAPS when delivering their message.

  • Tome-Logo? Where the fuck is that? Google Map it and you will see that it is in West Africa. Why would someone with an email address from Spain have a law office in Africa?

  • "DEAR ACECROFT"? Who addresses someone in a professional letter using their last name (without the "Mr." or "Ms." prefix)?

  • "...PERSONAL ATTORNEY TO A NATIONAL OF YOUR COUNTRY AND A MEMBER OF YOUR FAMILY SINCE HE HAD THE SAME FAMILY NAME WITH YOU MR. M.A. ACECROFT, AND USED TO WORK WITH HIS COMPANY IN LOME TOGO." - I don't even think this makes grammatical sense. Someone is related to me because they have the same last name? My last name is not that uncommon. It took 4 years for you to find me?

  • "Ahora con Amena el CD del futuro es el presente en tu móvil. Descarga las canciones que van a hacer historia" - This translates to "With now Pleasant the CD of the future it is the present in your moving body. It unloads the songs that are going to make history" according to Google translate. It's the embedded advertisement at the bottom of a wanadoo.es branded email.

  • http://www.especialesamena.com/minisites/idols/es/ is a retarded Flash movie promoting the advertisement in the line item above.

  • http://ad.doubleclick.net? This lawyer needs to use an email service that tracks banner clicks? This is just retarded.

  • 40% for me and 55% for you? WTF? If you're going to screw me, please have the kindness to make me feel like I'm getting the better end of the deal.



I think this guy wanted his hands on the 5% of the $8.5M bounty. That translates to $425,000. Most people don't have this amount of money lying around, but I'm sure that kind Walter would bend over backwards to cover you if you could only pony up $50k.
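The tip-offs in the list above, plus the reply-address mismatch from the Sveta post (the mail came from largw@projekt-suedkurve.de but asked for replies to sveta@moscowlights.com), are all things a mail filter can check mechanically. The scorer below is an added example, not anything from the post: each rule is one of those tip-offs, and it is run over two messages constructed from the headers and excerpts quoted in the two posts plus one harmless constructed message. Assumptions: the recipient address of the Sveta mail (you@example.com) and the benign mail are made up, and the FREEMAIL list adds yahoo.com and gmail.com to the two domains the post names.

```python
"""Heuristic scoring of the scam e-mails quoted in the posts (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Webmail/portal domains a law firm would not write from. wanadoo.es and
# hotmail.com are named in the post; the other two are assumed additions.
FREEMAIL = {"wanadoo.es", "hotmail.com", "yahoo.com", "gmail.com"}
AD_TRACKERS = {"ad.doubleclick.net"}          # the tracker host seen in the mail

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HOST_RE = re.compile(r"https?://([^/\s?]+)")
FULL_URL_RE = re.compile(r"https?://\S+")
MONEY_RE = re.compile(r"\$\s?\d[\d,.]*\s?[MK]?", re.I)
PCT_RE = re.compile(r"\b\d{1,3}%")
GREETING_RE = re.compile(r"^DEAR [A-Z]+,?\s*$", re.M)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def score_message(raw):
    """Return (score, [names of triggered rules]) for one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    prose = FULL_URL_RE.sub("", body)          # URLs are lowercase by nature
    letters = [c for c in prose if c.isalpha()]
    body_addrs = {a.lower() for a in ADDR_RE.findall(body)}
    hosts = {h.lower() for h in HOST_RE.findall(body)}

    flags = {
        # Mail "sent to itself"; every real recipient is hidden in Bcc.
        "from_equals_to": bool(sender) and sender == recipient,
        # A "law firm" writing from a free portal mailbox.
        "freemail_sender": _domain(sender) in FREEMAIL,
        # Body written almost entirely in capitals.
        "shouting": bool(letters) and sum(c.isupper() for c in letters) / len(letters) > 0.7,
        # A large sum of money plus a percentage split of it.
        "money_and_split": bool(MONEY_RE.search(body)) and len(PCT_RE.findall(body)) >= 2,
        # "Write to me at" an address on a domain other than the sender's.
        "reply_address_mismatch": any(_domain(a) != _domain(sender) for a in body_addrs),
        # Ad-click tracking link pasted into a supposed legal letter.
        "ad_tracking_link": bool(hosts & AD_TRACKERS),
        # Surname-only greeting in capitals.
        "surname_only_greeting": bool(GREETING_RE.search(body)),
    }
    hits = sorted(name for name, hit in flags.items() if hit)
    return len(hits), hits


# Constructed from the headers and body excerpts quoted in the post.
OKO_MAIL = """\
From: " Walter Oko" <walteroko@wanadoo.es>
To: walteroko@wanadoo.es
Subject: APPOINTED AS NEXT OF KIN TO MR. ACECROFT
Date: Sat, 1 Jul 2006 15:57:22 +0200 (CEST)

FROM : THE PRINCIPAL ATTORNEY
OKO & CO (LEGAL PRACTITIONERS).
LOME-TOGO

DEAR ACECROFT,

I AM BARRISTER WALTER OKO, A SOLICITOR AT LAW, PERSONAL ATTORNEY TO A
NATIONAL OF YOUR COUNTRY. THE PROCEEDS OF THIS FINANCE FIRM VALUED AT
$8.5M CAN BE PAID TO YOU. WE SHALL BOTH SHARE THE FUNDS 40% FOR YOU AND
55% FOR ME, WHILE 5% SHOULD BE FOR EXPENSES.

Ahora con Amena el CD del futuro es el presente en tu móvil.
http://ad.doubleclick.net/clk;33438710;7829128;n?http://www.especialesamena.com/minisites/idols/es/
"""

# Constructed from the Sveta post; the To: address is made up.
SVETA_MAIL = """\
From: largw@projekt-suedkurve.de
To: you@example.com
Subject: Looking for the special person

Hello my friend. My name is Sveta.
I work in big low corporation.
If you want to comunicate with me, please write me: sveta@moscowlights.com
I shall answer any questions. I wait for your reply very soon.
Sveta.
"""

# Entirely made up, to show a normal mail scores zero.
BENIGN_MAIL = """\
From: Alice <alice@example.com>
To: Bob <bob@example.com>
Subject: Lunch on Tuesday?

Hi Bob,

Are you free for lunch on Tuesday? Reply to alice@example.com if so.
"""
```

Run score_message(OKO_MAIL) and six of the seven rules fire; the Sveta mail trips only the reply-address rule, which is exactly the clue the earlier post leaned on.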

Barrister Walter Oko, please suck my fucking balls.

Sunday, July 02, 2006

Prison Break Permutation

In an episode of the Fox television show Prison Break, the main character, Michael Scofield, had to punch in an unknown secret code on a 10-key keypad. His whole 5 month plan hinged on his ability to figure out the code in a matter of seconds.

He brought along a container of baby powder that he applied to the keypad. The baby powder adheres to the 4 unique keys that are used in the code. The viewer is made to believe that pressing the keys so often would cause them to retain deposits of oil from the prison guards' fingers (never mind that the guards often wear gloves!).

If you are certain that no number is repeated, then there are 4! = 4x3x2x1 = 24 possible combinations. The flagged buttons were 1, 3, 5 and 8, so he would need to try the following combinations:

1358, 1385, 1538, 1583, 1835, 1853,
3158, 3185, 3518, 3581, 3815, 3851,
5138, 5183, 5318, 5381, 5813, 5831,
8135, 8153, 8315, 8351, 8513, 8531

It took me 75 seconds to type in those 24 combinations. If you were an engineer (like Scofield) and you had to type in these numbers, you would most likely use some algorithm to enter the numbers. This way, you could rifle through the numbers without writing down the already tried combinations. I chose to type in the numbers in ascending order. Instead, Scofield types in these combinations as his first three:
1358, 3581, 8135

It almost looks like he is using some "wrap-around" algorithm for entering the numbers. The only thing is that the third number in the sequence should have been 5813 instead of 8135.

Assuming that he had a method to his combination selection, he should have tried the following combinations (in this order):
1358, 3581, 5813, 8135
1385, 3851, 8513, 5138
1538, 5381, 3815, 8153
1583, 5831, 8315, 3158
1835, 8351, 3518, 5183
1853, 8531, 5318, 3185

This list uses an ascending order for the initial number, then takes the first digit off and appends it to the end. It's not the most intuitive algorithm for entering numbers, but it works.
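The two lists above can be generated rather than typed out. The code below is an added example (not from the show or the post): all_orderings gives the 24 combinations in ascending order, and rotation_order reproduces the wrap-around scheme just described, generalised to any set of distinct keys. It also checks the reason the scheme works: every ordering has exactly one rotation that starts with the lowest key, so the six rows cover all 24 orderings once each.

```python
"""Keypad orderings from the post (added example)."""
from itertools import permutations


def all_orderings(keys):
    """Every ordering of the flagged keys, ascending; for "1358" this is the
    24-entry list in the post."""
    return ["".join(p) for p in permutations(sorted(keys))]


def rotation_order(keys):
    """The post's scheme: lowest key first, the remaining keys run through
    their orderings in ascending order, and each start code is rotated (first
    digit moved to the end) until it wraps. Returns one row per start code."""
    keys = sorted(keys)
    lowest, rest = keys[0], keys[1:]
    rows = []
    for tail in permutations(rest):
        code = lowest + "".join(tail)
        row = []
        for _ in range(len(code)):
            row.append(code)
            code = code[1:] + code[0]     # wrap the first digit to the end
        rows.append(row)
    return rows


def covers_every_ordering(keys):
    """True when the rotation rows hit each ordering exactly once. They always
    do: each ordering has exactly one rotation starting with the lowest key,
    so it appears in exactly one row at exactly one position."""
    flat = [code for row in rotation_order(keys) for code in row]
    return len(flat) == len(set(flat)) and set(flat) == set(all_orderings(keys))
```

rotation_order("1358")[0] is 1358, 3581, 5813, 8135, which is where the show's third entry (8135) jumps ahead of 5813.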

My point is that I think I can buy the whole baby powder sticking to the keys thing, and maybe he watches the guards with an eagle eye and he was positive that there were exactly 4 numbers in the secret code. The only thing I don't buy is that this guy is a meticulous engineer who executes all his actions in a robot-like manner, yet he punches in the sequence of numbers in a non-sensical fashion.

Beating Netflix

I absolutely hate Netflix. Netflix is an evil company spawned by Lucifer. Netflix employees all have sex with their siblings and they eat their own excrement.

In case you don't know, Netflix is a DVD rental service where you queue up movies online and receive/return them via USPS mail. You pay a fixed amount per month and you can have 2 to 5 DVDs (based on your plan) "checked out" at a time. When you return a DVD, the next available one in your queue is sent to you. Netflix is even courteous enough to pay for your return postage.

In theory, this service is great. If you rent a lot of movies, it can be a very good service. Just pay $18 and you can conceptually rent 20+ DVDs per month. That's less than $1 per DVD with no late fees!

I signed up with them in 2000 when I bought my first DVD player. They started out great. I was getting tons of movies and I was cranking through them three at a time. I probably churned 15-20 DVDs a month for the first 4 months of my subscription.

After my 5th month I noticed things started to change. The number of days between returning a viewed DVD and receiving a new one started to increase. In some cases, I never received the DVD at all and I had to fill out a form on their website (and wait several weeks) to resolve this issue. On other occasions, I would receive a damaged DVD and would waste 4+ days returning it and waiting for a replacement. Another big headache was that the "New Releases" would never show up. They would show up in the queue with the text "Long Wait" next to the title.

I suspected that a couple of things were in effect (keep in mind that these are just theories):

  • Netflix wants to provide maximum customer satisfaction to new customers. They want the new customers to become satisfied with their decision to use their service. The day the customer decides that online DVD rental is the way to go, Netflix changes gears and lowers the customer's priority in the rental queue. If 100 customers all have the same movie at the top of their queue and there is only one DVD in stock, then the newest customer will have first dibs.

  • Netflix purposely delays shipment of DVDs by one or more days on a somewhat random basis.

  • Netflix purposely delays reporting returned DVDs by one or more days on a somewhat random basis.

  • I believe that Netflix does not necessarily throw away damaged DVDs. If they have a scratched or broken DVD, they would ship it to an unprofitable/low-profit customer with high turnover. I believe it is in Netflix's best interest to provide low customer satisfaction to these customers to encourage them to abandon their service.

  • Netflix may randomly not send out the DVD at all or report the DVD as never received. It will take a few days for the customer to report the DVD as lost in the mail and will result in a slower turnaround rate.

I have seen this pattern happen each of the 3 times that I have subscribed to Netflix. At one point, I was getting the number 12 DVD in my queue. Each time I subscribe, I end up cursing the company and all the bastards that work there. I have read several web postings of other disgruntled Netflix customers with similar experiences.

The most valued asset in Netflix is the New Release DVD. If you are an established customer, it is very difficult to have these DVDs sent to you. Most of the time, you will just see the "Long Wait" message next to your pick. Below is a list of tips you can follow to get these coveted DVDs before the newer members:


  • Subscribe to an RSS feed of new DVD releases. You can use some of the ones listed on http://movies.yahoo.com/rss. Make sure you use an RSS reader on a regular basis (I prefer my.yahoo.com). You must know what new releases you want to see BEFORE the DVD is released. DVD releases usually happen on Tuesdays.

  • Figure out how long it takes for your returned DVDs to get to Netflix. Netflix sends you an email the day after they receive your returned DVD.

  • Count backwards from Tuesday (not counting Sunday) and make sure you return your DVDs on that day. If it takes two days, then mail at least one DVD back on Saturday. If it takes three days, try to mail your DVDs back on Friday.



This method has worked very well for me. I now get new releases on a regular basis. This is because Netflix doesn't usually promote new releases until they are available. They will only show up in search results when smart customers like you and me seek them out.