“grandfathered” – You don’t know what it means…

Some ten years ago when I first subscribed to Comcast cable TV, after returning to Denver, they had two basic options. Basic meant the absolute bare bones basic channels (locals), nothing else. For ~ $20 more, the Basic Plus, you got 100 more channels including all the “basic” ones we’re used to. I took the Basic Plus and was content for a long time. Over the years the rates gradually increased and at some point, I realized that the ~ $60 I was paying had turned into ~ $90. That prompted me to call them three or four years ago asking about a lower package.

The representative quickly confirmed that I was paying more than I should, and told me I was on a “grandfathered” package that was no longer available. She offered to switch me to the new package, with the same channels and no additional service, for a much lower rate. I tried to explain the whole “grandfathered” concept, and asked how long I had been paying ~ $30/mo extra, for the same package offered much lower. I don’t recall exactly what she said, but I felt that it had been several years. The conversation went downhill from there as I explained it was essentially fraud. There was no reason to keep charging me extra for the same service offered at a much lower rate. Rather than just taking the normal rate, she offered to give me 6 months at the introductory rate, ~ $30/mo. I argued that did not compensate for years of fraud, and she offered the introductory rate for 1 year. Accepting that, I reminded her that in 1 year I would call and cancel service when they raised the rates. My calendar reminder got set, and I did just that a year later.

Comcast showed no care for a loyal customer. Instead, they charged me extra money every month knowing there was the exact same offering for a better price. When I canceled, I never returned to Comcast. That kind of unethical behavior is not the kind of business I will support.

Jump to earlier this week when I called CenturyLink (who was Qwest when I first subscribed). I called in, as I do every 6 months, asking if a better DSL service was available. I currently enjoy all of 7 megs down, and 80k up. Yes, 80k, not even 1 meg up. Since I routinely trade 5 – 10 meg files with co-workers at the office, that limited upload speed is brutal. Two years ago, CenturyLink put up signs a mile from my house saying up to 40 megs down was available; yet it wasn’t for me. A couple days ago a friend moved 1 block away from me, just 100 yards. His apartment allows him to receive up to 40 megs as well. CenturyLink informed me that I was still out of luck.

At this point, the representative said I should bundle services, at which point he and I both immediately said “wait…”. He realized that I was on a bundled plan, as I knew I was. Like Comcast, he began to explain to me that I was on a “grandfathered” plan, and I started the explanation again. I briefly explained that the term “grandfathered” generally meant a better set of circumstances were held in place, despite newer worse circumstances. In the context of a service provider, it would normally mean that the plan I was on was cheaper than existing, and that due to being a loyal customer, I could keep the original rate. Like Comcast, CenturyLink had it backwards.

A grandfather clause is a provision in which an old rule continues to apply to some existing situations, while a new rule will apply to all future cases. Frequently, the exemption is limited; it may extend for a set period of time, or it may be lost under certain circumstances. For example, a “grandfathered power plant” might be exempt from new, more restrictive pollution laws, but those rules would not apply if the plant were expanded.

In this case, I had the representative ask around since he was new, and he determined that the new plan was only a couple months old. CenturyLink does account reviews every so often and tries to get you to bundle more services. When doing that, they quickly review your account to ensure you are on the correct plan. I am pretty confident that in less than a year, this would have been fixed, whereas Comcast did no such thing and fleeced me for years. In each case, my “grandfathered” plan had me paying ~ $90, and the newer plan was closer to ~ $60.

The state of customer service continues to disappoint. The only difference is that in the past years, companies seem perfectly content to fraudulently charge long-time customers. Of course, they don’t call it fraud, they chalk it up to bureaucracy and a mishap, every single time. They are even co-opting an old term, and using it to explain this practice.

Oh the Spam I Receive

I’m pretty sure we have all become numb to the unsolicited bulk email (aka Spam) we receive. Well, I should qualify that. There are a few dumbasses out there that still click links, still think Microsoft is giving away 400 million dollars, or that some Prince in Uzbeki-beki-stan wants to leave their fortune to a stranger in a different country.

For the educated masses, it’s an inconvenience; the price of doing business, or pleasure, on the Internet. One aspect that is not written about as often as the amount sent, or where it is sent from, is the services that are leaking or selling our email addresses to spammers. There are a handful of tech-literate people that take measures to track this. By providing a truly unique email address to each service or web site you sign up to, you can easily determine if the site has lost or shared your information with a third party. If that unique email address receives mail from anyone other than the site you used it on, you have a potential problem.

In some cases, the fine print we all quickly agree to without reading will say the site can share the information with commercial partners. Such mails are infrequent, but usually easy to spot. Over the last few years, I have had an interesting number of sites result in pure Spam. Not partner emails, not ‘legit’ third parties that purchased the email address for unrelated business offers. I’m talking about the usual penis enlargement pills or offers of untold millions from Captain John in Iraq who needs help moving 50 million in gold back to the states.

When such a leak happens, it typically means the email addresses were harvested (e.g. an enumeration vulnerability or remote information disclosure), or that there was a full-on compromise (e.g. the system was hacked and all information taken, including the list of addresses). Either way, it isn’t good for the business, and ultimately it isn’t good for you either. Keep that in mind when you consider a few of the sites / domains that had a leak.

  • order.store.yahoo.net – spam received Jul 9, 2011
  • seenon.com – spam received on Feb 8, 2013
  • denverlibrary.org (Denver Public Library) – spam received Oct 7 / 8, 2012 and Jan 21, 2013
  • Tastes Wine Bar (local business) – spam received to first email address, and again on second address on Jul 3, 2011.
  • celebratethemacallan.com / eventbrite.com – spam received Jul 11, 2011 (not sure which leaked)
  • investorshub.com – spam received Jan 13, 2013
  • ameinfo.com – spam received May 29, 2012

It would be interesting if more people could use unique email addresses to track such breaches.
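As an added illustration of the tracking scheme described above (my own example code, not anything from the original post), here is a small Python script that derives one tagged address per service and classifies incoming mail by whether the sender is the site the alias was handed to. The mailbox domain example.net, the signing secret, the service registry and the two sample messages are all constructed for the example; the short HMAC tag in each alias lets you tell an alias you actually issued from one a spammer guessed.

```python
import hmac
import hashlib
from email import message_from_string
from email.utils import parseaddr, getaddresses

# Constructed values for this example; a real deployment keeps the secret out of source.
ALIAS_SECRET = b"example-secret-change-me"
MAILBOX_USER = "me"
MAILBOX_DOMAIN = "example.net"
TAG_LEN = 6


def _tag(label: str) -> str:
    """Short HMAC of the service label so aliases cannot be guessed by a spammer."""
    return hmac.new(ALIAS_SECRET, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_alias(service: str) -> str:
    """Return a per-service address such as me+bookshop-3f2a1c@example.net."""
    label = service.lower()
    return f"{MAILBOX_USER}+{label}-{_tag(label)}@{MAILBOX_DOMAIN}"


def parse_alias(address: str):
    """Split an alias into (service_label, tag_is_valid); None if not one of our aliases."""
    local, _, domain = address.strip().lower().partition("@")
    if domain != MAILBOX_DOMAIN or "+" not in local:
        return None
    user, _, rest = local.partition("+")
    if user != MAILBOX_USER or "-" not in rest:
        return None
    label, _, tag = rest.rpartition("-")
    return label, hmac.compare_digest(tag, _tag(label))


def classify(raw_message: str, registry: dict) -> tuple:
    """Classify one RFC 822 message as expected, leaked, forged_alias, unknown_service or not_tracked.

    registry maps a service label to the set of sender domains allowed to use that alias.
    """
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    for rcpt in recipients:
        parsed = parse_alias(rcpt)
        if parsed is None:
            continue
        label, tag_ok = parsed
        if not tag_ok:
            return ("forged_alias", label, sender_domain)
        if label not in registry:
            return ("unknown_service", label, sender_domain)
        allowed = any(sender_domain == d or sender_domain.endswith("." + d) for d in registry[label])
        return ("expected" if allowed else "leaked", label, sender_domain)
    return ("not_tracked", None, sender_domain)


# Constructed registry: which sender domains each alias was handed to.
REGISTRY = {
    "bookshop": {"bookshop.example"},
    "winebar": {"winebar.example"},
}

# Constructed sample messages (headers only matter for the classifier).
SAMPLE_LEGIT = f"""From: Bookshop Orders <orders@mail.bookshop.example>
To: {make_alias('bookshop')}
Subject: Your order has shipped

Thanks for your order.
"""

SAMPLE_SPAM = f"""From: Captain John <cj@gold-movers.example>
To: {make_alias('winebar')}
Subject: 50 million in gold

I need your help moving funds to the states.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LEGIT, SAMPLE_SPAM):
        print(classify(sample, REGISTRY))
```

A "leaked" result for an alias is the signal the post describes: mail from anyone the alias was never given to. The "forged_alias" result covers the case where a spammer guesses the plus-address pattern without having the real address, which would otherwise look like a leak from that service.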

Security News Jumped the Shark, Then Beat It With a Rubber Hose


Anything strike you, the seasoned InfoSec professional, as odd about this batch of headlines? For over a decade, I have been speaking out against bullshit news articles when it comes to security and hackers. It got so bad in the past, I had to stop updating the ‘Media’ section of Errata, because so many articles were full of crap. Usually, it is one or two articles a day, some with minor issues that aren’t worth the time trying to explain. After all these years of ignoring, and seeing the same trend, tonight appears to be different. Based on the headlines alone, I know there are serious issues and at least 4 out of 5 are crap. For fun, let me dissect them and see if I am right.


IT powerhouse nurtures elite white hackers

All ‘dong’ jokes aside, you have a five paragraph puff-piece that has absolutely no real information. Skipping past the translation errors, and assuming they mean “elite white hat hackers”, this is a joke. There are two kinds of white hat hackers for the most part; ex-black/gray hat hackers who converted because they like the paycheck and virtually no risk of prison, and the white hat ‘hackers’ who go through training from ISC2 or EC-Council to obtain some laughable certification that says they know security. The latter are not hackers. I can assure you, “nurturing” exam-crammers will not prepare you for any security incident, let alone the implication of Cyberwar. You want to recruit “students” to do all this? You are doomed already.


New Algorithm Lets SCADA Devices Detect, Deflect Attacks

I read about this earlier yesterday. When I skimmed the article I first read (which I can’t find now), I honestly dismissed it as an Onion parody site. The entire article read as pure science fiction with a healthy dose of humor, because reality was not to be found. Surprise, later tonight it pops back up on ISN, and a search shows several other articles about it.

First, anyone in security for more than a few years has seen this academic shit before. These super-smart fucktards holed up in a lab have magically found a solution for real-world problems! The same problems they have never been subjected to, or been a part of fixing. They get news, and likely grants to do more bullshit research, while the real world suffers. There was an article, pretty sure in Time magazine, that illustrates this problem. I can’t find the article because like most companies, Time can’t implement technology correctly and their search engine is absolutely worthless. Anyway, the gist of the article is that doctors fight to get grants, to do pedestrian research that is designed to help them get the next grant. Nothing they do is really designed to cure anything. History shows us that only radical research, a break from the norm, will lead to breakthrough research that may help us dramatically. The same problem exists in academia when it comes to InfoSec. I can’t remember a single time when the ivory tower dipshits actually solved anything.

So looking at this new miracle system, what is really there? They have developed a “watchdog” service that is not new. In fact, it is an old reliable mediocre offering in service. Instead of watching for “attacks” and “deflecting” them, it watches for anomalies. Welcome to 1992 bitches. Your first clue that this entire research is bullshit? Why is this specific to “networked control systems – which are used to coordinate transportation, power and other infrastructure across the United States”? Hint: IT ISN’T. Those systems suffer from the exact same classes of attack as any other system on the Internet. Overflows, DoS via saturation, SQL injection, XSS, etc. Don’t believe me? Go look at a comprehensive list of SCADA vulnerabilities and tell me which one is unique to SCADA.

How sure am I? I just sent off the following email to this “doctor”. Further, I bet that in 1, 3, 5 .. whatever years, we will have the same problems as we do now. Full paper is titled “Convergence and Recovery Analysis of the Secure Distributed Control Methodology for D-NCS”.


And really, many of us in the industry know what all that fancy math crap means. You are either doing pure crypto and it is badass, or it is absolutely theatrics to hide the fact you know shit.

(Credit: unknown. Linked to me by addelindh.)


[UPDATE: I mixed up my ‘million heist’ articles. I thought this was the “How I ‘stole’ $14 million from a bank: A security tester’s tale”. While that article did not go out on ISN, making it 3 out of 5 that were crap, my response is to that article. Oops! Thanks to Oliver Lavery for pointing this out.]

Detangling the $45 Million Cyberheist

Honestly, I wouldn’t have even noticed this one 12 hours ago. That monkey Ira Winkler has been claiming he could steal billions from any company for over a decade, so any fluff in media about dramatic thefts doesn’t even register. However, shortly after this piece was published, someone messaged on Twitter saying it was bullshit.


Who is right? No clue. I haven’t been able to vet either of them. But I know that when a news article comes out with some ‘super hacker’, and someone unknown to me that has no apparent reason to lie speaks up, I am likely to believe them, not the media whore. I can’t expect evidence to be produced on that short order, but I told Oliver Lavery that it would require such to document the alleged fraud of Nish Bhalla. I know who I believe, and it isn’t Bhalla.


Critical Linux vulnerability imperils users, even after “silent” fix

Oh jeez, where to begin. First, let’s put this in terms more people can understand. This is what has been titled “Linux Kernel kernel/events/core.c perf_swevent_init Function perf_event_open System Call Local Privilege Escalation” by OSVDB, who issued ID 93361 for the vulnerability. Second, notice the date of the article is 2013-05-13, when the actual fix for this vulnerability was released 2013-04-15. Yes, the fix has been out for almost a month. Uh, wait, why is this news? Linux vulnerabilities are a dime a dozen. Thirteen days after this vulnerability came another local privilege escalation.

Uh, squirrels! I lost focus here. Why is this an issue again? Is it because of a “silent” fix? Or is it because developers fix a metric fuckton of bugs, most of them not security related, every single week… and this time they forgot to mention security implications? Why is THIS bug more severe than any other Linux Kernel privilege escalation vulnerability again? If you look at the last five similar bugs before this one [1] [2] [3] [4] [5], you see they were fixed the same day as far as any mainstream announcement or publication of the vulnerability.

Oh, do you want outrage? Jump back to the vulnerability disclosed on 2013-02-25, that was discovered on 2012-07-14, and fixed a day after disclosure. That breaks the trend of the Linux Kernel group to be sure.

Look, anyone who knows me will verify I am the last to apologize for software vendors. I have been riding their collective asses for over a decade. If I stand up for a vendor, any vendor at all, you should at least examine the evidence. When it comes to transparency, the Linux Kernel team has blazed the trail for many years. They have mail lists and kernel commits and contribute to the oss-sec list. They aren’t interested in politics, or hiding vulnerabilities. If you take the time to read through commits and bug reports for the Linux vendors (p.s. I HAVE), you will see these developers quickly, and publicly take responsibility for their fuckups. They are quick to fix the issue and get things squared away as fast as possible. These are not the developers you should be worried about, when other companies will go over 1,000 DAYS before fixing a vulnerability sometimes.

So really, is this news? Is anyone at risk, more than usual? Any Linux admin who waits on mainstream releases, will be vulnerable for days / weeks anyway. Admins who keep up with the new patches, will be safe. This is BUSINESS AS USUAL IN THE LINUX WORLD.


Every single night, I think the InfoSec industry has hit a new low. On a good night, I think the industry kept even. They didn’t improve, they didn’t get worse.

Tonight is evidence that we can collectively sink much lower, in leaps and bounds.

Don’t believe me? Just witness this ivory tower math bullshit that completely backs my wild theory that I have spoken the truth. Call the press!


Welcome to the Internet…

No matter how many articles, news segments, books, web sites, infographics, or rumors warn people about the perils of the Internet, people still flock to this magical Mecca thinking it will bring great entertainment, answers, or whatever else (porn). While I have been in InfoSec for most of the last 20 years, this post is not to warn you about the evil hackers and cybercriminals lurking in every tube. You are basically fucked; your information will be stolen at some point and you will likely be unwittingly involved in fraud. This post is to help you cope with the rest of the Internet. The message forums, mail lists, social media platforms, and comment systems on everything from Youtube to your favorite shopping site.

On a slightly more serious note, you have likely read about incidents of suicide due to “cyber-bullying” [1] [2] [3] [4]. While the news headlines are dramatic, emotional, and full of sorrow, a few fundamental truths continue to escape most people. First, a more rational study on so-called “cyber-bullying” finds it is rarely the only thing that caused someone to commit suicide. Second, there is absolutely no comparison to be made between real-world bullying and online bullying. A kid goes to school every day and may face a bully. There are no alternatives, they can’t just choose to go to another school. Day in and day out, they are forced to be close to the bully. There is also a level of physical intimidation or outright battery against the kid that cannot be compared to a text-based insult. The over-used and ignorant term “cyber-bullying” forgets that if someone is in a confrontation online, they can simply turn the fucking computer off. If someone is in a confrontation and opts to stay online, one must question why. Many adults will stay in the fray because they want the abuse. Either to dish it out themselves, as an outlet for their own frustration, rage, or hate, or because they are a glutton for abuse and fascinated by what these anonymous strangers can serve up. All this hype over cyber-bullying is just that; hype. It may be the straw that broke a few camels’ backs, but it isn’t the root cause of any issue.

On to dealing with the heathens on the Internet! First, understand you are outnumbered, outgunned, outlasted, and most certainly outsmarted. There are legions of people out there that have a single hobby, trolling you. Second, now that you know this, you can be better prepared. Third, there are some rules and laws of the Internet that will help you survive, and flourish. No, these are not actual laws on the books, not found in law libraries, not argued in courts. They exist in a higher power on the Internet; the unregulated masses that somehow manage the content when it suits their needs, along with common sense and just the way humans are wired.
These laws and guidelines will let you navigate this cesspool more safely. These range from the amusing, but true, to the more serious that should have you thinking. Knowing these laws like you know the back of a Twinkie label will help you enhance your calm and traverse the cyber-Wild-West©®™.

Poe’s law:

… is an Internet adage reflecting the idea that without a clear indication of the author’s intent, it is difficult or impossible to tell the difference between an expression of sincere extremism and a parody of extremism.

In the real world, you have hundreds of cues in conversation that you likely aren’t aware of, or do not give thought to. Tone of voice, body language, facial expression, or previous minutes of conversation. Together, they give a whole subset of context that allow you to distinguish between humor and a serious argument. In short, sarcasm relies on these cues. If you can’t distinguish between the two, how does it affect your interaction?

Godwin’s Law:

It states: “As an online discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches 1.” In other words, Godwin said that, given enough time, in any online discussion—regardless of topic or scope—someone inevitably makes a comparison to Hitler or the Nazis.

Hitler and Nazis are offensive! They are the devil! So of course someone will degrade to comparing you or your argument to a dictator and leader of a regime that was responsible for the death of 11 million people. Basically the same, right? That logic is equally infuriating, and they know it, dumbass.

Rule 34:

Generally accepted internet rule that states that pornography or sexually related material exists for any conceivable subject.

A Christian rock band dressed as panda bears with little armadillos singing K-pop but dancing to trip-hop while running around stage? Somewhere, someone is jerking off to it. If that exists and is offensive, think about it in the context of your argument and your feelings.

Skitt’s Law:

Any post correcting an error in another post will contain at least one error itself.

Don’t even bother trying to correct someone’s mispelling or grammar. As soon as you do, another person will correct an error in your correction. Instead of looking smart, you will look ironical and dumb. Note: This is also known as Muphry’s Law.

Pommer’s Law:

A person’s mind can be changed by reading information on the internet. The nature of this change will be: From having no opinion to having a wrong opinion.

Perhaps the greatest threat to society, the sheep we’re surrounded by, will read and believe anything and everything, especially if it suits their existing bias. One well written argument, no matter how wrong, can influence many.

Law of Exclamation

The more exclamation points used in an email (or other posting), the more likely it is a complete lie. This is also true for excessive capital letters.


Danth’s Law

If you have to insist that you’ve won an Internet argument, you’ve probably lost badly.

I’d also include people that don’t so much insist, as they do try to convince you. Some spend more time trying to convince you that they won the argument, than actually presenting facts or arguing the original issue.

Dunning–Kruger effect:

The Dunning-Kruger effect is a cognitive bias in which unskilled individuals suffer from illusory superiority, mistakenly rating their ability much higher than average. This bias is attributed to a metacognitive inability of the unskilled to recognize their mistakes.

I know, I got all fancy on you with psycho-babble, but this is an important one. In very simple and blunt terms, stupid people are not only stupid, they are unable to realize this. They think they are smarter than other people, and as such, are unable to recognize or admit their own mistakes. This is why you will argue with an obvious moron, and wonder if s/he is really that stupid, or trolling you.

Online Disinhibition Effect:

The core concept of the Online Disinhibition Effect refers to a loosening (or complete abandonment) of social restrictions and inhibitions that would otherwise be present in normal face-to-face interaction during interactions with others on the Internet.

This can be boiled down to an age-old insult that strikes to the heart of the matter. “You’re an Internet tough-guy!” This concept is why the 13 year old scrawny geek living in a basement can not only stand up to a muscle-bound jock with a social life, but why one can enrage the other. Put another way, on the Internet, no one knows you are a dog. This is also known as the Greater Internet Fuckwad Theory.

Occam’s razor

Occam’s razor … states that among competing hypotheses, the hypothesis with the fewest assumptions should be selected.

For those of you prone to get into arguments on the Internet, remember this one. Conspiracy theories are all over, some more spectacular than others. This is also good for people who tend to believe anything. No, that Nigerian prince won’t really send you a billion dollars.

Collective behavior:

I’ll leave this one to you. Read the link, which is very academic, and consider it in the context of the words “collective behavior”.


With these rules, laws, and guidance, you are now prepared to withstand the perils of the Internet.

Shortly after publishing, loyal readers pointed out additional laws could, or should be included. Courtesy of Lisa Boals:

Wheaton’s Law

One of the core messages of Wheaton’s speech was the importance of sportsmanship in online gaming, which eventually became encapsulated in the phrase “don’t be a dick.”

Reading a magazine weeks later, I ran into another that I forgot to include in this piece. Selective perception allows people to read a rational discussion with facts, and still ignore opposing viewpoints.

Not All Charities Are Created Equal

I support charities. Quite a few of them actually. Maybe it isn’t the best use of the money I donate, as dozens receive small amounts, rather than one or two receiving a sizable donation.

I know that with few exceptions, it seems like my donations are mostly wasted, and it has me questioning my support. In the past, I have taken note of charities and their cost of overhead. However, I haven’t kept up with it and I desperately need to. Before I donate another cent, it is imperative that I research each and every charity that I have donated to, and may donate to again.

If you aren’t sure why I have such a concern, let’s examine two charities that are similar, if not equal, in the eyes of most people. Let’s look at the SPCA International and the Humane Society International. To many, these are both charitable organizations that exist to help animals and prevent cruelty to them. On the surface, this is true.

If you dig deeper, you quickly learn that one of them is not like the other, and is not worthy of your donation. Using CharityNavigator, look at the results:

CharityNavigator – SPCA International
CharityNavigator – Humane Society International

Even a cursory glance shows there are serious issues with the SPCA. It displays a Donor Advisory, outlining past problems and items of interest that should influence your donation choice, as outlined by a CNN article. On the other hand, the Humane Society immediately gives you the current rating, along with important financial information such as the charity spending 79.5% of their money on program expenses (i.e. helping as advertised), 5% on administrative overhead, and 15.3% on fundraising.

Compare that with other well-known charities:

Charity                                             Program   Administrative   Fundraising
Michael J. Fox Foundation / Parkinson’s Research    91%       2.4%             6.5%
People for the Ethical Treatment of Animals         84.7%     1.3%             13.9%
American Cancer Society                             71.2%     6.8%             21.8%
George Bush Presidential Library Foundation         45%       40.9%            14%
National Vietnam Veterans Foundation                9.7%      2.4%             87.8%

You can quickly see that some charities are not as efficient as others, spending as much as 87.8% on fundraising. Even though they may keep administrative overhead as low as 2.4%, that is a lot of money spent raising more money, that will only be spent to raise more. This ultimately leads to a cycle where huge amounts of money are wasted, rather than spending it on the stated purpose (program expense). In other cases, you have a charity that is only 14% fundraising, but 40.9% goes to administrative overhead, almost as much as the program expenses. This is often a sign that the charity executives are getting paid obscene amounts of money.

When picking a charity, you want to avoid any that have either a high admin overhead or a high fundraising cost. These charities are simply not efficient. Using these numbers, you can determine the “fundraising efficiency”, which CharityNavigator.org describes as “the amount spent to raise $1 in charitable contributions”, and calculates for you: “To calculate a charity’s fundraising efficiency, we divide its fundraising expenses by the total contributions it receives.”

Looking at the national charities I have donated to in the last 12 months, it becomes educational:

Charity                                             Program   Administrative   Fundraising
American Red Cross                                  92.2%     4.0%             3.7%
ACLU                                                86.0%     5.4%             8.4%
Juvenile Diabetes Research Foundation               81.5%     7.0%             11.4%
Dumb Friend’s League                                77.8%     8.0%             14.0%
Humane Society of US                                77.0%     3.7%             19.1%
World Wildlife Fund                                 73.0%     6.2%             20.6%
Planned Parenthood                                  72.8%     8.8%             18.3%
USO                                                 72.2%     10.1%            17.5%
St Jude Children’s Research Hospital                70.3%     9.2%             20.3%
March of Dimes                                      65.9%     10.9%            23.1%
ASPCA                                               58.4%     5.2%             36.2%
Wounded Warrior Project                             55.0%     8.0%             36.8%
National Law Enforcement Officers Memorial Fund     47.5%     5.5%             46.8%
Paralyzed Veterans of America                       33.1%     6.8%             59.9%
National Veterans Services Fund, Inc.               21.1%     3.6%             75.2%
Natnl Cancer Research Center [1]                    0.5%      1.6%             97.8%

[1] This is part of the Walker Cancer Research Institute, and has been blogged about before regarding it being a scam. This is why I should have done my due diligence.

There are a few others I have donated to as well. One is a 501(c)(3) but isn’t required to file the paperwork for Charity Navigator to perform an analysis. Several others are legitimate charities, just much smaller so they fly well under the radar of such a site. For example, Lita’s Squirrel Rescue, Ellicott Wildlife Rehab Center, and Cavy Care are such charities.

Based on the chart above, I know that I have donated to one sketchy charity, and not picked so wisely for others. I am not sure what a good ratio is to maintain, but the top percentile is a good guideline. Moving forward, I will only donate to charities that have a good return on investment.

In case you are wondering what prompted this article, it was the relentless snail mail sent by most of these charities. For a few, donating $25 one year led to what seems like $50 worth of solicitations, including pens, calendars, notepads, lapel pins, stickers, address labels, envelopes, cards, stamps, calculators, and more crap. Every time I received one, I wondered why they didn’t use my money to help their cause. Why do they mail me every 10 days asking for more money? This led me to wonder about their fundraising efforts, and as we see above, some charities specialize in it instead of actually helping people.