Recently, after a friend of mine showed off his nice new HP Touchpad (running an early alpha of CyanogenMOD) I decided it was time to make the jump and get a tablet as well. The only problem was, being a broke bloke, it was hard to justify the purchase of one when I really didn’t need it. To solve this dilemma, I decided to sell my laptop, a Late 2009 Unibody Macbook (the 6,1 model) and purchase an Asus Eee Pad Transformer (and the dock).

After checking with friends (who laughed at the prospect of owning a Mac), and spamming the global distribution list at work (no bites there), I resorted to posting ads on Craigslist and Kijiji (the latter of which brought in zero prospective buyers). The Craigslist ad, though, prompted a number of replies.

The problem, however, was that out of all of the replies I received, only four were from people who were genuinely interested. I won’t post those replies, but instead the ones that were almost certainly scams.

So a little background information – when I posted the ad, under all of the specs I very clearly wrote “Cash only – must agree to meet me in person, in a public place that we both agree on”. This ensures that not only do I not have to worry about shipping the thing, but it assures me that I won’t get any fraudulent cheques, money orders, etc…. Unfortunately, the people who tend to perpetrate these scams tend to ignore these warnings, as outlined below:

This first example was actually “Sarah”‘s second email to me – the first one was a generic “Do you still have the item for sale?” inquiry.

Hello,

Thanks for getting back to me on time,i will like to buy this item and Am quite comfortable with the condition of the item since i wont be making any repairs on it,and i will be very more than happy if you can help me get this item shipped, and am willing to offer $770 to include the shipping fees through the USPS Express mail service,and i will be paying you through my PayPal account so send me your PayPal email address so i can make instant payment get back to me …….ASAP….Thanks and GOD bless

Note the “GOD bless” at the bottom – I would imagine they were thinking “If I put that in, they’ll think I’m a god-fearing Christian and they’ll be sure to make the deal!”.

So what was wrong with this offer? Several things:

  1. They ignored my Cash Only – Local Only warning. Never a good sign when they don’t even say “Hey, could you make an exception?”
  2. The sentence structure/grammar are…well…horrible and far too formal. Definitely someone trying to sound on the up-and-up a little too hard.
  3. Offering to pay more than the listed price. I listed the laptop for less than that. All four of the legit, local enquiries first offered less (in one case, far less) than my asking price. By offering to pay more, the scammer is hoping that you’ll be greedy and jump on the offer.

So why wouldn’t I just take the money and send it anyway? Well, the problem is that most of these involve stolen PayPal accounts. The scammer gets hold of an account, leaves it alone, and waits for something like this to come along (a relatively high-value item). They then use that account to pay for it and take the item, which they sell themselves. Meanwhile, the rightful owner of the PayPal account discovers the unauthorized charge and files a dispute with PayPal. The money gets pulled from my account, and now I’m short both the money and the laptop. Pretty sneaky.

Another “Sarah” (which seems to be a commonly used name for the scammers) contacted me, asking a few more questions (“Do you still have the box”, and “What condition is it in”), before inevitably asking for my PayPal details to send the payment. I politely replied that, as the ad stated, I would only deal in cash and locally because of the chance of a stolen account being used. To this, she replied (in full):

my account is not stolen

Really? Well in that case, sure! I mean, I wasn’t positive, but you’ve managed to convince me!…Not.

Another one (again, the second email after the first “Is it available, what condition, etc…”):

Hello, thanks for your reply. I’m glad you still have the item for sale. Your asking price sounds OK to me. Payment will be make via money order with the shipping fee included. Payment will be deliver to you within 3 to 5 working days. Then pick up will commence immediate by my shipping agent once you have clear the payment in your bank. I will add extra 50$ to your last asking price if you agree to sell this item and hold it for me till you receive my payment. Kindly fill the below data for payment to be mail out tomorrow morning.

FULL NAME :
PHYSICAL ADDRESS :
CITY, PROVINCE :
ZIP/POSTAL CODE :
PHONE/MOBILE NUMBER :
ITEM AGREED PRICE :

I hope to hearing from you soon with the payment information in order to complete the sales asap. Thanks.

Regards,
Edward Parker.

Nope. Sorry.

There were a bunch more, but all were basically the same. In each instance, my typical reply is this:

As you appear to be illiterate, I will try to phrase my payment requirements in a simpler manner – a haiku:

Cash. Only. I mean it.
Must. Meet. In. Person. Okay?
No Exceptions. Thanks.

So that’s about it. I ended up getting a little less than I asked for it, and now I’m the proud owner of an Asus Eee Pad Transformer. Hopefully it’ll be a long time before I decide to sell anything online again.

Google Streetview Car

I missed them the last time they were in town, so I was right chuffed today to catch them when I was out for lunch. I…may have followed him down a dead-end street to get this picture….

This morning, I was called over to the building where we keep our Off-Site Backup NAS. The new tenants had the local Cable Co. over to do an install, and they needed access to the secure room with all the networking kit in it.

I went over to let them in, and explained where the network drops terminated, where their cable run came from and went to, and answered a few other questions. They looked like they had things under control, so I left.

About twenty minutes later, I was called back over. The techs needed to unplug our UPS so they could put one of those dual-plug splitters in (has six outlets on the front and uses the two in the wall), however they ran in to a problem. At some point in the past, the screw had fallen out of the metal faceplate on that outlet.

When they went to unplug the UPS, they bumped the faceplate and it made contact with one of the legs on the UPS plugs, shorting it and causing lots of sparks.

I got there a few minutes after this happened, and the two were trying to figure out the best way to proceed. One of them had a pair of pliers in his hands, and was saying that he was going to just use those to grip the UPS plug and pull it out quickly. I asked if they’d thought of shutting off the power.

Silence.

So I went over to the (of course, unlabeled) breaker panel and told them to yell when the UPS switched to battery power, then I started throwing breakers. After making it through all of them, they hadn’t made a sound. Knowing that the wiring in the building was kind of sketchy, and that there were a few other breaker panels, I told them I was going to go try another one. The one with the pliers then said, “Naw, I’ll just try this again.” and then proceeded to rip the plug out using the pliers. Sparks flew, and then the plug came out. He then used the pliers to knock the faceplate off (which was now scorched and had a chunk burnt out of it), and plugged the UPS back in. It showed “0” for input voltage.

“I think I killed it.”

On a hunch, I walked over to the breaker panel and, sure enough, one of them was tripped. After resetting it, I heard the UPS go back online. Apparently, when I was throwing breakers, they weren’t paying attention.

So now I’m looking to relocate our Off-Site backups.

Plug

What is this? I don't even...

In Season 13, Episode 2 of Top Gear (starring Jeremy Clarkson, Richard Hammond, and James May), the trio each buy and insure cars for £2500, with the catch that they have to do so under the guise that they’re 17 year olds. Hilarity obviously ensues, and along the way Clarkson and Hammond replace James’ Bach CD with…something else…and glue his stereo controls so he can’t do anything about it. Later in the episode, we see that James has apparently grown to enjoy this new style of music.

James May Rocking Out

I posted an article the other day when I discovered that Staples.ca stores customer passwords in plain text. After a lot of prodding through email, I finally received a reply with some technical detail about how Staples actually stores the passwords:

We do take this issue very seriously.  I contacted another department for a technical explanation of the issue.

Staples.ca stores user profile information in a commerce Binary large object that cannot be selected using SQL and cannot be queried without knowing the actual hash key to parse the XML object. When a password is being requested using the “Forgot password” feature, the email address and the security question is asked to validate the user and then a backend processing is performed on the request to retrieve the password and send it to the email address on file. The site is on a monthly schedule to be scanned by Qualys (a third party security provider that provides on demand vulnerability management and policy compliance solutions to Staples) which scans for SQL injections, security vulnerabilities, firewall issues etc. We are 100% compliant by Qualys and from the RSA PCI standard institute. In no way you can SQL inject to this website and get any data from the database that is not authorized. The underlying architecture is very secured and strict procedures are in place to not compromise PII information.

Please do not hesitate to contact us if you require further assistance.

Joan, E-commerce Communication Specialist
e-mail: bd.support@orders.staples.com
phone : 1-877-360-8500
fax   : 1-800-567-2260
url   : www.staples.ca/contactus

So there you have it. They are completely convinced that it is impossible for someone to get your plain-text password. Note that nothing in that reply disputes the actual problem: the password is stored in a recoverable form, and the “Forgot password” feature proves it by mailing the password itself rather than a reset link.

…That is, unless your email account is compromised. Or their server is exploited (Staples.ca runs IIS5 on Windows 2000, according to Netcraft) and someone gains higher-privilege access. Or a staff member rages, dumps the db, then quits. A properly hashed password survives all three of those; a recoverable one survives none of them.

Unfortunately, I can’t find a way to delete my account, so I’ve nuked all of my personal data (replaced with fake stuff), and then entered a random password. I didn’t bother writing it down, because if I ever do want to get back in to my account, they’ll be more than happy to send it right to me. I don’t even have to choose a new one!

I went to make a purchase at Staples.ca today, however I quickly discovered I had forgotten my password. “No big deal,” I said to myself, “I’ll just use their forgotten password feature.” I entered my email address and, sure enough, a few minutes later had a new message. Opening it, my jaw dropped as I read through the message:

From: bd.Support@orders.staples.com [mailto:bd.Support@orders.staples.com]
Sent: Monday, August 29, 2011 3:32 PM
To: ***REDACTED***
Subject: Your Staples.ca password

Hello,

Your login password is: ***REDACTED***

We look forward to receiving your next order.

Thank You - Staples.ca Customer Service Team.

WTF? So, Staples is storing plain-text passwords in their database. Fantastic. Didn’t they learn anything from Sony?

I’ve fired off an email to their support people, and will post any replies they send.

UPDATE: That was fast! Here’s their reply.

We appreciate your inquiry concerning this issue ***,

Staples maintains reasonable and appropriate standards to safeguard your
Personal Information.

When you enter Personal Information that contains a Social Security
Number, driver’s license number, or credit or debit card number at the
designated and secured sections of our Website, the information will be
encrypted or encoded before it is sent over the Internet. Personal
Information that we collect and maintain is subject to physical,
administrative and technical controls that are consistent with
recognized industry standards.

Please do not hesitate to contact us if you require further assistance.

Joan, E-commerce Communication Specialist

e-mail: bd.support@orders.staples.com
phone : 1-877-360-8500
fax : 1-800-567-2260
url : www.staples.ca/contactus

They completely missed the point of the email. I sent them another reply, this time with a helpful link to the Ars Technica article linked above and a basic explanation of SQL injection and password-storage best practices (salted, slow hashes that let the site verify a password without being able to recover it). Hoping for a more reasonable reply later.

Further Edit: After re-reading the email, it sounds like they’re confusing SSL with hashing/storage encryption. Blargh.
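To make the distinction in the two posts above concrete, here is an added example of what “hashing/storage encryption” for passwords looks like in practice. This is illustrative code written for this page, not Staples’ code, and the UserStore, the reset-token flow and the sample account are assumptions for the demonstration; nothing here is known about how Staples.ca is actually built. The point it shows: a site that stores a salted PBKDF2 digest can still check a login, but its “Forgot password” feature physically cannot mail the password back; all it can send is a single-use reset token, and it only keeps a hash of that token, so a database dump does not hand out live tokens either.

```python
"""Salted password hashing plus a verify-only "forgot password" flow.

Added example for this page, not Staples.ca code. UserStore and the
reset-token design are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

ITERATIONS = 600_000        # OWASP's current floor for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 900     # reset tokens expire after 15 minutes


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and digest.

    The record cannot be turned back into the password; the server can only
    recompute the digest for a candidate password and compare.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/cost and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    except (ValueError, TypeError):
        return False            # malformed record: never match
    return hmac.compare_digest(candidate, expected)


# Used to keep login timing the same for unknown and known e-mail addresses.
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


class UserStore:
    """In-memory stand-in for an accounts table (constructed for the example)."""

    def __init__(self) -> None:
        self._users: dict[str, str] = {}                    # email -> record
        self._resets: dict[str, tuple[str, float]] = {}     # sha256(token) -> (email, expiry)

    def register(self, email: str, password: str) -> None:
        self._users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        record = self._users.get(email)
        ok = verify_password(password, record if record is not None else _DUMMY_RECORD)
        return ok and record is not None

    def forgot_password(self, email: str) -> Optional[str]:
        """Issue the one thing the server *can* e-mail: a single-use reset token.

        Only the token's hash is stored. The caller should send the same
        "if an account exists, we have e-mailed it" message whether or not
        this returns None, so the feature does not enumerate accounts.
        """
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._resets[key] = (email, time.time() + TOKEN_TTL_SECONDS)
        return token

    def reset_password(self, token: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._resets.pop(key, None)   # pop: a token works at most once
        if entry is None:
            return False
        email, expires = entry
        if time.time() > expires:
            return False
        self._users[email] = hash_password(new_password)
        return True

    def stored_record(self, email: str) -> Optional[str]:
        """What an attacker with a database dump would actually see."""
        return self._users.get(email)
```

With storage like this, the “Your login password is: …” e-mail cannot be produced at all, which is exactly the property the Staples reply fails to claim. Qualys scans and SQL-injection hardening are about keeping attackers away from the table; hashing is about what the table is worth once someone (an intruder, or a disgruntled employee with a legitimate login) gets to it anyway.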

Our accountant’s computer has been dog slow for the last six or so months, so after going through the lengthy process of spec’ing a new system and getting the purchase approved, I was finally able to get her a replacement. The new system, with a massive amount of RAM and a screaming processor (with a nice SSD to top things off), truly is a thing of beauty; however, we ended up running into a rather large problem.

Because the new system runs Windows 7 x64, we had to upgrade our slightly-old copy of Pervasive SQL 10 to Service Pack 3. Although this seemed to work fine with ACCPAC initially, we quickly discovered all was not well.

Case in point, when trying to print an invoice with a custom Crystal Reports template, ACCPAC would simply throw the following error:

not enough memory for operation

Searching Google got me nowhere. The few references to that error and printing only spoke of issues with Terminal Server environments, and none of the suggested steps worked. After a few hours of fighting, though, I had the bright idea to try using one of the stock invoice templates.

Go figure, it worked.

As it turns out, the CR templates we were using dated back at least six years, and had been created with a copy of Crystal Reports 7 (dating from 1999!). So, we downloaded a trial copy of Crystal Reports 2011, re-saved the templates, and the memory error disappeared without a trace. There were a few issues with the templates (some fields refused to populate), but some manual adjustments (read: copying and pasting sections from the working stock ACCPAC templates) solved that as well.

TL;DR Version: If you get the above memory error when trying to print from ACCPAC using custom Crystal Reports templates, try re-saving them with a newer version of CR. Apparently that’s all it takes.

The other day I was testing a Group Policy Object (GPO) on a system that resides in an isolated Organizational Unit (OU) with Block Inheritance set. After I finished testing, I applied the GPO to the production OUs and promptly forgot about it.

Fast forward to today. I was messing around on that system and discovered that I left that one particular GPO in place. I fired up the Group Policy Management tool and removed the link to that GPO, did a gpupdate /force on that system, rebooted and went about my business. A few minutes later, I discovered that GPO was still in effect. I double-checked that the GPO wasn’t linked to that OU anymore, and that inheritance was still blocked, and did another gpupdate /force, but to no avail. A quick check of HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History showed that yes, the GPO was still being applied.

I did a little head scratching, and then found the answer. As it turns out, after linking the GPO to the other production OUs, I selected the ‘Enforce’ option. An enforced link applies to every container beneath it and overrides Block Inheritance, so even after unlinking the GPO from the test system’s own OU it continued to be applied from the enforced link above. I simply disabled the ‘Enforce’ option, ran yet another gpupdate /force, and all was well.

TL;DR Version: If you unlink a GPO from an OU, update the system, and the GPO is still being applied, check whether that policy is linked with ‘Enforce’ higher up the tree (Enforce beats Block Inheritance), disable ‘Enforce’ on that link, and do another gpupdate.

27 June 2011 · Categories: howto, Microsoft, Networking

Although I missed World IPv6 Day, I was bored the other night and decided to finally set up an IPv6 tunnel. To do this, I registered a free account with Hurricane Electric’s Tunnel Broker. The process was a breeze and in no time I had a regular tunnel created. From there, it was all up to the D-Link router.

A few notes:

  1. Make sure you have the latest firmware for your DIR-825 Rev. B. At the time of writing, it’s version 2.05(NA).
  2. You will need to enable “WAN Ping Respond” – this can be found under Advanced -> Advanced Network. This is needed so that Tunnel Broker (TB, from here on out) can confirm your public-facing IP address and link it to your tunnel. You can safely disable it again once you have completed the process and your tunnel is working; there is no reason to leave the router answering pings from the whole Internet.

So, that out of the way, once Tunnel Broker has confirmed your tunnel is available, login to your router and do the following:

  1. Under the main Setup tab, click IPv6.
  2. Click the Manual IPv6 Internet Connection Setup button. Do not use the wizard.
  3. For the IPv6 CONNECTION TYPE, choose IPv6 in IPv4 Tunnel.
  4. In the Remote IPv4 Address box, enter the Server IPv4 Address provided by TB.
  5. In the Remote IPv6 Address box, enter the Server IPv6 Address provided by TB.
  6. The Local IPv6 Address is the Client IPv6 Address from TB.
  7. Under the IPv6 DNS SETTINGS heading, choose Use the following IPv6 DNS servers and enter the Anycasted IPv6 Caching Nameserver provided by TB in the Primary IPv6 DNS Server box (TB did not provide me with a secondary DNS address).
  8. Finally, uncheck Enable DHCP-PD under the LAN IPv6 ADDRESS SETTINGS heading.
  9. Leave the settings under the ADDRESS AUTOCONFIGURATION SETTINGS heading as their defaults.
  10. Click the Save Settings button at the top of the page and let the router do its thing. It will take some time to ‘measure the internet connection’ – this is normal.

You’re almost done. At this point, if you go to the Status tab and choose IPv6 from the options down the left side of the page, you should see the TB information you entered, and Network Status should say Connected.

The rest of the work depends on your operating system. I use Windows 7 on my main PC, which natively supports IPv6 (as do OS X and most *nix distros). As IPv6 is enabled by default, I simply had to open an Elevated Command Prompt and type:

ipconfig /release

ipconfig /renew

After it finished thinking, ipconfig spat out the new network configuration which included the correct IPv4 and IPv6 addresses. I opened Firefox and browsed to http://ipv6.google.com – success! Everything works! You can also confirm that IPv6 is working by using the nslookup tool from a command prompt like so:

C:\Users\Laslow>nslookup
Default Server:  ordns.he.net
Address:  2001:470:20::2

> xbox.com
Server:  ordns.he.net
Address:  2001:470:20::2

Non-authoritative answer:
Name:    xbox.com
Addresses:  2a01:111:f009::3b03
65.55.42.140

>

As you can see, the IPv6 nameserver came back with an IPv6 AAAA record (2a01:111:f009::3b03) and an IPv4 A record (65.55.42.140) for xbox.com.