D4D

Slapping the Stupid with Stun-Guns

Archive for the category “Security”

Phoneless

Via an article on Raptitude ( The Simple Joy of “No Phones Allowed”) I came across a company called Yondr whose idea/offering seems simple and pretty brilliant.

Basically, they create “phoneless areas” for concerts (as well as other events, but mainly concerts) by locking them away.  The smart bit is that they’re not stockpiled somewhere (which would be way too tempting for thieves etc.) Instead, they’re put in a pouch that locks, and the phone stays with the owner.

If the phone is really needed, there are unlock-stations outside the concert area, so the bag can be unlocked and the phone used.

But – as per the article, and as per my own experience – people in general are fucking lazy, and even that extra effort of moving twenty yards to unlock the phone to use it is more than most can be bothered to do. And so those people stay in place, watch the concert (or whatever) and aren’t distracted by their phones.

I’ve griped (on several occasions) about concerts now where more people seem to be filming the gig through their phones than actually watching it and how distracting that is for those who actually want to see the performance (although Yondr won’t fix the other issues mentioned there of people constantly chatting to their mates while the show is on, or keep going to the bar etc.)  and this seems like a really good way of reducing that desire.

Yondr don’t say how much their service costs to install – I assume it’s not going to be cheap – but I really do hope it’s something that both venues and artists support and promote.  I know I’d be more likely to go to a gig/venue that was ‘phones-free’…

Current Scams

At the moment, there are a couple of interesting (and fairly well-crafted) scams going around.  I’ve seen/received all of these in the last week or so.

Firstthe ‘we know what you’ve been up to‘ scam email.

It says something along the lines of “I know what you’ve been up to – when you were on that porn site (it’s noticeably non-specific on details) I loaded a screen-grabber to your machine, so we could record your ‘activities’“.  Some of them also have something like “We know your password for the site was [whatever]” – the password is usually an old one that they’ve taken from a record including your email address, and gambles on people using the same password across multiple sites. (In fairness, most people do exactly this)  And then it asks for a ransom “or your shame will be available for all to see” It’s pretty basic, but is apparently enough to scare a certain sub-set of people (AKA gullible idiots) who so far have forked out around $250,000 to the scammers.

Second – and there are two types of this currently bonging around – are the HMRC scams.

These basically draw on the whole paranoia about HMRC losing payments, or trying to take the business owner to court.

I’ve had umpteen emails about “Your payment hasn’t gone through” along with attached links or forms to fill in – always a pretty damn good clue that it’s a scam.  And again, they’re all ridiculously non-specific, don’t mention a company name/details, or what the payment is supposedly for – another warning sign

The second type, which is a bit nastier, is the phone message – I’ve had a couple now, with a message saying “We’re issuing a warrant in order to discuss this matter with you“, and sounding a lot more official.  Still no details though, or anything about what they’re wanting to discuss. (I know, in theory GDPR would also stop them from discussing, but that’s a side point for now)   However, they show the phone number – in my experience, calls from HMRC and the like come through a switchboard, and usually show as “Unknown Number” – and a quick search on that number provides more than enough evidence that it’s a scam.

 

Of course, there are plenty of other scam emails out there – it’s just that these are the ones I’ve noticed specifically this week, and particularly after having received a couple of the “HMRC” calls yesterday and today, so I thought I’d write a bit about them.

Gone Phishing

One of the things about being a techie is that I own a fair number of web domains. Some I’ve got for things like ongoing projects, business names I like, and a bundle of other stupid shit.  A lot are in the “when I get a chance” state of being – the ideas remain, and haven’t been done by anyone else, but for now they’re kind of drifting.

However, one of the other things I do is have a couple of domains that are purely for use when buying stuff.  They’re set to forward everything to my home email account, so it means I can set up anything @ the domain and it’ll do what I want. While it sounds a little bit mental, there’s a very good reason for all this.

For the purposes of explanation, let’s say I own a stupid domain, like myemail.com

So – when I buy something from a new company, I register with them using [company_name]@myemail.com . Any mail there will come to me – it’s a legitimate email address, just not one I’ll ever send an email from. (I can if I need to, but that’s a different point)  Everyone’s happy.

The key, though, is that if [company] starts spamming me, I can block that specific address, rather than having to do any kind of weird and fragile message rules etc.  It’s easy – I just add [company_name]@myemail.com to the ‘bin everything’ list, and there we go, it’s gone.

What I’ve found recently though is another interesting one – I can easily tell when [company] has been hacked, or lost its mailing list somewhere.

This week, I’ve been getting some *very* clever phishing emails (the ones about ‘just log in, give us your details, and we’ll sort this out’) to one particular address. They’re good enough that if they had come direct to my home email, I might’ve clicked on one by mistake. (I haven’t, but I could have)  They’re *that* good.  But I can see that they’ve come to [company]@myemail.com , so a) I know they’re shit mails, and b) I know that [company]’s mailing list is being used.

I’ve let [company] know, although there’s not much they can do about it now. But at least maybe they can notify their customers that their details have been leaked/stolen.

All told though, it’s another interesting reason to have that particular domain, and to use it in this way to keep my own information as safe as possible.

False Flags

Over the last week or so, there’s been an incredible amount of news coverage about the (alleged) ‘attempted assassination’ of an Russian ex-spy in Salisbury.

Today, the news has been full of stuff about how the nerve-agent used ‘points the finger at Moscow’, which just pings all the ‘yeah, but’ bells in my head.

Now, I’m not trying to say “Russia wasn’t involved”, because I simply don’t know.  But… this sort of “well it must’ve been them, they’re the ones who made it” ‘evidence’ and hype always makes me a bit twitchy.  If you extrapolate that, you might as well say that a car manufacturer must be responsible for every accident on the road, “because they’re the ones who made it”.

I don’t know enough on this one way or the other.  But if I were a player on a much larger political stage, and I wanted to (for example) divert public and media attention away from one ongoing political clusterfuck, and point it all somewhere else, I’d be looking at making a Big Bad Enemy that can be blamed for Why You Should Be Afraid. And I’d probably work to either get materials that can be attributed to that Big Bad Enemy, or… well, or just make up all that ‘evidence’. Because of course it’s all ‘top secret’ and ‘in the interests of national security’, so they’re never going to produce that evidence in public anyway.

And it’s impossible to imply that only Russia had access to this stuff.  If nothing else, American scientists (and there’s no way there weren’t security/agency personnel in that entourage!) visited and helped decontaminate the plant where the nerve agents in question were being produced.  If they were approved for Russian military use (and they were) then those nerve agents would’ve been distributed to army installations and so on. All too easy at that point for them to be ‘mislaid’ and/or sold or stolen to anyone else.

All told, this entire story stinks, and rings very much as “A big boy did it, and ran away!”  It’s all just a bit convenient.

Running Into The Flames

Following on from the stories about the terrorist attack yesterday at the Houses of Parliament, the BBC has a piece on the people from St Thomas’s Hospital (literally just over the bridge from the Houses of Parliament) who, on hearing about the incidents, ran to help.  And not just doctors and nurses – I feel a huge dollop of recognition should also be due to Tobias Ellwood, the MP for Bournemouth East, who went to help resuscitate the stabbed policeman.

I don’t care what the hell else is said about those events, but those people are heroes.  Stories like these always remind me of the speech from the West Wing TV Series, (The episode “20 Hours In America, Part II“, if you want to look it up) in the aftermath of another (fictional) terrorist attack …

… and two others are in critical condition, when, after having heard the explosion from their practice facility, they ran into the fire to help get people out. Ran into the fire. The streets of heaven are too crowded with angels tonight.

Gets me every damn time, the people who don’t stand and take pictures, who don’t run away, but instead run towards the danger.  I’d like to think I’m of a similar ilk – but who really knows, until that time comes?

Slack Data

In the car I hired last weekend, it had a load of built-in tech – Ford’s Sync system – that was quite interesting, not least for the fact that it worked really nicely and easily. Connecting my phone to the car was a doddle, the satnav worked well (and better than my usual stand-alone device in several ways) and it all just seemed pretty easy.

However. It’s obvious that it was designed for a standard “family car” scenario, rather than a vehicle that would be hired to many different users. Which makes sense, but leads to an interesting longer-term problem…

Basically, people are lazy – and don’t think about their data. So the convenience of connecting one’s phone to the car system for hands-free calls etc is great, as is the simple download of the phone’s address book to the system. But if you then don’t delete it when you take the car back to the hire place, it’s all available to the next user. The same applies to the satnav system – ‘recent destinations’ is a goldmine of activity, right down to house number and location. (And I suspect, with a bit of work, one could connect the destination to a phone number in that downloaded phonebook)

It just interests me, how little people care (or understand) about their information. I cleared down the whole car system before I returned it, which took less than five minutes all told. So it’s not much work, but it’s still work, which most people don’t seem willing to undertake.

I’ve suggested to the hire company that it should perhaps be part of the car sanitising process when it’s returned (or before it’s hired back out, whichever) although I realise that makes it more hassle for them, and there’s a lot of different setups in the various cars.

Of course, it’d be better if people cleaned up after themselves – or the car tech had a “forget everything” button/process (although that would still be too much effort for most people) that did the job. But that won’t happen until people realise how important this shit can be, and sadly that tends to only happen by negative paths/occurrences/events, and will always be learned too late.

Lockdown (Experimental)

In the interests of – well, really just geekery – I’ve turned on HTTPS encryption on D4D™. It should be an invisible process to users of the site, but I want to know if it actually is or not.

I firmly believe in making all internet connections more secure, for a bundle of reasons I’m not going to go into right now. So I figure I might as well do some testing of it here (as well as on some other projects I’ve been running, or that are coming up and haven’t been mentioned here) to see how it goes.

In other news, it’s been a busy old week again, but I’ll write more about that in a different post.

Post Navigation