Wednesday, July 22, 2015

AT&T Spam

Most companies have just dropped all pretense of pretending to respect their customers. The goal of most companies these days is to grab your attention and get you to buy something before your attention is lost. I'm pretty sure they think you and I are too stupid to remember something like a company trying to trick you into buying their products or clicking on their links. Besides, everyone else is doing it. What phone company, bank, insurance company, etc. treats anyone like a valued customer these days? They treat you like a rag to wring out.

And AT&T didn't care if you hated them when they were the only phone company in the country before they were broken up for being a monopoly, and they don't care if you hate them now. So, it's not surprising that they would try to trick their wireless customers, especially the under-privileged prepaid customers.

I got this email with a subject saying "Prepaid: Action Required" and I thought "WTF, I better read it in case they suddenly think I didn't pay my bill," since they play so many shenanigans with their prepaid non-customers.

The email says:

Because you're a valued customer, we'd like to keep you up to date with announcements and service updates throughout the year. To make sure you're receiving these notifications, we're writing to confirm we have your current email address.

This is so full of wrong. First, they don't even treat me like a customer in the first place. Prepaid is totally different from their main wireless operations--you even pay your bill at a different web site. I don't think I'm technically even an AT&T customer--I think it's "go" something. Second, they know my phone number and already use text messages to give me notifications (and spam).

Just today I got this super awesome notification in the form of a text message, so I know they have no problem reaching me.

Great news! They caved into marketing pressure from their competitors and decided not to screw me out of data I paid for. 

And third, what part of their email required action? 

What I think happened is that they put "prepaid: action required" to scare me, a lowly under-privileged prepaid phone user, into looking at an email that was only confirming they have the right email so they can start sending me email spam in addition to text spam. By the way, I did send "Stop" as a reply to the above text, so we'll see if they honor it.

Tuesday, July 14, 2015

Experian: The Spammer's Friend

Many of you will know Experian as one of the three credit scoring bureaus. This mega-corporation compiles vast amounts of data on every human being it can, all without their permission, and sells this info along with a "score" to show that human's financial worthiness.

But Experian also runs one of the largest email marketing firms, Cheetahmail, which they bought more than 10 years ago!

Here's a quote from their press release:
The acquisition is designed to help Experian, Costa Mesa, CA, bolster its direct marketing services, particularly in aiding clients in sending more highly targeted e-mails to their opt-in subscriber lists. Terms of the deal were not disclosed.
Sweet! Who doesn't love highly targeted emails? Notice above that they said "opt-in" as part of the press release wording.

They have a Corporate Privacy Policy which states that clients are not to send unsolicited spam:
Corporate email client anti-spam policy: Clients of Experian CheetahMail have agreed to not send unsolicited commercial email through our systems. Any client who violates this agreement is subject to privacy review, services termination and potential legal action.
So far, so good, except that I have been receiving spam from one of their clients as detailed in this blog post. I recently sent them an email asking them to look into their spamming client, but it was returned 3 days later as "Undelivered Mail Returned To Sender".

Their email provider, Cheetahmail, does provide a way to report abuse, and I sent them this email.

But now the abuse email bounces back as undeliverable! It's not hard to find others leveling criticism at their operation.

Notice their bounce mail indicates that I should contact the postmaster, but also notice there's no contact info provided. That is my next project: to find someone to report the problem with the abuse mechanism so I can stop being spammed by one of their clients. The "details.txt" attachment from the bounced mail also looked a little wonky. "delivery temporarily suspended" sounds fishy to me. I wonder if I tried again...

I will update this article if/when I get their attention. So far I have run a Google query on "Cheetahmail Postmaster Address" and found a couple of people saying that Cheetahmail ignores reports to the abuse or postmaster addresses. I'm surprised anyone even knows their postmaster address.

UPDATE 7/20/2015: They contacted me a few days ago and told me that they had me taken off their spammy client's mailing list. Nice. It only took thousands of keystrokes to make that happen. One of my readers commented in the other post that they had the same problem with emails to their abuse department bouncing. Oops.

It just seems really fishy that one of the world's largest email service providers can't properly configure their account that receives notices of abuse about their clients, while their spammy clients seem to work fine. It's one thing if a hair salon doesn't seem very savvy with email, but this is an email service provider.

It's almost like some of these companies are saying "Oops, we did what was financially in our best interest, even though it was ethically questionable. Oops, we did it again. Oops, we did it again. Oops, our stock price went up." It just seems fishy.

Sunday, July 5, 2015 Spammers

A couple years ago I did a couple small orders with and I've regretted it ever since. The orders actually shipped and were fine, but I've been constantly email spammed by them since that time, and their emails have been getting progressively more obnoxious. Unsubscribing from their email has no effect.

Not only does unsubscribing from their email offers have no effect, this is one of the few companies I've found that does not appear to have a single contact point that I can find. They get horrible reviews, and I'm not the only one accusing them of being spammers.

Notice below that the email from miniinthebox doesn't even have a return address to their domain.

It has the word 'trust' in the subject line, better open it soon!

On the site, it lists Mini In The Box's reasoning for not having any email address to contact the company:

- Few customers have wanted it
- They simply don't use email for support
- They don't feel email is secure

...and yet they have no problem filling my inbox with email I don't want and have no way of turning off or contacting them to turn off. Smells a little funny to me. I've seen these Chinese super-stores have some pretty nonsensical behavior, but I haven't seen one stoop this low or lay it on so thick.

This is not a good company by any stretch of the imagination and I highly recommend avoiding them like you would an infectious disease.

Notice below that when you unsubscribe, it's not even the same domain, and you can see the second hint of trouble by the wording it gives you. Like "You've unsubscribed but don't worry, you'll still enjoy our spam."

Wait, what?
From this point on I'm going to definitely pay attention and document all the spam they send me, and will try to come back to this article.

Below is the domain registration information for Notice that they have enabled privacy protection to obscure the public information about their web site. Who a web site belongs to has always been public record, until the registrars decided they could milk the shit out of their customers and sell them privacy. Mini in the box is a Chinese company that's definitely not located in Florida with any phone numbers that ring anywhere in America.

A shady company that's done everything they can to make themselves hard to contact, say it ain't so!

UPDATE 7/12/2015

Here they are again in my inbox. I'm not going to try to unsubscribe anymore. That ship has sailed. They appear to have a legitimate email provider and I have sent an email to their abuse department to see what they might think of their client's spammy habits.

UPDATE 7/20/2015: After the email request to Cheetahmail's abuse department bounced and I blogged about it, they contacted me and told me that they took my name off the Miniinthebox mailing list.

Wednesday, June 24, 2015

Your ISP Could Be Using Javascript Injection Attacks Against You

You are sitting at your computer surfing the web like the time waster you are. You click on a web site link and the web site comes up. But another tab opens asking you to take a short survey. Even novice computer users are skeptical these days with all the hacks, attacks and phishing attacks.

But you are not on a shady site. You just got a popup from a legitimate site asking you to take a survey from your local Internet provider. Maybe you close the popup and ignore it. But an hour later, the same popup appears on a different web site.

Are all those companies in cahoots, or is your computer infected? What's going on?

What's happening is that your Internet provider is using hacking techniques on you in order to put that survey tab in front of your eyeballs. When you go to load a web page, your provider gives you the web page you asked for, but injects its own code into that web page, masquerading as part of the page.

Now, your browser doesn't think there's any security issue because that injected code is pretending to be part of the page you asked for. The browser has no way of knowing what should be the legitimate content of that legitimate site you are trying to browse.

You trust your Internet provider to give you the content of web sites you visit. That's the whole point of their service. But your trust is misplaced for several reasons, and one of these reasons is these man-in-the-middle style attacks where they trick the browser into accepting code that's not part of the site you are browsing.

Does it sound like hacking to you? It sounds like hacking to me. I'm not a lawyer, but I was under the impression that these types of attacks are exactly what the Computer Fraud and Abuse Act was created for, if only for high-value computers. Again, I'm no lawyer, but since the ISP is injecting these surveys into everyone's traffic, doesn't that mean any bank or government employee who sees this survey is a victim of a man-in-the-middle hacking attack under the CFAA?

Other than the recent backbone shown by the FCC commissioner with net neutrality, when it comes to technology, the law for the most part does not apply to large corporations. It's usually the Aaron Swartzes of the world that technology law applies to.

They threatened Aaron Swartz with 30 years for making copies of public domain documents before he took his own life. What jail time do you think anyone at Comcast will do for using black hat hacking techniques against you in order to show you surveys?

And everything in this post so far ignores the security implications of not being able to verify the authenticity of this on-the-fly injected javascript code. How do I know the difference between this opportunity to tell my provider how much they suck and a black hat attack, trying to steal my identity?
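One way to check for the injection described above, as an added example that is not part of the original post: compare the scripts in the page as it arrived over the ISP's connection with a copy fetched over a path the ISP cannot modify (assumed here to be available). The function names, hosts and HTML are constructed for illustration.

```javascript
// Added example. Hosts and HTML below are constructed sample data.

// Extract every <script> element from an HTML string. A regex is enough for
// these small samples; a production audit would use a real HTML parser.
function listScripts(html, pageUrl) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (src) {
      // Resolve relative paths so "/js/site.js" and its absolute form compare equal.
      const url = new URL(src[1] ?? src[2] ?? src[3], pageUrl);
      scripts.push({ kind: "external", value: url.href, host: url.host });
    } else {
      // Collapse whitespace so harmless reformatting is not reported.
      const body = m[2].replace(/\s+/g, " ").trim();
      scripts.push({ kind: "inline", value: body, host: null });
    }
  }
  return scripts;
}

// Report scripts present in the copy that crossed the network but absent from
// the copy obtained directly from the origin.
function findInjectedScripts(originHtml, receivedHtml, pageUrl) {
  const key = (s) => `${s.kind}:${s.value}`;
  const known = new Set(listScripts(originHtml, pageUrl).map(key));
  return listScripts(receivedHtml, pageUrl)
    .filter((s) => !known.has(key(s)))
    .map((s) => ({ kind: s.kind, host: s.host, preview: s.value.slice(0, 60) }));
}

// Constructed sample: the page as the site publishes it.
const PAGE_URL = "http://news.example/story.html";
const ORIGIN_COPY = `<html><head>
<script src="/js/site.js"></script>
<script>window.siteConfig = { section: "news" };</script>
</head><body><p>Story text</p></body></html>`;

// Constructed sample: the same page after an in-path device added a survey.
const RECEIVED_COPY = `<html><head>
<script src="/js/site.js"></script>
<script>window.siteConfig = {  section: "news" };</script>
<script src="http://survey.isp.example/popup.js"></script>
</head><body><p>Story text</p>
<script>window.open("http://survey.isp.example/start");</script>
</body></html>`;

// Lists the two scripts that the origin never sent.
console.log(findInjectedScripts(ORIGIN_COPY, RECEIVED_COPY, PAGE_URL));
```

Serving a page over HTTPS removes the ISP's ability to alter it in transit, so this comparison mainly matters for sites still delivered over plain HTTP.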

Wednesday, June 10, 2015

Clickbait Must Be Stopped

Early TV was free. If you owned a television set from the 1950's all the way up through the early 1980's, free programming was the norm. Most people understood it was free because sponsors paid large sums to these stations to sell us more beer, soda and cars.

Newspapers traditionally have cost money. They take plenty of money from advertisers, but they have other costs involved with printing and transporting their media around, unlike a TV station that just beams a signal out. Most people understood that it was a decent value to pay a small amount to buy a newspaper.

Enter the Internet, where not just media but all forms of information move at the speed of light. And with it came societal expectations for news more in line with broadcast TV. Now the "signal" is a web site, but conceptually it's similar.

With the Internet, lots of media companies and just companies in general had to change the way they do business. I'm not going to pay a dollar to find out what happened overseas yesterday. I understand that just like for broadcast TV, these media companies are still taking in vast sums of money from advertisers, and seeing ads on a web site doesn't bother me in the least.

...Except that somewhere along the line, the tone of these media companies changed dramatically. Some of them didn't meet their ridiculous estimates to grow to a size big enough to blot out the sun. Some media companies even *gasp* lost money because they refused to adapt.

Did they blame their own complacency or hubris for refusing to capitalize on what's obviously a lucrative medium like the Internet? Nope. They saw the Internet as bad, and they saw you the customer as a freeloading potential thief.

Since you have the poor taste to try to find out what's happening in the world without having to pay one of a handful of gatekeepers, you are obviously a freeloader trying to steal legitimate content off the hard working backs of the mega-media-corporations.

It should then be no surprise that most of the big media web sites are partners hand-in-hand with click bait, shock photo ad banner farms with no ethics or scruples whatsoever. The "good" ones will put "sponsored" in tiny letters.

Some corporations have grown so big that they just dropped all pretense of caring about their customers or their own conduct as corporate citizens.

I remember reading iconic magazines like Popular Mechanics and newspapers like the LA Times growing up, and none of these proud institutions went out of their way to steer you towards their advertisers by pretending that their ads were content and news articles.

This behavior of throwing you, the reader, under the bus to make a few extra bucks from their uber-aggressive advertisers is shamefully commonplace among even the biggest news sites. I won't even go into depth that most of the new sites these days are clickbait sites.

In my opinion, if the business model of your company involves tricking people into clicking on ads you know they probably don't want to see because they think it's your content, then you are only diluting and devaluing your own content over time. I think many of these huge media corporations are click-baiting themselves out of a job.

My blogs have ads and affiliate links. They pretty much have to, though it barely covers my own expenses of running my sites. I put the ads where Google tells me it thinks I should put them and it looks reasonable to me. For every business decision about my blog, I ask myself "would my mom approve?"

Everyone tells me "You are so good at this stuff-- you should be making millions on the Interwebs." And I say "Yep, I probably could. All I have to do is stop being passionate about writing real content and start cranking out the cat photos and clickbait captions like '12 reasons why these cute kittens will be dead tomorrow' and 'Emily Blunt wore what dress?' which take them to even shadier sites, in an increasingly-shameful progression of faux content usually ending in the purchase of a Chinese made waffle iron or similar high margin item." No, I won't do that. But that's OK, because there's only about a million hands up saying "I will!" So: I get to be poor for my ideals--go me.

What will stop clickbait? Well, there are some good news apps for phones and tablets which seem good at filtering it out and showing just bona fide news, but eventually you will get linked to something that will spam you with clickbait.

Thursday, May 28, 2015

FM Radio On Your PC For 17 Bucks

Ever since discovering my new favorite toy a month or so ago, the SDR radio USB dongle for my computer, I've been finding all these fun things I can do with it.

Currently I'm living in a cabin in the woods which barely has reliable power and Internet. The big power items are my fridge and desktop computer, all being powered by a long strand of romex to the neighbor's house, and I'd rather not push it with more devices like an FM stereo receiver. I already have a sound system on my PC.

So, finding out that this SDR dongle receives stereo FM was immediately appealing to me. It took a week of playing with it, but I finally have about a half dozen radio stations getting a good signal here in a valley which is known for not getting a reliable signal for anything!

1. Get An SDR Dongle

There's a million of these dongles out there based on the Realtek RTL2832U chipset. They vary in price from about $24 all the way down to $10. I paid about $12 for mine, and I've noticed the price fluctuates a little bit in either direction with every seller almost, so look around before you buy it.

2. Get An MCX Male To Coax Male Connector

This little dongle comes with a tiny antenna which is barely good enough to show you what an awesome device you have. It might even be good enough for an urban area depending on where you are. But I'm in the middle of nowhere, so I need a real antenna. The problem is that most FM antennas are coax, and this dongle comes with an MCX connector.

In order to attach a third party antenna, you'll want to make sure you have the adapter.

Above you can see the special adapter allowing me to plug in the FM antenna

3. Get An FM Antenna

The market is flooded with thousands of different kinds of FM antennas. There are enough antennas to devote an entire blog to, not just an article. But once you have the adapter above, you can connect it to anything coax and even make an old school dipole antenna if you want.

What I ended up doing was using a fancy amplified indoor antenna like this one that my sister gave me. I bought another strand of coax cable to make it longer and ended up mounting it outside. We'll see whether it stands up to the elements. It works awesome and I haven't even connected the little signal booster it comes with.

The flat indoor antenna sitting right below the cellular signal booster antenna

4. Install The Software

Once you have the dongle plugged into a USB port  and connected to a real antenna, all that's left is to install some software. I have personally connected my SDR dongle into Android tablets and even my Raspberry Pi 2, but so far I like running it best on Windows with SDRSharp because it's so easy to use.

Below is a screen shot of what I've heard referred to as "the most complicated way possible to listen to FM radio" but I think it's cool. You also have so many more settings to fiddle with. The taller the wave form, the better the signal.

Notice that it even shows the song and station info if the station supports it

5. Fine Tune Your Antenna

Once it's all set up and you're receiving FM radio, you can move the antenna around and experiment by seeing which stations get a better signal with the antenna in different positions. I picked a spot outside right next to the cellular GSM signal booster where it gets the best reception for my favorite station and also gets good reception for the local police / fire / medical services.

Final Thoughts

Combined with a good sound system, this setup gives me great sound from my favorite station, 97.1 Charlie FM in Portland, OR. It came in at a total cost of about $17: $12 for the dongle and $5 for the adapter. If you can't find an antenna lying around or don't want to build one for free / cheap, then add the cost of an antenna and you're still nowhere near what a good FM receiver costs, and I consider this setup a good FM receiver.

Another thing to keep in mind is that most of the software programs to play FM radio could use a good chunk of your CPU's processing power if you are using an old PC or tablet. My PC is older but it has a 6 core AMD Phenom II inside of it, so there's no problem. My new quad core Raspberry Pi also plays FM radio with no problem, though I have read that older versions could have trouble with certain software.

Friday, May 1, 2015

Adventures in SDR: Software Defined Radio For Cheap

Background (Not For TV!)

My quest originally involved looking for a cheap TV tuner while I stay out in a cabin in the woods, rehabbing my sister's property in a very rural area. I can get satellite but I don't watch much TV. I could stream Netflix or something but I'm lucky to have this semi-reliable, low-bandwidth Wi-Fi connection across a small valley to the neighbor's house.

So I bought this $13 dongle from Amazon which says "TV" in its name. I didn't catch that other identical versions of this product from other sellers had obvious reviews complaining that this USB dongle did not decode ATSC, meaning you can not use it to watch TV in the USA. The only reviews I noticed just mentioned how awesome this device is.

For anyone who doesn't understand, the irony of these USB devices based on the RTL2832U chipset is that they can basically receive anything but TV.

I was about to return this dongle when I did a little research, stumbling on one of the coolest hobbyist toys I've ever owned, and the second most fun I've ever had for 13 bucks.

Software Defined Radio: SDR

It's exactly what it sounds like: a programmable tuner. Mine has the Rafael Micro R820T tuner in it, meaning it can receive radio frequencies from 24 MHz to 1766 MHz, which is a very wide range for something under 20 dollars.

Lucky for us, an electronics enthusiast discovered a fluke (?) in the chipset of these dongles a few years ago, and now there's a whole community and a boat load of software making use of this dongle. There are applications for Linux, Android and Windows which can do everything from receive FM radio transmissions to police scanners and even some exotic things like pick up airplane transponder data and satellite signals.

Magnetic base stuck to a wood screw!

What Can It Pick Up? 

This dongle can basically pick up any signal in its frequency range, which is wide. Not only is the frequency range large, but so are the implications for its use because most of us take for granted all the little wireless gadgets we have.

  • CB: Citizen's Band
  • FM Stereo Radio 
  • Standard Police and Fire Frequencies
  • Weather and Emergency Broadcasts
  • CDMA and GSM cellular signals from phones and towers
  • Family Radio and other store-bought walkie talkie frequencies
  • Store bought baby monitors and similar devices
  • Automotive key fobs and garage door openers
  • Weather balloons
  • Radio Astronomy
  • Airplane transponder data

Jeez, What Can't It Pick Up?

  • American ATSC TV, which it doesn't have the bandwidth for.
  • Ham radio is below its range, and so is AM radio
  • Wi-Fi is above its range
  • Most land-line wireless phones are above its range
  • It obviously can't decrypt encrypted radio transmissions

The Sky Is The Limit

Actually, since this thing can pick up signals from airplane transponders and satellites, the sky isn't the limit. For the most part, the capabilities of this device are limited more by the software than the hardware. It can't fully decode ATSC television signals, though there is an app which can partially decode TV and give you an almost clear black-and-white TV picture ... no thanks.

The great thing about these RTL2832U dongles is that they run on so many platforms. I just ordered a Raspberry Pi 2 kit yesterday and I intend to hook it up to my dongle and put my SDR device on the network.

SDR# Software For Windows

If you are using this device on Windows, which most of us are, then your best bet is probably SDR#, which is pronounced "SDR Sharp" because it is written in the C# language and is open source. Here is a link to their web site. Once you download the ZIP file, all you need to do is:
  1. Unzip the ZIP file into its own folder
  2. Run the installer batch file and let it download the software
  3. Run the zadig.exe diagnostic program, list the devices, and install the driver for your dongle
  4. Run SDR# and choose "RTL-SDR / USB" for your device
  5. Press the Play button
To listen to FM radio, just tune somewhere between 88,000,000 and 108,000,000, making sure to select "WFM" as your modulation setting. What's nice about SDR#'s built-in FM radio is that it picks up the song and station information, as you can see in the screen shot below. I've seen it called "the most complicated way possible to listen to FM radio."

There are lots of plugins on their web site, and I use one as a scanner, where I can set the frequency range and cut it loose to listen to local fire, police and medical. Below the scanner stopped to listen to the local police dispatch. 

More Resources for Software Defined Radio

The SDR Wiki Page is a good starting point
RTL-SDR.COM is a good resource
OSMOCOM who are the experts
SDR# is a must if you are using Windows
Hack RF is a powerful but expensive alternative platform
Web SDR radios can be connected to and controlled over the web!
Reddit has a whole community devoted to SDR