Sunday, January 25, 2009

How reliable is DNA identification?
A discovery leads to questions about whether the odds of people sharing genetic profiles are sometimes higher than portrayed. Calling the finding meaningless, the FBI has sought to block such inquiry.
Lovely that our own FBI actively worked to try to block researchers and defense attorneys from investigating just how unique DNA is using the existing national DNA database (known to fellow CSI fans as CODIS). Don't they care about the truth? Apparently not. There are 6 million DNA profiles in there so far. Staggering.
No one knows precisely how rare DNA profiles are.
That is scary. Harkens back to the fingerprint uniqueness issues that were brought to light in the last few years too. The research shows that there can be many, many matches of 9 loci (locations on the chromosomes) or more. If you get busted by DNA evidence, you should insist on a match of at least 13 loci. But it should still be known just how likely it is for even that to match someone who is not the right person.

Do market analysts really know what the f* they are talking about?

After seeing these headlines in the news and RSS news feeds (many of the AP headlines _changed_ from one day to the next, but thanks to RSS readers every change was logged as a "new" entry so the full history of the headlines was preserved for your enjoyment below), I have to think the answer is "hell no".

How could oil and gas prices both be categorized as rising and falling, rebounding and tumbling, and then the reasons for this ranging from "weak demand" to "supply from OPEC" to "storage crunch" to "Bernanke's comments" to "US earnings"? And that was just within a span of _5 days_.

Jan 16 (Friday)
Gasoline prices on the rise again (Seattle PI)
MARKET WATCH: Crude, gas prices fall
World oil prices firm as markets eye OPEC
"Oil prices rebounded Friday as the market tossed between worries over OPEC production cuts and the International Energy Agency's unexpectedly sharp reduction in global demand forecasts."
Oil Prices Rally After Early Losses

Jan 15 (Thursday)
Storage Crunch Weighs On Oil Prices

Jan 13 (Tuesday)
Oil falls to near $36 on weak US crude demand (AP)

Jan 13 (Tuesday)
Oil falls below $37 on gloomy demand outlook (AP)

Jan 13 (Tuesday)
Oil rises to near $39 on Bernanke comments (AP)

Jan 12 (Monday)
Oil tumbles below $38 on eve of US earnings season (AP)

Bluesoleil bluetooth driver annoyances solved!

One annoyance is that, by default, the Bluesoleil driver does not work from a Limited user account.  Since I run exclusively as a limited user on Windows XP, that was annoying.  Fortunately, there is a solution:  run it at startup as a higher-priv user.  There are negative security implications to this, especially in light of my blog posting about software/driver rot because OEMs don't get to maintain the latest driver versions, but the risk may be worth the reward.

Windows XP + Limited Accounts + Bluetooth - WiFi-Forum - Wi-Fi Discussion Forum
In registry editor, go to ....HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/Currentversion/single click "Run". On the right side you'll see the programs which run on system startup. Here you have to put your Bluesoleil executable in the following way.

"mouse right-click"/new/string value/give a name like "Bluesoleil"/mouse right-click on "Bluesoleil"/Modify/here give the path of the executable, something like "C:\Program Files\IVT Corporation\Bluesoleil\Bluesoleil.exe"

Another annoyance was the dreaded "____________" error you often get upon installation or reinstallation or upgrade of the drivers. The vendor's solution is not very helpful "cleanly uninstall before installation", especially if the install had failed so you _can't_ uninstall. But there is a solution gleaned from an International site:

no puedo instalar bluetooth ("I can't install Bluetooth")
Right-click on HKEY_CLASSES_ROOT. Choose Permissions... Click Advanced. In the new window check the box "Replace permission entries on all child objects with entries shown here that apply to child objects". Click OK.

Repeat this for HKEY_LOCAL_MACHINE. Probably you will receive some "access denied" warnings in this step. This is completely normal.

Again, there may be security implications of doing this so take care.

Another thing that could get in the way is a firewall or anti-spyware program preventing registry modification so watch for that too.

Citibank ATM insecurity

Ahh, doesn't it save so much money to outsource?  Ever wonder why it is cheaper (there _are_ reasons)?  Well, in this case it seems that the company running ATMs at 7-11s that Citibank allowed to put its brand on had a massive security breach.  Does not look like they were very security savvy.  Funny, there's one of these ATMs at the 7-11 right near my house.  And I thought I had to be scared of the tiny, off-brand ones in convenience stores!

ATM-Owner Cardtronics Issues Non-Denial Denial in Citibank Breach | Threat Level from
To recap what we know about the late-2007 PIN theft: Hackers broke into a server that processes transactions from the Citibank-branded ATMs at 7-Eleven convenience stores. The hackers installed some kind of software on the server, and made off with enough account numbers and PINs to steal at least two million dollars from Citibank accounts.

Dead to me: Word 2007 auto-save recovery

You would think that there might be some compelling reason to upgrade from Office 2003 to 2007, or perhaps to consider paying for Office instead of the wonderful 3.0 that is totally free.  You would have thought wrong as far as this instance goes.

My wife recently had a problem where the stupid Windows auto-updates rebooted her computer in the middle of the night and she had (contrary to normal practice) not saved a new document to a filename.  But fortunately, there were the Office Auto Saves, right?

Well, to recap:

* Auto save worked just fine.
* But what if a user is not paying attention when they next launch Word and ignores the auto save recovery window upon recovery?  Uhh, Word nicely deletes the autosave file.  Even VIM would err on the side of leaving your auto-recovery file in place.
* Fortunately, I have nightly backups.  So, I was able to recover the .asd file from the temporary directory (strangely %USERPROFILE%\Application Data\Microsoft\Word by default).  Now what?
* It should be as simple as File -> Open, right?  Well, that's what Microsoft's own documentation says you should do.  But this is WRONG.  You get an "Unsupported file type" error or similar.
* It was only after renaming to a .docx file and trying to open it that a helpful message said, "if you are trying to recover a file, open it _this_ way".
* Sheesh, can't the program
  a) know how to open and deal with its own damned auto recover files in the first place?  or
  b) not require the _user_ to do something different.  Reminds me of Bill Cosby as Noah when god tells him he's got two male animals and he has to go back out and get a female instead, Noah says, "I'm not going to do that -- you change one of them!!"

* One Internet posting about how to restore this was to use Open Office Writer to open the .asd file and save as a .doc file.  That actually works great.

Open Office can do it the user-friendly way, why not Word?  What exactly do you get for $400 list price again?

Anti-abortion activists: think about implications much?

This is a fascinating video.  Abortion protesters are asked what should be done to the women who would have illegal abortions.  None of them had an answer and none of them had ever thought about it.  It was hilarious to see them come up with arguments as to why women should actually _not_ be punished if they were to have an illegal abortion.  They are quick to make an analogy to abortion and killing a child, but they are very reticent to make the penalties the same.  One even said something to the effect that "it would depend on the situation" and the woman's mental state of mind.  Wowzers.
"Did you know you can stump anti-abortionists with one simple question?  They know it’s absurd and unfair — which means they know abortion is not really murder."
Pharyngula: This must be a very hard question

Disappointment in BITS public comments on contactless payments privacy and security

The FTC had solicited public comments on contactless payment systems: "The Federal Trade Commission and the Technology Law and Public Policy Clinic at the University of Washington Will Host a Town Hall Meeting on July 24, 2008, to Explore the Growth of Contactless Payment Systems and Their Implications for Consumer Protection".  If I had known this was happening in Seattle I would have definitely attended.

They have published various letters received on the website above.

BITS Financial Services Roundtable Comments were a bit underwhelming.
"Thank you for inviting me to participate in the Town Hall on “Pay on the Go: Consumers and Contactless Payment.” Attached are four key summary conclusions."
So, what were the four key summary conclusions BITS provided?

  1. "First, contactless payments that have been utilized by financial institutions do not pose a significant security or privacy protection risk to consumers."

  Say what? No positive evidence is provided for their safety other than "there are lots deployed and we haven't seen much risk so far". That's not a good argument. How about descriptions of the security and privacy technologies that provide the assurance? We know there have been some really bad deployments so either they don't read the RISKS digest or perhaps even the news?

    How to hack RFID-enabled credit cards for $8 - Boing Boing TV
    Schneier on Security: Skimming RFID Credit Cards
    Black Hat reveals credit data via RFID insecurity
    RFID deployment moving forward despite security flaws

  2. "Second, it is vital that the government permit financial institutions and technology providers to innovate using new technologies so long as it is done in a safe and sound manner and meets the needs of consumers."

  Okay, that's an industry-apologist position. And nobody would disagree with the premise but the way that things get done in the industry tends to put the supposed "needs of consumers" ahead of the security and privacy since the mental threat models only look at the bottom line fraud risk and ignore the customer privacy concern.  It would have been better to state, "Financial institutions will commit to developing these capabilities in an open, full-disclosure manner and include security and privacy concerns of customers and security researchers into the design discussion"

  3. "Third, it is important for government agencies to work together to address issues that span their jurisdictions."

  Basically, "we need big government regulators to tell us how to do security; in the absence of something telling us we're doing something wrong, we'll assume there's nothing wrong with what we're doing"  I've seen this all too often that financial institutions try to do security by committee or in the absence of that, do only what the regulators ask about.  They need to commit to a proactive stance that is based on sound threat models and openly address these issues in any new technology.

  4. "Fourth, it is important for government to encourage the private sector to collaborate...[on standards for mobile payments]"

  Again, security by committee is not the way to go about these things.  And the standards are irrelevant to the design and the principles.  They also did not mention anything about ensuring the standards ensure _minimum security_ and _privacy_ are included -- just that they need "standards".  Look no further than the magstripe PIN block standards for typical "good enough" design that is not necessarily based on the most optimal security.  Same thing happened with WEP...

    Hey, how about also committing to public publishing of the standards?  I can't tell you how difficult it is to even get official documents for ANSI / ISO financial industry standards.  They should be available to anyone with google.
What is most disappointing is that they do not offer any positive claims for why we should not care. This site offers five good tips that perhaps BITS should have recommended each participating company to publish information about:

Can Contactless Credit Cards Be Hacked? 5 Tips to Stay Secure

I've added my own to the mix.
  • Publish the security design principles, such as "no customer identifiable information stored on the card or transmitted in the clear", "no reliance on the wireless signal being short-range as a security mechanism", "employing strong encryption and well-known and tested authentication and key exchange protocols", etc.

  • Full disclosure of the data stored on the card and the security protections employed. What information does the card transmit in the clear over the air? What prevents an adversary from querying the card from within your pocket?

  • Which RFID/contactless standards are employed and, where standards are followed, in what ways the implementation goes beyond them?

  • Full disclosure of the encryption strength employed

  • Ways that the customer can take preventive action (such as providing protective sleeves to block RFID when you are not using your card)

  • Clearly publish the fraud liability information, if it differs from traditional mag-stripe cards

  • Give customers the option of having a non-contactless card and, even more importantly, ensure that your call centers know how to route those requests and handle them appropriately.

  • Take a leadership role in providing for the government regulators the kinds of controls that they should look for that could impact fraud, identity theft, or personal privacy. I've seen that financial institutions tend to focus on the fraud aspect and often ignore the privacy aspect until someone complains...

  • Adhere to some basic consumer protection standards that would underlie any of the design considerations. Such as the proactive ones listed above. Adhere to open, full-disclosure. Commit that you will not stifle security researchers publishing work in these areas and that you think it is valuable to help improve the technology and keep innovating.

CSS sprites are cool

I just learned about CSS sprites for reducing the amount of HTTP requests it takes to render a page.  Very cool stuff.

Basically, you create a single image that contains all of the small images to use on your site and that is all you need to download.  Then you use CSS and offsets within that image to select that part of the image to display in the page.  There is padding around each image so that you don't get weird renderings with different browser quirks.

EV certs used against us

I happened to notice this in my Spam bucket.  Funny to see the phishers adapting to the trend of increased use of EV certs and the fact that customers are rightly ignorant of what EV certs actually are and why they would be good for them.  It's never as simple as one might think to solve these kinds of problems with technology.  There is that human factor...

Dear HSBC Member,
Due to the high number of fraud attempts and phishing scams, it has been decided to implement EV SSL Certification on this Internet Banking website.

The use of EV SSL certification works with high security Web browsers to clearly identify whether the site belongs to the company or is another site imitating that company's site.

It has been introduced to protect our clients against phishing and other online fraudulent activities. Since most Internet related crimes rely on false identity, HSBC went through a rigorous validation process that meets the Extended Validation guidelines.

Please Update your account to the new EV SSL certification by Clicking here.

Tuesday, January 13, 2009

The BEAST on Rush

I recently listened to Rush while driving and wanted to reach into the radio and shake him because his delivery is so annoying. He must love to hear himself talk so much he repeats everything ad nauseum. Or perhaps his demographic falls asleep often during his show and needs an instant replay?

This sounds about like the best description of this foul human being. There are some hilarious other entries as well you have to read.

11. Rush Limbaugh

Charges: The father of modern stupidity, Limbaugh spins reflexively, never struggling with issues, because he knows his conclusion must favor Republicans, and his only task is finding a way to get there. In other words, he may or may not actually believe what he’s saying, but it’s beside the point. His job is not to say what he thinks, but to instruct his listeners on what they should think. If the facts don’t agree, he can always change them, as his “ditto heads” are already armed against the contrary evidence with the all-purpose “liberal bias” attack. “Rush is right,” as the slogan goes, and all those nerdy reporters in the “drive by media” are lying, because they secretly love terrorists. It’s this creepily worshipful, breathtakingly infantile abdication of intellect to a blatantly dishonest hypocrite that makes Limbaugh’s audience so goddamn sad. These pathetic, insecure, failures of men look to Rush as the champion of their impotent rage, helping them to externalize responsibility for their own deficiencies, pinning the blame on those darn liberals and their racial and gender equality.

Exhibit A: You have to marvel at the sheer ignominy of someone who coins the term “Obama recession” two days after the election.

Lou Dobbs: Global Warming Denier

Hat tip to FAIR's Counterspin for covering this last week.  I hadn't heard it discussed yet.

What hubris!!  To think that you somehow know more than the consensus of scientific opinion?  Argument from personal incredulity abounds.

And the great hypocritical final quote from Lou himself that he should re-read after reading his own transcript (at the site below)

CNN’s Lou Dobbs: Belief in Global Warming 'Almost a Religion'
there seems to be such a crowding out of facts and objective assessment of those facts, and as the scientists, the climatologist in your report suggests, there’s such selective choices of data as one discusses and tries to understand the reality of the issues that make up global warming.


Links to several of the places I've been enjoying recently

Funny Website – American’s Only Humor & Video Site Since 1958

Drew Curtis'

Browser security policies documented and compared

I have often wondered about this kind of thing.  Browsers implement all kinds of "policies" that are largely implemented as undocumented logic in code -- probably in response to a security bug.  As far as I'm aware, the client-side security considerations of browsers have never before been documented this thoroughly.

I've read through the whole thing and it is fascinating reading.  I hope the browser vendors look at this and start a war for who's going to have a more secure browser!

Main - browsersec - Google Code - Browser Security Handbook landing page
This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.

Although all browsers implement roughly the same set of baseline features, there is relatively little standardization - or conformance to standards - when it comes to many of the less apparent implementation details. Furthermore, vendors routinely introduce proprietary tweaks or improvements that may interfere with existing features in non-obvious ways, and seldom provide a detailed discussion of potential problems.

Dangers of instant runoff voting

Several recent editions of RISKS discuss some evidence of the dangers of IRV (Instant Runoff Voting) systems, which is a shame since I had hoped they would offer a better approach that could help break the stranglehold of the two-party system.  One of the paradoxical results they discuss is the situation where three people vote and the votes are:

A preferred over B
B preferred over C
C preferred over A

What is the solution to this that will result in the "right" person being elected?  There are other paradoxes as well that can occur when people leave the race before it is decided.

Well, I at least wanted to be able to have a "negative vote" where I could specify a lack of desire for a candidate.  There may still be hope.

Runoff elections are expensive, which has led to various approaches to
avoiding them by having voters express priorities among the various
candidates. However, an important paper by Kenneth Arrow (RAND Corp, 1948)
provides mathematical evidence that no voting system that ranks preferences
among more than two candidates can guarantee logically fair nonparadoxical

A nice example of a "winner-turns-loser" paradox with Instant Runoff Voting
(IRV) is given by William Poundstone, Why Elections Aren't Fair (And What We
Can Do About It), Hill & Wang, 2008, by considering hypothetically what
might have happened in the 1991 Louisiana governor's race if IRV had been
used. I oversimplify slightly (and ignore the political positions that
might have made this logical!):

34% of the voters were for Edwin Edwards, 32% for David Duke, 27% for
Buddy Roemer. Under IRV, Roemer would have been eliminated, and his
votes reallocated -- which could have resulted in Edwards winning.

Suppose Edwards managed to have swung 6% of Duke's voters to have switched
to Edwards. Then Duke would have been eliminated, and the reallocation
could have resulted in Roemer being the winner.

There's a nice review article on Poundstone's Gaming the Vote, and Spencer
Overton's Stealing Democracy: The New Politics of Voter Suppression, Norton,
2008, in *The Nation*, 2 Jun 2008, written by Peter C. Baker.


"In many real-world elections, there is a "Condorcet" winner, ie someone who
is preferred by a majority of the electorate to every other candidate (it
may be a different majority in each case). If there is such a winner, then
electing them fulfills Arrow's theorem. The problem is that in some
elections, preferences are circular (ie A>B, B>C and C>A, where > represents
'is preferred to' rather than the usual 'is greater than'). Where this
occurs, no system can fulfill Arrow's criteria - either the system will
elect someone who would lose in a simple majority two candidate election
(which fails Arrow's dictatorship criterion) or IIA will be breached, as any
proposed winner can be defeated by the withdrawal of one of his opponents."
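As an added illustration (my own code, not from the RISKS posts or Poundstone's book), here is an IRV tally and a Condorcet check run over constructed ballots: the first-choice split is the 34% / 32% / 27% figure quoted above, while the second and third choices are assumptions chosen so the reallocation plays out as the post describes; the three-voter cycle from earlier in this post is included too.

```python
from collections import Counter

# Constructed ballots (an assumption, not 1991 election data): first choices
# follow the 34% / 32% / 27% split quoted from the RISKS post; the second and
# third choices are chosen so the reallocation works out as the post describes.
LOUISIANA_1991 = [
    (["Edwards", "Roemer", "Duke"], 34),
    (["Duke", "Roemer", "Edwards"], 32),
    (["Roemer", "Edwards", "Duke"], 20),
    (["Roemer", "Duke", "Edwards"], 7),
]

# Same electorate after 6% of Duke's voters switch to putting Edwards first.
AFTER_SWING = [
    (["Edwards", "Roemer", "Duke"], 40),
    (["Duke", "Roemer", "Edwards"], 26),
    (["Roemer", "Edwards", "Duke"], 20),
    (["Roemer", "Duke", "Edwards"], 7),
]

# The three-voter circular preference from the post: A > B, B > C, C > A.
CYCLE = [
    (["A", "B", "C"], 1),
    (["B", "C", "A"], 1),
    (["C", "A", "B"], 1),
]


def irv(ballots):
    """Instant-runoff tally.

    ballots is a list of (ranking, weight) pairs; ranking lists candidates from
    most to least preferred.  Returns (winner, rounds), where rounds holds each
    round's first-preference tally so the eliminations can be inspected.
    """
    active = {c for ranking, _ in ballots for c in ranking}
    rounds = []
    while True:
        tally = Counter({c: 0 for c in active})
        for ranking, weight in ballots:
            # A ballot counts for its highest-ranked candidate still in the race.
            for c in ranking:
                if c in active:
                    tally[c] += weight
                    break
        rounds.append(dict(tally))
        total = sum(tally.values())
        leader = max(tally, key=tally.get)
        if len(active) == 1 or 2 * tally[leader] > total:
            return leader, rounds
        # No majority: drop the candidate with the fewest first preferences.
        active.remove(min(tally, key=tally.get))


def _position(ranking, candidate):
    # Unranked candidates sit below every ranked one.
    return ranking.index(candidate) if candidate in ranking else len(ranking)


def pairwise_margin(ballots, a, b):
    """Weight preferring a over b minus weight preferring b over a."""
    margin = 0
    for ranking, weight in ballots:
        pa, pb = _position(ranking, a), _position(ranking, b)
        if pa < pb:
            margin += weight
        elif pb < pa:
            margin -= weight
    return margin


def condorcet_winner(ballots):
    """The candidate who beats every other head-to-head, or None if there is
    none (a circular preference such as CYCLE has no Condorcet winner)."""
    candidates = {c for ranking, _ in ballots for c in ranking}
    for c in candidates:
        if all(pairwise_margin(ballots, c, o) > 0 for o in candidates if o != c):
            return c
    return None


if __name__ == "__main__":
    for label, ballots in (("as quoted", LOUISIANA_1991), ("after 6% swing", AFTER_SWING)):
        winner, rounds = irv(ballots)
        print(f"{label}: IRV winner {winner}, rounds {rounds}, "
              f"Condorcet winner {condorcet_winner(ballots)}")
    print("three-voter cycle: Condorcet winner", condorcet_winner(CYCLE))
```

With these ballots Roemer is the Condorcet winner in both cases yet loses the first IRV count, and the 6% swing that improves Edwards' first-round total hands the election to Roemer.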

Constitutional challenge to FISA immunity law: go EFF go!

In Courtroom Showdown, Bush Demands Amnesty for Spying Telecoms | Threat Level from
"Is there any precedent for this type of enactment that is analogous in all of these respects: retroactivity; immunity for constitutional violations; and delegation of broad discretion to the executive branch to determine whether to invoke the provision?" the judge asked.

Carl Tobias, a professor at the University of Richmond School of Law, says the immunity legislation, if upheld, "makes it possible to extend immunity to other areas of the law."

And fortunately, the judge seemed to have some reservations about the statute:

Judge Questions Telecom Immunity | Threat Level from
"In essence that gives the attorney general carte blanche to immunize anyone," Walker said, wondering what odd creature Congress had fashioned. "What other statute is like this statute?"
Here are the EFF's documents on the case:

NSA Multi-District Litigation | Electronic Frontier Foundation
The Electronic Frontier Foundation (EFF) filed a class-action lawsuit against AT&T on January 31, 2006, accusing the telecom giant of violating the law and the privacy of its customers by collaborating with the National Security Agency (NSA) in its massive, illegal program to wiretap and data-mine Americans' communications. In May, 2006, many other cases were filed against a variety of telecommunications companies. Subsequently the Multi-District Litigation Panel of the federal courts transferred approximately 40 cases to the Northern District of California federal court.
And the good news is that Judge Walker has denied the motion to dismiss!

Al-Haramain Warrantless Spying Case Can Proceed | Electronic Frontier Foundation
Today, Chief Judge Vaughn Walker of the United States District Court in San Francisco denied the government's third motion to dismiss the Al-Haramain v. Bush litigation. The ruling means that the case can proceed and the court also set up a process to allow the Al Haramain plaintiffs to prosecute the case while protecting classified information.
"Without a doubt, plaintiffs have alleged enough to plead 'aggrieved persons' status so as to proceed to the next step in proceedings . . ."

iPhone being closed makes it less secure

I was thinking recently about developers wanting to be able to exploit future bugs in systems like the iPhone (and even in windows media player and the like) to gain access to locked content, features or.  I was thinking about how this means they are not reporting security bugs but keep them secret.  Which seems to be an overall negative _for the platform_ since they have created a market through their own actions that thrives on finding and keeping bugs secret.  Not all those who use such vulnerabilities are good guys trying to get their fair use rights back for sure and that is where the danger lies. 

Of course it is also annoying when you have to choose whether or not to apply a security patch that will likely close your fair use access to a system or device.  I typically err on the side of upgrading to close the holes (begrudgingly) lest I get compromised by someone else.  Fortunately my media player can play DRMed WMA files now so I don't have to convert them.  But I did avoid upgrading cell phones in the past so that they would not be able to block my ability to access the bluetooth features that I rightly purchased.

Another thing that worries me (especially due to the remote exploit risk) are the bluetooth dongle vendors who OEM the driver software from someone but that agreement does not allow you to keep current on versions.  I stopped using one that I know has vulnerable drivers and switched to another one that now has different stale drivers.  It will cost 19 pounds to "upgrade" (meaning, buy a current license with upgrade rights).  Good that I got the dongle cheap so I can afford the software.  I think this is irresponsible of both vendors.

Timely: Emergency Radio test in West Seattle

I made the west seattle blog!  West Seattle Blog… » Non-snow news: Neighborhood radio test - talk about timely!

That's myself and some other neighbors from the nearby West Seattle neighborhood associations and blockwatch groups.  We braved the chilly pre-storm air to map out signal strength tests and come up with recommendations for purchasing equipment and covering the "dead zones" that were encountered to ensure seamless communications during an emergency so we can relay information between affected neighborhoods.

The west seattle HAM groups are also likely to be reborn to act as a backbone in case of emergency.

And none too soon, it seems, as right afterward we were hit by the snow, wind and ice storms.  I had my radio tuned to channel 4-11 during the first early snowstorm in case of power outages.

Will have my radio tuned again during the next windstorms.  We only lost power for a half a second the last time.  And we just had our trees trimmed near the power lines in the alley since there was some serious arcing and burning limbs so that should prevent some of the recent brownouts too.

I would like to have known that the stores were completely out of eggs before I risked life, limb, and vehicle to get some next time ;-)  Will check the blog before venturing forth.

Oh, and the West Seattle Blog is one of the greatest resources we have for finding out conditions and emergency information.  They have lots of contingencies there to continue relaying information (many people keep up with RSS feeds on their wireless devices these days, which is another communications channel to keep in mind).  Even many city organizations are experimenting with Twitter as a means of communicating.

Cool!  Marrying new and old technology for emergency preparedness...

Security issue dulls "Chrome"'s luster

Actually, lots of browsers get poor marks overall for how the password management systems function and protect you against malicious attacks.

I'm still floored that Firefox does not have the functionality of the Master Password Timeout extension as a base option.  Otherwise, anyone who walks up to your browser can access any site you visit and log in (if you don't use a master password and/or once you type in the master password once)!  With this extension, you ensure that the exposure is limited to a set time period.  It also helps protect against automated attacks since they can't succeed unless you type your master password in again.

Chapin Information Services
Google Chrome Receives Lowest Password Security Score
Safari Ties for Last Place

Movie plot comes true

Funny, especially in light of watching the season premiere of "24" where Jack shoots out a video camera, which draws the people out to check on it, leaving them vulnerable to attack.  Add social engineering to that and you have a nice attack. 

The danger of false alarms...

Date: Fri, 6 Jun 2008 00:57:29 +0100
From: David Hollman
Subject: Sometimes the computer is right...

Here's a case where social engineering defeated an apparently correctly
working automated security system and allowed a burglary:

"An experienced jewelry thief may have hoodwinked the University of British
Columbia's campus security by telling them to ignore security alarms on the
night of last month's multi-million dollar heist at the Museum of

Four hours before the break-in on May 23, two or three key surveillance
cameras at the Museum of Anthropology mysteriously went off-line.

Around the same time, a caller claiming to be from the alarm company phoned
campus security, telling them there was a problem with the system and to
ignore any alarms that might go off.

Campus security fell for the ruse and ignored an automated computer alert
sent to them, police sources told CBC News."

Full article:

Tracking (and evading) the trackers

A very interesting research paper to read up on.  I'm most curious how they baited the RIAA/MPAA into thinking that printers had been downloading files over bittorrent.

Tracking the Trackers
As people increasingly rely on the Internet to deliver downloadable music, movies, and television, content producers are faced with the problem of increasing Internet piracy. To protect their content, copyright holders police the Internet, searching for unauthorized distribution of their work on websites like YouTube or peer-to-peer networks such as BitTorrent. When infringement is (allegedly) discovered, formal complaints are issued to network operators that may result in websites being taken down or home Internet connections being disabled.

Although the implications of being accused of copyright infringement are significant, very little is known about the methods used by enforcement agencies to detect it, particularly in P2P networks. We have conducted the first scientific, experimental study of monitoring and copyright enforcement on P2P networks and have made several discoveries which we find surprising.

Friday, January 9, 2009

Ripped from Informercials: Spam

So, I'm listening to this story on NPR yesterday and the CEO of the company that brings you the Sham-Wow, Pedi-Paws, Ped Egg, and other cruft for $19.95 was on.  I rarely watch commercials anymore because I don't watch live TV and skip through them.  So why is it that I know of so many TeleBrands products? -- Spam.

That's right.  I have noticed a huge volume of spam for the stupid fscking Pedi-Paws (which sounds like it sucks, BTW).  Now I find out that it's an infomercial-peddled product.  And, I recently started getting Sham-Wow spam.  (aside:  I hate that commercial.  Makes me think I'm at the Puyallup Fair or something.  Also, do they always have to be a horrid Orange color?  Yeah, I'm going to use an ORANGE bath mat.)

It makes me wonder whether the company behind the TV advertising of the products is in some way behind the spam campaigns for its products as well?  Each of the emails I've received have different links at different sites embedded for "unsubscribing".  Most are .info domains.  But the links that do work redirect you to order sites under  Could simply be a way of phishing since to order you have to give your credit card number, name and address.
Infomercials Thrive Amid Downturn : NPR
A downturn in the economy has provided a boom for infomercials. A.J. Khubani, president and CEO of the direct response company TeleBrands, says his company has seen that business booms in bad economic times. He attributes the success to lower TV ad rates.
And just for fun, some reviews of some of the peddled products:

Top 5 Worst Telebrands Products « Just Pazz…