Sunday, December 24, 2006

Could Santa Exist?

Spending Christmas with girlfriend's kids ages 4 and 6 who ask questions about how Santa delivers all these presents to good boys and girls while they sleep on Christmas eve. I say I don't know the answer, but let's figure it out together using some basic math and a few conservative assumptions.

We assume that Santa only delivers presents during the night while you're sleeping. That's why children never see him. So, in order to accomplish that before you (or another child in the same time zone) wake up, Santa must finish all his work in that time zone within about 10 hours.

Tonight, for this Christmas Eve, we're in north Idaho, and luckily for the kids, I happen to have a McNally Road Atlas showing the other places in the same time zone, along with their populations. Other places like Washington (5.8 million), Oregon (3.4 million), Idaho (half of 1.2 million), California (33.8 million), and Nevada (1.9 million). British Columbia, half of Alberta, Canada and a bit of Mexico are also in the same time zone, but we don't need to consider them for this exercise.

If we add them all up, the total number of people living in our time zone is about 46 million. Since it takes 2 adults to create one child, but one adult can create more than one child, and also that some adults have no children, let's make a conservative estimate that only 1/4th of the total population are children. That comes to about 11.5 million children (46,000,000 / 4).

Let's assume that half those children are rotten little goblins and that Santa doesn't stop at their houses. That reduces it down to 5.75 million children (11,500,000 / 2). Let's also assume that on average, there are 2 children to a household, so Santa would only need to make 2.875 million stops (5,750,000 / 2) during that 10 hour overnight span.

All this means that Santa would need to make 287,500 stops every hour (2.875 million / 10 hours). That's equivalent to 71,875 stops every 15 minutes (287,500 / 4). Or 4,791 stops every minute (71,875 /15). If Santa worked at this pace, he would have to slide down the chimney, drop off presents, eat the cookies that you leave out for him, and fly off away again at a rate of (4,791/60) 79 houses per second!

If all these reasonable assumptions are true, and with the distances of thousands of miles, then that would mean Santa moves faster than the speed of light, which Einstein said was impossible. Theory of Relativity aside, how could a man so fat move that fast?

And if he could, on a sleigh built by elves, wouldn't the U.S. military shoot him down and haul all the wreckage back to Area 51? Why wouldn't they? After all, Santa delivers presents to children around the world, including to terrorist states like Iran, North Korea, and Syria. And anyone who provides aid or comfort to our enemies is also our enemy. Even if it's Santa Claus.

So if you still think there's a Santa Claus, then go to sleep!

Wednesday, November 22, 2006

Itiva, quanta, venture capital, snakeoil

Recently came across a startup called Itiva, claiming to have technology to bring high quality media to PCs without bandwidth worries. It involves a lot of long noun chains, new paradigms, and revolutionary but proprietary Quanta™. Sounds like snake oil to me.
"Itiva provides the first scalable, reliable and economic Internet video delivery platform"
False. There are plenty of scalable, reliable video platforms, the latest of which is bittorrent. Apple.com/trailer serves video content all day long and has for years. Google just bought YouTube that serves tons of video.
"patent-pending technology delivers fast, full screen, high quality (DVD or HD quality) video over the Internet without performance compromise"
This is not a compression technology, merely a transport technology. Therefore, I can't see how full-screen DVD quality data can ever be "fast." A movie that fits on a regular DVD is about 4 gigabytes worth of data. That will never be fast no matter how many "quanta" you break it up into.
"highest quality home theatre video experience for millions of simultaneous viewers"
Think about Apple's iTunes and how long it took to struggle for a deal with record companies in order to provide the music content. And all that music content is encoded in a "lossy" format not because Apple doesn't have the bandwidth to serve larger, better quality music files, it's really because the record companies will not allow high quality digital content to be sold like that on the internet. They are too worried about flagging CD sales and digital piracy. That's why every single bit of music for sale in iTunes is of worse quality than the CD you can buy at the store. The videos for sale there are also only about VHS quality and smaller than the resolution of a regular TV, and not because Apple can't handle the traffic. Also, look at the fact that Netflix, the internet movie pioneer, still does not offer movie downloads. It's not because of a technical problem, it's because of a legal problem. The MPAA does not want high quality video floating around the internet. So why will these media companies that own the rights to this content suddenly begin releasing it just because a technology appears that makes mass consumption more feasible? If anything, easy mass consumption will make media companies less likely to release high quality digital material.
"while popular in the illegal file sharing community, [P2P] is not suited for large-scale commercial deployment"
False. Torrents are not just a way to steal copyrighted material. Torrents are used to easily distribute large (800+ meg) files such as Linux CD images by big-name vendors like Debian. Many other open source projects that take up a lot of space are being distributed by torrents/P2P. P2P has lots of purposes. And, if one of your peers happens to be on your same network, their traffic does not have to be routed over the internet to you, permitting the ISP to reap the same benefits that Itiva says its own product provides (and that I'm guessing an ISP would have to pay for).
"P2P is also very costly to ISPs because it uses tunneling protocols that have a direct impact on bandwidth cost to the ISPs"
Anything that actually uses any bandwidth is going to be costly to ISPs who pay for bandwidth. Unless the data is sourced from within the ISP's network, in which case they are not generating internet traffic in order to serve it. This Itiva product seems to involve a little of that, but I can't see why I'd be interested in it as an ISP unless I was AOL or MSN. An ISP generally is just a conduit, not a content provider. If they are selecting and providing content, they become legally responsible for it, and why would I be interested in that mess (and losing my DMCA safe harbor) if I make a living selling connections?
"In order to keep these costs under control, ISPs have throttled the P2P protocol by using packet shapers"
And in response, people defeat that by training their P2P programs to travel over port 80 to look like other web traffic. Also, if I pay my local ISP for a 1mb/s connection, I am going to complain if they are shaping my torrent traffic down to 256k just because of the type of traffic it is. They sold me a pipe that was advertised to do a certain speed, and it's wrong for them to discriminate against certain kinds of traffic. This concerns the whole "net neutrality" debate that is going on right now. See Freedom to Tinker articles on the subject.

My point is that ISPs can't sell broadband internet connections and then expect to prevent people from using those connections in order to reduce the ISP's own bandwidth costs. Itiva is not really solving a problem: the content I want is most likely not on my ISP's network, and therefore I have to get it from the internet. Breaking bits into "Quanta™" and reassembling them on my computer does not use less bandwidth. If I need a 4 gig file, 4 gigs worth of bandwidth ultimately needs to be used, if there is no compression (and Itiva is not a compression tool).
"designed to support the volume of rich media and streaming video available. Consequently, the video viewing experience is poor and has not yet reached a point that is comparable with traditional TV,"
and then claims 4 reasons for why that is.

Those stated reasons are part of the story, but can be overcome with current technology platforms if one is intent on overcoming them. The primary reason digital content doesn't compare with traditional content is because the RIAA and MPAA will not allow high quality digital copies to be put in the stream of commerce because they are afraid of copying.

Itiva seems to be mostly some kind of proxy caching thing that ISPs are supposed to employ on their own network so that they can serve their users without having to use internet bandwidth. This means also that ISPs are supposed to pay Itiva for this product, but I don't see why they would. It's going to be a long time before a good number of internet users reach even T-1 speeds (relatively low speed broadband), and that's only 1.54 megabits per second.

1,540,000 bits per second / 8 = 192,500 bytes per second
1 megabyte ~= 1,000,000 bytes
at T-1 speed:
about 5 seconds to get 1 megabyte (1,000,000 / 192,500 = 5.2)
about 520 secs (8.7 min) to get 100 megabytes
about 5,200 secs (1.4 h) to get 1 gig

A full screen DVD quality movie will be at least 3 gigs, and therefore take over 4 hours to download, even over a relatively fast T-1 or DSL line rated at 1.54 Mbit/s. Even if my ISP has the movie proxy-cached or running special Itiva software so they don't have to deliver over the internet, it still takes this long just to get it the last mile from my ISP to me. And most people have connections slower than that, and that condition will be a fact of life for most ISP customers for a long time. People don't want huge files, they want small ones. And with the increasing popularity of networked mobile phones with small memory capacity, I think there will be more demand for smaller, not bigger files. See also the Freedom to Tinker article on Last Mile.

I can't see any advantage that Itiva would bring. It seems like a middle man adding very little value, and worse, contributing to the proposition that ISPs need not act with "net neutrality," which is a bad thing for all consumers/internet users. Breaking large files into small pieces and reassembling them? So what?

One of the principals of Itiva has recently started a blog (how can you convince venture capitalists without one?) at http://www.robertarn.com/ that doesn't illuminate much about the product, but a lot about his anti-consumer position regarding "net neutrality."

The blog offers a couple of "widespread beliefs" that I don't agree in the first place are widespread, and then spends several paragraphs debunking those beliefs. Then it talks about broadcast video usage on dumb devices like TVs (and even DVRs, where your recorded content is trapped and you cannot access it except to play it back just on that DVR) and implies that the amount of usage on user-controlled computing devices will soon approach it.

Of course, it won't, because copyright holders won't put the content out there, for fear of copying, piracy, and the total inadequacy of any DRM scheme (if your machine can read the data, and you control the machine, then you can always make the machine record the data). He also spends a lot of time bashing P2P, probably because it accomplishes for free what his product will charge for. He also wrongly characterizes as "theft of services" when a paying ISP customer uses P2P. I don't like his attitude, needlessly referring to the Bittorrent creator as autistic, and for being on the wrong side of the net neutrality debate. Maybe because his product is of no use in a net-neutral environment. There's way too much hype, FUD and self-promotion. Compare it to blogs of legitimate companies, where there is no preaching, fact twisting, or arguing. This guy is after the venture capital and that's all.

Granted, I may just be demonstrating my own ignorance. When the first web browser "Mosaic" came out in 1994, I installed it on my 486, looked at it for a few minutes and said "this is stupid," and deleted it.

Wednesday, September 20, 2006

Paypal module passes STORE_NAME instead of item

The PayPal payment module (paypal.php,v 1.39 2003/01/29) for OSCommerce does not pass a meaningful item description to Paypal as a transaction is processed. Instead, the developer of this module programmed it to send the name of your store instead:
tep_draw_hidden_field('item_name', STORE_NAME) .
The result is that when the transaction completes, Paypal sends the store owner an email notification, unhelpfully describing the item purchased as "[name of your store]".

We will fix this by changing the code in the payment module to send a better description for that field. While we're at it, we'll change the code to better support stores selling multiple items in one transaction, because this Paypal module comes "out of the box" designed more for single item purchase. When multiple items are purchased, this module just gives an aggregate description of the whole transaction, without any detail of what exactly was purchased.

To fix both of these problems, use the patch file below, or edit (path to your store)/includes/modules/payment/paypal.php and jump down to this function:
function process_button() {
find the line that looks like:
$process_button_string = tep_draw_hidden_field
and insert a comment marker right before it:
/*
$process_button_string = tep_draw_hidden_field
and then go down a few more lines from there until you get to the one that has a semicolon at the end, instead of a period. After that line, insert an ending comment marker:
*/
Now, after your ending comment marker (commenting out the original code makes it not operate anymore, while preserving it for reference), insert the following:
# Multiple item payment, P. 86 of
# https://www.paypal.com/en_US/pdf/PP_WebsitePaymentsStandard_IntegrationGuide.pdf

$process_button_string = tep_draw_hidden_field('cmd', '_cart') .
    tep_draw_hidden_field('upload', '1') .
    tep_draw_hidden_field('business', MODULE_PAYMENT_PAYPAL_ID) .
    # shipping for the whole order, converted to the customer's currency and rounded to its precision
    # (no thousands separator: Paypal amount fields take a plain decimal)
    tep_draw_hidden_field('handling_cart', number_format($order->info['shipping_cost'] * $currencies->get_value($my_currency), $currencies->get_decimal_places($my_currency), '.', '')) .
    tep_draw_hidden_field('currency_code', $my_currency) .
    tep_draw_hidden_field('custom', $order->info['comments']) .
    tep_draw_hidden_field('return', tep_href_link(FILENAME_CHECKOUT_PROCESS, '', 'SSL')) .
    tep_draw_hidden_field('cancel_return', tep_href_link(FILENAME_CHECKOUT_PAYMENT, '', 'SSL'));

# add individual items and amounts to keep in PP transaction history and notices
$i = 0;
foreach ($order->products as $key => $arr) {
    $i++;
    # item_name_N carries the quantity in its text; amount_N is the line total (qty x unit price),
    # converted and rounded the same way as handling_cart so the items and the shipping agree
    $process_button_string .= tep_draw_hidden_field("item_name_$i", $arr["qty"] . " " . $arr["name"]) .
        tep_draw_hidden_field("amount_$i", number_format($arr["qty"] * $arr["final_price"] * $currencies->get_value($my_currency), $currencies->get_decimal_places($my_currency), '.', ''));
}
Save the file, and now every payment transaction from your OS-Commerce store that is processed with this payment module will send Paypal the item name and price of each item your customer is purchasing. The "handling_cart" field adds a single shipping fee to the entire order. If you want to charge shipping amount per item, see the manual mentioned in the code comment above and use multiple "shipping_X" fields inside the foreach loop instead.

Once you make this change, the email notices that Paypal sends to the shop owner after each purchase will contain a detailed list of what was bought. Both the customer and the merchant will also have detailed records of the itemized list stored in the Paypal transaction history. This is much better than just one aggregate item with a total price and no Paypal record of what the order consisted of. Remember, though, that these are hidden form fields submitted from the customer's browser, and nothing stops a customer from editing an amount before the form is posted: the store should still compare the amount Paypal reports as paid against its own order total before treating the order as paid.
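The same cart upload written as plain PHP, together with the check a store should make before trusting the result. This is an added example, not osCommerce's code, not the Paypal module's, and not the patch above: the osCommerce helpers (tep_draw_hidden_field, $currencies) are replaced with ordinary PHP, the order and notification data ($order_assumed, $ipn_assumed, sales@example.com) are constructed, and the step of echoing the notification back to Paypal for validation is left out.

```php
<?php
// Added example: not osCommerce's code, not the Paypal module's, and not the
// patch above. Names ending in _assumed and all sample data are made up.

// One order as the module sees it: rows with qty, name and final_price in the
// store's base currency (constructed sample data).
$order_assumed = [
    'comments'      => 'leave at back door',
    'shipping_cost' => 7.50,
    'products'      => [
        ['qty' => 2, 'name' => 'Widget, large', 'final_price' => 19.99],
        ['qty' => 1, 'name' => 'Gadget',        'final_price' => 5.00],
    ],
];

// Hidden-field values for a Website Payments Standard cart upload. $rate
// converts base currency to $currency and $decimals is that currency's
// precision, the two numbers the module gets from $currencies->get_value()
// and $currencies->get_decimal_places().
function paypal_cart_fields(array $order, string $business, string $currency, float $rate, int $decimals): array
{
    // Plain decimal with no thousands separator, which is what the amount fields take
    $money = function (float $base) use ($rate, $decimals): string {
        return number_format($base * $rate, $decimals, '.', '');
    };
    $fields = [
        'cmd'           => '_cart',
        'upload'        => '1',
        'business'      => $business,
        'currency_code' => $currency,
        'handling_cart' => $money($order['shipping_cost']),
        'custom'        => $order['comments'],
    ];
    $i = 0;
    foreach ($order['products'] as $item) {
        $i++;
        // amount_N is the unit price and quantity_N the count, so Paypal's own
        // records show "2 x Widget" instead of a quantity baked into the name
        $fields["item_name_$i"] = $item['name'];
        $fields["quantity_$i"]  = (string) $item['qty'];
        $fields["amount_$i"]    = $money($item['final_price']);
    }
    return $fields;
}

// The gross amount Paypal should report back for these fields.
function paypal_expected_gross(array $fields, int $decimals): string
{
    $total = (float) $fields['handling_cart'];
    for ($i = 1; isset($fields["amount_$i"]); $i++) {
        $total += (float) $fields["amount_$i"] * (int) $fields["quantity_$i"];
    }
    return number_format($total, $decimals, '.', '');
}

// Check an Instant Payment Notification against the order the store built.
// The hidden fields travel through the buyer's browser, so an edited
// amount_1 only becomes visible here. $ipn is Paypal's POST body; echoing it
// back to Paypal for validation before reading it is omitted.
function paypal_ipn_problems(array $ipn, array $fields, int $decimals): array
{
    $problems = [];
    if (($ipn['receiver_email'] ?? '') !== $fields['business']) {
        $problems[] = 'paid to a different Paypal account';
    }
    if (($ipn['mc_currency'] ?? '') !== $fields['currency_code']) {
        $problems[] = 'paid in the wrong currency';
    }
    if (($ipn['mc_gross'] ?? '') !== paypal_expected_gross($fields, $decimals)) {
        $problems[] = 'amount paid does not match the order total';
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment is not Completed';
    }
    return $problems;
}

$fields = paypal_cart_fields($order_assumed, 'sales@example.com', 'USD', 1.0, 2);
foreach ($fields as $name => $value) {
    // osCommerce's tep_draw_hidden_field() produces the same markup
    printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
        htmlspecialchars($name, ENT_QUOTES), htmlspecialchars($value, ENT_QUOTES));
}

// Constructed notification for the same order after the buyer edited amount_1
// in the browser: the gross is short of the 52.48 the order adds up to.
$ipn_assumed = [
    'receiver_email' => 'sales@example.com',
    'mc_currency'    => 'USD',
    'mc_gross'       => '17.50',
    'payment_status' => 'Completed',
];
print_r(paypal_ipn_problems($ipn_assumed, $fields, 2));
```

The shipping and every line amount go through the same conversion and rounding, so the items and handling_cart always add up to one number the store can hold Paypal's mc_gross against; any difference, a wrong receiver account, or a status other than Completed means the order is not paid, however detailed the notice email looks.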

Using my patch file to make the above change.
You can skip a whole lot of manual editing if you download the patch file included below, save it as paypal.patch in the same directory as the original paypal.php file, and then run the following shell command:
patch -b paypal.php < paypal.patch
The -b option will make a backup copy of the original file, just in case.

Tuesday, September 12, 2006

Getting your rental deposit back

My friend gets jammed up a lot. In July it was over his deposit on a residential rental that he shared with some roommates. The landlord stopped by two days before their lease expired to express some very demanding expectations about how her crummy little shack should be returned, otherwise it was coming out of their deposit.

Landlord's list of intended charges included:
  • the brown, unwatered sections of lawn
  • replacing dead landscaping bushes
  • edging and weeding
  • professional carpet cleaning in a damp sub-basement!
  • scrubbing stains out of 60 year old grout with particular cleaning products
  • replacing a stolen freezer

My friend knew this list was going to mean a large chunk of their $1,000 security deposit would be missing when they got it back. The landlord even hired a lawn psychiatrist to come over and pad the bill with exotic plant examinations. So I was asked to be there as a mouthpiece when the landlord returned to check on cleaning progress.

I did, and let her know (in the most helpful and innocent manner) that she really couldn't deduct a thing from the deposit because 1) the property is in the same condition now as it was when she rented it to them, and 2) she never did a written "check-in" sheet documenting the original condition, and without it, the law is not on her side for making deductions from the deposit.

We went back and forth, her pointing out some alleged damage, my saying it was like that when they moved in, her saying it wasn't, and my asking then for the move-in condition of that item on the non-existent "check-in" sheet.

After some tense moments, she left. Then I went to the library to write a pre-emptive letter for my friend to get the landlord to see why I was right and she would have to give back the whole deposit. It's included below, and you may copy it freely for personal use in saving your own security deposit from greedy slumlords.


A couple of weeks later, my friend received a refund from the landlord minus just one deduction, $149 for the landlord's freezer that was stolen from the garage earlier in the year. I'm certain that without my first letter laying out the legal analysis, there would have been many more deductions.

That last $149 still bothered him because he believes the thief was the landlord's son, or someone to whom the landlord gave keys, and because they also stole gear from his truck the same night. So it was up to me to secure return of that last amount, and I had reserved some of my ammo for just such an occasion.

Here is my second letter to the landlord, wherein I prove that white is black, and black is white, according as I am paid. You may freely copy it for personal use in recovering your own security deposit.




(I should also mention that between these two letters, I laid a small trap for the landlord should she have made any deductions for cleaning. Montana law states that before any cleaning charges can be deducted from a deposit, the landlord must give the tenant 24 hours to perform that cleaning himself, in order to avoid charges. I knew that she had already promised the house to another tenant on the same day my friend's lease was to expire, and that even if she knew about that statute, she would not have wanted to go through the inconvenience of following it. If she didn't follow it, then any charges for cleaning would have been easy to recover in court, plus additional damages for intentionally disobeying the law. In any case, this landlord never made a deduction for cleaning charges.)

The day before my deadline given in the second letter, my friend received this from the landlord, along with a check for $149.00.

I am in receipt of your letter dated August 23, 2006 stating that the freezer was taken from a locked garage, yet you stated to me last fall that the garage door was not locked and that you did not report the freezer theft to the police. Therefore, the freezer theft was due to your failure to lock the garage, and amounts to damage. The refrigerator you offered to leave behind did not include a freezer with similar capacity to the lost freezer. A judge with common sense would agree that you are responsible for the replacement freezer cost. Be that as it may, it is not worth my time to further address this matter, and am enclosing a check for $149.00, the cost of the freezer which was withheld from the deposit.


It's clear from her letter that the landlord still thinks she's right about the freezer, but probably sees that she is wrong about everything else and therefore won't take her chances in court.

Granted, my friend should not have told the landlord that he left the garage wide open, and I wish my friends would consult me by cellphone before making damaging public statements. However, even allowing that he might have left the door open, we would need to debate whether that constituted any comparative negligence in a quiet Missoula neighborhood, and even if it did, my friend's omission was not the proximate cause of the freezer being stolen. The superseding and intervening cause of its loss was solely the intentional act of an uninvited trespasser. Such a criminal act would break any chain of causation caused by acts or omissions of my client, and render my client not legally responsible for the loss.

An uninvited trespasser could have just as easily set the whole garage on fire, and by the same reasoning, the landlord would not be able to charge the smoking pile of debris against my friend's deposit.

Though there's a small chance she's right about the freezer (very small, don't bet on it), she's almost certainly wrong on the other items mentioned in my second letter which could cause her losses upwards of $3,000.00. That's why it's good to have many arguments, as long as each is strong.

Since this landlord also happened to be a (non-practicing) lawyer, she could recognize her risk, and also her disadvantage in being held to a higher standard regarding knowledge of landlord-tenant law.

If your landlord is just some old codger who doesn't consult lawyers and goes on just as he did in feudal times before tenant protection laws existed, then you might really have to sue him. And you should. It will help improve the quality of landlords and their business practices in your area.

Actually, I am sad that Landlord did not take us on. I was looking forward to splitting the take with my friend, 90% for me and 10% for him.

Friday, September 08, 2006

Windows Key to access Ubuntu Start Menu

I was so used to using the Windows Key on the keyboard to open the Windows Start menu, I just expect it to work on Gnome panels too.

If you don't already have an Ubuntu "Main Menu" item on your panel, you can add one by right clicking on the panel, choose "Add to Panel," then scroll down to "Utilities" and click the "Menu Bar" item and then the "Add" button. If you want to move that item around on your panel, you can figure out how to do that by right clicking it.

Now to bind the Windows Key to that item. Click your panel's "Main Menu" item, then "System," "Preferences," and "Keyboard Shortcuts." Under the "Desktop" group, click "Show the Panel Menu," then press your Windows Key and you will see the associated binding change to "Super_L". Click the "Close" button on this dialogue and you are done.

Now when you hit your Windows Key, it opens the Main Menu, equivalent to the Windows Start button.

Thursday, September 07, 2006

Stop gnome-terminal screen clear

Gnome-terminal (and Mac OSX Terminal.app) clears your screen when you quit a pager or editor and I don't like it. You won't like it either if you need to refer to the thing you were just looking at after you exit back to shell. This happens with man, less, more, pico, vi and others.

Here's an example of gnome-terminal automatically clearing the screen when exiting a pager. This is what needs fixing:



Here's what it does after we fix it. No more automatic clearing:



I used to fix this problem easily in the MUD by setting an environment variable: setenv NO_CLEAR 1

But Ubuntu Dapper is no LPMUD. I searched Google for the fix. Other people had the same complaint. The best source of synthesized info I found was here.

That writer, Akkana, understood the problem and offers some solutions for everything except gnome-terminal:
"...there's no way to tell gnome-terminal to disable the alt screen behavior."
I eventually found my own solution to fix gnome-terminal that I'll share at the end of this post, but first I want to review Akkana's, since her site doesn't accept comments.

First, she correctly identifies that gnome-terminal is the source of my problem. I confirmed that by dropping out of X to a real console (Ctrl+Alt+F2), logging into my shell, and checking my TERM environment variable:
echo $TERM
On a console, that returns "linux," and quitting any pager on a console leaves the paged info on my screen the way I want it. While in X (Ctrl+Alt+F7 to get back to X), using gnome-terminal, the $TERM variable is "xterm."

This means that whatever I do to fix this under X must leave the "linux" terminal definition alone, or I'll break my console. How limiting.

Akkana offered 3 ideas and I tried them all. The first was to create a file in my home directory called .Xdefaults (symlinked to .Xresources, just in case) that contains these lines:
XTerm*titeInhibit: true
xterm*titeInhibit: true
gnometerminal*titeInhibit: true
gnome-terminal*titeInhibit: true
and then launch new terminals both in the real xterm program and in gnome-terminal. Through trial and error, I determined that only the 2nd line above had any effect, and it only stopped screen clearing in the xterm program. That problem persisted in gnome-terminal.

If I would just use xterm, my work would be done. But I do not like xterm.

Akkana's next suggestion is to create a ~/terminfo/xtermnoalt.terminfo file and export a TERM for it into the bash environment. She provides the file, doctored xterm-color terminfo data, but with the ti/te and rmcup screen clearing bits removed. Without those, gnome-terminal is supposed to be tricked into never trying to use those features.

It sort of works, but causes an extra prompt warning that my terminal is broken:
~$ man man
Reformatting man(1), please wait...
WARNING: terminal is not fully functional
- (press RETURN)
I can hit RETURN and get the pager normally after that, and when I quit, my screen does not get cleared, but that broken warning is more irritating than the original problem.

The 'man' utility ultimately uses 'less' to do its paging, and 'less' is actually the program emitting that warning. Even though I always use 'more' instead of 'less,' and 'more' still works fine, I look at man files a lot, and I am not satisfied with these results.

Technically, I could go a bit further and just hack a fix for man. The man page for man (under the --pager option) says that man uses /usr/bin/pager for paging, and that's just a symlink to /etc/alternatives/pager, which is itself another symlink to /usr/bin/less. So I could change that last symlink to /bin/more and then 'man' and 'more' would work fine. But that is a crummy hack that still leaves pico (actually /bin/nano) totally broken:
~$ pico -w sdsd
Error opening terminal: xterm-noalt.
And I use pico a lot, so I'm still unsatisfied.

Akkana's last idea is to use a command option to 'less' to ignore terminal initializations, and yes, I could make an alias for that in ~/.bashrc so that I don't have to remember to type it (alias less='less -X') but pico would still be broken, and you know I need pico.

So I searched around the web trying to learn about termcap and terminfo. And that was hard. So instead, I downloaded all the other terminal emulators I could find, hoping to just dump gnome-terminal (apt-get install pterm aterm eterm multi-gnome-terminal konsole). I tried and hated them all.

In the end, I just got out my sledge hammer and did this:
mv /lib/terminfo/x/xterm /lib/terminfo/x/xterm.orig
ln -s /lib/terminfo/v/vt220 /lib/terminfo/x/xterm
That moves the original xterm definition out of the way and symlinks the vt220 definition in its place (both commands need root). VT220s do not have the "alternate screen" feature that makes your page disappear.

This fixes Gnome-terminal which is now being fed a vt220 definition that it thinks is xterm. Really, gnome-terminal should give users a way to turn off the annoying screen clearing feature. You and I are not the only ones that find it a nuisance.

[A reader later posted a much better solution in the Comments that uses infocmp and tic to "fix" the terminfo definition file used by the terminal program. URLs at the end of the Conclusion section.]

If you want to know how I came up with this elegant solution, I just did a 'man terminfo' (lots of websites said this was caused by "terminfo") and at the top of the page it said, "Synopsis: /etc/terminfo/*/*," so I looked in there (ls -l /etc/terminfo) and found a single README file which said that if this directory is empty, ncurses (the library in charge of cursors and terminal-like things) would look in /lib/terminfo/*/*. Looking there, I found all the term definitions and figured one of them would be without silly rmcup. Symlinking by trial and error, I found one that worked.

Conclusion

You can fix your broken gnome-terminal emulator by tampering with the terminfo definition files, and get gnome-terminal to swallow vt220 terminfo that is intentionally mislabelled xterm.

Nay-sayers may point out that vt220 is not the same as xterm and that this could cause other problems, but I haven't noticed any. If there are, they should be less annoying than xterm's rmcup screen clearing. I'm not worried. VT220s don't have any "dangerous modes" such as those from a vt100 that can lock up a vt220's output to "line printer."

The worst result I've seen from this switch, after using it for 10 minutes, is that the X-mouse won't work in console programs like sysv-rc-conf anymore, because it's designed for an xterm, not a vt220. No big deal.

If you really hate my idea, there may be, after all, some X resources in gnome-terminal for which ti/te can be inhibited that would fix the original problem, but I don't know what else they might be called. I suppose one could read the gnome-terminal source, or email the developer, if one were (subjunctive, condition contrary to fact) very determined.

I do wish gnome-terminal had a few more user-configurable items in its menus. But at least it has a menu. Really, I'm sad that since I said goodbye to Windows, I don't have VanDyke's SecureCRT anymore.

My psychiatrist says that I should just run it under wine.

Benjamin's Reader Comments provided a real solution that fixes the whole problem correctly, rebuilding a custom terminfo definition file:

toward the end or reprinted on his own site.

This solution also works great on Apple OSX in Terminal.app. In my case, on the Mac, I am using the "Homebrew" Terminal profile, which uses xterm-color, so that is the terminal definition that I customized:

infocmp > ~/xterm-color-noclear.src     # dump the current TERM (xterm-color) definition as editable source
pico ~/xterm-color-noclear.src          # rename the entry to xterm-color-noclear and delete the smcup= and rmcup= capabilities
mkdir ~/.terminfo                       # tic compiles into ~/.terminfo when it can't write the system directory
tic ~/xterm-color-noclear.src
export TERM=xterm-color-noclear         # use it in this shell now...
pico ~/.bashrc                          # ...and add that export line here so every new shell gets it
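The same infocmp/tic procedure done without the hand-editing step, as an added example that is neither Benjamin's nor Akkana's script and not part of the original post. It filters the source that infocmp prints, drops the smcup and rmcup capabilities Akkana's doctored file also removed, renames the entry so the original xterm definition is never touched, and compiles the result into ~/.terminfo. The function and variable names are mine, and the sample entry is a constructed, abridged imitation of infocmp output so the filter can be tried without a terminal database at hand.

```sh
#!/bin/sh
# Added example: not Benjamin's or Akkana's script. It does the infocmp/tic
# procedure above without hand-editing the source file, so it can be re-run
# for any terminal type. strip_altscreen reads an entry in infocmp format.

# Drop the smcup/rmcup capabilities (the switches to and from the alternate
# screen) from terminfo source on stdin, and rename the entry by appending
# a suffix (default "-noalt") so the original definition is left untouched.
strip_altscreen() {
    suffix="${1:--noalt}"
    awk -v suffix="$suffix" '
        /^#/ { print; next }                    # keep infocmp comment lines as they are
        !renamed && /^[^ \t]/ {                 # first unindented line: "name|alias|description,"
            sub(/,[ \t]*$/, "")
            split($0, parts, "|")
            print parts[1] suffix "|" parts[1] " without alternate screen,"
            renamed = 1
            next
        }
        {
            gsub(/(smcup|rmcup)=[^,]*, ?/, "")  # remove both switches wherever they sit on the line
            sub(/[ \t]+$/, "")
            if ($0 ~ /^[ \t]*$/) next           # a line that held nothing else can go
            print
        }'
}

# Succeed when terminfo source on stdin still carries either switch.
has_altscreen() {
    grep -Eq '(^|[[:space:],])(smcup|rmcup)='
}

# Compile a stripped copy of the named terminal type (default: $TERM) into
# ~/.terminfo, where ncurses looks before the system directories, verify the
# result, and print the export line to add to ~/.bashrc. Needs infocmp and tic.
install_noalt() {
    base="${1:-$TERM}"
    command -v tic >/dev/null 2>&1 || { echo "tic is not installed" >&2; return 1; }
    mkdir -p "$HOME/.terminfo"
    infocmp "$base" | strip_altscreen > "$HOME/${base}-noalt.src" || return 1
    tic -o "$HOME/.terminfo" "$HOME/${base}-noalt.src" || return 1
    if infocmp "${base}-noalt" | has_altscreen; then
        echo "${base}-noalt still switches screens" >&2
        return 1
    fi
    echo "export TERM=${base}-noalt"
}

# Constructed, abridged xterm entry in the shape infocmp prints (real output
# is much longer and indents with tabs; spaces are equally valid to tic).
SAMPLE='#       Reconstructed via infocmp from file: /lib/terminfo/x/xterm
xterm|X11 terminal emulator,
        am, bce, km, mir, msgr, xenl,
        cols#80, it#8, lines#24,
        bel=^G, clear=\E[H\E[2J, cr=\r, csr=\E[%i%p1%d;%p2%dr,
        rmcup=\E[?1049l, rs1=\Ec, sgr0=\E(B\E[m, smcup=\E[?1049h,
        tbc=\E[3g,'

# The sample run through the filter; the rmcup/smcup line keeps only rs1 and sgr0.
stripped_sample() {
    printf '%s\n' "$SAMPLE" | strip_altscreen
}

stripped_sample
```

Run `install_noalt xterm-color` on the Mac (or `install_noalt` for whatever $TERM is) and paste the printed export line into ~/.bashrc. Because the new entry is compiled under a different name, the console's "linux" definition and the system xterm entry are not modified, which is what the sledgehammer symlink above could not promise.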

Monday, July 03, 2006

eBay Scams Use Good English, Too

One of the comments to my original article said messages from people speaking poor English should be assumed to be a fraud, and that spotting fraud is basically as simple as that.



While that strategy will help one avoid some fraud, it does not permit one to enter a legitimate transaction with non-native English speakers. It also does not protect against attacks that come using good English, like this one:
X-Gmail-Received: 8bc0668f763bd8b5b375a143b754ccbca132c47e
Delivered-To: [my_email_address]
Received: by 10.54.158.8 with SMTP id g8cs39451wre;
        Mon, 19 Jun 2006 16:32:19 -0700 (PDT)
Received: by 10.35.50.9 with SMTP id c9mr8941412pyk;
        Mon, 19 Jun 2006 16:32:19 -0700 (PDT)
Return-Path: <mileaqw3@yahoo.com>
Received: from mx36.sjc.ebay.com (mxpool19.ebay.com [66.135.197.25])
        by mx.gmail.com with ESMTP id w63si924779pyw.2006.06.19.16.32.19;
        Mon, 19 Jun 2006 16:32:19 -0700 (PDT)
Received-SPF: neutral (gmail.com: 66.135.197.25 is neither permitted nor denied by domain of mileaqw3@yahoo.com)
Received: from sjcrow08.sjc.ebay.com (sjcrow08.sjc.ebay.com [10.6.67.61])
        by mx36.sjc.ebay.com (8.13.5/8.13.5) with ESMTP id k5JNWI9B022604
        for <[my_email_address]>; Mon, 19 Jun 2006 16:32:18 -0700
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
        by sjcrow08.sjc.ebay.com (8.11.6/8.11.6) with ESMTP id k5JNWIB11820
        for <[my_email_address]>; Mon, 19 Jun 2006 16:32:18 -0700
Message-Id: <200606192332.k5JNWIB11820@sjcrow08.sjc.ebay.com>
Content-Disposition: inline
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="ISO-8859-1"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.01 (F2.72; A1.60; B2.20; Q2.20)
Date: Mon, 19 Jun 2006 23:32:18 UT
From: mileaqw3@yahoo.com
To: [my_email_address]
Subject: =?ISO-8859-1?B?ZUJheSBTZWNvbmQgQ2hh?=
        =?ISO-8859-1?B?bmNlIE9mZmVyIGZvciBJ?=
        =?ISO-8859-1?B?dGVtIDQ2NTAzMzI4MDAg?=
        =?ISO-8859-1?B?LSAyMDA2ICBLYXdhc2Fr?=
        =?ISO-8859-1?B?aSA6IEtMWCAgS0xYIDI1?=
        =?ISO-8859-1?B?MFM=?=
        =?ISO-8859-1?B??=
X-Mailer: Rest Of World Mailer=ROW::EMail
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As the first article discussed, the Return-Path is wrong for a legitimate Second Chance offer.



The square block of gibberish text is the message payload, base64 encoded. The encoding is probably intended to foil email providers' spam and malicious mail filtering. If so, it's a weak attack since any good mail filter will be capable of base64 decoding and examining the content. In any case, the real eBay does not base64 encode messages, so this is clearly a fake. (The Subject line is encoded the same way, as RFC 2047 "=?ISO-8859-1?B?...?=" words; they decode to "eBay Second Chance Offer for Item 4650332800 - 2006 Kawasaki : KLX KLX 250S".)



The above decodes to the following text in the email client:



Dear [ebay_username],

You expressed interest in an item titled 2006 Kawasaki : KLX KLX 250S - Item Number 4650332800 by bidding, however the auction has ended with another member as the high bidder. In compliance with eBay policy, the seller is making this Second Chance Offer to you at your bid price of US $1,800.00 . The seller has issued this Second Chance Offer because he has duplicate items for sale or the winning bidder was unable to complete the transaction. If you accept this offer, you will be able to exchange Feedback with the seller and will be eligible for eBay services associated with a transaction, such as fraud protection.

===================================================

This request is related to item # 4650332800.

http://www.ebay.ph/viItem?ItemId=4650332800

===================================================

Marketplace Safety Tips

Never respond to an unsolicited email that includes incentives to buy or sell an item off the eBay Marketplace. If you get such an email, please report it to eBay at http://www.ebay.ph/helpTSForm.

Never pay for your eBay item through instant cash transfer services such as Western Union or MoneyGram - such services offer Internet shoppers no protection against fraud.

===================================================

Note: Immediately contact Rules & Safety http://www.ebay.ph/help?page=helpPolicies if one of eBay's rules were violated, such as:

- Your contact information was used for purposes unrelated to eBay business, published online or offline, or was used for the purposes of harassment.

- You received contact information that you believe to be erroneous.

Thank you for using eBay!

http://www.ebay.ph/


Aside from the bad mail headers, additional problems with the content of the offer give it away as a fake. In order of highlighted material above:

  1. The thief did not know my real name, as eBay would if this were a real offer.
  2. A stray space between the price and the period that ends the sentence, and between the pound sign and the item number.
  3. Reference to ebay.ph, which is the eBay domain for the Philippines. I don't shop there.


I write back, agreeing to pay. The thief replies using a Yahoo mail account from an AOL IP address that, combined with the timestamps in the mail headers and a subpoena for billing records, law enforcement could use to track down an actual person.



There is no foreign accent in this message, so you cannot rely on broken English alone to alert you to bad deals.



Hello,



This is John Mitchell, owner of the bike, writing you my terms of sale in order to complete our deal.

The winner of the auction was unable to follow through with the purchase so I decided to use eBay's Second Chance Offer service to contact the other bidders. You are the first one to answer and the selling price will be your highest bid placed on my listing. This will also include the shipping charges to your address. Yes, I will take care of delivery as I have a cousin which owns a shipping company and he will gladly do me this favor.

The bike is in excellent working condition and with clear title. You will receive all the necessary papers to get the bike registered into your name. You have my word that you won't be dissapointed [sic] in this unit.

As for payment, I would like to let eBay handle the transaction, as I am currently out of the country on the Carribean Islands. I am a scenic photographer and I am working for a new project here. So eBay will be the best solution for the both of us. I need your full name and address and also your eBay user id to start the process with them. They will then email you an electronic invoice for your purchase along with the payment instructions.

I will be waiting for your reply in order to conclude this deal as smooth as possible.
Thank you very much for your time.



Best regards,

John Mitchell

Scenic Photographer


  1. Offering you free shipping preys upon the victim's desire to get something for nothing. It also keeps the price set at the amount the victim was last willing to pay. The thief does not want the victim to back out over shipping charges! Of course, if you go back and look at the auction this fraud is referring to, the real seller explicitly states:
    winning bidder pays all shipping charges!


  2. The thief's general promise that all "necessary papers" will be included tends to show that the thief does not know what the necessary papers are, and is therefore, not the real seller. Different states have different titling requirements. A real seller would say, "this comes with a bill of sale because my state doesn't require titles," or, "the title has already been notarized," something more specific, demonstrating knowledge that a legitimate seller would know.

  3. The claim of being a "scenic photographer" is just misdirection and an attempt to lull the victim into a false sense of security. The fact that the thief's signature at the end of the email includes a job title, but no phone contact information shows again that this is a fraud. Anyone with a "signature" that lists a job title will also list a phone number. Besides, if you're about to spend a few thousand dollars, a real seller would give you his phone number to make sure the sale is completed. Thieves won't because they need to hide in the shadows of the internet.

  4. The reason the thief wants your full name and address is because he wants to dummy up a fake shipping Bill of Lading to make you feel like you are actually going to get the merchandise. The reason he wants your eBay user ID is because he needs to generate a fake invoice from eBay that wouldn't look authentic without referring to your eBay user ID, and at this point, the thief doesn't have that because he doesn't know which victim you are.



    He sent many fake offers to multiple victims through eBay's "Contact Member" feature, which only reveals your user ID to him, and not your email address. When you reply to the first fake offer, the thief has your email address, but no clue which eBay user ID it is associated with. Of course, if he only sent one fake offer and received an answer, he'd know the eBay user ID, but these thieves don't work that slowly. This fraud is taking place on a massive scale.


I reply to this message, providing a fictitious name, address and eBay ID. I confirm my last bid amount, intentionally supplying the wrong amount. His reply, by Yahoo Mail from another AOL IP address:


Ok,
you will receive the payment instructions from eBay first thing tomorrow morning.
please get back to me as soon as you hear from them.
Thank you.


As promised, the next morning, I receive this forgery:

X-Gmail-Received: 61bfa50c689e879991fa8974e1c9b24bd9771fcc
Delivered-To: [my_email_address]
Received: by 10.54.158.8 with SMTP id g8cs1138wre;
        Thu, 22 Jun 2006 06:53:33 -0700 (PDT)
Received: by 10.37.18.36 with SMTP id v36mr2024819nzi;
        Thu, 22 Jun 2006 06:53:33 -0700 (PDT)
Return-Path: <escrow@ebay.com>
Received: from mbe0.msomt.modwest.com (mbe0.msomt.modwest.com [216.220.25.82])
        by mx.gmail.com with ESMTP id 40si955960nzf.2006.06.22.06.53.32;
        Thu, 22 Jun 2006 06:53:33 -0700 (PDT)
Received-SPF: softfail (gmail.com: domain of transitioning escrow@ebay.com does not designate 216.220.25.82 as permitted sender)
Received: from findnot.com (mail.findnot.com [202.157.176.101])
        (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
        (No client certificate requested)
        by mbe0.msomt.modwest.com (Postfix) with ESMTP id 12B26D9057C
        for <[my_email_address]>; Thu, 22 Jun 2006 07:53:13 -0600 (MDT)
Received: from findnot.com (findnot.com [127.0.0.1])
        by findnot.com (8.12.11/8.12.11) with ESMTP id k5MDu3FS010458;
        Thu, 22 Jun 2006 09:56:05 -0400
From: "eBay Escrow Service"
To: [my_email_address]
Cc: mileaqw3@yahoo.com
Subject: Invoice for your eBay item #4650332800
Date: Thu, 22 Jun 2006 09:55:54 -0400
Message-Id: <20060622134740.M92493@findnot.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=OPENWEBMAIL_ATT_0.141870155780449"


Looking only at the mail headers, the email is clearly a fraud. Although the Return-Path and From fields are nicely forged, the Received headers show that the mail originated from an anonymizing service called findnot.com.



The message portion of this forged email was very sloppy, saying only:


Dear [wrong_ebay_user_id],

Your payment instructions are attached to this message.

Thank you for using our services.

eBay Escrow Team.


The email contained an HTML attachment, which eBay would never send. I viewed it because Gmail will disable any embedded web-bugs and scripting, but normally, you should never open any file attachments unless you asked for them or know what you are doing.



The attached document was an amateurish forgery of an eBay invoice listing the fake Buyer Information that I provided, the wrong price, the thief's false Seller Information, and these instructions:


Please visit your bank and make the payment by wire transfer using the below details of our eBay agent #27:

Account Holder : Joel Rojo
Bank Name : La Salle Bank
Bank address: 68 Stratford Drive, Bloomingdale, IL, 60108
Checking Account #: 5308953453
Bank Routing #: 071000505

Confirm the payment by sending us the bank payment receipt to:
Fax Number (312) 276-8546.


This is a real bank and a real account number (the thief needs to be able to retrieve his money!). In order to open a bank account in the U.S., you need to provide quite a bit of identification. Therefore, it would be relatively easy for law enforcement to capture this criminal by serving a subpoena on the bank for his account records.



Sadly, no law enforcement agencies are interested in pursuing this. I contacted the Illinois Attorney General's Office and got no response. I also talked to an FBI agent on the phone who let me know that his agency could not help unless damages exceeded $100,000.



So again, in a case that was even easier to investigate than the original (the trail in that one led to Germany), no law enforcement agency would take any steps to stop and punish this crime. Meanwhile, the thief continues to try to steal from people (perhaps 10, 50, 500 per day) every day.



Considering that it is well within the thief's ability to contact 100 marks per day using robot harvesters, mass mailing, and other computing power, he could have easily approached over 800 people in the week between the time he contacted me and the writing of this article. If just 2% of victims fall for the scheme (I would bet money the rate is much higher), and the average damage is $2,000 then this thief and others like him can collect (800 * 2% * $2,000) over $30,000 per week -- with no resistance from any law enforcement agency!



In just 4 weeks, this thief can crack the FBI's $100,000 minimum, but because he's stealing smaller amounts from many victims, no single victim will get any help from the FBI, which is probably the only agency technically capable of investigating and prosecuting this kind of crime.



EBay does not pursue reports of this kind of abuse, either. More than a week after I sent them a detailed report about how the eBay user registered with the email address "mileaqw3@yahoo.com" was using eBay's "Contact Member" system to perpetrate fraud, that user still has an open eBay account with which to commit these crimes.

Saturday, June 03, 2006

Second Chance eBay Scams (Part I)

The Con

Online scammers operate in many ways. All of them are designed to get at your personal and account information so they can steal from you. Sometimes, they take this information by force, through viruses or spyware. Other times, they expect you to just gladly hand it over! One setting where you're likely to do that is with big ticket items from eBay that seem too good to pass up.



I had been watching a dozen Kawasaki KLR250 motorcycle auctions on eBay over a couple of weeks. One in particular looked like a good deal. Nice pictures and lots of accessories. The seller had 405 feedback ratings, 100% positive.



If you're expecting a description of how this auction was a sham or this seller was trying to cheat, that's not what the story is about. This was a perfectly legitimate auction, with a fine seller with a fine reputation. This story is about what happens after the legitimate auction closes, and everyone thinks it's over.



It's about scammers trolling ended eBay auctions, and sending each non-winning bidder a fake "Second Chance" to buy the item, all the while trying to misdirect you into thinking that they are the seller whose feedback you checked out during the auction. This story is about how you can put the pieces together and figure it out, without being a network genius, and without losing a few thousand dollars.



The Offer

I bid on this bike the day before it closed, so my eBay ID was harvested from the item's bidding-history page. Before the auction closed, 5 different people outbid me. In this scam, all of us except the seller and the high bidder are the marks.



Six days after the auction ended, I get a "Second Chance" email offering to sell me the item at my last bid amount. In the excitement of being offered a sweet bike for just a fraction of its value, I almost didn't notice that this email was a forgery. The scam that I'm about to introduce you to involves someone - not the real seller - who sends fake "Second Chance" offers to all the non-winning bidders after the auction closes. The object of the scam is to collect a whole crop of bids by Western Union or wire transfer, and then disappear.



It begins with your receiving what looks like a "Second Chance" email for an item you recently bid on but didn't win. This fake offer is not from the real seller. The real seller doesn't know anything about it. In fact, this particular scam would be over right now if you just asked the real seller whether he/she really sent you a Second Chance offer. You can do that easily, by going back to the eBay website, pulling up the item, and clicking "Contact Seller."



But just for exercise, let's go through all the motions of the scam. All except the last one, where criminals get your money.



The Email

The fake offer arrives through eBay's official Message System, and you'll find it in "My eBay" under "My Messages." This might lull you into reduced vigilance for the rest of the scam, since the SPF / DomainKeys anti-spoofing mechanisms (if your mail server supports them and you look at them) will verify that the message did originate at eBay, plus eBay is always touting how all the legitimate stuff will always be in "My Messages."



The sender of your "Second Chance" is a thief who uses an actual eBay account to send this spoofed offer through the eBay message system. His eBay registration will use the same email address where he wants you to reply to the scam. Otherwise he would have to convince you to reply to an address other than the one automatically generated by the eBay message system, and that would be too suspicious. The email address he uses will be a throwaway, anonymous address easily obtained at Hotmail, Yahoo or similar*.
*All it would take to shine the light of day on the scam at this point would be if eBay's Search Items by Seller form would accept a registered eBay user's email address as an alternative to searching by user ID. The Find a Member page works with both, and so should "Find Items by Seller." If it worked that way, you could easily search for auctions by seller using the email address given to you in the "offer," (where the con-man needs you to reply), and the result would show that the person issuing this "offer" is not the seller of the auction where you were bidding.

Suggested to eBay June 3, 2006, 13:07

Since eBay doesn't display the seller's email address until you win an auction, it's not immediately obvious that the person you're talking to is not the seller from the auction. But this fake "Second Chance" email has a link to the auction that you bid in, and the key misdirection of the whole con is perfected when you assume that the bike you wanted has any relationship at all to the person sending you this email. It doesn't.



Even if you don't have a "known good" Second Chance offer to compare this one to, there are many ways to spot these fakes and eBay discusses them in its official publications. Real "Second Chance" emails that truly come from eBay will also appear in the "My Messages" section of your eBay account, with the exact subject line, "eBay Second Chance Offer for Item..." When you receive one by email, the mail headers will have a "Return-Path" of "SecondChanceOffer@ebay.com" and a trail showing the message originating on eBay's internet address space.



Legitimate Second Chance Headers

X-Gmail-Received: 9110f2803e9cadb7f2bde3d086718b780d839891
Delivered-To: ME@MY_EMAIL_ADDRESS
Received: by 10.70.54.2 with SMTP id c2cs613637wxa;
        Sun, 21 May 2006 02:00:44 -0700 (PDT)
Received: by 10.35.66.13 with SMTP id t13mr2998052pyk;
        Sun, 21 May 2006 02:00:44 -0700 (PDT)
Return-Path: <SecondChanceOffer@ebay.com>
Received: from mx16.sjc.ebay.com (mxpool08.ebay.com [66.135.197.14])
        by mx.gmail.com with ESMTP id k62si633282pyk.2006.05.21.02.00.43;
        Sun, 21 May 2006 02:00:44 -0700 (PDT)
Received-SPF: pass (gmail.com: domain of SecondChanceOffer@ebay.com designates 66.135.197.14 as permitted sender)
DomainKey-Status: good (test mode)
Received: from sj-wsyi221 (sj-wsyi221.sjc.ebay.com [10.11.91.32])
        by mx16.sjc.ebay.com (8.13.5/8.13.5) with ESMTP id k4L90hW6009393
        for <ME@MY_EMAIL_ADDRESS>; Sun, 21 May 2006 02:00:43 -0700
DomainKey-Signature: a=rsa-sha1; s=dk; d=ebay.com; c=nofws; q=dns;
        h=message-id:from:reply-to:to:subject:mime-version:
        content-type:x-ebay-mailtracker;
        b=mPi/egMTt99owdLepuzPZlZtnUDu4SrYNyCE0+Wl0vgEFYHZNBaSAO3MnHcQHDkRd
        4ajZR93oVRV4Md9y8GAXukxLkVIVrSb7PRsk/Kj5mPuUn0zI8m5886kz42D7zKctOMf
        K+4Jqj07zCVSCKN6/sVwmxK9HM1xhFY5//+urps=
Date: Sun, 21 May 2006 02:00:43 -0700
Message-ID: <1806957536.1148202043441.JavaMail.ebayapp@sj-wsyi221>
From: eBay
Reply-To: SecondChanceOffer@ebay.com
To: ME@MY_EMAIL_ADDRESS
Subject: eBay Second Chance Offer for Item #9730021438: Palm Treo 700w/Treo 700 Verizon Like New, Barely Use
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=1978973166.1148202042879.JavaMail.ebayapp.sj-wsyi221
X-eBay-MailTracker: 10039.461.0.64355

--1978973166.1148202042879.JavaMail.ebayapp.sj-wsyi221
Content-Type: text/plain;charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

----------------------------------------------------------------------
eBay sent this message to MY_REAL_NAME (MY_EBAY_ID).=20
Your registered name is included to show this message originated from eBay.=
=20
Learn more: http://pages.ebay.com/help/confidence/name-userid-emails.html


When tracing a message's path through the internet with mail headers, disregard the lines listing traffic on networks whose IPs begin with 10., 192.168., 172.16. through 172.31., or 169.254. The first three are the RFC 1918 private ranges and the last is the link-local range; none of them is routable over the internet, so those lines only record the mail bouncing around a private network either before or after it crossed the internet. The same goes for 127.0.0.1 (loopback), which appears when a message is handed from one program to another on the same host.



As in the above headers, when a mail actually originates at eBay, the first publicly routable IP address in the chain (reading from the bottom up, since each relay adds its Received line above the earlier ones) will belong to eBay. When verifying this, don't just take the "resolved" host name in the header for granted: that name is whatever reverse lookup the receiving relay did at the time, and a sender can insert forged Received lines of its own below the genuine ones. Do an nslookup on the IP yourself to make sure it resolves back to something under ebay.com. Reverse DNS is only as trustworthy as whoever controls the address block, so also check that the name resolves forward to the same IP, or look the block up in whois.



If the Return-Path in the headers is "SecondChanceOffer@ebay.com" AND the first publicly routable address in the Received chain belongs to eBay, then there's a pretty good chance this is a legitimate email. Mind you, a fraudulent message (like the one I received) can also be sent through the eBay message system, but those will contain a different Return-Path header of "member@ebay.com."



Please don't bank on Return-Path or other header information, though. If in doubt, just forward the message along with the original headers to spoof@ebay.com. They'll reply within an hour and tell you whether the message is forged or not. (Make sure you don't fall for any spoofed confirmations of legitimacy!) Still, even without looking at headers, there are many other clues to alert you. Read on.
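The checks in the last few paragraphs, together with the Return-Path and base64 observations from the July post above, as one script. This is an added example, not the blog author's code. It assumes the expected Return-Path the post quotes, and it runs on abridged, re-folded copies of three header sets quoted on this page: the legitimate offer above, the fake relayed through eBay's own system in the July post, and the forged payment mail quoted later in this post.

```python
"""Header triage for "Second Chance" mail: an added example, not the blog author's
code. It applies the checks the posts describe (walk the Received: chain from the
oldest hop, skip private/loopback space, take the first publicly routable address
as the origin, compare Return-Path, Received-SPF and the body encoding with a real
offer). The three samples are abridged, re-folded copies of headers quoted on this
page; the expected Return-Path is the one the post quotes."""
import email
import ipaddress
import re
from email.header import decode_header, make_header

# RFC 1918 private space, link-local and loopback: none says where a mail came from.
SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
DOTTED_QUAD = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
FROM_CLAUSE = re.compile(r"from\s+(.*?)(?:\s+by\s|$)")
RDNS_LABEL = re.compile(r"\(([^\s()\[\]]+)\s*\[")   # "(mxpool19.ebay.com [66.135..."


def is_unroutable(ip):
    return any(ipaddress.ip_address(ip) in net for net in SKIP_NETS)


def hops(msg):
    """(ip, label) from each Received: 'from' clause, oldest hop first.

    Relays prepend their Received: line, so the last one is the first hop. Lines
    with no 'from' clause (Gmail's 'by 10.x' lines, qmail's 'invoked from network'
    note) name no sender. The label is the reverse lookup the relay recorded at
    the time; re-resolve the IP yourself rather than trust it."""
    found = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = FROM_CLAUSE.match(" ".join(hdr.split()))       # unfold, then parse
        ip = DOTTED_QUAD.search(m.group(1)) if m else None
        if ip:
            label = RDNS_LABEL.search(m.group(1))
            found.append((ip.group(1), label.group(1) if label else None))
    return found


def triage(raw, expected_return_path="SecondChanceOffer@ebay.com"):
    """Indicators the posts check, plus the findings that argue for a fake."""
    msg = email.message_from_string(raw)
    m = re.search(r"<([^>]+)>", msg.get("Return-Path", ""))
    return_path = m.group(1) if m else msg.get("Return-Path", "").strip()
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    subject = str(make_header(decode_header(msg.get("Subject", ""))))  # RFC 2047 words
    chain = hops(msg)
    origin = next(((ip, lbl) for ip, lbl in chain if not is_unroutable(ip)), (None, None))
    findings = []
    if return_path.lower() != expected_return_path.lower():
        findings.append(f"Return-Path is {return_path}, not {expected_return_path}")
    if spf != "pass":
        findings.append(f"Received-SPF is {spf}, not pass")
    if msg.get("Content-Transfer-Encoding", "").strip().lower() == "base64":
        findings.append("body is base64-encoded; the post says eBay's own mail is not")
    return {"origin_ip": origin[0], "origin_label": origin[1], "hops": [ip for ip, _ in chain],
            "return_path": return_path, "spf": spf, "subject": subject, "findings": findings}


# Abridged from the legitimate offer's headers quoted above.
LEGIT = """\
Return-Path: <SecondChanceOffer@ebay.com>
Received: from mx16.sjc.ebay.com (mxpool08.ebay.com [66.135.197.14])
        by mx.gmail.com with ESMTP id k62si633282pyk.2006.05.21.02.00.43;
        Sun, 21 May 2006 02:00:44 -0700 (PDT)
Received-SPF: pass (gmail.com: domain of SecondChanceOffer@ebay.com designates 66.135.197.14 as permitted sender)
Received: from sj-wsyi221 (sj-wsyi221.sjc.ebay.com [10.11.91.32])
        by mx16.sjc.ebay.com (8.13.5/8.13.5) with ESMTP id k4L90hW6009393
        for <ME@MY_EMAIL_ADDRESS>; Sun, 21 May 2006 02:00:43 -0700
"""

# Abridged from the fake offer relayed through eBay's own system (July post above).
FAKE_VIA_EBAY = """\
Return-Path: <mileaqw3@yahoo.com>
Received: from mx36.sjc.ebay.com (mxpool19.ebay.com [66.135.197.25])
        by mx.gmail.com with ESMTP id w63si924779pyw.2006.06.19.16.32.19;
        Mon, 19 Jun 2006 16:32:19 -0700 (PDT)
Received-SPF: neutral (gmail.com: 66.135.197.25 is neither permitted nor denied by domain of mileaqw3@yahoo.com)
Received: from sjcrow08.sjc.ebay.com (sjcrow08.sjc.ebay.com [10.6.67.61])
        by mx36.sjc.ebay.com (8.13.5/8.13.5) with ESMTP id k5JNWI9B022604
        for <[my_email_address]>; Mon, 19 Jun 2006 16:32:18 -0700
Content-Transfer-Encoding: base64
Subject: =?ISO-8859-1?B?ZUJheSBTZWNvbmQgQ2hh?=
        =?ISO-8859-1?B?bmNlIE9mZmVyIGZvciBJ?=
        =?ISO-8859-1?B?dGVtIDQ2NTAzMzI4MDAg?=
        =?ISO-8859-1?B?LSAyMDA2ICBLYXdhc2Fr?=
        =?ISO-8859-1?B?aSA6IEtMWCAgS0xYIDI1?=
        =?ISO-8859-1?B?MFM=?=
"""

# Abridged from the forged "payment" mail quoted later in this post.
FORGED_WEBMAIL = """\
Return-Path: <aw-confirm@ebaysecondchance.com>
Received: from burntmail.com (burnt-tech.com [66.98.218.53])
        by mx.gmail.com with SMTP id 7si1587200wrh.2006.06.02.08.56.54;
        Fri, 02 Jun 2006 08:56:54 -0700 (PDT)
Received-SPF: neutral (gmail.com: 66.98.218.53 is neither permitted nor denied by best guess record for domain of aw-confirm@ebaysecondchance.com)
Received: (qmail 10171 invoked from network); 2 Jun 2006 15:56:50 -0000
Received: from unknown (HELO burntmail) (127.0.0.1)
        by localhost with SMTP; 2 Jun 2006 15:56:50 -0000
Received: from 172.181.66.214 (unverified [172.181.66.214])
        by burntmail (VisualMail 4.0) with WEBMAIL id 10169; Fri, 02 Jun 2006 15:56:50 +0000
"""
```

Feed triage() the raw headers of a message (in Gmail, "Show original") and act on the findings. An empty findings list plus an origin that reverse-resolves under ebay.com is the "pretty good chance" case the post describes, not proof; the forged sample shows why the private-range test has to be exact: 172.181.66.214 is outside 172.16/12 and is the AOL address the post later names, not internal traffic.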



Evaluating Authenticity

When you receive an officially sanctioned message, eBay will use your real name at the beginning of the message, "eBay sent this message to YOUR_REAL_NAME (your_ebay_id)." They know your name because you gave it to them when you signed up. A scammer is not going to know your real name at this stage of the scheme, hence, it is not included in your shiny fake Second Chance email.



Real eBay messages also contain warnings and URLs with information to help you avoid falling for spoof emails. Forged ones usually don't. Real ones offer you a link to "Buy it Now" that will take you back to the eBay website where you buy the item through PayPal or another standard/somewhat-safe method. Fake ones ask you to buy by "replying" to email and eventually broach the topic of Western Union and wire transfers.



Real ones will have no errors in the message body. The fake one I got had an extra space between a period and the end of a sentence:

"buy this item or contact seller at wurrammnd@hotmail.com ."


Even without any of the above indicators, we still have plenty more carelessness, errors and inconsistencies warning us this deal is a fraud. All my correspondence from this "Frank Vorus" was lousy with them.



Comparing Samples

First, I noticed that the name he used in email to me (Frank Vorus) bore no relation at all to the seller's user ID on eBay. Although a little "off," by itself, not terribly significant. But these criminals are not very bright, and they leave a lot more clues. Take his first personalized message to me:

"I am glad that you are still interested to purchase my item. As is described on the auction the item is full operational and in proper woeking [sic] conditions."


Notice the stilted broken English. That's nothing by itself either, until the writing sample above is compared with the writing style of the original item description, written by the real seller. The real seller's writing wasn't perfect, but he was clearly a native English speaker. I also compared writing samples from the several emails I received from "Frank" with the 375 feedback messages that the real seller on eBay had "Left for Others."

"EXCELLENT!!!! AWSOME!!!! GREAT TRANSACTION!!!!"

"despite repeated emails-no reply-no payment-never contacted me-LOSER"

"Very fast. Item was in perfect shape. Wonderful transaction"

"neat little item-perfect for me-fast shipping!!! great ebayer"

"Got the item right away-it's neat"

"quick shipping even from Ausieland-nice guy to do business with"



The feedback / item description were definitely NOT written by the same person now sending me emails. Maybe if Frank went to an American high school and had some practice handing in copied homework, he could have pulled this off.



Frank also kept talking about how he would ship the bike. The scam could get messy if I came to pick it up and pay in person:

"You want to pick it up, but first off [sic] all i need to see the payment details, as eBay instructed us. Once i have the payment details i will deliver the bike to your home address."


Those statements are in direct contradiction with the original item description written by the real seller:

"MUST PAY IN CASH OR MONEY ORDER!!!! MUST PAY WITHIN FOUR(4) DAYS AFTER AUCTION DONE. YOU MUST PICK UP-NO SHIPPING."


The Bait

Criminals often offer gratuitous excuses that ultimately give them away. Happens all the time on COPS™. Here's a good example:

"I asked eBay to send you a Second Chance Offer becuase [sic] the winner had some personal problems with the money and couldn't handle the situation at this time."


That's very understanding of him. A little more information than one would expect.

"If you are still interested to purchase the item is still available for sale and you have the opportunity to purchase this item at your last bid price."


Aside from the broken English inconsistent with the real seller's writing style, my last bid price was only 2/3 of the winning bid. This bike could easily sell for more than the winning bid if it was relisted. Why would it be offered to me at this price? Four other people bid more than I did, in amounts much closer to the winning bid. Wouldn't one of them have jumped at this already? That's the part that is supposed to hook you, preying on the victim's own greed, a deal so good, you can't resist.



Of course, the scam would be over right now if I just asked the winning bidder whether he bought the item, or whether he backed out because there was something wrong with the seller or the item. You can do that by going back to eBay, pulling up the auction, clicking the user ID of the winning bidder, and then clicking "Contact Member."



Building Trust

In Frank's second mail, he also asks me for some basic information - name, address and eBay ID, claiming to need it in order to start an "official eBay transaction." It made no sense to me, but all the information seemed harmless enough. In retrospect, this might have been an attempt to get enough information to break into MY eBay account. Many people use their address or zip code as a password. Another possibility is that he just wanted to list my address as the "Shipping Address" on his upcoming forged invoice to make me feel more comfortable about paying.



Speaking of paying, he closes with:

"You'll also receive important guidelines + instructions from eBay regarding our transaction (please go through them exactly). I'll handle the shipping, so this will be free of charge for you ."


Another telltale mistaken space between the period and end of sentence, indicating that the author of this message is also the author of the earlier one that was supposed to have come from eBay. More good deals to motivate me (free shipping for a 250lb motorcycle?!) and buttering me up to follow "exactly" instructions in the forged email that he'll send to me in a few minutes. Too bad his shipping promises contradict both the item description and my email to him explaining that I'd only buy the bike in person.



Later, he sends another email to shepherd me to the fleecing:

"i [sic] have requested that the details of the transaction to be verified and if everything will be ok then the transaction will be guaranteed. Once guaranteed by ebay, the transaction will be safe for both of us. Please wait for ebay's confirmation that the transaction is ok and please read carefully all the instructions that ebay will send to you. It's very important that we follow the instructions."


Yes, very important we follow the instructions. We don't want our mark accidentally sending money to the wrong thief!



Deconstructing the Payoff

One minute later, a forged email dressed to look like it came from eBay arrives, with the subject:

"You must send payment of US $2,200.00 shortly for your Item"


"Shortly for my item?" EBay copy doesn't sound like that. Return-Path in the mail headers lists "aw-confirm@ebaysecondchance.com." A WHOIS on the domain "ebaysecondchance.com" shows it hosted and registered by 1-and-1 webhosting in Germany. That's what happens when a webhost gives away 3 free years of web hosting plus a free domain name. The first internet routable IP network in the mail headers is burnt-tech.com out of Canada, confirmed with reverse nslookup. Headers also show this guy used the burnt-tech webmail program to send this while online himself from an America Online IP address.



Forged Mail Headers, not from eBay:


X-Gmail-Received: 2bb2b2f0ee468534d60ec4a806ba172f2f9e2dae
Delivered-To: ME@MY_EMAIL_ADDRESS
Received: by 10.70.31.11 with SMTP id e11cs34834wxe;
        Fri, 2 Jun 2006 08:56:54 -0700 (PDT)
Received: by 10.54.94.16 with SMTP id r16mr2041853wrb;
        Fri, 02 Jun 2006 08:56:54 -0700 (PDT)
Return-Path: <aw-confirm@ebaysecondchance.com>
Received: from burntmail.com (burnt-tech.com [66.98.218.53])
        by mx.gmail.com with SMTP id 7si1587200wrh.2006.06.02.08.56.54;
        Fri, 02 Jun 2006 08:56:54 -0700 (PDT)
Received-SPF: neutral (gmail.com: 66.98.218.53 is neither permitted nor denied by best guess record for domain of aw-confirm@ebaysecondchance.com)
Received: (qmail 10171 invoked from network); 2 Jun 2006 15:56:50 -0000
Received: from unknown (HELO burntmail) (127.0.0.1)
        by localhost with SMTP; 2 Jun 2006 15:56:50 -0000
Received: from 172.181.66.214 (unverified [172.181.66.214])
        by burntmail (VisualMail 4.0)
        with WEBMAIL id 10169;
        Fri, 02 Jun 2006 15:56:50 +0000
From: "eBay"
To: ME@MY_EMAIL_ADDRESS
Importance: Normal
Sensitivity: Normal
Message-ID:
X-Mailer: Mintersoft VisualMail, Build 4.0.111601
X-Originating-IP: [172.181.66.214]
Date: Fri, 02 Jun 2006 15:56:50 +0000
Organization: m
Subject: You must send payment of US $2,200.00 shortly for your Item #4641831009
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--=_vm_0011_W634929128_10169_1149263810"

----=_vm_0011_W634929128_10169_1149263810
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable


Second Chance Offer - Buy The Item You Recently Bid On

Dear MY_EBAY_ID,


Tracking the Perp

The mail headers tell me that the IP address of the computer the perpetrator is using is 172.181.66.214. Nslookup tells me that's an AOL (formerly America Online) IP. But I can also compare the geographic location of his IP with the geographic location of the auction as listed on eBay. When I entered the thief's IP address in GeoIP Lookup, it told me that his approximate physical location was somewhere in Germany. A few other GeoIP lookup services estimated Kansas, Florida and Maryland.



Because of the varying results and the inherent inaccuracy of geographically mapping virtual IP space, I corroborated his location using a different method, traceroute. According to tracking done by Visual Trace, the trail toward his IP leads to Frankfurt, Germany before getting lost behind a firewall.



Either way, the person writing me is likely nowhere close to Tehachapi, California where the shiny red motorcycle is supposed to be. By contrast, GeoIP lookup on the real seller's IP address (taken from headers of email communication I had with him) resolves to the location listed in the auction - Tehachapi, CA.
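The header analysis above, as an added example that is not code from the original post: a short Python script that walks the Received chain of the quoted message from the earliest hop upward, skips loopback and private addresses, reports the originating IP together with that hop's time stamp in UTC (the two facts an abuse report to the ISP needs), and pulls the envelope-sender domain out of the Received-SPF line to compare with the "eBay" display name. The header text embedded in the script is constructed from the headers quoted above; the first (gmail) hop is cut off on this page, so its sending host appears as the placeholder relay.example with the 66.98.218.53 address taken from the Received-SPF line, and the recipient address is a placeholder. The GeoIP and traceroute steps need network access and are left out.

```python
"""Walk a phishing e-mail's Received chain to find the originating IP.

Added example, not code from the original post. SAMPLE is constructed
from the headers quoted in the post: the first (gmail) hop is cut off
there, so its sending host is the placeholder relay.example and its IP
is taken from the Received-SPF line; the recipient is a placeholder.
"""
import email
import ipaddress
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

SAMPLE = """\
Received: from relay.example (66.98.218.53)
        by mx.gmail.com with SMTP id 7si1587200wrh.2006.06.02.08.56.54;
        Fri, 02 Jun 2006 08:56:54 -0700 (PDT)
Received-SPF: neutral (gmail.com: 66.98.218.53 is neither permitted nor denied by best guess record for domain of aw-confirm@ebaysecondchance.com)
Received: (qmail 10171 invoked from network); 2 Jun 2006 15:56:50 -0000
Received: from unknown (HELO burntmail) (127.0.0.1)
  by localhost with SMTP; 2 Jun 2006 15:56:50 -0000
Received: from 172.181.66.214 (unverified [172.181.66.214])
  by burntmail (VisualMail 4.0)
  with WEBMAIL id 10169;
  Fri, 02 Jun 2006 15:56:50 +0000
From: "eBay"
To: victim@example.invalid
X-Originating-IP: [172.181.66.214]
Date: Fri, 02 Jun 2006 15:56:50 +0000
Subject: You must send payment of US $2,200.00 shortly for your Item #4641831009

"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def public_ips(text):
    """IPv4 addresses in text that are routable on the public Internet
    (drops 127.0.0.1, RFC 1918 space and anything that is not an address)."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if addr.is_global and candidate not in found:
            found.append(candidate)
    return found


def hop_time_utc(received):
    """The time stamp a Received line carries after its final ';', as UTC ISO 8601."""
    stamp = received.rsplit(";", 1)[-1].strip()
    dt = parsedate_to_datetime(stamp)
    if dt.tzinfo is None:  # a '-0000' zone yields a naive datetime; treat it as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat()


def analyze(raw):
    msg = email.message_from_string(raw)
    # Each relay prepends its own Received line, so the list reads latest-first.
    received = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    hops = []
    for line in received:
        by = re.search(r"\bby (\S+)", line)
        hops.append({"from_ips": public_ips(line), "by": by.group(1) if by else None, "raw": line})

    originating_ip = originating_time = None
    for hop in reversed(hops):  # earliest hop first
        if hop["from_ips"]:
            originating_ip = hop["from_ips"][0]
            originating_time = hop_time_utc(hop["raw"])
            break

    x_orig = public_ips(msg.get("X-Originating-IP", ""))
    spf = " ".join(msg.get("Received-SPF", "").split())
    spf_result = spf.split(" ", 1)[0] if spf else None
    m = re.search(r"domain of \S+@([\w.-]+)", spf)
    envelope_domain = m.group(1).lower() if m else None
    from_hdr = msg.get("From", "")
    # Display name claims eBay, but the envelope sender's domain is not ebay.com.
    brand_mismatch = "ebay" in from_hdr.lower() and not (
        envelope_domain == "ebay.com" or (envelope_domain or "").endswith(".ebay.com"))

    return {
        "hops": hops,
        "originating_ip": originating_ip,
        "originating_time_utc": originating_time,
        "x_originating_ip": x_orig[0] if x_orig else None,
        "x_originating_matches": bool(x_orig) and x_orig[0] == originating_ip,
        "spf_result": spf_result,
        "envelope_domain": envelope_domain,
        "from_header": from_hdr,
        "brand_mismatch": brand_mismatch,
    }


if __name__ == "__main__":
    r = analyze(SAMPLE)
    for i, hop in enumerate(reversed(r["hops"]), 1):
        print(f"hop {i}: from {hop['from_ips'] or '-'} by {hop['by']}")
    print("originating IP:", r["originating_ip"], "at", r["originating_time_utc"])
    print("X-Originating-IP agrees:", r["x_originating_matches"])
    print("SPF:", r["spf_result"], "for", r["envelope_domain"],
          "| From:", r["from_header"], "| brand mismatch:", r["brand_mismatch"])
```

One caveat worth keeping in mind: a sender controls every Received line that sits below the ones added by servers you trust, so the "originating" address is only as reliable as the relay that recorded it. Here it was stamped by the webmail front end that the scammer logged into, and the X-Originating-IP header the same system added agrees with it, which is why the two are compared rather than either being taken on its own.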



AOL keeps records of all its users' logins and the IP addresses assigned to each user during the login period. Since these mail headers have both the perpetrator's AOL IP address and exact timestamps, it would be easy for AOL to come up with the identity of the criminal from its service billing records and provide it to law enforcement. The problem is that most police don't understand how to investigate and prosecute this kind of computer fraud. Local police would rather refer you to the FBI, and the FBI can only be bothered with big, important cases with high dollar amounts. As a result, these kinds of criminals are free to attempt their crime as many times as they need to, until they succeed. Consider how that would be if police treated attempted bank robberies the same way.



Recognizing Trouble

The purpose of the final forgery is to persuade me to transfer a couple thousand dollars by Western Union -- a payment method the real eBay specifically warns its customers NOT to use in almost every piece of correspondence they send.



The fraudulent message uses comforting words like "insured", "verified," "protection," "refund," and "in association with eBay Inc." to coax me into compliance. I am supposed to "Pay for the transfer with cash at a local Western Union agent."



And, in case I was wavering, wondering whether or not I should send the money, the scammer targets the mark's desire to get something for nothing -- a 50% discount on the wire transfer fee!

"Because the fee to send a Western Union Money Transfer is high, compared to other methods of payment, we have arranged with the seller to compensate for half of this fee (i.e. if it costs you $100.00 to send the payment, take $50.00 from the amount insured and send the balance)."


So many elements of a confidence game manipulate the greed or dishonesty of the victim. So remember the old saying, "You can't cheat an honest man."



Closing the Deal

I write him back to tell him that if I am going to buy anything, it will be in person and only after checking out the quality of the merchandise first. I ask him for his phone number, address, real contact points where even clueless police might be able to pick him up. He doesn't go for it. Instead, he appeals to me to just do "as eBay instructed us," invoking their higher authority. It's a tactic con-men use to exploit the comfort most people take in following rules and doing what they're told.



Before closing this case, I warned the other non-winning bidders of this auction and, even though it's nigh impossible to file a security incident report, I reported the situation to eBay. But eBay is busy, and they are not looking into it.



In fact, 6 days after I emailed multiple detailed complaints to eBay (each one answered by just more dull, canned text by CSRs with different first names), explaining how this person was using an actual eBay account to victimize other users by relaying spoofed messages through the official eBay message system, and despite feel-good assurances by eBay representatives like "Ide,"

"I have reviewed your report and have taken appropriate action in accordance with our policies. Such action may include issuing a warning, a temporary suspension, an indefinite suspension or terminating the membership. Out of concern for our members' privacy, we don't discuss the specifics of the actions we take in these situations."


eBay's Member Search page shows that the perpetrator still has his valid eBay account:

"The email address wurrammnd@hotmail.com is used by a valid eBay member with a feedback score of 0 (0% positive). For privacy purposes, it is eBay's policy that User IDs are not revealed to members who are not involved in current or recent transactions with each other."


While I am stuck in a feedback loop with eBay's robot employees, this con-artist keeps his eBay account, and no organized countermeasures are mustered against him. He has been free to run the same scam hundreds more times since my first report to eBay's security group.



If this particular thief ultimately succeeds in stealing someone's money, a good lawyer could make a great case that eBay is negligent for failing to revoke the fraudulent account after having notice of it, and that eBay should be held liable for the damage.



Vigilance

These crooks will always be able to vary slightly from the outline presented here, but they will always make mistakes that give themselves away. They're not that smart. If they were, they wouldn't have to be criminals.



For the volume of confidence scams connected to eBay, the ironic slogan, "bid with confidence" is certainly appropriate.