# Spammer almost fooled me!

I generally manage to recognise spam quite easily. But this email from payments-messages@amazon.co.uk did a reasonably good job of trying to fool me. And why did it almost fool me? Because I’ve occasionally bought stuff from Amazon, including from the British site.

What made it look reliable was the fact that all links to the Amazon website did indeed point to the Amazon website. Most spammers show one URL in the email, but hidden beneath it is a link that sends you to a completely different website. So, where did it go wrong for this spammer?

Well, I had not ordered anything from Amazon and I definitely did not return anything to them either. So, this message was unfamiliar to me. It was strange, thus suspicious. Still, I did not see anything harmful until I looked down and saw an extra message and an attachment included in the email…

And that was even more suspicious! It is very likely not a document but some piece of malware hidden in a document. I don’t know and I don’t want to know. Opening it will infect my system, so it stays closed.

The email claims there’s an “advanced electronic signature” attached to this note and that I need to add it as a trusted certificate. Well, never do such a silly thing just because someone asks you nicely by email. Once a certificate is installed as a trusted root, your browser will accept any certificate signed with it, so whoever holds that key can impersonate any website. It can be reasonably harmless and just inject advertisements into every web page you visit from then on. Or it allows some hacker to do a man-in-the-middle attack on your online banking session. That would cost you a lot of money!

There was a third reason why I knew it was fake. I have a whole domain name with the possibility to create an unlimited number of email aliases. I use a special alias for Amazon and this email was not received on that alias.

I also use Google Apps and created a Google group within my domain for those aliases that tend to receive a lot of spam. So, spammers end up in this group, from where I can collect any data and offer it to anyone I like. And this email arrived in my spam box! Thus, I knew it was spam before I even looked at it. Still, some emails just make me curious, and the Google group is a reasonably safe area to contain this kind of spam.

Too bad, though. I would have liked the extra cash in my bank account.

Still, there are a few more things that should warn you that this is a fake email. For example, the email tells you to download and install Adobe Acrobat Reader, but the attached document is a Word document, not a PDF. And the talk about the electronic signature is highly suspicious.

For the technicians among you, there’s even a clear warning signal in the headers of this email:

Received-SPF: fail (google.com: domain of payments-messages@amazon.co.uk does not designate 2.179.101.14 as permitted sender) client-ip=2.179.101.14;
spf=fail (google.com: domain of payments-messages@amazon.co.uk does not designate 2.179.101.14 as permitted sender) smtp.mail=payments-messages@amazon.co.uk;


That’s right! Amazon publishes an SPF record for its domain that lists which mail servers are permitted to send email for amazon.co.uk, and Google checks incoming mail against that record. The IP address this email was sent from is not one that Amazon has authorised, so the check fails. In fact, this IP address seems to be used by spammers for more of their spamming and hacking attempts.
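To make the header check above concrete, here is an added example (my own code, not part of the original post and not Google’s or Amazon’s software) that evaluates a client IP against an SPF record the way a receiving mail server does, and parses the Received-SPF line quoted above. The SPF records in it are constructed from documentation address ranges and are not amazon.co.uk’s real record; a local dictionary stands in for the DNS TXT lookups. It goes slightly beyond the post by handling all four SPF qualifiers and nested include mechanisms.

```python
# Added example, not code from the original post.
# Evaluates a sender IP against an SPF record and parses the Received-SPF header.
# The records below are CONSTRUCTED (documentation address ranges), not real ones.
import ipaddress
import re

SPF_RECORDS = {
    # hypothetical records, looked up locally instead of via DNS TXT queries
    "amazon.co.uk": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.test -all",
    "_spf.example.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:192.0.2.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-causing terms at 10 per evaluation


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror) for
    client_ip sending mail as <...@domain>.

    Supports ip4, ip6, include and all with all four qualifiers. Mechanisms
    that need live DNS (a, mx, ptr, exists) and the redirect modifier are
    reported as permerror in this offline version.
    """
    record = records.get(domain.lower())
    if record is None:
        return "none"
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(arg, client_ip, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral from the included domain: no match, carry on
        else:
            return "permerror"
    return "neutral"  # no mechanism matched and no explicit "all"


# The Received-SPF header quoted in the post, as one line.
RECEIVED_SPF_HEADER = (
    "Received-SPF: fail (google.com: domain of payments-messages@amazon.co.uk "
    "does not designate 2.179.101.14 as permitted sender) client-ip=2.179.101.14;"
)

RECEIVED_SPF_RE = re.compile(
    r"^Received-SPF:\s*(?P<result>pass|fail|softfail|neutral|none|temperror|permerror)\b"
    r"(?:\s*\((?P<comment>[^)]*)\))?"
    r".*?client-ip=(?P<ip>[0-9A-Fa-f.:]+)",
    re.IGNORECASE | re.DOTALL,
)


def parse_received_spf(header):
    """Extract result, client IP and checked sender from a Received-SPF line.
    Returns None when the line is not a Received-SPF header."""
    m = RECEIVED_SPF_RE.match(header.strip())
    if not m:
        return None
    comment = m.group("comment") or ""
    sender = re.search(r"domain of (\S+@[^\s)]+)", comment)
    return {
        "result": m.group("result").lower(),
        "client_ip": m.group("ip"),
        "sender": sender.group(1) if sender else None,
        "sender_domain": sender.group(1).split("@", 1)[1] if sender else None,
    }


def cross_check(header, records=SPF_RECORDS):
    """Compare the receiver's verdict in the header with our own evaluation
    of the sender domain's record for the same client IP."""
    info = parse_received_spf(header)
    if info is None or info["sender_domain"] is None:
        return None
    local = check_spf(info["sender_domain"], info["client_ip"], records)
    return {"receiver": info["result"], "local": local, "agree": info["result"] == local}
```

With the post’s own header and the constructed record, both verdicts come out as fail for 2.179.101.14. A softfail (~all) is weaker evidence: receivers usually only mark such mail rather than reject it, which is why the other checks in the post (alias, attachment, wording) still matter.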

So, what do we learn from all this? First of all, the use of email aliases told me this was spam before I even saw it. Second, you need to read carefully and see if the email makes strange requests. Third, be careful when opening attachments. Better yet, never open an attachment that you did not ask for!

# Lotteries are a rip-off! (And yet I play along.)

First, an apology to my international friends who don’t understand Dutch. Occasionally I have a topic that’s just more interesting for people in my region than for the whole world. Like this one, where I’m grumbling about lotteries in the Netherlands and how they almost force you to buy tickets. I’m especially talking about some lotteries that are mostly known in the Netherlands and target Dutch people, so I wrote this in Dutch. I do know that Google Translate can do an excellent job of translating, though! But if you’re not Dutch, then this is probably not so interesting for you.

Have you ever taken part in a lottery? And did you ever win anything? The most common complaints in the Netherlands are that it is all a pure rip-off, that it is mainly the organisation that gets rich from it, and that if you do win something, the prize is usually not even worth the trouble and often not even higher than your stake. And yes, that is how I think about it too.

Lotteries were not invented to give money away but to collect money for certain goals. Often the goal is simply filling the organisers’ pockets, but Dutch legislation has put a reasonable stop to that with the gambling legislation. The Betting and Gaming Act (Wet op de kansspelen) imposes strict rules on games of chance in the Netherlands, partly to prevent or reduce the risk of gambling addiction, but also to fight crime, because organisers can earn a lot of money with games of chance. And the organisers have a duty of care towards the players: they must point out the risks and the odds and, above all, state what the money the organiser earns is used for.

For lotteries with (large) cash prizes, permission from certain government bodies is also needed, and those often set requirements for the purpose of the proceeds. That is why most lotteries in the Netherlands are tied to charities: otherwise they simply don’t get permission. There could be lotteries whose purpose is simply lining the organisers’ pockets, but because the purpose has to be stated to the participants, that comes across as very unsympathetic and is therefore rarely used as a goal.

On top of that, 29% gambling tax has to be paid on every prize above € 454. And that too has to be communicated to the participants! It’s nice when you win, say, € 1,000 with the Lotto, but in the end only € 710 arrives in your bank account. The Staatsloterij is kind enough to show the prizes net of this tax, but they can do that easily because their prizes are fixed amounts. The Lotto and the Postcodeloterij can’t, so participants often count themselves richer than they will actually become. The tax office is especially happy with big cash prizes, since it receives almost a third of the prize money!

Now there are three lotteries I take part in. I have played the Staatsloterij for decades, the Lotto for a little over a year and the Postcodeloterij for a few months. I’ve also filled in the Toto for fun now and then, and with all of this I’ve had quite mixed results. But you simply lose more than you win, unless you are one of the lucky few who win a big jackpot. And given the number of participants, that takes a lot of luck.

I once decided to take part in the Staatsloterij because I was pondering how everything in this world seems to be, and stay, so nicely in balance. And if something gets out of balance, it finds a new balance by itself. Then you also hear things about karma and how everyone’s life is really a matter of balance between all sorts of things. And I thought to myself that luck and bad luck must also balance each other somehow. So if you’re lucky with one thing, you get unlucky with another. And since I’d like to be rid of my bad luck, and not winning the Staatsloterij is pretty bad luck, I decided to take part, knowing that the lottery takes my bad luck away and I get a bit more luck with other things. And so I lose with that lottery every month again, and every time that brings me a big smile, because then I’ll have some extra luck with something else.

Okay, superstition. Ridiculous to believe in, so I don’t really believe in it. But what if it’s true after all? Well, given the low price of a single ticket it can’t hurt to just take part, and so I’ve been playing for a few decades now. The most I ever won was € 75, and usually I win nothing or less than my stake. What bad luck! But you won’t hear me complain about it.

I briefly played the Toto during the championships, and I have to admit that sport doesn’t interest me at all and I don’t even remember which championships those were. But I took part because I always have bad luck with lotteries anyway, so at every match of the Dutch team I bet a tenner on the opponent. My bad luck would make sure I lost, and so would the opponent, and thus our Dutch team would win. And honestly, we got pretty far, until I once forgot to place a bet. After that we were out.

So karma doesn’t exist, you say? Silly superstition? Oh, I still believe that too. I just took part because I would always win anyway. If I lost with the Toto, the Netherlands would become champion. And if the Netherlands lost, I had earned a nice little prize to do something fun with. So I won every time, except that one time I hadn’t placed a bet.

The Toto and the Lotto are both from the same organisation, so my participation in the Toto also made me take a look at the Lotto. It seemed like fun, you could pick your own numbers and the price is quite low too. Quite a lot of draws as well, so plenty of chances to lose my bad luck with. Well, I could use some extra luck, so I decided to take part. And indeed, usually I win either my stake back, or a euro, or nothing at all, and I was quite happy with that. Finally getting rid of some extra bad luck.

And then there’s a moment when things are financially a bit tight and you could use some extra pocket money to get through October. And then the luck comes rolling in from the same corner where my bad luck goes. I suddenly had 5 numbers right, i.e. a prize of € 1,000, minus tax of course. Well, you won’t hear me complain about that. So my extra bad-luck collector has nicely provided some extra luck!

Do I believe in karma? No, really not! But it isn’t made easy for me…

And at the beginning of 2014, with an order I received a free ticket for the Postcodeloterij. Fill it in online and you immediately play along for free. Do cancel right away though, because otherwise you’re stuck with it for a year! Filled it in, played along and immediately cancelled again. I won nothing and hadn’t expected anything else, but I felt I should grab that chance when I got it for nothing. A few months later I got another free ticket, so I filled it in again, played along and again won nothing. Well, a pity, but again I simply took the chance. Only a pity that I forgot to cancel right away.

But this time it went wrong with my karma. I forgot to cancel and therefore also took part in the Postcodeloterij’s New Year draw. And how I would have kicked myself if I had cancelled back then, because the big prize fell on the digits of my postcode! Instead I went crazy when I heard that it had fallen on my postcode, partly because the letters had not yet been announced and this is literally a prize of millions.

Still, my karma is still in balance. I spent the Christmas days with a heavy flu and a huge lack of appetite during Christmas dinner, and I thought I had just recovered, but the second flu followed right after. Luck with the lottery seems to come at the expense of my health.

And now I don’t even want to believe in karma anymore! This is getting scary.

But luckily, the letters have been announced and they are not my letters. So I don’t have to share the prize with a few other lucky people but have to share it with a large number of lucky people, which makes it a relatively small prize after all. (Because that’s just how the Postcodeloterij works.) The gambling tax gets deducted too, so it’s all quite modest. How big the prize is, I have yet to hear.

But I’m starting to fear the Staatsloterij jackpot that will be drawn in a few days. If I win that, I fear my health will have so much bad luck that I can be carried off in a wooden box. So no, I don’t believe in karma, because then I can win it calmly without nasty consequences…

Well, I still think all those lotteries are a rip-off, mainly meant to collect money for certain purposes. Almost everyone loses with them, except the tax office and the goals in question. And no, karma doesn’t exist, except in a small, uncertain corner of my head that makes sure I keep buying a ticket anyway. Because you never know…

# 2014 in review

The WordPress.com stats helper monkeys prepared a 2014 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 12,000 times in 2014. If it were a concert at Sydney Opera House, it would take about 4 sold-out performances for that many people to see it.

# The Hunter: Primal – A game with dinosaurs.

Well, there’s this early access game called The Hunter: Primal, which happens to be an interesting game to play. So, while I’m sick in bed with the flu, I decided to just try it. For 20 euros it would probably offer me some fun and a small adrenaline rush. It’s new and still under development, but the early access is already very promising.

Boy, I was wrong… It’s really great already and really gets your adrenaline pumping! Why? Because you, the player, get dumped on a strange planet with three prehistoric animals. And two of those will hunt you! And the weapons you have to protect yourself? Well, if you’re lucky you’ll start with an improvised bow and 5 arrows. There are better weapons, but you will have to find them. And you’ll have to find ammunition for those weapons too. And possibly some other useful gear. But most likely you’ll end up with just that bow for a long time.

This is a game that you can play with friends, if you just open up some ports on your router. Unfortunately, I’m behind a router and port forwarding is set to my web server, not my gaming system, so that won’t work for me unless all players are behind this router. Still, the multiplayer part makes it even more fun. The graphics are great, the sound is eerie and you can actually hear the dinos walking around if they get close. It is not a game you play for 5 or 10 minutes, though. Expect to spend hours trying to find weapons to kill those dinos! That is, if you survive that long, because it happened often enough that I died within 10 minutes…

Right now, there are three types of dinosaurs that you can hunt. The most interesting is the triceratops, a colossal beast that gets scared quite easily. I never had a weapon powerful enough to kill it immediately and, to be honest, I’m trying to save my ammo to protect myself against the other dinos. This huge herbivore makes a nice trophy, though. And so far it’s the only dino that hasn’t even tried to kill me.

Next, the T-Rex. Big, brutal and deadly. Fortunately, they tend to be noisy and when they walk around, they stomp loudly. That makes for a very good warning signal. Still, they are very hard to kill and they can kill you with a single bite, so I try to stay away from them.

And then there’s the Utahraptor, named after the place where their bones were found. A pack animal and a keen hunter. Not as deadly as the T-Rex, but still very deadly if you’re not careful, especially when you meet a complete pack. You might need several shots to kill them, though. But that’s mostly because you did not aim correctly or tried to hit them in the head. These raptors are more vulnerable in the chest and neck, so better aim for those areas. I did manage to kill one with a single arrow to the neck, so a single shot can kill them. You just need a bit of luck. If you need a second shot, the raptor will already be on its way to bite you, so you will end up hurt. If you need more shots, you’re likely doomed.

So far, I’ve managed to stay alive with one character for more than 5 hours. Real hours, that is! And I still have just a bow and arrows, because I’m stuck in an area full of raptors and a T-Rex. But what I’ve noticed from all my gameplay so far (16 hours and counting) is that these dinosaurs seem to follow very natural patterns. And by learning those patterns you can try to survive in this environment.

So at first I tried to walk to the coastline and follow it to get to know the island I was dumped upon. Seemed a wise decision, since I expected the dinos to stay away from the water. So at one point I started wading through the water, until I discovered a raptor bathing in the water right in front of me! It hadn’t noticed me, so I considered shooting it, until I looked around and saw two more raptors walking towards the water. Fortunately, not towards me. They seemed to ignore me. That is, until the fourth raptor arrived and wanted to bathe where I was standing. That didn’t end well. I had a gun, I had three bullets, and none of my shots hit any vital spots, so I became food for four raptors…

So, the lesson I learned was that raptors like to bathe in the morning. So in the morning, stay away from the water, including the lakes. I also learned that they really start hunting in the afternoon and early in the night, so at those moments they are more in the forest, making the beach and water areas safer. This is useful to know, since you can now estimate their locations based on the time of day!

Then the T-Rex. I had noticed that he spends most of his time on the hills, close to the forests. So I walked downhill towards the water in the early morning, expecting just raptors. Nope. Even the T-Rex likes his bath and will walk to the lakes at night for his morning bath! So we had a brief encounter: me with my shotgun and the T-Rex with his wide smile. And no, one shot doesn’t kill a T-Rex. I don’t know if two shots would have, though. He was chewing on me by then.

Still, I’m trying to learn to evade these dinos while searching for better weapons. Not so easy when the game dumps you on the wrong side of the island, so you have to cross it through the T-Rex’s domain. How do I know it’s his domain? Well, his eggs were there. (Eat them and you have 1 minute to run before the T-Rex goes after you!) And it’s an area with not so many hiding places, so moving through it is slow. Especially when you take time to discover treasure boxes.

Those treasure boxes are what helps you survive. Since you start with 5 arrows, you would be able to kill up to 5 raptors before the 6th kills you. So you need treasure to get more arrows and other weapons. You can also find other useful things like clothes, small pieces of the world map that you can drag onto your pad, and healing canisters that you can equip and then use when needed. But the amount of stuff you can carry is limited, so you can’t take everything you find.

But what you need most of all are weapons and ammunition. And preferably scopes for your weapons, so you’ll aim better. You can basically have a bow, a pistol, a shotgun or a rifle, and you can equip two of those weapons if you have them. (But only shoot with one.) But the ammunition for your pistol won’t fit in your shotgun or rifle, so what do you do if you have a shotgun and only find ammo for a pistol? At some point you can’t carry more and thus have to decide what to leave behind. And then try to find that pistol you need, or the ammunition for the shotgun you have.

Another problem is deciding what to do when you run out of ammunition! I saw a video on YouTube of a player throwing a rock at a T-Rex because the game’s hints suggested something like that. No, don’t throw rocks at dinosaurs, because that just makes them angry! Find a tree at some reasonable distance and try to hit that tree with your rock! The noise it makes will likely distract the dinosaur into moving away from you. Still, don’t walk away, because it uses its ears to hunt too, so if it hears you crawling, it will turn around again, towards you! Stay still, crawl and hope the dino will continue in the direction of your stone throw. Only move when you’re sure it is far, far away.

I also discovered another useful thing. Parts of the forests have these huge, mangrove-like trees with huge roots that tend to have a hollow centre. These make excellent hiding places as long as you’re crouching or crawling. I’ve had a pack of 4 raptors roaming in front of a tree that I had hidden myself inside (I had run out of arrows) and they did not notice me there. Then again, you can’t move much inside trees, so you will need some patience to wait for the raptors to disappear, which could take some time.

Still, I’ve hidden in those hollow trees more often since, and have even killed raptors by shooting from that hiding place, simply because they were close enough for my aim to be perfect. The one time I did get killed was because I had used a gun from my hiding spot and that sound attracted the three other raptors that were near the one I shot.

This game promises to become a real hit! It is not about hunting, since you’re not only the hunter. You’re being hunted too. It’s about survival with limited means: moving from treasure to treasure to collect better weapons and gear, hoping to kill some of the bigger dinos in this game. And that’s the challenge behind it, because you never know when your character turns around, only to end up face-to-face with a T-Rex…

# Kid programmers?

Well, an interesting (Dutch) article prompted me to share my opinion about the topic. Commissioner Neelie Kroes suggests that all young children should start programming as soon as possible, preferably at the same moment they’re learning to read and write. I like her and often agree with her opinion about these matters, but this time I have some doubts.

I happen to be a “programmer” and I often compare the profession with that of carpenters. It is often quite simple, but when things become more serious, you need better-trained professionals. You can give a child Lego blocks and they will build a castle with it. The same goes for programming. Give them a computer, teach them how to use Notepad and they can write HTML and thus create their own web pages.

But what if they become overconfident? The carpenter child might decide to start building his own castle from wood. He would do what he did with his Lego and just start building according to his own insights. And who knows? He might even make something very reliable. But often the result will be disappointing or even unsafe to live in: the use of the wrong materials, forgetting to add a door or window, forgetting to make things fireproof… There are many mistakes that even professional carpenters will make, but those kids are more likely to make them. They need a lot more training if they ever want to build their own house that way.

The same is true with programming. Anyone who is literate can learn to write programs. You just learn the proper syntax of a programming language and you start programming. And it will be fine for simple things like a personal website. But when they start thinking they can make professional websites, a lot of things can go wrong, because they’re not trained enough and because they have too much confidence in their skills since they were at the top of their programming class. They should be good programmers, right?

In my experience, knowing a programming language is not enough. Actually, the language doesn’t even matter that much. A good programmer knows how things work together and knows what the risks are. Just as a good carpenter knows which type of wood and other materials to use, so does a good programmer.

You should first start thinking about what you want to make. Start designing it, documenting your wishes, and often just work with pen and paper to get a proper idea and to list all your requirements. If you do this at the computer, the computer might distract you into doing other things. (For example, you might already start writing code!) Don’t start writing code in this phase! You need a first design, no matter how simple it is.

The next step is making a risk analysis and specifying all the tasks that your design will perform. The risk analysis is important because your website will be attacked. You need to know how secure your site should be, considering the visitors it gets and the content that is on your site. You need to decide which server to use, which operating system, which hosting solution and, most importantly, who will have access to which specific parts.

The next step is choosing the proper development environment and setting up separate environments for development, testing and (pre-)production. This too is often forgotten, mostly because most programmers will just stick to the development tools they already know. Not many C# developers would pick C++ with Eclipse on a Linux system to write their code. Yet any experienced programmer should not have many problems with this switch. If it provides the best solution, then use it!

And now you can start writing code, designing the web pages and doing the fun parts of programming. And this is where I expect schools will fail. They will probably start with the fun part, so they teach those kids to write code before having taken the previous steps. Those kids will grow up and probably continue to work that way when they become more professional. They would then have to learn to slow down and start with the steps I’ve mentioned. And if they happen to work for a company that has more experienced programmers, then they will indeed adjust and become very good programmers.

But our society is making people more independent, and these young programmers might decide to start their own companies or work freelance. The lack of insight into proper development practices will hurt their careers, because their employers are likely to receive bad results from programmers who work too hastily. I’ve seen a few projects fail simply because the programmer did not think properly about the design. Fail enough times and no one will hire you.

So while teaching young kids to program seems like a good idea, I fear it will produce a lot of bad programmers who think they’re good at what they’re doing. The result will be a lot of bad projects being published, just as bad carpenters produce a lot of bad furniture. But is this my biggest fear? Nope…

My biggest fear involves security. Good programmers think about security from the start. As I said, do a risk analysis and decide how to manage users, roles and anything related to this. Security always tends to feel counter-productive, but leaving it out is like building a log cabin with openings instead of a door and windows. Will children learn about this from the start? Will they keep in mind that not everyone should have access to the more important functions? Will they realise that there are “bad people” out there who just want to destroy their work?

Just like the little boy making a sand castle at the beach, only to see a bully stomp it back into the sand, so are hackers destroying websites made by those who don’t know how to protect them. Do the children also learn about those bullies, and how do you prevent these kids from becoming bullies (hackers) themselves? Because by teaching children to program, you also teach them how other programs work, and that helps if you want to get access to those programs.

Teens are already using Twitter, Facebook and 4chan to post bomb threats, announce plans to kill people and post nude selfies of themselves and their friends. The Internet is full of teens doing bad things online, and teaching them to program teaches them to become better at that, too. Teaching them to program will make it easier to find top talent amongst them, but not all will be top programmers. Some will be top hackers. It’s a double-edged sword, cutting both ways.

Teaching children to program can be fun if they just learn to program devices. For example, Logo would be great for them, since they would learn how to program a computer to make interesting drawings. There’s this nice interpreter for them to learn with, so all they need is a web browser that can handle HTML5. It could also be interesting to teach them about Arduino boards with additional hardware, so they can make simple robots and learn programming using C++. But please avoid children making web applications, because that is way more serious. It will expose them to hackers who will try to destroy their work. It will expose them to some influences that they might not be ready for at that moment.

So, I am in favor of children learning the proper way of programming and allowing them to start with small, simple things at first. Preferably things that are not on the Internet. The Internet is really a more adult environment, like a busy highway. Without proper supervision and guidance, things could go horribly wrong.

For example, your child might see her site replaced by a video of the beheading of some prisoner by some terrorist organisation. Or she notices a banner on her site leading to hardcore porn sites, including bestiality and gangbanging. Hackers can and will do such things if they get a chance.

# How you should NOT warn about phishing…

PostNL is a well-known company in the Netherlands that specialises in delivering snail mail and packages. And recently, some spammers started sending fake messages pretending to be from PostNL for phishing purposes. So, PostNL responded with this Dutch message:

Since many of you probably don’t know what it says, it roughly translates into a warning about the spammers. Spammers are sending emails claiming a package could not be delivered, and you’re asked to click on the provided link. When you click that link, malware will be downloaded onto your system. So, a pretty serious situation, and they advise their customers to delete it immediately. And don’t click the link in the email!

Now, the big question: Why this link?

I did some research by clicking the link and ended up at http://subscriber.e-mark.nl/link[snip].html, which redirected me to the PostNL website. (I just snipped the link in the text, but it still links to the link I received.) So, what is Emark?

Well, Emark is a digital marketing solution, useful for companies that like to outsource such tasks. You can use their services to link to your CRM system and to send mass emails to your customers for all kinds of purposes. Like this warning. The problem is that those emails are sent through the Emark servers, so attentive customers will notice that PostNL did not mail it from their own systems. Which is one major warning sign of phishing emails. But other marks in the email do suggest it is a real message, not faked by a spammer. The link in the mail is on the same domain as the sender, while spammers generally use different domains. And it was sent to the proper alias I use.

So, what is the long page name in the link? Well, that is easy. PostNL uses a CRM solution and that link will most likely contain a unique identifier for every customer in their system. Because I clicked that link, PostNL will now know that I’ve read this email, including when I visited their warning page. (Me posting that link here will probably mess up their CRM data if every visitor here clicks it! 🙂 Yeah, I’m evil!) So now they know which customers are reading their emails and who will click the links provided. Normally, those would be the customers who are more at risk from these kinds of phishing emails, since they clicked a link even though they were warned not to.

I might be mistaken, but by doing this without informing the customer that their click will be registered, they might be in violation of the Dutch cookie law. They register that I’ve read a specific email and visited their webpage, so they can also register my IP address. They also know when I clicked that link. And this data is linked to my PostNL account without me giving permission for any of this. It’s not a very serious violation, but still…

So, PostNL is searching for their dumb customers. Well, it seems that way to me. Time for me to report PostNL for phishing…

That’s not a proper way to deal with your customers and it also teaches them very bad habits!

# Just a simple spam overview…

Here is an overview of my recent spambox:

And yeah, it’s time to complain about all my spam again. What you’re seeing is what I see in my spambox: about 35 different messages received within less than 12 hours. Fortunately, they are only this many because they have been sent to multiple email addresses. Those addresses are all aliases for my mailbox, though.

The interesting one is the one about eFax. I did use eFax once, many years ago when I was working on software for PBX systems. (Has something to do with phones.) So those messages could have been genuine if I had received them on the proper alias. I did not, so they’re fake. Anything sent to the wrong alias is fake, unless proven otherwise. Also, I am unfamiliar with the phone number in the header and it refers to the British version of eFax, while I happened to use the Dutch version. That’s enough to tell me that these are really, really fake. It’s even funnier when you check out the link, which goes to eliteom.com, which happens to be a gun sales website. So, their website has been hacked.

Still, some further investigations direct me to this IP address: 206.253.165.76. By using RobTex I end up at a login site for some shared hosting website running on ZPanel. Still doesn’t tell me much. It would seem the spammer has set up his own host somewhere but the link I found goes directly to a specific page, without a domain name. So, someone is using ZPanel and had their system hacked too. RobTex tells me the ZPanel host is registered by someone in Australia and hosted on servers in the USA. I might be wrong, though, but it seems that there are many layers to peel here.

Moving on, I see spam for fake medicines, a warning about a dangerous parasite that’s probably fake too, a strange invoice that’s clearly fake, some shaving solution, a few naughty messages that just contain links and are hoping I’m curious enough to click and a few more weird messages.

One type of spam is for Ruby Palace, a casino website that seems to hop around on the Internet. According to internet rumours, the registrar for Ruby Palace is located in India where they have no anti-spam laws so they can keep supporting this spammer. Again, RobTex is quite helpful here, telling me that the registrar operates in several countries but not India. So that rumour might not be true. It seems to be Australian, though. One thing to remember, though. Casino spam is offering you great profits, but they make even bigger profits from you spending your money there.

One strange email I received is from a former colleague and was sent to my LinkedIn address. That is, my new LinkedIn address, because LinkedIn had already leaked my old one. A direct message to that account is very suspicious in my opinion, so I’ve marked it as spam. I’ve anonymized the header to protect my and her privacy a bit. I wonder if Liz really sent this to me, although it does make some sense considering her current employer.

The message itself seems to want to exchange business referrals between members. This is done through a website called referralkey.com, which seems a bit spamlike to me. Their unsubscribe page includes ads and they don’t appear to be very reliable. Still, I will just unsubscribe my LinkedIn address, and if I continue to receive more spam on my LinkedIn account then I will know that LinkedIn has been hacked again.

A few more spam messages, trying to sell me a funeral insurance or give me some interesting dating options. Interestingly enough, I get a lot of spam on an account I used for instantcheckmate.com, and that shows you how risky it can be to just subscribe to any website. The use of aliases when subscribing is definitely good advice! Register your own domain, get a Google Apps account for one user and let Google manage your mailbox, including the many aliases you like to create. (Or pick another solution to manage lots of aliases.)

Funny… While writing this post I received two more spam messages…

# The Celebrity Hacks…

For those who are still hiding in some cave, there’s something going on called “The Fappening”. It’s a celebrity scandal that involves ‘selfies’ taken by some famous people, most of them female and in various stages between clothed and fully nude. People claim that these celebrities should not have taken nude selfies to begin with, but I strongly disagree with that opinion. People should just have respect for the privacy of others, and this includes the privacy of celebrities.

Unfortunately, we live in a society where a used tampon can be worth hundreds of dollars if used by someone very famous, like Miley Cyrus or Jennifer Anniston. Preferably with a certificate explaining how it was retrieved and when it was used. Just no respect for their privacy, since people can earn lots of money with it. And that’s also true with these celebrity hacks.

To make matters worse, there are plenty of people out there who will make fake pictures of those celebrities. Some are very obviously fake. Others use a look-alike model to make the photo more real. But in this case, the photos seem to be mostly real pictures of those celebrities, with maybe a few fake ones to make it appear an even bigger hack.

Now, telling celebrities to stop taking nudies (nude selfies) is like telling people not to use their right of free speech. It would violate their own freedom of expression. Why would the girl next door be allowed to take nudies while Victoria Justice should not do so? Well, the girl next door is not as interesting a target as someone famous. Besides, thousands of girls (and boys) have ended up as victims of the same crime because they shared the nudie with their lover, and that lover then published the nudie once the relationship ended. (Something called revenge porn.) But those pictures will maybe draw attention from 10 to 20 other viewers, while a nudie of Ariana Grande would draw the attention of thousands, maybe even millions, of people.

Basically, exposing nudies of other people without their permission should be considered a criminal offense, almost as criminal as rape. (And as a copyright violation, but that’s generally a misdemeanor and often something for the Civil Court, not the Criminal Court.) So if your ex-lover uploads your nudie to a revenge porn site, he (or she) should be arrested and punished for it. And sites that allow this kind of revenge porn should be considered to be criminal organisations and anyone visiting them or uploading pictures to those sites should face criminal charges too. Harsh? Yes, but our modern society seems to require such hard actions against these offenders. Besides, there are plenty of legal ways to publish nudes. You just need the consent of the model, and plenty of models are willing to pose for such images.

Problem with the Fappening is that no one seems to know how the hacker(s) gained access to these selfies, although it is assumed that Apple’s iCloud isn’t secure enough. Most celebrities seem to favour Apple products over Android products and all investigations seem to focus on iCloud. Since the iPhone camera can synchronize any picture it takes with the cloud, that also explains how those photos ended up on the Internet in the first place. Thus, if an iCloud account is hacked, those photos can start roaming all over the Internet.

One cause of this leak is the insecurity of the iCloud. It seems as if the photos are stored without any form of encryption on the iCloud servers. I’m not 100% sure about that, but Apple has a good reason to not use encryption: decryption takes time and thus slows down the system. But I don’t know why the phone itself cannot do the encryption or decryption of those pictures.

Basically, each device that connects to the account would generate its own key pair and keep the private key on the device; only the public key is registered with the iCloud account, and registering one is a deliberate act by the user. When this happens, an email should also be sent to the user to warn her (or him) that a new device key has been added. Thus, a hacker who gains access to the account still cannot read anything until he enrolls a device of his own, and that enrollment is exactly what warns the user.

Those device public keys would then be used when the user uploads photos: the phone encrypts each photo locally and wraps the photo’s key for every enrolled device, and a device unwraps it with its own private key when downloading. Thus, the encryption happens in the phone, not in the cloud, so anyone with access to the cloud data still won’t be able to see the pictures. This gives the user much more privacy. The same encryption could also happen within iTunes so the user can synchronize with her computer. All data the user has should be encrypted before iCloud receives it.
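As an added example (not Apple’s design or code, and not part of the original post), here is that scheme written out in VB.NET, the language the code elsewhere on this page is in, with the account side and the devices simulated in one program: every photo gets its own AES-GCM key on the device, that key is wrapped to the RSA public key of each enrolled device, and enrolling a device is the event that produces the warning. It assumes .NET Core 3.0 or later for the AesGcm class; the class names, device names and the sample photo bytes are made up for the illustration.

```vb
' Added example, not Apple's code: client-side photo encryption with per-device keys.
' Requires .NET Core 3.0 or later (AesGcm). All names are assumed for illustration.
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Text

' What the cloud stores for one photo: ciphertext plus the photo key wrapped
' once per enrolled device. No plaintext and no private key ever reach the server.
Public Class EncryptedPhoto
    Public Property Nonce As Byte()
    Public Property Ciphertext As Byte()
    Public Property Tag As Byte()
    Public Property WrappedKeys As New Dictionary(Of String, Byte())
End Class

' The account side: it knows device public keys and nothing else.
Public Class PhotoAccount
    Private ReadOnly devicePublicKeys As New Dictionary(Of String, RSAParameters)
    Public ReadOnly Property Alerts As New List(Of String)

    ' Enrolling a device is the only way to become able to read photos,
    ' so this is the event that must warn the owner out of band (e-mail, SMS).
    Public Sub EnrollDevice(deviceName As String, publicKey As RSAParameters)
        devicePublicKeys(deviceName) = publicKey
        Alerts.Add("New device '" & deviceName & "' can now read your photos. Not you? Revoke it.")
    End Sub

    ' Runs on the phone before anything is uploaded.
    Public Function Upload(photo As Byte()) As EncryptedPhoto
        Dim contentKey(31) As Byte   ' fresh 256-bit AES key for this photo
        Dim nonce(11) As Byte        ' 96-bit GCM nonce; fresh key plus fresh nonce, never reused
        Using rng = RandomNumberGenerator.Create()
            rng.GetBytes(contentKey)
            rng.GetBytes(nonce)
        End Using

        Dim stored As New EncryptedPhoto With {.Nonce = nonce}
        stored.Ciphertext = New Byte(photo.Length - 1) {}
        stored.Tag = New Byte(15) {}
        Using gcm As New AesGcm(contentKey)
            gcm.Encrypt(nonce, photo, stored.Ciphertext, stored.Tag)
        End Using

        ' Wrap the photo key for every device the owner has enrolled so far.
        For Each entry In devicePublicKeys
            Using rsa As RSA = RSA.Create()
                rsa.ImportParameters(entry.Value)
                stored.WrappedKeys(entry.Key) = rsa.Encrypt(contentKey, RSAEncryptionPadding.OaepSHA256)
            End Using
        Next
        Array.Clear(contentKey, 0, contentKey.Length)
        Return stored
    End Function
End Class

' A device: its private key is generated here and never leaves.
Public Class Device
    Public ReadOnly Name As String
    Private ReadOnly keyPair As RSA

    Public Sub New(deviceName As String)
        Name = deviceName
        keyPair = RSA.Create(2048)
    End Sub

    Public Function PublicKey() As RSAParameters
        Return keyPair.ExportParameters(False)
    End Function

    ' Returns Nothing when this device was never enrolled: stolen ciphertext
    ' plus a stolen account password is still not enough to see the photo.
    Public Function Download(stored As EncryptedPhoto) As Byte()
        Dim wrapped As Byte() = Nothing
        If Not stored.WrappedKeys.TryGetValue(Name, wrapped) Then Return Nothing
        Dim contentKey As Byte() = keyPair.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256)
        Dim plain(stored.Ciphertext.Length - 1) As Byte
        Using gcm As New AesGcm(contentKey)
            gcm.Decrypt(stored.Nonce, stored.Ciphertext, stored.Tag, plain) ' throws if tampered with
        End Using
        Array.Clear(contentKey, 0, contentKey.Length)
        Return plain
    End Function
End Class

Module Demo
    Sub Main()
        Dim phone As New Device("iPhone")
        Dim laptop As New Device("MacBook")
        Dim account As New PhotoAccount()
        account.EnrollDevice(phone.Name, phone.PublicKey())

        Dim photo As Byte() = Encoding.UTF8.GetBytes("constructed sample photo bytes")
        Dim stored As EncryptedPhoto = account.Upload(photo)

        Console.WriteLine(Encoding.UTF8.GetString(phone.Download(stored)))   ' the enrolled phone reads it
        Console.WriteLine(laptop.Download(stored) Is Nothing)                ' True: laptop not enrolled
        account.EnrollDevice(laptop.Name, laptop.PublicKey())                ' this is what sends the alert
        For Each alert As String In account.Alerts
            Console.WriteLine(alert)
        Next
    End Sub
End Module
```

A server that holds only public keys and ciphertext has nothing useful to hand to an attacker who gets in through the account password; his next step, enrolling a device, is the one the owner gets told about. Note that photos already uploaded are wrapped only for the devices enrolled at that moment, so a newly enrolled device can read future uploads, not the backlog, unless an existing device re-wraps the old keys for it.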

That would be an important security upgrade by Apple, but users should also take some steps to secure themselves. Perez Hilton has an expert naming a few options but I don’t fully agree with those. To start with, he advises that every celebrity start using a new email address. That’s just wrong, because they can’t throw away the old one.

A better option for celebrities is to register their own domain name. Most of them already have one anyway. Use this domain to generate a bunch of email aliases and use each alias for one specific contact or account that you have. For example, your address to register your iPhone would be apple.phone@example.com, while your registration for Amazon would be amazon.com@example.com. Or, if you want to keep up some bookkeeping, just use random codes for every contact. For example, bb001@example.com for Apple and bb002@example.com for Amazon. (In which case you could apply filters that label incoming emails based on those aliases.)

Another piece of advice is to strengthen your security questions. Please don’t do that. Security questions are just a crappy way to make people think they’re secure while they just open an extra attack vector into your account. It’s easier to just answer these questions with about 20 random letters and quickly forget about them. Just make sure you don’t forget your password.

The third piece of advice is similar to my advice of using a whole domain. The difference is that my option is still a single account and all your mail will be received by that single account. Thus, you can create a lot of aliases and still support them with ease. Creating multiple email accounts will become troublesome once you have over 20 of those accounts. Basically, it means that you have to check 20 accounts every day instead of just one…

And the last piece of advice sucks if you’re a celebrity, but I have to agree with it. Still, if you want to be famous, you need people to talk about you, so some private information needs to leak out. Or you should get some reputation as a bad Diva or whatever, walking on stage in a dress made of meat, having your nipple pierced and filmed to show on YouTube, or start dating a homeless person with a criminal record just to draw attention. (Sitting naked on a wrecking ball seems to help too…)

But other information, like the name of your dog, the names of your family members and even where you’re taking your date out for dinner are things that are better kept private. You can still have a big influence on the Internet without exposing much of your private information. Your fans will continue to follow you no matter how crazy you act online.

Do keep in mind that you need to uphold a large fan base if you want to continue to profit from your fame. Having these nudies exposed to the public is horrific, but it is also an opportunity to get more fame. For example, Paris Hilton made a sex video of herself and her lover that got exposed on the Internet. Before that happened, barely anyone knew her. But the attention of this scandal did increase her popularity and provided her a lot of new opportunities. Some of the actresses who have become victims are already trying to spin the event into new opportunities for the future. They are still trying to get something positive out of all this negative attention.

Besides, beneath our clothes, we’re all naked. We are all sexual beings who often do silly things that are better kept private. You, the victimized celebrities, have done nothing wrong. The ones who took those pictures from your private accounts are the real criminals. They are the ones to blame, they are the ones who need to be punished for the whole thing…

# You should buy stock in ‘Inspiration Mining Corp’. (NOT!)

Well, it’s about time that I start to nag about spam again. This time someone really would like people to go trade on the financial market. Preferably in a mining company called “Inspiration Mining Corp”, or simply IRMGF. And yes, this is very important, since the spammer wants to make a huge profit from selling his shares to you, so the price needs to go up fast.

IRMGF is a so-called penny stock. This means the price is so low that it only costs a penny to own a piece of the company. Basically, it’s almost worthless, but for some it’s still interesting to trade in. Why? Because if the price goes up by just a single penny, those investors will have doubled their investment! So if you buy 1,000,000 shares for a penny each and manage to push the price up by just 2 cents, then your $10,000 investment will now be worth $30,000. Which is not bad for a reasonably small investment.

Problem is, with stock you never know if the price will go up or down. So it is interesting to try to manipulate the value of penny stock in all kinds of ways. The simplest way is by making people believe how ‘cheap’ the stock actually is, hoping people will start buying. And sure, some of those buyers will pay about the same as the spammers do, about a penny per stock. But this will also start to increase the value of the same stock, since people want to buy it.

But when the stock price has doubled or tripled, the spammer will immediately sell his stock to those who still continue to buy it. The spammer will earn a nice profit and has almost no risk of getting caught. (Unless it can be proven that he was responsible for the spam.) Since lots of people will buy and sell penny stock it’s just not easy to find the person who has spammed among all those suspects.

So, let’s take a quick look at the IRMGF:US stock here at Bloomberg. The price has moved between 4 cents and 16 cents during the whole year. If you bought stock in December 2013 and sold it again in May/June 2014 then you would probably have quadrupled your investment. Not bad for just a few months of waiting. But now the price has dropped to below 7 cents per share, so it is interesting to start buying again, hoping the price will go up again.

Then again, this is how the stock market works. You buy stock as an investment to keep your money safe. If things go well, you should make a small profit on your investment. If not, you should sell before the stock becomes worthless. Most people with money don’t really buy stock to make profits but to make sure their money is reasonably safe. But they will have to check the market continuously to make sure their stocks are stable enough. This is a bit time-consuming and many investors will use computers to watch the stock market for them. And probably hire a financial advisor who does nothing else but trade in stock to keep the invested value stable.

Penny stock is reasonably unreliable because the low price suggests that the company behind the stock isn’t doing so well. If it has to file for Chapter 11 because the company is dead broke, your stock will become worthless. You’d rather invest in something more stable and reliable and start selling when you expect its value to drop.

Now, why do I start about this spam? Well, simple. For the last 5 days I’ve received hundreds of spam messages on several of my email aliases. This is practical because it tells me which companies have shared my mail address with those spammers. Adobe and LinkedIn are, of course, the usual suspects because their databases have been hacked. As a result, I still receive lots of spam on those aliases. Another company that apparently got hacked is SmithMicro, where I purchased my Poser software for the CGI models.

I also noticed strange addresses like waterside__9.jpga@example.com and tayen-usenet-a@example.com which I never even created. I don’t know why those spammers are using those aliases but maybe the person who owned the specific domain before I did used those accounts.

What do the messages look like? Well, like this:

And there have been more variations of this spam.

A few things are easily noticeable. First of all the spelling in both messages is just plain bad. They included other characters in the stock name, spaces are missing in some places, “mining” is spelled wrong and a few more things. This is done on purpose to get around spam filters, although it just doesn’t seem to work with the Google spam filters.

The sender happens to be fake, though. All spammers will use fake sender addresses, often collected from their own spam lists to make it seem legitimate. So responding to the sender or anyone else in the email is useless. You’d just be harassing some other innocent person. Yet many people do think it helps, so they respond to complain about the spam. Or report the account to their ISP, accusing them of spam. Most providers are smart enough to recognise this, though. They won’t take action against the fake sender because they know he’s just a victim too.

The email also has several links to make it look more legitimate. But in this case, even those links are fake. They are a combination of the email address (the part before the @ sign) and some gibberish with .com or .org after it to generate a domain. It also includes a path on the fake domain that looks legit but since the domain is fake, the whole link is fake. This spammer just doesn’t want anything that would link back to him.

So, would the IP address in the email header be any helpful? Unfortunately, not much. The computer behind that IP address is most likely part of a bigger botnet. A machine infected by malware that the spammer can use to send his spam. You could report the IP address to the related provider and hope the provider will take the specific user off the Internet until he has cleaned his computer but in general, that’s not going to happen.

Thus, these spam messages are hard to stop. The spammer is difficult to trace since a lot of people will be trading in this penny stock. Some investors might even consider investing in it since they expect the price to go up even further because of this spam. As I said, the price has been over 16 cents at one point and now the price is 11 cents. If it continues to go up, they could still make profit from it.

Nothing in the email will lead back to the original spammer, although it will expose the computers that are part of the botnet. Those computers should be taken offline, but doing so is not that easy. To make it more complex, those IP addresses could just belong to a router with a lot of computers behind it. There could even be an open WiFi connection on the router that happens to be misused by someone else in the area. (Who could be innocent too, but his computer could be infected.)

Penny Stock Spam is a very difficult one to fight against because the spammer can hide himself very well. He doesn’t have to add a link to his webshop or to some infected website that could be closed within a day after it has been reported. There’s almost no trace to the spammer either. The only thing that helps against this kind of spam is to not buy the stock, not even if you’re an experienced investor and still expect some profit. You will most likely lose money on those transactions because you’re just paying the spammer himself.

But if you’re lucky, a bigger moron will still buy the stock and give you some profit. And that’s the worst part of this spam. It’s not just the spammer who will profit but some investors might also have a smaller profit from it. As I said, if it goes up just a cent, they would have made a huge profit already.

# An example of bad development…

I recently received an email from a company that’s doing questionnaires. And well, I subscribed to this and did some of their questionnaires before, so I wanted to do this new one too. Unfortunately, the page loaded quite slowly, only to return a very nasty error message. A message that told me that this organisation is using amateurs for developers and administrators.

Let me be clear about one thing: errors will happen. Every developer should expect weird things to happen, but this case is not just an error, it is evidence of amateurs. So, let’s start with analyzing the message…

Server Error in ‘/’ Application.

Timeout expired.  The timeout period elapsed prior to obtaining a connection from the pool.  This may have occurred because all pooled connections were in use and max pool size was reached.

So, what’s wrong with this? Users should never see these messages! ASP.NET can be told to show the detailed error page only when the request comes from the local machine: set customErrors mode="RemoteOnly" (with a defaultRedirect to a friendly page) under system.web in web.config, and remote users get a much simpler message while developers on the box still see the full details.

This is something the administrator of the website should have known, and checked. He did not. By failing at this simple configuration setting the organisation is leaking sensitive information about their website: physical paths on the server, a fragment of the source code and the exact framework version. Information that’s enough to convince me they’re amateurs.

This error is also quite a common error message. Basically, it’s telling me that the application has too many database connections open. One common cause for this error is code that fails to close a connection after opening it. Keep that in mind, because I will show that this is what caused the error…

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

This is a standard follow-up message. The fact that users of the site would see this stack trace too is just bad.

Exception Details: System.InvalidOperationException: Timeout expired.  The timeout period elapsed prior to obtaining a connection from the pool.  This may have occurred because all pooled connections were in use and max pool size was reached.

A timeout error, with a reference to the connection pool and the max pool size. This already indicates that more connections are being opened than closed: by default SqlClient allows 100 pooled connections per connection string and waits 15 seconds for one to become free before throwing this exception. There are frameworks for .NET that take care of opening and closing for you and so prevent these kinds of errors. They exist because this error happens to be very common with hand-written ADO.NET code, in ASP.NET applications and in generic database applications written in .NET alike.

Basically, the top of the error message is just repeating itself. Blame Microsoft for that since this is a generic message from ASP.NET itself. Developers can change the way it looks but that’s not very common. Actually, developers should prevent users from seeing these kinds of messages to begin with. Preferably, the error should be caught by an exception handler which would write it to a log file or database and send an alert out to the administrator.

Considering that I received this error on a Friday afternoon, I bet the developer and administrators are already back home, watching television like I do now. Law & Order is just on…

Source Error:

    Line 1578:
    Line 1579:     cmSQL = New SqlCommand(strSQL, cnSQLconfig)
    Line 1580:     cnSQLconfig.Open()
    Line 1581:
    Line 1582:     Try

This is interesting… The use of SqlCommand is a bit old-fashioned. Modern developers would have switched to e.g. the Entity Framework or another, more modern solution for database access. But the developers of this site are just connecting to the database in code, probably to execute a query and collect the data, and then should close the connection again. The developers are clearly using ADO.NET for this site. And I can’t help but wonder why. They could have used more modern techniques instead. But probably they just need to keep up an existing site and they aren’t allowed to use more modern solutions.

But it seems to me that closing the connection is not reliably happening here. Line 1580 opens cnSQLconfig before the Try block that starts at line 1582, so whatever Close() the Try body contains is skipped as soon as anything after the Open throws, and unless Close() sits in a Finally block (or the connection is wrapped in a Using block) the connection stays checked out of the pool until the garbage collector eventually gets to it. The Open() at line 1580 is where the timeout surfaces, but it is not where connections are lost: every earlier request that opened this connection and never closed it consumed one pool slot, and once the pool is empty the next Open() waits for its timeout and then throws exactly this exception.

If this happens once or twice, then it still would not be a big problem. The connection pool is big enough. But here it just happened too often.

Another problem is that this style of ADO.NET code is also a classic place for SQL injection: the query text is held in a variable called strSQL, and if that string is built by concatenating user input (a country code from the request, say) then the input becomes part of the SQL. ADO.NET itself is not the weakness, parameterised commands are perfectly safe, but code that assembles query strings by hand rarely uses them. It could still be that they’re using secure code to protect against this, but what I see here doesn’t give me much confidence.
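As an added example (not the questionnaire site’s own code, of which only the lines quoted above are visible), here is the leaky shape of that code next to a version that cannot leak pooled connections or accept injected SQL. The Countries table, the Language column and the @code parameter are assumptions made for the illustration.

```vb
' Added example, not the site's code: the leaky shape beside the hardened one.
' The Countries table, Language column and @code parameter are assumptions.
Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Class CountryLookup
    Private ReadOnly connStr As String

    Public Sub New(connectionString As String)
        connStr = connectionString
    End Sub

    ' Shaped like lines 1579-1582 on the error page: the connection is opened
    ' before the Try, and nothing guarantees Close() runs, so every exception
    ' thrown after Open() costs the pool one connection for good. The query is
    ' also built by concatenation, so a countryCode of  NL' OR '1'='1  rewrites it.
    Public Function LoadLanguageLeaky(countryCode As String) As String
        Dim strSQL As String = "SELECT Language FROM Countries WHERE Code = '" & countryCode & "'"
        Dim cnSQLconfig As New SqlConnection(connStr)
        Dim cmSQL As New SqlCommand(strSQL, cnSQLconfig)
        cnSQLconfig.Open()
        Try
            Dim result As Object = cmSQL.ExecuteScalar()
            Dim language As String = CStr(result)   ' InvalidCastException on DBNull: skips Close()
            cnSQLconfig.Close()
            Return language
        Catch ex As SqlException
            Return Nothing                          ' no Close() on this path either
        End Try
    End Function

    ' Hardened: Using disposes (and so returns to the pool) the connection on
    ' every exit path, and the value travels as a typed parameter, never as SQL.
    Public Function LoadLanguage(countryCode As String) As String
        Const strSQL As String = "SELECT Language FROM Countries WHERE Code = @code"
        Using cnSQLconfig As New SqlConnection(connStr)
            Using cmSQL As New SqlCommand(strSQL, cnSQLconfig)
                cmSQL.Parameters.Add("@code", SqlDbType.NVarChar, 2).Value = countryCode
                cnSQLconfig.Open()
                Dim result As Object = cmSQL.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then Return Nothing
                Return CStr(result)
            End Using
        End Using
    End Function
End Class
```

Using does the same as a Try/Finally with Close() in the Finally, but it cannot be forgotten on a new return path. Under load, the leaky version ends up throwing the exact exception from the error page once enough connections have been lost; the hardened version hands every connection back the moment the block is left, whichever way it is left.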

Source File: E:\wwwroot\beta.example.com\index.aspx.vb    Line: 1580

A few interesting, other facts. First of all, the code was written in Visual Basic. That was already clear from the code but this just confirms it. Personally, I prefer C# over Visual Basic, even though I’ve developed in both myself. And in a few other languages. Language should not matter much, especially with .NET, but C# is often considered more professional than BASIC. (Because the ‘B’ in BASIC stands for ‘Beginners’.)

Second of all, this one code-behind file has at least 1,706 lines of code (the stack trace reaches line 1706). I don’t know what the rest of the code is doing, but it’s probably a lot of code. Again, this is an old-fashioned way of software development. Nowadays, you see more usage of frameworks that allow developers to write a lot less code. This makes code more readable. Even in the main index of a web site, the amount of code should be reasonably low. You can use views to display the pages, models to handle the data and controllers to connect both.

Yes, that’s Model-View-Controller, or MVC. A technique that’s practical in reducing the amount of code, if used well enough.

And one more thing is strange. While I replaced the name of the site with ‘example.com’, I kept the word ‘beta’ in front of it. I, a user, am using a beta-version of their website! That’s bad. Users should not be used as testers because it will scare them off when things go wrong. Like in this case, where the error might even last the whole weekend because developers and administrators are at home, enjoying their weekend.

Never let users use your beta versions! That’s what testers are for. You can ask users to become testers, but then users know they can expect errors like these.

Stack Trace:

    [InvalidOperationException: Timeout expired. The timeout period elapsed prior to obtaining a connection from the pool. This may have occurred because all pooled connections were in use and max pool size was reached.]
       System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection) +4863482
       System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory) +117
       System.Data.SqlClient.SqlConnection.Open() +122
       _Default.XmlLangCountry(String FileName) in E:\wwwroot\beta.example.com\index.aspx.vb:1580
       _Default.selectCountry() in E:\wwwroot\beta.example.com\index.aspx.vb:1706
       _Default.Page_Load(Object sender, EventArgs e) in E:\wwwroot\beta.example.com\index.aspx.vb:251
       System.Web.UI.Control.OnLoad(EventArgs e) +99
       System.Web.UI.Control.LoadRecursive() +50
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627

And that’s the stack trace. We see the site loading its controls and resources and the ‘Page_Load’ method being called at line 251. At line 1706 selectCountry calls XmlLangCountry with a file name, apparently to load country information from an XML file, which would be needed to set the proper language. XmlLangCountry then opens the database connection at line 1580, probably to read some table based on information from the language file, and that Open() is the call that failed.

Again, this is a lot of code for basically loading the main page. I even wonder why it needs to load data from the database based on the country information. Then again, I was about to fill in a questionnaire so it probably wanted to load the questionnaire in the proper language. If the questionnaire is multi-lingual then that would make sense.

Version Information: Microsoft .NET Framework Version:2.0.50727.3655; ASP.NET Version:2.0.50727.3658

And here’s one more bad thing. This site still runs on .NET version 2.0 while the modern version is 4.5 and we’re close to version 5.0… (Strictly speaking, 2.0.50727 is the CLR version, which .NET 3.0 and 3.5 report as well, so the site could be on anything from 2.0 to 3.5; all of those have been out of date for years.) It would not surprise me if these developers still use Visual Studio 2005 or 2008 for all this. If that’s the case then their budget for development is probably quite low. I wonder if the developers who are maintaining this site are even experts at software development. It’s not a lot of information that I can base this upon, but in short:

• The administrator did not prevent error messages to show up for users.
• The use of raw ADO.NET without Using blocks or parameters leaves room for leaked connections and SQL injection.
• The use of VB.NET is generally associated to less experienced developers.
• The amount of code is quite long but common for sites that are developed years ago.
• Not using a more modern framework makes the site more vulnerable.
• Country information seems to be stored in XML while the questionnaire is most likely stored inside the database.
• The .NET version has been out-of-date for a few years now.

My advice would be to just rewrite the whole site from scratch. Use the Entity Framework for the database and MVC 4 for the site itself. Rewrite it in C# and hire more professional developers to do the work.