Discovering the Limits of the Possible

#2 XKCD SNAFU

xkcd rarely puts out a terrible comic, but they did it again today:

The problem, of course, lies with the misguided notion that our rights are something that only the government can suppress. No, sadly, it is anyone in a position of power who may seek to deprive you of your rights. Government is merely a more loathsome oppressor due to their self-granted monopoly on the use of force.

And that power can indeed be abused to silence things like web hosts. It matters not one whit if the order comes from the government directly, or indirectly via "morality" laws (e.g., wholesale prohibitions on gambling and porn sites due to jurisdictional ambiguities), or just hosting providers collectively deciding no "assholes" should be allowed to have their say. When you prevent the potential of there being consequences, you've gone too far.

My impossibly stupid point is that you should not feel you are in the right when you keep other people from hearing something you don't like. No matter how small the forum is, if it has any respect for free speech at all, it should allow people to criticize it. I'm not saying assholes should be given carte blanche for any wild rantings that they vomit up (I, for instance, readily cull the spam comments here), but merely that it is a free speech issue if any X has the power to keep you from saying "Fuck X".

My Kind of Silly

Catching up on some podcasts, I have a new favorite word:

Consilience

Everyone involved gets the Impossibly Stupid Seal of Approval.

Target CC fraud may be even bigger than reported

You probably heard the story about an "issue" with Target's charge card processing. I didn't worry too much about it at the time because I hadn't shopped at Target in the given November 27 to December 15 window. In fact, the last time my records showed I used my credit card there was way back on October 16.

Needless to say, I was quite surprised to find a fraudulent charge on my latest CC statement. It was very similar to what other targeted-Targeters have reported seeing: a charge for $9.84 by FEOSAC.COM. Perhaps coincidentally, or perhaps not, it was made on the 13th and posted on the 16th of December, right around the time the Target breach was being detected and stopped.

I, of course, called my credit card company as soon as I spotted the fraud, but they didn't immediately attribute it to Target because it was outside their given window. It was unclear to me if they would be investigating it further. But if it wasn't taken from Target, that only means that some other data breach is waiting to be revealed . . . and I'd be screwed again if I've used my new card by the time that news hits.

Who is in control at the Los Angeles Department of Water and Power?

It's been a long time since I called out anyone on their bad security practices, but some recent activity has sparked my signal analysis curiosity once again. It all started with a spam attempt from 134.201.250.156 which resolves to:

156.250.201.134.in-addr.arpa domain name pointer wp16vmtmg2.ladwp.com.

The owner of ladwp.com being, of course, the titular LADWP. Given that's a rather important organization in a rather large metropolitan area, I decided to dig deeper. Here is what the log file shows for the time around their access:

217.237.177.6 - - [14/Jul/2013:22:57:31 -0700] "GET /comment/reply/30 HTTP/1.0" 403 561 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
217.237.177.6 - - [14/Jul/2013:22:57:33 -0700] "GET / HTTP/1.0" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
124.207.34.91 - - [14/Jul/2013:22:57:38 -0700] "GET /comment/reply/30 HTTP/1.0" 403 561 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
124.207.34.91 - - [14/Jul/2013:22:58:08 -0700] "GET / HTTP/1.0" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
41.87.131.84 - - [14/Jul/2013:22:58:38 -0700] "GET /comment/reply/30 HTTP/1.0" 403 561 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
41.87.131.84 - - [14/Jul/2013:22:59:29 -0700] "GET / HTTP/1.0" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
112.124.39.177 - - [14/Jul/2013:23:00:28 -0700] "GET /comment/reply/30 HTTP/1.0" 403 467 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
112.124.39.177 - - [14/Jul/2013:23:00:30 -0700] "GET / HTTP/1.0" 403 459 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
41.87.131.84 - - [14/Jul/2013:23:00:31 -0700] "GET /comment/reply/30 HTTP/1.0" 403 561 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
41.87.131.84 - - [14/Jul/2013:23:01:22 -0700] "GET / HTTP/1.0" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
218.108.170.170 - - [14/Jul/2013:23:02:15 -0700] "GET http://www.impossiblystupid.com/comment/reply/30 HTTP/1.0" 403 524 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
218.108.170.170 - - [14/Jul/2013:23:02:16 -0700] "GET http://www.impossiblystupid.com/ HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
54.245.237.153 - - [14/Jul/2013:23:02:24 -0700] "GET /comment/reply/30 HTTP/1.1" 403 561 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
54.245.237.153 - - [14/Jul/2013:23:02:28 -0700] "GET / HTTP/1.1" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
112.124.39.177 - - [14/Jul/2013:23:02:33 -0700] "GET /comment/reply/30 HTTP/1.0" 403 467 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
112.124.39.177 - - [14/Jul/2013:23:02:35 -0700] "GET / HTTP/1.0" 403 459 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
119.184.214.18 - - [14/Jul/2013:23:02:42 -0700] "GET /comment/reply/30 HTTP/1.0" 403 524 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
107.20.91.72 - - [14/Jul/2013:23:03:28 -0700] "GET /http://www.impossiblystupid.com//comment/reply/30 HTTP/1.1" 403 594 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
107.20.91.72 - - [14/Jul/2013:23:04:18 -0700] "GET / HTTP/1.1" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
124.207.34.91 - - [14/Jul/2013:23:05:31 -0700] "GET /http://www.impossiblystupid.com//comment/reply/30 HTTP/1.0" 403 594 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
124.207.34.91 - - [14/Jul/2013:23:05:57 -0700] "GET / HTTP/1.0" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
134.201.250.156 - - [14/Jul/2013:23:07:17 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 200 3232 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
212.42.116.148 - - [14/Jul/2013:23:07:50 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 403 609 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
212.42.116.148 - - [14/Jul/2013:23:08:00 -0700] "GET / HTTP/1.1" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
37.139.3.32 - - [14/Jul/2013:23:08:00 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 403 609 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
37.139.3.32 - - [14/Jul/2013:23:08:51 -0700] "GET / HTTP/1.1" 403 545 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
201.211.233.224 - - [14/Jul/2013:23:09:44 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.0" 403 572 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
201.211.233.224 - - [14/Jul/2013:23:09:59 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
91.121.34.130 - - [14/Jul/2013:23:10:19 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 403 609 "-" "-" 
117.20.61.244 - - [14/Jul/2013:23:12:59 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 200 3232 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
134.201.250.156 - - [14/Jul/2013:23:13:02 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 200 3232 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
134.201.250.156 - - [14/Jul/2013:23:13:04 -0700] "GET / HTTP/1.1" 200 42717 "http://www.impossiblystupid.com/" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:13:58 -0700] "GET /comment/reply/114 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/114" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:13:58 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/114" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:13:59 -0700] "GET /comment/reply/113 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/113" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:13:59 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/113" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:13:59 -0700] "GET /comment/reply/112 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/112" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:00 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/112" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:00 -0700] "GET /comment/reply/111 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/111" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:00 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/111" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:01 -0700] "GET /comment/reply/110 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/110" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:01 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/110" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:02 -0700] "GET /comment/reply/108 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/108" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:02 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/108" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:02 -0700] "GET /comment/reply/107 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/107" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:03 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/107" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:03 -0700] "GET /comment/reply/106 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/106" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:03 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/106" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:04 -0700] "GET /comment/reply/114 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/114" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:04 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/comment/reply/114" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:05 -0700] "GET /node/114 HTTP/1.0" 403 516 "http://www.impossiblystupid.com/node/114" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 
89.77.129.234 - - [14/Jul/2013:23:14:05 -0700] "GET / HTTP/1.0" 403 508 "http://www.impossiblystupid.com/node/114" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10" 

The first thing that jumps out is the main user agent given:

"Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10"

A quick search turns up a reference to MR SPUTNIK Spam/Hacker Bot, confirming that these people likely lost control of their computers (aka, they were hacked). That's not good news for the Los Angeles Department of Water and Power!

Going down the list, we see entries from Germany, China, Africa, Kyrgyzstan, Netherlands, Venezuela, Indonesia, and Poland. In the United States, we see Amazon's EC2 servers. For the most part, they got back a 403 error, which means that most of them are "repeat offenders", and have been blocked for previous abuse. And I have now blocked LADWP as well.

They're probably all part of a botnet, but given the nature of malware, any one of them could be the root abuser. On that note, one particular entry in the middle was the odd man out:

91.121.34.130 - - [14/Jul/2013:23:10:19 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 403 609 "-" "-" 

That IP resolves to gsdn.me which is an anonymizing server in France. Probably not activity from the control node, but extra suspicious nonetheless.
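The triage described above, written out as an added example (not the author's own tooling): it parses combined-format log lines, finds user agents shared by many addresses, and lists which of those addresses were still being served instead of getting a 403. The function names and the `min_ips=3` threshold are assumptions; the sample lines are copied from the excerpt above.

```python
import re
from collections import defaultdict

# Apache "combined" log format, matching the excerpt on this page.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Eight lines copied from the log excerpt above (a subset, to keep this short).
SAMPLE_LOG = '''\
217.237.177.6 - - [14/Jul/2013:22:57:31 -0700] "GET /comment/reply/30 HTTP/1.0" 403 561 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10"
218.108.170.170 - - [14/Jul/2013:23:02:15 -0700] "GET http://www.impossiblystupid.com/comment/reply/30 HTTP/1.0" 403 524 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10"
107.20.91.72 - - [14/Jul/2013:23:03:28 -0700] "GET /http://www.impossiblystupid.com//comment/reply/30 HTTP/1.1" 403 594 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10"
134.201.250.156 - - [14/Jul/2013:23:07:17 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 200 3232 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10"
91.121.34.130 - - [14/Jul/2013:23:10:19 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 403 609 "-" "-"
117.20.61.244 - - [14/Jul/2013:23:12:59 -0700] "GET /http:/www.impossiblystupid.com/comment/reply/30/comment/reply/30 HTTP/1.1" 200 3232 "http://www.impossiblystupid.com/comment/reply/30" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10"
134.201.250.156 - - [14/Jul/2013:23:13:04 -0700] "GET / HTTP/1.1" 200 42717 "http://www.impossiblystupid.com/" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10"
89.77.129.234 - - [14/Jul/2013:23:13:58 -0700] "GET /comment/reply/114 HTTP/1.0" 403 525 "http://www.impossiblystupid.com/comment/reply/114" "Opera/9.80 (Windows NT 5.1; Edition Ukraine Local) Presto/2.12.388 Version/12.10"
'''


def parse(log_text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def shared_agents(entries, min_ips=3):
    """User agents presented by at least min_ips distinct addresses.

    One exact UA string arriving from unrelated networks points at a common
    tool rather than a common browser. min_ips=3 is an assumed threshold.
    """
    ips_by_ua = defaultdict(set)
    for e in entries:
        if e["ua"] not in ("", "-"):
            ips_by_ua[e["ua"]].add(e["ip"])
    return {ua: ips for ua, ips in ips_by_ua.items() if len(ips) >= min_ips}


def not_yet_blocked(entries, flagged_uas):
    """Addresses that sent a flagged user agent and were still served (2xx)."""
    return sorted({e["ip"] for e in entries
                   if e["ua"] in flagged_uas and 200 <= e["status"] < 300})


def mangled_targets(entries):
    """Addresses whose request target is an absolute URL or has a scheme
    glued into the path. Absolute-form targets are legal when talking to a
    proxy, so on an origin server they are a hint, not proof."""
    return sorted({e["ip"] for e in entries
                   if re.match(r'(?i)/?https?:/', e["target"])})


def blank_agents(entries):
    """Addresses that sent no user agent at all (logged as "-")."""
    return sorted({e["ip"] for e in entries if e["ua"] in ("", "-")})


def triage(log_text):
    entries = parse(log_text)
    flagged = shared_agents(entries)
    return {
        "flagged_agents": {ua: sorted(ips) for ua, ips in flagged.items()},
        "not_yet_blocked": not_yet_blocked(entries, flagged),
        "mangled_targets": mangled_targets(entries),
        "blank_agents": blank_agents(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The `not_yet_blocked` list is the actionable part: those addresses share the flagged user agent but have not yet been added to the deny list.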

So, NSA, instead of casting a net so wide you trample on the rights of the people who bankroll your indiscretions, why haven't you instead focussed on known problems like these? Why am I, Impossibly Stupid, the one who sees that the LADWP has been compromised? Once the bad guys realize that a hacked machine on the inside of an important organization has more value than sending comment spam to a random blog, things are going to get real messy.

'merica: Yeah!

Well, it's been a couple years since my last Independence Day post, so here we go again. No lamentations from me this time, because I've found a proxy via this recent TED talk:

Eric X. Li: A tale of two political systems

Cryptically Omphaloskeptical

I don't spend time on social networks. Hell, I hardly spend time on this blog, or other sites I maintain. But one of those sites, mainly for the Subsume board game, has an appropriate quote today (in the daily cipher feature, for all you cryptogram/cryptoquote fans) by Cyril Connolly:

Better to write for yourself and have no public, than to write for the public and have no self.

Affinity Plus Federal Credit Union: Widespread Ethical Lapses

It's always disappointing when someone abuses your trust. It's troubling enough when a random business does it, but it is flat out unacceptable when a financial institution proves itself corrupt. I stopped doing business with TD Ameritrade when their insecure handling of my account info led to me getting spammed. On this very blog I gave my account of how harassing phone calls forced me to cancel my credit card with Citi. Now it seems I have another tale of woe regarding a financial institution that I joined in college, over 20 years ago, known then as State Capital Credit Union (SCCU) but now named Affinity Plus.

Mon 21 January 2013 Received Employment Spam

This previously discussed email cluttered up my inbox.

Tue 22 January 2013 Reported Spam Using Web Form

Since I didn't know the provenance of the spam, I didn't think it was something that was a high priority. And I also wanted to include a copy of the message, so I used their online contact web form:

https://www.affinityplus.org/support/contact-us

My question to them was fairly straightforward: was this spam someone pretending to be from Affinity Plus, or was Affinity Plus itself actually looking to hire via spam? They promise a response in 2 business days.

Tue 29 January 2013 Requested Status Using Web Form

After a week of waiting, I again used their web form to ask for a status report on the issue.

Fri 01 February 2013 Called Support Line

Still no response. Figuring their online support services are broken, I gave up and called in to the phone support number.

I spoke to someone named Chelsea, and I explained my concerns about this strange spam I had gotten that claimed to be from Sara Pook in HR. Chelsea confirmed that Sara was an actual person at Affinity Plus, and said she would further look into the issue. She then called me back to let me know that she couldn't immediately get ahold of Sara and, it being Friday afternoon, she might not have an answer until Monday.

Mon 04 February 2013 Determined HR Was At Fault

Chelsea got back to me to let me know that the email had indeed been sent on purpose. I let her know that the use of spam was not only unethical, but potentially illegal. I asked to escalate the issue to someone either in the legal department or in IT, those commonly having the best knowledge of why spam is unacceptable and what to do to fix the problem. Chelsea said she would take care of it.

I instead got a call from Sara Pook. From my conversation with her, it quickly becomes apparent that even the head of HR is aware that these emails are being sent, but nobody in the HR department sees it as spam. I again restate my desire to talk with someone in legal or IT, who will know what spam is and will be in a better position to explain to her in detail why it is wrong. Sara says she will take care of escalating the issue.

Tue 05 February 2013 Arranged To Speak With IT

Sara called me back late in the day to inform me that the VP of IT, Cary Tonne, will be able to talk with me tomorrow.

Wed 06 February 2013 Determined IT Was Complicit

Right from the start it became clear that Cary wasn't going to be helpful. His opening comment is that he didn't know what to call the issue we'd be discussing, to which I replied "Spam. Let's call it what it is. It's spam." He refused to acknowledge that spam was at issue, and was more interested in defending Affinity Plus' current practices.

He said that he didn't have a problem with sending these emails because some people might want to see them, and that they (presumably speaking for HR) were happy with the results. That is the same broken logic that all spammers use!

I then further pointed out to him that there are security implications when you hire people who purposefully click on the contents of any random email they receive, and that those are not the qualities you should be looking for when hiring at a financial institution. He, again, saw no problem with that.

When it was abundantly clear that Cary did not recognize the wrongdoing, nor would he inform/help HR fix it, I again asked to escalate the problem to someone who would recognize the seriousness of the issue(s) at hand and would address it.

I was then contacted by COO Keith Malbrue, who left a message saying he would look into the matter further.

Thu 07 February 2013

No response.

Fri 08 February 2013 Requested Status From COO

No response. At the end of the day, I leave Keith a voice mail message asking him how things are progressing. He returns the call later that same evening (leaving a voice mail for me) saying that he would be available to talk early Monday morning.

Mon 11 February 2013 Escalated to Supervisory Committee

I call Keith, and he seems overall rather disinterested in the problem. I informed him that I find it disturbing how widespread these ethical lapses are across Affinity Plus, and that I'm really, really trying to find someone inside the organization who actually understands what is wrong and can fix it. He makes no admissions or offers to do anything himself; I am shocked that a COO would be so negligent and/or powerless. Instead, Keith pushes the matter off to Bill Halloran, a member of Affinity Plus' Supervisory Committee, which was meeting the very next day. I agree to write up the incident (which is substantially what you're reading here) for him to pass along to them.

Thu 14 February 2013 Requested Status Report

Having had no response regarding the Supervisory Committee meeting on Tuesday, late in the day I send another email to Keith asking him what the outcome was.

Fri 15 February 2013 The Wait Begins

Keith responds letting me know that the Supervisory Committee was investigating the matter, and would have their results for me next week.

Mon 25 February 2013 Received Result

I finally receive a letter (actual postal mail) dated February 21st, which I may post in a later entry. The substance of the response is that (surprise, surprise) the Supervisory Committee, too, came to the conclusion that Affinity Plus was not spamming. They had nothing to say about the fact that HR employees were lying in the messages. They had absolutely nothing to say regarding their security vulnerabilities or improper hiring practices that the messages bring to light. My mention that their contact web form was broken only got a seemingly confused mention.

At no time did they even contact me as part of their investigation to clarify any of the issues I had raised. At this time, I see no evidence that anyone at Affinity Plus had any sincere interest in finding or fixing the unethical, potentially illegal, practices. This is not the outcome I was expecting.

It was on this day I started unwinding my 20+ year history of doing my personal banking through Affinity Plus. All their talk of community and core values appears to be nothing more than a lie these days. As soon as I can be sure that all my automated payments have been transferred to (hopefully) more respectable financial institutions, I will no longer be a member of Affinity Plus Federal Credit Union.

Employment Scam: The Dissection

The job situation in America is still pretty bad, and a lot of unscrupulous people run employment scams that make a bad situation even worse for the gullible targets they find. Here is an example of a recent message that came my way:

Return-Path: <affinity.ma@proactmail.com>
X-Original-To: TheUniqueEmailAddress
Received: from 124-93.rs.smtp.com (124-93.rs.smtp.com [74.91.93.124])
by homiemail-mx7.g.dreamhost.com (Postfix) with ESMTP id 913CFCF3B0
for <TheUniqueEmailAddress>; Mon, 21 Jan 2013 07:15:07 -0800 (PST)
X-MSFBL: bWlubmVzb3Rhd29ya3MubmV0QDFxMjAxMy5zdWJzdW1lLmNvbUA3NF85MV85M18x
MjRAcHJvYWN0cmVjcnVpdG1lbnRzX2RlZGljYXRlZF9wb29sQA==
DKIM-Signature: v=1; a=rsa-sha256; d=smtp.com; s=smtpcomcustomers; c=relaxed/simple;
q=dns/txt; i=@smtp.com; t=1358781306;
h=From:Subject:To:Date:MIME-Version:Content-Type;
bh=+BpE3+2xPuv53JLzfXaenJw0MAsmMQRLiEakwDUnI0c=;
b=vo0u7bqzwTU/f2qBoPPo6Bb5AxyU04FJR45G8LVq2hRfC9IyjZ5wVKGlj7XH31jZ
OF7NgzGRICV4UPHiAbTrlQcBpAJHlnJBDuazwpOo/vy6Edij1NwqVV6x+gUWjB51
TBbC6z9xEC/gachIr7rPh63dAC2lFJ/cdkAfe/WOFLA=;
Received: from [173.8.118.229] ([173.8.118.229:4825] helo=proactmail.com)
by rs-ord-mta04.smtp.com (envelope-from <affinity.ma@proactmail.com>)
(ecelerity 3.3.2.44647 r(44647)) with ESMTP
id 97/7C-28209-A7B5DF05; Mon, 21 Jan 2013 15:15:06 +0000
Received: from adama ([192.168.0.6]) by proactmail.com
with SMTP (Code-Crafters Ability Mail Server 2.71);
Mon, 21 Jan 2013 09:15:06 -0600
Thread-Topic: Member Advisor Position
thread-index: Ac336hf6aTVkpTuBQn60y2G+ByO7Og==
From: <affinity.ma@proactmail.com>
To: <TheUniqueEmailAddress>
Subject: Member Advisor Position
Date: Mon, 21 Jan 2013 09:15:06 -0600
Message-ID: <24C710292B774A3D888964EA64AE754C@Metrisource.local>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0190_01CDF7B7.CD605210"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3959
X-SMTPCOM-Tracking-Number: d460876a-94a8-4749-bbf3-a61bf99a3f5b
X-SMTPCOM-Sender-ID: 81499
X-SMTPCOM-Spam-Policy: SMTP.com is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to abuse@smtp.com

This is a multi-part message in MIME format.

------=_NextPart_000_0190_01CDF7B7.CD605210
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Hello Darrin,

My name is Sara Pook, and I work on the Human Resource Team for Affinity
Plus Federal Credit Union. I recently saw your resume on-line and I feel
that your background along with your experience would be a potential fit
for our Member Advisor position that we have available in our Roseville
Branch. Please review the following information below, and if you feel
you are both qualified and interested, follow the directions below to
apply.

As a Member Advisor, we expect you to connect with our members, assist
them with routine banking needs and partner with them through
significant life events. We expect you to build relationships founded on
trust with our members, which includes making decisions that are aligned
with what is right for each individual member, taking ownership of your
own development and delivering a meaningful experience for our members.
Being a Member Advisor at Affinity Plus is a career where you place
people over profits. Our ideal candidates will have to have an intrinsic
drive to connect with people, an enthusiasm to seek creative ways to
make a difference in each member's life and a tenacity to find solutions
that might not be the ones you have tried in the past. Affinity Plus is
a fast-paced and innovative environment that is both challenging and
rewarding.

A career at Affinity Plus is not for the temporary job-seeker, but it IS
for those who are passionate about impacting the lives of others. If
this position sounds like the fulfilling career you are seeking, please
visit us at http://www.affinityplus.org
<http://www.metrisource.com/Ess/ClickThrough.asp?URL=http://www.affinity
plus.org&ID=1019&CID=8132446> and apply online.

We are an organization that celebrates diversity. EOE.

Thank you,

Sara Pook
HR Specialist | Affinity Plus Federal Credit Union
175 W Lafayette Frontage Rd | St. Paul, MN 55107

Go to http://www.metrisource.com/donotsend/ to be added to the Do Not
Send list and enter CODE: 172-8132446 or you may simply reply to this
email with the phrase REMOVE ME in the subject line.

------=_NextPart_000_0190_01CDF7B7.CD605210
Content-Type: text/html
Content-Transfer-Encoding: 7bit

<html><body><font size=2 face=tahoma>Hello Darrin,<br>
<br>

<p>My name is Sara Pook, and I work on the Human Resource Team for Affinity Plus Federal Credit Union. I recently saw your resume on-line and I feel that your background along with your experience would be a potential fit for our Member Advisor position that we have available in our Roseville Branch. Please review the following information below, and if you feel you are both qualified and interested, follow the directions below to apply.</p>

<p>As a Member Advisor, we expect you to connect with our members, assist them with routine banking needs and partner with them through significant life events. We expect you to build relationships founded on trust with our members, which includes making decisions that are aligned with what is right for each individual member, taking ownership of your own development and delivering a meaningful experience for our members. Being a Member Advisor at Affinity Plus is a career where you place people over profits. Our ideal candidates will have to have an intrinsic drive to connect with people, an enthusiasm to seek creative ways to make a difference in each member's life and a tenacity to find solutions that might not be the ones you have tried in the past. Affinity Plus is a fast-paced and innovative environment that is both challenging and rewarding.</p>

<p>A career at Affinity Plus is not for the temporary job-seeker, but it IS for those who are passionate about impacting the lives of others. If this position sounds like the fulfilling career you are seeking, please visit us at <a href="http://www.metrisource.com/Ess/ClickThrough.asp?URL=http://www.affinityplus.org&ID=1019&CID=8132446">http://www.affinityplus.org</a> and apply online.</p>

<p>We are an organization that celebrates diversity. EOE. <br>
<br>
Thank you,<br>
<br>
Sara Pook<br>
HR Specialist | Affinity Plus Federal Credit Union <br>
175 W Lafayette Frontage Rd | St. Paul, MN 55107
</p></font><p></p><p></p><p><font face=Arial size=-2>Go to http://www.metrisource.com/donotsend/ to be added to the Do Not Send list and enter CODE: 172-8132446 or you may simply reply to this email with the phrase REMOVE ME in the subject line.</font></p></body></html>
------=_NextPart_000_0190_01CDF7B7.CD605210--

Now you may get emails like that every day and just let the filters delete them without a second's thought. I, however, rarely get such messages because of the way I manage my contacts. Even more significant is the fact that the purported employer, Affinity Plus, is actually the credit union I have been a member at for over 20 years! Clearly I had to look into this further.

Is it spam? Check!

The email address used, for which I substituted TheUniqueEmailAddress, is not the one I've given to Affinity Plus for my regular financial business. Rather, it has been harvested from the resume that I had listed on the State of Minnesota's employment site. And at the exact same time I got the above message, I also got 3 other spam messages in the same vein (e.g., Sale Position at Farmers Insurance). Nothing could more clearly be unsolicited bulk email. Such use of harvested email addresses may even be illegal under the CAN-SPAM Act of 2003.

Is it fraudulent? Check!

Although the link in the body claims to send you to affinityplus.org, it actually sends you to metrisource.com. It is dangerous to click on such a link, or really to click anything in such an untrusted email. An employment scam might misdirect you to anything from a drive-by download that installs malware on your computer to more direct phishing attempts that try to get your personal information with the intent of identity theft.
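The link check described above, as an added example (not code from the original post): it pulls each anchor out of an HTML mail part and compares the host the reader sees with the host the link really goes to. The first anchor in the sample is copied from the message above and the second is constructed as a benign control; the function names and the simple "strip www." site comparison are assumptions, not a full public-suffix check.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# First anchor: copied from the HTML part of the message above.
# Second anchor: constructed here as a control that should not be flagged.
SAMPLE_HTML = (
    '<p>please visit us at <a href="http://www.metrisource.com/Ess/ClickThrough.asp'
    '?URL=http://www.affinityplus.org&ID=1019&CID=8132446">'
    'http://www.affinityplus.org</a> and apply online.</p>'
    '<p><a href="http://www.affinityplus.org/">http://www.affinityplus.org</a></p>'
)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased hostname of an http(s) URL, or None if value is not one."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None


def site(host):
    """Crude site key: the hostname without a leading 'www.' (assumption)."""
    return host[4:] if host.startswith("www.") else host


def under_domain(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def audit_links(html, claimed_domain):
    """One finding per anchor, for a message claiming to be from claimed_domain."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        shown_host = host_of(text)
        query = parse_qsl(urlsplit(href).query)
        findings.append({
            "href_host": href_host,
            "shown_host": shown_host,
            # The text shows one site while the link goes to another.
            "text_href_mismatch": shown_host is not None
            and (href_host is None or site(href_host) != site(shown_host)),
            # The link leaves the organisation the message claims to be from.
            "off_brand": href_host is None
            or not under_domain(href_host, claimed_domain),
            # Query values that are themselves URLs: a click-through redirector.
            "redirect_to": [v for _, v in query if host_of(v)],
            # Remaining parameters, typically per-campaign or per-recipient IDs.
            "tracking": {k: v for k, v in query if not host_of(v)},
        })
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML, "affinityplus.org"):
        print(finding)
```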

Is it Affinity Plus?

This became the important question. There were a couple possibilities that came to my mind.

Someone is fraudulently claiming to be Affinity Plus

This possibility is the most straightforward. If someone is pretending to be them on the Internet, I am certain Affinity Plus would take action to end it. All I have to do is contact them to let them know it is happening, and they'll take care of the rest.

Affinity Plus is engaged in the fraud themselves

This possibility is the most disturbing. The body of the spam has a person claiming to have read my resume, but anyone who has actually read my resume would see pretty quickly that I am a software architect and developer, which is nothing like the Member Advisor position offered in this spam (or the Sales positions offered in the other spam). But beyond the ethical lapse of that claim, a more disturbing picture is painted: If Affinity Plus HR is the true source of these emails, that means they are intentionally seeking out and hiring employees that have unsafe, insecure habits when it comes to handling electronic communications. That's not reassuring to me as a member and, because their deposits are insured by the NCUA, every taxpayer has to foot the bill when there is a breach in security.

Either way, I decided to ask them if they knew this was going on.

Which was it?

Stay tuned next week for the post where I reveal my findings.

Update: The timeline is now available.

Democrats Double-Down On Crazy

Republicans take note: when someone raises an insane topic, you are better off not agreeing with them, but instead laughing at them. Or, better, laughing with them.

White House responds to Death Star petition

The only Presidential poll that still matters

Due to recent election results, it looks like I'm able to extend the time of the beard poll for another 48 months. But don't wait! Lame Duck Beard currently has just a 4 point lead, so there is plenty of room for all the oh-so-important undecided voters to step up and swing the results.
