Archive for the 'Rants' Category

Google – putting the “cheat” into escheat

On August 14th, I received an email from Google saying that my Google Pay balance of 38 cents was to be forfeited in 9 days unless I took some specific action:


This image is clickable to display a larger version.

Merriam-Webster defines escheat as “the reversion of property to the crown in England or to the state in the U.S. when there are no legal heirs”

In general, in order to be escheated, property needs to be both unclaimed and owned by someone who cannot be identified. Neither of these is the case here, as obviously Google knows these are my funds and how to contact me (as well as lots of other data they’ve collected on me and anyone else who has ever used any of their services).

So I clicked on the “contact us” link, which was as unhelpful as ever* – if you or your company aren’t paying Google, you’re a product to be sold, not a customer to be assisted. Inventory doesn’t get to complain.

If I had been able to contact anyone/anything at Google that had even an ounce of common sense, I would have asked for this to be transferred to my Google Play Store account, which gets used several times a month. Instead, Google is presumably going to add my info to a giant spreadsheet, along with everyone else they’re escheating that lives in my state, and send the spreadsheet and a single check to my state.

Just out of sheer orneriness, I’m going to wait for my 38 cents to be processed by my state and then I’m going to request a check be sent to me for the 38 cents. It would be fantastic if enough people did this that someone in one or more states goes “WTF?” and complains to Google that Google is making the state pay to return funds to Google’s customers because Google is too lazy to do so itself. I’d love to see a class action** over this, but that’s being way too optimistic.

At best, someone searching for “google escheat” may come across this page in search results.

* When I ordered a Pixel 3XL phone direct from Google and they reduced the price by $200 before I’d even received my order, their canned response was that I could return it, pay the restocking fee, and re-order it at the new lower price. When pressed, their “official” position was that I should join Reddit, send a direct message explaining the situation to someone named “Ziggy”. Bizarrely, that eventually worked. Ziggy’s email signature read “Ziggy / Platinum Google Product Expert & Mentor / Docs, Fi, and Pixel”. One heck of a way to run a company.

** I’m hopeful that many of the class action suits which don’t return any meaningful funds to the class members still serve as an incentive for the company being sued to stop doing whatever they did that led to the class action suit in the first place. Google seems to hold the opinion that they can pay their way out of their various legal issues with trivial amounts of money (for example, an hour’s worth of profits) and keep on doing what they’ve been doing. Even if the US doesn’t have any taste for a battle with Google, the European Union certainly seems to be spoiling for a fight.

Will the REAL Baofeng please speak up?

There is a huge variety of radios sold under the “Baofeng” (officially, Fujian [Nan’an] Baofeng Electronics Co.) name. Some are probably official private label models, some are outright fakes, and some fall somewhere in between. To confuse things further, Baofeng originally didn’t bother to register their brand trademark in the US. Someone else did some “trademark squatting” by registering it. While this was playing out at the US Patent and Trademark Office (USPTO), Baofeng branded their radios as “Pofung”. Between the Baofeng / Pofung confusion, official private label models and the fakes, it is hard to tell if a particular “Baofeng” radio is legit or not.

To complicate things even further, at least two companies claim to be “the” official United States distributor of Baofeng radios:

https://baofengtech.com (who also refer to themselves as BTECH) state that “We have personally dealt with hundreds of counterfeit listings and have had them removed from marketplaces. Unfortunately, most sites will not prohibit the counterfeiter from creating another listing. The most effective means to stopping counterfeits is to buy direct from a BTECH authorized distributor.”

https://baofengradio.us claims “Baofeng Radio US is the Authorized Distributor of Baofeng products in the United States. All products ship from within the United States.”

In addition to those two, there are a large number of other sellers on Amazon, eBay, etc. who are also selling “Baofeng” radios.

The manufacturer isn’t helping the situation. Their Baofeng Official Website Announcement says “While Baofeng has worldwide distributors and resellers, products are all produced by Baofeng. The concept that radio not sold by one of the distributors is counterfeit is factually inaccurate.” Aside from that statement appearing to claim that anything marked with a “Baofeng” label is genuine, it does not provide a list of “worldwide distributors and resellers”, so anyone could represent that they’re a factory-authorized distributor or reseller and the purchaser has no way of telling if that is true or not. To confuse matters further, there are many “Certificate of Authorization” letters allegedly issued by the manufacturer listing dozens (if not hundreds) of entities that are “authorized”. These letters seem to come in a surprising variety of styles, and every one I’ve examined is expired. You can do a Google image search for yourself by clicking here.

My first experience with this situation was ordering a package of two “Baofeng UV-82HP” radios from Amazon in November 2019. This was a “too good to be true” deal with 2 radios, 4 batteries, 2 coiled combo speaker/microphones, 2 earpieces and two whip antennas. When I received them, there was no FCC ID number on/in the radio (required for them to be legally sold in the US) and after contacting the seller I was given the alleged FCC ID for these radios, which turned out to be for a different model entirely. I returned them to Amazon for a refund, stating that they were counterfeit. I also left a review saying the radios were counterfeit. Amazon approved and published my review and it showed up among several other reviews also stating that the radios were counterfeit. Apparently the seller complained, because my review and the other reviews mentioning “counterfeit”, “fake”, etc. were removed without explanation. That product listing is still active on Amazon, three and a half years later.

I eventually ordered replacement radios on Amazon from seller “BaoFeng Tech”. This is the same seller as https://baofengtech.com, also known as BTECH. In fact, their Amazon pages show both “Sold by BaoFeng Tech” and “Visit the BTECH Store”. They came with the expected FCC IDs inside and performed as expected. Since then I’ve been making sure to only order products that are sold by BTECH.

You can probably get the same radio from other sellers, particularly if you’re outside the US. But I decided to stop “rolling the dice” and always order from BaoFeng Tech / BTECH.

BTECH themselves are not helping the situation with their multiple brandings. Also, while their radios have customized battery compartment labels with their website listed and they have custom packaging distinct from any other seller I’ve seen, all of their BL-8 batteries had been mis-labeled (along with everyone else’s) as 2800mAh capacity instead of the actual 1700mAh capacity. This continued for many years until they introduced a new version of the BL-8 pack which includes a built-in USB-C charging port in the pack. That pack is correctly labeled as 18mAh. Unfortunately they didn’t change the part number, so a “BL-8” battery might or might not have USB charging depending on when it was made and who sold it. It makes me want to jump up and down and yell “You’re not helping!” regarding confusing naming.

Having said all that, BTECH does seem to be the most reliable supplier in terms of the product being exactly what it is represented to be.

Mini Review – Netgear WAX218 Business AX3600 access point

Executive summary: Utterly unsuitable for the task at hand. NOT recommended. Decent (probably) hardware let down by mediocre firmware.

I purchased a Netgear Business Essentials WiFi 6 AX3600 Dual Band Wall/Ceiling Mount, PoE Powered, Local Management access point for evaluation. I have several dozen older (non-AX) access points spread across a half dozen or so locations that I am looking to upgrade to AX3600. Based on a quick look at the specs, the Netgear WAX218 seemed as though it could be a potential candidate as a replacement model.

Before I go any further, I should mention that this is not a full review with lots of nice graphs showing throughput vs. number of clients, etc. – I didn’t get that far before giving up in disgust and boxing the unit up to return for a full refund.

In my opinion, a “Business” networking product should be able to be configured and deployed remotely, with on-site workers simply running the network cable (if there wasn’t one already), mounting the access point, and reporting the installation as complete so support can remotely configure and test the unit. The WAX218 fails to meet even this expectation. Initial configuration requires an on-site system with WiFi to connect to the special WAX218XXXXXX-CONFIG-ONLY SSID. The password is printed on the bottom of the unit, along with the actual SSID (replacing the X’s in the above example). After entering basic information such as the new admin password, the SSID and passphrase for the first WiFi network, etc., the WAX218 stores those and reboots – which takes an unusually long time. The next thing I did was update the 1.0.1.0 firmware that shipped with the unit to the latest 2.0.1.0 firmware found on Netgear’s support site. After uploading the firmware, the WAX218 goes catatonic for 10 minutes (!), displaying a countdown timer from 600 seconds until 0 seconds when it will resume communicating. This is accompanied by dire warnings not to interrupt the power, close the web session, etc.

With those preliminaries out of the way, I attempted to continue the configuration by connecting to the WAX218’s IP address over the hardwired Ethernet. After accepting my connection, it performed a redirect to https://routerlogin.com which gave me the message “You may not be connected to your Router’s WiFi network. To access routerlogin.com, your device must be connected to your Router’s WiFi network. Check your current connection and try again.” I then tried connecting via WiFi to the SSID I had defined in the initial configuration and got the same error. It appears the only way you can access the web management interface is via the dedicated WAX218XXXXXX-CONFIG-ONLY SSID. That pretty much rules out any remote management of these devices.

Next, I used the web interface to attempt to configure the timezone. The WAX218 allowed me to specify the offset from GMT, but required me to provide a specific start and end date for Daylight Saving Time (DST). It does not even support rules like “second Sunday in March”, so you need to remember to update the config on every WAX218 annually. What makes this particularly galling is that the WAX218 is running Linux as its underlying operating system. Linux comes with a very complete set of timezone rules for the whole world. Another annoying point is that when I clicked “Save” after making these changes, the WAX218 reported it was rebooting. This was a matter of just a few seconds, but config changes that don’t affect user connections should NOT affect user connections by rebooting the device.
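The complaint above is that a fixed start/end date is only right for the year it was typed in. The following example, added here and not part of the original review or anything Netgear ships, derives the US DST boundaries from the calendar rule (second Sunday in March to first Sunday in November, the US rule since 2007) and shows in which later years a fixed-date configuration entered in 2023 would still be correct. The function names and the 2023 scenario are assumptions made for this example.

```python
"""Why a fixed-date DST configuration breaks every year.

Added example (not from the original post or Netgear): computes the US
Daylight Saving Time boundaries from the calendar rule and checks whether
fixed dates entered for one year are still correct in another year.
"""
from datetime import date, timedelta

SUNDAY = 6  # date.weekday(): Monday == 0 ... Sunday == 6


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """Return the n-th (1-based) given weekday of a month, e.g. the 2nd Sunday in March."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7  # days until the first such weekday
    return first + timedelta(days=offset + 7 * (n - 1))


def us_dst_bounds(year: int) -> tuple[date, date]:
    """(start, end) of US DST for `year`: second Sunday in March, first Sunday in November."""
    return (nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1))


def fixed_config_is_correct(config: tuple[date, date], year: int) -> bool:
    """True if fixed start/end dates (month and day only) match the rule for `year`."""
    start, end = config
    rule_start, rule_end = us_dst_bounds(year)
    return ((start.month, start.day) == (rule_start.month, rule_start.day)
            and (end.month, end.day) == (rule_end.month, rule_end.day))


def years_config_stays_valid(config_year: int, horizon: int = 10) -> list[int]:
    """Years within `horizon` of config_year in which the fixed dates entered for
    config_year are still correct, i.e. no manual update of the device is needed."""
    cfg = us_dst_bounds(config_year)
    return [y for y in range(config_year, config_year + horizon)
            if fixed_config_is_correct(cfg, y)]


if __name__ == "__main__":
    # Constructed scenario: the dates were typed into a device in 2023.
    cfg = us_dst_bounds(2023)
    print("configured fixed dates:", cfg)
    for y in range(2023, 2029):
        print(y, us_dst_bounds(y), "fixed config still correct:", fixed_config_is_correct(cfg, y))
    print("years needing no update:", years_config_stays_valid(2023))
```

Because the weekday of a given calendar date shifts every year, the fixed dates from 2023 are wrong again from 2024 through 2027 and only line up again by coincidence in 2028, which is exactly the annual maintenance burden the review objects to.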

I then enabled the SSH server on the WAX218 and logged into it via SSH to see if there was any sort of a decent menu system. There isn’t – it is a very deep tree of commands, none of which can be abbreviated. Other than checking to make sure the timezone setup was equally brain-dead via the CLI and a few other things (including doing a reset to factory defaults before packing it up for a return and refund) I did not experiment with the CLI in depth. There did not appear to be any supported way to get to a Linux shell prompt to investigate if there was a timezone file there at all. Frankly, Netgear would have been better off using a character cell based browser like Lynx to access the WAX218 web server. At least that way the device would be remotely manageable.

I did examine the T-bar / ceiling mount bracket included with the WAX218. It was a flimsy-looking piece of plastic, not something I’d be comfortable having support a 1.75 pound device (yes, the WAX218 is huge and heavy) 8 feet or more over my head.

Net Neutrality isn’t the only problem

Today (July 12th, 2017) a large number of sites have joined together to raise awareness of the threats to network neutrality. For example, reddit has a pop-over window that slowly types a message beginning with “The internet’s less fun when your favorite sites load slowly, isn’t it?” This is certainly a valid concern, and many people, including myself, have legitimate concerns about how the Internet is regulated. But there are enough sites raising that point, so I’d like to talk about something different – how sites are “shooting themselves in the foot” with slow-loading (and often buggy) page content.

It all starts when a web site decides they want to track visitors for demographics or other purposes. There are a large number of “free”* tools available that will collect the data and let you analyze it in any way you like. Sure, it comes with some hidden Javascript that does things you can’t see, but hey – it is only one thing on a page of otherwise-useful content, right?

Next, the site decides they’d like to help cover the cost of running the site by having a few advertisements. So they add code provided by the advertising platform(s) they’ve selected. So their page now loads a bit slower, and users see ads, but the users will still come for the content, right? And the occasional malware that slips through the advertising platform and gets shown on their site isn’t really their fault, right? They can always blame the advertising platform.

Somewhat later, the site gets an “offer they can’t refuse” to run some “sponsored content”. The page gets even slower and users are having a hard time distinguishing actual content from ads. Clicking on what looks like actual content causes an ad to start playing, or triggers a pop-under, or any one of a number of things that make for an unpleasant user experience.

Once everyone is used to this, things appear to settle down. Complaints from users are infrequent (probably because they can no longer figure out how to contact the site to report problems). Everyone has forgotten how fast the site used to load, except for the users running ad blockers, cookie blockers, script blockers, and so on.

But one day a SSL certificate becomes invalid for some reason (expired, a site was renamed, etc.) and the users are now getting a new annoyance like a pop-up saying that the certificate for btrll.com is invalid. Most users go “huh?” because they weren’t visiting (or at least they thought they weren’t visiting) btrll.com. Clicking the “close” button lasts for all of a second before the pop-up is back, because that ad site is determined to show you that ad. In frustration, the user closes their browser and goes out to buy a newspaper.

By this point, perhaps 5% of the actual page content is from the site the user was intending to visit. The rest is user tracking, advertising, and perhaps a bit of malware. There is a free tool run by WebPagetest.org which will let you analyze any web site to see what it is loading and why it is slow.

Here is the result for the CNN home page:

Now, that’s too small to be able to read, so this is the first part of it (click on this image for a larger view):

The blue line at 21 seconds shows when the page finished loading, although you can see that Javascript from a number of advertising providers continues to run indefinitely.

Now, let’s take a look at Weather Underground. Surely just serving weather information would have far less bloat than CNN, right? Not really:

Now, that’s too small to be able to read, so this is the first part of it (click on this image for a larger view):

It does manage to load in less time than CNN, but it is still pretty awful.

In the spirit of full disclosure, here is the result for this blog page:

Since the entire report fits, I didn’t need to add an unreadably-small overview image.

If you manage a web site, I encourage you to try WebPagetest.org yourself and see why your site is slow. If you’re just a user, you can also use WebPagetest.org to see why the sites you visit are slow. If you’re using ad blocking or site blacklisting software while you browse, the list of hosts that are serving advertisements or other unwanted content will probably be useful to you when added to your block / blacklist.
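The two points above (how little of a page is first-party, and which third-party hosts belong on a blocklist) can be measured from a HAR capture, the JSON format that browser developer tools and WebPagetest can export. The script below is an added example, not from the original post and not WebPagetest’s own code: it tallies requests and bytes per host, flags everything outside the page’s own registrable domain as third party, and lists the third-party hosts by bytes served. The sample HAR is constructed for this example, and “registrable domain” is approximated as the last two DNS labels, an assumption that does not handle suffixes such as co.uk.

```python
"""First-party vs. third-party breakdown of a HAR capture.

Added example (not from the original post, not WebPagetest's code).
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample capture: a fictitious news page pulling in a tracker and an ad network.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"url": "https://www.example-news.test/"},
         "response": {"content": {"size": 42000}}},
        {"request": {"url": "https://static.example-news.test/site.css"},
         "response": {"content": {"size": 18000}}},
        {"request": {"url": "https://analytics.tracker.test/collect.js"},
         "response": {"content": {"size": 95000}}},
        {"request": {"url": "https://cdn.adnetwork.test/loader.js"},
         "response": {"content": {"size": 310000}}},
        {"request": {"url": "https://cdn.adnetwork.test/creative.mp4"},
         "response": {"content": {"size": 1200000}}},
        {"request": {"url": "https://sync.adnetwork.test/pixel.gif"},
         "response": {"content": {"size": 43}}},
    ]}
})


def registrable_domain(host: str) -> str:
    """Approximation (assumption): the last two labels of the hostname."""
    return ".".join(host.lower().split(".")[-2:])


def summarize_har(har_text: str, page_url: str) -> dict:
    """Per-host request and byte counts plus the first-party share of all bytes."""
    entries = json.loads(har_text)["log"]["entries"]
    site = registrable_domain(urlsplit(page_url).hostname or "")
    per_host = defaultdict(lambda: {"requests": 0, "bytes": 0, "third_party": True})
    total = first_party = 0
    for entry in entries:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        # HAR records -1 when the size is unknown; count that as zero.
        size = max(entry["response"].get("content", {}).get("size", 0), 0)
        rec = per_host[host]
        rec["requests"] += 1
        rec["bytes"] += size
        rec["third_party"] = registrable_domain(host) != site
        total += size
        if not rec["third_party"]:
            first_party += size
    share = first_party / total if total else 0.0
    return {"hosts": dict(per_host), "total_bytes": total, "first_party_share": share}


def blocklist_candidates(summary: dict) -> list[str]:
    """Third-party hosts ordered by bytes served: the hosts a user might add to a blocklist."""
    hosts = [(h, r["bytes"]) for h, r in summary["hosts"].items() if r["third_party"]]
    return [h for h, _ in sorted(hosts, key=lambda item: (-item[1], item[0]))]


if __name__ == "__main__":
    summary = summarize_har(SAMPLE_HAR, "https://www.example-news.test/")
    print(f"first-party share of bytes: {summary['first_party_share']:.1%} "
          f"of {summary['total_bytes']} bytes")
    for host in blocklist_candidates(summary):
        print(host, summary["hosts"][host])
```

To use it on a real capture, replace `SAMPLE_HAR` with the contents of an exported `.har` file and `page_url` with the page you loaded; the hosts it lists are candidates to review, not a verdict, since CDNs that serve the site’s own assets will also show up as third party under the two-label approximation.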

* As they say, “If you aren’t paying for it, then you are the product being sold”.

Is no crypto always better than bad crypto?

SSL (Secure Sockets Layer, the code that forms the basis of the https:// in a URL) can use any number of different encryption methods (protocols) and key strengths. While all of the protocols / strengths were presumed to be secure at the time they were designed, faster computers have made “cracking” some of the older protocols practical, or at least potentially practical. Additionally, concerns have been raised that some of the underlying math may have been intentionally weakened by the proponents (for example, NIST and the NSA) of those protocols. Perhaps an underlying flaw in the protocol has been discovered. Due to this, web browsers have been removing support for these older, insecure protocols.

Additionally, even if a protocol is still considered secure, a browser may start enforcing additional requirements for the SSL certificate used with that protocol. “Under the covers” this is a rather different situation, but for the purpose of this discussion I will lump them together, since the average user doesn’t care about the technical differences, only that a service that they used to be able to access no longer works.

In theory, this is a good idea – nobody wants their financial details “sniffed” on the way between you and your bank. However, the browser authors have decided that all usage of those older protocols is bad and should be prohibited. They make no distinction between a conversation between you and your bank vs. a conversation between you and another site (which could be a web server, UPS – battery backup, a water heater, or even a light bulb!) in your house or company. Instead, they force you to disable all encryption and communicate “in the clear”.

To add to the complexity, each browser does things in a different way. And the way a given browser handles a particular situation can change depending on the version of the browser. That isn’t too bad for Internet Explorer, which doesn’t change that often. Two other browsers that I use (Mozilla Firefox and Google Chrome) seem to release new versions almost weekly. In addition, the behavior of a browser may change depending on what operating system it is running under. Browsers also behave differently depending on when the host at the other end of the connection obtained its security certificate. A certificate issued on December 31st, 2015 at 23:59:59 is treated differently than one issued one second later on January 1st, 2016 at 00:00:00.

In the following discussion, the terms “site” and “device” are generally interchangeable. I sometimes use the term “device” to refer to the system the browser is attempting to connect to. “Site” might be a more accurate term, but for many users a “site” implies a sophisticated system such as an online store, while an intelligent light bulb is more a “device” than a “site”.

In a perfect world, people could just deal with the browser blocking issue by installing new software and / or certificates on all of the devices they administer. Sure, that would be a lot of work (here at home, I have several dozen devices with SSL certificates and in my day job, I have many hundreds of devices) and possibly expense (the companies that sell the certificates don’t always allow users to request updated certificates for free, and updated software to handle the new protocol may not be free – for example, Cisco requires a paid support contract to download updated software). However, it is not that “easy” – any given device may not have new software available, or the new software still doesn’t handle some of the latest protocols.

This leads to an unfortunate game of “whack-a-mole”, where a browser will change its behavior, a company will implement new software to deal with that new behavior, but by the time the software has gone through testing and is released, the browser has changed its behavior again and the updated software is useless. A number of vendors have just given up supporting their older products because of this – they have finite resources and they choose to allocate them to new products.

The browser authors seem to feel that this is just fine and that users should either turn encryption off or throw away the device and buy a new one. Since the “device” is often a management function embedded in an expensive piece of hardware, that simply isn’t practical. A home user may not feel that replacing a working device is necessary and a business likely won’t replace a device until the end of its depreciation cycle (often 3 or 5 years).

This strikes me as a very poor way for browsers to deal with the situation. Instead of a binary good / bad decision which the user cannot override, it seems to me that a more nuanced approach would be beneficial. If browsers allowed continued usage of these “obsolete” protocols in certain limited cases, I think the situation would be better.

First, I agree with the current browser behavior when dealing with “Extended Validation” sites. These are sites that display a (usually) green indication with the verified company name in the browser’s address bar. In order to purchase an EV certificate, the site needs to prove that they are who they say they are. For example, your bank almost certainly uses an EV certificate. Users should expect that sites with EV certificates are using secure methods to protect connections. If a site with an EV certificate is using an obsolete protocol, something is definitely wrong at that site and the connection should not be allowed.

Second, the current behavior is OK when dealing with well-known sites (for example, amazon.com). This is a little more difficult for browsers to deal with, as they would need to keep a list of sites as well as deciding on criteria for including a site on that list. However, there already is a “master list” of sites which is shared between various browsers – it is called the HSTS Preload list. It could be used for this purpose.

Now we get to the heart of the matter – how to deal with non-EV, non-well-known sites. Instead of refusing to allow access to a site which uses an insecure protocol, a browser could:

  • Display a warning box the first time a site is accessed via an insecure protocol and let the user choose whether or not to proceed.
  • Re-display the warning after a reasonable period of time (perhaps 30 days) and ask the user to re-confirm that they want to use the insecure protocol to access the site.
  • On each page, indicate that the page is using an insecure protocol. This could be done by displaying the URL in the address bar on a red background or similar. Google Chrome does something similar with its red strikethrough on top of the https:// in the address bar. Unfortunately, in most cases Chrome will simply refuse to access a site it deems insecure.
  • NOT require dismissing a warning each time the user accesses the site.
  • NOT require a non-standard way of specifying the site URL in the address bar, bookmarks, etc.

Security experts will probably be thinking “But… That’s insecure!” It certainly is, but is it less secure than using no encryption at all (which is what the browsers are currently forcing users to do)? I don’t think so. In many cases, both the user and the site they are connecting to are on the same network, perhaps isolated from the larger Internet. For example, most devices here are only accessible from the local network – they are firewalled from the outside world.

Technical note: I am only talking about insecure protocols in this post. There is a different issue of bugs (problems) in some particular implementation of SSL – for example, OpenSSL. However, those problems can usually be fixed on the server side by updating to a newer SSL implementation version and generally do not remove protocols as part of fixing the bug. My post is focused on servers that are too old and / or cannot be updated for some reason, which is a completely different issue from server implementation bugs.
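To make the proposal concrete, here is an added example (not from the original post and not any browser’s code) that models it in two parts: a classifier that decides whether a negotiated connection is “obsolete”, using roughly the criteria Chrome applies when it reports obsolete connection settings (protocol older than TLS 1.2, a key exchange without forward secrecy, or a non-AEAD cipher; that summary is an assumption), and a policy object that applies the rules above: always block for EV and HSTS-preloaded sites, otherwise prompt on first use, remember the answer, re-prompt after 30 days, and keep the page flagged instead of nagging. The names, the tiny preload sample, and the OpenSSL-style cipher-suite notation are assumptions for this example.

```python
"""A worked model of the browser policy proposed in the post.

Added example (not from the original post, not any browser's code).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# TLS 1.3 suites are written "TLS_AES_..." and always use an ephemeral key exchange.
FS_KEX_PREFIXES = ("ECDHE-", "DHE-", "TLS_")
AEAD_MARKERS = ("GCM", "CHACHA20-POLY1305", "CCM")

# Constructed stand-in for the HSTS preload list (assumption; the real list is large).
HSTS_PRELOAD_SAMPLE = {"example-bank.test", "example-shop.test"}
RECONFIRM_AFTER = timedelta(days=30)


def is_obsolete(protocol: str, cipher: str) -> list[str]:
    """Return the reasons a connection counts as obsolete (an empty list means it is fine)."""
    reasons = []
    c = cipher.upper()
    if protocol not in MODERN_PROTOCOLS:
        reasons.append(f"protocol {protocol} is older than TLS 1.2")
    if not c.startswith(FS_KEX_PREFIXES):
        reasons.append("key exchange without forward secrecy (e.g. static RSA)")
    if not any(marker in c for marker in AEAD_MARKERS):
        reasons.append("non-AEAD cipher (CBC, RC4 or 3DES)")
    return reasons


@dataclass
class Decision:
    action: str                      # "allow", "block", "prompt" or "allow-flagged"
    reasons: list[str] = field(default_factory=list)


@dataclass
class BrowserPolicy:
    # site -> when the user last confirmed they accept the obsolete connection
    accepted: dict[str, datetime] = field(default_factory=dict)

    def decide(self, site: str, protocol: str, cipher: str, ev: bool, now: datetime) -> Decision:
        reasons = is_obsolete(protocol, cipher)
        if not reasons:
            return Decision("allow")
        # Rules 1 and 2: EV sites and well-known (preloaded) sites get no exemption.
        if ev or site in HSTS_PRELOAD_SAMPLE:
            return Decision("block", reasons)
        # Rule 3: ask on first visit, and again once the acceptance is older than 30 days.
        last = self.accepted.get(site)
        if last is None or now - last > RECONFIRM_AFTER:
            return Decision("prompt", reasons)
        # Otherwise load the page but keep it visibly marked; no warning to dismiss each time.
        return Decision("allow-flagged", reasons)

    def user_accepts(self, site: str, now: datetime) -> None:
        """Record that the user chose to proceed at the prompt."""
        self.accepted[site] = now


def demo_sequence() -> list[str]:
    """Constructed scenario: an old UPS management card on the LAN, a bank, a preloaded shop."""
    policy = BrowserPolicy()
    t0 = datetime(2017, 1, 1)
    ups = ("ups.lan", "TLSv1.0", "AES256-SHA")
    actions = [policy.decide(*ups, ev=False, now=t0).action]                        # prompt
    policy.user_accepts("ups.lan", t0)
    actions.append(policy.decide(*ups, ev=False, now=t0 + timedelta(days=10)).action)  # allow-flagged
    actions.append(policy.decide(*ups, ev=False, now=t0 + timedelta(days=40)).action)  # prompt again
    actions.append(policy.decide("example-bank.test", "TLSv1.0", "AES256-SHA",
                                 ev=True, now=t0).action)                             # block (EV)
    actions.append(policy.decide("example-shop.test", "TLSv1.0", "AES256-SHA",
                                 ev=False, now=t0).action)                            # block (preloaded)
    actions.append(policy.decide("ups.lan", "TLSv1.3", "TLS_AES_128_GCM_SHA256",
                                 ev=False, now=t0).action)                            # allow
    return actions


if __name__ == "__main__":
    for action in demo_sequence():
        print(action)
```

The classifier is deliberately separate from the policy: it answers “is this connection weak?”, while the policy answers “who is on the other end and what has the user already agreed to?”, which is the distinction the post argues browsers currently collapse into a single block.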

What do you think? I’d like to see comments from end users and security experts – feel free to try to shoot holes in my argument. I’d love to see comments from browser authors, too.

Brother Printer Upgrade Follies

“Well, I’ve been to one world fair, a picnic, and a rodeo, and that’s the stupidest thing I ever heard…”
— Major Kong, Dr. Strangelove

That pretty much sums up my feelings about the firmware update “procedure” Brother provides for their printers. Some time ago I purchased a Brother HL-6180DW to replace an aging LaserJet 2200DN which had decided to either feed multiple sheets or no sheets from the paper tray.

I have no issues with the HL-6180DW as a printer – it has worked fine for over a year, does everything I ask it to, and successfully pretends to be the LaserJet 2200DN that it replaced so I didn’t have to update any drivers. However, I went to reconfigure it the other day to change its hostname and was greeted by the dreaded https strikethrough in Google Chrome (the “Your connection is using an obsolete cipher suite” error):

“No problem,” I thought to myself “I’ll just download the latest printer firmware.” I discovered that it is nowhere near that simple.

The first thing I did was download the latest updater from the Brother support site. Running the updater produced an unhelpful “Cannot find a machine to update.” error. Searching on the support site, this is apparently because I did not have the Brother printer driver installed. Of course I don’t – the whole purpose of this printer is to emulate printers from other manufacturers so people don’t have to install drivers when replacing the printer.

I then downloaded the printer driver from the Brother support site and ran it. It self-unpacked into a directory tree which contained no documentation. Fortunately, there was only one .exe. Unfortunately, running it appeared to have no effect other than popping up the Windows “Do you want to let this program make changes to your computer” alert box. Back to the Brother support site, where this support document bizarrely states:

“Case A: For users who connect the Brother machine to their computer using a WSD or TCP/IP port

Connect your computer to the Internet.
Connect the Brother machine to your computer with a USB cable.
The driver will be installed automatically.”

So, in order to install a network printer driver I don’t want, I have to find a USB cable and connect the printer to a PC via a USB port? That is downright bizarre… Armed with a USB cable, I do that and lo and behold, a new printer shows up which claims to be the Brother, attached via USB.

Back to the firmware update utility. Hooray! My printer is detected, and after agreeing that Brother can collect lots of information I don’t really want to give them, I finally get to click on a button to start the firmware update. After a long pause, it tells me that it cannot access the printer (which it detected just fine a few screens back). It tells me that I should check my Internet connection, disable the firewall, sacrifice a chicken, and try again. I proceed to:

  • Disable Windows firewall on my PC
  • Disable the Cisco firewall protecting my network
  • Disable IP security on the printer
  • Disable IPv6 on the printer
  • Disable jumbo frames on the printer

None of which has any effect whatsoever.

After more flailing around, I decide on a desperate measure – I will change the printer port from USB to TCP/IP in the printer properties. A miracle – running the update utility produces a request for the printer’s management password, after sending my personal data Yet Again to Brother (or is that Big Brother?). After an extended period of watching the progress bar move at a varying rate (and jump from 80-odd percent complete to 100% complete), the update has finished!

After making sure I can still print from the other computers that still think they’re talking to a LaserJet 2200DN, I go back into the PC I used for the updating and re-enable Windows Firewall. Then I re-enable the Cisco firewall protecting my Internet connection. Lastly, I restore all the settings that I changed on the printer.

“All is as it was before…”
— Guardian of Forever, Star Trek

Back to Chrome to make sure this fixes the https strikethrough… no such luck. Hours wasted for no gain.

I have NO IDEA why Brother thinks this is a good idea. Maybe they’re paranoid about people getting access to the firmware images (although anyone with access to the network and a copy of Wireshark could capture it “on the fly”). The update utility messages could be vastly improved, instead of the “Doh!” (Homer Simpson) that it does now. The support documentation could also be improved to actually explain what the utility needs in order to update the firmware.

Of course, my decade-old HP LaserJet 9000DTN came with an add-in network card which has a simple “Download firmware update from HP” button on its web management page (which, amazingly, still works despite HP having rearranged their web site multiple times since that card was new).

In a corporate network where I would have to get IT support involved in disabling my PC’s firewall, or (good luck!) disabling the corporate firewall in order to satisfy the Brother update utility, I think people would simply give up and not update the printer firmware.

And don’t think you can cheat and tell Brother you’re running Linux – the downloads for Linux don’t include a method to update the firmware.

A few more words of advice for used equipment sellers

Today I’m going to expand on the advice I provided in my earlier post, “A few words of advice for used equipment sellers”. Today I’m going to address the issues with “As-Is / Not Working / For Parts Only” listing types. These are terms used by eBay, but this advice also applies to anyone else selling equipment in this category.

In general, this type of item is offered by sellers at a lower price in the hope of recovering some money from a piece of equipment that is either not operating properly or is not able to be tested by the seller. Some sellers are very scrupulous about describing the equipment, providing lots of pictures and as much information as they know about the item. At the other end are sellers who use a stock photograph and product description, perhaps with some words like “Couldn’t power on – didn’t test.”

Any buyer who purchases items in this category is hoping to find a bargain by ending up with a piece of working equipment after performing minimal repairs. [There are probably people who buy this material for other purposes, such as scrap metal recovery, components for artwork, and so on, but I’ll leave those out of this discussion.] As such, you (as the seller) want to provide as much information as possible to potential buyers so you both end up with a good experience.

There are quite a few categories of “untested / not working”, and I’ll go through these from best to worst:

  • Unable to test / Not tested – this means that the seller lacks the ability to test the item, either because it is a sub-component of a larger device the seller does not have, lack of necessary cabling to connect it, or due to it requiring specialized test / calibration equipment. Items in this category are truly untested and may or may not work. This category should NOT be used for items that the seller did test, but were found to be non-operational. It should also NOT be used for equipment with obvious physical defects which would make the unit not fit for use.
  • Tested to power on only – this means the seller was able to apply power to the unit and it did something. Perhaps the seller lacked cabling or test equipment to perform further tests. Any observed behavior (patterns and colors of indicator lights, fans turning / not turning, unusual beeps or other noises, etc.) should be described in detail. As with the category above, it should not be used for items that were found to be defective or that have obvious physical defects.
  • Tested, found defective – this means that the seller was able to perform further testing and determined that there was indeed a problem with the unit. The seller should clearly state the nature of the defect (to whatever extent they investigated), such as “no console output”, “Status light solid red”, “displays fatal error message”, and so forth. Again, any physical defects would bump this to a lower category.
  • Tested, found defective, investigated in depth – in this category, the seller has somewhat more knowledge of the device and has done further investigation. There might be concealed damage or the seller might have disassembled the unit to investigate further. Essential components may have been found to be missing. Any results of the investigation should be included in the listing, and the seller should return the unit to the condition as found (re-installing all components, including case screws, etc.) or note in the listing why this was not done.
  • Physical damage, repairable – the device has some sort of physical damage which renders it partially or completely unusable, such as damaged connectors, bent or broken components, etc. The damage should be described as completely as possible, preferably with good quality photographs of the damaged areas. Buyers should evaluate the usability of the device without using the damaged areas or their ability to repair the damage. Note that modern electronic equipment often uses surface-mount components on multi-layer circuit boards, meaning that the skills and equipment needed to perform the repairs are beyond the reach of most users.
  • Physical damage, non-repairable – the device has obvious physical damage which would prevent it from being repaired or being usable as a complete unit. Sometimes it may be possible to salvage components from the device (power supplies, faceplate, memory, etc.). The damage should be described as completely as possible, preferably with good quality photographs of the damaged and un-damaged components.

Now, I’d like to provide a few examples of actual listings that I’ve purchased, and what I’ve found. I am not naming any sellers here, since it is possible that they received the item from somewhere “up the food chain” and did not investigate it completely.

  1. Catalyst WS-C4948-10GE switch – Listing simply said “Being sold AS IS for Parts or Not working. Power on but no console. No return, No refunds. AS IS!!!”. The listing also included pictures of the device, including one which showed the status LED being red.

    When I received this unit, the first thing I did was open it up to make sure there were no loose parts inside. During this inspection I discovered that 12 of the 14 screws that hold the cover on were missing and that the memory backup battery had been ripped off the main board (and was nowhere to be found inside the chassis). I also found that all of the screws holding the main board to the chassis were loose (but at least they were all present). Based on this, I determined that someone had been inside the unit already and had diagnosed it at least as far as removing the main board.

    I contacted the seller and they said they received it that way from the company that was using it, and the company ripped the battery off to erase the config because they were “security conscious”.

    Soldering in a new battery was not sufficient to get the switch working. I suspected the problem might be due to defective memory components soldered onto the main board, as described in this Cisco Field Notice. I ordered a tray of memory chips from a specialist in obsolete components (they are long-discontinued DDR333 parts) and replaced the two chips on the underside of the board. Since the ones on the bottom were made by Micron and the 3 on the top were from Samsung, I guessed (correctly, as it turned out) that the fault was in the Micron ones.

    After reinstalling the main board in the chassis and powering the switch up, I was greeted with the normal startup messages on the console*. After enabling priv mode in ROMMON, I tested the memory for an hour or so and it passed without errors. I then updated the ROMMON and IOS to the latest versions and gave the switch a 72-hour burn-in test, which it passed. Not bad for $255 plus another $10 in replacement memory chips and an hour or so’s work.

    * To my amusement, it appears that the battery on this switch is only used to maintain the date/time, not power the configuration memory. When the switch booted up after I repaired it, it put up a full-page banner with dire warnings about accessing the network without authorization, part of the saved config file that it had retained the whole while.

  2. More items to be added as I purchase them.

IPv4Scan.com – scan or scam?

One of my occasional consulting customers called me in a panic because all of their HP printers printed out the same page at the same time:

GET http://ipv4scan.com/hello/check.txt HTTP/1.1
Host: ipv4scan.com
Accept-Encoding: gzip, deflate, compress
Accept: */*
User-Agent: IPv4Scan (+http://ipv4scan.com)

Now, I have nothing against most network measurement bots. Most are useful, and the rest are usually well-intentioned, even if they are counterproductive. The one thing these have in common is that they have a page that tells you what they’re doing, why they’re doing it, and who to contact if you have further questions.

The http://IPv4Scan.com page does none of those:

Screen capture

There is no contact information provided on the page, there is no statement of how the data is being used (other than that it is “not for sale, rental or release”). The web page source does not contain any useful contact information, either. So they’re collecting this data for their own, unspecified, purposes.

Ok, maybe it is legit, just with a spectacularly bad public relations campaign. Let’s look and see who is behind this:

(0:115) host:~terry# jwhois ipv4scan.com
[whois.internet.bs]
Domain Name: IPV4SCAN.COM
Registry Domain ID: 1824307886_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.internet.bs
Registrar URL: http://www.internetbs.net
Updated Date: 2013-08-30T10:37:11Z
Creation Date: 2013-08-30T10:21:44Z
Registrar Registration Expiration Date: 2014-08-30T10:21:44Z
Registrar: Internet.bs Corp.
Registrar IANA ID: 814
Registrar Abuse Contact Email: abuse@internet.bs
Registrar Abuse Contact Phone:
Reseller:
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Fundacion Private Whois
Registrant Street: Attn: ipv4scan.com, Aptds. 0850-00056
Registrant City: Panama
Registrant State/Province:
Registrant Postal Code: Zona 15
Registrant Country: PA
Registrant Phone: +507.65967959
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: 5230a6158jiing35@5225b4d0pi3627q9.privatewhois.net
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Fundacion Private Whois
Admin Street: Attn: ipv4scan.com, Aptds. 0850-00056
Admin City: Panama
Admin State/Province:
Admin Postal Code: Zona 15
Admin Country: PA
Admin Phone: +507.65967959
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: 5230a6157t3qutyb@5225b4d0pi3627q9.privatewhois.net
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: Fundacion Private Whois
Tech Street: Attn: ipv4scan.com, Aptds. 0850-00056
Tech City: Panama
Tech State/Province:
Tech Postal Code: Zona 15
Tech Country: PA
Tech Phone: +507.65967959
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: 5230a615n285uy95@5225b4d0pi3627q9.privatewhois.net
Name Server: ns-canada.topdns.com
Name Server: ns-usa.topdns.com
Name Server: ns-uk.topdns.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2014-04-29T05:00:41Z <<<

Ok, so they're hiding behind a privacy service, but seem to be located in Panama. Let's see if the IP address they're using matches:

(0:116) host:~terry# host ipv4scan.com
ipv4scan.com has address 93.174.93.51
ipv4scan.com mail is handled by 5 smtp09.topdns.com.
ipv4scan.com mail is handled by 5 smtp01.topdns.com.
(0:117) host:~terry# jwhois 93.174.93.51
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '93.174.93.0 - 93.174.93.255'

% Abuse contact for '93.174.93.0 - 93.174.93.255' is 'admin@ecatel.net'

inetnum: 93.174.93.0 - 93.174.93.255
netname: NL-ECATEL
descr: ECATEL LTD
descr: Dedicated servers
descr: http://www.ecatel.net/
country: NL
admin-c: EL25-RIPE
tech-c: EL25-RIPE
status: ASSIGNED PA
mnt-by: ECATEL-MNT
mnt-lower: ECATEL-MNT
mnt-routes: ECATEL-MNT
source: RIPE # Filtered

role: Ecatel LTD
address: P.O.Box 19533
address: 2521 CA The Hague
address: Netherlands
abuse-mailbox: abuse@ecatel.info
remarks: ----------------------------------------------------
remarks: ECATEL LTD
remarks: Dedicated and Co-location hosting services
remarks: ----------------------------------------------------
remarks: for abuse complaints : abuse@ecatel.info
remarks: for any other questions : info@ecatel.info
remarks: ----------------------------------------------------
admin-c: EL25-RIPE
tech-c: EL25-RIPE
nic-hdl: EL25-RIPE
mnt-by: ECATEL-MNT
source: RIPE # Filtered

% Information related to '93.174.88.0/21AS29073'

route: 93.174.88.0/21
descr: AS29073, Route object
origin: AS29073
mnt-by: ECATEL-MNT
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.72 (DBC-WHOIS3)

So, they're using an IP address allocated to Ecatel in the Netherlands. Not exactly close to Panama, is it? Let's see if that address is actually in the Netherlands:

(0:118) host:~terry# traceroute ipv4scan.com
traceroute to ipv4scan.com (93.174.93.51), 64 hops max, 52 byte packets
[snip]
8 be2094.ccr21.bos01.atlas.cogentco.com (154.54.30.14) 20.530 ms
be2097.ccr22.bos01.atlas.cogentco.com (154.54.30.118) 19.664 ms
be2095.ccr21.bos01.atlas.cogentco.com (154.54.30.38) 20.657 ms
9 be2387.ccr22.lpl01.atlas.cogentco.com (154.54.44.166) 85.582 ms 85.667 ms
be2386.ccr21.lpl01.atlas.cogentco.com (154.54.44.162) 85.388 ms
10 be2183.ccr42.ams03.atlas.cogentco.com (154.54.58.70) 95.882 ms
be2182.ccr41.ams03.atlas.cogentco.com (154.54.77.245) 95.035 ms
be2183.ccr42.ams03.atlas.cogentco.com (154.54.58.70) 97.517 ms
11 be2311.ccr21.ams04.atlas.cogentco.com (154.54.74.90) 130.510 ms
be2312.ccr21.ams04.atlas.cogentco.com (154.54.74.94) 94.574 ms
be2311.ccr21.ams04.atlas.cogentco.com (154.54.74.90) 101.849 ms
12 149.11.38.179 (149.11.38.179) 101.548 ms 118.302 ms 102.141 ms
13 server.anonymous-hosting-service.com (93.174.93.51) 98.234 ms 97.335 ms 96.958 ms

Ok, the server is in Amsterdam, Netherlands. But hiding behind anonymous-hosting-service.com seems suspicious. Let's see where they are:

(0:119) host:~terry# jwhois anonymous-hosting-service.com
[Querying whois.verisign-grs.com]
[Redirected to whois.onlinenic.com]
[Querying whois.onlinenic.com]
[whois.onlinenic.com]

Domain Name: anonymous-hosting-service.com
Registry Domain ID:
Registrar WHOIS Server: whois.onlinenic.com
Registrar URL: http://www.onlinenic.com
Updated Date: 2014-04-06 03:14:38
Creation Date: 2009-09-08
Registrar Registration Expiration Date: 2015-09-08
Registrar: Onlinenic Inc
Registrar IANA ID: 82
Registrar Abuse Contact Email: onlinenic-enduser@onlinenic.com
Registrar Abuse Contact Phone: +1.5107698492
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Laura Yun
Registrant Organization: Vindo International Ltd.
Registrant Street: Oliaji TradeCenter - 1st floor
Registrant City: Victoria
Registrant State/Province: Mahe
Registrant Postal Code: 5567
Registrant Country: SC
Registrant Phone: +248.6629012
Registrant Phone Ext:
Registrant Fax: +248.24822575500
Registrant Fax Ext:
Registrant Email: anonymous.client@vindohosting.com
Registry Admin ID:
Admin Name: Laura Yun
Admin Organization: Vindo International Ltd.
Admin Street: Oliaji TradeCenter - 1st floor
Admin City: Victoria
Admin State/Province: Mahe
Admin Postal Code: 5567
Admin Country: SC
Admin Phone: +248.6629012
Admin Phone Ext:
Admin Fax: +248.24822575500
Admin Fax Ext:
Admin Email: anonymous.client@vindohosting.com
Registry Tech ID:
Tech Name: Laura Yun
Tech Organization: Vindo International Ltd.
Tech Street: Oliaji TradeCenter - 1st floor
Tech City: Victoria
Tech State/Province: Mahe
Tech Postal Code: 5567
Tech Country: SC
Tech Phone: +248.6629012
Tech Phone Ext:
Tech Fax: +248.24822575500
Tech Fax Ext:
Tech Email: anonymous.client@vindohosting.com
Name Server: ns1.anonymous-hosting-service.com
Name Server: ns2.anonymous-hosting-service.com
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2014-04-06 03:14:38 <<<

Well, this is definitely fishy. No legitimate survey would be hiding behind so many levels of indirection.

I used the site's form to "opt out" 0.0.0.0/1 with an email address requesting they contact me about their project. I've also sent email to the abuse contacts shown above, pointing them to this blog entry, in the hope that they can get some sort of explanation from their customer.

In the meantime, you may want to fine-tune your firewall rules to prevent this type of probe. That would (at a minimum) include blocking all outside connection attempts on ports 80 (http) and 443 (https) to anything on your network that is not intended to be a public web server. I cannot recommend using their opt-out form as there is no indication of what they do with the information. For all I know, it has the same effect as sending "unsubscribe" in response to a spam email - it just targets you for more spam.
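Besides the firewall rule, it helps to be able to spot this kind of probe after the fact in whatever HTTP logs you do keep. The following is an added example, not code from the original post: it parses Apache "vhost_combined" style log lines, normalizes the absolute-form request target the scanner used (“GET http://ipv4scan.com/hello/check.txt”), and flags requests by the User-Agent and path quoted above, or by an outside address hitting a host that is not on your list of public web servers. The internal network ranges, the public server list, the host names and the timestamps are assumptions constructed for the example; 93.174.93.51 is the scanner address from the post.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "vhost_combined" format:
#   %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators copied from the request the printers printed out.
SCANNER_UA_MARKERS = ("ipv4scan",)
PROBE_PATHS = {"/hello/check.txt"}

# Assumptions for this example: your own address space, and the only hosts
# that are meant to answer HTTP from the outside world.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_WEB_SERVERS = {"www.example.com"}


def normalize_path(target):
    """Return the path of a request target in either absolute form
    ("http://host/path", as the scanner sent) or origin form ("/path")."""
    if "://" in target:
        return urlsplit(target).path or "/"
    return target.split("?", 1)[0]


def parse_line(line):
    """Parse one vhost_combined log line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = normalize_path(entry["target"])
    return entry


def is_external(ip_text):
    """True unless the address falls inside one of INTERNAL_NETS."""
    try:
        src = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable source address: treat as outside
    return not any(src in net for net in INTERNAL_NETS)


def classify(entry):
    """Return the reasons (possibly none) this request looks like a probe."""
    reasons = []
    if any(marker in entry["ua"].lower() for marker in SCANNER_UA_MARKERS):
        reasons.append("known-scanner-ua")
    if entry["path"] in PROBE_PATHS:
        reasons.append("probe-path")
    if is_external(entry["ip"]) and entry["vhost"] not in PUBLIC_WEB_SERVERS:
        reasons.append("external-to-nonpublic-host")
    return reasons


def scan_log(lines):
    """Aggregate suspicious requests per source IP: {ip: {reason, ...}}."""
    findings = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            reasons = classify(entry)
            if reasons:
                findings[entry["ip"]].update(reasons)
    return dict(findings)


# Constructed sample log (host names and timestamps are made up).
SAMPLE_LOG = """\
printer-1.corp.internal:80 93.174.93.51 - - [29/Apr/2014:10:15:03 -0400] "GET http://ipv4scan.com/hello/check.txt HTTP/1.1" 200 23 "-" "IPv4Scan (+http://ipv4scan.com)"
www.example.com:80 198.51.100.7 - - [29/Apr/2014:10:16:41 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
www.example.com:80 203.0.113.9 - - [29/Apr/2014:10:17:00 -0400] "GET /hello/check.txt HTTP/1.1" 404 210 "-" "curl/7.30.0"
intranet.corp.internal:80 10.0.0.25 - - [29/Apr/2014:10:18:12 -0400] "GET /status HTTP/1.1" 200 80 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, reasons in sorted(scan_log(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {', '.join(sorted(reasons))}")
```

Run against the sample, the scanner address is reported with all three reasons, the curl request to the public server is reported only for the probe path, and the ordinary internal and public traffic is not reported at all.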

If I receive any information from my inquiries, I'll update this blog entry accordingly.

Does your bank care about online security? Mine (Citibank) doesn’t…

Updated March 4th, 2021 to change some long-dead links to copies at the Internet Archive
Updated July 16th, 2013 to document further idiocy – see the bottom of this post.

Today provided yet another indication that Citibank (and by extension, MasterCard) have absolutely no clue about online security, and past events have shown that they simply don’t care.

As background, I’m sure you remember all the warnings your bank / credit card company gave you about never giving out information to unknown entities, to always make sure that the name of the bank / credit card company is in the URL, and so forth. It sure would be nice if they’d take their own advice…

Today’s experience was triggered by an order on newegg.com. After clicking on the “confirm order” button, I was told that I might be redirected to my bank’s web site to confirm the order. So far so good – I’ve had experiences in the past where every single Newegg order caused my card to be flagged for fraud. But then I was greeted with a web page claiming to be “MasterCard SecureCode”, but with a URL showing “securesuite.net”, which demanded a bunch of sensitive info, including the last 4 digits of my SSN and my billing Zip Code. What the heck? Looks like an obvious phishing site. I let the page sit there while I contacted Citibank MasterCard. The agent said that it was obviously a fake and that I should never enter any info into an online form like that (a statement I strongly agree with). I clicked the “cancel” button and figured that I’d just place my order somewhere else. However, Newegg told me my order had been placed successfully and subsequently sent me an email letting me know that my credit card had been charged.

I then decided to investigate what this “securesuite.net” site was. There aren’t many useful search engine hits, but there is history going back at least seven years, all of which points out the confusing nature of that site. For example:

For an actual scholarly paper about this problem, I suggest reading “Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication“.

If you browse to https://www.securesuite.net, you get (as of this writing) a blank page – it doesn’t even return any HTML headers. If by some chance you happen to find https://www.securesuite.net/csi/docs/contact_support.jsp, you’ll find a singularly uninformative page which contains such gems as “Call us at your Financial Institution’s support phone.” To be fair, that may just be a generic template page not intended to be shown to users.

The main point is that after telling us to never trust unknown web sites, the banks and credit card companies are sending people to just those sorts of sites. Talk about mixed messages!

Compounding this, if you do get a call from the Citibank Fraud Department, it will show up as “Unavailable” or “Private” in Caller ID. While it’s true that Caller ID is easily faked, I’d be more inclined to answer the phone if it didn’t look like a random telemarketing call. For added security, that automated call could simply say “This is a fraud warning about your Citi MasterCard ending in 1234. Please call the number on the back of your card immediately.”

This is not a new problem – I’ve been reporting Citibank’s own email to their anti-phishing department because my mail server (correctly) flags it as fraudulent due to forged headers. In particular, they like to send out email with the subject “Important information regarding your statement”. It is actually just a canned solicitation to switch to online billing, not “Important information”. But Citibank doesn’t send it themselves – instead, they use companies called bigfootinteractive.com and epsiloninteractive.com. As I said in my unacknowledged complaints to Citibank, “Imagine you got an email claiming to be from the IRS entitled “Important information about your tax return”, where the email was sent from a Yahoo account through a GMail account to you. Wouldn’t you be suspicious? You’re doing the exact same thing with the mail you send out.”

These companies should require the use of their own domains and SSL certificates rather than apparently-unassociated third parties, or at least correct information when users call them and ask if the third-party site is legitimate.

It’s a sad day when I have to admit that PayPal does a much better job with this sort of thing than Citibank does.

This total disregard for security isn’t just in their online communications, either. Citibank started sending me unsolicited “balance transfer” checks in the mail again, despite my having gotten them to stop some years ago. I had to call yet again and have my account flagged to not receive them. I said to the phone rep “Who in this day and age thinks sending blank checks in the mail is a good idea?” and she agreed with me. She apparently gets lots of calls about this.

Update as of July 16th:

As I wrote yesterday, I canceled the “MasterCard SecureCode” window and Newegg apparently processed my order, notifying me that they’d received the order and later that it had been successfully charged to my credit card. That’s where things were at the time I wrote the above post.

Last night I received email from Newegg telling me that my order had shipped and tracking information was available, and that I could expect to receive the order on the 17th. That’s excellent service, considering that I had used the “free 4-5 day shipping” option. I figured everything was all set. Little did I know…

Today at 6:37 PM (note that this is at least 12 hours after my Newegg order shipped – talk about “locking the barn door…”) I get the usual “Unavailable” Caller ID phone call from the Citibank Fraud “Early” Warning Department, telling me that my card has been frozen and asking me to confirm that my Newegg purchase was legitimate (oddly, they had no problem with my Amazon purchase later that same day). I told the agent it was, and explained that I’d received the phony-looking SecureCode page and after contacting the same department she was calling me from, who told me it was bogus and to never provide information on that sort of suspicious page, I clicked “cancel”.

The agent proceeded to tell me how important the SecureCode was. She was unable or unwilling (perhaps due to the “script” they’re required to work from) to understand that her department was the one who told me to never provide that information. We went around in circles for about 10 minutes as I tried to get her to understand that, and also to get the point across that they are the ones who say to never provide information to an untrusted 3rd party.

It’s easy enough to dismiss this as “somebody else’s problem”, but the banks, card companies and merchants are covering the losses they incur due to their own stupidity by charging everybody a little more. So it’s everybody’s problem – I just wish the bank could see that it is a problem entirely of their own making.

President Obama, you make me ashamed to be an American…

As my long-time readers know, I don’t make my views on politics, religion, etc. known. That’s because I’ve seen too many message boards (and friendships) torn apart by disagreements between people with different points of view. However, recent events compel me to speak up. As long as the comments remain civil, I’ll leave comments enabled on this post. If things get out of control, I may lock this post temporarily or permanently, or delete the whole thing. With that out of the way…

“They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” – Benjamin Franklin

I’m stunned by the revelation that the NSA is continuing to monitor all phone calls, collecting and storing for an indefinite length of time the phone numbers of both parties, the locations of both parties, and the starting time and length of each phone call. [Reference].

Even more troubling is President Obama’s statement that “In the abstract, you can complain about Big Brother or how this is a potential program run amok, but when you actually look at the details, then I think we’ve struck the right balance.” [Reference]

Apparently Congress was informed of this and yet not a single member appears to have raised any objection.

On the heels of that revelation, further information was published showing that a different data collection operation is in progress, sending everything from email to photos to VoIP phone calls, etc. to the NSA. [Reference]

Next, it was revealed that the NSA is also receiving details of credit card transactions. [Reference]

President Obama, I voted for you (twice!) because you campaigned on a platform saying you were different from President Bush and would repeal the “surveillance state” legislation passed as a knee-jerk reaction to 9/11. Not to mention your promise to “Close Guantanamo Bay”. Instead, this is what we get? You make me ashamed to be an American.

“People should not be afraid of their governments. Governments should be afraid of their people.” – V, “V for Vendetta”