NSFW Corporation – a review


So finally I managed to get into the NSFW Corporation beta – after some back-and-forth involving a mysterious bug that caused my email not to make it into the beta on time. I have one word to start off this review: awesome.

It’s hard to describe what it is – my best description, aside from the official line of being “a news-weekly that’s published daily”, is that it’s a mix of witty articles on a variety of topics, complemented with an audio podcast (Lord, do I hate that word – if you have a better one, let me know, Paul!). NSFW is Paul Carr’s brainchild, founded after a string of startup failures and literary successes, and is showing promise. The first literary success is ironically based on the string of startup failures, but I digress.

Two articles from the pilot issue are titled This is Why They Hate Us: The Meat Monster, a funny take on why the rest of the world hates the United States and 10k-kcalorie burgers, and Best Practices For: The New Secret Service, which includes tips such as “An agent should now wrestle his partner to the ground at the first hint of an erection”. It is hilarious and entertaining reading, with a touch of political incorrectness that I witnessed only in UK media while I was living there, plus the right dose of swearing. It’s not called NSFW for nothing.

NSFW Live is the audio part of the site, with Paul and Josh Ellis, a contributor with a deep, movie-trailer voice, which reminds me of Beau Weaver (check out his free In A World ringtone). Josh makes the intro, and the back-and-forth with the guest begins. In the first episode, Patrick Sauer is invited to opine on whether Ron Paul masturbates to ‘Atlas Shrugged’. A touchy subject if there is one (no pun intended… sort of). The clips last for around 30 minutes, and are highly entertaining.

Once it becomes live to the general public, a yearly subscription will cost $26, which is very good value for money. Right now, content is optimized for the iPad, but you can still read it in a desktop browser such as Safari or Chrome – Firefox was quirky at times, with random Javascript events being triggered for no apparent reason. Maybe it’s Firebug, but I didn’t investigate further.

Grumpy old git – things that could improve

As I’m an anal-retentive asshole when it comes to user interfaces and usability, I have a few constructive criticisms to make. First, on being iPad-optimized, and the very first thing you see when you arrive at nsfwcorp.com – the login form.

Before digging in, one curiosity for those technically-minded: there is almost no “normal” HTML in the site’s source. Each page is a collection of Javascript includes, which generate content dynamically. This has one advantage in being able to adapt to user browser & device specifics without much server-side heavy lifting, for example, by making use of jQuery’s deviceAgent.match (in this case, to send iPhone users to comingsoon.html – bastards!).

So without further ado, here is the Javascript-generated login form:

Nothing really much to it – however, this is the HTML source for the two fields:

<input name="username" id="loginUsername" placeholder="Email" type="text">
<input name="password" id="loginPassword" placeholder="Password" type="password">

So by now you must be thinking “yeah, you really are an anal-retentive asshole, what about those?!”. Simply put, they are not iPad – or more exactly, iOS – optimized. One of the neat things Mobile Safari gives web developers is extra form field tags, which make the device aware of the type of input being sought, so it can adapt the keypad accordingly. This is how the login form looks on an iPad, once you tap on the ‘Email’ field (click for large version):

There are two issues here: first, we capitalize the first letter of the user’s email address, which is not really A Bad Thing™, but doesn’t look pretty. The second, and most important, is regarding usability. By using type="email" instead of type="text" in the form field, the user gets to see this:

which is how iOS optimizes itself for email address entry. Depending on your particular concoction of underscores and dashes, this can save you some time. The whole list of supported form types can be found here.

My second irk is the amount of screen space the header graphic takes once you get in:

Of course, you can scroll down right away and see the various articles, but having the titles of the first two cut off doesn’t look that good.

The third issue has to do with scroll position between page transitions. If you scroll down, say about half-way down, and want to read Who’s The Leader Of The Club That’s Made For You And Me (if you’ve seen Full Metal Jacket, the answer is of course Mickey Mouse):

you are dropped just below mid-page into the article, thus:

instead of here:

If you’ve read the article, the answer is, of course, Walt Disney’s head filled with blue water, a sort of eerie Magic 8 Ball.

The final issue has more to do with strategy and people’s spelling abilities – or lack thereof. Allow me to explain: how many of you have typed nswfcorp.com in your browser and landed on a “server could not be found” page? OMG! Someone has already registered that one by the time I’m typing this. I hope it’s not a spammer trying to take advantage of those who cannot spell or type that well, à la the holders of .cm domains. Or a pissed-off ex-girlfriend of Paul’s who redirects the domain to goatse or meatspin or worse.

Worry not, as I was typing this, I thought I’d do Paul a favor (OK, maybe he doesn’t give a shit, so maybe not) and register the domain, which I’ll transfer to him for free. When I started Whisher, it didn’t occur to me that a competitor could buy wisher.com (the correct spelling) and redirect it to his own site – a point our first VC painfully reminded me of, and which cost us $30k and convincing the Wisher sisters, owners & operators of a real estate agency in the US, and owners of the domain.

In all, nothing extremely hard to fix – I’m really looking forward to the next issue!

Getting your Facebook App logo icons right

This is a short post distilled from hours of frustration at the mangling of App logos by Facebook. Basically, if you want this:

instead of this:

make sure you flatten your image in Photoshop, and save as a 75×75 pixel GIF, with the dithering applied in “Save for web…”. Otherwise, Facebook will take your nice, transparent PNG and convert it to GIF with whatever dithering they choose, with results usually quite crappy. Feed the right GIF, and no conversion is required nor performed.

Installing Ubuntu on a Soekris net6501

After frustration with FreeBSD’s ports system on a slow box such as the net6501 (it took literally 7 hours and endless “continue” buttons to get subversion installed), I decided to try and install Ubuntu. No clear instructions can be found on the net as to how to do it over a serial terminal, the only option available with the Soekris, so after some mix & match of various hints and pointers, I managed to do it. Here is how.

1. My setup

My particular net6501 is the mid-range version, with a 1GHz processor, 1Gb of RAM, and an internal Transcend 16GB flash drive. I also got the case & power supply, of course.

2. Get the Ubuntu Server ISO

Easy, just grab it here (32-bit version).

3. Create a bootable USB drive

You will need at least a 1GB flash drive, 2GB is recommended. I use Sandisk or other well-known brands, less likely to give headaches. The easiest way to create the bootable USB drive is to use Ubuntu’s own Startup Disk Creator, found under System in your standard Ubuntu desktop distribution. I use Macs so I run mine inside Parallels, with no issues at all.

4. Edit the boot menu configuration

You need to find a file named txt.cfg in your bootable USB drive and open it in a text editor. You will find a line that reads:

kernel /install/vmlinuz

The line after that begins with append – it needs to end up like this:

append console=ttyS0,19200n8 file=/cdrom/preseed/ubuntu-server.seed initrd=/install/initrd.gz

You need 19200 as that is the default speed on the Soekris serial port.

5. Connect a serial cable to the Soekris

A null-modem cable is needed. I use a male/female DB9 adapter and a normal serial cable.

6. Open a serial terminal

The terminal needs to support VT100 emulation. Unfortunately all terminal apps for Mac that support this are payware and suck. I ended up using Hyperterminal in a Windows XP Parallels VM. It was rock solid throughout the procedure.

Set the terminal to 19200/8/N/1, no flow control, VT100 emulation.

7. Connect the bootable USB to the Soekris

The external USB port next to the DB9 will do fine.

8. Boot up the Soekris

Once you see the 5…4…3… countdown, hit Control+P, and then type

boot 81

and hit Enter. Check that 81 is your USB drive; it should appear at the start of the boot log in the terminal. Adjust as required. You should now see a boot: prompt; type “install” and hit Enter – an Ubuntu text-based install should follow. Continue with the normal setup procedure after this.

That’s all folks – the toughest part was finding the right terminal settings for the boot menu. If you get errors related to unknown video modes, you have not edited the right file, or have done so incorrectly. Enjoy!
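The step-4 edit, scripted so the result can be checked before the USB drive is unplugged. This is an added example, not the post’s own code: the sample txt.cfg is constructed (the real file’s options differ between Ubuntu releases), and where the file sits on your mounted drive is an assumption you supply on the command line. The script puts console=ttyS0,19200n8 first on every append line that follows kernel /install/vmlinuz, drops any vga= mode (the source of the unknown-video-mode prompt) and the quiet flag (which would hide the kernel’s boot messages from the serial console), and keeps everything else; its output differs from the post’s hand-edited line only in keeping the trailing -- separator.

```python
import pathlib
import re
import sys

# Constructed sample of a stock Ubuntu Server txt.cfg (layout as in step 4 of the
# post; the exact options differ between releases).
SAMPLE_TXT_CFG = """\
default install
label install
  menu label ^Install Ubuntu Server
  kernel /install/vmlinuz
  append  file=/cdrom/preseed/ubuntu-server.seed vga=788 initrd=/install/initrd.gz quiet --
label check
  menu label ^Check disc for defects
  kernel /install/vmlinuz
  append  vga=788 initrd=/install/initrd.gz integrity-check quiet --
"""


def serial_console_append(cfg_text, tty="ttyS0", speed=19200):
    """Rewrite every `append` line that follows `kernel /install/vmlinuz` so the
    installer kernel talks to the serial console: console=<tty>,<speed>n8 goes first,
    any existing console= option, any vga= mode (the cause of the unknown-video-mode
    prompt) and `quiet` (which hides kernel messages) are dropped, the rest is kept."""
    out, prev_was_kernel = [], False
    for line in cfg_text.splitlines():
        words = line.split()
        if prev_was_kernel and words[:1] == ["append"]:
            indent = line[: len(line) - len(line.lstrip())]
            kept = [w for w in words[1:]
                    if not w.startswith(("console=", "vga=")) and w != "quiet"]
            line = f"{indent}append " + " ".join([f"console={tty},{speed}n8", *kept])
        prev_was_kernel = words[:2] == ["kernel", "/install/vmlinuz"]
        out.append(line)
    return "\n".join(out) + "\n"


def console_settings(cfg_text):
    """(tty, speed) for every console= option present: a pre-flight check that the
    speed matches the 19200 baud the Soekris serial port defaults to."""
    return [(m.group(1), int(m.group(2)))
            for m in re.finditer(r"console=(\w+),(\d+)", cfg_text)]


if __name__ == "__main__":
    # The path is an assumption: give the txt.cfg from the mounted USB drive, or run
    # with no argument to see the effect on the constructed sample.
    if len(sys.argv) > 1:
        path = pathlib.Path(sys.argv[1])
        fixed = serial_console_append(path.read_text())
        path.write_text(fixed)
    else:
        fixed = serial_console_append(SAMPLE_TXT_CFG)
    print(fixed)
    print("console options found:", console_settings(fixed))
```

Running it twice over the same file is harmless: an already-correct append line is rewritten to itself.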

For the record, apt-get installed subversion on the same box in 30 seconds flat. FreeBSD needs to fix its package management system. Vim on FreeBSD requires over 500 individual file downloads with over 500 fixes/patches to the base version – ridiculous!


Dropbox TOS change is worrying, but so are everyone else’s TOS

This is a quick post – let’s compare Dropbox’s new TOS lines about the license you give them when you upload “stuff” to the service:

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services.

with Box.net’s same lines about the same license you give them:

By registering to use the Services, you understand and acknowledge that Box.net and its contractors retain an irrevocable, royalty-free, worldwide license to use, copy, and publicly display such content for the sole purpose of providing to you the Services for which you have registered. In the event that you give Box.net the right to distribute your content, additional terms may apply to Box.net’s usage or distribution of this content. You continue to retain all ownership rights in any User Content you provide and shall remain solely responsible for your conduct, your User Content, and any material or information transmitted to other Users for interaction with other Users. Box.net does not claim any ownership rights in any User Content.

Box.net is asking for a license to use, copy and publicly display your content, whereas Dropbox goes much further, asking for rights to distribute (which is not the same as copy), prepare derivative works, and perform (e.g. play in a concert!?). The wording “for the sole purpose of providing to you the Services” in Box.net’s TOS is key, however, as it clearly states that this license is used for the sole purpose of providing the service you ask for. Dropbox, in turn, says “to the extent reasonably necessary for the Service”, which is extremely vague.

You said everyone else

Indeed, let’s take a look at Amazon S3’s TOS, where clause 8.2 states:

Your Submissions will be governed by the terms of the Apache Software License, unless you specify one of our other supported licenses at the time you submit Your Submission.

Does this mean your uploaded content becomes open source somehow? I’m not entirely sure how to read this one, maybe a lawyer could chip in.

Finally, a snippet from one other large cloud storage provider, Apple, and its MobileMe/iDisk TOS:

Except for material we may license to you, Apple does not claim ownership of the materials and/or Content you submit or make available on the Service. However, by submitting or posting such Content on areas of the Service that are accessible by the public, you grant Apple a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify, adapt, publish, translate, publicly perform and publicly display such Content on the Service solely for the purpose for which such Content was submitted or made available. Said license will terminate within a commercially reasonable time after you or Apple remove such Content from the public area. By submitting or posting such Content on areas of the Service that are accessible by the public, you are representing that you are the owner of such material and/or have authorization to distribute it.

This one is probably the one I’d be most comfortable with, as it specifically mentions that the license applies only to content placed in areas accessible to the public, such as your “Public” folder, and that the license is solely for the purpose for which the content was uploaded, e.g. sharing it with the rest of the world.

To be honest, this smells of a lawsuit gone bad resulting in bulletproofing a service, maybe someone noticed his files were being served from servers in another country and sued the storage provider on non-permission to copy/distribute grounds. Then, every other lawyer copied the TOS to match. Remember that case with a woman spilling hot coffee on her lap, resulting in all take-away coffee cups showing large “this stuff is hot” labels? Yeah, exactly. There are some great posts on this topic on J. Daniel Sawyer’s blog, and on UtestMe here.

Apple to buy Twitter


I’m going to keep this short and simple. Apple is going to buy Twitter – here’s why:

1. There have been very few cases of such a deep level of integration into iOS with a service provided by a company many orders of magnitude smaller than Apple.
2. When such integration has taken place, but Apple didn’t acquire the company, it eventually replaced its service. Example: Skyhook & Google Wi-Fi based geolocation, now replaced with Apple’s own database.
3. Apple needs a secure way to counter-balance Facebook (thanks @om for that one!). If Twitter remains an acquisition target much longer, Facebook or Google could reel it in.

    Now I just wonder if @jack will want twtrr.com back… (yeah, out of a freak coincidence, I own that one!).

    Wireless performance and hot air


    This post is triggered by a Twitter exchange started last night with Glenn Fleishman on the subject of how heat affects wireless communications. His initial tweet was:

    I’m not getting the love. How does high temperature prevent Wi-Fi signal propagation?

    followed by others,

    Ok, the stupid “temperature affects Wi-Fi” story? I read the report. The report is talking about all tower-based wireless comm (1/2)

    and it says that heat could affect transmission distance (implies this), but also that heat might damage towers/backhaul (2/2)

    It referenced an article on The Telegraph which quotes Caroline Spelman, UK’s Environment Secretary, saying:

    The signal from wi-fi cannot travel as far when temperatures increase. Heavy downfalls of rain also affect the ability of the device to capture a signal.

    The first statement is misleading and even FUD-like, while the second is true – I have personally witnessed a statewide TETRA network go down (over 200 base stations) when a heavy thunderstorm sat on top of the SwMI, with rain curtains killing all outbound wireless links (hint: star topologies with a central switching node are a no-no).

    Quoting the report itself (click for larger version), four things are notable:

    The first being:

    Location/density of wireless masts may become sub-optimal as wireless transmission is dependent on temperature.

    Cellular service and hot air

    The phrase above, in my view, implies wireless services that rely on frequency re-use as part of their inherent design, such as cellular telephony and TETRA, for example. These networks are called cellular for a reason, as they are designed in individual cells with shape and coverage made to fit into a puzzle. A graphic explains this much better:

    Here, we are using four frequencies to serve a total of eight cells. As can be seen, no neighboring cells use the same frequency, so the spectrum usage efficiency is doubled in this particular case. In designing cellular networks, one can increase the density of cells by decreasing their coverage, and thus increasing the capacity of the network. In a city it’s common to find cells covering 300m, whereas in rural areas I’ve been registered on cells as far as 27km away.

    The coverage of each cell is configured by careful handling of parameters such as power output and sectorization using panel antennas. The following graphic illustrates how sectorization and power management helps shape a cell’s coverage (source: University of Washington in St. Louis)

    With all this in mind, how could heat possibly affect the arrangement of cells in a way to make their location and density “sub-optimal”? Take a look at this:

    The heat output from the chimney is causing visible light to refract, as the density of air above it changes with temperature. This is an extreme example, but illustrates the idea of the report’s claims. Visible light falls on the high end of the radio spectrum, so if it can be affected by air density, so can lower frequency wireless signals. To make a point clear,

    Heat doesn’t affect electromagnetic radiation (wireless signals), density does.

    A very interesting observation can be found in Rob Flickenger’s Wireless Hacks, published by O’Reilly:

    This displays radio data for a one-mile link, averaged over several days. You can see that in the middle of each day, the signal drops by as much as 6 dB, while the noise remains steady … The repeating pattern we see indicates the effect of thermal fade.

    What they did was monitor the signal strength of a one-mile wireless link over several days, and noticed that during periods of higher temperature (and thus lower air density) the signal strength dropped considerably.

    Thermal fading could end up being a problem in cellular networks. First, refraction by density variations could bend a signal’s path, so that a cell’s energy lands where a distant cell uses the same frequency, causing co-channel interference even though the cell’s nominal range has not changed. Second, decreased air density due to increased temperature could open coverage ‘holes’ at the edge of cells; if these are compensated simply by increasing output power, the stronger signal could then interfere with other cells when the density changes again.
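Two points from this part of the post lend themselves to a quick numerical check: the re-use plan (no two neighbouring cells on the same frequency, eight cells on four frequencies) and the fade-then-boost trade-off just described. The following Python is an added example and not part of the post; the 8-cell adjacency, the -90 dBm wanted and -105 dBm interferer levels at the cell edge, and the 6 dB fade (the figure Wireless Hacks reports) are constructed inputs, and the C/I arithmetic assumes a symmetric two-cell geometry so that a power boost in one cell is seen one-for-one by the co-channel cell’s edge user.

```python
import math

# Constructed 8-cell plan on 4 frequencies, in the spirit of the post's graphic.
# NEIGHBOURS is symmetric: each cell lists the cells whose coverage borders its own.
NEIGHBOURS = {
    "A": {"B", "D", "E"}, "B": {"A", "C", "E", "F"}, "C": {"B", "F", "G"},
    "D": {"A", "E", "H"}, "E": {"A", "B", "D", "F", "H"}, "F": {"B", "C", "E", "G"},
    "G": {"C", "F", "H"}, "H": {"D", "E", "G"},
}
PLAN = {"A": 1, "B": 2, "C": 1, "D": 3, "E": 4, "F": 3, "G": 2, "H": 1}


def reuse_conflicts(neighbours, plan):
    """Pairs of neighbouring cells that share a frequency; an empty list means the
    plan respects the rule that no two adjacent cells use the same channel."""
    conflicts = set()
    for cell, nbrs in neighbours.items():
        for other in nbrs:
            if plan[cell] == plan[other]:
                conflicts.add(tuple(sorted((cell, other))))
    return sorted(conflicts)


def reuse_factor(neighbours, plan):
    """Cells served per distinct frequency: 8 cells on 4 frequencies gives 2.0,
    the doubling of spectrum efficiency the post describes."""
    return len(neighbours) / len(set(plan.values()))


def db_to_ratio(db):
    return 10 ** (db / 10)


def ratio_to_db(ratio):
    return 10 * math.log10(ratio)


def co_channel_ci_db(wanted_dbm, interferers_dbm):
    """Carrier-to-interference ratio at a receiver: wanted power over the sum of
    all same-frequency interferers (summed in linear units, never in dB)."""
    total_mw = sum(db_to_ratio(p) for p in interferers_dbm)
    return wanted_dbm - ratio_to_db(total_mw)


def edge_ci_scenarios(wanted_dbm, interferer_dbm, fade_db, boost_db):
    """C/I (dB) at a cell-edge user through the sequence the post describes:
    normal conditions, a thermal fade on the wanted link, the operator boosting the
    faded cell by boost_db, and finally what the co-channel cell's own edge user
    sees once the fade has passed but the boost stays (symmetric geometry assumed)."""
    return {
        "normal": wanted_dbm - interferer_dbm,
        "wanted_link_faded": (wanted_dbm - fade_db) - interferer_dbm,
        "faded_and_boosted": (wanted_dbm - fade_db + boost_db) - interferer_dbm,
        "co_channel_edge_after_fade": wanted_dbm - (interferer_dbm + boost_db),
    }


if __name__ == "__main__":
    print("conflicts in PLAN:", reuse_conflicts(NEIGHBOURS, PLAN))
    print("cells per frequency:", reuse_factor(NEIGHBOURS, PLAN))
    print("a 6 dB fade leaves", round(db_to_ratio(-6), 2), "of the received power")
    # Constructed edge levels: -90 dBm wanted signal, -105 dBm co-channel interference.
    print(edge_ci_scenarios(-90, -105, fade_db=6, boost_db=6))
```

The last scenario is the one that matters for a re-use design: boosting cell X by 6 dB restores its own edge user to the original 15 dB C/I, but once the fade passes, the edge user of the co-channel cell Y now sits at 9 dB, exactly the margin X’s user had during the fade. The fade has not gone away; it has been moved to the neighbour, which is why the post argues that a single-site system can simply turn up the power and a cellular one cannot.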

    Let’s go with the second one:

    Reduced stability of foundations and tower structures.

    Frankly, having studied materials engineering, I fail to see how an increase of even a few degrees could compromise a tower structure.

    Third:

    Increased damage to above ground transmission infrastructure.

    This ties in with the previous one, the only obvious issue being the increased ventilation requirements for wireless infrastructure. They have cellular networks in Dubai, which is way hotter than the UK will ever be…

    And finally:

    Possible reduced quality of wireless service.

    In turn, this ties with the first issue – the fading problems discussed can indeed affect the quality of cellular networks.

    However

    Your home Wi-Fi will NOT be affected by thermal fading significantly enough for you to notice. Temperature gradients inside a home are not capable of bending your Wi-Fi signal towards the neighbor and away from your laptop.

    The report, while mentioning possible issues in wireless services, fails to mention them again, and fails to provide any deeper analysis of the issues listed, or possible solutions.

    Finally, Glenn later said:

    Range, not re-use.

    The problem, in my view, is with systems that re-use frequencies. On a single-site system, you can just increase power to compensate for any losses due to density variations, and you’re done. On a cellular system, you simply cannot do that. I feel Glenn admits to this when he tweets

    @alfwatt Anyway, she said Wi-Fi, but the report is talking about cellular infrastructure.

    Cheers!

    Solving credit card data breaches with public-key cryptography

    After reading about Sony’s major clusterf… cock-up on their PSP network breach, and how up to 77 million accounts could have been stolen, including credit card data, I propose a method to cure the generic problem of storing customer payment details for recurring billing, such as subscriptions or subsequent purchases.

    Step 1. Payment gateway provides business with an individual public encryption key

    Upon setting up a payment gateway for processing credit card payments, the business, in this case, Sony, would be issued a public key – be it by the bank if they deal directly with them, or a payment gateway such as RBS.

    Step 2. Business encrypts credit card data with public key before storage

    PCI DSS specs for storing credit card data securely call for very strong access control, encryption and accountability, but this does not hold up against sloppy employees, loss of the encryption keys that protect the card data, and so on. Once you have a break-in, if you keep the keys to the safe in the office, your valuables are completely naked. With a public key, you are effectively storing the safe’s keys somewhere else. This is how the process works, schematically (click for large size):


    Step 3. User makes a purchase

    Once the user decides to make a purchase, or has to be billed for the month’s service, the business pulls the encrypted credit card data off its database, combines it with the purchase price and other required information, and sends it to the payment processor for authorization. The payment processor can decrypt the credit card data with its private key, and can thus process the transaction normally:


    What does all this solve?

    • Users only hand over their credit card data at the start of the relationship, and the data is never stored by the business/merchant.
    • Merchant doesn’t keep credit card data that can be recovered, even by a corrupt employee or full-blown data breach.
    • Encrypted card data cannot be used in replay attacks in other places, or by other merchants, as the public key is issued per merchant.
    • If a breach takes place, all the payment gateway needs to do is revoke the public key and destroy the private key, so the stored card data cannot be compromised.

    All this would obviously cost time and money to implement, but in my view it would be a big step forward in keeping customer credit card data secure.
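A working sketch of steps 1 to 3 and of the four properties listed, written as an added example rather than anything from the post: a Gateway that issues one key pair per merchant and keeps the private halves, a Merchant that holds only the public key and a vault of ciphertexts, and a replay of one merchant’s stored blob through another merchant’s account, which the gateway rejects. The class names, the RSA-KEM-with-MAC construction, and the test card number 4111111111111111 are assumptions of this example; the RSA is a stdlib-only toy at 512 bits so it runs anywhere, not production cryptography. One caveat the post does not spell out: the encryption has to be randomized, because card numbers have very little entropy, and a deterministic scheme would let anyone holding the merchant’s public key test guesses against a stolen ciphertext.

```python
import hashlib, hmac, json, secrets   # stdlib only; toy RSA, not production crypto

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; enough for the toy primes generated below."""
    if n < 4 or n % 2 == 0:
        return 2 <= n <= 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length and odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); 512 bits is a toy size so the example runs quickly."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _derive_keys(shared, n):
    # Hash the RSA-encapsulated random value into a cipher key and a MAC key.
    k = hashlib.sha256(shared.to_bytes((n.bit_length() + 7) // 8, "big")).digest()
    return k[:16], k[16:]

def _keystream(key, length):
    """HMAC-SHA256 in counter mode: the toy stream cipher for the card record."""
    blocks = [hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt_for_gateway(public_key, plaintext):
    """RSA-KEM + stream cipher + MAC. Randomized on purpose: card numbers have little
    entropy, so a deterministic scheme would let a public-key holder test guesses."""
    n, e = public_key
    r = secrets.randbelow(n - 2) + 2
    enc_key, mac_key = _derive_keys(r, n)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return {"kem": pow(r, e, n), "body": body.hex(), "tag": tag.hex()}

def decrypt_at_gateway(private_key, blob):
    """Inverse of encrypt_for_gateway. A blob replayed under another merchant's key
    derives the wrong keys and fails the MAC check, so it is rejected, not decrypted."""
    n, d = private_key
    enc_key, mac_key = _derive_keys(pow(blob["kem"], d, n), n)
    body = bytes.fromhex(blob["body"])
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(),
                               bytes.fromhex(blob["tag"])):
        raise ValueError("MAC check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, len(body))))

class Gateway:
    """Payment processor (hypothetical): one key pair per merchant, private halves kept here."""
    def __init__(self):
        self._private_keys = {}
    def enrol_merchant(self, merchant_id):
        public, private = generate_keypair()
        self._private_keys[merchant_id] = private
        return public
    def revoke(self, merchant_id):
        self._private_keys.pop(merchant_id, None)   # destroying d makes stored blobs unusable
    def authorize(self, merchant_id, blob, amount_cents):
        private = self._private_keys.get(merchant_id)
        if private is None:
            return {"ok": False, "reason": "no active key for merchant"}
        try:
            card = json.loads(decrypt_at_gateway(private, blob))
        except ValueError:
            return {"ok": False, "reason": "blob not encrypted under this merchant's key"}
        return {"ok": True, "pan_last4": card["pan"][-4:], "amount_cents": amount_cents}

class Merchant:
    # Holds only the public key and a vault of ciphertexts; no private key exists here.
    def __init__(self, merchant_id, gateway):
        self.merchant_id, self.gateway = merchant_id, gateway
        self.public_key, self.vault = gateway.enrol_merchant(merchant_id), {}
    def store_card(self, customer, pan, expiry):
        record = json.dumps({"pan": pan, "expiry": expiry}).encode()
        self.vault[customer] = encrypt_for_gateway(self.public_key, record)
    def bill(self, customer, amount_cents):
        return self.gateway.authorize(self.merchant_id, self.vault[customer], amount_cents)
```

Usage: create a Gateway, enrol two Merchants, store a card at one, bill it, then hand the same vault entry to the gateway under the other merchant’s id; the second call fails the MAC check and is refused. Calling revoke on the first merchant is the post’s point 4 in action: the blobs still sit in that merchant’s database, but nothing can open them any more, and the merchant has to collect card details afresh.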

    GoGrid security breach: why virtual credit cards should rule the web


    It appears that GoGrid has suffered a security breach, which has resulted in exposure of customer information, including credit card data. I have just received this from GoGrid’s CEO John Keagy via email:

    Dear Valued Customer,

    In the normal process of reviewing our system activity, our Security Team discovered that an unauthorized third party may have viewed your account information, including payment card data [my emphasis]. We immediately took action to protect our customers, including notifying federal law enforcement authorities, who have since seized the computing equipment and records of the single individual suspected of this misconduct. The criminal investigation is ongoing, and we will continue to assist the authorities in working toward a successful prosecution.

    The security and reliability of our platform is fundamental to our business, as is the trust and faith that our customers place in us. We have completed a rigorous audit conducted by a leading security firm. There were three important findings that lead us to believe the situation has been contained:

    1. The method utilized by the suspect to gain access has been identified and remediated.
    2. It appears that the suspect’s sole motive was to acquire free services from us. We have no evidence suggesting that the suspect was targeting customer infrastructure or payment cards.
    3. We have no indication that any customer information was shared with any other unauthorized parties or that there has been unauthorized use of any cardholder’s data.

    In addition, we are instituting a series of new measures designed to further enhance security. Any information that you may need in order to comply with these measures will be communicated through the user portal and the support ticketing system. As an added precaution, affected cardholders will receive a letter in the mail offering credit monitoring services at our expense.

    Client privacy, confidentiality and security are central to us. We greatly value your business and apologize for any inconvenience this causes. If you have any questions related to any of the above, please contact our Customer Service Team at [phone # redacted] or [phone # redacted] or via email at [email redacted].

    This would be rather worrisome were it not for the fact that I signed up using a virtual credit card, specifically, a MasterCard issued by my local bank, La Caixa. What is more worrisome is that during the signup process, I had to endure a series of checks and verifications so that GoGrid would accept this virtual card as a method of payment.

    Round 1

    After signing up, which requires entering your credit card details, and taking up their offer of $100 free credit towards a virtual server and storage service, I received this email:

    Dear Customer,

    Thank you for choosing GoGrid!

    Your order has been queued pending verification of your contact information.

    Please Reply to All with the following information:
    1. Business Name:
    2. Full Contact Name:
    3. Telephone Number:
    4. Billing Address:

    Once your information is verified, your order will be processed. Feel free to reply to this message if you have any questions.

    Nothing out of the ordinary, so I replied with the required details, and waited. A few hours later, I emailed to enquire about the status of the process, and received a reply as if they hadn’t received my original answer. Second copy of the questions sent, more wait time.

    Round 2.


    VeriFone, and its open letter against Square

    I’m writing this in response to VeriFone’s “open letter” regarding the security, or lack thereof, of the Square credit card reader device, as I hate seeing a good-natured startup get bashed by a competitor worried that it may catch up or even overtake its business. The whole thing has been commented on at TechCrunch and GigaOM already, and it’s making the rounds on Twitter. First, an analysis of the VeriFone statement.

    An open letter?

    Today is a wake-up call to consumers and the payments industry.

    No, the wake-up call came when the first carders started hitting the credit card industry years ago.

    In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader.

    Why would anyone waste the time to do so? There are ‘skimmers’ designed exclusively for the task of stealing credit card data, and what’s even more curious, they’re available right on eBay (more on this later).

    A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.

    A criminal doesn’t need to sign up for anything; he can just buy a purpose-built skimmer and start “working”. Skimmers are used, for example, by bartenders, in parallel to the legitimate POS tool that processes the payment. It takes a second to swipe the card through the skimmer, so any time the card is out of the owner’s sight, it is ripe for stealing. It is logically stupid to have the skimming device and the legitimate payment processing device be one and the same. Let me write that bigger, as it is an important point.

    It is universally stupid to place skimming and legitimate readers into the same device.

    As an example, one would think – why haven’t bank-issued POS devices been hacked to skim cards while performing their legitimate duty? Same would go for the Square solution – the reasons:

    1. The corrupt employee needs to dump the skimmed card data. He needs to take the device away with him, or connect it to a PC for download. It looks mighty suspicious to connect your restaurant’s POS terminal, or the iPhone given by your employer, to a PC, never mind walking away with it every night.
    2. Legitimate devices come with tamper-evident seals, upon inspection by the bank or a maintenance agency the game will be up.
    3. Criminals need to duplicate the legitimate functionality, which means connecting to the payment gateway. This requires testing to verify functionality, which generates noise – and attention – during development.
    4. In many cases, to duplicate the legitimate functionality, the criminal would need to extract signing and/or encryption keys that verify authenticity against the payment gateway. This is a PCI requirement in every implementation I have seen, and would mean the keys themselves have been compromised.
    5. If the skimmer is the owner of the business, which moots some of the above points, he is so dumb he deserves to be caught. And he will.

    [Update] Some say that skimmers have been found inside POS devices, true – but this is different from modifying their logic, one can add a card reader in parallel, which is then removed via an access door and taken away, or add cables that take the card data to a secondary remote device.

    The issue is that Square’s hardware is poorly constructed and lacks all ability to encrypt consumers’ data, creating a window for criminals to turn the device into a skimming machine in a matter of minutes.

    Repetition – also, the note about being poorly constructed is a highly subjective observation. It is cheap and no-frills, but this doesn’t mean it is poorly constructed.

    And because anyone can get their hands on these Square readers, anyone can masquerade as a legitimate business or vendor and swipe your payment card.

    This is false – just like a restaurant cannot masquerade as a fake restaurant, complete with plastic food, just to skim cards. Nobody in their right minds will give the card to a stranger, unless it is involved in an actual payment. An actual payment requires at least some level of background checks on those receiving the payment. Matching skimmed cards to a source is extremely easy once a pattern of payments vs. skims is established. Many skimming employees get caught this way, and they are using other devices to skim – the rate would go up if they used the method proposed by VeriFone!

    Consumers who hand over their plastic to merchants using Square devices are unwittingly putting themselves in danger.

    Unless they take the same precautions as they do when they hand over their plastic at any other location.

    Today we are handing a copy of the application over to Visa, MasterCard, Discover, American Express, and JP Morgan Chase (Square’s credit card processor), and we invite their comments.

    Square has most likely already gone through PCI audits and checks to become a payment gateway. This includes a full description of their operation, which is no different than many POS terminals using COTS readers that dump card data over RS232 or USB links. I have personally implemented such a system, and it was accepted under PCI rules and put into service. The security isn’t between the reader and the application, but between the application and the rest of the system. If the application itself is corrupt, it is very easily caught and dealt with.
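    To make the point above concrete, here is an added example (not Square’s, VeriFone’s or this post’s code) of what the application sitting behind a dumb COTS swipe reader has to do with the raw track data it receives over USB or RS232. The reader encrypts nothing; the controls live in the application: validate the PAN, keep only what PCI DSS allows to be retained (a masked PAN and the expiry date), and drop the full track, service code and discretionary data before anything is logged or stored. The track 2 string and the test PAN 4111111111111111 are constructed sample input, and the PCI-style rules applied are the standard ones (no storage of sensitive authentication data after authorisation, PAN masked to at most first six and last four digits).

```python
"""Added example: application-side handling of raw magnetic stripe reader output.

Not code from Square, VeriFone or the original post. The sample swipe below
is constructed using the well-known Visa test PAN 4111111111111111.
"""

import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): start sentinel ';', PAN (12-19 digits),
# separator '=', YYMM expiry, 3-digit service code, discretionary data,
# end sentinel '?'.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation for a PAN given as a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class RetainedSwipe:
    """The only fields the application is allowed to keep after a swipe."""
    masked_pan: str
    expiry_yymm: str


def process_swipe(raw_track2: str) -> RetainedSwipe:
    """Turn a raw reader string into the subset of data that may be retained.

    The full PAN, the service code and the discretionary data (which is where
    the CVV1 lives) are deliberately discarded here and never returned, so
    nothing downstream can log or store them by accident.
    """
    m = TRACK2_RE.match(raw_track2)
    if not m:
        raise ValueError("malformed track 2 data")
    pan = m.group("pan")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return RetainedSwipe(masked_pan=mask_pan(pan), expiry_yymm=m.group("exp"))


# Constructed sample swipe: test PAN, expiry 12/25, service code 101.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"

if __name__ == "__main__":
    print(process_swipe(SAMPLE_TRACK2))
```

The design choice worth noting is that the sensitive fields never leave `process_swipe`; a reviewer or a PCI auditor can verify the data-retention rule by reading one function rather than chasing every log statement in the application.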

    Secure payment systems, like those provided by VeriFone and other credible providers which adhere to the highest level of security practices, are critical in protecting consumers, merchants and banks.

    Ah! Finally, the real motive of the “open letter” – none other than to remark that VeriFone is a competitor and provides secure payment systems. And that it is scared about competitors like Square.

    There is great promise in the future of mobile payments and our innovations will help drive the industry forward.

    Even more self-promotion, not in the spirit of an open letter. An open letter is open precisely to promote commentary and criticism, not to sell one’s own products or ideas.

    Security by FUD

    The “open letter” also has an elaborate video attached, with careful editing and effects, something that has taken time and effort. It looks like one of those ads run by politicians when they get into mud-slinging matches before elections, while adding nothing new to what is said in the letter. [Update] The video has been removed by YouTube due to TOS violations. VeriFone has re-uploaded it to Brightcove – showing further intent to cause damage to a competitor, rather than to make the industry more secure.

    In addition, VeriFone has gone through the trouble of registering a custom domain name, sq-skim.com, which was registered through GoDaddy, and even further, uses GoDaddy’s Domains By Proxy privacy service to cloak who is behind the domain. VeriFone should note that should a slander lawsuit be brought, these privacy services are worth nothing, as the original records can be requested by the court. It looks really bad to register a domain name which in part contains your competitor’s abbreviated name (“sq” for Square) and join it with a word full of criminal intent such as “skim”. It makes it appear that Square is selling skimming devices, and not a payment solution that competes with VeriFone’s.

    Finally, the letter lists “resources”, which are nothing but a bunch of links to marketing papers, articles negative towards Square, and “news” regarding skimming. The final touch is a “Be Secure Now” box with a big blue button that reads “Sign up for PAYware Mobile”. All this makes the whole thing stink even more of mud-slinging in an attempt to kill a competitor.

    Wait, skimmers for sale on eBay?

    Yep. There are skimmers for sale on eBay. Search for “card skimmer” and you’re presented (albeit with no direct results) with related searches such as “bank skimmer” or “credit card skimmer”.

    Search instead for “portable card reader”, and you’re presented with a wide selection of small, battery powered magnetic stripe readers, such as the one discussed below.

    It’s an irony that eBay provides buyer protection against an item designed to scam buyers at physical retail locations.

    The listing is even so helpful as to show a picture of an actual Bank of China credit card being swiped through the reader, showing how small it really is!

    Major selling points and features are listed, but some are particularly striking for something that pretends to have a legitimate use:

    512 K bytes memory for storing more than 2,000 records of data

    OK, so we can fit 2000 credit cards into this tiny thing. Useful.

    3-track version can collect all three tracks data…

    Meaning all the information needed to make a physical clone of a credit card, including the CVV1.

    Password Protection defends user

    … from law-enforcement officers trying to see what the waiter or gas station attendant had dumped onto the device, surely. Useful to deny criminal use of the thing. A self-destruct or auto-wipe button would be even better.

    Transfer data to MSR206, MSR605 and MSR606 directly

    This is a real kicker – transfer the skimmed credit card data directly to the magnetic stripe encoder models of choice in the carder “industry”! This means you don’t even need a computer to make physical copies of stolen credit cards, just connect the two devices and go!

    Bi – Directional

    So it’s eyes-free, battery powered, no need to pay attention while you swipe the customer’s card under the counter while he’s not looking.

    My question to VeriFone – why don’t you write an open letter to eBay about the blatant trading of what are evidently skimming devices? None of the above ‘features’ can be found on Square’s device. Maybe register ebay-skim.com in the process. I just checked on GoDaddy, and it can be yours for just $11.99.


    Your Smart-UPS no longer shows up in Mac OS Energy Saver?

    If you are positive that your UPS is correctly connected (check System Profiler etc.), then look for a ‘dummy’ kext installed by apcupsd, an alternative UPS monitoring tool, here:

    /System/Library/Extensions/ApcupsdDummy.kext

    If found, simply

    sudo rm -rf /System/Library/Extensions/ApcupsdDummy.kext

    and reboot your Mac.
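    Since the fix above ends in an `rm -rf` of a path under /System, here is an added helper (not from the original post or from the apcupsd project) that confirms the bundle really is apcupsd’s dummy kext before deleting it, so a mistyped path never feeds something else to `rm -rf`. It assumes the dummy kext’s Info.plist contains the string “apcupsd”; that assumption is marked in the code.

```sh
#!/bin/sh
# Added example, not part of the original post or of apcupsd itself.
# Assumption: the dummy kext's Contents/Info.plist mentions "apcupsd".

# Returns 0 if "$1" looks like the apcupsd dummy kext bundle, 1 otherwise.
is_apcupsd_dummy_kext() {
    kext="$1"
    [ -d "$kext" ] || return 1
    # the bundle name must match what apcupsd installs
    case "$kext" in
        */ApcupsdDummy.kext) ;;
        *) return 1 ;;
    esac
    # and its Info.plist must identify it as apcupsd's (assumption, see above)
    plist="$kext/Contents/Info.plist"
    [ -f "$plist" ] && grep -qi 'apcupsd' "$plist"
}

# Removes the dummy kext only after the check above passes.
# Defaults to the path from the post; a different path may be given as $1.
remove_dummy_kext() {
    kext="${1:-/System/Library/Extensions/ApcupsdDummy.kext}"
    if is_apcupsd_dummy_kext "$kext"; then
        rm -rf "$kext" && echo "removed $kext; reboot for Energy Saver to see the UPS"
    else
        echo "no apcupsd dummy kext at $kext; nothing removed" >&2
        return 1
    fi
}
```

Source the file and run `remove_dummy_kext` as root (the post’s `sudo` applies); then reboot as described. Note that on OS X 10.11 and later, System Integrity Protection blocks writes to /System/Library/Extensions even for root, so this only works on releases that predate SIP or with SIP disabled.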
