WhiteHat Consulting

I recently bought some furniture from Art Van in Saginaw, Michigan. As most furniture stores go, after you make the purchase you need to drive to the side or rear of the store to pick up your order. To my surprise, I was asked for my name, address, and driver’s license number for verification of who I am. I have a big problem with that…mainly the driver’s license number bit. However, apparently out of the (approximately) 30 people on the list, only myself and one other person did not give them our driver’s license number.

First – I never gave them my driver’s license number to begin with, so how would that verify who I am. Especially since they didn’t actually LOOK at my driver’s license or the driver’s license of the guy behind me.

Second – Why is the number written down? I can understand if you want a photo ID so that I can prove who I am, but to actually write down that information? I don’t think so…

Third – After the number is written down, where does that sheet go? From what information I gathered (social engineering alert!), it gets “filed” somewhere. Umm…where, for how long, and most importantly – WHY?!

Lastly – When the files are finally purged, what happens to the papers? Are they shredded? How do I or any other customer know that personally identifiable information is kept secure?

This is wrong on so many levels and Art Van should be ashamed of themselves. There is absolutely no reason for them to request anything other than a visual check of a photo ID so that they may match the customer name with the merchandise. They certainly couldn’t deny me the merchandise – after all, I had my receipt in hand – so what was the point of attempting to obtain my driver’s license number?

This reminds me of when Hollywood Video used to (still might, I have no idea) ask for a Social Security Number as identification when you open a new account. Even worse, when you were opening your new account they would verbally ask for a customer’s SSN in front of other customers…in addition to their name, phone number, and address.

DCECU ATM issue still ongoing. Power box has a padlock, but it can still be turned off by anyone who decides to pull up and flick the switch. I called DCECU a few months ago (in addition to almost two years ago) telling them of the issue and they said they’d send someone out to see what they can do.

I no longer do business with DCECU as of April of 2009. The way I see it, they can send someone out to grab and drop off cash from a remote ATM, but they can’t put a lock on the power switch to prevent misuse. Seriously? Normally I would just say “oh well”, but it’s been almost two years now and the problem still exists. So now that I have moved my money and loans elsewhere, now I’ll say “oh well”.

I thought I’d write this up so others don’t have to search all over for it. I have recently switched from a Palm Treo 700P to a Motorola Droid. Verizon employees couldn’t figure out how to move my contacts from the Palm to the Droid, but I did and thought I’d share. Here’s how to do it.

You have a couple of options – either have the Verizon people do it (which didn’t work in my case), set up a GMail account and export all of your contacts there (why give Google access to all of that info?), OR you can export all of your own contacts from your Palm Desktop application into the Droid itself without the middleman. Be sure to follow these steps in the order in which they are written.

-Sync your Palm to make sure all of your contact information is up to date
-Open the Palm Desktop application
-Go to the Contacts section, click on Edit -> Select All
-Once all contacts are highlighted, click on File -> Export -> Export as VCard
-Connect the Droid to your computer
-When prompted on your Droid, select Notifications -> USB -> Mount
-Your Droid should show up as a new drive on your PC at this point
-Copy your VCard file (should end in “vcf”) that you exported to the Droid “drive”
-Unmount and then disconnect the Droid from your PC (important)
-Open Contacts on your Droid and choose Import/Export from the options on the menu
-Choose to Import from SD Card
-After importing, go to Contacts and chose Display Options from the menu
-Expand your gmail account menu and check everything that has “System Group:” by it. In my case, for example, it was “System Group: My Contacts”, “System Group: Friends”, “System Group: Family”, “System Group: Business”
-Done

The export to vCard will bring your numbers, emails, and addresses for each contact, in addition to notes you may have written about each contact. The only issue I had is that it didn’t like to import all of the pictures from the Palm so I had to edit the VCard file slightly by hand. Other than that, smooth as silk. I’ll also be posting this to my own web site along with a full review soon…

UPDATE: Just another bit of information – you can export contacts in VCard format from a variety of email applications including Outlook and Evolution. The whole process basically works the same way whether using Windows, Linux, or a Mac.

I just happened to see this one night when driving up to the drive through in Taco Bell…kinda funny. “I’ll take a 5 layer beefy burrito, a taco supreme, a large pepsi…and can I get a scandisk with that?”

Last summer I went to two of the most beautiful state parks I have ever visted. One of which was Myrtle Beach State Park in South Carolina. While visiting, I noticed that the park had free WiFi in the main office for park visitors. While this is very convenient, I’m not exactly sure why they decided a password was required. Especially when they post the password publicly for anyone to see on the door to enter the main office. Sorry, but having a password is pointless if you’re going to show it to everyone. Just make the WiFi connection open and be done with it. While you’re at it, for the love of God, block connections to MySpace. I hate trying to see what the weather is going to be like while all the teenagers in the campground are trying to stay in touch with people at home and clogging up the router with hundreds of useless gif images downloading. “ZOMG! I’M AT TEH CAMPGROUND TOTALLY CAMPING!!1!”.

Materials: Kodak Digital Camera (C743).

I’m still not quite sure why they require web-based password authentication on the wireless network at the Myrtle Beach State Park.

Seriously…what’s the point?

They change it once a week, they post the password in plain view for anyone to see, and there is no other type of security method in place (including encryption for MY protection). So why not just ditch the password and keep it open?

Oh well. I still have to appreciate the fact that they offer free wireless. They’d be better off ditching the password and implementing WAP2 though…just my 2¢…

I love this campground! There’s on-site washing machines and dryers, a nice little store in case you forget something at home, and a beautiful beach. The cherry on top? Free wifi for geeks like me! Woohoo!

Unfortunately, the wifi area is full of teenage girls on the armpit of the internet (MySpace) at all times. Such bandwidth hogs…Ugh! Luckily there are ways of “throttling” this type of misbehavior…

>From Slashdot:

“It turns out the Pre periodically uploads detailed information about the user to Palm, including the names of installed apps, application usage (and crashes), as well as GPS coordinates. This, of course, is without user consent or control. The only way he found to disable the uploads was to modify system files.”

This is very disturbing, and very unfortunate news. Blackberry has always been the “king” of smartphones and accepted for business use just about everywhere. Personally I love my Palm Treo and have been shopping around everywhere looking to upgrade. It was down to the Palm Pre, the Blackberry Curve, and the Blackberry Storm.

I’m actually glad this story broke when it did. Unfortunately, it looks like I’m about to become another Crackberry user.

Shame on you Palm…

I happened to be traveling through Scottsdale, Arizona today and came across a sign I had never seen before. It makes one wonder… Do they really put cars worth stealing (or breaking in to) in their parking lot or is it a security theater? With times being tough like they are, is it *really* in the budget to park cars that tempt would-be thieves to break into them? I highly doubt it.

If you’ve been to any store with a bottle return, chances are you’ve seen these before.

About a year ago, I had noticed that most Meijer stores leave the front doors of these bottle returns unlocked. This means anyone can open up the door, cause damage to the machine, or even steal the paper used for bottle returns to create their own slips at home. Most Wal-Mart locations are also guilty of leaving the front door open. When I had asked an employee why they would leave them unlocked, the answer was disappointing. It was so they didn’t have to “find a key” in their “back room”. What’s the point of even having a lock then?

The employee also stated that they have had issues in the past regarding forged bottle return slips. Nice eh?

With school slowing down again for the moment along with the workload, expect more posts in the near future. Thanks for hanging in there…

A couple of weeks ago I was sent a package in the mail that kind of took me by surprise. It was addressed to me, but wasn’t something I would order, expect, or even consider ordering. However, I was sent several Scantron-style sheets, some brand new plastic bags labeled “biohazard”, and other information including an account number for supplies for a medical office. Trying to do the right thing, I did a lookup on the company that sent the package and they swore up and down that they had the correct address and told me I was a specific Doctor. After a quick lookup of previous owners of the address this package was sent to (I have more than a few addresses), there was no record of any Doctors living at this specific home.

So I called the company back. This time, I was greeted by someone that appeared to be a bit grumpy. Apparently, the company was looking for a specific Doctor. After asking a few questions, I found out the doctor lived at an address in Minneapolis, Minnesota that was…well…not really very close to the one on the package. Numbers were switched around, the street name was a bit scrambled, and our names were not close at all. However, the address on the package was definitely one of mine. The last place this Doctor practised was in Saginaw, Michigan, but this company had discovered that the Doctor moved to Midland, Michigan. Since they couldn’t find him, they asked if I knew him. Not knowing what everything was all about, nor what they wanted with the Doctor, I told them I did not know him. Then the ignorance started – they told me that I “need” to find the Doctor and give him the package. Apparently I’m a delivery service and didn’t know it. Needless to say, I let them know I wasn’t about to do their detective work. They then had told me that I need to return the package, but I would need to pay for postage. Again, I refused. They then had threatened to call the police and I reminded them that the mail was addressed to me and is legally mine (I did this out of spite at this point) and hung up the phone.

Two days later, they called my phone asking for the Doctor they were looking for. I told them that there was no Doctor at this number. They had then told me that I need to give the Doctor a message to call them. I reminded them again that there is no Doctor at this number and they hung up. I haven’t heard back since then, but decided that this encounter was worthy of a write-up.

Now I can assure you, I’m not a Doctor (especially a Medical Doctor) by any stretch of the word. Imagine what the possibilities are having the supplier’s name, address, number, and the account number of this Doctor as well as his name thanks to the company disclosing his name and information. I’m still shocked that something this sensitive landed in my lap out of the blue like this. I can only imagine how often something like this happens, or the consequences of when something like this happens. Do HIPAA laws come into play here? Any other privacy laws? This is similar to if a bank statement ended up being sent to me that was really someone else’s account. And yes, that happened to me too about two years ago.

After checking with the post office, since this was sent to me at one of my addresses, this piece of mail is mine and they don’t have the right to ask for it back.

Materials used:  Nothing – this just ended up being sent to me via snail mail.

This is old news, but it’s still relevant today as XP isn’t exactly “being left in droves” for Windows Vista. Hopefully these tips help some of those that are less technically inclined, but not complete newbies either. Either way it’s for people who want their Windows machines patched without being nagged with this “feature” bestowed upon us by the folks from Redmond.

For the more advanced users, you can always run your own WSUS server. This lets you control exactly what does and does not get installed, and WGA isn’t even available through WSUS (although Office Genuine Advantage is). If you have more than two computers running Windows 2000 or later, WSUS is a big help for saving bandwidth and assuring you get patched up-to-date quickly. It can be (sort of) compared to your own linux package repository.

Unfortunately, it requires Windows 2003 Server to run, but it is completely free (as in beer). So yeah, sort of pointless, but it will satisfy your inner geek who likes to tinker 

The easier WGA workaround:

This is actually pretty easy to defeat. Just boot into safe mode (XP Home) or regular mode (XP Pro or Media Center). Find the files in C:\WINDOWS\SYSTEM32 called ‘wgalogon.dll’ and ‘wgatray.exe’. Bring up the file properties, go to the security tab and remove the inherited permissions from the files (don’t copy them, strip them completely). Answer yes when it asks if you’re sure about this. Reboot and WGA will never bother you again. I’ve done this on dozens of machines and it just skips the update because its too stupid to fix permissions. The only exception to this is the Service Packs or repair installs.

Of course nobody should have to do it in the first place but this is an example of corporate-think at it’s best from our fiends in Redmond. If XP is so dead why should they be developing new WGA tricks for it anyways? Sounds to me like its them getting a bit nervous about how many people are jumping ship from Vista and pointing at ‘hackers’ as the problem. Again. =)

Dell actually uses a different key on their recovery discs than the one that’s on the side of the computer.

If you open d:\I386\winnt.sif The key is listed in there somewhere. That key also works, and I believe that in the past when I rolled my own discs, that was the one I’d use. IIRC I took the disc from my brother’s computer and enter Dell’s registration key. That generally worked just fine.

But that was years ago, and I don’t really deal with Windows much these days.

For a good time, type :% into the Chrome address bar. Down she goes! I guess some Google beta products are more beta than others. It usually crashes before you hit enter too. So much for each tab on a different process as well. That and the memory usage is through the roof – worse than IE 8 beta!

Thanks, but I’ll stick with Firefox for the stability and extensions. 

To keep things in order chronologically, I have posted a few wardriving videos that ran from 7-19-2008 to 7-26-2008 (still have a few more to post), but backdated them to their actual dates rather than post them using the current date as I put them together. You might want to take a peek back if wardriving interests you…enjoy!