So all that time I spent warning people about OnStar seems to have been completely justified.
OnStar was recently admonished by several senators for its plan to spy on people (even non-customers).
OnStar is apparently hoping to create a new revenue stream by collecting data about the movements of OnStar-equipped cars. Obviously, this data set will be more comprehensive—and, therefore, more lucrative—if it includes data from former OnStar subscribers as well as current ones. In an announcement e-mailed to subscribers earlier this month, the company said that, starting December 1, it would continue collecting data from subscribers even after they cancel their service. OnStar also said it reserved the right to sell aggregated and anonymized data to third parties.
Whoever somehow assumed that a big company with the capability of knowing where you are at all times wouldn't abuse that power was pretty short-sighted. Sorry.
Tags: Onstar, Spying
When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak and pathetic security. This has just become my new go-to example.
Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.
What that means is that if you look at the address bar at the top of your browser, you'll see the name of the website you're on and (as is typical) a whole lot of other junk like this:
http://www.citibank.com/account.asp?were=dumbascrap&we=shouldhaveknownbetter
One of the values in the "lots of other junk" area told Citibank whose account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Even when this kind of problem was new over a decade ago, it seemed pretty dumb for major websites to be this sloppy. To think that a site run by such a large (and rich) company would make this kind of mistake would be laughable if it weren't so contemptible.
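The flaw described above, as an added example (not Citi's code and not part of the original post): a handler that trusts the account ID in the URL, beside one that checks it against the logged-in session, plus a helper that lists cross-account requests for alerting. The `acct` parameter, the host `bank.example`, and the sample accounts and sessions are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account id -> record, session token -> user.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": "2,500.00"},
    "1002": {"owner": "bob", "balance": "310.75"},
}
SESSIONS = {"sess-a": "alice", "sess-b": "bob"}

class Forbidden(Exception):
    """Raised when the caller may not see the requested account."""

def requested_account(url):
    """Extract the (hypothetical) 'acct' query parameter from the URL."""
    values = parse_qs(urlparse(url).query).get("acct", [])
    if len(values) != 1 or values[0] not in ACCOUNTS:
        raise KeyError("unknown or ambiguous account id")
    return values[0]

def show_account_vulnerable(session_token, url):
    """The flaw: being logged in is the only check; the URL picks the account."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[requested_account(url)]

def show_account_fixed(session_token, url):
    """Authorize the object as well as the session."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    acct = requested_account(url)
    if ACCOUNTS[acct]["owner"] != user:
        raise Forbidden(f"{user} does not own account {acct}")
    return ACCOUNTS[acct]

def cross_account_attempts(requests):
    """Map each user to the account ids they requested without owning them."""
    hits = {}
    for token, url in requests:
        try:
            show_account_fixed(token, url)
        except Forbidden:
            acct = parse_qs(urlparse(url).query).get("acct", ["?"])[0]
            hits.setdefault(SESSIONS.get(token, "anonymous"), []).append(acct)
        except KeyError:
            continue  # malformed or unknown id: nothing to attribute
    return hits
```

A stronger design drops the account ID from the URL entirely and derives it from the server-side session, so there is nothing for the client to change.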
Citi, TJX wants to thank you from the bottom of their hearts for finally doing something so stupid that we can forget about their horrible mistake (at least just a little).
Source
Tags: Account Security, Banks, Continual Stupidity, Negligence, Utter Failure
So…
Wait.
What now?
A Yahoo article says that because women's clothing sizing is hard, they're going to nude scan them to figure out what they can wear. Seriously!?
Ms. Shaw, the entrepreneur, is chief executive of a company called MyBestFit that addresses the problem. It is setting up kiosks in malls to offer a free 20-second full-body scan — a lot like the airport, minus the pat-down alternative that T.S.A. agents offer.
Lauren VanBrackle, 20, a student in Philadelphia, tried MyBestFit when she was shopping last weekend.
“I can be anywhere from a 0 at Ann Taylor to a 6 at American Eagle,” she said. “It obviously makes it difficult to shop.” This time, the scanner suggested that at American Eagle, she should try a 4 in one style and a 6 in another. Ms. VanBrackle said she tried the jeans on and was impressed: “That machine, in a 30-second scan, it tells you what to do.”
That's cute. A strip search in the name of getting something to wear? So instead of wasting millions on this disrobing plan, why not standardize women's clothing and use inch measurements like men's clothes? How's that for an idea?
How long until someone hacks these poorly protected machines to record copies of all women scanned and the photos show up on the Internet? Will you put your teenage daughters in them?
This is so, so stupid, I can't believe it's actually true. I really hope this doesn't catch on because if it does, my faith in humanity will suffer yet again.
Tags: For Families, For Parents, Nudie Scanners, Utter Failure
As anyone who reads much of my site knows, I'm not a fan of how RFID is being implemented. However, I'm not against the technology itself as it has many practical uses. For example, some hotels have begun putting washable RFID in the towels and bathrobes to keep people from stealing them.
Since the RFID towels have no privacy-invading purpose at all and serve to deter self-entitled punks who think it's OK to take hotel items, I will offer my tentative support for this. The main concern is feature creep: depending on how they implement this, they may also know which towels you used and when. I can't really see the hotels bothering to do so, but if they did, that would be crossing the line big time.
Source: http://intransit.blogs.nytimes.com/2011/04/11/gee-how-did-that-towel-end-up-in-my-suitcase/ (H/T to The Consumerist for the link)
Tags: Hotels, RFID, Theft
Sony has been going crazy trying to keep clever users from unlocking the PS3 to run homebrew (like the Wii hack which I love!).
First of all, companies are trying everything they can, but in the end it won't amount to much. Consider that all it takes is one person anywhere in the world to figure out the encryption codes (not the real name, but it's simpler) and then share them online (like in this hilarious example where a user tricked a Sony spokesperson into sharing a PS3-related code with his audience of thousands on Twitter!).
And yet companies get increasingly difficult and stupid about trying to protect their games which only makes things harder for the legitimate users (obligatory comic referencing this concept). All I can say is good luck Sony.
Tags: Homebrew, PS3, Sony
Surprise, surprise. A company has a giant data breach due to negligent security, but not to worry! They'll protect you by offering you credit monitoring for one year free!
It would be nice if people could spot this B.S. easily by now, but I'm guessing there are a lot who won't, so let me spell it out. Credit monitoring is a waste of your time and is likely only offered to make it seem like they're doing something for you when they probably aren't. I wouldn't be surprised to find out that the credit monitoring companies have a "data breach plan" where companies can get a bulk discount by offering monitoring to all their victims.
It's a classic win-win-lose. The breach company wins PR points, the monitoring companies continue to make money for not providing any real service, and we all lose.
If you're worried about ID theft, just freeze your credit reports!
Tags: Data Abuse, Identity Theft, WellPoint
Would it surprise you to know that sugary cereals really aren't healthy? Sure! They have a vitamin or two and probably some kind of grain buried under all the fat and sugar and chemicals, but why pay attention to that?
Instead, Kellogg's corporation has been busy touting the health benefits of their kids' breakfast "foods":
Kellogg has agreed to expand a settlement order that was reached last year after the FTC alleged that the company made false claims that its Frosted Mini-Wheats cereal was “clinically shown to improve kids’ attentiveness by nearly 20%.”
At about the same time that Kellogg agreed to stop making these kinds of false claims in its cereal ads, the company began a new advertising campaign promoting the purported health benefits of Rice Krispies, according to the FTC. On product packaging, Kellogg claimed that Rice Krispies cereal “now helps support your child’s immunity,” with “25 percent Daily Value of Antioxidants and Nutrients – Vitamins A, B, C, and E.” The back of the cereal box stated that “Kellogg’s Rice Krispies has been improved to include antioxidants and nutrients that your family needs to help them stay healthy.”
What did they get for such a misleading and blatantly manipulative campaign? An order from the FTC to stop making claims without proper scientific backing. Ooooh! Burn!
Tags: FTC, Kelloggs
While I don't support downloading music and movies instead of buying them, I also don't support abusing the legal system to bully people and make money. The RIAA has been doing just that for a long time according to several consumer groups.
In this case, the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) are arguing that when the RIAA sues thousands of "infringers", they have to file thousands of separate lawsuits and not just one.
Filing one is cheaper and easier, but it makes things harder for, and is unfair to, the victims… er, I mean defendants.
If the court adopts the approach suggested here, the costs of the current anti-P2P litigation strategy could become untenable. If each anonymous defendant requires several hundred dollars in filing fees, individual paperwork, individual subpoenas, and detailed information on their alleged distribution, settling for a mere $1,500 doesn't sound so hot.
Let's hope for the best. Leave people alone and worry about pirating organizations and criminal groups instead.
Source: Ars Technica
Tags: ACLU, EFF, Filesharing, P2P, RIAA
I have a bit of a love/hate relationship with Amazon.com, but this season, it's more hate. I found the gift I'd been looking for on Amazon for about $10 cheaper than my normal favorite, Newegg.com.
However, I suppose nothing cheap comes without strings attached, not at Amazon anyway. Check out this BS:
So not only are they saying that with more than 20 days lead time, they can't get me this item by Christmas and it's not free shipping as was promised, but there's hope! If I sign up for "AMAZON PRIME" I get not only free shipping, but it comes on time. It's only 80 FREAKING DOLLARS should I somehow forget to cancel.
Ok, so I could just sign up and cancel right away, but I shouldn't have to jump through goofy hoops just to buy something and this smacks entirely of deliberate obstacles for the sake of pushing me into their "premium service". I don't do deceptive.
For $10 more, I just kept my business at Newegg.com which has been the most consistently excellent source of electronics research and prices all while maintaining excellent customer service. Be sure to take your business there too.
Update: It's the 11th and my gift already arrived. I wonder why Newegg's free standard ground shipping managed to get me my item in less than 5 days, but somehow Amazon just couldn't do it in less than 20 unless I signed up for Amazon Prime… Hmmm…. It's a mystery.
Tags: Amazon.com, Christmas, Newegg, Shopping Online
It is every blogger's sworn duty to heap mounds of scorn on the things that bother or irritate us. Ok, so we're not actually sworn in, but based on the way most people blog, it seems like that is the case.
My point is that while complaining about the ills of society and bringing attention to stupidity and abuse are vital (and fun) activities, it is equally important for us to band together and promote the positives by saluting those who are actually doing it right.
Today, the company that deserves our praise is Nordstrom's. Check out this sign found outside one of their stores:
Christmas creep is a problem of greed and of commercialization of holidays. It's an assault on our peace of mind and of the very few American traditions that we have. Or put simply, Christmas creep ruins Christmas. No music, no decorations, no nothing until AFTER Thanksgiving. It has always been and will always be that way in my house and I respect and support any company with the guts to keep to the same policy.
Nordstrom's, for today at least, you are my friend.
Tags: Christmas, Holidays, Nordstroms, Retailers