The Hacker Factor Blog

According to news reports, China is now the world's second largest economy. However, I still equate their exports with cheap plastic, consumables (the opposite of durable goods), and low quality network exploits.

That's right: low quality network exploits. I mean, seriously, if the domain is hosted in China and is not a ".gov.cn" domain, then it is likely a scam site -- spam, phishing, malware, or cheap knockoffs. Sure, there are a few legitimate .cn domains that are not ".gov.cn". For example, www.google.cn, baudu.cn, and kaixin001.com come to mind. However, legitimate sites are the extreme minority. In contrast, I can immediately name hundreds of non-Chinese .com, .us, and even .ru sites that are legitimate (even if I don't include PayPal in the list).

Then again, maybe I just have a biased viewpoint. Having spent decades tracking spam, scams, phishers, and the like -- and constantly seeing China in the loop -- I cannot help but have this bias.

Network Attacks

My web site, like most other web sites, is constantly under attack. Most of the time, the attacks are blind scans. The attacker tries an exploit without first checking if the site is vulnerable. If the attack fails, they move on. If the exploit succeeds, then the automated attacker will quickly compromise the server.

Most attacks use one or two queries. For example, I'll see in my logs a query for "/login.php" and then a second query for the same non-existing file. However, if the attacker comes from China, then I can see 40 or more of the same query coming from an entire subnet of hostile systems. I consider this to be a stoopid attacker: if it didn't work 39 times, then the 40th time probably won't work either.

What likely happened is that some kiddie has a subnet of attack bots and told all of the bots to attack one URL rather than having them each attack different sites. Stupid attack x 40 = very stupid attacker.

Directed Attacks

I've had a couple of groups try to hack my web site for the purpose of stealing my image analysis source code. I know this, because they did blind guesses for things like "sourcecode.zip" and "imagesrc.tar.gz". For the record: I do not keep my source code on this web site. Never have, never will.

Most of these attacks came from China, and I strongly suspect the Chinese government. The attacks began last November, a few months before China was accused of hacking Google. At one point, I uploaded a zip file of hard-core Chinese porn and used a regular expression to match their query and feed them the file. Suffice to say, they stopped their attack for a few months.

The Latest Sad Attempt

I recently had a comment posted to my blog that was so unbelievably obvious as to make me wonder: How much of an idiot do they think I am???

In reference to: http://www.hackerfactor.com/blog/index.php?/archives/317-Backhanded-Apology.html
User IP-address: 205.209.142.173
User Name: louis vuitton
User Email: chenchen21621@hotmail.com
User Homepage: www. louis vuitton handbags. org WARNING: Do Not Visit! Possibly hosts malware. Spaces added to deter people from clicking on it.

Comments:
Thanks for your posting; I really appreciate your ideas. Hope you can keep going.
This is a really great website, and I really like your essay. Thanks for your sharing.

So let's count everything that is wrong:

1. While I have had some big names write into my blog, I kinda think that Louis Vuitton would know how to capitalize his own name.
   
2. I doubt that Louis would use an email address of "chenchen21621@hotmail.com".
   
3. The IP address traces to Fremont, California.

However, it is the claimed homepage that is the true joke. For example, all over the web site they spell the name "Louis vuitton" (forgot to capitalize the surname). The domain for the real "louisvuitton.com" site is registered to "Louis Vuitton Malletier" in Paris, France. But this faker's domain name is registered to some guy in China:

louisvuittonhandbags.org has address 63.223.106.237
Domain ID:D159724340-LROR
Domain Name:LOUISVUITTONHANDBAGS.ORG
Created On:23-Jul-2010 09:43:49 UTC
Last Updated On:23-Jul-2010 09:43:53 UTC
Expiration Date:23-Jul-2012 09:43:49 UTC
Sponsoring Registrar:Bizcn.com, Inc. (R1248-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:orgfl79878227718
Registrant Name:fang li
Registrant Organization:bai shen ke ji
Registrant Street1:wenshanzhuangzuzizhiqu
Registrant City:wenshanzhou
Registrant State/Province:Yunnan
Registrant Postal Code:663000
Registrant Country:CN
Registrant Phone:+86.8762654874
Registrant FAX:+86.8762654874
Registrant Email:zhucepo9@163.com
Admin ID:orgfl79878228061
Admin Name:fang li
Admin Organization:fang li
Admin Street1:wenshanzhuangzuzizhiqu
Admin City:wenshanzhou
Admin State/Province:Yunnan
Admin Postal Code:663000
Admin Country:CN
Admin Phone:+86.8762654874
Admin FAX:+86.8762654874
Admin Email:zhucepo9@163.com
Tech ID:orgfl79878228397
Tech Name:fang li
Tech Organization:fang li
Tech Street1:wenshanzhuangzuzizhiqu
Tech City:wenshanzhou
Tech State/Province:Yunnan
Tech Postal Code:663000
Tech Country:CN
Tech Phone:+86.8762654874
Tech Phone Ext.:
Tech FAX:+86.8762654874

The web site itself appears to be a functional shopping site, but it is certainly a scam. They say the site was established in 2007, but the copyright says 2008 and the DNS registrations says... last month! (Created On:23-Jul-2010 09:43:49 UTC)

Going through their check-out process is equally fun. The only shipping option is "USPS" (United States Postal Service), and the system seems to hang before transferring you to some third-party web site (that I've never heard of) for handling credit card payments. Unfortunately, the link failed... probably because I use the NoScript plugin and it identified a possible XSS attack.

Even more offensive... Why would a site called "Louis Vuitton Handbags" carry items from competing designers like Gucci, Burberry, Coach, and Prada? And why would Vuitton offer fashion items that are a few years out of style? (This is a fashion faux pas that is criminal!) The IP address used by this site also hosts luxurybags-mall.com, salestiffany.com, saletiffanyjewellery.com, and shoptiffanyjewellery.com.

This site is a scam. Most likely, they will take your credit card information (if they ever fix their link) and go for identify theft. I wouldn't rule out malware. At best, they might actually sell you a cheap, counterfeit knockoff made by some kid in a sweatshop.

I think that the US Postal Service is finally nearing the end of its death spiral. The USPS recently asked Congress to alter the existing laws: they only want to deliver mail five days a week (instead of six) and they want to increase stamp rates, again.

Online Bill Pay

The postal service has a couple of serious issues. First, they are not generating enough revenue to cover their operations. Postmaster General John Potter estimates that the USPS faces a cumulative loss of $238 billion over 10 years. I don't doubt the numbers -- it's probably in the ballpark.

The second issue is a competitive disadvantage. With nearly all banks and utilities offering online bill pay services (and usually for free), people have realized that they don't need to use stamps. Why should I pay $0.44 a month to pay a bill, when I can pay it for free! I have my cable bill, phone bill, long distance phone bill, cell phone bill, credit card bill, electricity, water, gas, and sewage bills. That's 9 bills per month at $0.44 cents per bill. Paying online saves me $47.52 per year in stamps that I no longer use! Four years ago, I used up a checkbook each year. Last year? I wrote a total of 8 checks. That's an additional savings of $15 per year since I no longer have to order replacement checks!

In addition to the dwindling number of bill payments sent through the post office, there is also the dwindling number of personal letters. Email, cell phones, SMS/texting, blogs, twitter, and other social media services have effectively made personal letters obsolete. The only time I really see personal letters anymore are when they are accompanied by birthday and holiday greeting cards.

How can the USPS compete against on-time bill payment services and personal communications that are near real-time and effectively free? They can't.

Spreading Out

Most companies learned long ago that vertical markets are limited. It is too easy for a competitor to cut off your customer base. With the postal service, they first faced competition from professional package delivery companies like UPS and FedEx. Then they met the Internet, which effectively made most USPS services obsolete.

The USPS has tried a couple of ways to enter other markets. They came up with home-stamp printers, so you don't need to buy stamps at the post office. I only know two small companies that bought these, and they stopped using them because the ink was too expensive. And while the idea of creating custom stamp pictures was cute, I haven't seem them used with the exception of one wedding invitation. Frankly, the price of $5-$10 over the cost of the stamps was just too expensive.

Not all of the USPS ideas have been bad ones. For example, they offer flat-rate packaging. Regardless of the item (up to 70 lbs), if you can fit it into their 12.5"x9.5" envelope then you will pay $4.90. They also have small, medium, and large flat-rate boxes. These are ideal for those eBay packages, or for shipping off computer supplies! The prices are very competitive compared to UPS and FedEx.

Thinking Small

Unfortunately, the USPS has been unable to think beyond "mail delivery". For example, ten years ago they proposed an offering to forward your postal mail to your email address. Uh, why? Why pay for a conversion service when I can just ask the sender to email it directly? And more importantly, who will be typing in the letter? I don't want anyone else to read my mail!

As with any industry, there are only three ways to increase revenue: create more offerings, increase prices, or decrease costs. The USPS has clearly failed to create more offerings. The services that they currently offer are, for the most, not competitive. (We don't call it "snail mail" for nothing!) Thus, they only have two other options.

Last year, the USPS suggested reducing mail delivery from six days a week to five. They just brought up the idea again. I can see the pros and cons to this. On one hand, most businesses shut down over the weekend. There is no real reason to deliver mail on Saturday to companies that are not open. And I don't think most residences will really care if no mail is delivered on Saturdays. As with banks, you can still do transactions over the weekend (mail letters), but the transaction will no complete until the weekday.

On the other hand, 5-day-delivery puts the USPS at a serious disadvantage. Both FedEx and UPS have Saturday delivery options. If it absolutely needs to be there, then the USPS goes from a weak option to no option.

Finally, there is the option to increase prices. The USPS began seriously increasing prices in the early 1970s, and the practice has since become a run-away process. Each of the last four years has seen a price increase.


Why are the early 1970s important? That's when the USPS went from a government-run organization to a semi-independent corporation. So the USPS went corporate and began increasing stamp prices. At the same time, they failed to address the growing threat from the Internet. Every time they increase stamp prices, they reduce the number of people sending letters and force more people to use online services that do not use the USPS.

Thinking Outside the (Flat-Rate) Box

It still isn't too late for the USPS to recover from this massive loss. But they need to think differently. For example:

• Free Services. Every FedEx and UPS package includes a tacking number. In contrast, the USPS charges extra for tracking. They need to provide free tracking in order to remain competitive. I want the option to mail an untracked letter, but I also want the option to track letters for free. That blurry stamp with an unreadable postmark is no longer a viable option. I want to go to usps.com and get a tracking number, write it on my envelope, and mail the letter! I want to see that it was picked up at 9:45am and delivered four days later.
  
  
• Simplify Services. If I want to send a letter, I need to write the address on the letter. If I want it insured, then I need to fill out a form. If I want it certified, then I need to fill out another form. Compare this with UPS and FedEx: one form and check what you want. Why is the line at the post office so long? Customers are constantly filling out additional forms! The USPS needs to simplify this process. Simplification will lead to faster service, happier customers, and less cost overhead.
  
  
• Usability! My local post office has four teller windows (of which, only 1 or 2 are usually staffed at any given time, leading to long lines) and two automated package mailing systems. The two automated systems are virtually unused. One automated system may have one customer at it, while the human tellers will have a line of 30 or more customers. This is a massive waste of a good opportunity.
  
  
• Additional services! The USPS needs to branch out! Offering a PO Box address is great! How about a service to email me when the mail has been delivered to my box? Maybe even an email about any packages that arrive or when the PO Box is overflowing? I want to be able to set an alert, so anything from California or Amazon immediately generates a notification to me! And why can't the USPS sign for my UPS or FedEx packages? I'd rather have the packages sit in the post office than in plain sight on my front porch.
  
  
• More locations! If I want to mail a package, then I need to go to the post office. (Assuming I cannot weigh it myself, compute the postage amount, and fit it into my tiny out-going mailbox.) The USPS only has five post offices in Fort Collins. In contrast, FedEx and UPS have lots of locations where I can ship packages. Besides the official FedEx and UPS buildings, I can go to MailBoxes Etc, Postal Plus, Kinkos, and even the grocery store! Most big companies have scheduled FedEx/UPS pickups, and I can even call them up and schedule a pickup. My time costs money. I'm willing to pay a little more for the convenience factor. (If I earn $60/hr, then a 30-minute wait in line at the post office costs $30. I can ship a huge package via FedEx and have them pick it up for less.)

In effect, the USPS needs to give me a reason to want to use their services. Without a new reason, they cannot compete against UPS, FedEx, and the Internet. If they don't change their ways, then snail mail will become obsolete.

The Down Side

So let's say that the USPS goes out of business. (From 6-day delivery to 5-day, to 3-day, to none.) What's the problem with that? Well, here's just a few issues:

• Anonymity. You cannot mail a letter anonymously through FedEx or UPS. Sure, you can put down a fake sender address, but that isn't the same as leaving it blank. Got a hot tip for the police? Want to complain about your boss? Need to mail a ransom letter? The USPS is your best option for anonymity.
  
  
• Slow Down. Sometimes you don't want next-day delivery. Mailing home stuff you collected at a conference or bought on a trip? You don't want it to arrive before you do. Want to float a check so it gets delivered the day after you get paid? The USPS is a great option if you do not want it to arrive immediately. While some auto-pay systems do allow you to schedule the delivery date, you usually cannot schedule a payment when you have insufficient funds. And FedEx and UPS don't have an option to "deliver it next month". (For next-month delivery, use USPS bulk/book rate.)
  
  
• Hold mail. Going away on a trip? I really like the "hold my mail" yellow forms. I only wish that there was a way to tell FedEx and UPS to hold delivery until next Tuesday.
  
  
• No Internet. The best advantage for the USPS is that I don't need Internet access. If they go away, then there is no good option for paying bills without an online bill-pay service. If, like my grandmother, you don't have Internet access, then you lose the ability to pay bills and contact relatives. Requiring online access places more power into the hands of the telcos. As long as there is a non-Internet option, the telcos must remain competitive. Remove the non-Internet option and Internet providers become a necessity -- watch them increase their rates.

While the USPS does have unique offerings, their management seems hyper-focused on the vertical delivery market. If they want to survive, then they need to offer more services and lower their costs -- not cut services and increase prices.

Two weeks ago, USA Today featured an article titled, "Cybercrooks stalk small businesses that bank online". This article discusses some keylogging malware (banking trojan) that watches for when people login to their banks. However, it includes the following text in the first paragraph:

The American Bankers Association and the FBI are advising small and midsize businesses that conduct financial transactions over the Internet to dedicate a separate PC used exclusively for online banking.

This is amazingly bad advice.

• If a small or midsize business (SMB) doesn't have a dedicated administrator to manage one system, then how can we believe that these same SMB can easily manage two computers?
  
  
• People are going to copy data between systems. If they are connected over a local network, then the malware will spread. If a USB drive is passed from one computer to the other, then the malware will spread.
  
  
• If the antivirus software on one computer does not notice the malicious code, then you can be certain that the same ineffective antivirus software is running on the other computer!

Two computers is not a solution.

The Paper Trail

While I have always been critical of the FBI, this level of bad advice is very surprising. I tried to identify the source of this statement (since USA Today does not cite the actual source). Here's what I found:

• The USA Today story came out on 30-Dec-2009. However, neither the FBI nor the ABA released any kind of press statement around that date. In other words, this was a filler-story.
  
  
• On 3-Nov-2009 (nearly two months earlier), the FBI released a press release concerning malware that targets SMB companies and online banking accounts. (The IC3 released a similar statement on the same day.) The description from the press release matches the general malware description found in the USA Today article.
  
  
• The FBI press release references a US-CERT paper from 2006 (that was revised in 2008). On Page 4, the paper says:
  

  Avoid situations where personal information can be intercepted, retrieved, or viewed by unauthorized individuals.
  
  You should conduct online bank transactions in locations that are not subject to public monitoring. When you are entering login information, you should avoid using unsecured or public network connections (for example, at a coffee shop or library). As a general rule, you should avoid using any computer that other people can freely access; the end result could be unauthorized access of your financial information. Remember, it is possible for your account information to be stored in the web browser’s temporary memory.

Now keep in mind, the US-CERT paper, FBI press releases, and ABA press statements never says to use two different computers. In fact, I could find no reference that gives the bad advice found at USA Today. I would not be surprised if USA Today just made it up. (In industry, we call it "MUS"; Making Up Sh*t.)

The advice from the FBI and US-CERT is good, but not great. Their advice is to not use public computers or anyone else's computer. (It's the same concept as washing your hands to stop the flu.) In other parts of the paper they advise people to be vigilant and take action when you see something incorrect with your online banking account.

While these tips are good, they overlook one significant item: they put the onus of keeping your bank account safe on the end-user. However, banks should share the responsibility.

Interest-Free Banking

The banking industry has never been known to take proactive security measures. They didn't start using vaults until after people stole the safes. Alarms were introduced after burglars began robbing the vault after hours. And banks did not even begin using HTTPS until after there were compromises by packet sniffing the HTTP connections. (I remember being told by a major credit card provider that they were not interested in anti-phishing solutions because phishing was not a big enough problem.)

Requiring non-technical users to monitor and prevent online banking theft is idiotic. We don't ask investors to stand guard at the bank's front doors, so why should we ask users to stand guard online? Banks should take a proactive approach. With a well-designed security solution, users should be able to bank safely even if their computers are infected with a virus. Here are just a few ideas that can lead to more secure online banking:

• HTTPS. SSL (Secure Sockets Layer) is a security framework. HTTPS is simply HTTP with SSL. The way we normally use it, the client authenticates the server but the server does not authenticate the client. Banks need to issue client-side certificates. By tying the banking session to the certificate, they reduce the exposure from compromised login credentials. An infected system may still be remotely used to access the bank, but credentials offloaded to a system in Russia will be useless. (There are many caveats here, such as the horrible browser interfaces for installing client certs, how to transfer the cert to the user, and cert theft, but these issues can be worked around.)
  
  
• Hardware tokens. A better solution than client-side certificates for SSL is the use of hardware token generators, like SecurID cards. These handy devices generate random numbers. Even if you know my login and password, you won't be able to generate the correct random number -- so my account will be safe. The best part is: if banks could standardize this, then you won't need one SecurID card per account; you will just need one. The same SecurID card could be registered with every bank account you own.
  
  
• Dongles. If SecurID cards are too complicated, then how about a hardware dongle? Even something simple that takes a numerical challenge and computes a hash is better than nothing. (Ideally, every client gets a different hash computation. The easiest method is to seed a random number generator with a combination of a serial number and account number.) Without the dongle, an attacker will be unable to access the bank account.
  
  
• User-managed credit cards. The last few digits on your credit card is a checksum. It is algorithmic and computed. Not only that, but the LUHN Algorithm is well known. The checksum was needed back in the days when vendors took carbon images of your credit card. Since the image could be hard to read, the checksum was used to identify errors. (That's not the only reason, but it gets the point across.) Today, cards are scanned (and in some cases, a human types in the checksum value). The checksum is not essential.
  
  Rather than using the same non-essential checksum, credit card providers can leave those digits blank. Allow users to select the numbers. When you swipe your card, you will type in the last digits rather than the cashier. (The same use model as a PIN number, without the pain of changing your PIN number. Also, PINs are only used with debit cards; all cards should require them.)
  
  When users are concerned about a potentially compromised card, they contact their banks (via phone or online or text message) and change the last four digits of the card! While the decision is still up to the user to decide when to make the change, at least users still have the option. (I would buy more things online if I had the ability to change my credit card number after making purchases with smaller vendors.)
  
  Moreover, card providers could link the digits to a SecurID or hash-based token. Since transactions already record the date and time, this is not an additional burden on anyone except the bank. Now, if someone steals your credit card number, they get nothing. This is much better than building RFID chips into credit cards since the RFID chips can be easily compromised.

The idea here is two-part authentication: something you have (a cert, token, or dongle) and something you know (password). With two-part authentication, it does not matter if the user's computer is infected with malware. An attacker cannot hijack your account since -- at best -- they will only have one of the two parts. They may capture your login credentials, but they won't be able to login if they cannot access the cert, token, or dongle.

If the banks were really interested in protecting accounts, then they would take proactive measures and not put the responsibility on the consumer. In this kind of consumer utopia, we would not have to worry about infected computer systems, or mass media outlets promoting bad advice.

There is an old saying that systems are as secure as the weakest element. However, the weakest element is not always the human. In this case, the infrastructure around account management and online banking is weaker than the human element. With a minor amount of effort, credit card and online banking can be made significantly more secure without blaming the customer for account compromises.

We like to believe that there is a distinction between legitimate companies and scams. Legitimate companies are honest. Legitimate companies will exchange currency for products. Legitimate companies obey the law. Legitimate companies don't intentionally try to con their customers.

Of course, there are plenty of examples where real companies straddle the line between legitimate and scam. For example, car rental companies will use fast talk to get you to buy insurance or upgrades that you don't need. (I've even had rental companies try to slip them onto my rental agreement without asking.) And don't get me started on the pharmaceutical, medical, and health insurance industries...

I always grow a little concerned when legitimate companies alter their methods to look more like a scam. For example, real emails from many legitimate banks used to look legitimate. However, some banks have changed their formats to look more like easy-to-copy phishing scams. In fact, many of the examples of real emails in the SonicWALL Phishing and Spam IQ Quiz look fake.

PayPal is another example. First they restricted my account unless I provided them with more personal information that they do not need and would be unable to validate. (Do I dare say blackmail?) Then they promised to delete my account if I did not comply. Well, it's been over a year and my account is still sitting there, and still access restricted.

Et tu, YouTube?

It has long been said that television makes us stupid. (Whether this is true or not.) I think this may apply to online videos as well. Specifically, it appears that the "Do No Evil" company has forgotten their motto.

I recently received an email from YouTube that appeared to contain a gracious offer:

Subject: Apply for revenue sharing for your video Al Qaeda and the Fly
From: YouTube <no_reply@youtube.com>
To: drhackerfactor

Dear drhackerfactor,

Your video Al Qaeda and the Fly has become popular on YouTube, and you're eligible to apply for the YouTube Partnership Program, which allows you to make money from playbacks of your video.

Once you're approved, making money from your video is easy. Here's how it works: First sign into your YouTube account. Then, complete the steps outlined here: http://www.youtube.com/ivp?v=[redacted]. Once you're finished, we'll start placing ads next to your video and pay you a share of the revenue as long as you meet the program requirements.

We look forward to adding your video to the YouTube Partnership Program. Thanks and good luck!

The YouTube Team

Wow... My video is finally popular! And they want me to join their partner program!

Flatliners

As with most scams, if it sounds too good to be true, then it probably is. Let's start with their first statement: "Your video Al Qaeda and the Fly has become popular on YouTube". Really? YouTube provides viewing statistics for videos. Here's the statistics for my video:



According to this, there was an initial spike when I first mentioned this video in my blog. And then? Totally flat. According to their own statistics, this video is not suddenly popular.

I began to go through YouTube's partnership tutorial. I'd elaborate, except Lance Ulanoff at PC Magazine has a great write-up of the process already.

Deal or No Deal

Basically, there are some very disturbing aspects.

1. The tutorial makes it very clear that "You should own all rights to the video!" Well, technically Al Qaida owns the rights to the video I posted. (Who do I write to in order to get permission to use this video snippet? "Dear Bin, Please let me use your video.") More interesting is the word "should". I "should" own all the rights. Not must, not will, not can... should.
   
   The next page of the tutorial becomes more threatening: "If you don't respect these rules, your video will be deleted from the site. No exceptions."
   
   
2. Their rules do not permit you to use anyone else's content, even if you have permission or are clearly under the Copyright Fair Use clause. (I believe this video clip is clearly Fair Use.) This actually makes partial sense since they cannot turn a profit using the Fair Use clause; profiting from someone else's works violates Fair Use.
   
   
3. They say that you will make money by allowing them to show ads. Ugh... more ads. I hate ads on web sites. Why would I want them to attach ads to my video?
   
   
4. There is one part of the tutorial that says "DO NOT submit any TV shows, music videos, music concerts, or commercials without the express permission of the producer, unless they consist entirely of content you created yourself." This is interesting since two pages back they said that I had to own it. Now they say I can profit if I have permission.
   
   
5. But here's my favorite part:
   

   Processing your video can take time. Please be patient!
   Once processed, one of the following will happen:
   * If approved, advertising will appear with the video.
   * If rejected, the video will be deleted from YouTube. You will receive an email notification if your video is rejected.

   
   So if I want to participate and obey all of their rules, they might still delete the video if they don't want to advertise on it. Real companies would just reject your application. YouTube will delete. As Google wrote in their FAQ:
   

   Not all users and videos are suitable for YouTube's Partnership program at this time. In addition, there are a variety of reasons why your application or revenue share request may not be approved. Please read through our qualifications for partnership and Terms of Use for more information.

   
   In other words, if your video won't make for a good advertisement, then they might delete it as a useless piece of tripe.
   
   But it does not end there... Buried in the fine print, Google also says that a rejection will mean a mandatory ban for two months, even if the denial was unjust.
   
   
6. Payment will be made through a Google AdSense account. (You need to make an account, but at least it isn't PayPal.) However, there are plenty of blogs that report of scam-like activities with AdSense. All of the problems with PayPal appear to be associated with AdSense as well.

We'll Be Right Back After These Important Messages

What I could not find anywhere were the terms of license. Can YouTube use the video anywhere they like? Can they share the video with third-party partners? Since they say that the video must be at least 30 seconds long, that sure sounds like a TV commercial segment. (The implication is that shorter videos will be deleted out of hand and you will be banned for two months.)

At face value, Google's YouTube service wants to advertise on my video. At this point, I have two options. I can become a partner and risk having them delete my video, or I can pass on the offer and continue using it under Copyright's Fair Use clause.

However, I think PC Magazine really sees an interesting twist. As Lance Ulanoff wrote:

Let me get this straight. YouTube invites me to be its partner and then turns around and uses the invitation to see if I'm a copyright infringer. That's what's happening here, isn't it? As I'm sure YouTube sees it, the only reason you'd be rejected from this program is if you ripped off someone else's content. That's a violation of policy, so they zap the video. I guess that automated system isn't working as well as YouTube would like. Now it has resorted to this.

Is YouTube trying to entrap potential copyright infringers, or bullying amateur filmmakers into an advertising scheme? Whatever happened to "Do No Evil?"

These are some issues that burden popular people like me...

I recently heard from two people who have received surveys from the census bureau. And I must say, the information they wanted to collect was pretty alarming.

Ring... Ring...

Neal: Hello?
Bum: Hey bum, I just received some mail and want to know if it is a scam.
N: It came over email? It's a scam.
B: No -- it came through the post office. It's snail mail.
N: Tell me about it.

What he described was a letter addressed to him (not a "To current resident" letter) that claimed he was randomly selected to fill out a survey. It even contained a threat: Compliance is required by law! But it didn't cite any laws. The questions in it were extremely personal: when in your birthday, what is your annual income, how much is your mortgage. Sure sounds like a scam, like some kind of phish. The letter didn't even have a postmark on it.

But there were a few odd things about this being a scam. For example, the survey was 28 pages long! And it had a pre-paid return envelope.

It turns out, this was probably legitimate. I ended up finding the form at http://www.census.gov/acs/www/Downloads/SQuest09.pdf.

Legitimate?

Well, kind of. Section 2 of the 14th Amendment (ratified in 1868) gives congress the right to count (enumerate) US citizens.

2. Representatives shall be apportioned among the several States according to their respective numbers, counting the whole number of persons in each State, excluding Indians not taxed. But when the right to vote at any election for the choice of electors for President and Vice-President of the United States, Representatives in Congress, the Executive and Judicial officers of a State, or the members of the Legislature thereof, is denied to any of the male inhabitants of such State, being twenty-one years of age, and citizens of the United States, or in any way abridged, except for participation in rebellion, or other crime, the basis of representation therein shall be reduced in the proportion which the number of such male citizens shall bear to the whole number of male citizens twenty-one years of age in such State.

Now, I'm not a lawyer and this is not legal advice. Perhaps there is some legal nuance that I'm missing. But giving congress the right to count its citizens does not strike me as being the same as requiring citizens to help with the counting. Granted, this same lack-of-required duty is the reason we cannot prosecute people who watch a crime and don't try to stop it.

Moreover, I can't find any record of any law that says you must provide information about your income or mortgage. Title 13 Chapter 5 of the United States Code covers the census. Section 141 covers population, housing, and unemployment. I can see that information about the number of people living in a house being covered by this. I can also see them wanting to know age, but nothing mentions date of birth. (Knowing someone is 29 is not the same as knowing someone was born on April 21, 1980.) However, I can find nothing regarding income or mortgages.

Interestingly, Title 13 Chapter 7 Subchapter II Section 221 of the United States Code makes it illegal to refuse to answer or give false answers. You also must cooperate with their census agents. But a census agent is not the same thing as a mailed letter. In fact, the letter wasn't even mailed certified. So how do they know that you received it?

Contradicting Documents?

The survey was accompanied by a letter claiming legal obligation. However, the last paragraph on the back page of the survey contradicts this obligation.

Respondents are not required to respond to any information collection unless it displays a valid approval number from the Office of Management and Budget. This 8-digit number appears in the bottom right on the front cover of this form.

The very first page has an OMB number. So they want your name, age, and number of people who live there. But no other pages contain an OMB number.

More interesting is that "valid approval number" part. I don't know about you, but I have no means to authenticate whether the number is valid. I couldn't find a web site that lists all of the valid OMB numbers for comparison. There is a phone number to call, but if the OMB number is not valid, then why should I believe that the phone number is valid?

Dealing with the Census

Advice I received years ago: If someone comes to you with a lawyer, get your own lawyer. Don't debate, don't be cocky. Say nothing and get a lawyer.

If you get a letter threatening you with legal action if you do not respond to it, and the letter was not certified, then how do they know that you received the threat? I'd ignore it, but that's just me. If it were a real legal threat, then it would be certified mail (proving delivery) and I would take it to my lawyer.

Similarly, if a census agent appears on your doorstep and threatens you with that "legally obligated" stuff, tell them that you are not a lawyer and you will consult your attorney. (You do have an attorney, right? I have mine already programmed into my cell phone. Seriously, you should at least know an attorney you could call.) And if you really want to get them riled up, ask them if they have arresting authority or a subpoena.

A Better Census

As anyone in law enforcement will tell you, people make for poor witnesses. We don't remember things correctly, we fail to notice details, and we jump to conclusions based on partial information. It's not our fault; we're programmed that way.

For example, when questioning people, there is always the urge to sound better or become more protective. (That "fight or flight" trait.) So if you ask someone how much they earn, they will either over-estimate, under-estimate, or ask why you want to know. This is really a stupid question to have on a census survey.

Here's a better idea: why doesn't the census contact the IRS? The IRS already knows your name, age, address, number of dependants, and your income. Do they really think that people who don't pay taxes are going to declare their income on a census form? If they want to know the cost of your house, why not contact your city government? The amount that you paid for your house is public record. (If you can't find it in a general database, then check if your city has the records available online. Most do.)

How about mortgage payment? There are three big credit bureau agencies that store this information. They know exactly how much you paid on your mortgage and when you last paid it. Then again, your taxes also ask for information about mortgage payments. So the IRS seems like a great one-stop-shop for all of the census information.

Somehow the government thinks that people will know these answers and be willing to share it. I find this ironic since some members of congress don't know how many homes they own or forgot how much they earned.

If the government needs the information, then they should look at where they already collect it. The current census form reads like an elaborate phishing scam and collects far too much personal information. Moreover, the introduction of "you are legally obligated" without citing the appropriate laws seems more like a scam and something that will put off recipients than a real legal threat. And is a legal threat the best way to win over citizens and have them honestly complete a survey?