UPDATE: It appears the site is offline now. The people listed below (and possibly others) still exposed their information to an unknown number of people and should take the necessary precautions. However, no new victims should be able to fall for this now.

Today I received one of those typical “Your PayPal account has been locked and you need to submit all your personal information to us to reset it” phishing emails.  Because I’m a geek, I investigated it to see what it was trying to do with my info.  I found that the submitted information was stored in a plain text file accessible to the general public.  I found that 11 people had already submitted a bunch of their personal information (name, address, phone number, mother’s maiden name, date of birth, Social Security number, and credit card number).  While submitting this to a phisher is bad enough, this phishing site is so simple that anyone with a little bit of technical knowledge can see everything that was submitted.

ATTENTION:
James Sanders
Jose Gonzalez
Susan Townsley
Lisa Siders
Lejsek Antonin
Jonathan Donald
Fred Grothe
Judy Stump
John Howard Sanden
Valerio Varela, Jr.
Robert Hastings
Janice Dawson
Marc Farley
Julie Luckasen
Horst Albert Gunter Kranz
Mellie Cran
Steven Swift
Dave Smith
Miguel Montano
Ed Longanecker
Wesley Kitten
RoyAnne Neely-Morrison
Tom Niebur
Cristina Bernar
Verlee Sanneman
Mike Roark
Jeff Richker
Holly Fuller
Thomas Mannino
Kathleen Shea
Rick Bodenschatz
Judith Foster
James Zimmerman
Genie Bost
Elizabeth Smith
Ann M Condit
Pamela Clement
Priscilla Khanoyan
Gardner Brooks
Larry Thompson
Scott Smartt
Christina Gietzen
Lance Kepler
Dr. P. Rory O’Neill
Linda Nickell
Neil Yontz

It appears you received an email that looked like this:

The attached form looked like this:

The information you submitted is now in the hands of scammers, as well as anyone savvy enough to examine the phishing email. At the very least, those credit card numbers should be cancelled immediately. Unfortunately, the rest of your info can’t simply be cancelled out like that. You should follow the advice at http://www.antiphishing.org/consumer_recs2.html for taking care of the compromised information.

http://gaming.invisibill.net/wow/torrents/WoW-3.0.9.9551-to-3.1.0.9767-enUS-Win-patch.torrent is a link to the BitTorrent metadata for today’s 3.1.0 patch (enUS). Using this .torrent will cause you to pool with all users of the official Blizzard downloader, as opposed to pooling with only the users of a separate Torrent site’s users. For example, using a .torrent on TPB will cause you to pool only with other TPB users.

With this, you can use your own existing BitTorrent client to download the patch files directly from the Blizzard swarm. All the benefits of the BitTorrent protocol without the flaws of Blizzard’s downloader. No need to open a ton of ports that might be in use for other things or other PCs, just use your regular BitTorrent client’s settings.

If your BT client asks where to save it, choose C:\Program Files\World of Warcraft\Patches\ to have it use your existing pre-downloaded data. If you installed WoW in another location, you should obviously use that location instead of C:\Program Files\.

Note that with BitTorrent, your download speed is limited only by the total of everyone else’s upload speed. Downloading the patch from a hundred cable modems will be much faster than fighting a million people for a regular HTTP download off a single file server. The more people you have using BitTorrent, the faster it becomes (the exact opposite of regular file servers).

If you just want a fast, secure download, click on the link at the top and start sharing your bandwidth. If you’re interested in the technical info behind this (and some general BT tips), http://gaming.invisibill.net/wow/patcher.html is a page I made in 2005 explaining the issues with the Blizzard patcher. If you don’t know what BitTorrent is and don’t have a BT client installed, either read up and install one, or find another download method. =(

Disclaimer: I created this .torrent file containing metadata related to the WoW patch files. My file does not contain any parts of the patch itself or other Blizzard files.

After a very long wait, it appears that invisibill.net has been migrated to a new Site5 server hosted at ThePlanet. The migration was not without its issues.

I received the first email Tuesday around 11 AM stating that they were starting the migration on my server. The email stated that I would get another email when they started on my own account, and that I should avoid changing things after that point until I received the third “all clear” email. I received the second email around 1 PM. I got my IP changes ready with my DNS provider, just waiting on that third email before I submitted the changes.

And I waited. And I waited. I checked the new IP Tuesday evening and it seemed to be functional, but I waited for the final email. And I waited. Before going to bed Tuesday night, I changed my DNS to point to the new IP, to avoid having new mail sent to the old server.

Wednesday morning, the main website which was working Tuesday night had stopped working. I checked the Site5 forums which stated that only by submitting a ticket to Support could you find out if your migration had actually been completed. I submitted my ticket around 11 AM. I asked if my migration would be finished soon, and explained that the site seemed to be working the night before, but was now treating PHP files as downloads and returning the default Apache page for subdomains.

I received a response a few minutes later stating that they had updated my DNS to point to the new server. After giving it some time for the change to propagate, I should let them know if I still had problems. Huh? I’m pretty sure that my PHP problems in Apache aren’t related to my DNS settings. My first message implied that I used external DNS (as people using the default Site5 DNS don’t need to make any manual changes) but didn’t explicitly state that, so I replied and let them know. I waited for an hour or so, but had other things to do.

Approximately half an hour after that (based on the system-generated email), they stated they were doing an emergency DNS overhaul and that I would be able to access my sites again after the DNS refreshed. This morning when I got the message, my site still didn’t work, trying to download the PHP file rather than displaying the HTML.

I compared my settings on the old server to the new server. Both servers had an Apache handler and MIME type of “application/x-httpd-php” specified for .php files, which is what the download was showing as. I removed the MIME type on the new server, and the downloaded PHP file started showing without a MIME type. I removed the Apache handler as well, and I started seeing an old HTML file rather than the current PHP file. I renamed the HTML file, and it properly displayed the current PHP as the default file. I then went into my .htaccess file and used the DirectoryIndex option to give the .php file priority over the .html file.

To sum all that up, it appears that my account was transferred over bit for bit, but that my existing settings didn’t match up perfectly with those on the new server. Things that were needed on the old server for proper operation actually made it not work on the new server. Site5’s support was pretty quick to respond, though I ended up fixing it myself in the end. Other than a disk failure one time, I never really had any problems with the old server. My site isn’t exactly huge, so I doubt I’ll notice much difference on the new server’s beefier hardware. In the end, it feels like a lot of work for no real gain.

Out of all of this, Site5’s communication seems to be the weak point. That’s unfortunate, as Site5 has always been pretty good about letting users know what’s going on. I have yet to receive the final email notice, or even verification from Support that the migration was completed. There was no recent notice that they were even planning to migrate my server, so this caught me off guard (away from home without my personal laptop). Their support was quick to respond, but ultimately not very helpful. I still think Site5 is great. I’ve been with a number of webhosts and so far Site5 has been the best for what I need. I just wanted to point out that there’s still room for improvement (just like everything else out there).

Near the end of last week, T-Mobile offered the Linksys WRT54G-TM router for $19.99.

I ordered two on the 13th, with plans to upgrade my and my girlfriend’s routers.

On the 17th, I received an email stating that the router I had ordered wasn’t available and that they were sending me a different router instead.

Subject: Your T-Mobile order
Date: Wed, 17 Dec 2008 12:44:12 -0800
From: Orders <Orders5@T-Mobile.com>

Dear T-Mobile Customer,

Thank you for ordering the T-Mobile @Home® Linksys router. Due to high demand, this router is currently out of stock.

We will be upgrading your order and shipping you the T-Mobile @Home® HiPort™ router instead. You should receive your order on or before Tuesday, December 23. We’ll send you an e-mail once your order has shipped, so you’ll know it’s on its way.

We thank you for your patience and apologize for any inconvenience.

Sincerely,

T-Mobile Customer Care

When I got home from work a few hours later, I replied that I only wanted the specific router I ordered.

Subject: Re: Your T-Mobile order
Date: Wed, 17 Dec 2008 19:28:19 -0500
From: Bill XXXXXX <invisibill@invisibill.net>
To: Orders <Orders5@T-Mobile.com>

I was looking for that specific model of router. If the router I ordered (order XXXXXXXXX) is no longer available, please cancel my order rather than sending a different router in its place.

Thanks,
Bill

On the 18th, I received a shipping confirmation email for the substitute router.

Subject: T-Mobile Shipping Confirmation
Date: Thu, 18 Dec 2008 13:19:45 -0800 (CST)
From: T-MOBILE <service@T-MOBILEORDERS.COM>
Reply-To: T-MOBILE <service@T-MOBILEORDERS.COM>
To: William XXXXXX <invisibill@INVISIBILL.NET>

Dear William XXXXXX,

Your order from T-Mobile has been shipped.

Items Shipped
The following items from your order number XXXXXXXXX have been shipped.

Item

Quantity
LKS KIT RJ11 T-MOBILE @HOME HIPORT

2

If any items from your order are not listed above, please follow the link below to check the status
of your order number XXXXXXXXX for more information.

>> https://securecheckout.t-mobile.com/b2c_tmoc/tmoc/orderstatus.do

If this link doesn’t open in a new window, please copy and paste it into your browser.

The package tracking shows that it will be delivered on the 22nd. My card was charged on the 19th. Throughout the week, the order status page has shown a number of different totals for different people, including the full price of the substitute router and upgraded shipping charges. Mine showed only upgraded shipping charges and tax, with no actual product listed, making the total less than that of my original order. However, the charge on my card was for the originally stated total, and there was only one charge. Others have reported multiple charges, often with different amounts.

Here’s where it gets bad for T-Mobile.
A Business Guide to the Federal Trade Commission’s MAIL OR TELEPHONE ORDER MERCHANDISE RULE

When you learn that you cannot ship on time, you must decide whether you will ever be able to ship the order. If you decide that you cannot, you must promptly cancel the order and make a full refund.

Ok, they should’ve cancelled the order. But they’re sending me an “upgraded” router (which won’t actually do what I want it to)…

Q: If a customer orders an item which is backordered, can we substitute an item of similar or better quality without the customer’s consent?

A: For backorders, the Rule provides only two ways of responding to a properly completed order for mail or telephone order merchandise: obtain the customer’s agreement to delayed shipment or provide a full and prompt refund. Unless the customer expressly agrees to the substitution beforehand, you do not have the option of substituting merchandise that is materially different from your advertised merchandise. The term “materially different” means that the merchandise differs in some manner that is likely to affect the customer’s choice of, or conduct regarding, the merchandise. Any product feature would be deemed material if it is expressly mentioned or depicted in advertising. Differences in design, style, color, fabric, or promoted end use also would be deemed material.

Oh. Guess they can’t do that. Oops.

Some people have stated that T-Mobile reps have said that the packages will include return shipping labels, so that the substitute routers can be returned if you don’t want that one instead.

However, since the merchandise wasn’t actually ordered, it might be legally considered a gift.

Whether or not the Rule is involved, in any approval or other sale you must obtain the customer’s prior express agreement to receive the merchandise. Otherwise the merchandise may be treated as unordered merchandise. It is unlawful to:

1. Send any merchandise by any means without the express request of the recipient (unless the merchandise is clearly identified as a gift, free sample, or the like); or,
2. Try to obtain payment for or the return of the unordered merchandise.

Merchants who ship unordered merchandise with knowledge that it is unlawful to do so can be subject to civil penalties of up to $11,000 per violation. Moreover, customers who receive unordered merchandise are legally entitled to treat the merchandise as a gift. Using the U.S. mails to ship unordered merchandise also violates the Postal laws.

How they treat me once I actually receive the package will determine how I handle this.

I just put up a bit of a HowTo on getting iTunes 8 installed on XP x64. As linked from the HowTo, http://yukichigai.googlepages.com/iphonex64 deserves most of the credit for the magic to make the installer work. However, I couldn’t find a direct download link for iTunes864Setup.exe and I did spend quite a bit of time on that part of it. Hopefully it will help someone else out too, even if it’s just getting the direct download link.

With gas being so expensive now, people are looking for that magic fix that costs $10 and gives them a 500% increase in gas mileage.  As usual, there’s no such thing.  Popular Mechanics tested a number of gadgets and all of them turned out to be snake oil.  Most had no discernable effect on power or efficiency.  A few actually decreased efficiency.  One started an engine fire.

A lot of the comments posted to the article state that these devices did work, despite PM’s experiments showing that they didn’t.  Some state that the magnets were the wrong type or not installed “in phase” and such.  However, the fact that gasoline is not magnetic seems to be a much stronger indicator of how much these magnets can actually help.

It’s very possible that some people did experience mileage improvements after installing the devices.  However, in some cases, people actually stated that they altered their driving patterns or did other work to the car as well (sometimes suggested in the gadgets’ instructions).  A test with two variables can’t prove that variable A is what actually caused the results, especially when variable B is known to produce similar results on its own.  For example, the Fuel Saver 7000’s instructions state that a bad oxygen sensor won’t return accurate readings and therefore you won’t see as much improvement from the FS7K.  What they neglect to mention is that a bad O2 will also result in bad readings and lower mileage even without the FS7K.  Installing the FS7K and a new O2 might give you better gas mileage, but you might have gained just as much from installing the O2 without the FS7K.

Here’s a comment that I posted to the article regarding the FS7K (not yet published).

Looking at the Fuel Saver 7000 “how it works” page (http://www.fuelconcepts.com/how.htm) and the installation instructions (http://www.fuelconcepts.com/install.pdf), there is very little to indicate that it will have much effect on power or efficiency.  You splice a line into your fuel source (either at the schrader valve on the fuel rail or elsewhere in the fuel line) and splice the main unit into your PCV-intake hose.  You calibrate it to a certain number of drips/min depending on your engine size.  The fuel drips down into the main unit and “secondary vaporization chamber”.  The drops of gas (purple dots) and the “light emissions” (blue dots) from the PCV valve “are vaporized through a 3-Stage ‘cold vaporizing vacuum system'” (blue swirly).  This appears to be nothing more than the regular intake manifold vacuum sucking them in (red dots).

Essentially, you’re sucking gas in from an alternate source, which is supposed to be vaporized more fully than the gas from the injectors.  The computer lowers the amount of gas sent in via the injectors to compensate for the gas from the Fuel Saver 7000.  Overall, you’re still burning the same amount of gas, but a portion of it is coming in via the Fuel Saver and is supposed to burn better.

However, there are downsides to this setup.  The Fuel Saver’s “oxygen intake” appears to be just a hole in the canister.  If so, your engine is now sucking in a (tiny) amount of unfiltered air, which could allow foreign materials in (but would most likely be ok).  Because the Fuel Saver is spliced into the PCV line and has its own oxygen intake, there is less vacuum on the PCV valve itself, which means you’re reducing the ability of the PCV system (http://en.wikipedia.org/wiki/PCV_valve), which could possibly lead to engine wear or damage.  They mention tapping a new port in the manifold if you don’t have a PCV line available, and I think it would probably be better to route the Fuel Saver into its own intake manifold port to avoid interference with the PCV system, but that adds a lot of complexity since most engines aren’t going to have extra vacuum ports available.

The whole idea of adding vaporized fuel to a random port on the intake manifold may or may not work well also.  Most modern cars have direct port fuel injection, and the manifold is engineered for flowing only air.  For example, it took a lot of different design attempts to make the upper intake in my GMC Syclone work well with an EGR port.  Introducing things other than plain air into a manifold designed for air simply may or may not work well, depending on the exact design of the manifold.  If the hose carrying the fuel vapor from the Fuel Saver exits in a certain way, the vaporized fuel could condense and simply drip down the intake, which is much worse than the vaporization that the regular injector would provide.

The schrader valve on the fuel rail is designed for temporary fuel pressure testing and such.  Certain fuel rails are known to crack with the added weight of a fuel pressure gauge or other device attached long term.  Another case where it would probably be ok, but it’s safer to permanently attach this to a regular fuel line than to use the port on the fuel rail.

Now on to the actual math behind this.  The L36 3.8L V6 in the Pontiac Firebird uses 22lb/hr injectors.  Figuring that gas weighs 6 pounds per gallon and there are 6 injectors, the injectors can put out a total of 132lb/hr or 22 gallons per hour.  I don’t know the average duty cycle in a real 3.8L car, but let’s assume that they don’t like to go over 80% to avoid stress on the circuitry, and we’ll take half of that – 40%.  Obviously, the amount of fuel going through the injectors will vary, but we’ll just use this as a mid-point guesstimate.  40% of 22 gallons is 8.8 gallons, which is 1126.4 ounces per hour.  That equals 18.773 ounces per minute of gas through the injectors.  The Fuel Saver instructions say that a 3.8L should use 38-42 drips per minute.  A quick test with water from the kitchen faucet showed 40 drops to be about 12cc.  One ounce is 29.57cc.  We’ll figure in some error and just say that the Fuel Saver should be set to half an ounce for the 3.8L.  With a normal flow rate of 18.773oz/min through the injectors, using the Fuel Saver you’re sending 2.66% of your fuel through it rather than the injectors.  At higher RPMs, there will be a lower percentage going through the Fuel Saver (more through the injectors but the same amount through the Fuel Saver), and a higher percentage at lower RPMs (less through the injectors but the same amount through the Fuel Saver).

While the idea of using a device that vaporizes the fuel more thoroughly should increase the combustion efficiency, I don’t think this device can absolutely guarantee that it will even help at all on every single car.  A lot of engineering goes into designing intakes, and a particular intake may or may not work well with this setup.  Also, interfering with the existing PCV system could possibly affect performance or even cause damage over a prolonged period.  This is only theory, and not actual product testing, but I doubt that sending <3% of your fuel through this device can give you a 50% improvement in gas mileage.

There is a line in the patent that states “An advantage of the present invention is that the delivery of a fuel rich air mixture into the PCV system is shown in improve the rate of fuel consumption in the engine.”  However, a quick Google search didn’t turn up anything related to that idea, other than the patent itself.  The device seems to be based on the fact that shooting a rich mixture into the PCV port will improve fuel consumption (lower it?), but there doesn’t seem to be a lot of support for this “fact” that I can find.

Feel free to let me know of any errors you see.  I tried to be as accurate as possible without having 100% exact numbers.  I’m not doing any self-promotion here, and I’d love to see something like this work, but the numbers just don’t seem to support it.

Hopefully that lets you see that there are a whole lot of variables involved with these things.  Depending on a specific car’s design, one of these gadgets might help or it might drastically hurt.  At the very best, it’s a crap shoot whether or not one of these devices will help you at all.

While I know for a fact that the manufacturers don’t give us the very best that they come up with (their designs are subject to cost and mass production), I’m pretty sure that in these days of car companies reporting huge losses, they would most certainly use any amazing new technology they found to boost gas mileage.  While big oil does have its fingers in a lot of places, and I’m sure there’s some mutual back-rubbing going on, I think Ford would much rather double their MPG and have every single person wanting to buy one, than stick to status quo and keep losing sales in order to appease the oil companies. If there were a cheap device out there that could reliably provide these amazing gains, I’m pretty sure we’d see them (possibly toned down some) from an OEM before too long.

LDN – Body found in PM Lake
9&10 News – Missing Ludington Man’s Body Found Near Mason Co. Car Ferry

More details to come as I get them…

IE8 May Not Pass the Acid2 Test After All

This basically states what I said about IE8 yesterday. The author of Acid2 made a post about this topic. He is very unhappy with the idea, and states several possible ways of handling the situation and the probable outcome of each.

Therefore I recommend not including the meta tag, or, if you are forced to include it, making sure it says “IE=7”, even once IE8 ships. This seems to me to be the best way to show your support for an open, interoperable Web on the long term.

Even if IE8’s rendering engine can properly handle all the stuff that Acid2 tests for, it might not end up working simply because IE8 will default to IE7-mode unless the special meta-tag is in the page. Based on Hixie’s comments, it’s pretty much guaranteed that the Acid2 page won’t include any special tags just for IE8. MS could put some tricks into IE8 to force it to use the new rendering engine when it encounters the Acid2 test, including hardcoding the URL and looking at a “fingerprint” of the page to see if it matches Acid2. However, these could be very easily worked around, by something as simple as hosting the page elsewhere or obfuscating the page in order to change its fingerprint. It would be pretty funny to watch MS trying to explain why it passes Acid2 on this site, but not on that site…

As stated before by myself, Hixie, Opera, Mozilla (continued), Webkit, and even WaSP members, this is not the way to fix the problem. Even Eric Meyer, who supports the IE versioning idea, spent an hour trying to convince a member of the IE team that the default should be “latest” rather than “IE7” (which is the part I have a problem with). I plan to publish standards-compliant code (or at least make my best effort) and not include any extra special notes so that a single browser knows that I really, really, really mean what I wrote. If the new “standards-compliant” IE8 can’t handle that, then I guess it isn’t really standards-compliant.

Microsoft Confirms IE8 Has 3 Render Modes

The IEBlog has some info about IE8. It will be super-duper standards-compliant. If that page happens to have a special IE tag added to it.

Back in the day, there was this great idea to use the DOCTYPE to determine if the author actually knew their way around HTML, or if they were clueless. The idea was that the ones that used perfect code would have a proper DOCTYPE, so the browser would render the page in Standards mode. The ones that didn’t have a valid DOCTYPE (i.e. just “HTML”) would be rendered in Quirks mode, where the browser would be more lenient. Simple, effective plan.

However, in an effort to be standards-compliant, HTML generators and well-meaning people started using proper DOCTYPEs without using standards-compliant code. They told the browser to render it one way, but used code that would render a different way. In short, the pages are incorrect. Think of it as telling someone to use “Correct Math” mode instead of “One-Less Math” mode. When you say 3, it means 3. In One-Less mode, saying 3 meant 2. People put in the DOCTYPE for Correct Math mode, but still left One-Less code in there. That made things look screwy.

With IE8, Microsoft is continuing to improve standards support. It’s been reported that IE8 can even properly render ACID2. However, they’ve chosen to undo all their progress by having IE8 default to the old rendering engine, unless you add a specific meta tag to the header of your page. In order to get IE8 to use its most standards-compliant mode, you have to add a non-standard tag. Since there are so many pages that have the Standards mode DOCTYPE, but aren’t really standards-compliant (i.e. poorly coded sites), they’re cutting current Standards support in favor of old broken code.

Instead of forcing authors of old broken code to fix their stuff, Microsoft is forcing authors of new unbroken code to “fix” their stuff. They’re doing so by claiming that the DOCTYPE system is broken, and implementing a new version of the DOCTYPE system which will suffer the exact same issues when the next version comes out. The root cause of this issue is bad code and their system promotes it rather than doing anything to discourage it.

A while back, I discovered spamd. It’s essentially a fake mailserver whose purpose is to tie up spammers. It throttles down the connection which makes the spammer wait a very long time to actually pass on their message. Once the spammer sends the email to spamd, it then responds to the spammer that there was a problem and to try again later.

It used to be that spammer programs didn’t retry in cases like that. They would just write it off as a failure and move on to the next target. People used this fact against spammers and graylisting was born. In general valid mailservers would retry and spammers wouldn’t, so the trick was just to have your mailserver tell everyone to try again. Valid mailservers would try again in a few minutes and the email would be delivered, while the spammers would simply give up. Email was delayed a few minutes, but it stopped a lot of spam.

In the continual cat and mouse game, spammers realized this and made their programs smarter. They made it so that their spam programs would also retry just like a real mailserver, getting around graylisting. However, that makes them even more vulnerable to spamd. After the spammer finally hands off his message to spamd, he’s told to try again later. Rather than giving up, the spam program tries again later, once again getting caught in the spamd trap.

Annoying spammers with pf and spamd explains how you can set up a pretty fancy system to cause questionable traffic to get routed into a spamd trap, while legitimate mailservers are allowed to deliver mail directly to you. Hitting back at spammers with OpenBSD and spamd is similar, but describes how to set up a blacklist-only spamd to trap connections made to a non-mailserver. You don’t use any filtering or classification, because it’s at an address that shouldn’t get any mail (therefore all connections are spam).

Anyway, spamd has been ported to FreeBSD. I have a FreeNAS box, which is a minimal version of FreeBSD. I was able to get spamd installed on my FreeNAS with those two pages, plus a little Googling. I have to say, it’s pretty neat. I’ll try to get a more complete tutorial up soon, so that others can do this as well. Rather than just neutralizing spam by filtering it, this actually hurts spammers by sucking up their time and keeping them from sending other spam. In the example above, a spammer spent over two hours trying to send a single email. For comparison, bulk emailers brag about being able to send hundreds of emails per minute (one program showed almost 1500 emails sent in 3 minutes). At 500 spams/minute, his spamd just stopped 60,000 spams.

Here is a video (4.4MB, codec) of just how long it takes to send an email to spamd. Because it throttles down the connection, spamd is never really dealing with much of a load. Despite putting a huge dent in the spamming operation, it won’t stress your system. If you have the means to run it, I suggest you do. For spam to stop, it must be made unprofitable. This is a great way to cut into spammer profits.