Wednesday, December 20, 2006

New U.K. Report on Mass-Marketed Scams

Today, the United Kingdom Office of Fair Trading (OFT) issued a study on the impact of mass-marketed scams (i.e., scams using direct mail, telemarketing, email, and the Internet) on U.K. consumers. Here are some of the OFT's more intriguing findings:
- An estimated £3.5 billion is lost to scams each year, including estimated losses of £1.17 billion to holiday (vacation) club scams, £490 million to high-risk investment scams, £420 million to pyramid and get-rich-quick scams, and £260 million to foreign-lottery scams. The total equates to about £70 per year for every adult living in the United Kingdom.
- The mean amount lost per scam is £850, but the median is only £14. This means that the distribution of losses is highly skewed, as the mean is increased dramatically by “the relatively small number of persons who lost large amounts of money to scams.”
- Nearly half the U.K. adult population (about 23.5 million people) is likely to have been targeted by a scam, and 6.5 percent of the U.K. adult population fall victim to scams every year.

Tuesday, December 19, 2006

Q&A: E-Waste

Think that those old PCs you've been dropping off for "recycling" are really getting recycled properly? Not necessarily. E-waste, as a recent BBC News report put it, "is thought to be the fastest growing part of municipal waste in the developed world."
The United Nations Environment Programme (UNEP) estimates that as much as 50 million tons of waste from discarded electronic goods is generated each year.
E-waste is particularly problematic for certain West African nations, such as Nigeria and Côte d'Ivoire. The BBC recently described Nigeria as "increasingly the world's PC dumping ground." Although Nigeria reportedly has a thriving second-hand computer industry, one Nigerian industry representative estimated that up to 75 percent of the PCs exported to Nigeria are outdated and unusable. Jim Puckett of the Basel Action Network, a nongovernmental environmental organization, has stated that unscrupulous brokers and exporters take machines whose former owners intended them to be recycled, do not recycle them, and instead commingle working and nonworking machines in the shipments they export.
Is there recycling once the unusable computers reach nations like Nigeria? Yes, but not in the way you'd imagine or want. For example, around Lagos, which has no regular computer recycling facilities, e-waste computers reportedly "build up in huge piles" at dumps around the city. Children scavenge these dumps for the waste computers' contents, from which they can earn about US$2 per day, but also expose themselves to serious health risks in the process. Hazardous waste products in the computers include lead, arsenic, and mercury, as well as heavy metals such as nickel, cadmium, and chromium which leach into the soil and end up in plants and in people who consume vegetables.
Are there measures for international cooperation to combat e-waste? Since 1989, the Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and Their Disposal (Convention) has offered a basic legal regime for international action. While other G8 members have ratified or approved the Convention, the United States has not yet done so. The State Department's explanation of the U.S. position is that "before the United States can ratify the Convention, there is a need for additional legislation to provide the necessary statutory authority to implement its requirements." (As a point of reference, the U.S. Senate gave its advice and consent to ratification in 1992.) In the meantime, the State Department also notes that, "with respect to classifying used and scrap electronics, the current Basel system for controlling international shipments of hazardous waste makes trade in many of these materials difficult, and in some cases impossible. The U.S. supports consideration of alternative systems of control for 'e-waste' under the Convention."
Is there consensus about what those alternative systems should be? Not yet. The electronics industry and government officials are far from unanimous on what to do about e-waste. Proposals range from making manufacturers take back used electronics to imposing recycling fees on consumers and establishing cost-sharing arrangements between manufacturers, retailers, and consumers. Earlier this month, the Convention member governments issued an "urgent call for action" on e-waste, with priorities on "launching pilot projects to establish take-back systems for used electronic products, strengthening global collaboration on fighting illegal traffickers and promoting best practices through new technical guidelines."
What can individual consumers do in the meantime? Among other things, whenever you plan to recycle a computer or peripheral, start by asking the manufacturer if it has a recycling program, and ask for details that provide some assurance that they do what they say they'll do. Also, ask organizations like the Sierra Club or the Environmental Defense Fund for recommendations on reliable recycling companies or groups.
In some ways, the problem of e-waste is like the problem of conflict diamonds. No one person or company in the distribution chain is solely responsible for the problem, and most people would agree that the commodity is undesirable, yet under current legal regimes even a comparatively small number of unscrupulous enterprises can profit from its sale at the expense of innocent people. Perhaps, like conflict diamonds, e-waste needs its own "Kimberley Process," in which companies certify that they will recycle the electronics that they receive and will not ship them elsewhere for profit. Such a process could create incentives for reducing e-waste and provide a basis for concerted action by industry and governments in reducing the international spread of e-waste.

Cooper v. Universal Music Australia - Full Text

For those interested in yesterday's ruling by the Australian Federal Court in Cooper v. Universal Music Australia -- which found the operator of mp3s4free.net and an ISP liable for authorizing copyright infringement, by providing a search engine that enabled Internet users to illegally download MP3 files -- the Sydney Morning Herald provides what more online news reports on significant judicial decisions should include: a link to the full text of the decision.

Say Nyet to Time Webstore

Australian authorities have expressed concern that a website purporting to offer iPods and plasma TVs at below-market prices may be fraudulent. The website, www.timewebstore.com, lists physical and P.O. Box addresses in Darwin in the Northern Territory. As The Sydney Morning Herald first reported, however, the timewebstore.com domain is registered to a Vladimir Hotovksy in Moscow.
Other facts in the Herald article strongly suggest the fraudulent nature of the site: customers have complained that they did not receive the goods they ordered; the street in Darwin where the Time Webstore's head office is supposedly located does not exist; and the bank account used to pay for a $17,000 newspaper ad directing people to the website was false. Also, for what it's worth, the administrative and technical contact for the company hosting timewebstore.com's servers, hqhost.net, is a Sergey Sabatyev in New York City, and hqhost.net has numerous links to Russian websites, including porn sites.
As of this writing, www.timewebstore.com is still up and running.

New Recipe for E-Commerce Down Under: Kiwis?

A new Nielsen Media Panorama report states that more than 1.25 million New Zealanders have shopped online in 2006 -- an increase of more than 400 percent since 2001. What e-commerce sites should find even more interesting is that more than 400,000 Kiwis had made at least six online purchases in 2006 - a 700 percent increase since 2001.

Unauthorized Hacking - NZ$7500. Chutzpah - Priceless.

Not many reports about cybercrime issues are likely to induce a triple-take, but yesterday's New Zealand Herald included a report that could do just that. According to the article, one Gerry Macridis, described as a "security consultant," admitted that he had accessed the New Zealand Reserve Bank's computer-controlled telephone system without authorization. Macridis is now threatening the Reserve Bank with legal action if he is not paid NZ$7,500 for the information he gave the Bank about security flaws in the phone system.
The fact that Macridis lacked authorization to access the system is apparently both insignificant and irrelevant, as he claims the Bank then used his information to fix the security flaws he found. Macridis reportedly had taken the trouble to send the Bank a report that detailed the security flaws (although the Bank did not request it), and had called the Bank asking for payment for his unsought advice.
Now for the triple-take: Because of his unauthorized access to the Bank's system, Macridis was prosecuted in Wellington District Court, and pleaded guilty to the unauthorized access. Yet the judge -- after hearing from Macridis that "the bank's phone system was the worst he had seen in 11 years as a consultant and was vulnerable to tapping from overseas" -- discharged Macridis from conviction. The judge reportedly stated that Macridis "had acted honourably and a conviction would be disproportionate to the crime."
This ruling does not bode well for law enforcement or IT security departments in New Zealand. Under this court's apparent reasoning, any self-described "security consultant" can hack a computer system, and present the system owner with information on the vulnerability along with a bill for unrequested "services" (at least, as long as he is careful not to threaten harm to the system if he is not paid). One can only hope that Kiwi courts will give any legal action by Macridis short shrift, and perhaps recognize, as future Macridises come along, that unauthorized access to computers -- far from being "honourable" behavior -- is criminal conduct that deserves to be recognized as such.

Monday, December 18, 2006

List vs. List?

A recent TechNewsWorld.com article ascribes to Robin Bloor, a partner with a consulting and research firm, the view that antivirus software is "irrelevant" to computer security, as it represents a reactive and ineffective approach to malware. It also attributes to him the view that "[t]he correct solution to the problem" is a whitelist (rather than blacklist) approach, authenticating software before it runs.

While the article goes on to note that others concerned with online security also see virtues in whitelisting, it inadvertently sets up a false dichotomy, by suggesting that enterprises must choose between whitelist and blacklist approaches in selecting security solutions. Perhaps the competing claims of vendors that offer different solutions have something to do with this. Nonetheless, CIOs who select and implement network-security measures should put themselves in the shoes of Ansel Adams. Adams never relied on a single hue -- black, white, or gray -- in composing his masterworks, and neither should an IT department in choosing security solutions. The "right" solution may require a variety of security "shades" -- blacklist, whitelist, graylist, or a combination thereof -- as well as other elements that create a fully integrated approach to security.
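To make the "shades" point concrete, here is an added example (not code from the article, from Mr. Bloor, or from any vendor it mentions) of an execution-control check that layers all three lists. A denylist of known-bad hashes is consulted first, then an allowlist of known-good hashes and trusted publishers, and anything that matches neither lands on a graylist where the decision turns on how long the file has been seen in the fleet. The file contents, publisher names, and the seven-day prevalence threshold are constructed for the demonstration; the example assumes the signer field has already been verified by a separate code-signing check.

```python
"""Layered allow/deny/gray decision for running a binary (illustrative only)."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    RESTRICT = "restrict"  # graylist outcome: run under extra controls and log for review


@dataclass(frozen=True)
class Candidate:
    path: str
    content: bytes
    signer: Optional[str]   # publisher from an already-verified signature, or None if unsigned
    first_seen_days: int    # how long this exact hash has been observed in the fleet


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ExecutionPolicy:
    def __init__(self, allow_hashes: Iterable[str], trusted_signers: Iterable[str],
                 deny_hashes: Iterable[str], min_age_days: int = 7) -> None:
        self.allow_hashes = set(allow_hashes)
        self.trusted_signers = set(trusted_signers)
        self.deny_hashes = set(deny_hashes)
        self.min_age_days = min_age_days

    def evaluate(self, c: Candidate) -> Tuple[Verdict, str]:
        digest = sha256(c.content)
        # 1. Denylist outranks everything: a known-bad hash never runs, even if it
        #    carries a valid signature (certificates do get stolen or misused).
        if digest in self.deny_hashes:
            return Verdict.DENY, f"{c.path}: hash on denylist"
        # 2. Allowlist by exact hash: a specific, vetted build.
        if digest in self.allow_hashes:
            return Verdict.ALLOW, f"{c.path}: hash on allowlist"
        # 3. Allowlist by publisher: any build from a trusted, verified signer.
        if c.signer is not None and c.signer in self.trusted_signers:
            return Verdict.ALLOW, f"{c.path}: signed by trusted publisher {c.signer}"
        # 4. Graylist: neither known good nor known bad. Use prevalence as the tie-breaker:
        #    an unknown file that has been around a while runs restricted and is logged,
        #    while a brand-new unknown file is blocked until someone reviews it.
        if c.first_seen_days >= self.min_age_days:
            return Verdict.RESTRICT, f"{c.path}: unknown but established; run restricted"
        return Verdict.DENY, f"{c.path}: unknown and new; blocked pending review"


# Constructed sample inputs for the demonstration (not real binaries or publishers).
GOOD_BUILD = b"MZ\x90\x00 known-good build of internal tool v1.2"
KNOWN_MALWARE = b"MZ\x90\x00 sample flagged by the incident response team"
VENDOR_BUILD = b"MZ\x90\x00 update from a vendor whose signing cert we trust"
OLD_UNKNOWN = b"MZ\x90\x00 some utility an admin copied in months ago"
NEW_UNKNOWN = b"MZ\x90\x00 dropped onto the host an hour ago"

POLICY = ExecutionPolicy(
    allow_hashes=[sha256(GOOD_BUILD)],
    trusted_signers=["Example Software Ltd"],   # hypothetical publisher name
    deny_hashes=[sha256(KNOWN_MALWARE)],
)


def demo() -> Dict[str, Verdict]:
    """Evaluate the sample set and return each name's verdict."""
    samples = {
        "good": Candidate("C:\\tools\\good.exe", GOOD_BUILD, "Example Software Ltd", 200),
        "signed_malware": Candidate("C:\\tools\\bad.exe", KNOWN_MALWARE, "Example Software Ltd", 1),
        "vendor": Candidate("C:\\tools\\update.exe", VENDOR_BUILD, "Example Software Ltd", 0),
        "old_unknown": Candidate("C:\\tools\\util.exe", OLD_UNKNOWN, None, 90),
        "new_unknown": Candidate("C:\\tools\\drop.exe", NEW_UNKNOWN, None, 0),
    }
    results = {}
    for name, cand in samples.items():
        verdict, reason = POLICY.evaluate(cand)
        print(f"{verdict.value:8s} {reason}")
        results[name] = verdict
    return results


if __name__ == "__main__":
    demo()
```

The ordering is the substance: the denylist sits above the allowlist so that a signed-but-compromised file still loses, and the graylist turns the "neither" case into a graded decision rather than a binary one. A real deployment would source the hashes from the fleet's inventory and the denylist from threat intelligence, but the precedence logic is the same.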

Wednesday, December 13, 2006

More Juki Net Developments

Just 11 days after the Osaka High Court allowed a suit challenging the constitutionality of the Juki Net network, the Kanazawa branch of the Nagoya High Court overturned a lower court ruling that had found Juki Net unconstitutional. The lawyer for the 28 plaintiffs in the Kanazawa case indicated they plan to appeal to the Supreme Court. The Japan Times article reporting on the decision contains a number of excerpts from the presiding judge's opinion in the Kanazawa case.

Friday, December 08, 2006

New Woes for Juki Net

In the latest setback for the Japanese Government's efforts to implement Juki Net -- the national data network that links Japanese citizens' personal data at local residency registries, such as a person's name, sex, address and date of birth, to an 11-digit identification number assigned to every Japanese citizen -- a three-judge panel of the Osaka High Court declared on November 30 that the entry of personal data into Juki Net without residents' consent was unconstitutional. The court directed three Osaka Prefecture municipalities that were defendants in the case "to remove data on four of their residents from Juki Net." The mayor of one municipality indicated that he supported and would accept the court's decision, but two other municipalities reportedly plan to appeal the decision to the Supreme Court. Since 2002, several municipalities have opposed participation in Juki Net because of concerns about the risk of data leaks.

Thursday, December 07, 2006

Phony Telephony in Japan?

This week, the Japan Times has run two Kyodo News stories reporting that earlier in the week, Japanese police searched the offices of KDDI Corp., a leading telecommunications service provider, and Kinmirai Tsuushin, an Internet telephony company that had leased circuit capacity from KDDI. Kinmirai reportedly had taken in about 40 billion yen (US$348 million) from approximately 3,000 investors, promising what Kyodo News termed "unrealistically generous returns from their investments, which it claimed were being used to build a proprietary server network."
Kinmirai reportedly "had advertised that it had set up servers with state-of-the-art voice encoding technology around the globe for its Internet protocol phone service." However, during a government inspection in November 2006, Kinmirai "admitted that only seven of the 2,466 servers it claimed to have installed at 123 locations in Japan and elsewhere were operating." That same month, KDDI canceled its contract with Kinmirai after Kinmirai failed to pay KDDI approximately 32 million yen (more than US$278,000). Kinmirai also had stopped paying "returns" to investors, and shut down most of its and its subsidiaries' operation on November 20.
The article also notes that "[m]uch of the 'investment returns' are thought to have been funded by money paid in by new investors," though it does not make clear whether the thoughts are those of the police, regulators, investors, or others. Although Japanese investors have encountered larger Ponzi schemes before, in the form of "Special Purpose Vehicles" and Martin Armstrong's "Princeton notes", the possibility of a massive Ponzi scheme in a cutting-edge sector like VOIP would be unwelcome news throughout the Japanese IT and electronics industries.