Wednesday, September 28, 2011

iphone-unlock.com won't unlock your iPhone

Wiki vandalism recently brought my attention to the apparent scam site iphone-unlock.com

Beware of iPhone Unlock and Jailbreak Scams. It's a clear cut case of buyer beware. These sites advertise chiefly through spam posts and Wiki vandalism. A search for "iphone-unlock.com" scam reveals people complaining that they paid for the "unlock" software, only to learn that the unlock software didn't work with their specific phone. If the site had offered refunds as a result of failing to provide the service they advertised, this wouldn't be a problem in and of itself, but it appears people do not get a refund after the software sold by iphone-unlock.com fails to unlock their phone.


The article Another Company Purports to Unlock iPhone 3.1.2 IPSW, Charges Money has a nice summary of problems with iphone-unlock.com. These include but are not limited to:
  1. The service itself is probably illegal
  2. They claim 24/7 support but don't actually offer it.
  3. They're selling services that are available free of charge and most likely only providing the exact same tools that are available for free.

Here is a sample complaint:

the-iphone-unlock.com SCAM

People beware of the-iphone-unlock.com is a Scam. I paid close to 50 dollars for lifetime access membership, trying to find an easy way to unlock my Iphone. The thing is that they say that they could unlock the 3g iphone whith the 2.2.1 firmware, once I paid went in and bOOm, "Unlock will NOT work with the baseband version (02.30.03)". Tried getting a refund or getting support and after 3 weeks I am still waiting for an answer. I know it is my fault for trying to get things the easy way, but I just want to let people know that IT IS A SCAM! The worst part is that they advertise in MacRumors Forums!

iphone-unlock.com is just another in a long list of fly-by-night iPhone unlock scams. They claim to unlock phones they can't unlock and do not appear to offer refunds when they fail to unlock your phone.

Check out this article about the forms of iPhone unlock scams for more information.

Monday, September 26, 2011

Payday Loan Scam Site cornerstonepayday.com

I'm a sysop for the Freakipedia, a small Wiki dedicated to Distorted View, a hilarious, juvenile podcast that makes Howard Stern look like Pat Robertson. The bulk of my responsibilities amount to deleting spam. This once took about 5 to 10 minutes every few days. One day the podcast host, Tim Henson, announced that his father had terminal liver cancer and that the show would go on hiatus for a while. Within 48 hours of that announcement, the Wiki received more spam posts than it had gotten in the previous two to three months. The pattern was predictable. There would be an initial rash of posts linking to the spamvertised site and other vandalized Wikis, which would in turn link to the scam site being advertized at the moment. One URL kept cropping up more often than the others, cornerstonepayday.com. I decided to do a little research.
As the following text will show, cornerstonepayday.com is probably not a legitimate business. If the site itself will not try to steal your identity, it's designed to process your data with absolutely no security between you and their server. The site uses none of the security it claims when receiving your data and will not protect you in any way, shape or form. Even if by some miracle the site is legitimate, their fee structure results in interest rates that are no better than a cash advance through your credit card company.

If you need money badly enough to consider the services of cornerstonepayday.com, get a cash advance or loan from your credit card company.

The first thing I noticed was that when you try to leave cornerstonepayday.com you get a bevy of popups trying to get you to stay.
These come up after trying to leave home page. You haven't even entered any data and the site is trying to warn you not to leave. It does this repeatedly. Right off the bat we have a major red flag. Legitimate sites do not harass you about leaving.

Let's go on. Below the "Apply Now" button you see this text:
OK, that's nice, but the site hasn't loaded over SSL.

Even if the server itself is configured to support a secure connection, your data won't be encrypted unless you load the page using HTTPS and not plain, unencrypted HTTP. The "Apply Now" form asks for a first name, last name, email address and the amount of money you want to borrow. I filled it out with fake data and was immediately taken to a form asking me for my bank information, birthday, social security number and address, that still wasn't encrypted. It's not that hard to redirect web visitors to the secure version of your site if one exists. The popups trying to keep me from leaving the page take more technical skill than redirecting visitors to the secure version of a site. Even a lazy developer could at the very least have the form submit the data you enter over a secure connection, even if the form doesn't load over one. I took a look at the source code behind the form submission, and even the from asking for your social security number and birthday wasn't submitted to a secure page. The URL http://www.cornerstonepayday.com/apply.php was hard-coded into the page. This means even if you manually enter through a secure connection your data will be routed to an unsecured connection when you try to submit it.

I decided to try manually loading the page over a secure connection to see if one even exists.This is easy to do, you just change the HTTP to HTTPS in the browser's address bar.

The moment I hit enter I got the same list of popups I got when I tried to leave the site in the first place. Grand.

The next thing I saw was yet ANOTHER red flag.
What the Hell?

To understand why this is a problem, you need to know a tiny tablespoon of information about SSL. SSL, the encryption that protects data in your web browser when using your bank, amazon.com or other sites uses a secure certificate. This certificate is "signed" by a root certificate vendor, such as Verisign or Godaddy. These root certificate vendors have the job of making sure the people who buy certificates are in fact who they say they are. Without this system a random hacker anywhere in the world could buy a certificate claiming to be, for example, Microsoft. A self-signed certificate in this situation means the people behind cornerstonepayday.com couldn't cough up a hundred bucks or so and wait a day or two for the certificate vendor to verify their identity. This is not the behavior of a legitimate business, but of a scammer who knows that the process of validating his business would reveal him as a con artist. There are legitimate uses for "self-signed" certificates. Intranet sites within a business for example will often use them. They're also common in development environments. Putting one into production as cornerstonepayday.com has done is, at best. rank incompetence. You do do NOT want these people handing your personal data. Even if a legitimate business they appear to lack the computer skills to secure your identity information.

But wait, there's more! Check out the text "The certificate is only valid for Parallels Panel". What does this mean? Glad you asked. Parallels allows you to run other operating systems in a virtual environment. The use of a Parallels Panel certificate means whoever put it on the web server didn't even bother to generate their own Self Signed certificate but stole a random certificate from a different product.

Remember that hard-coded URL in the form asking for your social security number, bank routing information, home address and birthrate? Even if you used this invalid SSL connection to load that form, your data would STILL be submitted unencrypted. This is pretty much an identity thief's wet dream. If you wanted to design a site that would maximize the risk of someone stealing the data submitted, then cornerstonepayday.com would be the perfect example.

I'll use a home security analogy to explain what's going on here. Imagine your bank's web site is a house. It has a security system, auto-locking doors, censors on all the windows and doors, motion detectors and a guard on duty. There are signs on all the windows and doors warning that the home is protected by a security system.

Cornerstonepayday.com has windows with missing panes and a door made out of balsa wood. The locks that are present were stolen from a nearby shed and the people behind cornerstonepayday.com don't have the keys, but that's OK to them because the locks fall open again the moment you try to lock them. There's a piece of cardboard out front. Scrawled on it in crayon are the words "guud sekurity sistem. yur moneys saf with us."

Both the bank and the shack your name, birthday, home address and social society number

The final nail in the coffin comes in the form of their fees.
This translates into a 15% to 26% interest rate on the loan. That's on the initial rates they advertise to get you to apply!

Don't do business with cornerstonepayday.com. They advertise through online spam posts and vandalism, their web site has NO security to protect your data when you submit it, the site design has a number of major red flags for scam activity and their rates are no better than using your credit card anyway. Why risk becoming the victim of identity theft for no financial benefit over using your credit card?

Saturday, September 17, 2011

Hate is an ugly thing

There are people who have used the 10 year anniversary or 9/11 to hate all Muslims as if every single one of them were personally responsible for the actions of the 9/11 terrorists. Hating an entire religion or ethic group because of the actions of a radicalized few is the kind of thinking that lead the 9/11 terrorists to hate all Americans in the first place.

The people below have more in common with the 9/11 terrorists than I think they would ever admit.

Thanks again to Openbook for making it so easy to locate people talking about how they want to Nuke Mecca.


Aaron Nicol I WANT TO FOLLOW PROPHRT WHO MARRIES AND FUCKS 9 YEAR OLD GIRLS LIKE MUMMAHED FROM THE CHILD RAPIST RELIGION OF ISLAM! AND I WANT 10 BRIDES THAT I OWN AGAIN ISLAM AND AN ONE WHO IS NOT OF MY TYPE OF ISLAM I MUST KILL. ISLAM = SATAN MUMHAMED = EVIL FUCK THE KABBAHA FUCK MECCA LETS NUKE THE SAUDIS


Tony Aiello We should wait for all the Islamists to go to Mecca and then drop a nuke on all of them. I still wont feel like we're even.


Joe Nicoletti THIS IS HOW WE SOLVE THE TERRORIST ISSUE. WE GET OUT OF THE MIDDLE EAST... YOU WILL NEVER CHANGE CAMEL JOCKIES. YOU CANNOT CIVILIZE UNCIVILIZED MORONS.. ONCE WE LEAVE, WE NUKE EVERY MAJOR CITY IN THE MIDDLE EAST INCLUDING MECCA. PROBLEM SOLVED!!!!!!!!! WE MAKE THEM SUBMIT.....................................


Aaron Nicol
TO DEAR OLD UNCLE SAM... IT HAS BEEN 10 YEARS SINCE THE SAUDI AL QUEDA TOOK THE TOWERS DOWN IN NYC IF WE GET HIT AGAIN LETS USE OUR NUKES ON MECCA AND MAKE THESE IGNORANT SAVAGE CAVE DWELLING SCUMFAGGOTS REALIZE YOU FUCK WITH THE USA YOU LOSE!!!!
Share · September 11 at 2:32am · Privacy:

Rollin Paramount likes this.
William H. Hensley And shoot their children in this country.;
September 11 at 2:33am

Remember, these are the posts they make publicly. One can only wonder what they say in private.

Friday, September 16, 2011

Dr. Oz is a jackass

The terms "organic arsenic" and "inorganic arsenic" are not trying to describe two different kinds of the element arsenic. They are describing the other elements to which the arsenic atoms are bound. Arsenic is a highly reactive element and as a result you don't find it in a pure form in nature.

Organic arsenic is arsenic bound to hydrogen and carbon. This is the kind that passes harmlessly through the human body. The stable carbon and hydrogen bonds keep the arsenic atoms securely locked into molecules that will not react with the rest of the body.

Inorganic arsenic is generally bound to atoms that are more volatile, such as chlorine, sulfur and oxygen. These molecules tend to break apart in the human body, allowing the arsenic to actually react.

The test Oz did failed to differentiate between these two kinds of arsenic containing molecule, making the results meaningless for evaluating the safety of the juice.