This poll appeared on one of the most popular Russian IT social blogs – Habrahabr. The question was simple – now that Windows 7 RC has expired as of March 1, what is your next move? 47% of respondents answered that they already run a stolen (pirated) copy of Windows 7 or will do so now. Below is a screenshot of the poll with English translation. If you want Russian wordings (although dimmed out) hit the cut.

50% of Russian IT Workers Admit They Are Thieves

50% of Russian IT Workers Admit They Are Thieves

Russian court found the owner of AllOfMP3 not guilty of breaching the copyright. Now, if I can only go to Russia and open a video store, something like AllOfDivX…

Given how much publicity the case with Russian teacher Ponosov got (here’s the link to the latest on Wired) I think I also have to shed some light on it, given that most people don’t really understand what’s really going on. However, bear in mind – I am not a lawyer, so whatever you may find below is my personal perception based on knowing the situation in Russia just a bit better then folk on this side of ocean.

Is a nutshell – the principal (called director of school, basically the administrator who runs whole 11-grades establishment between kindergarten and university/college) got apprehended by Russian authorities for having a classroom with computers without Windows licenses on them. As the case unfolded, it was established (judging by information from public sources) that he bought computers with Windows already preinstalled.

Now, this is a spot where I need to stop and make some things clear. Most of schools in Russia don’t have computers, let alone money to pay for the software. However, as it was uncovered in this case, the problem was that Ponosov allegedly bought computers from some third-party that installed unlicensed copies.of operating system. Where did the difference in money go, of course, was not disclosed. Again, it wasn’t Microsoft who chased the guy, it was Russian authorities for good solid reason.

Next thing you know – Mikhail Gorbachev (when did he surfaced?) asks Bill Gates to intervene, Putin is personally overseeing the process, Microsoft (as always) gets all the blame, Ponosov claims he’s not guilty even after he was offered to settle things outside of the court and then – boom!, case dismissed.

Now why would anybody want to have a process like that? Personally, I see several goals of such thing, even though at first glance the whole thing looks like an exercise in moronity:

• Putin shows to the world that he fights piracy in his country. The fact that in real life in Russia nobody cares about piracy is somehow gets forgotten. No, really, you think someone with salary around $200 – $500 a month could afford buying an OS that costs about that? Plus the Office? Especially when pirated copies cost around $5 – $10 per CD with every possible version of Windows on it? Give me a break.
• (whoever was behind this idea) got the message out very loud and clear – stop using Windows proprietary/commercial in Russia. Why? Because you never know if and when authorities will come after you. However, with Linux/OpenOffice combo, there are no licensing fees to pay, no restrictions, therefore it’s just plain safe to use.
• this puts additional pressure on software companies that sell their products in Russian market to lower the price. Not because Russian companies cannot afford it, but because Russian consumers don’t want to pay for it. In simple language – they wouldn’t buy the product if there is any way they can steal it. Practically no amount of meetings, agreements and even discounts would change that type of psychology any time soon. Of course, with larger companies the situation is different, but on the end-consumer market it is considered plain old idiocy to pay for Windows.

First two bullet points are pretty obvious to anyone who have been following (anti)piracy news from Russia. Third one has a very long history, which I have neither time nor wish to go through. Just to summarize the whole thing – it seems very interesting how Russian-produced PR actions get a lot of people very emotional. Looks like they got some kind of gurus back there in Moscow. Nice job, guys.

They found me again!

Today I found several e-mails that were sent to me by payment gateway that several cheap hosting package purchases were declined. Well, $5.95 is not an amount that would send you all the way through bankruptcy court, but when after certain silence you get few declined transactions (and I don’t advertise the fact that I am selling hosting, selling hosting alone proved to be much more headache then doing what I do now) it kind of raises the suspicion. Well, I though, this could be some poor kid trying to get his CS clan up (all “client” e-mails were same), so I went to examine the transaction details.
All of them were – of course – from totally different people, living in totally different places. So that rules out mom and dad’s cards. Next step – the IP addresses, it turned out to be from Amsterdam, Netherlands. Right, that’s where most Americans live and that’s where they conduct their business from. Smoking pot and buying cheapest web hosting plan that was pretty much there for sorting out spammers and scammers… Third sign was that transaction came in every two minutes, which looked like the guy had all the credit cards in front of him. Quite unlikely… I mean you see the six-dollar transaction gets declined you would first get angry and then go after next card… but not so here.
All this leaded me to shut down automatic payment processing. After all, I don’t think now that I have valuable clients on server it would be a good idea to let some greedy kid run his stolen credit cards through my gateway, as well as having constant disputes with stupid PayPal people… but that’s whole another story.

Tonight someone was trying 4 different credit cards on my merchant account. Different names, different numbers, although single IP (vietnamese), same e-mail address and same amount – $150. Interesting, now I know what carders think is a safe amount to check the card with.

Don’t you just love people who are about to social engineer you having no skills and being very stupid? I mean – everyone can fall for a lier if he’s good at it, but some morons lack brains and talent, yet they try to persuade you they’re legit.

Here’s this guy how have been on and off sending me “hello” and “hi” and “can I ask you a question” over and over. Didn’t seem like he needed an answer, so I didn’t mind. I get that a lot.

So yesterday at night he finally managed to talk to me. He asks if he can get a free hosting account. I suggest that he sends the letter through the web form so we can review it. So he does, but it’s not a paid account and it’s 3:12am on a clock, so I decide to look at his letter next day (i.e. today).

Which I certainly did, paid or not, he’s a potential client, so I must pay him due respect unless proven that he’s a fraud. So I went to all his web sites that he sited in his e-mail. First one was empty folder (not even index.html) on something like 1234.net.ru This triggered the alarm, since as far as I know .ru zone belongs to Russia and people there prefer to use free hosting resources of their own country (it has to do with providers paying for traffic from abroad – long story). Then there was a passage that I simply loved. The large red siren blared over my head “Social engineering shmuck is on the way!”. It was so hilarious, I can’ thelp but cite it all here – for all the people who read this. This is dumb!

“And my current website is http://*****.info

I will upload great templates and images to the good hosting and I wish you could wise enough to reply me.”

I went to this site, that had some unspeakable bunch of letters .info. Given that you can get a .info domain for free these days, it didn’t really raised the caution, but added to the suspicion. There was an empty forum about some music, with approximately ten posts total. I thought – yeah, I can set up something like this in 10 minutes. And since it’s already set up – why would you need another hosting? But nevertheless, I kept looking.

At this time the guy went on IM again and accused me of lying on my web site. He said he went to other resource that lists free hostings and there is no feedback about us. My response was that a) we just started offering free hosting less then a month ago and b) he didn’t try us to say we’re lying. I also added that most of people who contacted us wanted to host for free because they were planning to set up illegal download sites. “I would never do that“- he said. Riiight. “If you were a good hoster,YOu may replyed my 2 letters and told me my application was denited,But you never did” - he said. Ah, here comes the mask of “almost angry customer”. At this point I was almost sure that he’s a fraud, given that his info from the e-mail listed “Address: BEijing Normal University,ZHuhai Campus,Uk“… Not sure about Zhuhai, but I doubt the Beijing is in UK… Then there was one last check. I went to whois info to see who owns the .info domain the guy wanted to use. Surprise!

Domain ID:D7724977-LRMS

Domain Name:******.INFO

Created On:12-Oct-2004 02:59:11 UTC

Last Updated On:15-Oct-2004 03:14:10 UTC

Expiration Date:12-Oct-2005 02:59:11 UTC

Sponsoring Registrar:R183-LRMS

Status:ACTIVE

Status:OK

Registrant ID:C6823054-LRMS

Registrant Name:dsfs

Registrant Organization:fs adfsa

Registrant Street1:d fsa

Registrant City:fsd

Registrant State/Province:sdf sd

Registrant Postal Code:24234

Registrant Country:VC

Registrant Phone:+1.24234

Registrant FAX:+1.23424

Registrant Email: hotadv@yahoo.com.cn

Given that the TLD .cn belongs to China, I know no respectable asian person would agree to name dsfs. I suggested that the person should look elsewhere, which he did, eventually, making it look like he was dissatisfied. Ofcourse he was, since his lies got exposed.

Having thought it all through, I think the subject of online credit card fraud deserves the specially written article. But before jumping the water, I think it would be worth to at least try to gather as much information as possible. So I set up a small survey, which I ask anyone who reads this blog to participate in. There are only 12 questions and it doesn’t take more then 5 minutes to fill out.

Here’s the URL:<deprecated>

Please, do not fill it more then once.

Thank you.

Yeah, the election day is tomorrow and nobody seem to care about anything anymore. Personally I’d like to see someone else winning then some Texan cheater, but hey, that’s not even up to me.

During this weekend talked to some other folk to see if I was right about the attitude I was getting from the Russian guys and was totally supported. Nice to see the business is not only about making money, but also about making a good impression.

Strange thing about other guys who bid on my project. Where it clearly states that the budget is fixed, they nevertheless put their own price on things. Fun part is they feel discriminated when I tell them I have a budget. Cheapskates.

Some teams are so anxious to get the job, once they get my e-mail, they started sending me their ideas on the web site WITHOUT EVEN HAVING THE SPECS! That’s funny, because if I don’t like their ideas I’ll turn to others and they don’t even want to have a chance to look at what I, as a client, may want. This activity looks like premature ejaculation of some sort. C’mon, guys, save it for a proper moment. You’d please much more then.

Continuing on a subject of carding. I have bookmarked the carders’ web site last year. Yesterday went to it – it’s still up and perfectly running. Either web hosters who keep the site on their servers couldn’t care less or there’s some major twist in people’s minds that I totally missed. I mean – no matter what they tell you about not paying by stolen cards you may as well be their next victim. Not sure if banks would go for this, but I have a plan. It sort of like hiring ex-hackers to harden security that they themselves had breached. Instead of paying high insurance premiums and reimbursements, why not secretly purchase all those stolen credit card numbers and silently alter the accounts affected. It would cost much cheaper then making up for it, at least from my prospective. It would also give banks the edge on alerting insecure vendors that they have security flaws. All in all it would benefit both consumers and banks. If any bank wants to implement such a security measure I’ll be happy to do the research for them.

After some thought-sharing with friends, I’ve got some links to visit and some things to read. Results were petrifying, to say the least. It’s not like it’s the end of the world, but it does raise the concern of outsourcing in a whole.

The web forum I had a chance to visit (no url here for obvious reasons) is dedicated to carding. You don’t know what this is? Oh, that’s easy – carding is when you open your monthly statement honestly believing that you’ve paid off this credit card last month and then – mwa-ha-ha (aka evil laughter) you see that you have spent quite some money ordering stuff you had no idea about and that goods were shipped somewhere you also have no idea of. That’s it, you just have been carded. Meaning – your credit card’s number have been stolen by someone else and all the money used for ordering some goods that were shipped across the country.

But how is this possible? – you might want to ask. And here’s where the concern arises. Some credit card numbers are stolen by bad guys who invade large companies, steal large amounts of numbers. Banks usually are aware of this, take charge and change your number and pin almost immediately. This is bad for the banks, but simply an inconviniece for you.

What’s worse – is when numbers are stolen from small merchants. The following example is actually a real-world example that I have found on the above mentioned forum. No names were given, so unfortunately I cannot warn the owners of the card or other people who might be affected. The credit card information that was stolen included credit card numbers, CVV2 codes, billing addresses, phone numbers – pretty much all the information you need to make an order on an merchant web site. The interesting thing is – how it got stolen. It was not from a security breach (which would be understandable), however it was from the scripts that were developed by outsourcing vendor. Apparently someone didn’t review the code after it was submitted by programmers from Russia. The trick is that some vendors keep the credit card information in their databases (God knows why). So, when user pays for service or goods the credit card info gets submitted to the database. The programmer only had to make one additional PHP line that e-mails him same data that gets transmitted to the merchant’s credit card processor. This way the process of stealing credit cards gets automated…

Back from article mode. When I outsource things there are two requests that must be met. First – I must see the source code. Second – I myself will install all the scripts. This usually weeds out those, who wish to plant their “seeds of evil” in otherwise perfectly working scripts (and they must work properly, because otherwise the owner or clients would suspect the problem). Ofcourse it doesn’t totally guarantee the security, but it assures at least some additional level of protection for customers.

On the other hand – there’s no way that owner of the store can protect himself from the chargeback if someone makes a purchase with a stolen credit card. Unfortunately…