This year marks the second decennial census since widespread use of the internet began in the 1990′s. The bulk of census activity takes place during the time when people are traditionally preparing taxes and vying for an infusion of cash  from their tax return.  The evil peoples of the interwebs will be out in force to take advantage of  the under-informed.

Keep these simple rules in mind:

• No one from the IRS or the Census bureau will ever email you about your taxes or the Census. Ever.
• No one from the IRS or the Census bureau will call you and ask for your address, social security number, and bank account information. Ever.
• No one from the IRS or the Census bureau will ask for money, a donation, passwords, or pin numbers over the phone or via email. Ever.

If you get a phone call from the IRS and do not feel comfortable with the questions they ask to identify you, the real IRS is always willing to accept a callback. Their phone number is 1-800-829-1040 (800-TAX-1040). Doing this callback will (almost) always ensure you are talking to the IRS.

This is a good rule of thumb for any unsolicited phone call. If the questioning or “verification process” makes you feel uncomfortable or involves revealing sensitive information such as a mother’s maiden name, social security number, driver’s license number, bank information, or credit information, get a callback name and number. Anyone can spoof an outgoing phone number, so caller id is no protection here. In the case of official agencies, it’s fairly easy to verify the listed phone number before making the callback, and legitimate businesses will never try to goad you into giving information.

If you are struggling with confrontation, all legitimate businesses will also be willing to conduct business via mail. Specifically in cases of debt collection or IRS matters, request the correspondence be provided via US mail instead of the telephone. Legitimate agencies will comply with this request, anyone who doesn’t you can safely hang up on.

Further Reading:
Census on Scams
IRS on Scams

Microsoft SQL Server

Microsoft announced a new security vulnerability affecting almost the entire Microsoft SQL Server product line. The warning verifies a vulnerability allowing remote code execution on systems running:

• Microsoft SQL Server 2000
• Microsoft SQL Server 2005
• Microsoft SQL Server 2005 Express Edition
• Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)
• Microsoft SQL Server 2000 Desktop Engine (WMSDE)
• and Windows Internal Database (WYukon)

Note: Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this vulnerability.

From the advisory:

Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time.

In addition, due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack. However, Microsoft is actively monitoring this situation to provide customer guidance as necessary.

…

Customers who believe that they have been attacked can obtain security support at Get security support and should contact the national law enforcement agency in their country. Customers in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at Internet Crime Complaint Center.

Microsoft recommends that all users keep Windows updated and apply Microsoft Security updates regularly.

The Wall Street Journal reports this morning the SEC (Securities and Exchange Commission) has filed Insider Trading charges against Mark Cuban. The charges reportedly stem from unloading shares of Mamma.com (after learning of a private offering funding).

The SEC believes that Cuban allegedly sold his 6% ownership just before a public announcement which saw shares of Mamma.com drop 10%. The sale of shares saved Cuban around $750k.

For more info, go directly to the source and read the Wall Street Journal’s post.

Mark Cuban is the owner of the Dallas Mavericks and Chairman of HDNet. Appropriately, his post recent blog post is titled, “I hate to lose.“

News.com (CNET.com for those who kick it old school) posted a great article about privacy, encryption, and security with instant messaging (“How safe is instant messaging? A security and privacy survey“). Not only did CNET.com make a nice, pretty chart of their findings, they actually talked to the most popular IM choices and some of the answers are really intriguing.

Among the many questions asked by CNET.com were:

• Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
• Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user’s IM account?
• If so, how many law enforcement requests have you received?
• Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users’ communications would be instantly forwarded to law enforcement?

The standard answer to these questions was the ol’ standard that communication with Law Enforcement is not discussed — aka, we fully comply. Skype though gets huge points from us for many reasons.

First, they don’t do the whole duck and cover non-answer answer. Skype actually answers a question completely and honestly. We love it! For example, when Skype was asked if they ever received subpoenas from law enforcement, they said:

Yes. We co-operate with law enforcement agencies as much as is legally and technically possible

They don’t say they won’t discuss these issues, they flat out say, BAM! We get a subpoena and we do whatever we can. An honest answer makes us trust a company a heck of a lot more than an evasive one.

Now, here’s the VoIP aspect. When asked if they had ever received a subpoena to wiretap or intercept communications, Skype said:

We have not received any subpoenas or court orders asking us to perform a live interception or wiretap of Skype-to-Skype communications. In any event, because of Skype’s peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request.

Wow. So, this means that by using peer-to-peer, skype conversations (according to skype at least) are made outside their control and not able to be trapped by their servers for interception. Skype has always claimed that calls and instant messages between skype users were encrypted using AES 256-bit encryption. 

Now, we should mention here, if you’re using Skype to call a regular POTS line, your calls will not be encrypted. This means they will be susceptible to wiretapping. 

The voip insider blog has a great article about Craigslist and VoIP.

Craigslist is using a calling system to help reduce their fraud. In a nutshell, basically they call you and give you a code. When you enter the code back into their website, they are happy and allow you to post on their website.

Well, the system they use to reduce fraud is automatically assuming numbers listed with VoIP carrier companies such as Level3 are fraud. Level3 happens to be one of the largest VoIP carriers in the world; handling traffic for almost every major VoIP company.

So, if you were happy with your new VoIP provider and ported your number, would Craigslist still assume you were a bad person?

With all of the people switching to VoIP service, we’re sure this oversight will be corrected shortly.