In Canada, there are two places to send a request to:

TransUnion – Send a letter with your information
Equifax – Fill out the form

This report from the Canadian privacy commissioner details a case that shows some of the rights that Canadians have about access to the information that banks use to make decisions about them.

Apologies to the non-Canadians in the crowd, if someone has information on the policies in other countries please let me know or post it and send a trackback.

(update: How to get a free credit report for Americans)

a

Geek News is the latest site to flip their lid. Parts of his comments below, because I think they point to why people don’t get it.

(you may also want to read StopScum, where I originally began my thoughts on the issue.

1st, I want a way to prevent your Autolink feature from creating your advertising links on my website.

AutoLink allows the user to get more information regarding items on a page. For instance, if an address is shown on a page, the user can click on the AutoLink button and it becomes a link to Google Maps, MapQuest, or Yahoo! maps, whichever the user chooses. A FedEx code gets changed to a link to FedEx’s tracking page. An ISBN gets changed to an Amazon link.

So, how do you prevent these links from happening?

First, provide the information the user is looking for in the first place. If the user is looking for a description of the book, they won’t use autolink if the information there already. Provide a link to a map of your building if you provide an address. If the user uses AutoLink to find this information then you have failed the user and don’t deserve the traffic.

Secondly, if you don’t want to let users use the AutoLink feature to get the information you are obviously failing to provide, make a link yourself. I’ve tested books and addresses — AutoLink will not override a link that’s already specified in the HTML.

2nd, if you are not going to give us a way to block Autolink I want you to pay me every time you cause traffic to leave my website by a reader clicking on one of your links not mine. Along with that I want independent auditing of those click aways.

Again, the user has made a choice. You failed to provide the information. The user clicked the autolink button and left.

3rd, I suspect that you may be violating my copyright and creative commons license. That will be up to a copyright lawyer to determine.

Do you make the same threats to people who run ad blockers? Blind people who have your page read to them through a text to speech converter? Users who override stylesheets? It’s all the same, since they all change the way the page is displayed.

As far as I’m concerned, the writer owns the content of the site, not the layout. HTML is simply markup. If you want absolute control of the web site then publish in PDF or print. If I, as a reader, choose to do things after the fact, then you have no cause to complain. Especially since in this case the page is only changed after the user clicks a button with the express purpose of getting more information.

a

I’m not worried about anything in particular, but identity theft has started to become more common place. I even know someone that this happened to and the results weren’t pretty. Furthermore, I just want to make sure that the information is current, as in the past couple of years I’ve bought and sold a house, and paid off loans.

So, I encourage everyone to request a copy of their credit report on March 15th (or thereabouts), and make sure everything is on the level.

In Canada, there are two places to send a request to:

TransUnion – Send a letter with your information
Equifax – Fill out the form

This report from the Canadian privacy commissioner details a case that shows some of the rights that Canadians have about access to the information that banks use to make decisions about them.

Apologies to the non-Canadians in the crowd, if someone has information on the policies in other countries please let me know or post it and send a trackback.

a


$ /usr/sbin/traceroute bell.ca
traceroute: Warning: bell.ca has multiple addresses; using 198.235.69.11
traceroute to bell.ca (198.235.69.11), 30 hops max, 38 byte packets
1 24.76.8.1 (24.76.8.1) 18.182 ms 24.737 ms 29.504 ms
2 rc2nr-ge3-0-1.wp.shawcable.net (64.59.179.3) 13.917 ms 11.477 ms 9.825 ms
3 rc1so-pos13-0.cg.shawcable.net (66.163.76.85) 24.159 ms 28.756 ms 28.183 ms
4 64.230.231.137 (64.230.231.137) 43.666 ms 96.202 ms 31.247 ms
5 bells-network-has-lots-of-security-holes-to-exploit.bell-nexxia. (206.108.101.137) 26.419 ms 41.213 ms 57.043 ms
6 bells-network-has-lots-of-security-holes-to-exploit.bell-nexxia. (206.108.97.97) 77.389 ms 152.741 ms 72.578 ms
7 64.230.242.194 (64.230.242.194) 262.986 ms 147.784 ms 82.894 ms
8 bells-network-has-lots-of-security-holes-to-exploit.bell-nexxia. (206.108.97.2) 163.480 ms 81.812 ms 83.038 ms
9 bells-network-has-lots-of-security-holes-to-exploit.bell-nexxia. (206.108.98.246) 91.211 ms 120.517 ms 82.995 ms
10 bells-network-has-lots-of-security-holes-to-exploit.bell-nexxia. (206.108.104.30) 91.331 ms 90.077 ms 105.208 ms


Checking out their name servers:


$ host -t ns 104.108.206.in-addr.arpa
104.108.206.in-addr.arpa name server taz.bell-nexxia.net.
104.108.206.in-addr.arpa name server pluto.bell-nexxia.net.


Taz accepts telnet from anywhere

$ telnet taz.bell-nexxia.net
Trying 216.113.193.252...
Connected to taz.bell-nexxia.net.
Escape character is '^]'.
^M
FreeBSD/i386 (rotting.deadmime.com) (ttyp2)

login: login:
telnet> close


It appears they are doing web hosting on the same box, too. http requests to the box get prompted for authentication for an admin screen. My money is on someone with a stupid password opened up the box to attack.

Trust a telco to do things the Wrong Way. Just another of the many reasons I don’t trust my provider with my mail or DNS.

a

First of all, the paper details some excellent troubleshooting, starting off with “something seems odd”, and getting down to sniffing networks and looking at processes. If nothing else, the paper is worth reading for that reason.

More importantly, it shows that spammers are using more complicated vectors than the traditional open relays, and that blacklists aren’t going to help. (It also shows that if you’re going to run any sort of server on the Internet, even for fun, take responsibility for it!)

I’ve read potential solutions, from a sender-pays strategy, to an all-out whitelist. I still believe that anything that limits the open nature of the Internet isn’t good.

I’m trying to think of a system based on trust, such as PGP’s Web of Trust. Most of the email that you get is from someone you know, or at least within a couple of degrees of freedom, right? I’m also thinking that for scaling purposes, and technological reasons, it should be done on the MTA level rather than the user level.

That’s about it for now. An email just arrived, someone named “NICOLA.BARIBEAU” apparently had a great time this weekend, I’d better give it my full attention.

a