Drapetomaniac

When George Clooney was admitted to a hospital recently, several medical professionals took a peek at his records for curiosity sake.The workers were suspended for a month, but both Clooney and the hospital union say that the punishment was too harsh. Mind you, they could face jail time for the federal crime they committed, but suspensions are too harsh.

The ethical problems alone are a cause for concern, but this is also a clear violation of the law. Clooney’s statement was, “while I very much believe in a patient’s right to privacy, I would hope that this could be settled without suspending medical workers.” The best thing for people who violate ethical situations is when the victim who spends very little time considering such matters excuses it.

The bigger problem is the union. This is an established organization that is basically forming a thin blue line in the face of criminal activity. At least the hospital is on record

These folks have been suspended

I’ve learned Spanish for heritage reasons, Portuguese for recreational reasons and have recently started learning Arabic to learn a non-western language with a lot of ties to the languages I’ve already started to learn.

In early interface testing, I would always type in my name with the accented -xC3xA1- in order to see if whatever field I was typing in had a weak interface. Often times the program would GPF and would break and other times the letter would get mangled.

Luckily, over the years as the market depended more on non-English speakers, these interface problems started to disappear. I always watch for services that deliver multiple language interfaces and how they perform in that field.

Google has had a decent run at language accomodation although I thought for their capital and reach was still slow.

While following recent language news I found Google encouraging people to explore their growing language features, including changing the entire interface to another language.

I actually do this every once in a while to force myself to language practice a language.

However, google doesn’t warn you to be proficient in a language. They say in their entry, “Hyperpolyglotic Gmail“, “If you’re multilingual, feeling adventurous, or if you just want to test how well you know the Gmail user interface, try changing your account language settings.”

My favorite part is the warnign, “Sound a little risky? Don’t worry – it’s easy.” Remember that the next time you’re doing something dangerous. “Sound a little risky? Don’t worry – it’s easy.” Walking on the outer edge of a bridge? “Sound a little risky? Don’t worry – it’s easy.” It’s as comical as it is bizarre.

Seeing if they had a safeguard in place, I changed my interface to Arabic. Something I really not proficient in. There was no warning, or timed function to revert it back, or any other function to make it “easy” to undo your risk. Luckily, I familiar enough with the interface to change the language back, but it wasn’t immediately at my disposal. There wasn’t a link on the page back to the language settings after I changed the language. I had to follow the links deep back into account settings.

If anyone ever offers the advice, “Sound a little risky? Don’t worry – it’s easy – think twice. Google offers advice that probably provided a usability denial of service to at least a handful of their blog readers.

The Better Business Bureau says that for the first time in their history, they serviced over100 million service requests. Unfortunately, a large portion of service requests appear to be accessible online. When you make an online complaint with the BBB, the following information is kept:

• Complaint filed by:
• Complaint filed against:
• Complaint status:
• Case Description:
• Category:
• Case opened date:
• Case closed date:
• Desired Resolution:

The name and full contact information of the business and consumer, along with a full description of the business transaction, possibly including account numbers or doctors name and care.One of the primary problems is that the BBB sends out email updates and asks that people correspond by clicking on a vaguely obfuscated url. No password and user name is required. And because the e-mail is html rich text, the user doesn”t know what web site they”re visiting. But don worry, because it’’s not a BBB domain, but rather a sub-domain of their vendor.For someone wanting to commit fraud, this is a gold mine. Criminals need an element of trust and to take advantage and knowing a complete back story and/or vendor gives the perfect opportunity. Add the BBB brand to the fraudulent pitch and people are more likely to default to trust in the new e-mail.Here is a brief time line showing how this information leak might have been used:

• February 2007 – BBB Warns of widespread Phishing
• May 2007 – 1400 Executives *infected* with a highly targeted trojan
• June 2007 – More widespread phishing
• August 2007 – BBB receives e-mails explaining they are violating their privacy policy and possibly HIPAA when it involves medical care
• Sept 2007 – More widespread phishing

It’’s possible the major leak has nothing to the widespread phishing or the target phishing attacks where the criminal likely knew the executive would trust the BBB link.But let’’s look at how easy it is to download a massive number of complaint records.To get the initial url, file an online complaint or Google:
“BBB CASE” “DAY PHONE”

This will bring up about 100 cases. Not a lot at first. You might even notice the urls are slightly secure.subdomain.vendor.com/complaint/view/########/c/zh9nf9

The last digits zh9nf9, are required to access the url. It’’s difficult, but not impossible. What you can do easily is change the ######### to a number higher or lower to get to the next case.

However, there are handy links for downloading the entire complaint as rtf. That link looks more like:
subdomain.vendor.com/merge.php?
title=Download%20Complaint%20Form.cf.rtf
&bid=2396295
&cid=#######

Once you have one of those links, someone can write a simple script to increase and/or decrease the number and download as many records as they want. And they get a new population for every BBB server they find.

I found this simply by being an observant consumer and watching how my vendor was handling my data. Since the Better Business Bureau hasn”t responded for almost two months, at least consumers can make a choice, as opposed to the organization making the choice, about whether or not they want to continue entering data or want to address the information out there already.