<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7815407</id><updated>2011-04-21T14:50:14.430-07:00</updated><title type='text'>Online Issues</title><subtitle type='html'>Updates to the chapter from &lt;a href=http://www.amandawelsh.com&gt;The Identity Theft Protection Guide&lt;/a&gt; on the Internet. How being stupid about a virus can compromise national security (really). And what the latest is in an area where nothing stays the same for long.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://amandawelsh9.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>27</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7815407.post-113424665484044387</id><published>2005-12-10T12:28:00.000-08:00</published><updated>2005-12-10T12:32:18.993-08:00</updated><title type='text'>NSA gets patent on Internet tracking</title><content type='html'>Declan McCullagh of CNET has reported on a &lt;a 
href=http://news.com.com/NSA+granted+Net+location-tracking+patent/2100-7348_3-5875953.html&gt;patent recently granted to the NSA&lt;/a&gt; that allows it to map where someone might be accessing the Internet from.  The article describes the process this way: &lt;br /&gt;&lt;br /&gt;"The NSA's patent relies on measuring the latency, meaning the time lag between computers exchanging data, of 'numerous' locations on the Internet and building a 'network latency topology map.' Then, at least in theory, the Internet address to be identified can be looked up on the map by measuring how long it takes known computers to connect to the unknown one."&lt;br /&gt;&lt;br /&gt;It’s not really clear just how scary or helpful this tech is going to be. There are some limitations to the algorithm that the CNET article points out (dialup service users are tougher to find). In addition, other commercial companies are coming up with their own ideas for geo-location that they are selling to advertisers wanting to show geo-specific ads or credit card companies wanting another weapon in the fight against online shopping fraud.&lt;br /&gt;&lt;br /&gt;What’s notable is: &lt;br /&gt;&lt;br /&gt;1) that it is the National Security Agency that applied for the patent – since they don’t post that many ads online, we can only imagine what purpose the tech will be used for and &lt;br /&gt;&lt;br /&gt;2) that a government agency is getting a patent at all.  As Daniel Brookshier (A.K.A. 
Turbogeek) suggests in a post on p2pnet, the &lt;a href=http://www.eff.org/deeplinks/archives/003835.php&gt;government shouldn’t be patenting any technology&lt;/a&gt; that tax dollars have funded.&lt;br /&gt;&lt;br /&gt;The learning from all this for us average folks is that the business of tracking where we are continues to expand…&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-113424665484044387?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/113424665484044387'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/113424665484044387'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/12/nsa-gets-patent-on-internet-tracking.html' title='NSA gets patent on Internet tracking'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-112861613103469998</id><published>2005-10-06T09:03:00.000-07:00</published><updated>2005-11-18T11:02:46.650-08:00</updated><title type='text'>More Malware</title><content type='html'>Recent news suggests that the use of malicious spyware is on the rise…&lt;br /&gt;&lt;br /&gt;Security Vendor &lt;a href=http://www.aladdin.com&gt;Aladdin Knowledge Systems&lt;/a&gt; says 15% of spyware is successfully stealing passwords and logging keystrokes. &lt;br /&gt;&lt;br /&gt;The creator of a program marketed as &lt;a href=http://www.networkworld.com/news/2005/082905-loverspy.html &gt;a way to keep tabs on whether your significant other is being unfaithful&lt;/a&gt; has been convicted and is on the run.  In the three months before skipping out, he sold 1000 copies. 
&lt;br /&gt;&lt;br /&gt;Sunbelt Software has reported that it has &lt;a href=http://informationweek.com/story/showArticle.jhtml?articleID=168600805&gt;identified a keylogger&lt;/a&gt; that records password login information for up to 50,000 financial and bank sites.  The malware sent recorded info to a ring of identity thieves.  Victims unwittingly installed the software through downloads from selected porn and hacking sites, or simply by visiting such sites with older, unpatched versions of Windows.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-112861613103469998?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/112861613103469998'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/112861613103469998'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/10/more-malware.html' title='More Malware'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-112784253064497293</id><published>2005-09-27T10:32:00.000-07:00</published><updated>2005-09-27T10:35:30.653-07:00</updated><title type='text'>IM Phishing</title><content type='html'>Yahoo Instant Messenger users are being targeted with a &lt;a href=http://www.computerworld.com.au/index.php?id=1338548402&gt;new phishing scam&lt;/a&gt;.  Unsuspecting users are sent IMs (or emails) from someone claiming to be a friend who wants to share photos from a vacation or party.  &lt;br /&gt;&lt;br /&gt;By clicking on the link, message recipients are taken to a phishing site where they are asked to enter their user ID and password. 
However, following the fake login, users are automatically forwarded to the actual Yahoo Photos page where the phishers’ code completes the legitimate login behind the scenes.  In other words, it’s very difficult for users to know that they have done anything wrong because the end result appears completely legit.&lt;br /&gt;&lt;br /&gt;As phishing attacks get more sophisticated, the basic common-sense rules still apply: &lt;br /&gt; &lt;br /&gt;Don’t click on emails that come from an unknown source or are unexpected.  If you know the sender, double-check with them first.  If you don’t know the sender, hit delete.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-112784253064497293?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/112784253064497293'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/112784253064497293'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/09/im-phishing.html' title='IM Phishing'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-112033407581854281</id><published>2005-07-02T12:53:00.000-07:00</published><updated>2005-07-02T12:54:35.820-07:00</updated><title type='text'>Another source for Spam</title><content type='html'>In a discussion of various ways to spy on someone else’s computer in my April newsletter, I talked about how you might check in on what files someone had shared over a P2P network.  A surprising number of folks don’t restrict what is shared – some even make their entire hard drive available. 
&lt;br /&gt;&lt;br /&gt;Turns out, spammers are taking advantage of exactly the same thing - except they are focused on mining for email addresses.  They connect to computers on file sharing networks and search the shared files hoping to find anything labeled “email” or “Outlook” in addition to the owner’s collection of underground Electronica.&lt;br /&gt;&lt;br /&gt;Case in point: Blue Security, an anti-spam company, tried a little experiment.  They set up 500 new email accounts, listed the addresses in a file which they put in the shared directory on a PC connected to the Gnutella and eDonkey 2000 file sharing networks.  Within a single day, the addresses began getting bombarded.  These new and heretofore unused accounts were getting 100+ messages per day.&lt;br /&gt;&lt;br /&gt;If you are on a P2P network, be warned.  If you send email to anyone on such a network, there isn’t a whole lot you can do but hope.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-112033407581854281?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/112033407581854281'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/112033407581854281'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/07/another-source-for-spam.html' title='Another source for Spam'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-112033366317492568</id><published>2005-07-02T12:45:00.000-07:00</published><updated>2005-07-02T12:47:43.180-07:00</updated><title type='text'>"Shred" Your Hard Drives</title><content type='html'>A German 
data recovery company did a fun experiment: it bought 200 hard drives on eBay to see what it could find on them.  What it got was a treasure trove: 70% contained sensitive or personal data.  They found 40,000 Word documents, 15,000 Excel spreadsheets and about 50 complete email inboxes.&lt;br /&gt;&lt;br /&gt;Information included marriage documents, scanned credit cards, performance evaluations and – in the most egregious example – credit ratings from a bank’s old computer.&lt;br /&gt;&lt;br /&gt;Before disposing of your hard drive, think the way you think about bills you throw away.  Don't just dump it.  Erase and reformat the drive first.&lt;br /&gt;&lt;br /&gt;Here's a similar version of the same story:&lt;br /&gt;&lt;br /&gt;In Denver, a woman went to Circuit City to buy a new computer.  At the same time, she brought in her old computer and asked the staff to transfer the contents from old to new.  They did so by first copying the content of her computer onto a floor model as an intermediary.  Unfortunately, the staff never erased the files on the floor model and it was sold a few days later. The computer’s new owner called the woman and told her all about it.&lt;br /&gt;&lt;br /&gt;The woman is suing Circuit City, but the company defends its actions saying that they “were under no legal obligation to protect her privacy since she did not specifically ask for protection.”  It is unlikely the case will get to court so we probably won’t get a read on the strength of an argument like Circuit City's.  But the tale is a cautionary one.  Too many people are unaware of the dangers in an information-driven society.  
If you don’t demand fair and safe treatment, you are unlikely to get it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-112033366317492568?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/112033366317492568'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/112033366317492568'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/07/shred-your-hard-drives.html' title='&quot;Shred&quot; Your Hard Drives'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-111869261348705675</id><published>2005-06-13T12:56:00.000-07:00</published><updated>2005-06-13T12:56:53.493-07:00</updated><title type='text'>Phishers using Better Bait</title><content type='html'>In a recent newsletter, I talked about hosts file hijacking, where phishers try to overwrite a critical file on your PC to redirect you to fake but real-looking versions of websites you normally visit.  That sounded bad enough.  Recent reports suggest that phishers have added a new, even scarier trick to their arsenal.  &lt;br /&gt;&lt;br /&gt;&lt;a href=http://news.com.com/New+phishing+attack+uses+real+ID+hooks/2100-7349_3-5706305.html&gt;c|Net reports&lt;/a&gt; that a security firm named Cyota has uncovered a scheme in which phishers buy information on bank customers on the black market and then use that information to send personalized emails with correct account details to their unwitting victims.  
This form of targeted phishing makes detecting a false communication even more difficult because some of your biggest clues (lack of a personal greeting or only a generic reference to your account) are missing.&lt;br /&gt;&lt;br /&gt;Remember, no bank will ask for your account information online.  If you get an email that makes you think something is up, the safest bet these days is to pick up the phone.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-111869261348705675?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/111869261348705675'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/111869261348705675'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/06/phishers-using-better-bait.html' title='Phishers using Better Bait'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-111490244956076122</id><published>2005-04-30T16:03:00.000-07:00</published><updated>2005-04-30T16:07:29.563-07:00</updated><title type='text'>More on Desktop Search</title><content type='html'>&lt;a href=http://www.registerguard.com/news/ 2005/04/24/f3.bz.techtest.0424.html&gt;Nice article from Anick Jesdanun (Associated Press)&lt;/a&gt; evaluating three different desktop search programs.  Yahoo, Microsoft and Google have all created tools to allow you to search absolutely everything on your computer – from what you think you saved there to that mysterious data trail your computer collects automatically.  
Using these programs, you can find – among other things - documents and email, webpages you surfed past oh so quickly and even IM conversations. The result is pretty powerful.  &lt;br /&gt;&lt;br /&gt;On the other hand, used incorrectly, desktop search could offer someone else some pretty invasive profiling.  As noted in a post &lt;a href=http://amandawelsh9.blogspot.com/2004_10_01_amandawelsh9_archive.html&gt;last October&lt;/a&gt;, Google promises not to tie your desktop search info to your activity at their website.  Amazon, which launched a similar product called A9, doesn’t offer the same reassurance.&lt;br /&gt;&lt;br /&gt;Still another danger with desktop search is noted in a recent writeup in &lt;a href=http://www.usatoday.com/tech/products/software/2005-03-28-web-search-review_x.htm&gt;USA Today&lt;/a&gt; which includes a discussion of how these tools can increase the dangers from hacking.&lt;br /&gt;&lt;br /&gt;If you’re interested in a good desktop search tool, it is a good idea to make sure you know what you’re getting first. 
For a comprehensive comparison of your options, check out &lt;a href=http://www.goebelgroup.com/desktopmatrix.htm&gt;the Goebel Group’s matrix&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-111490244956076122?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/111490244956076122'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/111490244956076122'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/04/more-on-desktop-search.html' title='More on Desktop Search'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-111490219845503573</id><published>2005-04-30T16:01:00.000-07:00</published><updated>2005-04-30T16:03:18.456-07:00</updated><title type='text'>Player Privacy</title><content type='html'>In researching how webcams can be commandeered without your knowledge, I came across a very interesting &lt;a href=http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html&gt;webpage on the Flash site&lt;/a&gt;.  Turns out Flash can be pinged for a number of different reasons either to store or retrieve information on you - unless you tell it not to.  
If you use Flash more than once in a blue moon, or if you have a webcam that you don't want turned against you, it’s worth reading this page for instructions on how to do just that...&lt;br /&gt;&lt;br /&gt;For Microsoft fans who use Windows Media Player, this &lt;a href=http://www.microsoft.com/windows/windowsmedia/privacy/9splayer.aspx&gt;privacy page&lt;/a&gt; offers similar information that should interest you.  About.com’s Douglas Ludens steps you through finding and saying no to the question "Allow Internet sites to uniquely identify your player?" in &lt;a href=http://windows.about.com/library/tips/bltip558.htm&gt;this tip&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-111490219845503573?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/111490219845503573'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/111490219845503573'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/04/player-privacy.html' title='Player Privacy'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-111401720357400613</id><published>2005-04-21T18:13:00.000-07:00</published><updated>2005-04-21T18:19:38.986-07:00</updated><title type='text'>Safe Sites</title><content type='html'>In the midst of what seems like an endless stream of stories about how companies are compromising our personal data, no one in the business watchdog community seems to be defining a mechanism to inform consumers of what companies are doing a better job of data protection than others. 
(I've suggested the Better Business Bureau or Truste develop a &lt;a href=http://amandawelsh.blogspot.com/2005_02_01_amandawelsh_archive.html&gt;certification program&lt;/a&gt;.)&lt;br /&gt;&lt;br /&gt;Feeling the same frustration, Jay Cline has published a nice summary in &lt;a href=http://www.computerworld.com&gt;Computerworld&lt;/a&gt; with his own thoughts on how to evaluate the likelihood that your data will be protected by websites that you visit.  According to Cline, the safest sites come from technology and financial companies.  The top five were: Verizon, Hewlett-Packard, Microsoft, eBay and Apple.  &lt;a href=http://www.computerworld.com/developmenttopics/websitemgmt/story/0,10801,100946,00.html?source=x259&gt;See the full list&lt;/a&gt;, as well as an explanation of Cline’s criteria.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-111401720357400613?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/111401720357400613'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/111401720357400613'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/04/safe-sites.html' title='Safe Sites'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-111384756119284774</id><published>2005-04-18T11:04:00.000-07:00</published><updated>2005-04-18T11:06:01.193-07:00</updated><title type='text'>Online Shopping</title><content type='html'>Amazon is feeling some heat over a new technology which &lt;a href=http://www.msnbc.com/id/7295369/&gt;tracks who you use the website to send gifts to&lt;/a&gt;.  
Be warned that you may be giving your loved ones more than a book.  You may be giving them a profile on Amazon.  Critically, this might include youngsters that Amazon couldn’t legally collect information from directly.&lt;br /&gt;&lt;br /&gt;Some have raised concerns about how Amazon is amassing lots of different data on people - through its &lt;a href=http://www.a9.com&gt;A9 search engine&lt;/a&gt;, &lt;a href=http://www.43things.com/&gt;43 Things&lt;/a&gt; and of course, your browsing and purchase history on its own site - in its mission to turn you into the perfect shopper, unable to resist its enticingly accurate pitches…&lt;br /&gt;&lt;br /&gt;And those folks might be right.  Here is an artful and chilling take on what happens once Amazon hooks up with another information megalith, Google: &lt;a href=http://epic.chalksidewalk.com/&gt;EPIC&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-111384756119284774?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/111384756119284774'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/111384756119284774'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/04/online-shopping.html' title='Online Shopping'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-111103542178407311</id><published>2005-03-16T20:53:00.000-08:00</published><updated>2005-03-16T20:57:01.786-08:00</updated><title type='text'>Cookies are Child’s Play Compared to This</title><content type='html'>When we worry about online tracking, we talk a lot about 
how someone knows what websites we visit.  What we don’t talk about so much is how our computers can be used to film what we do.&lt;br /&gt;&lt;br /&gt;As many as 13% of American households have a webcam attached to their computer. Cameras each have IP addresses and if they are not placed behind firewalls, just like anything else with an IP address, they can be searched for and the images they capture accessed over the net.&lt;br /&gt;&lt;br /&gt;As &lt;a href="http://www.nytimes.com"&gt;Patrick di Justo reported in the New York Times&lt;/a&gt;, this was particularly problematic for a middle school in Tennessee which placed a webcam in a girls' locker room.  The cam was not behind a firewall and images of the young women disrobing were apparently accessed by unknown hackers…although the skill required to get at the images hardly warrants the term 'hacker'.  &lt;br /&gt;&lt;br /&gt;The truth these days is that for unexpected voyeurism opportunities, you don’t even need to know what an IP address is.  A quick search on “webcams” on any major search engine brings up lists and directories pointing to cams all over the world.  
Malls, parking lots, ski resorts, you name it and you too can get caught in an embarrassing moment for anyone loading a webpage to see.&lt;br /&gt;&lt;br /&gt;The Tennessee school case is in court now.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-111103542178407311?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/111103542178407311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/111103542178407311'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/03/cookies-are-childs-play-compared-to.html' title='Cookies are Child’s Play Compared to This'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-110788524520483124</id><published>2005-02-08T09:50:00.000-08:00</published><updated>2005-02-08T09:54:05.203-08:00</updated><title type='text'>FollowUp to Host File Hijacking</title><content type='html'>More info on the new threat of host file hijacking as a followup to this month's newsletter (also posted below):&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.anonymizer.com/phishing/"&gt;Anonymizer&lt;/a&gt; has just announced a product specifically designed to combat this problem.  
Their website also offers more detail on how host file hijacking can occur and links to a handful of articles on phishing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-110788524520483124?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/110788524520483124'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/110788524520483124'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/02/followup-to-host-file-hijacking.html' title='FollowUp to Host File Hijacking'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-110780653733243041</id><published>2005-02-07T11:56:00.000-08:00</published><updated>2005-05-19T09:19:22.470-07:00</updated><title type='text'>Can spyware sabotage my online shopping?</title><content type='html'>(excerpted from the &lt;a href="http://www.amandawelsh.com/newsletters/newsletter2.html"&gt;February issue&lt;/a&gt; of my newsletter)&lt;br /&gt;&lt;br /&gt;Spyware is a catch-all term for a variety of software products that do everything from serve popup ads to log your keystrokes. Some spyware is included with commercial software to tell developers about bugs - or, as &lt;a href="http://www.zdnet.com.au/news/security/0,2000061744,39167248,00.htm"&gt;HP has recently admitted&lt;/a&gt;, to report on how you use your computer.  
You might inadvertently install spyware when you download freeware, when you click on a link in a spam email or when you visit a malicious site designed to infect vulnerable computers (rarer, but it does happen).&lt;br /&gt;&lt;br /&gt;Since early last year, &lt;a href="http://www.earthlink.net/spyaudit/press"&gt;Earthlink&lt;/a&gt; (in conjunction with Webroot) has scanned approximately 3.2 million PCs and found roughly 83.4 million spyware programs - or 26 spy programs per PC. That's a lot.  To see how you stack up, you can try Webroot's &lt;a href="http://www.webroot.com/services/spyaudit_03.htm"&gt;free spyware audit.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Until now, despite the scary-sounding name and ample reporting in computer magazines, spyware on individual computers has mostly been about showing popup ads. Your online shopping excursions may have gotten bogged down, but they've been perfectly safe. A very, very small fraction of the spyware found on computers like yours and mine - less than 1 percent - is the truly nasty kind designed to steal our credit card numbers or other data.&lt;br /&gt;&lt;br /&gt;Unfortunately, nothing in technology stays the same for very long and there have been recent, sporadic &lt;a href="http://story.news.yahoo.com/news?tmpl=story2&amp;u=/nm/20050119/wr_nm/tech_phishing_dc"&gt;reports&lt;/a&gt; of a &lt;a href="http://www.infoworld.com//article/05/01/21/04FEphishing_1.htm"&gt;new and very nasty type&lt;/a&gt; of spyware which could not only put a damper on your online shopping but scupper your online banking and bill paying, as well.&lt;br /&gt;&lt;br /&gt;Security companies, such as &lt;a href="http://www.messagelabs.com/news/pressreleases/detail/default.asp?contentItemId=1229&amp;region"&gt;MessageLabs&lt;/a&gt;, have reported intercepting emails that contain a program designed to alter the "hosts" file on your PC, which associates a website's URL with the numerical IP address actually used to find the right website.  
This new spyware overwrites key IP addresses and tricks your browser into connecting you to sites controlled by crooks. If the fake sites are good enough, you may never know that typing in www.mybank.com is actually taking you to a site in Brazil. What's worse, simply opening the email is enough to infect your machine. &lt;br /&gt;&lt;br /&gt;Scared yet? Okay, here's what you do. Because Microsoft products are used by the biggest chunk of Internet surfers, Windows and Outlook and Internet Explorer are typically the target for any malicious code. Crooks want the best odds of catching victims. Writing code that compromises non-Microsoft products simply doesn't offer the biggest bang for the buck which is probably why hosts file hijacking has only been documented against Microsoft software so far.  If you're not already infected, your simplest solution may be to get a Mac or at least install and use a non-Microsoft browser and email program like &lt;a href="http://www.mozilla.org/products/firefox/"&gt;Firefox&lt;/a&gt;.  About 5% of Internet surfers appear to have switched to Firefox already.&lt;br /&gt;&lt;br /&gt;If you want to keep your current Microsoft setup, the best protection against this problem - and others almost assured to morph out of it - is to keep your software products up to date (&lt;a href="http://www.microsoft.com"&gt;get patches&lt;/a&gt;) and install and use a decent anti-spyware program.  
Some of these programs even allow you to lock your Hosts file or monitor it for changes: &lt;a href="http://www.winpatrol.com/"&gt;WinPatrol&lt;/a&gt;;&lt;br /&gt;&lt;a href="http://www.mvps.org/winhelp2002/unwanted.htm"&gt;SpyBot - Search &amp; Destroy&lt;/a&gt;; and &lt;a href="http://www.microsoft.com/athome/security/spyware/software/default.mspx"&gt;Microsoft Windows XP AntiSpyware&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Whatever you do, be warned: all indications are that this is the year that spyware will turn from a nuisance into a nightmare.&lt;br /&gt;&lt;br /&gt;NEXT ISSUE: How to find the black box in your car that tracks your driving.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-110780653733243041?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/110780653733243041'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/110780653733243041'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/02/can-spyware-sabotage-my-online.html' title='Can spyware sabotage my online shopping?'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-110780560996827272</id><published>2005-02-07T11:46:00.000-08:00</published><updated>2005-02-07T11:46:49.966-08:00</updated><title type='text'>Subpoenadefense.org – you never know when you might need it</title><content type='html'>We all know that what we do online can be tracked.  And we’ve watched as Internet Service Providers have battled court requests for customer information when tracking showed that that customer might have done something wrong.  
Most notably, the Recording Industry Association of America has been trying to identify suspected music file sharers.&lt;br /&gt;&lt;br /&gt;The U.S. District Court in Pennsylvania has issued a ruling that cleans up the situation a little: before an ISP can release customer information, that ISP must first inform the suspected wrongdoer and offer him the chance to fight the charges.  The court offered a sample notice that included a list of resources available to the target.&lt;br /&gt;&lt;br /&gt;One of those resources is &lt;a href="Http://www.subpoenadefense.org"&gt;subpoenadefense.org&lt;/a&gt;.  In today’s world, where anyone can be sued and records on what we all do exist everywhere, this URL might be a good one to remember indeed.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-110780560996827272?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/110780560996827272'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/110780560996827272'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2005/02/subpoenadefenseorg-you-never-know-when.html' title='Subpoenadefense.org – you never know when you might need it'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-110407555136857021</id><published>2004-12-26T07:38:00.000-08:00</published><updated>2004-12-26T07:39:11.366-08:00</updated><title type='text'>Websurfing Profiles Redux</title><content type='html'>In the chapter on Internet issues, I talk about how your online behavior can be tracked, especially through an ad 
network like DoubleClick.  Now there is a new network we should keep an eye on. &lt;br /&gt;&lt;br /&gt;Tacoda, a New York based company, has just announced the creation of a new network – currently including 60 of the biggest websites that touch about 75% of Internet surfers.  This network will track the surfing behavior of each computer as it moves among sites in its network and display ads that are thought to be of interest based on what you are doing.  &lt;br /&gt;&lt;br /&gt;The key difference between what DoubleClick was doing and Tacoda’s approach is that the new company neither collects nor shares any personally identifying data.  Only what sites your computer has visited.  This sounds like a great balance between devising a system that can tailor content without creating a massive profiling opportunity that might be misused.  Any of the 60 sites who DO track personal information – by asking you to register for site content, for example – are currently unable to tie that data to the surfing history collected by Tacoda and Tacoda has stated that it will not allow this to happen.  &lt;br /&gt;&lt;br /&gt;Good enough for now. But worth keeping an eye on.  &lt;br /&gt;&lt;br /&gt;For more information on what sites have signed up to be a part of the Tacoda network, visit the &lt;a href=http://www.tacoda.com/customers.htm&gt;Tacoda customer page&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-110407555136857021?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/110407555136857021'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/110407555136857021'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2004/12/websurfing-profiles-redux.html' title='Websurfing Profiles Redux'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-109692575500200415</id><published>2004-11-15T14:17:00.000-08:00</published><updated>2004-11-22T14:54:09.916-08:00</updated><title type='text'>California Defines Spyware</title><content type='html'>On January 1, 2005, spyware will become illegal in California. The Consumer Protection Against Computer Spyware Act, signed last month, officially makes it illegal to install software on someone else's computer to track what they type and what sites they visit or to read their hard drive.  The U.S. House and Senate are working on a similar law for the Federal level.&lt;br /&gt;&lt;br /&gt;Downloading unwanted programs to unwitting computers has been a relatively benign, albeit irritating phenomenon. Until now, these unwanted programs have mostly been about showing popup ads. The California law effectively distinguishes this type of adware from the more "intentionally deceptive" spyware programs and doesn't stop companies from downloading adware...as long as you give your permission.
&lt;br /&gt;&lt;br /&gt;Since the beginning of the year, the ISP Earthlink (in conjunction with Webroot) has scanned approximately 2.1 million PC's and found roughly 54.8 million adware and spyware programs – or 26.5 programs per PC.  Of this dauntingly huge number, a small fraction - a little more than 1 percent  - were the truly nasty kind of spyware.  Somewhat reassuring. The potentially scary news is that in raw terms, the number of trojans found almost doubled from a scan in Q1 to Q2...so we may not have seen the worst yet.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-109692575500200415?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109692575500200415'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109692575500200415'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2004/11/california-defines-spyware.html' title='California Defines Spyware'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-109909263341542603</id><published>2004-10-29T16:14:00.000-07:00</published><updated>2004-10-29T16:30:33.416-07:00</updated><title type='text'>Reality Check</title><content type='html'>Quick!  Which of the following scenarios is most likely to happen to you?&lt;br /&gt;&lt;br /&gt;1) You will win the lottery.&lt;br /&gt;2) You will be audited by the IRS.&lt;br /&gt;3) You will be struck by lightning.&lt;br /&gt;4) You will be hit by a cyber attack.&lt;br /&gt;&lt;br /&gt;Ready for the answer?  
First, let's just take a moment to realize that although about 70% of respondents surveyed by the &lt;a href="http://www.staysafeonline.info/"&gt;National Cyber Security Alliance&lt;/a&gt; got the answer right, that still leaves a miserable 30% who are holding out for their Mega Million Winnings.&lt;br /&gt;&lt;br /&gt;1) Chances you will win the lottery...far less than 1%&lt;br /&gt;2) Chances you will be audited by the IRS...0.5%&lt;br /&gt;3) Chances you will be struck by lightning...far less than 1%&lt;br /&gt;4) Chances you will be hit by a cyber attack...70%&lt;br /&gt;&lt;br /&gt;The same study also scanned the computers of the 329 respondents.  While, according to the survey answers, only 6% thought they currently had a virus on their computer, the scan showed that fully 19% of them did. One machine was infected with a whopping 213 viruses!&lt;br /&gt;&lt;br /&gt;Use anti-virus software. Keep it updated. Really.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-109909263341542603?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109909263341542603'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109909263341542603'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2004/10/reality-check.html' title='Reality Check'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-109847536123901409</id><published>2004-10-22T13:57:00.000-07:00</published><updated>2005-04-30T13:16:27.773-07:00</updated><title type='text'>The Furor Over Desktop Search</title><content type='html'>There 
have been a number of articles lately either praising or damning Google's new desktop search tool. An &lt;a href="http://www.cnn.com/2004/TECH/ptech/10/20/spying.with.google.ap/index.html"&gt;AP article on CNN&lt;/a&gt; talks about how horrible it is. David Pogue of the &lt;a href="http://www.nytimes.com/2004/10/21/technology/circuits/21stat.html"&gt;New York Times&lt;/a&gt; sings its praises. &lt;br /&gt;&lt;br /&gt;In a nutshell, you can use Google's new utility to search files on your hard drive, your email, webpages you've surfed, just about anything. The ability for other people to search the same things is what has some folks concerned.&lt;br /&gt;&lt;br /&gt;While one must note the "sponsored by Google" just under the title, Danny Sullivan of ClickZ has raised a number of very good points in an &lt;a href="http://www.clickz.com/experts/search/opt/article.php/3422541"&gt;article&lt;/a&gt; last week. In particular, Sullivan notes that many of the security concerns raised by Google search can be addressed by the same, simple security procedures we should all be adopting anyway - like password protecting your computer access and using a firewall.&lt;br /&gt;&lt;br /&gt;There is also a way to restrict what elements of your computer are searchable (by you and by extension anyone else), although many tech writers have noted that a similar product by &lt;a href="http://www.copernic.com"&gt;Copernic&lt;/a&gt; is easier in this regard.&lt;br /&gt;&lt;br /&gt;The unfortunate reality, however, is that indexing your computer's activity means tracking everything you do online and on screen.  Although Google doesn't transfer this data back onto its own computers (with a few minor exceptions), another uber search engine from Amazon, &lt;a href="http://a9.com/"&gt;A9&lt;/a&gt;, apparently does...and it correlates what you do with what you've bought on Amazon to send you better ads.  
&lt;br /&gt;&lt;br /&gt;The fears that we all had when we were first learning about cookies are finally coming true.  These new search engines are very, very useful tools but it is absolutely worth our while to make sure that the data that is indexed (like every webpage we visit) isn't used in ways we don't explicitly agree to.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-109847536123901409?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109847536123901409'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109847536123901409'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2004/10/furor-over-desktop-search.html' title='The Furor Over Desktop Search'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-109726965616529654</id><published>2004-10-11T14:00:00.000-07:00</published><updated>2004-10-11T16:50:12.760-07:00</updated><title type='text'>Email Isn't Private</title><content type='html'>There has been a fair amount written lately about how email isn't private.  In particular, a ruling in a recent case relied on a technicality in a law (and laws governing email are even more confusing than most) to allow an email provider to read the correspondence of his users. This ruling is being challenged by an unusual coalition of civil liberties groups and the Department of Justice, so it's very likely we will continue to hear more about the issue for a while.
&lt;br /&gt;&lt;br /&gt;While the particulars under debate are important, we shouldn't confuse a fairly specific relaxation of a wiretap standard to mean that email has suddenly gone from private to public.&lt;br /&gt;&lt;br /&gt;The truth of the matter is that email has never had any great claim to privacy to begin with. Although it is illegal to read or share the contents of email, the protective laws have always contained a handful of absolutely huge loopholes: &lt;br /&gt;&lt;br /&gt;*Employers monitoring employee email accounts aren’t covered (technically, they own the computer, the network, and the software, so they have a right to access the things they own). &lt;br /&gt;&lt;br /&gt;*If the person you send the email to consents to share it, they don’t need your permission to show it to whomever they please.&lt;br /&gt;&lt;br /&gt;*Anytime you send an email from point A to point B, it goes through any number of Internet companies on its way. Each company has its own set of privacy policies and its own interpretation of its obligations and rights. You can’t even be sure that the companies are all governed by U.S. law. &lt;br /&gt;&lt;br /&gt;*But the biggest and most important exception is that email is considered private only when it is in transit.  Once the text resides on a computer somewhere it enjoys less protection...and that's what this latest ruling has been making clear.&lt;br /&gt;&lt;br /&gt;All of these exceptions mean that if someone really wants to, he can most likely read your email. Practical obscurity, the fact that there are too many emails from too many people to make yours worth caring about, will probably protect you in all but the most unusual circumstances. &lt;br /&gt;&lt;br /&gt;But the safest bet is not to count on it. No matter what happens with the case you've been reading about.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-109726965616529654?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109726965616529654'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109726965616529654'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2004/10/email-isnt-private.html' title='Email Isn&apos;t Private'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-109692429067359595</id><published>2004-10-04T14:03:00.000-07:00</published><updated>2004-10-04T14:11:30.673-07:00</updated><title type='text'>We Are ALL Online Shoppers, Bankers and Bill-payers</title><content type='html'>If you are concerned about giving your credit card number to a website, here's a new way to think about what it means to buy something in the modern world.&lt;br /&gt;&lt;br /&gt;The next time you visit a local retailer and buy something with a credit card, ask him if 1) the credit card number gets stored on his own computer and 2) if he has an internet connection from that computer.  If the answer is yes to both questions (a good bet), you have just shopped online!&lt;br /&gt;&lt;br /&gt;The same is true for banking or paying bills.  You go to the bank, you give the teller your account information. The teller types your info into the computer sitting at her window. Think that computer doesn't talk to a bunch of other computers using a network that at some point crosses the Internet?  Think again.&lt;br /&gt;&lt;br /&gt;What about your utility bill?  
You drop a check into the mail.  At the utility company, your check is scanned by, guess what?, a computer.  As with your bank, that computer is linked to the Internet at some point.  You might as well save yourself the 37 cents and pay the bill online.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-109692429067359595?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109692429067359595'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109692429067359595'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2004/10/we-are-all-online-shoppers-bankers-and.html' title='We Are ALL Online Shoppers, Bankers and Bill-payers'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-109362957332619019</id><published>2004-08-27T10:51:00.000-07:00</published><updated>2004-10-04T14:03:45.290-07:00</updated><title type='text'>Heard of SPIM?</title><content type='html'>Technologists seem to take special delight in new acronyms. But this one should bring delight to no one.  &lt;br /&gt;&lt;br /&gt;SPIM, taken from SPam for Instant Messaging, looks to be the next bugaboo in online communication.  That's right, get ready for messages peddling viagra wannabes and Nigerian investment schemes popping up on your screen.&lt;br /&gt;&lt;br /&gt;In reality, the term isn't brand new. Thanks to &lt;a href="http://www.wordspy.com/words/spim.asp"&gt;WordSpy&lt;/a&gt;, Paul McFedries' wonderful website on neologisms, we know that SPIM was probably first used in a Chicago Tribune article on August 5, 1999.
&lt;br /&gt;&lt;br /&gt;It is fair to say, however, that the danger SPIM represents is a little more real now than it was 5 years ago. Although it's still pretty far from going away, spam is getting a little more difficult to pull off thanks to recent crackdowns by law enforcement and technology companies.  And since nature abhors a vacuum, the time is probably right for the next problem to emerge.&lt;br /&gt;&lt;br /&gt;How does SPIM work? Software creates messages and automatically sends them to IM addresses that have been harvested or simply guessed. &lt;br /&gt;&lt;br /&gt;And what can we do? Alyn Hockey, a tech guru from Clearswift, offered the following advice on a &lt;a href="http://news.bbc.co.uk/2/hi/technology/3581148.stm"&gt;BBC radio show&lt;/a&gt; recently:&lt;br /&gt;&lt;br /&gt;"Don't accept connections from people you don't know, don't download attachments from people you don't know; and keep your anti-virus software and operating system up-to-date."&lt;br /&gt;&lt;br /&gt;In other words, you may not be able to do much at the moment to keep the annoying messages from getting through but you can make sure you don't get tricked into downloading a virus or worse by clicking on a link sent to you in an IM.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-109362957332619019?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109362957332619019'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109362957332619019'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2004/08/heard-of-spim.html' title='Heard of SPIM?'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-109251107652856628</id><published>2004-08-14T12:09:00.000-07:00</published><updated>2004-08-14T12:17:56.530-07:00</updated><title type='text'>The best and worst anti-phishing tip I've ever heard</title><content type='html'>Consumer Reports just posted an &lt;a href=http://www.consumerreports.org/main/detailv4.jsp?CONTENT%3C%3Ecnt_id=464561&amp;FOLDER%3C%3Efolder_id=162693&gt;article on phishing&lt;/a&gt;. It is a good summary of much of what we already know but did include one tip that I hadn't seen anywhere else:&lt;br /&gt;&lt;br /&gt;"When prompted for a password, give an incorrect one first. A phishing site will accept it; a legitimate one won't."&lt;br /&gt;&lt;br /&gt;Of course, this is absolutely horrible advice if it encourages you to give your password to someone who has emailed you. (DO NOT EVER DO THIS - contact the company who is supposed to have emailed you by some other route...call customer service or type the company's URL  directly into a new browser window).  
&lt;br /&gt;&lt;br /&gt;However, if you want to have a little fun, it's one way to mess with whoever is messing with you...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-109251107652856628?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109251107652856628'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109251107652856628'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2004/08/best-and-worst-anti-phishing-tip-ive.html' title='The best and worst anti-phishing tip I&apos;ve ever heard'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-109180540284303851</id><published>2004-08-06T08:11:00.000-07:00</published><updated>2004-08-06T08:17:47.590-07:00</updated><title type='text'>The Real Danger of Shopping Online</title><content type='html'>An &lt;a href=www.winnipegfreepress.com/subscriber/front/v-search/story/2107885p-2441212c.html&gt;online pharmacy&lt;/a&gt; operating from Winnipeg, Manitoba was hacked. Its customer list was stolen. And now a Florida company is allegedly offering the list for sale to the highest bidder. The list, containing the names of more than 32,000 US-based customers, demonstrates the real danger of online shopping. Forget about someone stealing your individual information as you type it into a webpage. The databases that store your information along with everyone else's are what thieves profit from. &lt;br /&gt;&lt;br /&gt;The question to ask isn't "Is online shopping secure?" but "Is online shopping with this particular website secure?"  
Tips on how to evaluate the safety of any particular website can be found in &lt;a href=http://www.amazon.com/exec/obidos/ASIN/0312327099/qid%3D1091053871/sr%3D11-1/ref%3Dsr%5F11%5F1/102-9202344-0789768&gt;my book&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-109180540284303851?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109180540284303851'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109180540284303851'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2004/08/real-danger-of-shopping-online.html' title='The Real Danger of Shopping Online'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-109173468676067115</id><published>2004-08-05T12:35:00.000-07:00</published><updated>2004-08-11T10:20:55.066-07:00</updated><title type='text'>Send Spam to the FTC</title><content type='html'>The FTC has a new address for complaints about spam: spam@uce.gov&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-109173468676067115?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109173468676067115'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109173468676067115'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2004/08/send-spam-to-ftc.html' title='Send Spam to the 
FTC'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-109164582308760732</id><published>2004-08-04T11:55:00.000-07:00</published><updated>2004-08-24T14:44:38.813-07:00</updated><title type='text'>Good Advice From eBay</title><content type='html'>eBay, whose name has been used in a lot of phishing scams, has posted a very &lt;a href=http://pages.ebay.com/education/spooftutorial/&gt;user-friendly&lt;/a&gt; tutorial for the average Internet user.&lt;br /&gt;&lt;br /&gt;But their best piece of advice is remarkable for its simplicity.&lt;br /&gt;&lt;br /&gt;"If you have any doubt about the authenticity of an eBay or PayPal email, simply open a new Web browser, type in www.ebay.com or www.paypal.com  and perform the requested activity."&lt;br /&gt;&lt;br /&gt;In other words, don't ever follow links in an email.  
Just go straight to the source.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-109164582308760732?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109164582308760732'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109164582308760732'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2004/08/good-advice-from-ebay.html' title='Good Advice From eBay'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-109164572814607240</id><published>2004-08-04T11:49:00.000-07:00</published><updated>2004-08-24T14:43:49.843-07:00</updated><title type='text'>Some of My Favorite Phish</title><content type='html'>Gone are the days when fake email was written in English so broken you could barely figure out what the con-men wanted you to do (like &lt;a href=http://www.antiphishing.org/phishing_archive/Citibank_12-10-03.htm&gt;this one&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Today's phish are pretty sharp and not all that obvious.  Here are some of my favorite examples, courtesy of the AntiPhishing Working Group:&lt;br /&gt;&lt;br /&gt;&lt;a href=http://www.antiphishing.org/phishing_archive/08-04-04_US_Bank_(Confirm_your_account_information).html&gt;US Bank (8/4/2004)&lt;/a&gt;...reports more than 5 failed attempts to log on to your account; notable for the elaborate effort to fake the URL in the browser window.  Big  mistake on this one is that the webpage for info input is described as secure but the familiar lock symbol is missing.
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.antiphishing.org/phishing_archive/07-27-04%20Ebay%20(Update%20Your%20Billing%20Informations).html"&gt;eBay (7/27/04)&lt;/a&gt;...good spoof but the title is something of a giveaway "Udate your informations" (not information).&lt;br /&gt;&lt;br /&gt;&lt;a href=http://www.antiphishing.org/phishing_archive/07-02-04_Citibank_(Citibank_Identity_Theft_Solutions).html&gt;Citibank (7/2/04)&lt;/a&gt;...Personally, I got this one three times. The title of the sender is a dead giveaway. How many business cards have you seen with "Head of..." on them?&lt;br /&gt;&lt;br /&gt;The Anti-Phishing Working Group maintains an excellent &lt;a href=http://www.antiphishing.org/phishing_archive.html&gt;archive of still more rotten phish&lt;/a&gt; if you want to read more. All you have to do is update your bank account information here first...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7815407-109164572814607240?l=amandawelsh9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109164572814607240'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109164572814607240'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2004/08/some-of-my-favorite-phish.html' title='Some of My Favorite Phish'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-7815407.post-109129949019131717</id><published>2004-07-31T11:44:00.000-07:00</published><updated>2004-08-24T14:45:36.090-07:00</updated><title type='text'>Phishing Facts</title><content type='html'>In case you've been living in a cave for the past few 
months, here's how the Anti-Phishing Working Group (APWG) succinctly describes phishing:&lt;br /&gt;&lt;br /&gt;"Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them."&lt;br /&gt;&lt;br /&gt;The latest scoop from the APWG is that the problem is growing very, very fast.  June saw the launch of 1422 separate phishing scams - that's about 47.4 a day or 300 each week.  Consider that the number of phishing scams in January numbered only 176 and words like "order of magnitude" come to mind.&lt;br /&gt;&lt;br /&gt;Other amazing facts:&lt;br /&gt;1) VeriSign reports that most phishing emails are sent out between 9pm and 4am, presumably when there are fewer customer service folks to pick up your telephone call about the email.&lt;br /&gt;2) APWG reports that most scam websites are live for 2.25 days.  The bad guys move fast.&lt;br /&gt;3) Gartner estimates that phishing has accounted for $2.4 billion in fraud. Falling for phishing costs about $1,200 per victim.&lt;br /&gt;&lt;br /&gt;The best cure, of course, is to exercise common sense. But as we all know too well, common sense often isn't common.  
Read the next few posts for more on what to do...</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109129949019131717'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7815407/posts/default/109129949019131717'/><link rel='alternate' type='text/html' href='http://amandawelsh9.blogspot.com/2004/07/phishing-facts.html' title='Phishing Facts'/><author><name>AmandaWelsh</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry></feed>
