Blog: December 2015

Most of these posts were originally posted somewhere else and link to the originals. While this blog is not set up for comments, the original locations generally are, and I welcome comments there. Sorry for the inconvenience.

Charity fundraising

Dear Charities[1] That I Already Support,

I sent you a sizable donation this year. Recently, even, because I mostly do that at year-end when I know where the annual finances ended up. You acknowledged receipt.

So stop bombarding me with email asking for donations, will you? If I weren't inclined to support you the repeated appeals would not change that -- in fact they would drive me away, as they've done with some of your predecessors. And even though I am inclined -- I like you and support you, after all -- I'm starting to weary of this. It feels like the left hand doesn't know what the right hand is doing. Get your fundraising people in sync with your receipts people, please. I want to support you, but your methods are growing frustrating.

[1] Yes, the use of the plural is correct. I have gotten several email requests this week from each of two organizations I have a long record of supporting with single, annual donations.

Holiday lights

In my neighborhood a minority of houses have Christmas lights (which makes sense; we're about 50% Jewish, I think). Of those, a majority are tasteful and a few are over-the-top. But Friday night on my way to services I saw one that was both understated and remarkable.

Four posts, about three feet high, were arranged in a diamond and wrapped in lights -- three red, one purple. It took me a moment to parse: Advent candles. Somebody actually managed a religious light display that didn't involve statues of people. That's pretty cool.

On Saturday, in daylight, I noticed that there was another post, white, in the center. I didn't know its significance without Google; Wikipedia says this is an optional additional candle that's lit on Dec 24 or 25, though it was not lit on Friday night.

Revelation for RPGs series (Worldbuilding)

Several weeks ago I wrote about a series of blog articles I was starting over on the Worldbuilding blog called "Revelation for RPGs". This is a series of posts about techniques GMs can use to build, and reveal to players over time, interesting and rich worlds. I'm basing this series on a game run by Ralph Melton years ago and chronicled in ralph_dnd.

I've added a couple more posts since then. Here's the list so far:

Revelation for RPGs I: Setting the Stage

Revelation for RPGs II: The Written Word

Revelation for RPGs III: Your World is Made of People

Revelation for RPGs IV: I Can See Clearly Now

I'm telling (in high-level outline) the story of the game as I talk about how it was played. We're about halfway through the campaign now; the latest article shares the "big reveal" of that part of the game. (Those who remember the game should know what I mean by that, and for the rest of you, I don't want to spoil it.)

I have a few more planned for this series.

What's the deal with this phish?

I see a lot of phishing attempts and more than a few spear-phishing attempts, but a recent one is leaving me wondering what the phishers were trying to do.

A couple days ago I got email, purportedly from eBay, acknowledging my new account. The email came to my Gmail address, which I don't publicly use but is easily guessable. The account had a goofy name starting with the first few letters of my email address.

Whenever I think there could be an unauthorized account in my name on a real service I try to reset its password, just in case. So I fired up an incognito window and went to eBay (really eBay, not using the link in the email), went to the login page, gave that account name, and clicked "forgot password". This generated email to me -- which means, I think, that an account of that name really was created (not by me). I reset the password.

While I was there I checked the transaction history and looked for private information. That was all clean. I initiated an account-deletion request, choosing "concerns about identity theft" from their menu of reasons. (Aside: eBay's short list of deletion reasons includes "concerns about identity theft"!) eBay holds such requests for a week to ensure that transactions close, even if there are no transactions (I consider the latter a flaw). I set a reminder to check back in a week.

A day later (just about 24 hours, in fact), I got password-reset email, identical to the email my own reset request had generated (other than the specific link).

Now if the phishers tried to log in and clicked "forgot password", they should already know that that would only work if they could intercept that email. I am as confident as I can be without server access that my Gmail account has not been compromised (I'm very careful about that), but I nonetheless changed my password and reviewed recent access logs. No new devices had accessed my account in this timeframe.

It is always possible, of course, that I am dealing with somebody who is just inept. But if this is a viable attack vector, what's the deal? How is it supposed to work? How does creating an account on eBay attached to an email address you can't access help you?