[sf-lug] Don't you hate it when ... / GIGO ... and a PDF and zip code tip

Michael Paoli Michael.Paoli at cal.berkeley.edu
Sat Aug 19 23:11:43 PDT 2017


Don't you hate it when ... /
Garbage In, Garbage Out (GIGO)
... and a PDF and zip code tip

Yes, whole 'lot 'o "power" with computers 'n huge amounts of data,
but ... among other things, only as good as the data,
and ... a lot of it isn't very good.

E.g. annoyance of the day ... have repeatedly gotten some
not-my-bills ... not the first time that's happened.

They were coming electronically, ... I'd been blowing 'em off as spam.
After a while, eventually, seem just a wee bit too regular,
check a bit more, and ... not exactly spam - though definitely
spam/nuisance to me.  Looks like legitimate sender but someone
screwed up (typo or whatever) and sending to wrong email address -
a legitimate email address - but not for the content - company I've
never dealt with - never even lived in the area they provide service.
So ... that's their first mess-up.

So ... to stop that annoyance (and besides, their customer might
actually want the data going to them, rather than someone else).  Is
there some simple "unsubscribe" with these emails that might actually
work?  No such functionality or even any mention of "unsubscribe" in the
email.  That's their second mess-up.

But it's got web address for dealing with customer service (or similar)
and issues of that nature, etc.  Okay, subtract half a mess-up.

But, egad. damn web site ... add about 2 (or more) more mess-ups.
Do they give you an email address?  Of course not.
Do they give you a simple useful form?  No, forms yes, but wants all
kinds of data that's not relevant ... like pick "my" (US) state ... but
selections are limited to the company's service area.  Much etc.

Add a few more mess-ups.  They send bills, with some arguably sensitive
customer information.  Subtract about half a mess-up - they send it as
an encrypted PDF.  But, what do they use as password and state right up
in clear in the email?  5-digit zip code ... and to further restrict
keyspace, only so many 5-digit zip codes in service area of the company.
So, yeah, maybe add about another 1/4 mess-up on that one - quite weak
security.

So, useful PDF tip ... Linux and adding/removing password from PDF, or
decrypting:
pdftk encrypted.pdf input_pw password output clear.pdf
And with very weak constricted keyspace for password, that
takes little time to decrypt.
Of course it's also very handy for other useful PDF manipulations.
E.g. one PDF I was dealing with - perfectly readable - but I wanted
to separate out a range of pages.  Well, very handy for that, are:
pdfseparate(1)
pdfunite(1)
But alas, turned out the pdfunite failed, as the PDFs were encrypted!
Not exactly something I was expecting.  But, alas, handily, only
highly trivially "encrypted" - with a null password (no idea why
someone even bothers to do that).  Anyway, quick "decryption" of
those PDFs (which were only encrypted with null password anyway),
and then easy to finish the putting together of the selected pages.

semi-random zip code tip - definitely not supercurrent nor recently
updated, but some good zip code database stuff can be found under:
http://federalgovernmentzipcodes.us/
... that quickly much further reduced my keyspace search and
better optimized ordering.

So ... didn't take long at all to get the clear content of those
bills.  And with that, I then had enough information to navigate
the dang customer service web pages - like picking a relevant
state, etc.  But ... egad, ... more mess-ups.  An annoyingly
difficult to use web page, they really provide no other - at least
electronic - ways to report issue/problem.  Yes, they've got a
phone number ... but hours convenient to them, not me ... called
it ... and they don't even have an option to leave 'em a voicemail
message ... have to navigate the tree just to be told by machine to
call at a time of their convenience.  Anyway, navigate the dang
web site, fill out the relevant information ... but they make it
annoyingly difficult - not only a "I'm not a robot" thingy,
but the dang thing keeps rather quickly timing out and making one
do the "I'm not a robot" thing yet again.  So, yeah, more of a
mess-up.

It would be really good to have a general and fairly visible contact
for a company, like, e.g. security ... but no, they make it relatively
difficult to contact them.  (some companies do better, ... some much
*much* better).

And, they could've included a footer in the email, something roughly
like: "If you are not the intended recipient, please destroy this email
and contact: <email_address>" ... but no, nothing of the sort.  Nothin'
that says, "Hey, this is confidential for intended recipient only."
It's more like, "Hey, we made this easy - you just need your 5-digit zip
code to open it".  Egad, pity the poor customer that uses their 5-digit
zip code as part of their email address.  I bet that foolish company
didn't think 'o that one.  Or ... the zillions of ways it's often pretty
dang trivial to match an email address to a 5-digit zip code ... of
course that would actually "work" more if they were sending to their
intended recipient, instead of me.

And yes, more mess-ups, looks like they opted their customers into this,
without doing diddly to verify the customer's email addresses or even
that the customers wanted this!  They just sent the stuff, and with
poorly protected customer information in the emails they sent.
So, yeah, no confirmation ... looked back over the emails and the
first was like "welcome to this trial program thingy",
and after that they just keep sending away.
There's not even anything in there that implies the customer
said something like "please put me on electronic billing",
or "as you said you'd signed up and wanted to be notified to
try some of our new features" ... nothin' like that at all.

So, yeah, looks like the company's own behavior probably in fact
violates their own privacy policy (which they do at least
provide link to).  Only possible exception to that may be the case
that they didn't screw that up, is if the customer actually
gave them the incorrect email address and told 'em or gave
'em permission to use it - and for billing or such data.
Who knows, ... some company rep may have mistyped something
the customer gave over the phone - so dear knows where the
erroneous data came from.

And, speaking of GIGO ... yes, my email address does also show up
in some other not me places.  E.g. like some folks with matching
first and last name - that might well explain some of the cr*p
email that I find hits my inbox/bulk/spam locations ... e.g. for
local political/election/voter stuff for state(s) I've never
lived in - some I've never even set foot in.

Hmmm, ... seems - especially where in many cases email is
used for "verification", might be possible to do "interesting"
things.  <sigh>

But yeah, GIGO ... whole lot 'o cr*p data out there.  A whole lot
of companies really ought do much better job of checking/verifying
their data.  And often the cr*p data tends to float around for a
*very* long time ... if not forever.  E.g. one address I corrected some
while back on my credit report(s), was an address that does not exist
and never existed.  A teensy bit of inspection made it clear that this
was a gross truncation of an actual address where I'd lived.  It's not
too hard to check/validate stuff like that ... but a whole lot of
companies, etc. never do - and just keep on passing it along, and only
possibly remove it maybe if someone actually challenges it.
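
A sender-side audit of the "ZIP code as PDF password" scheme described in the post above. This is an added example, not part of the original post or any code of the company it describes. The service-area list, the recipient records and the guess rate are all constructed assumptions.

```python
import math
import re

FULL_ZIP_SPACE = 10 ** 5  # every 5-digit string, 00000 through 99999

# Constructed sample: a hypothetical service area covering 250 ZIP codes.
SERVICE_AREA_ZIPS = {f"{94000 + i:05d}" for i in range(250)}


def keyspace_bits(candidates):
    """Entropy in bits of a secret drawn uniformly from `candidates` values."""
    return math.log2(candidates)


def worst_case_seconds(candidates, guesses_per_second):
    """Time to exhaust the keyspace at an assumed guess rate."""
    return candidates / guesses_per_second


def audit_recipient(email, zip_code, service_area_zips):
    """Return findings for one recipient whose PDF password is their ZIP code."""
    if not re.fullmatch(r"\d{5}", zip_code):
        return ["password is not a 5-digit ZIP; record needs review"]
    findings = []
    # Anyone who knows the sender only has to consider ZIPs it serves.
    if zip_code in service_area_zips:
        effective = len(service_area_zips)
    else:
        effective = FULL_ZIP_SPACE
    bits = keyspace_bits(effective)
    findings.append(f"effective keyspace {effective} (~{bits:.1f} bits)")
    # The address the bill is mailed to may itself disclose the password.
    if zip_code in email:
        findings.append("password appears in the e-mail address")
    return findings


if __name__ == "__main__":
    # Constructed recipient records: (e-mail address, ZIP used as password).
    sample = [("jdoe94110@example.com", "94110"),
              ("asmith@example.net", "94007")]
    print(f"all 5-digit ZIPs: ~{keyspace_bits(FULL_ZIP_SPACE):.1f} bits")
    for email, zip_code in sample:
        for finding in audit_recipient(email, zip_code, SERVICE_AREA_ZIPS):
            print(f"{email}: {finding}")
    # 50 guesses/second is an assumed rate, used only to show the scale.
    secs = worst_case_seconds(len(SERVICE_AREA_ZIPS), 50.0)
    print(f"worst case to exhaust service area: {secs:.0f} s")
```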



