Everyone heard about the Hell Pizza database leak, but what is only now showing up in the media is a story that has been developing for more than twelve months. Back in August 2009 some Geekzone users reported receiving spam on email addresses used only with Hell Pizza's online ordering system.
At the time someone posted in our forums on behalf of Hell Pizza saying "we don't sell email addresses (very bad), nor have we been hacked (our web servers are behind dedicated, monitored firewalls). We use software from Interspire and I'm not aware of any security vulnerabilities in the latest version we have installed."
Fast forward thirteen months to this week and the blog Risky.Biz published "I know what you ate last summer", where it reveals that "multiple intruders have compromised Hell Pizza's 400mb (sic) database. While it does not contain any credit card information, it does contain in excess of 230,000 rows of customer entries."
It continues: "When contacted by Risky.Biz, Hell Pizza co-owner Stuart McMullin said he was unaware of the data breach. He offered no comment when a list of questions was e-mailed to him, beyond acknowledging the contact from "concerned customers" in 2009."
"I have spoken to my IT staff and they are not aware that our site was hacked or any records lost," McMullin wrote in an e-mail to Risky.Biz. "There were a couple of 'customers' that thought it was the case last year who emailed us - perhaps these are the sources you are referring to - but not to our knowledge."
The New Zealand media found the story, and the NBR published "Hell Pizza: customer database could have been hacked". Chris Keall contacted Hell Pizza director Warren Powell, who said "Everybody gets hacked into, even the Pentagon." He also added that the potentially stolen data was "of no value to anyone."
That's the problem. The data is valuable to spammers and to anyone who would like to try any of those 230,000 passwords on other sites - it's a known fact that many Internet users simply reuse the same password on different sites. This can potentially lead to identity theft. This is serious business.
According to a story on Stuff "Hell's director Warren Powell told NZPA he is unaware of any breach in security, and IT staff have so far found nothing proving information has been stolen."
Now comes the interesting part... Mr Warren Powell said to Stuff "If there is a breach of security it will appear, data would have been removed and therefore it would appear as a download. We'll be able to find out the day and the computer it was downloaded to and we'll be able to prosecute this person if they exist."
They won't find anything. If Risky.Biz is correct, the old Hell Pizza ordering system was developed with poor attention to security, and the application running on the user's browser was communicating directly with the database.
This means any connection to the database would be considered valid, therefore those "dedicated, monitored firewalls" wouldn't do any good.
It also means anyone could issue commands to the database and receive a response with that data - in which case it wouldn't appear as a download at all, but as a normal web request in the web server logs.
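If the only trace of an extraction is "a normal web request", then the web server logs are exactly where an investigator has to look. The script below is an added example, not code from this post, from Risky.Biz or from Hell Pizza: it parses Apache combined-format log lines, URL-decodes the query parameters and flags requests whose parameters carry a full SQL statement rather than an ordinary search term, then summarises the flagged traffic per client address (request count, bytes returned, paths hit, first and last seen). The log lines, addresses, paths (including the hypothetical /db/query.php endpoint) and user agents are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache "combined" log format. Hosts, paths,
# addresses and user agents are invented for this example; /db/query.php stands
# in for a hypothetical "run whatever SQL you send me" script and is not a real
# Hell Pizza path. Note there is no single big "download": the data leaves in
# many ordinary-looking 200 responses, page by page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2010:14:02:11 +1200] "GET /order/menu.php?store=12 HTTP/1.1" 200 8432 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2010:14:02:15 +1200] "POST /order/checkout.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Sep/2010:03:11:02 +1200] "GET /db/query.php?q=SELECT+email%2Cpassword+FROM+customers+LIMIT+0%2C1000 HTTP/1.1" 200 61440 "-" "python-urllib/2.6"
198.51.100.77 - - [10/Sep/2010:03:11:09 +1200] "GET /db/query.php?q=SELECT+email%2Cpassword+FROM+customers+LIMIT+1000%2C1000 HTTP/1.1" 200 61502 "-" "python-urllib/2.6"
198.51.100.77 - - [10/Sep/2010:03:11:16 +1200] "GET /db/query.php?q=SELECT+email%2Cpassword+FROM+customers+LIMIT+2000%2C1000 HTTP/1.1" 200 61388 "-" "python-urllib/2.6"
192.0.2.9 - - [10/Sep/2010:09:30:00 +1200] "GET /search.php?term=select+your+store HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+|-)"
)

# Require statement *structure* (SELECT ... FROM, INSERT INTO, ...), not just a
# keyword, so that a search for "select your store" is not a false positive.
SQL_RE = re.compile(
    r"\b(?:select\b.+\bfrom\b|union\b.+\bselect\b|insert\s+into\b"
    r"|update\b.+\bset\b|delete\s+from\b|drop\s+table\b)",
    re.IGNORECASE | re.DOTALL,
)


def parse_line(line):
    """Split one combined-format line into the fields the detector needs, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    # parse_qsl undoes both '+' and %xx encoding, so the values are plain text.
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "values": values,
        "status": int(m.group("status")),
        "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
    }


def looks_like_sql(values):
    """True if any query-string value carries a whole SQL statement."""
    return any(SQL_RE.search(v) for v in values)


def find_sql_over_http(log_text):
    """Return {client_ip: summary} for clients whose requests carried SQL statements."""
    summary = defaultdict(
        lambda: {"requests": 0, "bytes": 0, "paths": set(), "first": None, "last": None}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not looks_like_sql(rec["values"]):
            continue
        s = summary[rec["ip"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]  # bytes returned to the client, summed over all pages
        s["paths"].add(rec["path"])
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    return dict(summary)


if __name__ == "__main__":
    for ip, s in find_sql_over_http(SAMPLE_LOG).items():
        print(f"{ip}: {s['requests']} requests, {s['bytes']} bytes returned, "
              f"paths={sorted(s['paths'])}, {s['first']} .. {s['last']}")
```

Run against a real access log (one line per request) the same function answers the questions in the quote above, the day and the client address, but from the web server's log rather than from a file-download record; summing the bytes returned per client is what turns a thousand unremarkable page requests into a visible extraction.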
I tried contacting Hell Pizza via email but received no reply.
People on Geekzone noticed the Hell Pizza Ireland website could still be running the old, apparently vulnerable version of the ordering system. Currently both Hell Pizza Australia and Hell Pizza UK are returning server errors, with messages that lead us to believe they too were running the apparently vulnerable site version until recently - perhaps taken down to prevent further access to data?
I was alerted by one of the Geekzone users of further evidence that there was a vulnerability on the old Hell Pizza ordering system, and a Google search reveals the existence of a script that was there only to execute SQL commands - so vulnerable in fact that even Google found it and cached a result:
In an email sent to customers this week, Hell Pizza director Stu McMullin says "Whilst we are still investigating the matter, we can confirm that the information was obtained without our knowledge and we have approached the New Zealand Police with a view to lodging a formal complaint. Hell recognises the importance of protecting customer information and additional security measures were implemented earlier this year when our new website was rolled out (again, we reiterate that this is not an issue affecting the new website). As a further security measure you may wish to consider changing your passwords on other sites if they were the same as the old Hell Pizza website."
How long has Hell Pizza had knowledge of this security breach? Or did they only realise something was happening after Risky.Biz contacted them? If they did have knowledge, why wasn't it disclosed before? Will we see other New Zealand companies working to improve their IT security practices after seeing this happen?
The Apple iPad (first generation) works on the 850 MHz and 2100 MHz WCDMA bands. We have two mobile operators offering 3G in New Zealand, with a third one coming very soon.
Telecom New Zealand operates a 3G network in the 850 MHz band. Telecom does not operate a 2G network - wherever you get coverage it will be 3G.
Vodafone New Zealand operates a mix of 2G and 3G networks. Its 3G network uses two different bands, 900 MHz and 2100 MHz. Vodafone deployed 2100 MHz 3G in the main centres and larger towns, covering 70% of the population. The 900 MHz 3G band is available elsewhere.
This means that if you have an iPad and use Telecom New Zealand then you will have 3G access wherever you have Telecom XT coverage, because Telecom's 3G network runs on 850 MHz, which the iPad supports.
If you insert a Vodafone New Zealand SIM into the same iPad you will have 3G coverage only on its 2100 MHz 3G network. It means that where Vodafone offers the 900 MHz 3G flavour you will be out of luck. Depending on coverage the iPad may operate on the much slower 2G (GPRS) network. How much slower? Think dial-up speeds, with much higher latency.
The maps below tell the story:
Telecom New Zealand 3G coverage page:
Vodafone New Zealand 3G coverage page (remember to check only 3G, not 3G extended):
Obviously coverage changes over time, so make sure you visit their coverage pages to check the current status.
If you are using Orcon Mobile, your 3G coverage will be similar to Vodafone New Zealand, because Orcon uses Vodafone for their network.
When 2degrees Mobile launch their 3G service, total coverage will be similar to that of Vodafone New Zealand, because while 2degrees has their own network in Auckland, Christchurch, Queenstown and Wellington, the rest of the country will be serviced by a roaming agreement with Vodafone New Zealand.
UPDATE: you can see both 3G coverage maps in a larger image here.
Our Geekzone forums have been very busy this week with reports of 2degrees making their new 3G network available for public use throughout New Zealand over the last week or so. 2degrees is New Zealand's third mobile operator, with its own mobile network in the main centres and elsewhere using Vodafone New Zealand's network.
Today I met with 2degrees and was briefed on what's happening. This is the summary:
The 3G network is lit in most places, for testing. Their own technicians have been around the country doing their tests, but they wanted more accurate usage patterns to start with, so they have it running.
For example Wellington CBD was lit yesterday and they noticed 13% of the connections automatically switching to 3G. This is interesting because they currently don't sell 3G handsets.
The sad part is... 2degrees will be locking it down from the end of next week. And we don't have a date for when the service goes live.
Their 3G network is paired with their current 2G network (meaning where you have a 2G site there will be a 3G site). Obviously different loads will make coverage different.
The 3G network is available in Auckland, Wellington, Christchurch and Queenstown, covering 48% of the population. Other areas, as we know, are going to be covered by a roaming agreement with Vodafone.
There are plans in progress for additional network coverage, with Hamilton and Tauranga town planning in progress. Due to resource consent times and 3G release this won't happen until next year though.
No commercial details are available - plans, packs, national roaming.
New 3G handsets will come out (surprise), as well as Android devices. Micro SIM will be available "soon".
I was given a Huawei USB modem with a SIM card to test, but it will stop working when the network is locked again next week.
And that's all I have to say - nothing else was disclosed.
John Cleese explains the difference between those two sports, in an excerpt from The Art of Football...
For example, 83% of European households have a mobile handset, but only 56% access the Internet regularly. Also, 33% of European citizens have no Internet access (which I assume refers to landline Internet connections).
So what's the solution? "[Vodafone] have the potential to deliver the digital revolution to 500 million European citizens".
The interesting thing here is that Europe is probably the second biggest battleground (after China and India) in the mobile competition. Vodafone is up against O2, T-Mobile, Telefonica of Spain, all fighting for a share of those 500,000,000 customers.
What I would like to know, though, is Vodafone New Zealand's take on this. Competition here is not as strong as in Europe. Does that make it less likely we could see such initiatives, or price drops coming from the local operators?
Any insight you want to share in comments?
A friend of mine sent an email asking me to point my readers to a survey on SMB purchasing habits. If you could answer it, it should take only a couple of minutes...
"... We have reason to believe that SMB owners/decision-makers act much more like consumers in their choice of the online information resources that subsequently affect their purchasing decisions. Further, we want to expose important new insights into how SMBs' habits differ from those of general consumers, defining and understanding them better. The expected outcome is to help ourselves, our clients and you create more effective marketing campaigns targeted at SMBs, and also to boost your value as a blogger by providing evidence of your influence on this critical segment. "
They are aiming for a minimum of 400 complete responses. And respondents fully completing the survey and providing a valid email address will be eligible for a prize. Seeing they expect to close the survey at 400 complete entries, there's a good chance to win something.
The prizes are:
1. Grand prize: One Lenovo A70z all-in-one PC
2. Second prize: Five prize packages, each containing one of each of the following three devices:
o One LG Bluetooth headset (HBM-210)
o One LG Bluetooth stereo headset (HBS-250)
o One LG Bluetooth Solar Car Kit & Emergency Charger (HFB-500)
I am told email addresses will only be used to contact eligible winners and WILL NOT be retained once prize selection has occurred. Contact data will not be shared, nor will any respondent be contacted as a result of this survey.
The link for the survey is http://www.surveymonkey.com/s/SMB_purchase_decision-making. Bear in mind this is a U.S.-based survey when answering any questions regarding money (which are optional anyway).
Prizes are valid worldwide... Good luck!
Earlier today I was informed by ICONZ that our IPv6 addresses have been added to their firewall and routing configuration.
I have now added DNS information that allows users to visit Geekzone through an IPv6 connection. We decided to keep it simple and continue to use the current www.geekzone.co.nz URL for both IPv4 and IPv6 connections.
If you visit Geekzone through an IPv6 connection (native or tunnel) then you should see this logo:
If you want to make sure your connection can "see" our server, visit http://ipv6.geekzone.co.nz/ and the default page will show your IPv6 address. The ipv6.geekzone.co.nz test server does not accept connections from IPv4 addresses and it's only a test page.
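A test page like the one described above has one subtlety worth showing: a server listening on a dual-stack socket sees IPv4 visitors as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), so checking "does the address contain a colon" would wrongly count them as IPv6. The code below is an added example, not Geekzone's own test page or server code: it classifies the address the web server reports for a visitor, distinguishing native IPv6 from IPv4, IPv4-mapped and the two common tunnel types (6to4 and Teredo) using only the standard library, and wraps that in a minimal WSGI application that, like the ipv6.geekzone.co.nz test page, refuses IPv4 clients and echoes the IPv6 address back to everyone else. All addresses used in the demonstration are documentation/example ranges constructed for this example.

```python
import ipaddress

# Classification labels returned by classify_client(). "ipv4-mapped" is the
# case a naive "has a colon in it" check gets wrong on dual-stack servers.
NATIVE = "ipv6"
SIX_TO_FOUR = "ipv6-6to4"
TEREDO = "ipv6-teredo"
MAPPED = "ipv4-mapped"
PLAIN_V4 = "ipv4"
INVALID = "invalid"


def classify_client(remote_addr):
    """Classify the address a web server reports for a visitor (REMOTE_ADDR)."""
    # Drop a link-local zone id such as "%eth0" before parsing; older Python
    # versions reject it and it carries no information about the visitor.
    candidate = remote_addr.strip().split("%", 1)[0]
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return INVALID
    if addr.version == 4:
        return PLAIN_V4
    # ::ffff:a.b.c.d - an IPv4 client arriving on a dual-stack IPv6 socket
    if addr.ipv4_mapped is not None:
        return MAPPED
    # 2002::/16 - 6to4 tunnel, the client's IPv4 address is embedded in the prefix
    if addr.sixtofour is not None:
        return SIX_TO_FOUR
    # 2001:0::/32 - Teredo tunnel (client behind NAT, no native IPv6)
    if addr.teredo is not None:
        return TEREDO
    return NATIVE


def tunnel_endpoint(remote_addr):
    """For 6to4/Teredo visitors, return the IPv4 address the tunnel runs over; else None."""
    addr = ipaddress.ip_address(remote_addr.strip().split("%", 1)[0])
    if addr.version == 6 and addr.sixtofour is not None:
        return str(addr.sixtofour)
    if addr.version == 6 and addr.teredo is not None:
        return str(addr.teredo[1])  # (teredo server, client) -> client side
    return None


def ipv6_test_app(environ, start_response):
    """Minimal WSGI app in the spirit of an IPv6-only test page.

    IPv4 clients (plain or mapped) get a 403 instead of a page, so a visitor
    who sees the page knows the whole path was IPv6.
    """
    remote = environ.get("REMOTE_ADDR", "")
    kind = classify_client(remote)
    if kind in (PLAIN_V4, MAPPED, INVALID):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"This test page only accepts IPv6 connections.\n"]
    body = f"Your IPv6 address is {remote} ({kind})\n"
    via = tunnel_endpoint(remote)
    if via is not None:
        body += f"Tunnelled over IPv4 endpoint {via}\n"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode("utf-8")]


if __name__ == "__main__":
    # Constructed sample visitors (documentation/example address ranges only).
    for sample in ("2001:db8::1", "::ffff:203.0.113.5", "203.0.113.5",
                   "2002:cb00:7105::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "fe80::1%eth0", "not-an-address"):
        print(f"{sample:45} -> {classify_client(sample)}")
```

To serve it for real you would hand `ipv6_test_app` to any WSGI server bound to an IPv6 address (for example `wsgiref.simple_server.make_server` with an IPv6-capable server class); the classification logic is the same whichever server is in front of it.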
Also note, this is probably one of the first New Zealand sites among the top online properties to go IPv6.
One of the best geek jokes I've seen...