My window to the world

Hell Pizza Hell: database security was lacking?

By Mauricio Freitas, in , posted: 26-Jul-2010 01:56

Everyone heard about the Hell Pizza database leak, but what is only now showing up in the media is a story that seems to be developing for more than twelve months. Back in August 2009 some Geekzone users reported receiving spam on email addresses used only with Hell Pizza's online ordering system.

At the time someone posted in our forums on behalf of Hell Pizza saying "we don't sell email addresses (very bad), nor have we been hacked (our web servers are behind dedicated, monitored firewalls). We use software from interspire and I'm not aware of any security vulnerabilities in the latest version we have installed."

Fast forward thirteen months to this week and blog Risky.Biz published "I know what you ate last summer" where it reveals that "multiple intruders have compromised Hell Pizza's 400mb (sic) database. While it does not contain any credit card information, it does contain in excess of 230,000 rows of customer entries."

It continues "When contacted by Risky.Biz, Hell Pizza co-owner Stuart McMullin said he was unaware of the data breach. He offered no comment when a list of questions was e-mailed to him, beyond acknowledging the contact from "concerned customers" in 2009.

"I have spoken to my IT staff and they are not aware that our site was hacked or any records lost," McMullin wrote in an e-mail to Risky.Biz. "There were a couple of 'customers' that thought it was the case last year who emailed us - perhaps these are the sources you are referring to - but not to our knowledge."

The New Zealand media found the story, and the NBR published "Hell Pizza: customer database could have been hacked". Chris Keall contacted Hell Pizza director Warren Powell, who said "Everybody gets hacked into, even the Pentagon." He also added that the potentially stolen data was "of no value to anyone."

That's the problem. The data is valuable to spammers, and to anyone who would like to try any of those 230,000 passwords on other sites; it's a known fact that many Internet users simply reuse the same password across different sites. This can potentially lead to identity theft. This is serious business.

According to a story on Stuff "Hell's director Warren Powell told NZPA he is unaware of any breach in security, and IT staff have so far found nothing proving information has been stolen."

Now comes the interesting part... Mr Warren Powell said to Stuff "If there is breach of security it will appear, data would have been removed and therefore it would appear as a download. We'll be able to find out the day and the computer it was downloaded to and we'll be able to prosecute this person if they exist."

They won't find anything. If Risky.Biz is correct, the old Hell Pizza ordering system was developed with poor attention to security, and the application running in the user's browser was communicating directly with the database.

This means any connection to the database would be considered valid, so that "dedicated, monitored firewall" wouldn't do any good: the queries arrive through the very web server the firewall is configured to let through.

It also means anyone could issue commands to the database and receive the data back in the response. In that case it wouldn't appear as a download at all, but as a normal web request in the web server logs.
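Since the page's point is that such access shows up only as ordinary web requests, the place a defender would look afterwards is the web server access log. The following is an added example (not Hell Pizza's code, nor anything from Risky.Biz) that scans Apache-style access log lines for SQL statements carried in query-string parameters and flags unusually large responses; the log lines and the endpoint name /order/sqlquery.php are constructed placeholders, and the 1 MB "bulk" threshold is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed sample lines in Apache "combined" log format. The endpoint
# /order/sqlquery.php is a hypothetical stand-in, not a real Hell Pizza script.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jul/2010:14:02:11 +1200] "GET /order/menu.php?store=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Jul/2010:14:02:15 +1200] "GET /order/sqlquery.php?q=SELECT+name%2Cprice+FROM+menu+WHERE+store%3D12 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jul/2010:23:41:03 +1200] "GET /order/sqlquery.php?q=SELECT+email%2Cpassword+FROM+customers HTTP/1.1" 200 19876543 "-" "curl/7.19"
198.51.100.7 - - [20/Jul/2010:23:41:09 +1200] "GET /images/logo.png HTTP/1.1" 200 2310 "-" "curl/7.19"
"""

# client ip, timestamp, method, request target, status, response bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Statements that read or change data. A browser-side ordering page should never
# put these in a query string, because the browser should not be speaking SQL.
SQL_RE = re.compile(
    r'\b(select\b.+?\bfrom|union\s+select|insert\s+into|update\s+\w+\s+set|'
    r'delete\s+from|drop\s+table)\b', re.I | re.S)


def scan_access_log(text, big_response=1_000_000):
    """Return one finding per request whose query string carries a SQL statement.

    big_response (assumed 1 MB) marks responses large enough to be a table dump
    rather than a single customer's order.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status, size = m.groups()
        url = urlparse(target)
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:
                # parse_qs decoded once; decode again to catch double-encoded values
                sql = SQL_RE.search(unquote_plus(value))
                if sql:
                    nbytes = int(size) if size != "-" else 0
                    findings.append({
                        "ip": ip, "time": ts, "method": method, "path": url.path,
                        "param": name, "statement": sql.group(0), "status": status,
                        "bytes": nbytes, "bulk": nbytes >= big_response,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```

Run against a real log you would also correlate the flagged client addresses with the timestamps, which is the "day and computer" evidence the director expects to find in a download record.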

I tried contacting Hell Pizza via email but received no reply.

People on Geekzone noticed the Hell Pizza Ireland website could still be running the old, apparently vulnerable version of the ordering system. Currently both Hell Pizza Australia and Hell Pizza UK are returning server errors, with messages that lead us to believe they too were running the apparently vulnerable site version until recently - perhaps taken down to prevent further access to data?

I was alerted by one of the Geekzone users of further evidence that there was a vulnerability on the old Hell Pizza ordering system, and a Google search reveals the existence of a script that was there only to execute SQL commands - so vulnerable in fact that even Google found it and cached a result:

Hell Pizza SQL Query on Google

In an email sent to customers this week, Stu McMullin, Hell Pizza Director says "Whilst we are still investigating the matter, we can confirm that the information was obtained without our knowledge and we have approached the New Zealand Police with a view to lodging a formal complaint. Hell recognises the importance of protecting customer information and additional security measures were implemented earlier this year when our new website was rolled out (again, we reiterate that this is not an issue affecting the new website). As a further security measure you may wish to consider changing your passwords on other sites if they were the same as the old Hell Pizza website."

Juha Saarinen reminded us, via Twitter, of the Privacy Commissioner's Privacy Breach Guidelines.

How long has Hell Pizza had knowledge of this security breach? Or did they only realise something was happening after Risky.Biz contacted them? If they did have knowledge, why wasn't it disclosed before? Will we see other New Zealand companies working to improve their IT security practices after seeing this happen?

Where can you get 3G coverage for your new Apple iPad in New Zealand?

By Mauricio Freitas, in , posted: 23-Jul-2010 20:01

The Apple iPad was launched today and I've seen some comments on Twitter about 3G coverage. The first thing to understand about where you will get 3G coverage is which "type" of 3G the iPad can "see".

The Apple iPad (first generation) works on 850 MHz and 2100 MHz WCDMA bands. We have two mobile operators offering 3G in New Zealand, with a third one coming very soon.

Telecom New Zealand operates a 3G network in the 850 MHz band. Telecom does not operate a 2G network - wherever you get coverage it will be 3G.

Vodafone New Zealand operates a mix of 2G and 3G networks. It also operates a 3G network in two different bands, that is 900 MHz and 2100 MHz. Vodafone deployed 2100 MHz 3G in the main centres and larger towns, covering 70% of the population. The 900 MHz 3G band is available elsewhere.

This means that if you have an iPad and use Telecom New Zealand you will have 3G access wherever you have Telecom XT coverage, because Telecom's 850 MHz 3G network is compatible with the iPad's 850 MHz 3G band.

If you insert a Vodafone New Zealand SIM in the same iPad you will have 3G coverage only on Vodafone's 2100 MHz 3G network. Where Vodafone offers the 900 MHz 3G flavour you will be out of luck. Depending on coverage the iPad may fall back to the much slower 2G (GPRS) network. How much slower? Think dial-up speeds, with much higher latency.

The maps below tell the story:

Telecom New Zealand 3G coverage page:

Vodafone New Zealand 3G coverage page (remember to check only 3G, not 3G extended):

Obviously coverage changes over time, so make sure you visit their coverage pages to check the current status.

If you are using Orcon Mobile, your 3G coverage will be similar to Vodafone New Zealand, because Orcon uses Vodafone for their network.

When 2degrees Mobile launch their 3G service, total coverage will be similar to that of Vodafone New Zealand, because while 2degrees has their own network in Auckland, Christchurch, Queenstown and Wellington, the rest of the country will be serviced by a roaming agreement with Vodafone New Zealand.

UPDATE: you can see both 3G coverage maps in a larger image here.

2degrees 3G network live - sort of

By Mauricio Freitas, in , posted: 22-Jul-2010 16:00

Our Geekzone forums have been very busy this week with reports of 2degrees making their new 3G network available for public use throughout New Zealand over the last week or so. 2degrees is New Zealand's third mobile operator, with its own mobile network in the main centres and, elsewhere, using Vodafone New Zealand's network.

Today I met with 2degrees and was briefed on what's happening. This is the summary:

The 3G network is lit in most places, for testing. Their own technicians have been around the country doing their tests, but they wanted more accurate usage patterns to start with, so they have it running.

For example Wellington CBD was lit yesterday and they noticed 13% of the connections automatically switching to 3G. This is interesting because they currently don't sell 3G handsets.

The sad part is... 2degrees will be locking it down from end of next week. And we don't have a date for when the service goes live.

Their 3G network is paired with their current 2G network (meaning where you have a 2G site there will be a 3G site). Obviously different loads will make coverage different.

The 3G network is available in Auckland, Wellington, Christchurch and Queenstown, covering 48% of the population. Other areas, as we know, are going to be covered by a roaming agreement with Vodafone.

There are plans in progress for additional network coverage, with Hamilton and Tauranga town planning in progress. Due to resource consent times and 3G release this won't happen until next year though.

No commercial details are available - plans, packs, national roaming.

New 3G handsets will come out (surprise) and Android devices. Micro SIM will be available "soon".

I was given a Huawei USB modem with a SIM card to test, but it will stop working when the network is locked again next week.

And that's all I have to say - nothing else was disclosed.

More Visual Studio 2010 videos

By Mauricio Freitas, in , posted: 10-Jul-2010 11:21

In a previous blog post I presented some of the video advertising Microsoft is running in the UK. Here are some new videos, from Microsoft Tech Days.

Jason Zander (GM, Visual Studio, Microsoft) gives a tour through some of Visual Studio 2010's new features, and building Windows 7 apps:

Mike Ormond, from Microsoft's Developer and Platform Group, gives a session on the top 10 items that developers might be interested in learning more about in Visual Studio 2010:

Jason Zander, as part of his presentation for Visual Studio 2010, demos how to build Windows Phone 7 mobile apps for Azure:

Ian Griffiths of Interact Software unveils new and useful features in Visual Studio:

The difference between football and American football (not soccer)

By Mauricio Freitas, in , posted: 9-Jul-2010 09:28

John Cleese explains the difference between those two sports, in an excerpt from The Art of Football...

Vodafone and Digital Europe

By Mauricio Freitas, in , posted: 7-Jul-2010 10:18

A new video clip released by Vodafone Group PLC, about the mobile trend in the EU, access to Internet through mobile devices and policy making/lobbying. There are some interesting statistics in this video.

For example, 83% of European households have a mobile handset, but only 56% access the Internet regularly. Also, 33% of European citizens have no Internet access (which I assume refers to landline Internet connections).

So what's the solution? "[Vodafone] have the potential to deliver the digital revolution to 500 million European citizens".

The interesting thing here is that Europe is probably the second biggest battleground (after China and India) in the mobile competition. Vodafone is up against O2, T-Mobile, Telefonica of Spain, all fighting for a share of those 500,000,000 customers.

What I would like to see, though, is Vodafone New Zealand's take on this. Competition here is not as strong as in Europe. Does that make it less likely we could see such initiatives, or price drops, coming from the local operators?

Any insight you want to share in comments?

Answer SMB Survey, be in to win...

By Mauricio Freitas, in , posted: 5-Jul-2010 15:02

A friend of mine sent an email asking to point my readers to a survey on SMB purchasing habits. If you could answer that, it should take only a couple of minutes...

"... We have reason to believe that SMB owners/decision-makers act much more like consumers in their choice of the online information resources that subsequently affect their purchasing decisions.  Further, we want to expose important new insights into how SMBs' habits differ from those of general consumers, defining and understanding them better.  The expected outcome is to help ourselves, our clients and you create more effective marketing campaigns targeted at SMBs, and also to boost your value as a blogger by providing evidence of your influence on this critical segment. "

They are aiming for a minimum of 400 complete responses. And respondents fully completing the survey and providing a valid email address will be eligible for a prize. Seeing they expect to close the survey at 400 complete entries, there's a good chance to win something.

The prizes are:
1. Grand prize:  One Lenovo A70z all-in-one PC
2. Second prize:  Five prize packages, each containing one of each of the following three devices:
o One LG Bluetooth headset (HBM-210)
o One LG Bluetooth stereo headset (HBS-250)
o One LG Bluetooth Solar Car Kit & Emergency Charger (HFB-500)

I am told email addresses will only be used to contact eligible winners and WILL NOT be retained once prize selection has occurred. Contact data will not be shared, nor will any respondent be contacted as a result of this survey.

The link for the survey is  Have in mind this is a U.S.-based survey when answering any questions regarding money (which are optional anyway).

Prizes are valid worldwide... Good luck!

Geekzone IPv6 is here!

By Mauricio Freitas, in , posted: 29-Jun-2010 10:24

Earlier today I was informed by ICONZ that our IPv6 addresses have been added to their firewall and routing configuration.

I have now added DNS information that allows users to visit Geekzone through an IPv6 connection. We decided to keep it simple and continue to use the current URL for both IPv4 and IPv6 connections.

If you visit Geekzone through an IPv6 connection (native or tunnel) then you should see this logo:

If you want to make sure your connection can "see" our server, visit and the default page will show your IPv6 address. The test server does not accept connections from IPv4 addresses and it's only a test page.

Also note, this is probably one of the first New Zealand sites in the top online properties to go IPv6.

Test, disregard!

By Mauricio Freitas, in , posted: 28-Jun-2010 15:58


Movie trailer: Java 4ever

By Mauricio Freitas, in , posted: 27-Jun-2010 10:01

The movie trailer of the year: "Java 4ever" is a journey of discovery for a young hacker who questions his family's use of .Net technologies. From the director of "Javatar" and ".Not":

One of the best geek jokes I've seen...

freitasm's profile

Mauricio Freitas
New Zealand

I live in New Zealand and my interests include mobile devices, good books, movies and food of course! 

I'm the Geekzone admin. On Geekzone we publish news, reviews and articles on technology topics. The site also has some busy forums. Also worth visiting is TravelTalk NZ, a community for travelers!

Subscribe now to my blog RSS feed or the Geekzone RSS feed.

If you want to contact me, please use this page or email me. Note this email is not for technical support. I don't give technical support. You can use our Geekzone Forums for community discussions on technical issues.

Here is my full disclosure post.
