In a nutshell, Honda Village lied to us when we bought our car, lied to us after the fact, ignored our complaints, sent us (and others) intentionally misleading junk mail and refused to stop when asked, sent us lots of spam and refused to stop when asked, and did mediocre auto-body work for us which took multiple attempts to get right (this last point was Village Collision, another business within the Village Automotive Group umbrella of which Honda Village is a part).

Nevertheless, Honda Village is where we bought our Honda Odyssey minivan, and they are the closest Honda dealership to our house, so when we need service done that is warranty- or recall-related and/or inexpensive and hard enough for them to screw up, we take our van there. Or so I thought.

A number of months ago, I brought our van to Honda Village for some simple service or recall or something; I forget the details. After looking up our van in the computer, the associate informed me that I had to speak to the service department manager about something. I went into the manager’s office, where he informed me that Honda Village would not service my vehicle.

Honda Village has never apologized for any of the things I complained to them about. They have never acknowledged doing anything wrong, unless you consider it an “apology” when they paid me the refund I demanded for the warranty which they convinced me to purchase by outright lying to me about its coverage (fraud!).

Their response to my legitimate complaints was not to acknowledge them and try to improve. No, their response has been to continue on with business as usual and refuse to serve me.

Judge for yourself whether this is a business which deserves your patronage.

P.S. I just realized that I never got around to posting what happened after my last letter to Honda Village’s lawyer. So, for those who are curious… Their lawyer sent back a response asserting that the precedents on which I was relying were out-of-date, and citing a newer precedent which he claimed precluded my filing a Chapter 93a claim against Honda Village. After reviewing that newer precedent, I thought he was probably right, and in any case didn’t have any more time to waste on it, so I dropped it.

I have been in conversation about this with a high-level employee at Brave New Foundation, and I am now able to report the following important information:

• Brave New Foundation does not sell, share or rent their email lists.
• There is a Brave New Foundation employee with access to their lists who has a relative who works for Nation of Change.
• Brave New Foundation believes that this Nation of Change employee made unauthorized use of his/her relative’s access to copy an as yet undetermined subset of Brave New Foundation’s email lists for Nation of Change’s use.
• Brave New Foundation does not believe its employee was complicit in this unauthorized access. In fact, s/he was unaware that it had occurred until I brought it to Brave New Foundation’s attention.
• Brave New Foundation considers this breach of their data to be extremely serious, and they are actively investigating it.
• Brave New Foundation is considering legal action against Nation of Change both to prevent any further use of the copied email addresses and to obtain financial compensation for the damage to Brave New Foundation’s reputation and the time and resources spend investigating this incident.

All of this information, as well as some additional off-the-record supporting information that I cannot report here, was provided to me directly by an employee of Brave New Foundation. I have no reason to believe that employee is lying, and what s/he told me is consistent with my suspicions and impressions about Nation of Change. However, in the spirit of full disclosure, I want to be clear that I have not seen any hard evidence supporting any of Brave New Foundation’s allegations against Nation of Change.

When you combine these new allegations against Nation of Change with all the other issues I raised in my first posting about them, it seems doubtful that this is an organization which deserves anyone’s support.

I asked a lot of questions about Nation of Change, and thus far they’ve failed to respond to any of them. Here’s what has happened instead.

In response to my complaint, a representative of Nation of Change informed me, “I was unable to find your address: [elided] in our system.” I sent back a reply in which I included the entire header of the spam from Nation of Change, showing clearly that they had sent email to that address. They did not respond.

Much more significantly, several days later I received a “Thank you for Signing Up!” email sent to the same tagged email address from a different progressive web site, CommonDreams.org. When I complained to them, they claimed that someone had entered the address into the subscription form on their web site.

This is certainly not coincidence. It looks very much to me like whoever is behind the unauthorized transfer of a list of email addresses from Brave New Foundation to Nation of Change is trying to cover their tracks by making it look like I’m lying about the privacy of the email address in question. Either that, or they’re just being vindictive and trying to make my life difficult because I exposed their actions.

In January 2010, Oracle completed its acquisition of Sun. The Sun developer web sites were eventually decommissioned and are not active today. Since the completion of the acquisition, I’ve received no email at the tagged email address I gave to Sun. Until today, that is.

Today, I received this spam sent to that tagged email address:

Received: from mail.recruitingbee-agent8.com (mail.recruitingbee-agent8.com [184.172.232.199])
	by jik3.kamens.brookline.ma.us (8.13.8/8.13.8) with ESMTP id p7BNER5P022529
	for <[elided]>; Thu, 11 Aug 2011 19:14:27 -0400
Received: from find ([127.0.0.1]) by recruitingbee-agent8.com with MailEnable ESMTP; Thu, 11 Aug 2011 18:14:39 -0500
MIME-Version: 1.0
From: "Tech-centric Jobs" <noreply@recruitingbee-agent8.com>
To: [elided]
Date: 11 Aug 2011 18:14:39 -0500
Subject: Technology job openings
Content-Type: text/plain; charset=us-ascii
Message-ID: <EF440C500DF841B3AE10C51197A0EA91.MAI@recruitingbee-agent8.com>
Content-Transfer-Encoding: 8bit

**********************************************************************

Find the latest software & programming jobs http://www.tech-centric.net/

**********************************************************************

A good programmer is someone who always looks both ways before crossing a one-way street. ~Doug Linder

The latest programming jobs are available: http://www.tech-centric.net/

If however you are not interested in exploring programming jobs at this time please optout:

http://www.recruitingbee.com/unsubscribe.aspx?email=[elided]&token=[elided]

All the best,
The Health Medical Job Site
1350 E Flamingo Rd
Las Vegas NV, 89119

It looks like either Oracle sold the email addresses of sun.com web site users to a third party, or somebody stole them. Neither of these casts Oracle in a particularly good light.

I am, of course, going to do my best to contact someone in Oracle who might be willing and able to look into this, but I am rather skeptical that I will have any success.

Let me tell you about a little strategy I use to find out who’s buying and selling my email address… When I give my email address to an organization or Web site, I “tag” it to make it unique to that site while still ending up in my inbox. So when that site decides to sell or share my address, I know who did it.

When I put my address on a petition created by Brave New Films (now the Brave New Foundation) during the 2008 presidential campaign, I did not give Brave New Films permission to give it out to others. Guess what, folks, that’s spamming, and it’s evil, and I don’t support organizations that spam or help others spam. By giving out my address and others without permission, Brave New Foundation has permanently lost my support, and by using my and others’ illicitly obtained addresses, so have you.

But that’s not the end of it. Because I’d never heard of your organization before receiving your spam yesterday, and because it was sent to an address that should not have been shared, and because something looked a little, well, iffy about it, I decided to do a little research and try to learn more about you. And I can’t say I liked what I found.

It’s not because you’re advocating positions with which I disagree. I haven’t actually looked carefully at your positions, but from what little I glanced at, I didn’t see anything I found particularly shocking or offensive. No, what’s bothering me is that I get the distinct impression that you’re trying to lie and deceive people. And if you think I want to see progressives emulating the Koch Brothers, boy, you’ve got another think coming.

Let me give you some examples of what I’m talking about.

The email you sent me yesterday was the first one I’ve ever received from you, and yet there was no acknowledgment of that fact in the email. You made it look like it was just business as usual, as if you were someone I’d been corresponding with all along, just another political organization clamoring for attention in my inbox. That’s just wrong. If you’re going to start spamming people without their permission, then the least you can do is introduce yourselves and give them the opportunity to recognize that you’re someone new and they should make a conscious decision about whether they want to keep hearing from you. Trying to slip in under people’s radars is deceptive and slimy.

Like your email to me, your Web site is clearly and unequivocally designed to give the impression that you’re an entrenched, established organization. There’s nothing on the site about the fact that you’ve just launched, nor is there any historical information about you. Where did you come from? How long have you been around? What was the impetus for the creation of your organization? How long have you been working in progressive journalism? What are your progressive credentials? What are your journalism credentials? What are the biographies and qualifications of your leadership team and board of directors (neither anyone on your board nor your executive director have any easily found information about them on the Web)? All of this information is needed for people to be able to properly evaluate the credibility of your organization. Maybe after you’ve been around for a few years, your work will speak for itself, but it’s deceptive and slimy to pretend that it does when it really doesn’t.

How do I know that you just launched? Because when I searched yesterday, there wasn’t a single link to your Web site anywhere on the internet that isn’t controlled by you (i.e., your Facebook page, Twitter feed). Did you think nobody would notice that you sprang out of nowhere?

When I look up the whois information for Brave New Foundation, just as an example, I see real contact information about real people who work for that organization. In contrast, when I look up your whois information, I see:

Registration Private
Domains by Proxy, Inc.
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
Phone:+1.4806242599
FAX:+1.4806242598
Email:NATIONOFCHANGE.ORG@domainsbyproxy.com

What (or who) are you trying to hide?

If you think I’m going to want to have anything to do with an organization that proudly lists Noam Chomsky as one of its authors, you’re very much confused. He’s a nutcase and a crackpot, and any progressive who thinks he’s anywhere near on the same page as Chomsky is a progressive I want nothing to do with, thank you very much.

Your Web site claims, “We are directly funded by small donations from the public whom we serve. We believe that this distinction is essential to the production of reliable journalism and truly independent thought.” However, since you just sprang yourselves on the world yesterday, clearly none of the “public whom [you] serve” has had the opportunity to donate yet, and yet you’ve somehow managed to find the money to hire a staff, build a kick-ass Web site hosted in the Amazon cloud (which isn’t free), and do a big email blast which also isn’t free. Who bankrolled the creation of your organization? Who’s continuing to pouring money into it until it is really able to support itself from “small donations,” if indeed that ever occurs?

As far as I can tell, your mailing address is a private home within a housing development. What’s up with that?

Your Web site makes reference to your Bylaws, but said Bylaws are not published in full anywhere on the site.

Your Web site claims that you are a 501(c)3 organization, but neither Network for Good’s nor GuideStar’s database of all registered 501(c)3 charities lists you (at least not under the name “Nation of Change”, and rather than providing your EIN on your Web site, you say, “Your donation email receipt will include all relevant tax information, including the NationofChange Tax EIN number.” Again, what are you trying to hide? Why haven’t you published your EIN on your Web site?

Are you aware that BBB standards for charitable accountability require a minimum of five voting members? Your board has only four, one of which is your executive director, an arrangement which is discouraged by the BBB and charity watchdogs for reasons which should be obvious.

Should we be concerned about the fact that your Director of Development has the same last name as your Executive Director? Are they both paid positions? Nepotism is a big problem in poorly run charities.

For all I know, a year or two from now I will be awestruck by the good your organization has done after springing from out of nowhere. But right now, I’m not awestruck. Instead, I’m suspicious. Really, really suspicious. Is that the first impression you wanted to make on your potential supporters?

Sincerely,

Jonathan Kamens

[Simulblogged.]

Therefore, I’m blogging what I know, in the hope that perhaps someone else will be able to look at the facts and point out something I missed about why this is going on.

A few days ago, I received an automated email message from the “Starwood Preferred Guest” program which began, “Thank you for contacting Starwood Preferred Guest.” Except I hadn’t.

I assumed that a spammer had sent spam with my return address to Starwood, so I just ignored it.

However, later that day, I received this message from Starwood:

Dear Jonathan Kamens,
Thank you for contacting Starwood Preferred Guest. I hope this email finds you well.
I must apologize but I am unable to determine exactly what your inquiry is regarding. If you would please reword your question or add more detail we would be pleased to assist you.
We are always available to assist you; feel free to chat with us online, have us call you, or if you prefer, simply reply to this email. Have a lovely evening.

Best Regards,

[name elided]
Specialist, E-Communications Department
Starwood Hotels & Resorts Worldwide

Original Message Follows:
————————
SPG Number: *******24
Subject: Benefit Clarifications
Comments: In the moment two persons must give me money they are Ingrid Betancourt and Guy André-Kieffer these two persons must give me two milliards [sic] of dollars.
First Name: Diallo
Last Name: Mamadou Oury
Email Address: jik@kamens.brookline.ma.us
Membership Level: E

Note that whoever wrote to Starwood (through a form on their Web site, I suspect) gave the name “Diallo Mamadou Oury”, but when Starwood wrote back to me, they used my real name! I thought at the time that they must have looked up my name from my email address, since I was at one point a member of the Starwood program, but I just called their customer server number and asked them to look up my account by name or email address, and they were unable to do so. I just sent them an email message asking where they got my name from; I will update this blog entry when I hear back from them about it.

Note also that Ingrid Betancourt and Guy André-Kieffer are real, prominent people. Bizarre!

Anyway, I wrote back to Starwood and told them that somebody was clearly just misusing my email address, and they should ignore it. I thought that was the end of it.

Now it gets crazy.

Earlier today, I got this from Google:

Congratulations on creating your brand new Gmail address,
ibsondao.mamadou331@gmail.com.
Please keep this email for your records, as it contains an important verification code that you may need should you ever encounter problems or forget your password.

You can login to your account at http://mail.google.com/

Enjoy!

The Gmail Team

Verification code: [elided]

If you didn’t create this Gmail address and don’t recognize this email, please visit: http://mail.google.com/support/bin/answer.py?answer=62400

WTF? What benefit would someone get from creating a Gmail account and using someone else’s email address as the recovery address?

Thinking fast, I immediately used the fact that this person listed my email address for recovery to change the account’s password and security question. So whatever he was intending to do with this account, which I honestly can’t imagine, he isn’t going to be able to.

Note that whoever created the Google account gave the name “Diallo Mamadou”, which matches what he gave to Starwood, but doesn’t match the email address he chose, where he instead used the name “Ibso Ndao Mamadou”.

So, does anybody have any ideas about what’s going on here?

About six months ago, I started getting spam from an email address that I had only used in one place: signing up one of my kids for a Scholastic, Inc. book club through their web site back in 2007.

I contacted Scholastic and told them that either they were selling my email address and it needed to stop, or they had suffered a data breach of at least customer email addresses, if not more.

In response, Scholastic’s CISO informed me that Scholastic doesn’t sell email addresses to third parties; their children’s book club business was sold to Sandvik Publishing in 2008; the email address in question was no longer in Scholastic’s database; and I should contact Sandvik if I wished to pursue the matter further.

I sent a reply to the CISO which read as follows:

I don’t recall ever being asked whether I considered it OK for Scholastic to sell my PII to another company. This is especially disturbing since at that point I was no longer a customer of Scholastic’s for the business that was sold.

Granted, your privacy policy gives you the legal right to sell any information you collect to anyone you want. The fact that you are legally permitted to do that doesn’t make it right.

Your privacy policy also says, “Scholastic ensures that all personally and non-personally identifiable information that it receives via the Internet is secure against unauthorized access.” Alas, you apparently do not consider it your responsibility to ensure that the third parties to whom you sell PII keep it as secure as you claim to do yourselves. That is rather disappointing.

I will contact [Sandvik] as you have suggested. However, if I were in your shoes, I would be extremely concerned that a third party to whom Scholastic had sold PII allowed it to be compromised, and I would consider it my responsibility to investigate the issue myself, rather than leaving the wronged (former) Scholastic customer entirely on his own.

I received no further response from Scholastic.

I then contacted the president of Sandvik. He insisted that Sandvik also does not sell email addresses, and that it was simply impossible that my address could have been leaked through them, since the only place they have it is on a USB drive locked in a safe. They said it was more likely that the address was stolen by someone from my mail server or computer.

I explained in response that the the only place this address could be found on my computer was in a three-year-old, compressed email archive in a totally non-standard location in my home directory, and that I ran my own Linux mail server which I actively monitored on a daily basis, which had never shown any evidence of any sort of successful intrusion, and which in any case was hardly an attractive target for spammers to go to the trouble of harvesting email addresses from, since it serves only the people in my family.

For this, and various other reasons I pointed out, it was far more likely that the address had been stolen at some point from Sandvik. I also pointed out that the data breach laws in many of the states in which Sandvik does business would seem to require Sandvik to initiate an investigation into the breach and/or to report it to various state governments. At this point, Sandvik, too, stopped responding to my emails.

There’s really no way of knowing whether my email address was actually stolen from Scholastic or Sandvik. I don’t save mail server logs back far enough to know when I first started getting spam at that address, and even if I did, there’s no guarantee that spammers would have started using the address immediately after getting their hands on it, nor is there any guarantee that Scholastic completely destroyed the data immediately after selling the business to Sandvik. Scholastic and Sandvik both refuse to acknowledge the possibility that email addresses and possibly more PII were stolen from them, and it’s unlikely that a nobody like me would be able to convince them to take this more seriously, so I stopped trying.

I’d like to contrast the poor handling of the email address breach by Scholastic and/or Sandvik with an email message I just got from Brookstone:

++++++++++++Important E-Mail Security Alert++++++++++++

Dear Valued Brookstone Customer,

On March 31, we were informed by our e-mail service provider that your e-mail address may have been exposed by unauthorized entry into their system. Our e-mail service provider deploys e-mails on our behalf to customers in our e-mail database.

We want to assure you that the only information that may have been obtained was your first name and e-mail address. Your account and any other personally identifiable information are not stored in this system and were not at risk.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

In keeping with best industry security practices, Brookstone will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, Brookstone.com.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Brookstone Customer Care

It turns out that the provider who leaked Brookstone’s address list was Epsilon, and they also leaked the lists of a bunch of other clients, many of them more frightening (because of the risk of spear phishing attacks) than Brookstone. See Krebs on Security for details.

It’s unfortunate that Brookstone allowed a breach of email addresses and the first names associated with them, because spammers will use the first names to help them evade people’s spam filters and execute more convincing and successful phishing attacks. Having said that, Brookstone deserves a great deal of credit for sending out this notification. Furthermore, if the timeline in the notification is true, then they sent it out two days after being notified about the breach, which is all the more impressive.

Update [4/5/2011]: I’ve now also been contacted about the Epsilon breach by 1-800-FLOWERS.COM and Walgreens. Woohoo!

Update [4/6/2010]: Add Chase to the list. It’s sort of sad that it took Chase, a bank, three days longer to notify me than Brookstone, a high-end luxury toys merchant.

It looks like the good guys are successfully shutting down some big botnets!

I’ve had run-ins of varying magnitude about this with numerous organizations over the years. The ones that I post about here are the worst of the worst. They have either overtly refused to accommodate my requests, or claimed repeatedly, but falsely, that they had done so.

Today, I am forced to add Yad Sarah to this disreputable bunch. I am sorry to do this, because the work Yad Sarah claims to do is important, and because they appear to be respected by other organizations which I respect and tend to trust. However, after my experience with them, I must wonder how efficiently and effectively they use the money entrusted to them by donors to perform their mission.

I have had to ask Yad Sarah to stop spamming me on no less than four separate occasions, in July 2004, August 2004, May 2005, and most recently July 2010. Each time I made the request, they claimed that it had been acted upon. Each of the first three times, it turned out that it had not. Although I give them credit for managing to stop spamming me for over five years after my May 2005 request, I must ask which part of “You must remove my e-mail address from any and all of your mailing lists, immediately and permanently,” which is what I wrote to them in July 2004, they are incapable of understanding.

I had similar trouble getting their American fundraising arm, Friends of Yad Sarah, to remove me from their postal mailing list. I wrote to them on three separate occasions, first by email and then twice by fax, before I finally got a response. The person who responded claimed, “This is the first request we received,” which means that either she was comfortable implying that a donor is a liar, or the organization is so shoddily run that they lose track on a regular basis of attempts by donors to contact them. At least they seem to have done the right thing when they finally responded — I haven’t received any junk mail from them since April 2009.

I encourage those who value Yad Sarah’s work and might choose to support them to seek out better run organizations that will put your money to better use.

Here’s the letter I’ve just sent Maddox:

Dear Mr. Maddox,

You got my email address, either directly or indirectly, from Robert Wexler. I gave him this address in 2008 when I donated to his campaign.

I have asked him and his office staff REPEATEDLY since then to stop spamming me and stop giving my email address to other people. He and his staff have completely ignored me.

Now, I can no longer ask him or his staff, because he has resigned and his Congressional staff has been disbanded.

I am writing to ask you:

1. Please remove my email address, [elided], permanently and completely from your database.

2. Please tell me from whom, exactly, you got my email address and how, exactly, I can contact them, so that I can do my best to stop them from giving my address to anyone else.

It is SHAMEFUL that you and your fellow politicians are still batting around my email address, like bullies taking away a kid’s toy and throwing it around despite his repeated requests, “Give it back!” What is WRONG with you people?

Sincerely,

Jonathan Kamens

]]> http://blog.kamens.us/2010/05/18/spam-rape-from-robert-wexler-continues-this-time-via-scott-maddox/feed/ 0