Slashdot Mirror

I got one of these and did some Google searching on some of the phrases used in the e-mail. After I got no hits, I searched for the phone number. No hits. So I searched Google for "Paypal Phone Number". The first hit is to a faq explaining to go to the Help Center. Clicking there, you find a link which takes you to their phone number, which happened to be in a different area code than the number I was sent via the phishing e-mail.

So it actually isn't all that hard to get a phone number for Paypal. For the record, from their home page, click "Help" then "Contact Us" to get to the same page I mentioned above.

Er, yes, they do.

Paypalsucks.com is a front for a group which claims to be a paypal competitor. Guess what? They're a scam quite like the one being discussed in the article. The difference? They're selling something real but useless: a merchant account that literally nobody accepts. So, when you try to go get your seven hundred dollars back, the bank tells you "well, they haven't actually done anything illegal, so, no."

Caveat emptor.

That Google had started Google Checkout. Perhaps since it's new eBay will be sure to give it a 'really close look' before they approve it, you know, for the benefit of the (ummm) users. You can trust them, they have a lot of good in house knowledge of Internet payment.

2.9% + $0.30 USD (0-3k$ of transaction)
2.5% + $0.30 USD (3k-10k$ of transaction)
2.2% + $0.30 USD (10k-100k$ of transaction)
1.9% + $0.30 USD (100k$+ of transaction)

https://www.paypal.com/cgi-bin/webscr?cmd=_display -receiving-fees-outside&countries=

Of course, that is maybe legitimate to charge when it is from credit card, but they can do way better when the money doesn't come from credit card (they can, but still their business model take advantage of this and it is one choice like another, if people are paying...)

I would like to get a good mainstream micro-payment service, please.

One thing I haven't been able to find after a cursory look at Checkout is an option for subscriptions and recurring payments, something that Paypal does offer. I can't think of an easy way to charge users monthly, for instance, as with a magazine subscription. Sure, they can prepay for a year, but does Checkout offer something to auto-renew such subscriptions? Paypal also offers a neat 'trial period' option where there are no payments within the first xx days and the user can cancel at any time during that period.

PayPal already does this: https://www.paypal.com/IntegrationCenter/ic_microp ayments.html

5% plus 5cents. Not quite ready for $0.001 transactions, but it's a good start for anyone selling stuff for $5 or less.

The 1,9% and $0,30 rate for Paypal is if you recieve more than $100,000 to your account and you have a merchant account!

Normally, it's 2.9% + $0.30 USD. https://www.paypal.com/cgi-bin/webscr?cmd=_display -receiving-fees-outside

This reply was modded insightful?! Since when is ignorance insightful? PayPal offers 'Buyer Protection'. PayPal SAYS that you are PROTECTED against FAILED DELIVERIES. Admittedly, this protection is little more than lip service and a marketing tool (the eligibility requirements are high and they deduct a $25 processing fee from whatever funds they MAY recover...), but it is there...

Personally, I can't wait for some service (hopefully 'do no evil' Gbuy) to pee in PayPal's cereal. PayPal truly sucks in so many ways (just Google PayPal sucks...hey, wait a minute....), but they're absolutely essential for doing business on eBay. And to be honest, despite their suckiness, I prefer making payments via PayPal instead of littering my credit card info all over the web...

So looks like micropayments are off the table for now. Oh, and notice the misleading part about "lowest published rate"? IIRC their rate for smaller transactions is 2.9%*, further gouging you on small amounts. The 1.9% rate only applies if you have over 100k in monthly sales.

* https://www.paypal.com/cgi-bin/webscr?cmd=_display -receiving-fees-outside

Google could make a real boom if it supported more countries and made itself a more diverse market. I know it's a problem with banking and tax laws but there's money to be made with it :)

Your credentials are not sent in the clear. The login form's action url is https://www.paypal.com/ so when you click submit on the form, the stuff you send is encrypted.

PayPal tells never to click on a link to log in to their site. They say always type the url: https://www.paypal.com/

Paypal site is slow. Plus, it has nagware pages everytime you log in directly. Plus, if you want to find something a few days old, it's a pain since you have to to history and hit next and remember the amount and all, and did I mention the site is slow?

It's like saying when you contact AT&T, always call the main number and carefully select the options till you get to the technical assistance department instead of just directly calling the technical assistance department.

The bottom line is that Paypal doesn't lose anything from these sucessful phishing attacks and don't do anything to help make life easier.

To answer your question, in short the attack doesn't work if you visit http://paypal.com/ manually.

What an attacker can do is craft a URL that *is* to paypal.com but contains the injected material (i.e. script) inside the URL. In short the paypal.com servers suffer from a vulnerability which allows the execution of this material (passed as an argument in the URL) -- and thus executes the script on the victim's browser. Because of this, the SSL connection is correct, but it appears that paypal is telling you that you need to go to another website to change your credentials.

You still have to get someone to click on the crafted URL for this to work though (hence why phishers are doing this, they're sending emails, or whatever.) so it's not going to work for people who don't click on the URL in phishing emails.

What I'm wondering is why someone would click on a link in a scam and then worry that the SSL certificate is genuine! Someone who knows enough to check the certificate is probably clever enough to ignore phishing scams...

• PayPal will always include your full name in any e-mail correspondence, not "Dear PayPal Member/User/etc."
• PayPal tells never to click on a link to log in to their site. They say always type the url: https://www.paypal.com/

Maybe they have some kind of bad forwarding system set up? At my company you could do the equivalent of: http://www.paypal.com/redirect.php?NEXT_PAGE=%5Bht tp://10.6.6.6/hackers%20fake%20page.html%5D Our stuff does internal redirection to make things faster, so to the user it'll still look like he's seeing something on paypal.com.

How are hackers injecting this code into a legitimate paypal website??

Cross-Site Scripting.

False. The terms of agreement between PayPal and its users state that PayPal is only payment processing service, not a bank, and as a consequence, are not subject to the same regulations as banking services.

See the PayPal User Agreement, which states among other things, the following excerpt:

2. The Legal Relationship between You and PayPal. 2.1 Agency Relationship. PayPal acts as a facilitator to help you accept payments from and make payments to third parties. We act as your agent based upon your direction and your requests to use our Services that require us to perform tasks on your behalf. PayPal will at all times hold your funds separate from its corporate funds, will not use your funds for its operating expenses or any other corporate purposes, and will not voluntarily make funds available to its creditors in the event of bankruptcy or for any other purpose. You acknowledge that (i) PayPal is not a bank and the Service is a payment processing service rather than a banking service, and (ii) PayPal is not acting as a trustee, fiduciary or escrow with respect to your funds, but is acting only as an agent and custodian.
PayPal will pool your funds together with funds from other Users, and will place those funds in accounts at one or more FDIC-insured banks ("Pooled Accounts"). Those funds may be eligible for FDIC pass-through insurance.
...
By initiating and sending payments through the Service or adding funds to your balance, you appoint PayPal as your agent to obtain the funds on your behalf and to transfer the funds to the recipient that you designate or to a Pooled Account, subject to the terms and restrictions of this Agreement.

Well that only accounts for part of phishing emails. However just like some people aren't as bright, or as educated in detecting fake emails, there are phishes who aren't as bright as disguising their fake email. Part of the problem is companies not bothering to make things easier for customers.

For example, when just logged into ebay a moment ago it directed me to a page with a contest where i could $500! The link to enter looks like this:
http://srx.main.ebayrtm.com/clk?%5Bmore junk]
So one could go register ebayrts.com or something similar and send some fake emails saying you could win $500! and direct people to a fake log in page. Now a majority of people would probably be suspicious and not fall for it but we know #1 ebay sends email to it's members about promotions, #2 ebay doesn't always use the same domain name. One could follow the advice you lay out and still fall for the email.

Example 2: How about paypal, they send out an email when someone sends you money. Scammer sends email saying you just received $153.21. The link in the email is https://www.paypal.us/com/cgi-bin/webscr?cmd=_acco unt where the real papal link is https://www.paypal.com/us/cgi-bin/webscr?cmd=_acco unt. (Note Paypal.us is registered by someone in Poland and is currently used for ad squatting) Once again you just have to fall for the simple url and enter your account info. It's not so simple as hey look some 12.34.56.78 is asking me to enter my credit card info.

Real life used examples from Millersmiles.uk, an archive of phishing emails.
http://www.millersmiles.co.uk/report/2661
http://www.millersmiles.co.uk/report/2681
http://www.millersmiles.co.uk/report/2678

Those examples are not going to work 100% of the time and still aren't undetectable but it just requires one lapse where you can easily fall victim. There seems to be a sort of apathy when it come to actually educating people. Most shrug and say it's their own fault for being scammed while companies continue to provide scammers with more ways to fool people. There is a good paper on host naming and url practices in pdf form at: http://www.ngssoftware.com/papers/NISR-BestPractic esInHostURLNaming.pdf
I would imagine phishing schemes would be less effective with just a marginal effort of education end users and following and sound practice by the company.

Gmail routes everything phishy to my spam box and puts a red bar over it. They are batting nearly 100% at spam blocking too. I get about 20 per day, and 1 or 2 slip through every other day on the average.

The Phishes they catch are faily subtle, they are burying their evil link in HMTL which renders OK, and only the phony grammar of the message gives it away:

"Once you have updated your account records, your
PayPal=AE session will not be interrupted and will continue as normal. Go to the link below.

 
http://www.paypal.com/cgi-bin/webscr?cmd=3D_login- run

Leaders / Space

Back to the future
Apr 12th 2006
From The Economist print edition

Don’t race China to the moon, especially if you have been there already

IMAGE (NASA)

JUST before China’s president, Hu Jintao, visits the United States, a new front has opened up in the growing rivalry between today’s superpower and tomorrow’s aspiring one. Not content with bashing China over trade, jobs and its military build-up, several Republican congressmen are worried that the Chinese may try to get to the moon before America does. In apparent seriousness, they fear that America is caught up in a new space race—and that it is losing.

The facts, as laid out last week to a congressional hearing for NASA (itself a lunar veteran), are that China has put two manned vehicles into orbit, is planning a third by 2008, and would like a space laboratory. The politicians were alarmed by China’s scheme to visit the moon in 2017—and they want America to spend up to $5 billion to get there first.

The Americans are certainly right to keep a close eye on what China is up to in space—especially when it comes to military programmes. But the idea that there is a new space race to get to the moon is ludicrous—and not just because Neil Armstrong won that competition in 1969. Look at the details: the Chinese, it turns out, are sending the moon a robot, not a taikonaut. And why on earth (or in heaven) would America want to send people back to the moon anyway?

The reason—and this will come as no surprise to aficionados of China bashing—is a powerful domestic lobby. Racing a Chinese robot to the Sea of Tranquility might be batty, but it is a neat way to milk additional funds for NASA from the American public. You might wonder how Tom DeLay, the ousted majority leader, could warn his colleagues with a straight face that “the advanced state of the Chinese space programme represents a 21st century Sputnik moment.” But his logic becomes much clearer when you realise that NASA is a big employer in his Texas district.

Over the years, America’s politicians have injected the country’s space programme with so much spin, politics and greed that it is now bloated beyond belief. The price of launching a single American shuttle would run the entire Chinese space programme for a year, paying for the work of all its 200,000 scientists and engineers.

Strong arm
More than money is at stake, however. The idea of a space race with a huge communist country dredges up memories of the 1960s—which is precisely why it appeals to some conservatives in Congress. But even in those difficult times, Jack Kennedy had started to think that co-operation with the Soviet Union in civilian space programmes might be a better idea. China should be encouraged to participate in the International Space Station. If the mission to the moon is supposed to be multinational, then the Chinese should be involved in that, too. When governments compete for glory in space, the winners are the contractors and the losers are the taxpayers.

The irony is that the fuss in Congress comes at a time when the real race in space has moved to the private sector. At present, four companies have said they will build sub-orbital vehicles for space tourism. Elon Musk, who made his fortune with PayPal, an online payments system, is trying to shake up the satellite-launching business (and perhaps also the orbital-transport business) with his cheap—but not-quite-working—rocket, Falcon 1. Those are the kind of space races that benefit us all. Long may they continue.
 
::: yfnET

I would say that this problem needs to be treated more like spam. The spam filters on most browsers now-a-days associates the contents of e-mail messages to previous e-mail messages which you have gotten.

With phishing, this needs to be taken one step further. The filter needs to change a bit so that it can associate certain key words within the e-mail message and to place an alert status line at the beginning of the e-mail message. For instance:

If you were to receive a Paypal phishing scam e-mail to your inbox yet the http link was something like "http://my.website.com?who=you&where=paypal&etc... ", then that is a good indicator that this is a phishing scam.

This same type of scanning of an e-mail message holds true for eBay, Chase, and several others which I have received. The two main ingredients always appears to be that there is a call line for a link of some sort (button, hyperlink, whatever) and that link will contain the word (such as Paypal) in it but it is not the proper link (ie: Not http://www.paypal.com./ Further, the rest of the document's text will contain the company's name in it (ie: Paypal, Chase, eBay, Washington Mutual, etc...).

Thus, if just this simple change were instituted, many of the phishing scams would be twarted and caught as such.

But let's go one step further. Why not automatically forward these e-mails to the proper authorities rather than just stopping them? Since, the program would (or should) catch these things - why not ask the user "This e-mail appears to be what is called a phishing e-mail. One intent on obtaining your private information such as credit card numbers, bank accounts, or other sensitive information. Would you like to forwards this to the appropriate company so they can invesitgate this matter?" And give the person the chance to help defeat the phishers.

And, of course, in any event, the message should be deleted or sent to the trash afterwards.

Now, of course, there is always the chance of incorrectly identifying an e-mail as a phishing exercise. Like other filters - there should be a way to edit the phishing filter. This would allow for mistakes to be corrected manually by the user.

Just my $0.02 worth. :-)

Ha Now I see https://www.paypal.com/row/cgi-bin/webscr?cmd=xpt/ cps/mobile/MobileFAQ (you may have to login) "you can send money from your PayPal account to any phone number or email address within the U.S., Canada or the U.K." Dear paypal. There are people living outside UK and US ..

PayPal has had a mobile interface for years, via WAP.
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/mob ile-outside

Info from the PayPal site, since there's only a screen capture at mobilecrunch:

How do I activate my phone to send and receive mobile payments?
You can activate your phone for use with PayPal by following these steps:

    Here's How:

Go to https://www.paypal.com/mobile
Click the Activate button.
Log in to your PayPal account or sign up for a PayPal account.
Select or add a phone and create a mobile PIN.
Click Continue.
PayPal will call and prompt you to enter your mobile PIN to confirm that you have possession of your phone.

Somebody needs to set up a site where we can donate money to the OpenBSD project through PayPal or some other convenient method.

From: http://openbsd.org/donations.html

We can also accept donations via PayPal

Next excuse?

The times they are a changin'
That old MP argument is not going to hold up forever:

PayPal Announces Micropayment pricing:
http://www.paypal.com/activate_micropayments_5pct_ plus_5cents_new_account_pricing

On August 31st, 2005, PayPal announced new Micropayments rate of 5% + $0.05 per transaction.

The rate is available now, to U.S. merchants who sell digital content to U.S. customers, when PayPal is the sole payment solution offered to customers for micropayments transactions.

Merchants who wish to use PayPal's micropayments pricing will need to open a new PayPal account through the account registration link at the bottom of this note.

Each PayPal account is associated with only one merchant processing rate. That rate determines the fee that's applied to funds received into that account (additional information on PayPal's Standard Fees is available at: http://www.paypal.com/cgi-bin/webscr?cmd=_display- fees-outside ). For example: if your Premier/Business Account rate for receiving funds is 2.9% + $0.30, using PayPal's 5% + $0.05 micropayments rate would reduce the total transaction fee charged to payments received below the value of $12 (per payment). However, if you accept payments that are greater than $12, you would pay a lower processing charge by accepting the payment into the account set with the 2.9% + $0.30 rate.

If you wish to leverage PayPal's micropayments pricing, please open a new browser window and paste the link below into the URL field to open your new PayPal account with micropayments pricing of 5% + $0.05.

The times they are a changin'
That old MP argument is not going to hold up forever:

PayPal Announces Micropayment pricing:
http://www.paypal.com/activate_micropayments_5pct_ plus_5cents_new_account_pricing

On August 31st, 2005, PayPal announced new Micropayments rate of 5% + $0.05 per transaction.

The rate is available now, to U.S. merchants who sell digital content to U.S. customers, when PayPal is the sole payment solution offered to customers for micropayments transactions.

Merchants who wish to use PayPal's micropayments pricing will need to open a new PayPal account through the account registration link at the bottom of this note.

Each PayPal account is associated with only one merchant processing rate. That rate determines the fee that's applied to funds received into that account (additional information on PayPal's Standard Fees is available at: http://www.paypal.com/cgi-bin/webscr?cmd=_display- fees-outside ). For example: if your Premier/Business Account rate for receiving funds is 2.9% + $0.30, using PayPal's 5% + $0.05 micropayments rate would reduce the total transaction fee charged to payments received below the value of $12 (per payment). However, if you accept payments that are greater than $12, you would pay a lower processing charge by accepting the payment into the account set with the 2.9% + $0.30 rate.

If you wish to leverage PayPal's micropayments pricing, please open a new browser window and paste the link below into the URL field to open your new PayPal account with micropayments pricing of 5% + $0.05.

Fake Email/Website (Spoof, Phishing)

Paypal, eBay, Amazon, etc all have pretty good security centres. I am surprised that abuse@paypal.com gave that automated reply, but if you visit their website the security centre is prett yeasy to find. You might not get a personalised response to your report because they get so darn many reports, but they do follow through on all reports.

Rich-content e-mail is just another one of the results of the battle between Netscape and Microsoft. They both added programming languages to HTML (JavaScript and VBScript). I hold Netscape just as responsible for the ensuing damage to the network.

One of these days I'm going to see if I can rig Thunderbird to alert on any attempt to fetch a URL from an e-mail tries to go to a host which differs from the From address. So spoofers can still send out "account-confirm@paypal.com", but they'd have to find an XSS exploit because all their links would have to go to http://something.paypal.com/. Just a "Hey, did you mean that" alert, so friends can still mail URLs to each other.

This is basically like Paypal. Has the existence of Paypal forced mail servers to be more secure or risk spam zombie installers taking over their machines? No. Emailing someone information that tells them how to collect a payment opens no technical vulnerabilities that aren't inherent in emailing them any other type of information people are already emailing anyway. The email simply contains the address of the micropayment company and the purchase number (or whatever you want to call it) of the micropayment. Your computer checks the URL of the micropayment company top be sure it's a valid one from your list (it starts with http://www.paypal.com/ , or whatever), then it uses something such as HTTP to contact that address and make sure the payment number provided is in fact valid. How does this open a mail server to vulnerability, when your computer parses a URL and checks to see if a payment is valid? Again, this simply automates a process people already go through every day with Paypal and many other online transactions, and I haven't heard of it creating a single exploit yet.

I recently stumbled across a website that was using paypal for purchases... Interestingly, they required their customers to agree that they would never reverse the charges, in any circumstance, and some other shady stuff... Basically abusing/violating Paypal rules and possibly Federal Trade regulations.

And the website appeared to be a very-thinly pyramid scheme.

I sent a detailed email to Paypal voicing my concerns.

The response from paypal?


Thank you for contacting PayPal.

Unfortunately, we are unable to assist you with your account specific
question. To guarantee the security and privacy of your personal and
financial information, you must log into your PayPal account. To submit
your question securely, please click https://www.paypal.com/wf/f=default
and enter your email address and password into the Member Log In box.

If you have any further questions, please feel free to contact us again.

Sincerely,
(name withheld)
Protection Services Department
PayPal, an eBay Company


WTF?!?!?!?!? I'm trying to report that criminal fraud is going on and they want me to login first???

I do not see how from this table http://pages.ebay.com/help/sell/fees.html, near as I can figured that is a 1.99 fee for 50 dollar sale. then lets say shipping is 5 dollars for usps, then for receiving funds in paypal is 1.9 to 2.9 % plus 30 cents. so if you are making under 3000 a month it is 1.90 for the paypal fee. Now that is 4 dollars total. to avoid paypal, do money orders. Pay pal listing of fees http://www.paypal.com/cgi-bin/webscr?cmd=_display- fees-outside I do selling for friends all the time and never get bit on the fees by just following these calculations. For ebay you need to watch the listing fees.

nternet Explorer and Firefox will display http://www.stealyourpassword.com/paypal as http://www.paypal.com/ while Safari will show it's true address. It's to avoid forwarding addresses that are spoofed.

+5 interesting? WTF?

I have not heard of address spoofing like this in firefox. I see no relationship between the issues the article is talking about and address spoofing.

Can you give us the slightest bit of evidence about what you're talking about? Or is this yet another case of the apple fanboys modding up a nice (but irrelevant) comment about wonderful apple software?

This is not a bug but a feature in Safari. Internet Explorer and Firefox will display http://www.stealyourpassword.com/paypal as http://www.paypal.com/ while Safari will show it's true address. It's to avoid forwarding addresses that are spoofed.

Can you imagine how greatly this would help international phishing schemes? Say that someone manages to register paypal.com.ro. I go to Romania for the weekend, and being a naïve Internet user, simply go to http://www.paypal.com./ I'm in romania so I get sent to http://www.paypal.com.ro/ which is some third party fool. That would not be good.

Didn't you get the memo? They already are:

On August 31st, 2005, PayPal announced new Micropayments rate of 5% + $0.05 per transaction. The rate is available now, to U.S. merchants who sell digital content to U.S. customers, when PayPal is the sole payment solution offered to customers for micropayments transactions. Merchants who wish to use PayPal's micropayments pricing will need to open a new PayPal account through the account registration link at the bottom of this note. Each PayPal account is associated with only one merchant processing rate. That rate determines the fee that's applied to funds received into that account (additional information on PayPal's Standard Fees is available at: http://www.paypal.com/cgi-bin/webscr?cmd=_display- fees-outside ). For example: if your Premier/Business Account rate for receiving funds is 2.9% + $0.30, using PayPal's 5% + $0.05 micropayments rate would reduce the total transaction fee charged to payments received below the value of $12 (per payment). However, if you accept payments that are greater than $12, you would pay a lower processing charge by accepting the payment into the account set with the 2.9% + $0.30 rate. If you wish to leverage PayPal's micropayments pricing, please open a new browser window and paste the link below into the URL field to open your new PayPal account with micropayments pricing of 5% + $0.05. http://www.paypal.com/activate_micropayments_5pct_ plus_5cents_new_account_pricing If you have further questions about the micropayments pricing, you can send questions to: micropayments@paypal.com

Didn't you get the memo? They already are:

On August 31st, 2005, PayPal announced new Micropayments rate of 5% + $0.05 per transaction. The rate is available now, to U.S. merchants who sell digital content to U.S. customers, when PayPal is the sole payment solution offered to customers for micropayments transactions. Merchants who wish to use PayPal's micropayments pricing will need to open a new PayPal account through the account registration link at the bottom of this note. Each PayPal account is associated with only one merchant processing rate. That rate determines the fee that's applied to funds received into that account (additional information on PayPal's Standard Fees is available at: http://www.paypal.com/cgi-bin/webscr?cmd=_display- fees-outside ). For example: if your Premier/Business Account rate for receiving funds is 2.9% + $0.30, using PayPal's 5% + $0.05 micropayments rate would reduce the total transaction fee charged to payments received below the value of $12 (per payment). However, if you accept payments that are greater than $12, you would pay a lower processing charge by accepting the payment into the account set with the 2.9% + $0.30 rate. If you wish to leverage PayPal's micropayments pricing, please open a new browser window and paste the link below into the URL field to open your new PayPal account with micropayments pricing of 5% + $0.05. http://www.paypal.com/activate_micropayments_5pct_ plus_5cents_new_account_pricing If you have further questions about the micropayments pricing, you can send questions to: micropayments@paypal.com

Just send me a some money via paypal using the url below.
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick& business=wescotte%40earthlink.net&item_name=Make%2 0Wescott%20happy&no_shipping=0&no_note=1&tax=0&cur rency_code=USD&bn=PP-DonationsBF&charset=UTF-8

This is really a blind test on how much disposible income slashdotters really have because Taco is looking for some marketing research on his new slashdot products to compete with google.

I suggest you donate way way to much so Taco had very inaccurate figures and when Slashdot.com finally launches it will be sure to fail right away and uh.. ok I think this has gone to far..

Just send me some damn money.. please

Let me see if I understand. Only people who already have an iPod should expect to understand the web page offering to sell them? If I already had one, why in the world would I want to buy another? (Not to transfer files between, evidently.)

"Shut up troll ... you're too stubborn and arrogant to support a popular standard ... I don't bitch at Sony ... People just like to bitch ... "

The reply started out so helpfully ... I guess it's not just Apple. I wonder which got it from whom. I always thought if you paid for something, you had a right to look into what you were getting. I thought it reasonable to check if useful features missing from previous models, and that wouldn't cost anything to add, might show up in a later model.

Maybe I'm just not worthy to host the sublimity that is iPod during its short visit to Earth. Or maybe I'll make a donation to BJ at http://ipodlinux.org/, wait a bit, and see what happens.

For more details, see: thieving bastards.

IN fact, if I was paypal, I would contact someone at the Red Cross and setup a account for this purpose

you mean, like this one

Have already done this - and have been posting the following message on every forum and messageboard I am a member of: Subject: Paypal robs Red Cross of $20000 ______________ http://www.somethingawful.com/ Comedy site Something Awful recently organised a Paypal donation drive for the survivors of Hurricane Katrina (they could not use their normal credit-card processing as their servers are located in New Orleans). Because there were over 3000 dollars an hour flooding in, Paypal suspected fraud and have suspended the account, which then stood at over twenty thousand dollars. Paypal do not usually release funds on suspended accounts. They look set to keep the lot (on top of the 2.35% fees they charge anyway). Please contact Paypal at this link http://www.paypal.com/cgi-bin/websc...contact-gene ral to ask them to forward the funds to the Red Cross immediately, and reinstate the account so people can continue donating. Thanks for your help P.S. feel free to copy to other forums or forward by email

Contact Us page at Paypal.

Send them an email and ask about this, with a link to this Slashdot page.

Please click:
http://www.paypal.com/

Have this on their website: http://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/g eneral/PayPalKatrinaReliefEffort-outside By the way, the Red Cross was a poor choice of charity to give money to. They are just as bad as PayPal.

You've almost definitely been had. Please visit these links for more information:

How can I tell the difference between a real PayPal email and a fake one?
What should I do if I receive a fake email?

You've almost definitely been had. Please visit these links for more information:

How can I tell the difference between a real PayPal email and a fake one?
What should I do if I receive a fake email?

Today I received a standard phishing email, except this one was different in one important way. The link to "please to update your details" went to http://www.paypal.com/ (not even any i18n tricks in there). I thought maybe the spammer had made a mistake, but after reading this, it all falls into place.

I'm assuming your study took place in the US, if that assumption is wrong then I wouldn't be as confident in my assertions. That said:

The seminal study that made the "ecstasy"/neurotoxicity link was actually with methamphetamine-- that's a pretty big mistake. [View the retraction.] Unfortunately it's a mistake which is easily upheld against anecdotal evidence of recreational users due to the high frequency with which pills are sold as "ecstasy" which are meth (in addition to DXM, ephedrine, etc.) While these people may believe they used MD(M)A, more than likely they were reporting repeated, high-dose methamphetamine usage.

It would be prudent for everyone- especially researchers- to be made aware of the large discrepancy between what your subjects SAY they have taken, and what they have most likely actually ingested, particularly in the case of ecstasy/MDMA.

[For more info on how one faulty study getting a therapeutic substance on emergency Schedule I, read the story at MAPS, and give a few dollars while you're there.]

yup completely useless.

a solution is a verification service with a newer implimentation of https.

I.E. https that REQUIRES the ip address as well as domain name be present in the certificate and validated at a authintication server.

spoofing https://www.paypal.com/ becomes impossible as the browser would return an error stating "site invaild, this is more than likely a spoofed site desigend to steal your personal information, please enter the website's name you desire by hand ."

unless they hack the auth server and/or write a virus that modified the browser to not check it will stop most of them.

Absolute best solution is for the banks to stop being cheap assholes and give out smartcards to the customers and cheap readers that has their pseronsal encryption key used to access their account. want to check on your Visa platinum? you gotta plug that card in the smartcard reader to access the account.