Wednesday, October 30, 2013

How to use Google Authenticator with OpenBSD, OpenSSH, and OpenVPN--and why you might not want to

I thought that Google Authenticator might be a quick and easy two-factor authentication solution for VPN access to my personal network, so I did some Google searches to see if that were so.  I found quite a few sources describing how to set it up with systems that use Linux Pluggable Authentication Modules (PAM), but very little about using it with BSD Authentication on OpenBSD.

The most promising link I came across was to an implementation of Google Authentication for OpenBSD that was last updated in early 2013, based on Google's PAM code, but I couldn't get it to work.  It compiled and installed, and the googleauth code for generating a secret (and a very insecure way of generating a QR code to use to import it into the Google Authenticator application) worked fine, but I couldn't successfully use it for console login, OpenSSH login, or OpenVPN login.

I also found the standard OpenBSD port for openvpn_bsdauth, which compiled, installed, and worked successfully for password authentication by adding these lines to my OpenVPN configuration:
script-security 2
tmp-dir <path to dir writable only by _openvpn user>
auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-file

This also requires that the authenticating user be put into the _openvpnusers group.

I was unable to get the via-env method to work, however.

I next tried the standard OpenBSD port of login_oath, which implements the OATH toolkit and uses the same TOTP (time-based one-time password) protocol that Google Authenticator uses.  This turned out to do the trick.  Once installed, you create a secret key that the server authentication will check against and store it in your home directory (one thing I liked about googleauth is that it stores the shared secret in a system directory to which the user doesn't have access; better still is the suggestion of keeping the secrets on an auth server as totp-cgi does).  The documentation recommends creating the secret (which the user doesn't need to know except for the initial configuration of the Google Authenticator client application) by doing:
openssl rand -hex 20 > ~/.totp-key
I then needed to convert this from hex to base32, which is simple enough with the method the documentation recommends: the Perl module Convert::Base32 (OpenBSD port p5-Convert-Base32) and a short script like:
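#!/usr/bin/perl
use strict;
use warnings;
use Convert::Base32;
# Read the hex-encoded secret written by "openssl rand -hex 20".
open(my $fh, '<', '/home/vpnuser/.totp-key') or die "cannot open key file: $!";
my $secret = <$fh>;
close($fh);
chomp $secret;                     # drop the trailing newline so pack sees only hex digits
my $code = pack('H*', $secret);    # hex string -> raw key bytes
# Print in uppercase, which authenticator apps may require for manual entry.
print uc(encode_base32($code)), "\n";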
The resulting code can be manually entered into Google Authenticator.

To use Google Authenticator as a login method, I updated the login class for the user I wanted to use in /etc/login.conf so that its last two lines were:
:auth=-totp,passwd:\
:tc=default:
This allows either Google Authenticator or password authentication at the console, but only Google Authenticator via OpenSSH or OpenVPN as I configured them.  Instead of using "-totp" you can also use "-totp-and-pwd" which requires the entry of both your Google Authenticator code and your password (in that order, with a slash in between them) in order to authenticate.

For OpenSSH, I added the following lines to my sshd_config:
Match User <vpnuser>
     PasswordAuthentication yes
     AuthenticationMethods publickey,password:bsdauth
I don't allow password authentication at all for other users; for this user, an SSH public key must first be used, then Google Authenticator must also be used before a successful login. [Updated 1 Nov 2013 to add:  After a reboot, this ssh config failed with a log message of "fatal: auth2_update_methods_lists: method not in AuthenticationMethods".  Removing the ":bsdauth" made it work again (it works since the "password" authentication method will use BSD Authentication by default), but this looks like an SSH bug.]

So why might you not want to do this?  While Google Authenticator ensures that what is used over the network as a password is better than a typical user-selected password, it effectively stores a shared secret in plaintext at both ends of the connection, which is far less secure than SSH public key authentication.  If the device where Google Authenticator is present gets compromised, that secret is compromised.  And as the above link about totp-cgi points out, if you use Google Authenticator with the same secret across multiple machines, that secret is only as secure as the least secure host it's stored on, and using different secrets for different machines doesn't scale very well with the application.  A password safe with randomly generated passwords, stored in encrypted form, is probably a better solution in most cases. [Updated 2 November 2013: Authy uses the same TOTP mechanism as Google Authenticator, but encrypts the secret key on the client side.  That encryption is really more obfuscation than encryption since the key is based on phone attributes and can potentially be reverse engineered.]

As I've set it up, I'm still relying on SSH public key authentication for SSH logins, and on certificate authentication for VPN logins, in addition to Google Authenticator.  For the case of logging into my VPN from my laptop and having Google Authenticator on a separate mobile device, it does seem to be a security improvement (though I welcome anyone to show me that the gains are illusory).

UPDATE (July 31, 2019): Note that you should make the .totp-key file in the user's home directory owned by and only readable by root, or else you're effectively permitting that user to do passwordless doas/sudo, since passworded doas/sudo will use the TOTP mechanism for authentication. That won't stop the user from removing the .totp-key file and replacing it with their own, but at least that action becomes detectable. To prevent removal, on OpenBSD you can set the file to be immutable (schg flag) and run at securelevel=2. But a better solution would really be to put those secrets somewhere outside of the individual user's home directory.
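One way to detect the replaced-key case described in this update, as an added Python example (not part of the original post): it flags a .totp-key that is not owned by root, is accessible to group or other, has been swapped for a symlink, or, optionally, lacks the schg flag. The function name, the finding strings and the loop over the password database are assumptions of this example.

```python
import os
import pwd
import stat


def audit_totp_key(path, trusted_uid=0, require_schg=False):
    """Return a list of findings for one key file; an empty list means it passes."""
    try:
        st = os.lstat(path)          # lstat: do not follow a symlink planted by the user
    except FileNotFoundError:
        return ["missing: key file does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink: key path is a symbolic link"]
    if not stat.S_ISREG(st.st_mode):
        return ["type: key path is not a regular file"]

    findings = []
    if st.st_uid != trusted_uid:
        # A user-owned key means the user replaced it (or it was never locked down).
        findings.append("owner: uid %d, expected %d" % (st.st_uid, trusted_uid))
    if st.st_mode & 0o077:
        findings.append("mode: %04o grants group/other access" % stat.S_IMODE(st.st_mode))
    if require_schg:
        flags = getattr(st, "st_flags", None)   # st_flags exists on BSD systems only
        if flags is None:
            findings.append("flags: st_flags not available on this platform")
        elif not flags & stat.SF_IMMUTABLE:
            findings.append("flags: schg (system immutable) not set")
    return findings


if __name__ == "__main__":
    # Walk every account's home directory and report key files that fail the audit.
    for account in pwd.getpwall():
        key_path = os.path.join(account.pw_dir, ".totp-key")
        if not os.path.lexists(key_path):
            continue
        for finding in audit_totp_key(key_path, require_schg=True):
            print("%s: %s" % (key_path, finding))
```

Run it from root's crontab or a daily security script so that a change of owner or mode shows up in the next report.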

UPDATE (October 22, 2019): The OpenVPN authentication with 2FA is broken in OpenBSD 6.6; it now leads to user/password authentication failures. Not sure why yet.

UPDATE (October 22, 2019 #2): Looks like it may have been user error; it works now, though I did update my _openvpnusers group to the new number (811) from the old one (596), but the number itself shouldn't be hardcoded in openvpn_bsdauth, so that shouldn't have had an impact.

UPDATE (30 October 2022): Also see Solene Rapenne's blog post on this same topic.

UPDATE (18 June 2024): Note that Authy (and probably any other authenticator app) treats manual secrets entry as case-sensitive even though base32 is not, and secrets must be entered in uppercase.

Friday, April 05, 2013

Matt Dillahunty and disbelief by default

In his recent talk at the American Atheist convention on skepticism and atheism, Matt Dillahunty states (at about five minutes in) that skepticism does tell us what to believe in the case of untestable claims--that the default position is disbelief.

But no, the default position has to be nonbelief, not disbelief.  To disbelieve in a proposition is to believe in the negation of the proposition, to believe that the original proposition is false.  And Dillahunty already said that (a) we should proportion our belief to the evidence and that (b) the proposition in question is untestable, meaning there is no evidence for or against it.

The position he describes is logically inconsistent.

We know that there are untestable propositions that are true.  We shouldn't believe that they are false simply because they are untestable. We should only believe they are false if we have good reasons to believe they are false; in the absence of that we should be agnostic.

(Added 5:36 p.m.: What are the implications for the above argument if it is the case that untestability does not entail lack of evidence or reasons?  What about if we distinguish evidential from non-evidential reasons?  And if we take the latter course, what does that say about proposition (a), above? Left as an exercise for commenters.)

Saturday, March 09, 2013

Isaac Funk and the Widow's Mite

One of the more interesting and better documented cases of surprisingly accurate information from a spirit medium that is described in Deborah Blum's fascinating book, Ghost Hunters: William James and the Search for Scientific Proof of Life After Death (2006, Penguin Books), is the case of Isaac Funk and the Widow's Mite (pp. 260-262).

Funk, of Funk & Wagnall's Dictionary, had been visiting a medium in Brooklyn, New York in February 1903.  About his third visit, he subsequently described the following (in Isaac K. Funk, The Widow's Mite and Other Psychic Phenomena (1904, Funk & Wagnalls), pp. 159-160, now in the public domain due to copyright expiration):
About eleven o'clock the control named "George," in his usual strong masculine voice, abruptly asked: "Has anyone here got anything that belonged to Mr. Beecher?" There was no reply. On his emphatic repetition of the question, I replied, being the only one present, as I felt sure, who had ever had any immediate acquaintance with Mr. Beecher: "I have in my pocket a letter from Rev. Dr. Hillis, Mr. Beecher's successor.  Is that what you mean?" 
The answer was: "No; I am told by a spirit present, John Rakestraw, that Mr. Beecher, who is not present, is concerned about an ancient coin, 'The Widow's Mite.' This coin is out of its place, and should be returned. It has long been away, and Mr. Beecher wishes it returned, and he looks to you, doctor, to return it." 
I was considerably surprised, and asked: "What do you mean by saying that he looks to me to return it? I have no coin of Mr. Beecher's!" 
"I don't know anything about it except that I am told that this coin is out of place, and has been for a number of years, and that Mr. Beecher says you can find it and return it."
I remembered then that when we were making "The Standard Dictionary," some nine years before, I had borrowed from a gentleman in Brooklyn--a close friend of Mr. Beecher's, who died several years ago--a valuable ancient coin known as "The Widow's Mite."  He told me that this coin was worth hundreds of dollars, and, under promise that I would see that it was returned to the collection where it belonged, he would loan it to me. ... 
I said to the control, "The only 'Widow's Mite' that has ever been in my charge was one that I borrowed some years ago from a gentleman in Brooklyn; this I promptly returned"; to which the control replied: 
"This one has not been returned." And then, after a moment's silence, he said: "Do you know whether there is a large iron safe in Plymouth Church?" 
I answered: "I do not." 
He said: "I am impressed that this coin is in a large iron safe, that it has been lost sight of; it is in a drawer in this safe under a lot of papers, and that you can find it, and Mr. Beecher wishes you to find it." 
I said: "Do you mean that this safe is in Plymouth Church?" 
He said: "I don't know where it is. I am simply impressed that it is in a large iron safe in a drawer under a lot of papers, and has been lost sight of for years, and that you can find it, and Mr. Beecher wishes you to find it. That is all that I can tell you."
Funk goes on to inquire of his business manager, who insists that it was returned, and of Mr. Wagnalls and Wheeler, who knew nothing of the coin, but Wheeler, a skeptic, suggests that it's a good test.  Funk asks a cashier, who remembers the coin, but also says that it had been returned, to investigate.  After twenty minutes, the cashier returns with an envelope containing two "Widow's Mites," which was located in one of two safes (the large iron one), in a drawer under papers.

The two coins are a smaller light-colored one and a larger black one, and Funk recalls that the smaller one was used for the illustration in the dictionary and that it was the genuine article, while the other was a fake.  He returns to the medium, and asks which coin is the right one.  Contrary to his belief, the medium (as "George") says that it is the black one, and that the friend of Mr. Beecher's to whom it belongs is a man associated with a large ladies' school in Brooklyn Heights.  Funk recalls that it was borrowed from Prof. Charles E. West, head of a ladies' school in Brooklyn Heights.

Funk sends both coins to the Philadelphia Mint for examination, and they determine that the medium is correct, the black one is the correct one, and the wrong one was used for the illustration in the dictionary.

Funk notes that the preface of the dictionary notes, regarding the illustrations, contains the description "The Widow's Mite (which was engraved from an excellent original coin in the possession of Prof. Charles E. West of Brooklyn, N.Y.)."

Funk's book provides a number of affidavits supporting the recounting of events, including that only two people present with the medium knew of Funk's connection to the coin (Funk and Irving Roney, the latter of whom provided an affidavit), that no one knew that the coin had not been returned, and that the cashier staff had no knowledge of the coin which was in the safe in their office.

The coin was returned to West's son, who also provides an affidavit stating that he was unaware that the coin had not been returned and assumed that it had been.  Funk says he dined repeatedly with the elder West prior to his death, and the coin was never brought up.

Funk proceeds to list a series of facts about the case and some possible explanations (pp. 168ff), and finds difficulties with fraud, coincidence, telepathy and clairvoyance, and spirit communications as explanations, though he appears to favor the last of these.

Funk presented the case to a number of eminent scientists of the day, including William James, Alfred Russel Wallace, and William Crookes, all of whom were associated with the SPR or ASPR and each of whom suggested spirits as a possible explanation.  Many of the other scientists and philosophers, however, suggested fraud or deception (see table in Funk's book, pp. 177-178).

As presented in Blum's book, this case seems more impressive than it does with all of the details in Funk's account.  What I find suspicious are that the medium is located in the same city as the person from whom the coin was borrowed, that the connection between the owner of the coin and the illustration was published in Funk's dictionary (omitted by Blum), and that although the son had forgotten about the coin being loaned out, he thought "it altogether likely that his father told at the time other members of his family, and possibly some persons outside the family" (Funk, p. 174).  All that it would take for the fraud hypothesis would be that the medium had heard, second-hand, about the never-returned coin, and speculated that it had been forgotten and was kept in a safe (and perhaps offered a guess about which coin was genuine; that information has no clear source from the details recounted).  Funk infers that because West never brought up the coin that he had forgotten about it, but that is an assumption on his part--perhaps West made periodic complaints about it not having been returned, but didn't mention it to his son.  Funk suggests, based on class distinctions, that no one in the medium circle other than himself would have known that West even existed, which seems a highly questionable assumption.

Wednesday, March 06, 2013

The Decline (and Probable Fall) of the Scientology Empire

My talk from January 19, 2013 to the National Capital Area Skeptics is now online!

Thanks very much to the NCAS for professionally recording and editing this video.

I've included some notes and comments below.


  • 0:50 & 42:29 "Advanced Teachings" available at all Advanced Orgs are up to OT V. Advanced Orgs can deliver through OT V; OT VI & VII can only be obtained at the Flag Service Organization (FSO) in Clearwater, FL, and OT VIII can only be obtained on Scientology's cruise ship, the Freewinds. See: http://www.xenu.net/archive/ot/
  • 8:01 German U-boat -- I should have said Japanese submarine
  • 9:14 Photo is often claimed to be from 1968 but is really from 1959-60, so Cleve Backster probably wasn't the source of Hubbard's claim, as I originally said in the talk (also see my previous blog post on this topic).
  • 10:53 Aleister Crowley is pronounced "crow-lee," not "craugh-lee" (I apparently have not broken a bad habit of following Ozzy Osbourne's pronunciation).
  • 13:59 the Fraser Mansion, though referred to by Scientology as the "founding church" from the 1970s to 2010, wasn't the original building. The original building, at 1812 19th St. NW, is now a museum called the L. Ron Hubbard House (though his house was across the street), which the church acquired in 2004. The Fraser Mansion is now Scientology's National Affairs Office.
  • 14:11 The first use of the name "Church of Scientology" was by the Church of Scientology founded in Camden, N.J. in Dec. 1953; the first Church of Scientology corporation was in Los Angeles (Feb. 1954, which became the Church of Scientology of California in 1956), the Church of Scientology of Arizona was incorporated that same year. Hubbard's organization while he lived in Phoenix was the Hubbard Association of Scientologists, International (HASI), founded in Sep. 1952. All HASI assets were folded into the Church of Scientology of California in 1966.
  • 31:07 "Division 20" should have been "Department 20."
  • 32:43 "bad status" -- Scientology "conditions" are a scale, like the tone scale, that your "ethics" are in, which are positive or negative. For each condition there is a "conditions formula" you are supposed to apply to get to the next better condition. Those assigned to the RPF are put in a condition of "liability" (the rag on arm mentioned is a sign of the condition of liability). See: http://www.cs.cmu.edu/~dst/Library/Shelf/wakefield/us-11.html
  • 41:07 PIs following the Broekers--mainly Pat Broeker; after one apparent attempt to leave (described in Lawrence Wright's book, Going Clear), Annie Broeker remained in Scientology until her death. Tony Ortega describes the testimony of the two PIs, who spoke out for one day before their lawsuit with Scientology was settled: http://tonyortega.org/2012/11/29/scientologys-master-spies/
  • 43:22 Lawrence Wright's book says that "Int Base" and "Gold Base" are two different bases at the same location; "Int" being the international headquarters and "Gold" named after Golden Era Studios.
  • 1:05:35 "dog was drowned" -- Judge Swearinger's dog, Duke, a miniature collie, drowned; it's not certain that it "was drowned."
  • 1:07:10 "unable to attend uncle's funeral" -- Hubbard died on January 24, 1986; the Challenger explosion was January 28, 1986.
  • 1:17:43 St. Louis Ideal Org.  The pictured Masonic Temple is not the St. Louis Ideal Org, which is still under construction. (Thanks to ThetanBait on YouTube for this correction.)
  • Narconon's drug purification program involves vitamin (esp. niacin) megadoses, but "injections" is not correct.

Tuesday, January 01, 2013

Books read in 2012


Books read in 2012:
  • Scott Atran, In Gods We Trust: The Evolutionary Landscape of Religion
  • Andrew Blum, Tubes: A Journey to the Center of the Internet
  • Henry A. Crumpton, The Art of Intelligence: Lessons from a Life in the CIA's Clandestine Service
  • Robin Dreeke, It's Not All About "Me": The Top Ten Techniques for Building Quick Rapport with Anyone
  • David Edmonds and John Eidinow, Rousseau's Dog: Two Great Thinkers at War in the Age of Enlightenment
  • Bart D. Ehrman, Did Jesus Exist? The Historical Argument for Jesus of Nazareth
  • Misha Glenny, DarkMarket: How Hackers Became the New Mafia
  • Grant Foster, Noise: Lies, Damned Lies, and Denial of Global Warming
  • Torkel Franzén, Gödel's Theorem: An Incomplete Guide to Its Use and Abuse
  • Andy Greenberg, This Machine Kills Secrets: How WikiLeakers, Cypherpunks, and Hacktivists Aim to Free the World's Information
  • James Hannam, God's Philosophers: How the Medieval World Laid the Foundations of Modern Science
  • Sam Harris, Lying
  • Joseph Heath, Economics Without Illusions: Debunking the Myths of Modern Capitalism
  • Edward Humes, Monkey Girl: Evolution, Education, Religion, and the Battle for America's Soul
  • Ronald Kessler, The Secrets of the FBI
  • Susan Landau, Surveillance or Security? The Risks Posed by New Wiretapping Technologies
  • Declan McHugh, Bloody London: A Shocking Guide to London's Gruesome Past and Present
  • Robert A. Melikian, Vanishing Phoenix
  • Mike McRae, Tribal Science: Brains, Beliefs, and Bad Ideas
  • P.T. Mistlberger, The Three Dangerous Magi: Osho, Gurdjieff, Crowley
  • Evgeny Morozov, The Net Delusion: The Dark Side of Internet Freedom
  • Eduardo Obregón Pagán, Historic Photos of Phoenix
  • Parmy Olson, We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency
  • Bruce Schneier, Liars and Outliers: Enabling the Trust that Society Needs to Thrive
  • Ali H. Soufan, with Daniel Freedman, The Black Banners: The Inside Story of 9/11 and the War Against Al-Qaeda
  • Neal Stephenson, REAMDE
  • Cole Stryker, Epic Win for Anonymous: How 4chan's Army Conquered the Web
  • Tim Weiner, Enemies: A History of the FBI
  • Jon Winokur (compiler & editor), The Big Curmudgeon
  • Tim Wu, The Master Switch: The Rise and Fall of Information Empires
I made substantial progress on a few large books:
  • Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems (2nd ed)
  • Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment: Identifying and Avoiding Software Vulnerabilities
  • Steven Pinker, The Better Angels of Our Nature: Why Violence Has Declined
  • James C. Scott, Seeing Like a State: How Certain Schemes to Improve the Human Condition Have Failed
  • Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications

(Previously: 2011, 2010, 2009, 2008, 2007, 2006, 2005.)

Saturday, September 22, 2012

Capitalist vs. socialist bombs

While reading Ross Anderson's massive tome, Security Engineering: A Guide to Building Dependable Distributed Systems (second edition), I came across this paragraph in section 19.7 on "Directed Energy Weapons" (p. 584):
Western concern about EMP grew after the Soviet Union started a research program on non-nuclear EMP weapons in the mid-80s.  At the time, the United States was deploying 'neutron bombs' in Europe--enhanced radiation weapons that could kill people without demolishing buildings.  The Soviets portrayed this as a 'capitalist bomb' which would destroy people while leaving property intact, and responded by threatening a 'socialist bomb' to destroy property (in the form of electronics) while leaving the surrounding people intact.
This reminded me of a science fiction story I read in Omni magazine at about the time in question, which Google reveals was "Returning Home" by Ian Watson in the December 1982 issue.  In the story, the Americans and the Soviets attacked each other, the Americans using neutron bombs which killed all of the Soviets, and the Soviets using some kind of bomb which destroyed essentially everything except the people.  The ending twist was that the surviving Americans ended up migrating to the Soviet Union and adopting the Soviet culture.

Friday, August 10, 2012

The myth of fingerprints

I've been reading Ross Anderson's epic tome, Security Engineering: A Guide to Building Dependable Distributed Systems (2nd edition, 2008, Wiley), and have just gotten into the chapter on biometrics (ch. 15).  Section 15.5.2, on Crime Scene Forensics, points out three major criminal cases where fingerprint matches have been in error, including the Brandon Mayfield case which I wrote about at this blog back in 2007.  Anderson points out that law enforcement agencies have claimed to juries "that forensic results are error-free when FBI proficiency exams have long had an error rate of about one percent, and misleading contextual information can push this up to ten percent or more" (pp. 470-471).  It's probability at work:
Even if the probability of a false match on sixteen points [the UK standard, the U.S. has no minimum] were one in ten billion (10^-10) as claimed by police optimists, once many prints are compared against each other, probability theory starts to bite. A system that worked fine in the old days as a crime scene print would be compared manually with the records of a hundred and fifty-seven known local burglars, breaks down once thousands of prints are compared every year with an online database of millions. (p. 471)
One of the other two cases Anderson discusses is that of Scottish policewoman Shirley McKie, who was prosecuted on the basis of a 16-point fingerprint match found at a murder scene and could not find any fingerprint examiner in Britain to defend her.  She found two Americans who testified on her behalf that it was not a match (Anderson shows the crime scene print and her inked print on p. 469; the crime scene print is heavily smudged).  McKie's own fellow officers tried to convince her to give false testimony about her presence at the crime scene, which she refused to do.  She was acquitted, but lost her job and was unable to get reinstated.

The third case Anderson mentions is Stephan Cowans, who was convicted of shooting a police officer after a robbery in 1997.  He was convicted, but argued it was not his fingerprint.  After Cowans was able to get crime scene evidence tested for DNA which was found not to match, a re-examination of the fingerprint also found that there was no match.  So six years after his conviction, he was acquitted on appeal.

Further evidence of the errors which can arise from fingerprint examination comes from two studies by psychologist Itiel Dror which Anderson describes.  In one study, five fingerprint examiners were each shown a pair of prints, allegedly the falsely matched prints from the Mayfield case, and asked to point out the errors.  Three examiners gave explanations for the non-matches, one said that they did, in fact, match, and one was uncertain.  In fact, the pairs of prints were each purported matches by the corresponding examiner from a recent criminal case, so only one of the five was still certain that a match testified to in court was in fact a match upon re-examination with a skeptical mindset.  In a second study, Dror gave each of six experts eight prints that they had matched in previous cases, and four of the six gave inconsistent results.

Anderson points out that belief in the infallibility of fingerprint evidence has the effect of promoting carelessness by examiners, not giving proper critical scrutiny to the method or its assumptions in changing conditions (e.g., the increase in the number of fingerprints to match against in the age of the computer), and increasing the negative consequences of cases of failure.  In the McKie case, Anderson points out, "there appears to have arisen a hierarchical risk-averse culture in which no one wanted to rock the boat, so examiners were predisposed to confirm identifications made by colleagues (especially senior colleagues).  This risk aversion backfired when four of them were tried for perjury." (p. 472)

Itiel Dror's two papers (references from Anderson, p. 923):

IE Dror, D Charlton, AE Péron, "Contextual information renders experts vulnerable to making erroneous identifications," in Forensic Science International 156 (2006) 74-78

IE Dror, D Charlton, "Why Experts Make Errors," in Journal of Forensic Identification v 56 no 4 (2006) pp 600-616; at http://users.ecs.soton.ac.uk/id/biometrics.html

(Previously, which includes reference to Simon Cole's book on fingerprint evidence which shares the title of this post.)

Sunday, May 27, 2012

"In God We Teach" documentary

Now on YouTube, "In God We Teach," a documentary about Matt LaClair's exposure of his U.S. History teacher's proselytization in the public school classroom.

Tuesday, February 14, 2012

Document leak from the Heartland Institute

Documents leaked from the Heartland Institute reveal its funding sources (including Charles G. Koch and an unnamed single donor providing about 20% of their total revenue) and recipients of funding (including $5,000/mo to Fred Singer and a plan to raise $90,000 for blogger Anthony Watts in 2012).

The Heartland Institute is essentially the Tobacco Institute for climate change denial.  See previous posts at this blog with the Heartland Institute tag.

UPDATE (February 18, 2012): It appears that one of the documents, the one with the most embarrassing statements, was a forgery--but the statements I've made above all appear to be confirmed.

UPDATE (February 21, 2012): Climate scientist Peter Gleick has confessed to being the leaker of the documents, but claims the apparently forged document was mailed to him anonymously and he scanned it in before distributing it with the others which he obtained by subterfuge after receiving the anonymous mailing.  The oddities and errors in the forged document, however, strongly suggest Gleick himself forged the document after receiving the others.

Saturday, February 11, 2012

Work-at-home scams

I was asked earlier today if I could give my opinion on whether the work-from-home opportunity advertised at the domain onlineprofitmasterssystem.com is a scam.  A quick bit of research produced some interesting results; my conclusion is that it is almost definitely a scam, by people with a history of promoting scams.

First, the domain registration:


Registrant:
   Phillip Gannuscia
   1780 W. 9000 South
   #315
   West Jordan, Utah 84088
   United States

   Registered through: Go Daddy
   Domain Name: ONLINEPROFITMASTERSSYSTEM.COM
      Created on: 04-Nov-11
      Expires on: 04-Nov-12
      Last Updated on: 29-Nov-11

   Administrative Contact:
      Gannuscia, Phillip  nate@essentmedia.com
      1780 W. 9000 South
      #315
      West Jordan, Utah 84088
      United States
      (801) 803-5769      Fax --

The very domain and URL and web content of the page are already screaming red flags, and there are more to be found in the above data.  It's a recently registered domain, and the contact physical address appears to be a private mail drop service.  Both the address and telephone number listed are associated with multiple other companies (e.g., BBB F-rated eVenture International, run by Richard Scott Nemrow, who was cited multiple times by the Utah Division of Consumer Protection in 2009) and domain names (e.g., makerichesfromhome.com, educationtrainingsonline.com, executivelearningonline.com, learningresourceontheweb.com, and lightlifemaster.com) which also look like scams.  This particular company, Online Profit Masters, has an F rating from the BBB.  The named contact, Phillip Gannuscia, has an email address with someone else's name, nate@essentmedia.com, apparently Essent VP Nathan L. Kozlowski, a former Mormon missionary.  Does Gannuscia even exist, or is the name just an alias for Kozlowski?  The company whose domain is used here for the contact email address, Essent Media LLC, another Richard Scott Nemrow company, has a corporate registration which expired in 2010.

I'd steer clear of any business with these guys.  And if you come across this blog post because you've already been ripped off by them (like this guy reports), I suggest you file a complaint with the Internet Crime Complaint Center as well as contacting your local law enforcement agency.