Lenovo Y410P Update

Since my last post over the weekend, the whole “#LenovoGate” situation has exploded.  On Monday, a #MediaMonday campaign was started on Twitter to raise media awareness of the issue and it succeeded – I was contacted by Sean O’Shea at Global News who interviewed me for a story about the scandal and even used quotes from this blog in a piece they posted online (Link).  Today things got even crazier – I was contacted by the CBC and a few other news outlets to speak out about the problem but due to work related travel commitments I wasn’t able to speak with them nor was I really able to stay on top of all the developments of the day and boy was today busy.

Apparently today was the day Lenovo decided to finally end their vow of silence and respond to the Canadian media, with Milanka Muecke (LinkedIn Profile) talking to Global News (link to the Global News coverage) where they “generously” offered to give the affected customers a $100 coupon to use towards a future purchase, but not until after May 28th, after the current “DOORBUSTER” sale has already ended.  During the interview, Ms. Muecke is also quoted as saying “some customers were opportunistic, in some cases purchasing hundreds and hundreds of them”.

I’m going to start with the “generous offer” of a $100 coupon and then address Ms. Muecke’s comments.  Let’s assume the average customer agreed to take Lenovo up on this offer and buy a Y410P laptop after May 28th.  Looking at the Lenovo website today, we see the Y410 listed as “web price: $1,389.00” and then the current “DOORBUSTER” eCoupon bringing the price down to $799.00.  The current “DOORBUSTER” isn’t even a door buster in any sense of the word – the Y410 has routinely been for sale on the Lenovo site for $849 this year, meaning the door buster is really only a $50 savings.  So what, if any, savings is a $100 coupon going to get the average consumer when the current promotion is done?  My guess?  None.  Lenovo will list the Y410P as something like “web price $899” so any customer attempting to use the “amazing” Lenovo coupon offer will only get the laptop for $799 or maybe a bit less.  This is a far cry from the original $279 and by no means is it any form of compensation for the affected customers.

As for Ms. Muecke’s comments about some customers being “opportunistic” she’s right – some people likely were.  But this is a distraction from the real issue.  In any large group situation there are always going to be outliers – people whose actions deviate from the norm – and Lenovo is attempting to “spin” this debacle into a focus on those few bad actors rather than the thousands of Canadians who just wanted a good deal on a laptop.  As consumers we need to make sure we make it clear that while a few people might have done that it wasn’t the norm.  I know personally I only ordered one laptop for personal use and I wasn’t being “opportunistic”; I just saw a great deal from (what I thought was) a reputable online company and ordered from them in good faith.

We also have to remember that this isn’t Lenovo’s first price fixing mistake in Canada – in the past they have canceled orders for a tablet over a $50 price differential error and even turned back shipments over a similar mistake for a ThinkPad X-series laptop back in 2012. It’s clear through all of this that Lenovo is a company that can’t manage their website, can’t manage their media relations, and apparently can’t even price their own products correctly – who knows if they can even handle giving us $100 coupons!

The point is that as a consumer I want to be able to shop online with confidence knowing that the price a retailer posts is the price I’m going to pay and that when I get an order confirmation email that I’m going to get the product I ordered at the price I expected. Period.  In my opinion, Lenovo needs to stand behind the laptop offer as posted ($279) and deal with the “opportunistic” customers by limiting it to one laptop per customer.  It’s that simple.

Anything short of that and we as consumers will have lost.

 

My letter to the Competition Bureau about Lenovo

For those of you who are unaware, Lenovo Canada (@Lenov0_Canada) posted an online “door buster” sale this week listing some of their products as up to 80% off.  The link for this sale obviously spread like wildfire around the internet as some of the deals were amazing, including a Lenovo Y410P laptop for $279 CAD. Like a lot of people, I ordered one of these laptops assuming this was (as the promo code said) a “door buster” sale.  Less than 24 hours later, I got an email from Lenovo that my order was canceled “due to a pricing error on our website” with an invitation to call them as they “would like to help you place a new order”.

This, of course, is a classic “bait and switch” – get customers to your store with amazing deals and when they actually try to buy the product tell them it’s not in stock and attempt to upsell them to a more expensive one.  The only difference here is that in this case Lenovo accepted my money, gave me a confirmation number, and charged my credit card before realizing their mistake.  So this is bait, sell, cancel, then switch – great twist on a classic marketing stunt.

Like many consumers (#LenovoSucks is currently trending on Twitter in Canada) I was outraged by this situation and so I wrote a complaint to the Competition Bureau (http://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/h_00130.html) to have them review what is obviously a case of “bait and switch” or at least a case of false selling price representation, both of which are offences under the Competition Act in Canada.

Here’s a copy of what I submitted – if you were affected by Lenovo’s failure to live up to their advertised prices I suggest you do the same.

On Thursday, May 22nd, 2014, Lenovo posted an online “door buster” sale on their website (http://www.lenovo.ca) listing a  laptop computer for $279 CAD, a screenshot of which is posted on my website at http://mgamble.ca/lenovo/Lenovo-279-promo-2.jpg

The website promotion clearly states “With eCoupon: $279.  You save $600”.  While normally I would assume this was a pricing error, the fact that the promotional code for the offer was “DOORBUSTER” led me to believe this was in fact a “door buster” sale.  As a consumer, I’ve come to expect that during a doorbuster sale, a particular item or a selection of items is given at a special discount price for a limited period at prices that are often very attractive, so I assumed this was a special sale and ordered the product on Friday, May 23rd, 2014.

At 2:10 PM on Friday Lenovo tweeted that this was a “pricing error” and that the sales team would reach out to “affected customers” (https://twitter.com/lenovo/status/469918191117152256)

However, despite claiming that the sale was a pricing error the Lenovo website continued to offer the product for the $279 price as late as 10PM EST on May 23rd as you can see from this screenshot – http://mgamble.ca/lenovo/Lenovo-279-promo-4.png.  If this was in fact a pricing error, and Lenovo knew about the “error” as early as 2PM EST then why were they still offering the product for sale 8 hours later at the incorrect price?

On Saturday, May 24th I received the following email from Lenovo:

Thank you for your recent Lenovo purchase. Due to a pricing error on our website, we will have to cancel your order. We sincerely apologize for the inconvenience this has caused, and would like to help you place a new order.

We invite you to visit our website at www.lenovo.com or speak with a Product Specialist at 1-855-253-6686 opt1, opt1 as we have updated all current pricing and configurations

The above email indicates that the sale was a “pricing error” but then suggests that I should contact them to place a new order. To me this is classic “bait and switch” pricing or at least a false selling price representation under the Competition Act.  Had this been a genuine error a customer would not expect the following:

  1. The website to have a promotional code (DOORBUSTER) that implied a lower than expected price
  2. The website to continue selling the product at the incorrect price for 48 hours
  3. The vendor to continue to sell at the incorrect price for an extended period of time after discovering the “error”
  4. The vendor attempting to “upsell” customers to a newer product when they would not honour the original pricing.

Please investigate this matter to the fullest extent possible.  A large number of Canadians placed orders for this product in good faith and have now had their orders cancelled without valid cause.

Enhanced version Originate application for Asterisk 11.5+

The other day I was playing with the Asterisk “Originate” dial plan application which lets you originate an outbound call and connect it to a specified extension or application.  For those who know Asterisk, this is basically the same as the AMI (Asterisk Manager Interface) Originate command, but with one major exception – unlike the AMI Originate command, the originate application does not allow you to pass along the calling line ID name or number for the outbound call, nor does it let you pass any channel variables.  Because of this limitation, all my outbound calls from the dial plan were coming out as from anonymous.

To resolve this, I’ve posted an updated version of the originate application to GitHub (https://github.com/matthewmgamble/asterisk-originate-2) which allows you to pass CLID Name, CLID Number, and channel variables as optional arguments.

Nothing earth shattering, but I hope someone else finds it useful!

 

 

Patch for AST-2013-005 & Asterisk 1.6

Recently the Asterisk Security Team announced two new security issues – AST-2013-004 and AST-2013-005, both for remote crash vulnerabilities in the Asterisk SIP stack.  While the Asterisk Security Team provides patches for Asterisk 1.8 & 11, they no longer provide updates for older Asterisk releases such as 1.6.2, which went EOL on 2012-04-21.

While it’s best practice for everyone to update to the latest stable releases, sometimes that isn’t possible, and since I still have one Asterisk system in my lab running 1.6.2 I figured I should investigate if it was vulnerable to these issues.  Conveniently, the Asterisk Security Team provides a basic Asterisk configuration and sipp scripts to reproduce both security issues, so testing Asterisk 1.6.2 was actually quite simple.

For AST-2013-004, I couldn’t actually reproduce the issue on Asterisk 1.6.2.24.  Testing an unpatched Asterisk 1.8 I could reproduce the issue and generate a segmentation fault, but it looks like Asterisk 1.6.2.24 is not affected.  I would still strongly recommend that anyone running 1.6.2.x still test this issue themselves as I didn’t do any extensive testing.

For AST-2013-005 I reproduced the issue on Asterisk 1.6.2.24 and triggered the expected crash.  By reviewing the patch provided by the Asterisk team in the security advisory, and the Asterisk 1.6 source code, I created a new patch (AST-2013-005-1.6.2.24.diff) to address the issue.  After applying the patch and recompiling the issue appears to be resolved.

So for anyone still running Asterisk 1.6.2 I strongly recommend you upgrade to a later release, but if that isn’t an option for you then the patch above should allow you to resolve the remote crash vulnerability that exists.

I hope this helps anyone still running an older asterisk release!

Introducing iaxproxy – a simple IAX2->SIP Proxy / Protocol Converter

Every once in a while some of the work I do @ Primus is allowed to be released back to the community and so I’m very happy to be able to announce the release of a project I’ve been working on in my spare time for the past few months – iaxproxy.org.

IAXProxy is an open source IAX2 to SIP Back-to-back Protocol Adapter (B2BPA) based originally off the source code for the Asterisk PBX project. The goal of IAXProxy is to allow anyone the freedom to integrate IAX2 based end-points seamlessly into a SIP environment. Previously interconnecting IAX based devices to a SIP based network was challenging at best, requiring the network operator to run dedicated Asterisk PBXs to connect these devices. The result was that IAX2 based users were always “second class citizens” in a SIP environment – the SIP “core” was not aware of the device state of an IAX2 endpoint (registered/unregistered), etc. IAXProxy changes that by providing “surrogate registration” type functionality for IAX2 devices. When an IAX2 endpoint connects to IAXProxy the endpoint information is looked up in an internal in-memory database and, assuming the IAX2 device passes authentication, a SIP Peer and SIP Registrar are created on the user’s behalf. When the IAX2 endpoint becomes unreachable the SIP Peer & Registrar are deleted. This allows the SIP network to be fully aware of the state of IAX2 devices and features such as Call Forwarding Unreachable to be provisioned at the SIP Server level.

The software is currently very “alpha” but it does work and allows you to make and receive calls using IAX2 devices to a SIP network and I’m continuing to do testing / bug fixing, etc.  I’m currently looking for anyone interested in assisting with this project – I need help with testing, documentation, etc so if you are interested please let me know. You can download the initial release from http://www.iaxproxy.org or directly from GitHub (https://github.com/primuslabs/iaxproxy)

As you can tell, I’m very excited about this initial release and look forward to the community feedback.  It’s a very niche project that only a very small number of people will find useful but for me I get a great sense of satisfaction in knowing that my creation is now free for anyone else to use / extend / improve.

Phishing by Phone

Today I had the most interesting experience – someone attempted to “hack” my PC by phone.  Around 3PM I got a call from “9-1227” who claimed they were from my “PC Support Department” and who informed me that my PC was running slow due to “corrupt files” and that they could help me diagnose and fix the problem.  The caller got me to open “Event Viewer” (I had to lie about where I was clicking since he assumed I was using XP) and then informed me that every “error” and “warning” inside there was a record of a corrupt file and that my PC was dying.

This is where the fun started as he thought he had an idiot user on the phone and told me he would connect me to his senior tech who would help me solve the problem.  At this point I started capturing the RTP from my phone.  Here’s the audio from that call transcoded from G729 to MP3.  If you listen to the call, you will hear how I play dumb for the entire time while he attempts to get me to go to “logmein123.com” and enter a code to let the repair person “fix” my PC.  I let them connect to an XP VM I had lying around for a few minutes and they started to download some spyware application, so I killed the VM when the download was about 50% complete.  They then called me back several times to try to get me to reconnect, but I explained that I was having internet issues and kept getting “Page Cannot be Displayed” to waste more of their time.  In the end, I think they spent close to an hour trying to get me to let them on my PC.

What amazes me is that the value of hijacking a single PC is worth an hour of some random hacker’s time – I’ve never heard of this type of scam before and I’m sure that if I was an average PC user who wasn’t technically savvy I might believe that someone from the “support department” of the “PC company” was calling to help speed up my PC.  So if you have any non-technical users in your life alert them to this new trend before they let some random person access their PC.

PS – logmein.com – you need an abuse department.

Crowd sourced network security

For the past month or so, there has been a large discussion on the Toronto Asterisk Users Group mailing list about SIP security and the increase in “brute force” attacks against hosts running Asterisk.  The generally accepted solution is to use something like fail2ban to monitor log files and block the offending hosts.  This is a great way to add a layer of security to a server, but it’s reactive security, not proactive.

To help make things a bit more proactive, I’ve started a new project called CrowdSecure which aims to take intrusion attempt reports from users, aggregate the data, and produce a “blacklist” of hosts to proactively block at the firewall level before they even get a chance to start an attack.

The other benefit of the system is that unlike existing solutions (such as blockhosts) it is protocol agnostic, allowing users to report and obtain firewall rules for any protocol (HTTP, SIP, IMAP, SSH, etc).  As an added benefit it supports real time lookup of data about an IP via an easy to use REST interface which will allow blog or other website owners to check a host submitting data (say a blog comment) in real time.  For non-realtime applications, the system supports downloading of a list of hosts and the associated score, allowing system administrators to build firewall rules based on their own criteria.
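The report-and-aggregate flow described above, as an added example that is not CrowdSecure's code: the report fields, the scoring by distinct reporters and the thresholds are assumptions, and the log lines and reports are constructed samples.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of Asterisk chan_sip failed-registration notices.
SAMPLE_LOG = """\
[2010-03-01 12:00:01] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[2010-03-01 12:00:02] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[2010-03-01 12:00:03] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2010-03-01 12:04:40] NOTICE[2101] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2010-03-01 12:05:00] VERBOSE[2101] logger.c: -- Registered SIP '200' at 198.51.100.7 port 5060
"""

# The From value is text supplied by the remote side, so the pattern is anchored
# on the end of the line and captures the address Asterisk itself appended.
FAILED_REG = re.compile(
    r"Registration from '.*' failed for '(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - [^']*$"
)

# Constructed reports from other (hypothetical) participants, any protocol.
REMOTE_REPORTS = [
    {"reporter": "site-b", "protocol": "ssh", "ip": "203.0.113.5"},
    {"reporter": "site-c", "protocol": "http", "ip": "198.51.100.9"},
    {"reporter": "site-c", "protocol": "http", "ip": "198.51.100.9"},
    {"reporter": "site-c", "protocol": "imap", "ip": "10.0.0.4"},
    {"reporter": "site-b", "protocol": "sip", "ip": "not-an-ip"},
]

# Ranges that must never reach a shared blocklist (assumed policy).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def failures_by_host(log_text):
    """Count failed SIP registrations per source address."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        match = FAILED_REG.search(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


def local_reports(log_text, reporter, protocol="sip", threshold=3):
    """fail2ban-style step: hosts at or over the threshold become reports."""
    return [{"reporter": reporter, "protocol": protocol, "ip": ip}
            for ip, n in failures_by_host(log_text).items() if n >= threshold]


def aggregate(reports):
    """Score each address by the number of distinct reporters that saw it.

    Repeats from one reporter add nothing, so a single noisy or compromised
    participant cannot push a host onto everyone's blocklist alone.
    """
    seen = defaultdict(set)
    for report in reports:
        try:
            ip = ipaddress.ip_address(report.get("ip", ""))
        except ValueError:
            continue  # malformed submission
        if any(ip in net for net in NEVER_BLOCK):
            continue  # internal or loopback address
        seen[str(ip)].add(report["reporter"])
    return {ip: len(reporters) for ip, reporters in seen.items()}


def blocklist(scores, min_score=2):
    """Each administrator picks a cut-off; return the hosts at or above it."""
    return sorted(ip for ip, score in scores.items() if score >= min_score)


if __name__ == "__main__":
    scores = aggregate(local_reports(SAMPLE_LOG, "site-a") + REMOTE_REPORTS)
    print(scores, blocklist(scores))
```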

I’m really excited about this project, and I hope I can get some momentum behind it.  I am currently looking for people to assist with development, web design, and other aspects of this project, so let me know if you are interested in helping out.

Using the Acer Revo as a MythTV frontend

Over the weekend I decided it was time to add another frontend to my existing MythTV setup so we could get live tv on our other TV.  For a bit of background, my MythTV setup is using the Silicon Dust HD Homerun to deliver OTA HD content.  So the requirements for the new front end were:

  • Must support 1080P output
  • Low power
  • Capable of running Myth Frontend and XBMC (I still prefer XBMC for non-live content)
  • Cost effective – the total build price needed to be sub $300

Previous to this upgrade, our living room TV was hooked up to an AppleTV and ran XBMC for playback of stored content.  The system worked, but with events like the Olympics and the Oscars we were getting tired of having to watch them on the basement TV which was hooked up to the Myth backend.  So with my requirements and goals in mind, I started researching for a new box that would meet my needs.

After doing a lot of research I found the Acer Aspire Revo AR1600-E910L which has an Intel Atom 230, 1.6GHz, 1GB DDR2 SDRAM, 160GB, Nvidia ION LE Graphics with HDMI, HD Audio, eSATA, Wireless 802.11b/g/n, Gigabit LAN and a Card Reader.  This box turned out to be a perfect fit – $250 at Canada Computers and the Nvidia ION Graphics gave me the ability to run VDPAU support in MythTV to accelerate the HD playback.  The other cool thing I didn’t realize is that the box comes with a wireless keyboard and mouse included – nice for the times when you have to do some tuning of the setup that can’t be done over SSH.

The first task after getting the box home was to install Mythbuntu on the machine.  I tried using the ISO to make a USB stick, but the machine didn’t want to boot off a USB drive.  I found a thread on the Ubuntu forums where someone had the same issue.  I tried the suggestions in the thread, but nothing would get the machine to boot from USB.  Luckily I had an existing server in my house and was able to Netboot the system.  I won’t get into all the details of how to do that, but Ubuntu has a great “How to Netboot” wiki page.

After getting Mythbuntu installed the only issue I had was “jumpy” playback of HD TV.  After playing with the MythTV settings for playback I found the following changes made things perfect:

My settings:

Under TV Settings->Playback
Page 1: Enable OpenGL vertical sync for timing (This resolved the “Jumpy video” issue)

Page 3: I added a simple profile, with one setting for all resolutions
Decoder: NVidia VDPAU acceleration
Video Renderer: vdpau
OSD Renderer: vdpau
Primary Deinterlacer: One Field (1x, Hw)
Fallback Deinterlacer: Advanced (1x, Hw)

And everything was perfect – the live TV is streaming from my HD Homerun to my MythBackend and then to my new Revo frontend.  I’ve still got some work to do like setting up the media center remote, but my first impressions are that this box really has what it takes to be a killer Myth frontend.

XMLBeans and Axis2 – or how I wasted a week of my life

For the past week I’ve been trying to write an Axis2 service that generates XML output that conforms to a set of XSD files.  The first challenge was to get the XSD files into a “Java friendly” format, which I solved by using XMLBeans. I’m new to XMLBeans but it was pretty easy to pick up and within an hour or so I had all of my XSD files converted to some nice Java JARs that gave me access to the XML entities as objects and let me quickly create the XML output I was looking for.  Given my initial success I figured it would be pretty easy to just insert the XMLBean generated JARs & code into my web service project, however every time I ran my code as part of my Axis2 webservice the output was missing xsi:type elements.

So at first I thought I’d done something wrong in XMLBeans with the XMLOptions, the JAR generation, or maybe even my XSD files, but after hours of trying different configurations and options my code was still dropping the xsi:type elements from my output.  To debug the problem, I figured I’d try writing a simple java command line program to see if I could debug the issue, but when I ran my code as a standard Java application the output was what I was expecting:

<?xml version="1.0" encoding="UTF-8"?>
<c:BroadsoftDocument protocol="OCI" xmlns:c="C">
<sessionId>000000001</sessionId>
<command xsi:type="AuthenticationRequest" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<userId>admin</userId></command>
</c:BroadsoftDocument>

However, when the exact same code was run under Axis2 & Tomcat in a servlet I was getting:

<?xml version="1.0" encoding="UTF-8"?>
<c:BroadsoftDocument protocol="OCI" xmlns:c="C">
<sessionId>000000001</sessionId>
<command>
<userId>admin</userId></command>
</c:BroadsoftDocument>

This of course isn’t valid – the xsi:type of the “command” element is stripped when the code is run under Axis2/Tomcat.

I then wrote a simple servlet application to remove Tomcat as a suspect and my hunch was confirmed – the corruption only happened when running the code as part of an Axis2 web service.

Having finally narrowed down the issue to Axis2, I did some googling for that and found an exact post that mentioned a CVS checkin to resolve xsi:type issues with Axis2: http://marc2.theaimsgroup.com/?l=axis-cvs&m=115946726426905&w=3

After reading the post and discovering the “ServiceTCCL” option I had my solution – after adding “<parameter name="ServiceTCCL">composite</parameter>” to the services.xml of my Axis2 project, everything started to work as expected.

So now with a solution at hand I can actually get down to writing some code – it’s just too bad I had to jump through so many hoops to get there!

The Saga Continues – my Equinox keeps having issues

After the last round of issues with my 2010 Equinox stalling back in November the dealership finally resolved the issue after doing numerous oil changes to remove the debris from the engine block.  With that problem behind me I thought it would be smooth sailing going forward, but alas my car continues to have new and exciting issues.

The week before Christmas the HVAC control system turned itself off while I was driving and I couldn’t adjust the heat in the car – annoyed and now cold I called OnStar.  The rep checked the GM database and he informed me the fix was to unplug the unit or restart the car.  After restarting the car several times the unit finally came back on.  I called my dealership the next day and they told me the same thing – there is no fix for the issue, just restart the car when it happens.  Later that week a friend sent me a link to a US recall for the issue – but so far there is no recall for Canada.

Then on Christmas day my “Check Engine” light came on.  Not wanting to drive the car with a potential issue we were forced to rearrange our Christmas plans to work around the vehicle issues – I’d like to personally thank GM for messing up my Christmas.  After Christmas I got the car to the dealership who found the issue – it was with the air intake manifold and was a simple fix already in the GM database.

But I’m still stuck with the HVAC system randomly going off – it’s happened several times now and with winter conditions in Canada it’s not very safe to have your defrost and heating controls go offline while you’re driving.  I talked to my dealership about the US recall, but since there isn’t a Canadian recall for the issue yet they can’t do anything.  Wonderful.

I’ve got a call in to GM Canada to see if they can give me an ETA on when to expect a recall but I’m not holding my breath.  At this point I’m just completely frustrated with my Equinox – every day I have to wonder what’s going to go wrong next.