COVID-19 Scams Spread Like Their Own Virus

It’s a sad fact of life that within moments of any tragedy there is a scammer scheming to turn a profit on it. These sick fucks are the bridge between sociopaths and homeopaths; willing to sell their own sick grandmothers distilled water on their deathbeds with a sick smile on their faces. Or, as in the case of Unichem Royal Oak Pharmacy in Auckland, New Zealand, they’ll sell you a cardboard card on a lanyard and tell you you’re safe from COVID-19.

To the rest of the world, New Zealand is a beacon of hope. As a country, we used science to guide the response to COVID-19 and have beaten it back like no other country. But while the rest of the world looks on in wonder at our success, there is still an undercurrent of fear and ignorance that scammers can latch on to. As an example, this sponsored post popped up in my Facebook feed yesterday:

It is a link to a YouTube video promoting the virtues of a card you can wear on a lanyard that creates a ‘one-meter protection zone’ against viruses and bacteria. This is, of course, absolute bullshit. Really, if I have to explain this to you, how are you even functional in the modern world?

I filed a complaint about this video on YouTube, but I don’t expect it to be taken down. This isn’t your standard user-submitted video. This is a paid-to-be-hosted video on YouTube. Want to know what gives it away? No matter how many times you watch it, there’s never an ad. When’s the last time you saw that on one of your videos?

As you can see above, I felt compelled to comment. That comment has been deleted, and I’ve been blocked from commenting on any of Unichem Royal Oak Pharmacy’s posts.

So, I made a post instructing people on how to file a scam complaint. You can do it too, if you’d like to participate in the exercise. First visit their post, and then follow these steps:

It will be interesting to see what happens if a lot of people report it for the scam that it is. Sad to say, I won’t be surprised if Facebook leaves it up. They have a surprising amount of tolerance for hosting scams when the poster is a paying customer. Here’s the response I received:

As you can see, Facebook’s acceptable community standards include selling people quack ‘virus shields’.

Never Give Someone Your Secret Keys

You didn’t need me to tell you that, though. Right? It goes without saying, as it’s right in the name. Secret Key. You give people the other half, the Public Key. I think they teach that in kindergarten these days.

So, why am I writing a post about such a simple topic? Let me tell you a story…

I’ve been using keybase.io for years.

I probably haven’t been using all its features, but it serves as another way of verifying some ways of communicating securely with me.

keybase.io was bought by Zoom, and we don’t know what that means yet. Will it stay free? Will it get shut down because all Zoom cared about was the crypto skills and tech?

One thing that is happening is that at least one ‘competitor’ has already popped up. Yesterday I received an invite from Cyph to sign up. They’d conveniently scraped my public info at keybase.io and populated an account that was ready for me if I accepted the invite. All I had to do was click the link and provide a new password and PIN. What the heck, I’ll sign up and make sure I get the name Ghostwheel before Scott in Atlanta grabs it.

The reason I put ‘competitor’ in quotes is that there is something very phishy about Cyph. The website at cyph.app wants me to prove I own the pgp public key they scraped from keybase.io by… uploading my private key to their servers.

That. is. not. going. to. happen.

That’s not how it works. That’s not how any of this works!

You want me to prove I own the secret key? Give me a random blob of text to sign, and you verify it with my public key.

You want to compromise any pgp/gnupg encrypted communications I have ever had? Yeah, that’s when you ask for my secret key.

Now that I’m taking another look at the invitation email, it isn’t even properly signed. It has a signed.asc but it’s malformed. Looking more phishy by the minute.

We’re supposed to move from keybase.io to a website that wants us to add our secret keys to their keystore, and where the CEO can’t send a properly pgp signed email?

Yeah, nah.
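The "random blob to sign" check described above, sketched as an added example (not code from Cyph, keybase.io or this post). It assumes a constructed, deliberately weak textbook-RSA demo key standing in for a PGP key, and the names `Verifier` and `sign_locally` are hypothetical.

```python
import hashlib
import secrets

# Constructed demo key pair: textbook RSA over two Mersenne primes.
# Trivially factorable, for illustration only; a real setup uses a PGP key.
_P, _Q = 2**521 - 1, 2**607 - 1
E = 65537
N = _P * _Q                                   # public modulus
_D = pow(E, -1, (_P - 1) * (_Q - 1))          # secret exponent, never uploaded


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class Verifier:
    """The service: holds only the public key and its outstanding challenges."""

    def __init__(self, public_key):
        self.public_key = public_key          # (n, e), as published on a profile
        self.pending = set()

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)       # fresh random blob per attempt
        self.pending.add(nonce)
        return nonce

    def check(self, nonce: bytes, signature: int) -> bool:
        if nonce not in self.pending:         # unknown or already-used challenge
            return False
        self.pending.discard(nonce)           # single use, so a replay fails
        n, e = self.public_key
        return pow(signature, e, n) == _digest(nonce)


def sign_locally(nonce: bytes, d: int = _D, n: int = N) -> int:
    """The key owner: signs on their own machine; only the signature is sent."""
    return pow(_digest(nonce), d, n)


def demo():
    service = Verifier((N, E))
    nonce = service.issue_challenge()
    sig = sign_locally(nonce)
    ok = service.check(nonce, sig)            # owner proves possession
    replay = service.check(nonce, sig)        # same response sent again
    forged = service.check(service.issue_challenge(), sig)  # old sig, new blob
    return ok, replay, forged                 # (True, False, False)
```

With GnuPG the same exchange is the owner running `gpg --clearsign` on the challenge and the service running `gpg --verify` on the result; the service only ever holds the public key.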

Making sense of the Kiwiburn map. :)

Having never been there, and having no frame of reference, you wouldn’t believe how much time we all spent trying to figure out how the town map fit against what we saw in Google Maps. It didn’t help that the Town Plan map was rotated 90 degrees, and that Google Maps shows the address on Cooks Road fairly far away from where it really is. Now it all makes sense. 🙂