Frequently Asked Questions

15 March 2012

CRTC CASL Regulation Summary

[originally posted at Emailkarma. Written by CAUCE Director Matt Vernhout]

We have found what appears to be an official version of the Canadian Radio-Television and Telecommunications Commissions (CRTC) Canada's Anti-Spam Law CASL regulations on the Canadian Employment Pension Law website along with a brief overview of the regulations.

Here is a quick summary:

Information to be included in an email message has been clarified to included these key identifiers: CEM’s need to be the name by which the person sending the message conducts business, for third party messages you should use the name by which the third party carries on business, and include a statement indicating which person is sending the message and which person on whose behalf the message is being sent.

Contact and mailing address has also been clarified to be; the mailing address of the sender and either a telephone number providing access to an agent or voice messaging system, an email address or a web address of the person sending the message or the person on whose behalf the message is sent.

When it is not possible to include unsubscription information in the CEM you may included that information on a page on the World Wide Web that is readily accessible by the person to whom the message is sent at no cost to them by means of a link that is clearly and prominently set out in the message. This is a big deal for Mobile* messaging and Social Media messages as these platforms and character limitations do not always allow for all of the previously required information… I can’t ever see this being an issue for an email message though.* Mobile Keywords STOP will remain a requirement

All unsubscribe mechanisms referred to in paragraph 6(2)(c) of the Act must be set out clearly and prominently and must be able to be readily performed.

A request for consent has been clarified to include oral or written consent and must be sought separately for each channel (SMS, Email, etc…) of the Act and must include the key identifiers listed above (point 1) along with a a statement indicating that the person whose consent is sought can withdraw their consent at any time.

Computer programs that perform one or more of the functions listed in subsection 10 (5) of the Act [causing a computer system to operate contrary to reasonable expectations] must have a separate consent sought from any other information provided in a request for consent and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.

What’s Next with CASL?
We are still waiting on the regulations from Industry Canada that will hopefully clarify a number of the outstanding issues and questions that they received during last years comment period. We are expecting to hear from them in the next couple of weeks (Maybe early April) when a new 30 day comment period is scheduled. After these comments are reviewed final regulations will be presented and an enforcement date will be set.

The big question is still outstanding – When is CASL coming into force?

Latest word on this will be at or near the end of Q3 2012 (around October), but the regulations from Industry Canada will clarify this.

Download the CRTC’s Regulations HERE [PDF]

Posted by on 15 March 2012 in Canada, Frequently Asked Questions, World | | Comments (0) | TrackBack (0)

| | | |

11 April 2011

Facts & Tips for Consumers about the Epsilon Breach

Epsilon Interactive, who sends commercial email on behalf of hundreds of companies, admitted to a security breach that they detected some time in March. Epsilon and its parent company, Alliance Data, have posted two press releases about the breach.

How many companies’ customers' email addresses were lost?

Epsilon has not revealed any statistics beyond ‘2% of our clients’, of which they reportedly have 2,500.

Journalists covering the story have collected notifications sent by about 70 companies, including many financial institutions. The names of these companies have been published at:

What information was lost?

Epsilon has stated that the names and email addresses of their clients' customers were taken. Presumably the attackers were also able to access the names of each client.

What does this mean for consumers?

If you received a notification from one of Epsilon's clients, the thieves know your name and email address.  Depending on which company had your information, the thieves may also be know the hotels you may stay at, which credit cards you may use, or where you buy stuff online. If your email address shows up on several of these lists, the criminals can draw together a pretty accurate profile of who you are, and what you typically do, and can guess your income level. Ironically, that is what companies like Epsilon do with the data, too.

Do the criminals have any more information about me?

While it's common for the contents of an email message to include more personal information than your name and email address, as far as we know, this information was not stolen. Often times, different data is stored in different places, and the thieves may have not been able to access the contents of previously sent messages. There is a pretty good explanation of the way these marketing databases generally work here

My address was lost in the Epsilon breach; CAUCE says the only way protect myself against phishing is to change my address. Isn't that is a rather extreme approach?

Sadly, it may not be extreme enough.  The Anti-Phishing Work Group reports that there are about 360,000 unique phishing sites, annually [2010].

Anti-virus software catches new malware about 20% of the time, leaving computer end-users exposed to a tremendous amount of viruses, keyloggers, and spyware, and other bad things. Anti-spam software does a pretty good job, getting well upwards of 90% of all spam, but some trickles through. We know that phishing attempts were successful at companies, ESPs, who were on high alert for the attempts.

While some phishing attempts are obvious, almost silly, others can be extremely difficult for end-users to recognize. Our friends at Word to the Wise took apart a legitimate email from an Epsilon client-company, and even email experts had a hard time determining if the email was real. See their article ‘Real. Or. Phish?’.

If your email was lost by a client company of Epsilon, we stand by our suggestion that changing your address is the best way to avoid receiving and having to deal with the phishing emails and other spam that will inevitably come from this data theft. Even if you don't want to abandon your current address entirely, this would be a good time to set up a new address and move your important communications there.

I unsubscribed from a customer list at Epsilon, and still received a notification from them. Isn’t this illegal?

It is arguably illegal under some laws, but it makes good sense that they did mail you. It doesn’t mean you weren’t unsubscribed. Here’s how it works: When you unsubscribe from an emailer’s list, they put your address into what they call a ‘suppression list’. The criminals presumably stole these too. The companies did the right thing by alerting you to the fact that your address was stolen.

How can I unsubscribe from everything at Epsilon?

Epsilon maintains a list of places where you can unsubscribe from a variety of their clients' newsletters.

We do not know if this will ensure that another of their clients will not upload your address to Epsilon in the future, and of course there are many other ESPs out there.

 Are the authorities involved? Can I sue someone?

Epsilon is reportedly working with the Secret Service, presumably because information related to bank and credit card clients was lost. Previously, some of the companies who were targets or victims of the previous series of breaches (which, again, may not be connected to the Epsilon incident) have been working with law enforcement.

The Australian Communications and Media Authority and Australian Privacy Commissioner are aware of the attack, having been alerted to it by Dell Australia, whose data was stolen. The breach may prompt an investigation by the UK Information Commissioner's Office, Connecticut Attorney General George Jepsen and Consumer Protection Commissioner William Rubenstein are investigating, and have written a letter to Attorney General of the United States asking him to investigate. Leaders of the House Energy and Commerce panel in the United States have written to the CEO of Alliance Data, Epsilon’s parent company, asking for more details on how many customers were affected and how the breach occurred.

You could try to sue someone: the company holding your data, or Epsilon, or both. There may be class action lawsuits coming out of this, as well as lawsuits by Epsilon’s client companies. If you do file with a class-action, you should not expect a large financial settlement, as these are generally quite small.

CAUCE suggests that if you live in a relevant jurisdiction, you can file a complaint with the local authorities about the breach:

 If you have incurred a financial loss as a result of any phishing attack, or see suspicious activity on your bank account, contact your financial institution to alert them and report your credit card stolen immediately. Then, call your local and federal police forces to file a complaint (the bank will not do this for you).

BACKGROUNDER

How was the hack accomplished?

Epsilon has not released details about the mechanics of the breach. If it is similar to the hacking attempts targeted at ESPs last year, the hackers may have used social engineering and spear-phishing techniques, leading to an employee mistakenly typing their username and password into a web page controlled by the hacker.  However, at this time, we do not know what happened or whether there's any connection to the previous attacks.

Has Epsilon been hacked before?

Maybe. Epsilon has not publicly admitted to any previous attack, but their customer Walgreens has indicated that this is the second time they have lost data by way of Epsilon.

“After the incident last year, Walgreens requested that Epsilon put a number additional security measures in place. Apparently, that expectation was not fully met.” – Walgreen spokesperson, via databreaches.net

Is the Epsilon breach part of the previous series of attacks on the ESP industry?

These attacks appear to have begun as early as November 2009, the first victim being a company called aWeber.

Typically, the criminals would hack into an ESP by sending an employee an email that infected them with keylogger spyware, take over one of their client accounts, and send spam for fake Adobe or Skype software. More than a dozen different ESPs, including Epsilon, were targets or victims of these attacks in 2010.

It is impossible to say if this is the same as what happened to Epsilon more recently. Adobe or Skype spam was seen during previous breaches. This did not happen with the current breach with Walgreen or any other Epsilon customer.

This could have been the same group, using the same point of attack. It could have been a copycat using the same tactics, or an entirely different approach. We do not know, and there are too many variables for anyone to say they know definitively — though if Epsilon were to share what they know with the security community, it's likely that we could understand quite a bit more.

Did Epsilon have lax security?

We do not know what changes they made after their first breach, so it is impossible to say.

Were there things they could have done to improve security?

Obviously — they were hacked, after all. Epsilon will presumably address whatever let the hackers get into their systems this time, but any security professional will tell you that security is never perfect. What appears secure today may be exploited tomorrow.

There are many steps ESPs can take to much improve their security related to client lists and outbound email – we have listed them here

I heard that someone warned ESPs about breaches in November.

They did. Return Path provides services to ESPs, blogged about their own breach, and those at ESPs in November 2010. In fact, the ESP industry was becoming aware of this series of breaches all the way through 2010, as they were happening.

Security isn’t 100%? Why?

Software, and the way it interacts with various web applications is very complicated. Many sites do not, or cannot update all components that go into a web application, because to do so may break functionality on the site, or they are negligent. Home computers are pretty much the same. Microsoft, for example, issued 67 updates this past ‘Patch Tuesday’. Have you updated your computer?

Who is the real victim here?

You are. Epsilon suffered the initial attack. Their clients suffer as well, losing consumer trust. There may also be marketing or advertising agencies involved. But as far as CAUCE is concerned, the people who stand to suffer the most are the regular Internet users who trusted that the major brands whose products they enjoy would keep their email addresses and other personal information safe and secure. If these companies do not take immediate, public actions to prove that they deserve our trust, then they do not deserve our business.

Posted by on 11 April 2011 in Canada, Frequently Asked Questions, Press Releases, United States, Warnings, World | | Comments (0)

| | | |

04 April 2011

Epsilon Interactive breach the Fukushima of the Email Industry


Marketing as Usual? Not a chance. – Epsilon corporate catch phrase

A series of attacks on the Email Service Provider (ESP) community began in late 2009. The criminals spear-phish their way into these companies that provide out-sourced mailing infrastructure to their clients, who are companies of all types and sizes.

Upon gaining access to an ESP, the criminals then steal subscriber data (PII such as names, addresses, telephone numbers and email addresses, and in one case, Vehicle Identification Numbers). They then use ESPs’ mailing facility to send spam; to monetize their illicit acquisition, the criminals have spammed ads for fake Adobe Acrobat and Skype software.

On March 30, the Epsilon Interactive division of Alliance Data Marketing (ADS on NASDAQ) suffered a massive breach that upped the ante, substantially.  Email lists of at least eight financial institutions were stolen. 

Thus far, puzzlingly, Epsilon has refused to release the names  of compromised clients. CAUCE has drawn the a list of  from news reports (below)

The obvious issue at hand is the ability of the thieves to now undertake targeted spear-phishing problem as critically serious as it could possibly be.

What to do?

CAUCE is calling on the ESP industry and ISP and Email Receivers to implement these measures across the board, to protect the PII of end-users everywhere. What follows are best common practices that have existed for many years. It is time to take a stand against the data-thieves, and begin to properly protect end-users, without fail.

ESP & Senders

  • Security must be the top corporate priority. Both Silverpop and Epsilon Interactive were either breached repeatedly, or failed to fully mitigate their initial security lapse in December.  I was told by one ESP security staffer that he hadn’t been given sufficient resources to affect all the appropriate changes. That is at best lamentable.
  • Two-factor authentication must be implemented for ESP system access for both staff and clients.
  • Senders and ESPs must sign all email with DKIM, and authenticate all mailing IPs with SPF.
  • ESPs must check all outbound content against domain blacklists such as SURBL and the Spamhaus DBL before deployment.
  • ESPs must adopt and embrace a culture of transparency and commit to cooperative full disclosure
“Epsilon has refused to provide additional details on what other brands may have been affected.” – Security Week

“SilverPop did not respond to requests for comment” – Krebs on Security

While it is the instinctive corporate reaction to be secretive, such a strategy exacerbates the frustration of the other set of victims of data-theft, namely the end-users. A complete list of breached clients is fundamental to protecting end-users, and allowing them to protect themselves.

Receiving Systems

We need desperate measure for desperate times, CAUCE calls upon the receiving community to better their protection of end-users.

  • Email receivers must deploy DKIM and SPF checking, and treat messaging failing such checks accordingly by labeling the subject line, placing it in a spam folder, or blocking it entirely.
  • Email receivers must deploy checks using URI blacklists like SURBL and Spamhaus on message headers and content domains.
  • Email receivers must take extreme measures, even if there are false positives. Better safe that sorry, and given the potential damage these breaches can cause to a recipient, far better that there are false positives (legitimate email refused or sidetracked to the bulk folder) than false negatives (illicit email delivered to the inbox).

The list of breached companies

 

Posted by on 04 April 2011 in Canada, Frequently Asked Questions, Technology, United States, Warnings, World | | Comments (0) | TrackBack (0)

| | | |

24 January 2011

I don't really want to stay in touch on LinkedIn

Imagine my surprise (I imagine yours to be similar), when whilst sitting around watching t.v. on a cold Sunday afternoon I was fiddling with my new iPad, and decided during a commercial to cross-check my gmail contacts to my LinkedIn contacts.

I was shown a short list of contacts, with no scroll-bar, (deselected a few, actually) and hit 'ok'. I saw no results, iPad did its thing where pages disappear then relaunch. Then, I tried my other gmail account.

Sigh.

The rest, as they say, is history. I'm not certain if it is because I've been on LinkedIn for a long time, have a business account, have a lot of existing contacts or some combination of these factors, but somehow LinkedIn determined I was a suitable candidate to upload two address books (yes, I overtly OK'ed this step), and invite them all to 'get in touch', or to join LinkedIn.

Included in this wonderful offer were anti-spam mailing lists, people I'd decidedly not prefer to stay in touch with, for example, spammers about whom I've complained. LI also wrote to abuse desks to whom I've complained about said spammers, and at least one (literally) dead friend, a dead email list I used to run (or, at least, I thought it was decommissioned), the billing alias for my telephone company, a whole Smörgåsbord stuffed into a cornucopia of ill-placed messaging.

I do have no small number of people who accepted my offer (my dead friend didn't). As, well, I received no small number of complaints, a total that will undoubtedly mount as people will probably complaint to abuse@cauce.org, linkedin.com and elsewhere, justifiably so.

I'm uncertain if this was due to poor UI, generally or UI that only displays on the iPad, and lousy policy regarding address book uploads at LinkedIn and the way that Google aggregates contacts; I will reiterate here what has always been my recommendation regarding such things: Limit inviatation sends to a maximum of 100 at any time, and should an uploaded list have role accounts, the send be held until the validity can be humanly verified. Neither of those things happened.

My two gmail accounts date back to 2006 and 2004 respectively, and I didn't overtly add many of these addresses to my contact list.

There you have it, a case in point and an object lesson in how powerful the tools we use actually are, and the laxity in privacy that is pervasive these days.

Of course, I apologize profusely for the intrusion.

Atypically, I've kept the comment section open for this post, feel free to stay in touch here! ;-)

--
Neil Schwartzman
Exectuive Director
CAUCE

Posted by on 24 January 2011 in Frequently Asked Questions, Technology, Warnings | | Comments (0) | TrackBack (0)

| | | |

15 August 2010

How Your Privacy Is Exploited Online and How To Protect Yourself

I spotted a disturbing headline which reminded me to repost a recent series about online privacy in the Wall Street Journal.

Suit alleges Disney, other top sites spied on users - CNET News

A lawsuit filed in federal court last week alleges that a group of well-known Web sites, including those owned by Disney, Warner Bros. Records, and Demand Media, broke the law by secretly tracking the Web movements of their users, including children.

...

Among the laws that were allegedly violated by Clearspring and the other defendants are the Computer Fraud and Abuse Act, California's Computer Crime law, and that state's Invasion of Privacy Act.

(CNET uses trackers themselves. Using the Firefox plugin Ghostery, we see that they monitor using Twitmeme, Comscore Beacon, Revenue Science, Yahoo Buzz, Facebook Connect, Google Analytics, and Chartbeat to monitor your surfing)

The article above references a multi-part series I highly recommend you read if you care about your online privacy (just for the record, the Wall Street Journal uses the following trackers: Facebook Connect, MSN Ads, Chartbeat, Peer39, Fox Audience Metrics,  Google Analytics, Omniture, WoprdPress Stats.

CAUCE uses Google Analytics and Bit.ly, and Typepad, where we are hosted, inserts Quancast tracking into our posts.).

The New Gold Mine: Your Personal Information & Tracking Data Online - WSJ.com

How to Outsmart Tracking Cookies on the Web - WSJ.com

What They Know About You - Personal Information Tracked Online - WSJ.com

Analyzing What You Have Typed - WSJ

Posted by on 15 August 2010 in Frequently Asked Questions, Warnings, World | | Comments (0) | TrackBack (0)

| | | |

03 May 2010

Resources for Cleaning Your Network

spam puzzle: solved!Image by dr.jd via Flickr

The first step (but certainly not the last) towards saving the internet from spam, malware, and other abuse is to keep your own network clean.

A friend of CAUCE, who wishes to remain anonymous, offers these tips and resources to help you identify problem traffic emanating from your network, and clean it up.  Though primarily written for ISPs, many of the items below should apply equally well to any network owner.

Zero-point: Problems which aren't identified don't get fixed. So...

First and foremost, proper identification of the ISP's IPs in both RIR (APNIC) and rDNS. Along with that, working and properly processed Abuse e-mail contact for APNIC and "abuse@domain" for the generic rDNS primary domain. Correct domain whois goes hand-in-hand.

Then, in no particular order...

Block port 25 on dynamic ranges, as recommended by MAAWG.

Complaint Feedback Loops and other abuse reporting mechanisms: Spamhaus and Word To The Wise both have links to get started on those, and ISPs serious about cleaning up should subscribe all their IP ranges to as many of those FBLs as they can handle. (The best for spam detection would be subscribing to all of them but volume can get quite high so they may wish to pick and choose what fits their needs the best.)

That includes SpamCop, but it's worth its own mention. Unlike most other FBLs, SpamCop reports spamvertised URLs as well as spam source. Note that it has both direct spam reporting and "Summary" reports which provide IP-by-IP reporting for a subscribed range on an hourly or daily basis.

www.abuse.net can help them direct spam reports to the right place.  SpamCop seems to look at Abuse.net, too.

CBL offers rsync of its data within terms of use posted on its website. An ISP with that data can use grepcidr across its IP ranges to identify currently active spam-bot IPs.

Spamhaus PBL provides participating ISPs with CBL's list bots in the respective ISP's IP ranges, so that's another easy way for ISPs to get that same data.

Botnet C&C and malware related IPs identified by the FIRE group can be
found by ASN with http://maliciousnetworks.org/ .

Senderbase.org, Trustedsource.org and Senderscore.org websites all have searchable reputational information which can help an ISP corroborate reports they get with a wider sample of traffic...very useful.

I'm sure there are more such resources, I'd be interested in them and I hope others will chime in, but for an ISP which is already overrun with spam issues, those websites should at least give them grist to start grinding away at the problems. I suspect the more difficult challenge will be to get them to actually back the effort.

Any ideas?  Post them in the comments, and maybe our anonymous friend will join in too.

Related articles by Zemanta

Posted by on 03 May 2010 in Frequently Asked Questions, Technology | | Comments (0) | TrackBack (0)

| | | |

18 March 2010

T'is the Season for Apartment Rental Scam Spams - Consumer Alert

Summer tends to be moving time here in Montreal, as it is elsewhere. This year, I have decided to move, and thought it would be an opportune time to share a warning about some scams that are related to this seemingly harmless activity.

First off is the 'Too good to be true' Craigslist posting (or Kijiji, or any other public listings site!). Last time I moved, I went searching on CL for a new place, as so many do. I found a nice listing, and emailed the purported landlord. I got an email back from someone claiming to be on missionary work in Africa, and if I would just send him or her some money, the place was mine; I could pick up the key when the cheque cleared.

I researched a bit further, and found that what the scammers had done was re-post a previous listing on CL from a few weeks past, dropping the price enough to make the offer seem great, but yet remain credible. A call to the landlord and an email to Craigslist Abuse had the listing and a few others taken down.

Scam two: Advance Fee Fraud - I am now subletting my place, and today, a very nice lady ostensibly in Benin is offering to send me money to reserve my flat, sight unseen. No doubt, it will be a cheque, which I would deposit. Then, complications will arise, she will ask for her money back, less a fee for the hassle. The cheque would take some time to clear, but by then, the money would be safely in the hands of the scammers.

Bottom line: Never rent an apartment or house from someone who isn't present to show you around, and pay with a cheque noting the address, and the date of the first month of rental. Here in Quebec, we have government issued lease forms available everywhere, always use them, and make sure the person renting has the authority to do so. Otherwise, come moving day, you may find yourself without a place to live.

Never pay out money from cheques you receive before your bank has had time to clear the payment, and are 100% willing to state the transaction is legitimate. Otherwise, you will find yourself on the hook for the money.

As always, the old saw 'if it seems too good to be true, it probably is' applies. Remain skeptical, especially in your online dealings.


Neil Schwartzman
Executive Director, CAUCE

Posted by on 18 March 2010 in Canada, Frequently Asked Questions, United States, Warnings, World | | Comments (0) | TrackBack (0)

| | | |

21 April 2008

I need a job, and just got some spiffy email about a new job site!

Posted on behalf of: Neil Schwartzman, Executive Director CAUCE

A friend of mine just wrote to me about a new service called NotchUp.com so I looked them up on DomainTools.

Now, why would a company obfuscate their domain registration? I can't think of a good reason why. That isn't to say that NotchUp.com is not a fine upstanding company, I don't know, but having correct and open information in your domain registration means you are taking responsibility for your online conduct.

Unemployed folks, and others looking to change jobs should be very careful when joining a job recruitment site; they can be real hornet's nest. For one, job applicants are giving out a tremendous amount of personal data that can be misused to the ends of personal identity theft. As well, many of them are not worth the bother, or can be out-and-out malicious.

Another friend was the victim of a drive-by virus-infected when someone ostensibly reached out to him about a VP-level job, one for which he was suitable (he's a sales guy, so it might not have been entirely targeted).

The CAUCE advice?
  • Stick with the biggies - to name a few; Linkedin, Monster, Workopolis, Craigslist
  • Check out new companies and new job sites from the comfort of your own browser!
  • Run the domain through DomainTools
  • Get yourself a copy of the great tool from McAfee Site Advisor, a plug-in that works for both Internet Explorer and Firefox, and check out their reviews.
  • Use the Alexa Firefox plug-in to check out if the site has a reasonable amount of traffic.
  • Use your favourite search engine on the name and the domain name of any potential job site or employer. Then search again and add the qualifier + spam. Or + scam
  • Never respond to Unsolicited email
  • If the job seems too good to be true, (especially if you are desperate!), stay away!
For example, LinkedIn currently has many 'work at home' jobs touted, money-laundering for 419 and phish-stolen money. Getting involved in those schemes helps sustain spamming, and you can be arrested. (LinkedIn are doing a fine job of deleting these as fast as they come in, but the bad guys slip through, nevertheless)

Good luck with your job search, don't let the bad guys swindle you!

Posted by on 21 April 2008 in Frequently Asked Questions, Warnings |

| | | |

03 April 2008

Q&A: Talking Points Against spam

Q:
Dear CAUCE,

I need your help. I work for an organization that sends an email newsletter once a week. Someone in my office came up with the bright idea that we should auto-subscribe every person in our offline database and let them "opt-out" if they don't want to get it. While this email is not necessarily of a commercial nature, I personally still consider this unsolicited email to be spam. Can you provide me with a white paper or talking points on why this is a terrible idea so that I can make this case to my bosses?

Continue reading "Q&A: Talking Points Against spam" »

Posted by on 03 April 2008 in Frequently Asked Questions |

| | | |

19 November 2007

Should I send CAUCE copies of the spam I recieve?

Please do not send us any copies or samples of the spam you receive. As a group we receive thousands of spam messages every day, as individuals we receive hundreds to our personal accounts.

We are an advocacy group, not a spam reporting service or the "internet police." We do not hove the resources or the authority to assist you with individual spam messages.

For help reporting, please talk to your internet service provider or use the current tools provided to you by your web mail providers (i.e. Junk button in Hotmail, or the "Report spam" button in Gmail).

Posted by on 19 November 2007 in Frequently Asked Questions |

| | | |

Older »

CAUCE North America is financially supported by our organizational and individual members.

REPORT SPAM

Recommended Resources
On Guard Online (United States)

Get Cyber Safe (Canada)

Categories

Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported