Showing posts with label security.

Saturday, July 25, 2009

Bad spammer neighborhoods

I've been collecting data about IPs that have been attempting to spam my mail server for the past few months, and today I decided to take a look at what neighborhoods of /24 networks are the most heavily populated with spamming IPs.

Here's the list of the top ten "worst neighborhoods" trying to send me spam, mostly with dictionary attacks against my domain. These are all blocked by the CBL, so none of this spam actually gets through, but it ties up my bandwidth.

I've put an asterisk (*) next to the ranges that are probably actually smaller than /24s based on the distribution of IPs.

Does anybody have a tool that already exists to identify likely bad ranges to block based on the distribution of known bad IPs? All I did here was count IPs within a /24, but it would be nicer to identify the likely ranges of badness at both a more fine-grained and broader level.

Note that these bad neighborhoods may be neighborhoods of poorly secured machines, or they may be neighborhoods of malicious machines. Either way, the providers are not doing a good job of cracking down on malicious activity from their networks.

1. 64.32.26.0/24 (25 IPs)
45 46 51 52 54 66 68 73 81 90 100 102 104 111 113 126 155 157 163 168 194 199 204 236 242
AS 46844 | 64.32.26.0 | ST-BGP - SHARKTECH INTERNET SERVICES
Upstream provider: AS 7922 | 64.32.26.0 | COMCAST-7922 - Comcast Cable Communications, Inc.

*2. 89.232.105.0/24 (24 IPs)
21 24 29 32 48 57 59 63 64 68 76 89 93 94 97 101 103 107 114 117 126 129 137 139
AS 28840 | 89.232.105.0 | TATTELECOM-AS Tattelecom.ru/Tattelecom Autonomous System
Upstream provider: AS 6854 | 89.232.105.0 | SYNTERRA-AS SYNTERRA Joint Stock Company 64.32.26.0

3. 208.84.243.0/24 (20 IPs)
13 30 63 68 78 92 99 123 148 150 175 176 179 185 196 199 216 219 226 250
AS 40260 | 208.84.243.0 | TERRA-NETWORKS-MIAMI - Terra Networks Operations Inc.
Upstream provider: AS 22364 | 208.84.243.0 | AS-22364 - Telefonica USA, Inc.

*4. 83.149.3.0/24 (17 IPs)
5 6 12 14 16 18 21 22 25 28 30 40 42 47 48 51 63
AS 31213 | 83.149.3.0 | MF-NWGSM-AS OJSC MegaFon Network
Upstream providers: AS 12389 | 83.149.3.0 | ROSTELECOM-AS JSC Rostelecom
AS 20485 | 83.149.3.0 | TRANSTELECOM JSC Company TransTeleCom

*5. 76.164.227.0/24 (16 IPs)
138 155 159 174 182 186 194 199 202 206 210 218 222 230 238 246
AS 36114 | 76.164.227.0 | RDTECH-ASN - R & D Technologies, LLC
Upstream providers: AS 6473 | 76.164.227.0 | WCIXN4 - WCIX.Net, Inc.
AS 35937 | 76.164.227.0 | MARQUISNET - MarquisNet LLC

6. 76.164.232.0/24 (15 IPs)
13 21 24 33 36 38 40 43 48 57 198 206 218 232 234
AS 36114 | 76.164.232.0 | RDTECH-ASN - R & D Technologies, LLC
Upstream providers: AS 6473 | 76.164.227.0 | WCIXN4 - WCIX.Net, Inc.
AS 35937 | 76.164.227.0 | MARQUISNET - MarquisNet LLC

7. 77.120.128.0/24 (15 IPs)
20 37 50 85 93 104 107 112 159 162 187 232 239 248 252
AS 43011 | 77.120.128.0 | DATASVIT-AS ISP Datasvit AS Number
Upstream provider: AS 25229 | 77.120.128.0 | VOLIA-AS Volia Autonomous System

*8. 78.138.170.0/24 (12 IPs)
66 68 77 78 160 166 178 189 190 193 202 211
AS 28840 | 78.138.170.0 | TATTELECOM-AS Tattelecom.ru/Tattelecom Autonomous System
Upstream provider: AS 6854 | 89.232.105.0 | SYNTERRA-AS SYNTERRA Joint Stock Company 64.32.26.0

9. 77.232.143.0/24 (12 IPs)
33 37 40 63 69 104 175 182 190 215 218 251
AS 42145 | 77.232.143.0 | BSTV-AS OOO Bryansk Svyaz-TV
Upstream provider: AS 20485 | 77.232.143.0 | TRANSTELECOM JSC Company TransTeleCom

*10. 95.154.113.0/24 (12 IPs)
140 178 181 185 193 195 197 206 218 246 248 254
AS 44724 | 95.154.113.0 | OCTOPUSNET-AS Octopusnet LTD
Upstream provider: AS 34470 | 95.154.113.0 | PTKOM-AS PortTelekom Autonomous system
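
An added example (not part of the original post): one way to answer the question above about finding likely bad ranges at both a finer and a broader level than a /24. It walks down from a /16, reports the first prefix whose share of known-bad addresses passes a threshold, then tightens it to the smallest prefix covering those addresses. The function names, the thresholds, and the 10.9.8.0/23 and 203.0.113.7 inputs are assumptions constructed for illustration; the other three inputs are entries 1, 4 and 5 from the list above.

```python
import ipaddress
from collections import defaultdict


def tighten(members):
    """Smallest single prefix that covers every address (as ints) in members."""
    lo, hi = min(members), max(members)
    plen = 32 - (lo ^ hi).bit_length()      # length of the shared leading bits
    base = lo >> (32 - plen) << (32 - plen)
    return ipaddress.IPv4Network((base, plen))


def dense_ranges(bad_ips, min_hits=8, min_density=0.08, widest=16, narrowest=28):
    """Return [(network, bad_ip_count)] for ranges densely populated with bad IPs.

    min_hits    ignore ranges with fewer known-bad addresses than this
    min_density bad addresses / range size needed to report a range
    widest      shortest prefix length considered (broadest range)
    narrowest   longest prefix length the search will split down to
    """
    members = sorted({int(ipaddress.IPv4Address(ip)) for ip in bad_ips})
    groups = defaultdict(list)
    for m in members:
        groups[m >> (32 - widest)].append(m)

    found = []

    def walk(plen, group):
        # group holds every bad address sharing the same leading plen bits
        if len(group) < min_hits:
            return
        if len(group) / 2 ** (32 - plen) >= min_density:
            found.append((tighten(group), len(group)))
            return
        if plen >= narrowest:
            return
        bit = 1 << (31 - plen)              # next bit splits the range in half
        walk(plen + 1, [m for m in group if not m & bit])
        walk(plen + 1, [m for m in group if m & bit])

    for group in groups.values():
        walk(widest, group)
    return sorted(found)


def expand(prefix, last_octets):
    """Turn '64.32.26' plus '45 46 51' into full dotted-quad addresses."""
    return [f"{prefix}.{o}" for o in last_octets.split()]


def sample():
    ips = []
    # Entries 1, 4 and 5 from the list in the post
    ips += expand("64.32.26", "45 46 51 52 54 66 68 73 81 90 100 102 104 111 "
                              "113 126 155 157 163 168 194 199 204 236 242")
    ips += expand("83.149.3", "5 6 12 14 16 18 21 22 25 28 30 40 42 47 48 51 63")
    ips += expand("76.164.227", "138 155 159 174 182 186 194 199 202 206 210 "
                                "218 222 230 238 246")
    # Constructed input: every 8th address across two adjacent /24s,
    # to show a range broader than a /24 being reported
    ips += [f"10.9.{8 + i // 32}.{(i % 32) * 8}" for i in range(64)]
    # Constructed input: a lone address that should not produce a range
    ips.append("203.0.113.7")
    return ips


if __name__ == "__main__":
    for net, hits in dense_ranges(sample()):
        print(f"{str(net):20} {hits:3} bad IPs  "
              f"density {hits / net.num_addresses:.3f}")
```

Lowering min_density widens what gets reported, which raises the chance of blocking unrelated hosts in the same range, so review the output before turning it into a blocklist.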

Thursday, July 23, 2009

How Twitter got compromised

TechCrunch has published "The Anatomy of the Twitter Attack," a detailed account of how "Hacker Croll" used people's password-selection habits, use of multiple online applications, publicly available online information about people, and flawed "I forgot my password" mechanisms to gain access first to individuals' personal webmail accounts and then to Twitter's internal systems.

It's a good idea to use randomly generated passwords, stored in a password safe, so that they're different with every service you use. It's also a good idea to split personal and corporate accounts. Lately I've taken to using randomly generated information for my "I forgot my password" answers, as well, and keeping that in my password safe just like another password.

The "secret questions" for password recovery are a vulnerability when so much personal information is being shared on the Internet. That's how Sarah Palin's email account was compromised last year, as well.

Thursday, July 16, 2009

DHS still a mess, five years on

One of the main points of the creation of the Department of Homeland Security in 2004 was to centralize oversight over a wide array of agencies with responsibility for the safety and security of the United States and its territories. The 9/11 Commission made 41 specific recommendations to Congress, and one of those was "create a single, principal point of oversight and review for homeland security." But that's one that hasn't been accomplished--DHS oversight by Congress is through 86 separate committees and subcommittees (see chart below).

The Center for Public Integrity and the Center for Investigative Reporting have joined forces to investigate the effectiveness of the Department of Homeland Security's efforts since its creation, and will be publishing a series of reports over the next several months which should prove quite interesting.

Friday, June 26, 2009

Bad military botnet proposal still being pushed

I just came across an April 2009 BBC story which shows that USAF Col. Williamson is still promoting his idea of building a U.S. military botnet to engage in offensive denial of service attacks against foreign targets on the Internet.

But I haven't seen him respond to any of the criticisms of his bad idea, including in the online forum of the journal where he published it.

I think a more effective idea would be to adjust the computer crime statutes to provide immunity to prosecution (or at the very least an affirmative defense to criminal charges) for private responses to attacks that meet certain criteria, so that ISPs, security researchers, and competent individuals could engage in offensive actions against compromised machines to disable malicious software or take them off the network. Perhaps some kind of licensing or bonding would do the trick, and ISPs could put an exception into their acceptable use policies for entities that met the criteria.

That's also my partial response to this more recent BBC story about "what rules apply in cyber-wars" which led me to find the Williamson article.

Tuesday, May 12, 2009

Tracking cyberspies through the web wilderness

Yesterday's New York Times has an interesting article about how security researchers at the University of Toronto have helped uncover online spy activity, apparently conducted by the Chinese government, against the Dalai Lama's office in India.

One odd comment in the article: "And why among the more than 1,200 compromised government computers representing 103 countries, were there no United States government systems?"

I find this particularly odd in that I've seen compromised U.S. government systems plenty of times in my information security career, including spam issued from military computers. I don't find it plausible that the U.S. government has recently improved the security of all of its computers and networks so that there are no more compromised systems.

In the context of the article, it's discussing more specifically compromises due to the particular spy ring being monitored. The preceding sentences point out that they weren't able to determine with certainty who was running it, and the immediately preceding sentence asks, "Why was the powerful eavesdropping system not password-protected, a weakness that made it easy for Mr. Villeneuve to determine how the system worked?"

The question should actually have asked why it wasn't encrypted, rather than "password-protected," but the possibilities suggested to me here are that (a) this particular activity is being run by amateurs or (b) this particular activity was intentionally detectable, either (i) as a distraction from other, more hidden activity or (ii) to put the blame on China by somebody other than China.

Saturday, April 04, 2009

The Cybersecurity Act of 2009

There's FUD spreading about Sec. 14 of the Cybersecurity Act of 2009, maintaining that it amounts to an effective repeal of the 4th Amendment for the Internet. That's not so--the scope is restricted to "threat and vulnerability information" regarding the Internet, which I interpret to mean network service provider knowledge about compromised systems, botnets, etc., much of which is no doubt already being voluntarily shared with the government as is permissible under the Electronic Communications Privacy Act of 1986, when, in the course of a provider's normal service monitoring, it becomes aware of possible criminal activity.

I expect I'll have more to say after I have a chance to read through the whole bill (PDF).

Sunday, March 15, 2009

The U.S. Nazi dirty bomb plot

Remember how the press was all over the story of the 29-year-old millionaire white supremacist and fan of Adolf Hitler in Maine who was building a dirty bomb that he planned to set off at Obama's inauguration, but it didn't happen because his wife shot and killed him?

Me neither, but James G. Cummings of Belfast, Maine, had (quoting Wikileaks) "four lots of one gallon containers of bomb-grade hydrogen peroxide, uranium, thorium (also radioactive), lithium metal, thermite, aluminum powder, beryllium (radiation booster), boron, black iron oxide and magnesium ribbon" which he somehow planned to set off at the inauguration. Personally, I don't think that volume of material could have been easily smuggled in anywhere near the inauguration activities without raising suspicion.

Why no press coverage of this story, apart from the Bangor Daily News?

Wikileaks has a summary; Wonkette has summarized that; the Washington D.C. Regional Threat and Analysis Center report (PDF) is here.

Friday, December 19, 2008

PATRIOT Act NSL gag order unconstitutional

For a second time, a U.S. appeals court has found unconstitutional the provision of the USA PATRIOT Act which forbids recipients of National Security Letters from disclosing that they have received them. After the first time around, Congress amended the law to introduce some minimal judicial review, but maintained the burden of proof on the recipient if the government claimed there were national security reasons for the NSL to remain secret. The courts have ruled that this burden needs to fall on the government.

If this continues to stand, then perhaps the rsync.net warrant canary will become superfluous.

Friday, November 14, 2008

White House may be forced to recover "lost" emails

Lawsuits by the National Security Archive of George Washington University and the watchdog group Citizens for Responsibility and Ethics in Washington (CREW) have won a ruling from a U.S. district court judge that the White House can be forced to recover the five million "lost" emails that were deleted between March 2003 and October 2005. Those emails were required to have been preserved under the Presidential Records Act. Another set of emails from the office of Vice President Dick Cheney from September 30, 2003 to October 6, 2003 were found to be "lost and unrecoverable" by an Office of Administration investigation.

65,000 backup tapes have been preserved as part of the litigation, and those tapes will apparently be available for review to recover some of the five million lost emails.

More details at IntelDaily.

Criminal activity by air marshals

Looks like the air marshals have a problem similar to the TSA and the Border Patrol:
Shawn Nguyen bragged that he could sneak anything past airport security using his top-secret clearance as a federal air marshal. And for months, he smuggled cocaine and drug money onto flights across the country, boasting to an FBI informant that he was "the man with the golden badge."
Michael McGowan used his position as an air marshal to lure a young boy to his hotel room, where he showed him child porn, took pictures of him naked and sexually abused him.
And when Brian "Cooter" Phelps wanted his ex-wife to disappear, he called a fellow air marshal and tried to hire a hit man nicknamed "the Crucifixer."
Since 9/11, more than three dozen federal air marshals have been charged with crimes, and hundreds more have been accused of misconduct, an investigation by ProPublica, a non-profit journalism organization, has found. Cases range from drunken driving and domestic violence to aiding a human-trafficking ring and trying to smuggle explosives from Afghanistan.
More details at USA Today.

UPDATE (8 March 2015): Another air marshals scandal:
What began as an internal investigation into allegations of harassment and threats stemming from a spat between ex-lovers has expanded into a criminal inquiry focused on the Federal Air Marshal Service’s dispatch hub in Herndon, Virginia. More than 60 federal employees are under scrutiny as investigators look into whether flights considered at risk of hijacking or a terrorist attack were left without marshals on board, sources with knowledge of the investigation told Reveal.

Thursday, November 06, 2008

Behind the scenes during the election process

Newsweek reports some interesting tidbits from behind the scenes of the election process in both the McCain and Obama campaigns:
  • Both the McCain and Obama campaigns had computers compromised by "a foreign entity or organization [which] sought to gather information on the evolution of both camps' policy positions." And that entity was successful in collecting such data, apparently.
  • Palin's shopping spree was more extensive and expensive than has previously been reported: "While publicly supporting Palin, McCain's top advisers privately fumed at what they regarded as her outrageous profligacy. One senior aide said that Nicolle Wallace had told Palin to buy three suits for the convention and hire a stylist. But instead, the vice presidential nominee began buying for herself and her family—clothes and accessories from top stores such as Saks Fifth Avenue and Neiman Marcus. According to two knowledgeable sources, a vast majority of the clothes were bought by a wealthy donor, who was shocked when he got the bill. Palin also used low-level staffers to buy some of the clothes on their credit cards." The spending was allegedly tens of thousands of dollars more than reported.
  • McCain rarely spoke to Palin during the campaign, and although she wanted to speak in Phoenix along with McCain for his concession speech, this was vetoed by McCain's campaign strategist, Steve Schmidt.
  • The Secret Service reported "a sharp and disturbing increase in threats to Obama in September and early October, at the same time that many crowds at Palin rallies became more frenzied."
  • Palin attacked Obama about his connection to William Ayers before the campaign had finalized its plan about that issue--McCain had not given his approval, and a top advisor was resisting it.
  • Hillary Clinton was on much better terms with McCain than with Obama, and McCain feared that Hillary Clinton would be named as Obama's VP, and was glad when he chose Biden.
There are lots of other interesting bits in the article, as well.

Saturday, October 18, 2008

TSA airport security is a waste of time and money

Jeffrey Goldberg explains why in The Atlantic. The check for whether you're on the no-fly list is at the time of ticket purchase and check-in; there is no validation of your actual ticket against your ID at the TSA checkpoint (you can easily print and use a fake boarding pass at the TSA checkpoint); there is no check of ID when you board the plane. The checks for substances and items at the TSA checkpoint are easily subverted, with the restrictions on liquids probably the most absurd and pointless.

We're throwing away billions of taxpayer dollars per year on security theater.

(Hat tip to John Lynch.)

(Previously, previously, previously, previously, previously, previously.)

Saturday, September 20, 2008

EFF sues the NSA, Bush, Cheney, Addington, etc.

The Electronic Frontier Foundation has filed Jewel v. NSA to try another tactic in stopping unconstitutional warrantless wiretapping of U.S. residents. Their previous lawsuit against AT&T, Hepting v. AT&T, is still in federal court as the EFF argues with the government over whether the telecom immunity law passed by our spineless Congress is itself constitutional or applicable to the case.

Jewel v. NSA names as defendants the National Security Agency, President George W. Bush, Vice President Dick Cheney, Cheney's chief of staff David Addington, former Attorney General Alberto Gonzales, and "other individuals who ordered or participated in warrantless domestic surveillance."

Wednesday, September 17, 2008

Sarah Palin's Yahoo account hacked

Sarah Palin has apparently been using a personal email account for State of Alaska business (perhaps following Republican precedent on how to avoid subpoenas?), and it's been compromised.

Wikileaks has the documents.

UPDATE (September 19, 2008): The screenshots used by the attacker showed that he used ctunnel as his web proxy, and contained enough information to identify his source IP in ctunnel's logs.

As pointed out by commenter Schtacky, it looks like they've identified the culprit, who used some Google research and Yahoo's password recovery feature to change the password on the account to break in.

This shows the problem with choosing "security questions" for password recovery that have answers which are easily publicly available.

I hope that this kid's actions don't sabotage the corruption case against Palin that may have been supported by evidence in her Yahoo email, evidence that is now tainted by the fact that it was compromised (and subsequently deleted).

Friday, September 12, 2008

Virginia Supreme Court strikes down anti-spam law

Spammer Julian Jaynes now gets off as a result of a bad decision from the Virginia Supreme Court, reversing its own previous decision from six months ago.

The court ruled that the Virginia anti-spam law's prohibition of header falsification constitutes an unconstitutional infringement of the right to anonymous political and religious speech, suggesting that it would have been acceptable if it was limited to commercial speech.

The court's decision was predicated on the assumption that header falsification is a necessary requirement for anonymity, but this is a faulty assumption. All that is needed for anonymity is the omission of identity information that leads back to an individual, not the falsification of headers or identity information. That can be done with remailers, proxies, and anonymously-obtained email accounts, with no header falsification required. I previously made this argument in more detail in response to the arguments given by Jaynes' attorney in the press.

I also disagree with the court's apparent assumption that commercial speech is deserving of less protection than religious or political speech. What makes spam a problem is its unsolicited bulk nature, not its specific content.

Saturday, August 30, 2008

When t-shirts, coffee tables, and screws are munitions

One of my prized possessions, now in a box in a closet somewhere, is a T-shirt that says on its front "This T-shirt is a munition." Underneath it is some machine-readable barcode that encodes the RSA public-key encryption algorithm expressed in Perl. As the seller of the shirt advertised, "it's machine washable and machine readable."

When I bought and regularly wore that shirt, taking it out of the country was a crime punishable by up to a $1 million fine and 10 years in federal prison. This is because U.S. rules under the International Traffic in Arms Regulation (ITAR), then enforced by the Department of Commerce, ruled that strong encryption qualified as a munition subject to export controls and requiring a special license for export. After the Dan Bernstein case was decided in 1996, computer source code printed in a book (human readable format) was not subject to export controls, but computer source code in a machine readable format, such as on my shirt, still was. So I could wear my other T-shirt with RSA Perl code on it, which had a program in the shape of a dolphin, out of the country, but not the machine readable "This T-shirt is a munition" shirt. The implication was that you could take a copy of Bruce Schneier's Applied Cryptography out of the country without an export license, but not a disk containing the very same code fragments printed in the book. This website authored by Adam Back, written at the time, proposed some possible motives for government restrictions on cryptography.

What the ITAR regulations on cryptography did for Internet software development was prohibit web browsers and server software from implementing the strong encryption necessary to protect electronic commerce from being exported from the United States. The result was that this development work simply occurred offshore. There were no barriers to importation of the software into the U.S., only to export it out. So the software was developed and sold by companies in places like Canada, Russia, and Estonia, which had no such inane restrictions.

Finally, in 1999, the U.S. wised up and relaxed the ITAR restrictions on encryption, allowing export without a license to most countries (the exceptions being countries with links to state-sponsored terrorism).

But ITAR is still around, and still having the unintended effect of pushing business out of the United States. The current victim is commercial satellite production. In 1999, ITAR authority over satellite technology export was shifted from the Department of Commerce to the Department of State, and since that time the U.S. share of commercial satellite manufacturing has dropped from 83% to 50%. The company Alcatel Alenia Space, now known as Thales Alenia, took steps in the late nineties to eliminate all U.S.-manufactured components from its satellites, with the result that it has subsequently doubled its market share to over 20%. The European Space Agency, Canada's Telesat, and the French company EADS Sodern, that makes satellite control and positioning systems, have all been phasing out their use of U.S.-supplied components. They've done this because dealing with U.S. vendors increases costs (due to regulatory compliance costs) and causes unpredictable delays in the supply of parts.

Nevada's Bigelow Aerospace delivered an aluminum satellite stand to Russia in 2006, which Robert Bigelow described as "indistinguishable from a common coffee table." But because it's associated with a satellite and officially part of a satellite assembly, it is covered by ITAR and had to be guarded by two security guards at all times. Even commodity items like screws and wiring, when part of a satellite, are covered by ITAR regulations.

The purpose of ITAR is to prevent key U.S. technologies with military applications from being leaked out to other countries that might be hostile to the U.S. But the effect of its overly broad application has been to shift the development of that technology to other countries and reduce the ability of U.S. companies to compete in the commercial satellite business.

Congress should look to reform ITAR--when export controls are so badly broken as to have nearly the opposite of the intended effect, they clearly need to be relaxed.

(Satellite and ITAR info via "Earthbound," The Economist, August 23, 2008, pp. 66-67.)

Thursday, August 28, 2008

Military botnets article

I'm quoted in Peter Buxbaum's "Battling Botnets" article in the August 20, 2008 Military Information Technology. It didn't really fully capture the points I made in the interview, and I don't remember saying the statement at the end about using botnets as an offensive measure as "a nuclear option." I said that nullrouting is a much better method of denial of service for network service providers than flooding attacks, and made a point similar to Schneier's about military attacks on the infrastructure of another nation that the U.S. is at war with--it would be more useful to obtain access to their systems, monitor, and disrupt than to just shut off access completely, but those points weren't reflected in the article.

I've written more about military use of botnets at this blog.

Thursday, August 07, 2008

The Case Against Bruce Ivins

The Smoking Gun has a collection of documents about the government's case against suicidal government bioweapons researcher Bruce Ivins that is fascinating. Apparently he engaged in an "edit war" on the Wikipedia entry for the Kappa Kappa Gamma sorority (which my mother belonged to). He regularly posted negative information there, and became angry when it was deleted. He claimed that KKG had labeled him an "enemy" and issued a "fatwah" against him, and he broke into a KKG sorority house to steal a KKG handbook during his postdoc fellowship at UNC Chapel Hill.

The documents also show ties between Ivins and the American Family Affiliation, a conservative Christian group known for threatening boycotts against companies that do things like support gay rights, and with pro-life groups.

He was a regular user of pseudonyms and multiple email addresses.

The documents show that he was clearly a very disturbed individual.

(Previously.)

UPDATE (August 9, 2008): Ivins' coworker Meryl Nass lays out the case for reasonable doubt about Ivins' involvement at her blog.

Hume's Ghost points out in the comments that the anthrax attacks were used to help justify the invasion of Iraq on the grounds that the anthrax apparently originated there. One of the Glenn Greenwald articles Hume's Ghost alludes to, about false claims that the anthrax contained bentonite which tied it to Iraq, may be found here. A nice quote from that article:

Critically, ABC News never retracted its story (they merely noted, as they had done from the start, that the White House denied the reports). And thus, the linkage between Saddam and the anthrax attacks -- every bit as false as the linkage between Saddam and the 9/11 attacks -- persisted.

We now know -- we knew even before news of Ivins' suicide last night, and know especially in light of it -- that the anthrax attacks didn't come from Iraq or any foreign government at all. It came from our own Government's scientist, from the top Army bioweapons research laboratory. More significantly, the false reports linking anthrax to Iraq also came from the U.S. Government -- from people with some type of significant links to the same facility responsible for the attacks themselves.

Surely the question of who generated those false Iraq-anthrax reports is one of the most significant and explosive stories of the last decade. The motive to fabricate reports of bentonite and a link to Saddam is glaring. Those fabrications played some significant role -- I'd argue a very major role -- in propagandizing the American public to perceive of Saddam as a threat, and further, propagandized the public to believe that our country was sufficiently threatened by foreign elements that a whole series of radical policies that the neoconservatives both within and outside of the Bush administration wanted to pursue -- including an attack on Iraq and a whole array of assaults on our basic constitutional framework -- were justified and even necessary in order to survive.

ABC News already knows the answers to these questions. They know who concocted the false bentonite story and who passed it on to them with the specific intent of having them broadcast those false claims to the world, in order to link Saddam to the anthrax attacks and -- as importantly -- to conceal the real culprit(s) (apparently within the U.S. government) who were behind the attacks. And yet, unbelievably, they are keeping the story to themselves, refusing to disclose who did all of this. They're allegedly a news organization, in possession of one of the most significant news stories of the last decade, and they are concealing it from the public, even years later.

They're not protecting "sources." The people who fed them the bentonite story aren't "sources." They're fabricators and liars who purposely used ABC News to disseminate to the American public an extremely consequential and damaging falsehood. But by protecting the wrongdoers, ABC News has made itself complicit in this fraud perpetrated on the public, rather than a news organization uncovering such frauds. That is why this is one of the most extreme journalistic scandals that exists, and it deserves a lot more debate and attention than it has received thus far.
Greenwald goes on, in a series of updates, to point out that several of the pieces of evidence of Ivins' unusual behavior that are now pointed to as evidence of his guilt were already published in newspapers in 2004.

In a followup, Greenwald writes about whether journalists should expose sources who lie to them. I think a good case can be made that they should, in cases where the source is lying as opposed to being used as a dupe, and the journalist has good evidence to that effect. Being exposed for such lies would act as a disincentive for such lying to take place.

UPDATE (July 30, 2009): The New York Times reports that the National Academy of Sciences has assembled a 15-member panel to review the scientific work done by the FBI to identify Ivins as the culprit. The process is expected to take a year and a half to complete.

UPDATE (November 27, 2009): Glenn Greenwald argues that the case on Ivins shouldn't be closed, and cites various mainstream sources that agree.

Tuesday, August 05, 2008

Bush pressured FBI to blame anthrax on al Qaeda

White House officials pressured the FBI to blame the 2001 anthrax attacks on al Qaeda, even after it was already known that the anthrax was a strain that came from U.S. Army laboratories, according to a retired senior FBI official.

Just another example of Bush administration deception.

Friday, August 01, 2008

Prosecution target for anthrax attacks commits suicide

Upon learning that he was about to be the target of a prosecution for the 2001 anthrax attacks that killed five people, U.S. government biodefense researcher Bruce Ivins killed himself on Tuesday with an overdose of Tylenol with codeine.

Ivins became a suspect after it was discovered that he had failed to report anthrax contaminations at his lab at Fort Detrick, Maryland, in 2002. In late 2008, he was ordered to stay away from a social worker who had counseled him, Jean Duley, who would have testified against him at his trial. In Duley's application for a protective order, she said that Ivins had stalked her and threatened to kill her.

Ivins worked at the same lab where a prior "person of interest" in the case, Stephen Hatfill, also worked. Hatfill was cleared of involvement with the attacks and won a $5.8 million settlement from the Justice Department after he sued for harassment and privacy act violations. Hatfill also won a $10 million libel judgment against Vanity Fair and Reader's Digest for an article by Donald Foster which claimed that Hatfill's writings and travels connected him to the anthrax attacks.

Ivins' attorney claims that he was innocent, but if that were the case, wouldn't his response have been more like Hatfill's? Perhaps, perhaps not. Private investigator and former CNN reporter Pat Clawson, who was also a spokesperson for Hatfill,
said on Friday that news organizations and the public should be “deeply skeptical” about any notion that Dr. Ivins was the anthrax killer unless and until solid evidence is brought forth.

“Everybody is jumping to the conclusion that because this guy committed suicide, he must be the anthrax killer,” Mr. Clawson said. “That is a lousy premise. The pressure of these F.B.I. investigations on individuals is phenomenal, and it is quite likely that this guy cracked under that pressure but had nothing to do with the killings.”

Ivins was a church-going Catholic and a married father of two.

(Hat tip to Greg Laden.)

UPDATE (August 7, 2008): The government's case against Ivins includes tracing the strain of anthrax to his specific lab, the fact that he worked long periods alone in a secure lab that housed that strain and could not account for his activity, that when asked to provide spores from his laboratory to investigators he gave them different spores and then lied about it, that he sent an email to an associate after 9/11 saying that terrorists have "anthrax and sarin gas" and have "decreed death to all Jews and Americans," language similar to statements in threatening letters included in the mailed anthrax envelopes. All of the spores used in the anthrax attacks came from a single flask in Ivins' lab, RMR-1029. That's probably the most conclusive evidence that Ivins was behind the attacks.

Apparently Ivins also engaged in an "edit war" on the Kappa Kappa Gamma sorority's Wikipedia page, repeatedly posting negative information there, and thought that the group had declared a "fatwah" on him. (Via The Agitator.)