Spam email from Christine Jones for governor campaign

I received the following spam email today (a link on the email claims, falsely, that I opted in for it in October 2013) from the Christine Jones for governor campaign.  Jones is a former GoDaddy executive who looks like a terrible candidate for governor of Arizona.

Dear James,

        As a Republican candidate for Governor, I am frequently

asked where I stand on the issues important to our state-issues

ranging from immigration and education to economic development

and healthcare.

        At a recent forum I was asked one of the single-most

important questions that a candidate for political office can

face. The question was, "Where does your moral compass come

from?"

        At three years old, I climbed onto the Sunday School bus

that drove the neighborhood kids to the local evangelical church.

It was there that I learned about God and His Son, Jesus. Since

then, I have let my personal relationship with Him be my moral

compass.

        One of my life phrases is, "Do the right thing because

it's the right thing to do." I am not interested in making

excuses or politicizing important issues. I am interested in

doing things based on conviction and personal belief. As

Governor, I can promise you that I will adhere to my moral

compass.

        If you would like to hear more about my story and why I

am running for Governor, I invite you to join me Tuesday, April

29th, from 6:30-8:00pm at New Life Community Church of the

Nazarene in Show Low. I hope you can make it!

        Best,

        Jones for Governor, Inc · Primary

        PO Box 13087

        Phoenix, AZ 85002-3087, United States

        Paid for by Jones for Governor, Inc.

Virginia Supreme Court strikes down anti-spam law

Spammer Julian Jaynes now gets off as a result of a bad decision from the Virginia Supreme Court, reversing its own previous decision from six months ago.

The court ruled that the Virginia anti-spam law's prohibition of header falsification constitutes an unconstitutional infringement of the right to anonymous political and religious speech, suggesting that it would have been acceptable of it was limited to commercial speech.

The court's decision was predicated on the assumption that header falsification is a necessary requirement for anonymity, but this is a faulty assumption. All that is needed for anonymity is the omission of identity information that leads back to an individual, not the falsification of headers or identity information. That can be done with remailers, proxies, and anonymously-obtained email accounts, with no header falsification required. I previously made this argument in more detail in response to the arguments given by Jaynes' attorney in the press.

I also disagree with the court's apparent assumption that commercial speech is deserving of less protection than religious or political speech. What makes spam a problem is its unsolicited bulk nature, not its specific content.

Food tasting

Via Stranger Fruit.

1. Venison
2. Nettle tea
3. Huevos rancheros
4. Steak tartare
5. Crocodile
6. Black pudding (in Buenos Aires)
7. Cheese fondue
8. Carp (fish allergy)
9. Borscht
10. Baba ghanoush
11. Calamari
12. Pho
13. PB&J sandwich
14. Aloo gobi
15. Hot dog from a street cart
16. Epoisses
17. Black truffle
18. Fruit wine made from something other than grapes
19. Steamed pork buns
20. Pistachio ice cream
21. Heirloom tomatoes
22. Fresh wild berries
23. Foie gras
24. Rice and beans
25. Brawn, or head cheese
26. Raw Scotch Bonnet pepper
27. Dulce de leche (in Buenos Aires)
28. Oysters
29. Baklava
30. Bagna cauda
31. Wasabi peas
32. Clam chowder in a sourdough bowl
33. Salted lassi
34. Sauerkraut
35. Root beer float
36. Cognac with a fat cigar
37. Clotted cream tea
38. Vodka jelly/Jell-O
39. Gumbo
40. Oxtail
41. Curried goat
42. Whole insects (chocolate covered ants/grasshoppers/crickets)
43. Phaal
44. Goat's milk
45. Malt whisky from a bottle worth £60/$120 or more
46. Fugu
47. Chicken tikka masala
48. Eel
49. Krispy Kreme original glazed doughnut
50. Sea urchin
51. Prickly pear
52. Umeboshi
53. Abalone
54. Paneer
55. McDonald's Big Mac Meal
56. Spaetzle
57. Dirty gin martini
58. Beer above 8% ABV (Elephant beer at Carlsberg Brewery in Copenhagen)
59. Poutine
60. Carob chips
61. S'mores (last night)
62. Sweetbreads
63. Kaolin
64. Currywurst
65. Durian
66. Frogs' legs
67. Beignets, churros, elephant ears or funnel cake (Beignets at Cafe du Monde in New Orleans)
68. Haggis
69. Fried plantain
70. Chitterlings, or andouillette
71. Gazpacho
72. Caviar and blini
73. Louche absinthe
74. Gjetost, or brunost
75. Roadkill
76. Baijiu
77. Hostess Fruit Pie
78. Snail
79. Lapsang souchong
80. Bellini
81. Tom yum
82. Eggs Benedict
83. Pocky
84. Tasting menu at a three-Michelin-star restaurant
85. Kobe beef
86. Hare
87. Goulash
88. Flowers
89. Horse
90. Criollo chocolate
91. Spam
92. Soft shell crab
93. Rose harissa
94. Catfish
95. Mole poblano
96. Bagel and lox
97. Lobster Thermidor
98. Polenta
99. Jamaican Blue Mountain coffee (I'd rather try Kopi Luwak)
100. Snake Fried rattlesnake at Rustler's Rooste

The Amazing Meeting 6 summarized, part four

This is part four of my summary of The Amazing Meeting 6 (intro, part one, part two, part three, part five).

Phil Plait
Astronomer Phil Plait of the Bad Astronomy blog began by saying that the Internet is "a system for rapidly distributing sewage," but also for distributing astronomy. His talk went through the solar system from Mercury to KBO 2004 XR 190 a/k/a "Buffy," with interesting photographs and facts about various planets and moons along the way.

Mercury: The 2004 MESSENGER probe took photographs of the Caloris basin, the single biggest feature on Mercury, originally thought to be 1300 km in diameter but revised upward to 1550 km based on those photos. Because Mercury spins twice for every three times it revolves around the sun, this basin is directly under the sun, every other orbit. It's a gigantic impact crater that's 3.8 to 3.9 billion years old.

Venus: The hottest planet, a hell hole about the size of earth and with about the same amount of carbon and just a little bit closer to the sun, but it suffers from a runaway greenhouse effect. It's been photographed by the Russian Venera probes from 1962 to 1982 and by Magellan in 1990.

Earth: Plait spoke of an HD movie of Earth shrinking into the distance as MESSENGER departed.

Phobos: This moon of Mars has a giant crater--had it been hit by anything bigger, Phobos would have disintegrated. Phobos is apparently a captured asteroid, which orbits backward from other moons in the solar system. Unlike Earth's moon, it is gradually getting closer to Mars, and will collide with it in about the next 50 million years, causing an impact greater than the asteroid that created the Yucatan basin.

Jupiter's acne: The Great Red Spot (Cassini, named after Jean-Dominique Cassini, who first observed it in 1655), a 400-year-old hurricane, has now been joined in 2000 by another little spot. The new spot was white but has now turned red and is known as Oval BA (or Red Jr.)--it is as large as the Earth.

Iapetus: This moon of Saturn has one light hemisphere and one dark, and was recently discovered to have a 20 km high ridge almost perfectly around its equator. (I remarked that it looks like a Death Star.)

Uranus: It's tipped 98 degrees on its side in its orbit, likely as a result of an impact from something very large, perhaps Earth-sized.

Neptune: The other blue planet, it contains lots of methane and emanates 1.6 times the heat it receives from the Sun. It has 2,200 kph winds. Where is that energy coming from?

Pluto: It's not a planet, so we don't care about it.

KBO 2004 XR 190 a/k/a "Buffy": This is an odd trans-Neptunian object--where almost all objects in the solar system have very elliptical orbits, it is an object 8.5 billion km from the Sun--twice the distance from the Sun of Neptune--yet its orbit is circular.

Plait concluded by noting that he hasn't even talked about the Sun, Milleomeda (what the galaxy will be after Andromeda and the Milky Way collide), or countless other things that we don't understand. But this lack of understanding doesn't mean we know nothing. "The universe is cool enough without making up crap about it. That's why I'm a skeptic."

Adam Savage
Adam Savage of "Mythbusters" brought a box of about 1,000 ping pong balls which were used to raise a boat from the bottom of Monterey Bay, and gave them out to members of the audience, and signed his autograph on many of them. He then gave a talk entitled "My Maltese Falcon," about his obsession with recreating a precise replica of one of the two lead sculptures from the movie of the same name. He did extensive research into its measurements, even paying to purchase used auction catalogs from Christie's to examine photographs. Joseph Warner gave one of the two lead ones to Joseph Conrad, one which Humphrey Bogart dropped and put a dent in. He sculpted one based on photographs, sprayed it with 75 coats of auto primer, then buffed and sanded it. He freeze framed every still from the original film in a scene where the statue was rotated. Someone offered to cast it in bronze for him, and he had two made--but the casting process caused it to lose size, and so his bronze model is 3/4" shorter in height at the beak, with the result that he hates it. At a conference he met the man who purchased William Conrad's lead statue, which he hopes to be able to scan and use to make the most accurate replica ever, which he'll report back on next year.

He showed a couple of world premiere viral videos--one in which he and Jamie simultaneously solved Rubik's cubes, one while blindfolded and the other with his feet. The footage was actually reversed--they started with solved cubes and then just messed them up. In a second video, he inhaled some helium and spoke with a high voice, then inhaled some sulfur hexafluoride (which he informed us is very expensive) and spoke with a deep voice, and everyone laughed. He said that someone (a producer?) thought that the cube video was cool, but that the balloon stunt was obviously faked.

He took questions and answers from the audience; a few highlights were that they want to do a full 60 minute show on the JFK assassination, Discovery has said no to "21 grams" (do we lose weight when we die), the Cheney shooting, vinyl vs. CD, and speaker cable vs. coat hanger.

His segment concluded with some footage of "explosion porn" from the show.

Matthew Chapman
Matthew Chapman, great-great grandson of Charles Darwin, screenwriter ("The Runaway Jury" and nine other films), and author (Trials of the Monkey and 40 Days and 40 Nights, the latter of which, about the Dover trial, I am currently reading), spoke about three things: Science Debate 2008, his love of America, and "Darwin, creationism, etc." He began with his love of America, noting that he had grown up in the 1950s and 1960s, raised by parents who read the New Yorker and were fans of Woody Allen, Mort Sahl, and Lenny Bruce, and so he always wanted to be an American. He moved to the U.S. to get into the film business, and went to L.A. A woman he knew to be educated asked him what his sign was--he thought she was kidding, but she was not. Ever since he has been fascinated with Americans' fondness for pseudoscience. He was invited to a "shack" (of the $5 million variety) in Malibu to see someone channel "Basha," and he couldn't help but laugh out loud. A woman present asked the channeler, "I have a potential development deal at Warner Brothers. What is Basha's advice?"

When he expressed indignation at such expressions of irrationality, he was told, "Oh, you're so rational" or "you're so British." He felt alone until he came across the Skeptical Inquirer magazine, and he promptly purchased and read every back issue. (I had a similar experience in my life--I read Skeptical Inquirer while still a religious believer, and also ended up purchasing and reading every back issue from cover to cover.) He became enraged by Scientology, UFOs, spontaneous human combustion, crystals, telepathy, Shirley MacLaine (who he's met), Nostradamus, pyramid power, etc. etc. While in an elevator with James Randi at an event in UCLA, he asked Randi if he'd heard of some Brazilian paranormalist (a psychic surgeon?), and Randi responded by pulling a pen out of his ear.

Despite the far more voluminous "loony bullshit" in the U.S. than in Europe, he still loves it here, and became an American citizen.

He next spoke about creationism. His book Trials of the Monkey was about his visit to Dayton, Tennessee to learn about the Scopes Trial, and he found that the people there today are much the same as they were back then. His newer book, 40 Days and 40 Nights, was written during and after his observation of the entirety of the Kitzmiller v. Dover trial, which he witnessed from the jury box (where the press sat, since it was a non-jury trial). Through the Dover trial, he learned that it is possible to make science interesting to non-scientists.

Finally, he talked about Science Debate 2008. As the political debate season began, he watched all the debates, expecting to see questions about ozone, ocean health, climate change, etc., but only saw questions about lapel pins, religion, etc. There were more questions about UFOs than about global warming. He suggested the idea of a debate on science at the Atheist Alliance confernece, and Chris Mooney, who he had met earlier, got on board, along with his fellow Intersection Science Blogger Sheril Kirshenbaum. Soon thereafter, John Rennie of Scientific American became a backer, and Lawrence Krauss of The Physics of Star Trek (Chapman inadvertently said "Star Wars") also joined. They ended up starting an organization and collecting over 50,000 signatures, including the support of 51 colleges, 5 museums, 10 magazines, 112 science organizations, 14 Congresspeople, 7 presidential science advisors, 143 CEOs of science and technology companies, 28 Nobelists, 102 college and university presidents, PBS, Nova, the Franklin Institute, the National Academy of Sciences, the American Association for the Advancement of Science, and even Newt Gingrich. A Harris poll says that 85% of voters would like to see a science debate.

But so far, all of the candidates have said no or failed to respond at all. Chapman said that McCain was the most polite in saying no, and seemed to leave the door open.

They've now developed 14 questions and are preparing a new invitation to be sent to Obama and McCain.

Chapman then took questions, and someone asked if there was any opposition from scientists on the grounds that this is politicizing science. Chapman said he's had negative reactions from about three scientists, one of whom was present at this conference.

After Chapman's talk, I had a chance to speak with him briefly (he noticed the NCSE Grand Canyon trip T-shirt I was wearing, and commented on what great people Genie Scott and Nick Matzke are), as well as with his wife, Denise, who was also present at the conference. Denise Chapman, a Brazilian who has acted in television and film (including "Kiss of the Spider Woman" and Woody Allen's "Radio Days"), is the daughter of composer and musician Humberto Teixeira, started Baiao music and was the composer of the popular Brazilian song "Asa Branca" ("White Wing"). She was pleased to hear that some friends of mine named their African grey parrot "Asa Cinza" ("Grey Wing") in honor of that song. She has been working on a documentary film about her father that will be premiering later this month at MoMA.

Richard Wiseman
British psychologist Richard Wiseman spoke a little bit about his book Quirkology, presented a few optical illusions, and commented about his obtaining a videotape of Indian "God-man" Sai Baba in which he was caught engaging in sleight of hand, which he then showed to us. (Sai Baba was debunked well in a book by Dale Beyerstein titled Sai Baba's Miracles: An Overview, which describes some other instances of Sai Baba being caught in trickery.

He then showed his now-famous viral video of the "colour changing card trick," and followed it up showing a video of how it was made (it took many takes to get it right; he showed some amusing failures). This video, which has had over 2.5 million views, demonstrates the phenomena of "change blindness," and they've used eye-tracking to study viewers of the video to see if they are not looking in the right place or simply failing to register the changes, and it seems to be the latter. This video has apparently now inspired a routine in Penn & Teller's show.

This was followed up by a spoon-bending lesson from an expert--Teller. Teller explained that there is a method, the trick that deceives the eye, and there is misdirection, the trick that deceives the mind. The spoon-bending trick is based on a pre-stressed spoon, but to allay suspicion he only does the trick about once every five times he creates a pre-stressed spoon, because he waits for an opportunity to swap the spoon with a neighbor, and then only does the trick if the conversation happens to turn in a direction that makes it seem appropriate. He told the story of how Danny Hillis (of Connection Machine and Long Now Foundation fame) was invited to a posh party at the home of Courtney Ross (widow of Steve Ross, CEO of Time Warner). At dinner, the conversation turned to Rupert Sheldrake. Hillis had pre-stressed his neighbor's spoon, and put his own spoon on a plate so that the waiter took it away. Hillis borrowed his neighbor's spoon and did the trick, bending and breaking the spoon and dropping it into his wine. His hostess said, "I can't believe you did that." He made a comment to the effect that it was a trick, and she said, "No, I can't believe you did that." She was horrified that he had destroyed one of a fixed number of identical place settings by some famous designer which she had painstakingly collected over the years. And that, said Teller, made it funny.

Wiseman then came back and said that we would now make the world's largest spoonbending video for YouTube. We were given one run-through of the simple script, and then did it on video, all 900 of us (though there were only 800 pre-stressed spoons, so the 100 in the back had to mime). The video will make its debut at www.spoonscience.com (which as of this moment still says "coming soon").

Panel discussion on the limits of skepticism
Goldacre, Daniel Loxton, Radford, Savage, Novella, Hrab, Randi, Banachek, and Saunders assembled on stage for this panel discussion, which I don't recall actually addressing a subject that I'd characterize as the limits of skepticism. Instead, it seemed to be pretty much a free-for-all Q&A about skepticism.

At one point, someone spoke of "winning the war" against irrationality, and Banachek said he preferred to think in terms of making a mark rather than winning a war.

Randi commented on the famous quotation attributed to him by Dennis Rawlins' "sTARBABY" that "I always have an out," suggesting that his then-$10,000 and now $1 million reward for the successful demonstration of a paranormal event is not fair. He stated that this quotation was out-of-context, and that what he actually said was "I always have an out--I'm right." Dennis Rawlins, however, says that this is untrue, and that Randi has only recently started appending "I'm right" to this quotation. In 2000, when Matt Kriebel made his "sTARBABY mini-FAQ," Randi had a different explanation, stating that the "out" was about his stage act rather than his challenge.

Adam Savage observed that at the last TAM he mentioned that he was an atheist, and now that's appeared on his Wiki page.

In answer to a question about what's the worst thing you've ever been called, Richard Saunders said he had been accused of being "a mouseketeer of evil."

Savage made the statement that "You might think the world has color before critical thinking, but when you start thinking critically, it goes to HD."

It was mentioned that skeptical materials are appearing in other languages--"Mythbusters" is now in 145 countries and 9 languages, and Benjamin Radford is editor of the Spanish-language skeptical magazine, Pensar, along with the Skeptical Inquirer.

Sunday conference papers
The final session of the conference, Sunday morning until noon, was for presentation of conference papers.

John Janks on the Marfa Lights: I regret that I missed this, since I published two papers on the Marfa lights in The Arizona Skeptic when I was editor, but I made the mistake of assuming the session would begin at 9 a.m. like previous days--nope, it was 8:30 a.m.

Don Nyberg on "What Every Student Needs to Hear from Every Science Teacher": Nyberg, a physics professor who apparently plays a mean game of poker, said that he attacks pseudoscience, and especially "religious pseudoscience," in his classroom. Unfortunately, his talk didn't bother to define what he meant by this term, and his talk was a series of arguments by assertion, arguments from authority, and ad hominem that I thought was embarrassingly badly argued. He seemed to be arguing that anyone with a degree in science who expressed support for religion should have their degrees revoked, which prompted the moderator Ray Hall to ask Nyberg whether he thought that biologist Kenneth Miller, whose testimony helped produce the proper outcome in the Kitzmiller v. Dover case, should have his degrees revoked. Nyberg responded that yes, he should, if he's promoting his religious beliefs in the science classroom (a qualifier which hadn't been included in his earlier statement). I'd like to obtain a copy of Nyberg's actual materials to review, to see how they compare to his talk.

Steve Cuno: The head of an "evidence-based marketing company," he gave an excellent talk about myths in marketing. Such myths include:

• We control your mind.
• Creativity is magi.
• No one reads long ads.
• Awareness creates sales.
• Focus groups are predictive.
• Sales went up because of ads.

He gave some examples associated with each of these, and described some of the tests that his company had performed to test marketing campaigns to find what causes responses to direct mailings and what leads to conversions to sales. He suggested the classic book Tested Advertising Methods, and pointed out that he has his own book coming out in December, with an intro by Michael Shermer, titled Prove It Before You Promote It.

One of the questions asked was "is Seth Godin full of shit?" Cuno tactfully said that no doubt some of what Godin says is speculative.

Tracy King: She gave a talk on "The Most Popular Science Video in the World - How to Make Your Message Famous." She talked about Wiseman's "colour changing card trick" video, which got 80,000 views in the first two weeks and 2 million views by 18 weeks, and has now been seen by 80 million people on South American Globo TV, used in classrooms, and recreated by students.

She looked at other science videos that have been viral hits, such as the Diet Coke and Mentos videos, the first of which was uploaded in 2006 by Fritz Grobe, a juggler, and Stephen Voltz, a lawyer. They chose Diet Coke for its strong brand, and when it became a viral hit they received funding from Mentos to make more, and ultimately got a sponsorship deal from Coca Cola.

King pointed out that a lot of viral techniques are now illegal in the UK--you must be explicit about being paid to produce videos, for example.

She talked about the bogus popcorn/mobile phone video, which is one that would be in violation of the UK law today. It was created in multiple versions--English (where they're drinking orange juice), French (where they're drinking beer), and Japanese (where they have miso soup). These videos were made for Cardo Systems, a bluetooth headset manufacturer, and are clearly designed to encourage the idea that cell phones are dangerous to hold near your head. (Someone should make a viral video about bluetooth headsets.)

So what makes a successful viral video? There is no formula, but there are common themes--humor, surprise, fear/scaremongering, emotion, skill, embarrassment. One thing she didn't mention which I think was a factor in the success of the "colour changing card trick" video is that there were already multiple videos spreading widely with the exact same name, where the focus really was on that card trick. The Wiseman video was an interesting twist on what was already spreading virally, with the element of surprise and humor at the end. In essence, that video caught the wave of the other card trick videos, and then took it much farther. When I first saw the Wiseman video, I thought I was just seeing another version of that same trick.

And why do we pass on viral videos?

• Reflected glory.
• Being the first to know.
• Being part of a crowd with similar tastes.
• Being part of a shared cultural experience.
• (Participating in the formation of) the language of your generation.

She mentioned Ray Comfort's "The Atheist's Nightmare" as something which has effectively spread virally, but didn't exactly get the desired message across.

She ended by encouraging everyone to make videos promoting skepticism and critical thinking, and offered the following suggestions:

• Identify what your message is--don't be preachy or superior, which is a turnoff.
• Determine what your objectives are--to build website traffic, tell friend, etc.? If you don't have a call to action, your message may be lost.
• Find a creative concept--it may be explicit, subtle, or obscure.
• Make the video.
• Promote the video--it's not going to circulate itself, and professional seeding (e.g., making use of a company like hers that has relationships with bloggers, forum participants, etc. to promote things in a subtle, unobtrusive, and unspammy way).
• And finally, she explicitly listed: don't spam.

She ended by saying that while she can't recommend or encourage a "Jackass" approach to skepticism, it's something she'd certainly like to see.

On to TAM6 summary, part five.

Jeremy Jaynes loses appeal on spamming case

Jeremy Jaynes, the spammer who was convicted and sentenced to nine years in prison in 2003 for violating Virginia's anti-spam law, has lost his appeal before the Virginia Supreme Court in a 4-3 ruling. Several of the dissents claimed that Virginia's anti-spam law, which criminalizes unsolicited bulk email with falsified headers, even if it is political or religious in content rather than commercial, is a violation of the First Amendment. The quotations from Justice Elizabeth Lacy and Jaynes' attorney Thomas M. Wolf both state that the law has diminished everyone's freedom by criminalizing "bulk anonymous email, even for the purpose of petitioning the government or promoting religion."

Both Lacy and Wolf misrepresent the law, which makes it a crime to "Falsify or forge electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk electronic mail through or into the computer network of an electronic mail service provider or its subscribers."

There is a difference between forging headers and sending anonymous email--the latter does not require the former, and the latter is not prohibited by the law. Jaynes wasn't just trying to be anonymous--he was engaged in fraud, and falsifying message headers and from addresses to try to avoid the consequences of his criminality. He wasn't using anonymous remailers to express a political or religious message, and if he had been, he wouldn't have been able to be charged under this law.

UPDATE (September 12, 2008): The Virginia Supreme Court has reversed itself and struck down Virginia's anti-spam law as unconstitutional, on the grounds that prohibiting false routing information on emails infringes upon the right to anonymous political or religious speech. This is a very bad decision for the reasons I gave above. There are ways to engage in anonymous speech without doing what Jaynes did, falsifying message headers and domain names. The court's argument that one must falsify headers, IP addresses, and domain names in order to be anonymous is factually incorrect. Anonymity doesn't require header falsification, it only requires *omission* of identifying information.

Canada busts 17 in botnet ring

This morning Canada arrested 17 people of ages ranging from 17 to 26 years old for running botnets containing "up to one million computers" in 100 countries. They face charges that could result in up to 10 years in prison.

This barely scratches the surface of online criminal activity. Niels Provos of Google did a study (PDF) that found that of 4.5 million websites scanned between March of 2006 and February of 2007, 450,000 of them attempt to load malware on visiting machines. Sophos' similar survey in July of last year that found that 29% of websites host malware, 28% host porn or gambling content, and 19% are spam-related. Drive-by malware installations (where merely visiting a website causes malware to be loaded onto your machine) are definitely the method of choice for creating botnets today. I recommend using Firefox with the NoScript plugin and the MyWOT plugin to help prevent getting infected by such sites.

Tomorrow, I'll be attending a New Mexico InfraGard conference at which I hope to learn more about recent malware trends (and get my copy of Catch Me If You Can and/or The Art of the Steal autographed by their author). This is another one open to the general public, so I expect no talk about "shoot to kill" powers except in jest.

UPDATE (February 22, 2008): I'm quoted in Brian Jackson's article on the Quebec botnet hacker bust on itbusiness.ca. I'm not entirely happy with the quotes attributed to me--I didn't say "tens of millions," though I said there have been botnets with more than a million hosts, and there are multiple millions of compromised hosts out there. If tens of millions is not accurate today, it will be in the future. The other quotation about IRC got a little bit garbled, but is not far off--I made the point that the bots of today have evolved from a combination of IRC bots of the past combined with denial of service attack tools, remote access trojans, and other malware, and many of them still use IRC as their mode of communication.

"Anonymous" launches "war" against Scientology

In a press release yesterday that cites an article I co-authored in Skeptic magazine, a group referring to itself as "Anonymous" has announced that it has declared war against Scientology. The stated justification for the "war" is the Church of Scientology's attempts to keep a video of Tom Cruise off the net. That video, which is still viewable at Gawker.com, was made for a Scientology awards ceremony. The longer video from which it was taken is also now viewable there. Gawker.com responded to a cease and desist letter with a refusal to remove the video, which it considers to be fair use for news and comment, but I'm not so sure that it has a good legal case for putting up more than short excerpts. (In case you're wondering about all the Scientology jargon in the Tom Cruise video, MTV has done a good job of explaining it. Actor Jerry O'Connell has also put out a good parody.)

The "war," which is described at another site under the name "Project Chanology" (a reference to 4chan, a popular message board, where most posts are made by people who don't login and are thus attributed to "Anonymous"), calls for denial of service attacks over the Internet, prank phone calls, spam emails, and personal visits involving vandalism and harassment. Apparently Scientology's main website was down due to denial of service for at least part of the day yesterday.

The press release cites a number of web pages for further information about Scientology, the second of which is the article "Scientology v. the Internet: Free Speech & Copyright Infringement on the Information Super-Highway" which Jeff Jacobsen and I wrote for Skeptic magazine in 1995 after Scientology effectively declared war on the Internet. (A much lesser-known sequel to that article, published only on the web, is "Scientology v. the Internet: An Update and Response to Leisa Goodman.")

I completely disagree with the tactics being used here--Scientology has as much right to free speech and protection of their copyrights as anyone else, though I also condemn Scientology's habitual misuse of copyright to try to suppress fair use of information. To the extent this is a prank designed to get media attention, well done. To the extent it gets taken seriously, though, it's something that may not end well. Read the material, watch the videos, have a laugh, and tell others about the absurdity and abuses of Scientology. But please, don't launch attacks on their websites, harass individuals, or engage in vandalism.

"Anonymous" previously received coverage for attacks on MySpace accounts on Fox 11 in Los Angeles on July 26, 2007.

BTW, the press release gets its facts wrong when it claims that the alt.religion.scientology Usenet newsgroup was "shut down." Scientology attorney Helena Kobrin issued an rmgroup message, but almost all news servers ignored it. The accurate facts may be found in Jeff's and my Skeptic article.

UPDATE: Wikinews and Xenu.net have more.

Notorious major spammer indicted

Alan Ralsky, at one time believed to be the top spammer in the world, has finally been indicted today by a federal grand jury. His home was raided back in 2005, and he's now been charged along with ten other people in "a wide ranging international fraud scheme involving the illegal use of bulk commercial e-mailing." Those indicted include James E. Bragg, 39, of Queen Creek, Arizona.

The indictment alleges that Ralsky's spam gang "tried to send spam" through botnets and engaged in a "pump and dump" stock scam for Chinese companies. The Detroit Free Press's coverage reports: "Prosecutors described Ralsky, 52, of West Bloomfield, as one of the most prolific spammers in the nation. Until 2005, when federal agents raided his home and seized his computers, his operation sent tens of millions of unsolicited email messages daily to Internet subscribers, hawking everything from sexual enhancement drugs, weight loss products and worthless stock, the government said. In the summer of 2005 alone, prosecutors said, his operation generated $3 million."

The DOJ press release is here.

Creation Ministries explains settlement breakdown

Creation Ministries International has put up a web page explaining the breakdown in settlement talks with Answers in Genesis:

Unfortunately, the actions of AiG-US since the ‘Hawaii handshake settlement’ have meant that, barring a near-miraculous change of heart on their part, the situation appears to have broken down once more.

The terms of settlement were, in the understanding of all parties present, effectively finalized and agreed upon in Hawaii in mid-August (see two ‘stop press’ announcements below) by duly authorized and empowered representatives of the ministries—even though Ken Ham was not present, although we had been led to believe that he would be.

The only thing left was to discuss the details of how to commit the handshake agreement to writing. Both sides agreed to reconvene in Hawaii 60 days later (at the latest), if absolutely necessary, if we failed to finish the process of committing it to writing.

The page goes on to explain that this has not happened, because AiG waited until after the 60 days was over to respond to CMI's written proposal based on the verbal agreement, and AiG's response was to invent an entirely new agreement which omitted conditions that had been verbally agreed to and inserted new conditions which had not been agreed to.

CMI proposed that they move forward by meeting again in person in a neutral country (such as Singapore or New Zealand) with an independent Christian arbitrator and hammering out an agreement in writing. AiG's lawyers responded with a rejection.

At the same time, John Mackay's mailing list in Australia has been ratcheting up the assault on the alleged "spiritual problems" of CMI, which CMI has responded to by sending out this email:

From: CMI INFObytes
Sent: Wednesday, November 14, 2007 7:53 AM
Subject: Serious slander issue against CMI

Serious slander issue against CMI

A short time ago, we were in receipt of a very vicious document circulating from a professing Christian ministry (which not many are aware is operated by an unrepentant church excommunicant) that made astonishing allegations against CMI-Australia and in particular its Managing Director, Dr Carl Wieland.

We did not react at the time, because the vendetta has been in operation for some 20 years now, and we assumed that surely people would have sufficient discernment to contact us to check the veracity of these allegations. However, we are concerned that some might think there might be some substance to the allegations, without understanding that they are clearly designed to undermine the confidence of the Christian public, and to thus attack CMI's ability to do outreach.

We have prepared a written response which makes it plain that these are falsehoods, documentable as such by eyewitness testimony. In it we have challenged the perpetrators to 'front up' and make these claims openly in a proper Christian forum, instead of by slanderous gossip techniques.

If you know of any person who has been in receipt of this particular 'spiritual-sounding' slander, or if your church leaders have heard these unfortunate allegations, please encourage them to email us at [mail at creation.NOSPAMinfo -- edited to prevent spam harvesting -jjl] and request our response to the article in question. If after reading that response, they have any further questions, we will be pleased to answer them. It is a real pity that we cannot just continue our ministry in peace and safety without such distractions.

If you are unaware of any such contemplated move against CMI in your circles, please just pray for this situation in general terms. Your ongoing support of the outreach is much appreciated.

Yours in Christ,

Gary Bates
Head of Ministry, CMI-Australia

It will be interesting to see if AiG makes any public comment.

Spammers and criminals for Ron Paul

From metafilter:

When Ron Paul email spam started hitting inboxes in late October, UAB Computer Forensics Director Gary Warner published findings on the spam's textual patterns and the illicit botnet used to spread it -- findings which were picked up by media outlets and tech websites like Salon, Ars Technica, and Wired Magazine's "Threat Level" blog, the latter in a set of followup posts by writer Sarah Stirland: 1, 2, 3.

The Ron Paul fan response was swift and decisive: clearly the botnet was the work of anti-Ron Paul hackers trying to discredit his campaign, and Rudy Giuliani had paid Stirland (and not UAB Computer Forensics) to do a smear piece -- as claimed by a YouTube video pointing to posts on RudyGiulianiForum.com. Thus proving, once again, that the Ron Paul campaign's greatest liability is not so much his far-right conspiracy-driven antifederal libertarianism, but rather the spittle-flecked anger of his own noisiest supporters.

There are definitely a lot of nuts among Ron Paul's supporters. Meanwhile, he raised $3.8 million yesterday (apparently a number revised downward from $4.3 million) in the largest one-day online political fundraiser ever. Intrade currently shows Paul as the third most likely GOP nominee, after Giuliani and Romney.

A few other Ron Paul-related blog posts that I realize I've neglected to mention here, from Dispatches from the Culture Wars:

"Is Ron Paul a Dominionist?" Argues that Paul appears to have much in common with some theocrats.

"Sandefur on Ron Paul" Doubts that Paul is a dominionist, but suggests he might be a Thomas DiLorenzo-style neo-confederate who thinks we don't even need a federal government (in which case he wouldn't really be the supporter of the Constitution that he seems to be) and that the U.S. Civil War wasn't about slavery (which is pernicious nonsense).

I also just came across this story, which says that Paul would like to see the U.S. Constitution amended to remove the subject of abortion from the purview of the courts, which is yet more anti-constitutional insanity.

Operation Bot Roast

Yesterday, the Washington Post reported on the FBI's "Operation Bot Roast," which busted several criminal users of botnets:

_James C. Brewer, of Arlington, Texas. He was indicted Tuesday on charges of infecting more than 10,000 computers globally, including two Chicago-area hospitals operated by the Bureau of Health Services in Cook County, Ill. The computers at the two hospitals were linked to the health care bureau's mainframe system. They repeatedly froze or rebooted from October to December last year, resulting in delayed medical services, according to the indictment. Brewer was released on a $4,500 bond, court records show.

_Robert Alan Soloway of Seattle. When he was arrested last month, he was described as one of the world's top spammers for allegedly using botnets to send out millions upon millions of junk e-mails since 2003. Soloway continued his activities even after Microsoft won a $7 million civil judgment against him in 2005 and after Robert Brauer [they mean Braver -jjl], the operator of a small Internet service provider in western Oklahoma, won a $10 million judgment. Soloway has pleaded not guilty to all charges in a 35-count indictment.

_Jason Michael Downey, of Covington, Ky. He was accused in Detroit last month of flooding his botnet-linked computers with spam for an 11-week period in 2004 and causing up to $20,000 in unspecified losses, according to court records.

This is just the tip of the iceberg, and follows on the heels of last year's prosecution of Jeanson James Ancheta of Los Angeles, or "botmaster," as he called himself. Like Brewer, he was prosecuted for the damage he caused to hospital computers, so botherders and spammers should beware of making use of hospital computers for their botnets.

Soloway, who was arrested on May 30 in a bust that already got a lot of press, was probably the biggest fish of these so far. His case follows the historically more common pattern--being tracked down and civilly prosecuted before being criminally charged.

Clark Adams, RIP

I received the unfortunate news this morning that Clark Adams has died, and that he took his own life.

Clark was a long-time board member of the Internet Infidels (and for many years its public relations director) and a frequent speaker and attendee at atheist, freethought, humanist, and skeptical events. He was a jovial, funny man whose talks about atheism in popular culture were always crowd-pleasers. He was not particular about what label to put on his nonbelief, and was supportive of all groups that promoted rationality and critical thinking, including the "brights"--though he did not care for what he called "religion without the god stuff."

In a recent posting in which he gave his opinion of last month's celebration of 30 years of Humanist chaplaincy at Harvard University, he described himself as a "conference junkie," noting that he attended "upwards of a half dozen atheist, humanist, skeptic and freethought conventions a year." He frequently spoke to freethought and atheist groups on college campuses, and was an active promoter of student freethought groups like the Secular Student Alliance and the Campus Freethought Alliance. He was one of the founders of the Secular Coalition of America and regularly helped organize the annual July gathering at Lake Hypatia, which is where I first met him. The frequency of his speaking schedule can be seen in an April 2006 posting on the Internet Infidels Discussion Boards, which showed him giving six talks in April, June, and July, which included talks on "How to Prevent Your Freethought Group From Looking Like a Funeral" and "Godless Role Models."

Suicide always provokes questions about the cause. Given Clark's activism in support of atheism, I won't be surprised to see opportunistic speculation on the part of some advocates of religion that Clark's atheism was why he killed himself, but there's no evidence to support that.

He attended a performance by his favorite comedian, Doug Stanhope, on Sunday evening, and was found by a friend and his ex-wife in his apartment after the friend did not receive her expected daily call from him. She announced Clark's death on the Internet Infidels Discussion Boards, where his friends have left their condolences.

Clark has left a mark on the world in the lives of people he's met at these conferences, and communicated with online. He's left an extensive record of postings, which he usually closed with "THOUGHTfully Yours, Clark," which includes the story of his deconversion to atheism in the south.

If anyone has a video record of any of his presentations, it would be great to see them made available online.

Clark will be missed.

UPDATE: Cathe Jones has put up a tribute to Clark, with some links to some of his writings. She has put up a more extensive blog entry now, as well.

UPDATE: Friends are also leaving tributes on Clark's MySpace page, and there are blog tributes from Friendly Atheist and Mark Vuletic.

UPDATE (May 24, 2007): The American Humanist Association has issued a tribute to Clark.

UPDATE (May 25, 2007): Information about a memorial service for Clark will be posted at the Las Vegas Freethought Society website. His ashes will likely be scattered at Lake Hypatia at the June 30-July 2 event he was scheduled to emcee.

UPDATE (May 27, 2007): Raul Martinez has put up a story about an amusing experience with Clark a few months ago.

UPDATE (May 31, 2007): There will be a memorial service for Clark from 2-4 p.m. on Sunday, June 3 at the Unitarian Universalist Congregation of Las Vegas, 3616 E. Lake Mead Blvd. There will also be a memorial service at the Lake Hypatia event mentioned above, at 12 noon on Monday, July 2.

UPDATE (June 7, 2007): Eric Pepke has put up a tribute to Clark.

UPDATE (May 25, 2008): Clark's MySpace account has been deleted, but this story in the Las Vegas Weekly reports what happened after Doug Stanhope heard about Clark's death:

---
A few days later, he receives word that longtime fan Clark Adams killed himself the night after the Tommy Rocker’s performance. Not that it pushes him over the edge; more apparently, it provided a high note upon which to take his leave. In Adams’ MySpace “Heroes” box, he’d included Doug Stanhope under the heading, “People I Admire that I’ve Had the Honor of Meeting.”

There’s a bit on 2002’s Die Laughing: “Life is like animal porn. It’s not for everybody. ... Life is like a movie, if you’ve sat through more than half of it and it’s sucked every second so far, chances are it’s not gonna get great right at the very end and make it all worthwhile. No one should blame you for walking out early.”

And there’s a new entry in Adams’ Comments box from one Doug Stanhope:

I don’t believe in Heaven but I have a strong faith that there is MySpace in the afterlife and we will all be checking our comments.

May your eternity be free of Macy’s gift-card spam.
Run amok, dear sir.

life is like animal porn ...

Even if he’s not the best man for the job of deregulating their lives, Stanhope clearly empathizes with those regular people he speaks for, if not always with. He may be solely in it for him, baby, but whether he’s flitting from Vegas to Bisbee or Edinburgh to the Oval Office, he’s pushing the physical and mental and comedic boundaries for all those Joe Schmoes out there who can’t. No drunken goof about it.

---

At a show in Indianapolis, Stanhope started to talk about Clark Adams (at 4:26), but got distracted and didn't come back to it (at least in the first three of twelve parts on YouTube).

The economics of information security

Ross Anderson and Tyler Moore have published a nice paper that gives an overview of recent research in the economics of information security and some open questions (PDF). The paper begins with an overview of the relevance of economic factors to information security and a discussion of "foundational concepts." The concept of misaligned incentives is described with the now-standard example of how UK and U.S. regulations took opposite positions on liability for ATM fraud is given--the UK held customers liable for loss, while the U.S. held banks liable for loss. This led to U.S. banks having incentives to make their systems secure, while UK banks had no such incentives (and the UK has now reversed its position after this led to "an epidemic of fraud"). other examples are given involving anti-virus deployment (where individuals may not have incentives to purchase software if the major benefit is preventing denial of service attacks on corporations), LoJack systems (where auto theft plummets after a threshold number of auto owners in a locality install the system), and the use of peer-to-peer networks for censorship resistance.

The authors examine the economics of vulnerabilities, of privacy, of the deployment of security mechanisms including digital rights management, how regulation and certification can affect system security (and sometimes have counterintuitive adverse effects, such as Ben Edelman's finding that TRUSTe certified sites are more likely to contain malicious content than websites as a whole).

They end the paper with some open issues--attempts to develop network protocols that are "strategy-proof" to prevent cheating/free-riding/bad behavior, how network topologies have different abilities to withstand different types of attacks (and differing vulnerabilities), and how the software development process has a very high failure rate for large projects, especially in public-sector organizations (e.g., as many as 30% are death-march projects).

There are lots of interesting tidbits in this paper--insurance for vulnerabilities, vulnerability markets, the efficacy of spam on stock touting, the negligible effect of music downloads on music sales, and how DRM has moved power from record labels to platform owners (with Apple being the most notable beneficiary), to name a few.

(Hat tip to Bruce Schneier's blog, where you can find links to a slide presentation that covers the highlights of this paper.)

Hate mail from a defender of telemarketing

Today I received the following email from John Martin of Phoenix (whose email address begins with "satguys01"), who was apparently set off by my web page reporting my record of lawsuits against telemarketers, which he came across about 30 minutes earlier while doing a Google search for "arizona telemarketing attorney" (could he be in need of one?):

Date: Sun, 28 Jan 2007 08:12:22 -0800 (PST)
From: John Martin
Subject: Get a life

You are just as bad as the telemarketers that call you.
Just like a scummy attorney that profits from filing
frivolous lawsuits. You raise the cost of doing business
for companies, raise taxes by overburdening the courts,
and therefore raise the cost of goods for consumers in the
marketplace.

What do you care? You made a dollar.

Telemarketing is critical for the economy to function. The
wheels would stop turning if there were no phones or business
conducted on them.

The Federal and State do no call list is just another angle
for the Fed and State to make a buck.

Just ask yourself, why is it legal for politicians to contact
and harass millions of citizens with automated messages and
call people on the so called do not call list? So its OK for
them to fund raise and get re elected (profit) using
unscrupulous methods. But a legitimate business offering
legit goods or services is restricted.

Are there Marketers that take advantage of people yes. Like
any other business there are bad apples. But most offer legit
goods and services.

Does your mailbox get full of junk mail? Do you watch
commercials on TV? or even now at the movies? Why not sue
them? Junk Mail does more damage to the environment than
anything else. But the US post service make money on it so
that will never stop.

Screen you calls, that's what caller id is for, hangup on
automated messages and telemarketers. And stop with the lame
lawsuits.  Do you really suffer any damages by listening to a
message or having a dialer hang up on you? Or are you just an
other greedy opportunist like you EVIL telemarketing
counterparts just out for a quick buck?

I sent the following reply:

From: "James J. Lippard" [my email addr]
To: John Martin
Subject: Re: Get a life
In-Reply-To: <400549.50780.qm@web62015.mail.re1.yahoo.com>

The difference, John, is that they are knowingly violating
the law, and I'm not.  None of my lawsuits have been
frivolous, which is why I have a 100% record of success.
I'm only raising the cost of business for companies that are
blatantly breaking the law; my impact on the courts is
negligible--I always offer to settle out of court for the
minimum statutory amounts before filing a lawsuit, and I
always file in small claims which minimizes the paperwork.
The money I collect is specified as damages in the statutes,
and serves not only to compensate me for the violations but
to act as a deterrent to further violations.  It has worked
pretty well--I don't get many such calls any more.

If you think the law is wrong, petition to have it changed.
But if you violate it, be prepared to get sued and to lose.

What's your interest that motivates you to send a nasty email
to someone you don't know?  From your email address, I would
guess that you're in the satellite dish resale business,
which is well known for its sleazy violations of
telemarketing law.

Are you a regular violator of the TCPA, John?

BTW, I have a nice life.  What kind of life do you have that
you seek enjoyment out of sending such an email as this?

For the record, I don't watch television commercials (thanks, TiVo!) and I'm also very opposed to spam (and much of my professional life in the Internet industry has been devoted to combatting it). We also don't go to see movies in the theater anymore except on rare occasion; we rent DVDs. I'm an advocate of permission-based marketing to individuals, not indiscriminate broadcast advertising.

Skeptical information and security information links sites

I've got a couple of websites of hierarchically organized links that I've maintained for quite some time, though I haven't really worked on them much lately. I currently get more spam link submissions than genuine link submissions to each, so I'd like to request contributions of legitimate entries.

One is my skeptical links site, which is fairly extensive, especially on a few topics such as Scientology, creationism, the websites of skeptical groups, and critiques of organized skepticism.

The other is my security links site, which is much less extensive, but still has some useful links, mostly on security and hacking tools and security standards.

Contributions are welcome--just go to the appropriate area and click the "add a site" link at the top of the page.

The ineffectiveness of TRUSTe

The TRUSTe program is supposed to certify that a website has a reasonable privacy policy. But Ben Edelman has cross-referenced TRUSTe certifications with SiteAdvisor ratings, and found that sites with TRUSTe certifications are twice as likely as those without to be listed as "untrustworthy" in SiteAdvisor's database--meaning that they send out spam, distribute spyware, etc.

Edelman calls out four particularly notorious sites that have or have had TRUSTe certification: Direct-Revenue.com, Funwebproducts.com, Maxmoolah.com, and Webhancer.com. All four are heavily involved with spyware. Direct Revenue and Maxmoolah have had their TRUSTe certifications revoked, but should never have been certified in the first place if TRUSTe was doing the validation they should have been doing.

TRUSTe has long been criticized by anti-spammers for giving certifications to organizations that don't deserve them.

Ryan Singel has raised similar questions about TRUSTe's reliability.

A version of net neutrality I can endorse

In an attempt to offer something constructive, here's a version of network neutrality--let's call it Lippard Network Neutrality--that seems to me to be reasonable, providing me with what I want as a consumer of Internet services and what I would want if I were managing security for the provider of those services:

1. Nondiscrimination

Companies that provide facilities-based wireline broadband (i.e., those who own the last-mile wires) to residences must provide unrestricted Internet access to their customers who wish to purchase Internet access, allowing the use of any Internet service or application that does not violate any laws or cause degradation or disruption to the service or other customers. The provider may engage in filtering for consumer-grade service in order to prevent the spread of malware and the sending of spam, including (for example) SMTP filtering or redirection to the provider's mail services, but must allow the purchase of business-grade service under which customers may operate their own mail servers. The provider retains the right to suspend service or quarantine users that send spam, become compromised with malware, or engage in illegal activity or activity that disrupts the service.

2. Unbundling

Providers must unbundle Internet access from other services sold over the same connection, so that a customer may use the entire capacity of the circuit for Internet access.

These two requirements would give me what I want as a customer, as well as give the provider the ability to recover their costs, provide services that use QoS, provide additional filtering to protect their network and the rest of their customer base from malware, and so on. I think it's quite reasonable for a basic consumer Internet service to do port 25 filtering, force the use of the provider's mail servers, and to do network-based filtering of malware--but I would like the ability to pay extra for completely unfiltered Internet service and take steps to protect myself. And in fact, that's what I'm currently paying Cox for today--I pay for business-grade service to my home in order to run my own servers here, though I could put those servers into a colo facility and get the same effect, which is what I would do if Cox decided to discontinue offering business-class service to residences. Because that option exists, it would not be necessary to mandate that providers must provide business class service as I described above, but I'd still want to be able to ensure that I could access my remotely hosted services from home.

How this differs from what many network neutrality advocates are arguing for:

1. I don't prohibit QoS or tiering, as that is a genuinely useful network feature where I expect to see future innovation of services that depend on it.
2. The nondiscrimination provision is written to allow some kind of less-than-full-Internet walled garden service at low cost--so long as customers can still purchase real Internet service. (I think such a service would be under competitive pressure to allow access to the full Internet, for the same reason AOL ended up allowing full Internet access--otherwise the service wouldn't attract enough users to be a successful product offering.)
3. I don't prohibit differential pricing for different services and classes of service.
4. I don't set any restrictions on contractual arrangements (apart from these two restrictions), including interconnection agreements or who pays. I think that should be left to private negotiation and competition.
5. I don't extend these requirements to other types of Internet providers such as backbone providers or those providing business services, as those are areas with plenty of competition.
6. I don't extend these requirements to wireless providers, because I think that with sensible market-based allocation of spectrum, there could be plenty of independent competition with much less capital expenditure than for wireline deployment.

I could possibly be persuaded that there is a place for common carriage requirements, especially for access circuits to businesses, which is where the last-mile providers could really engage in anti-competitive behavior against backbone providers that don't own a lot of last-mile wires (e.g., Level 3, Global Crossing, Sprint), now that the major telco last-mile providers have each merged with a major backbone provider themselves (Qwest/U.S. West, AT&T/SBC/BellSouth, Verizon/MCI). This requirement currently exists in the law for telcos, and unlike the common carriage requirement for DSL, is not planned to go away next year.

I would not put the above into the purview of the FCC, at least not with their current dispute resolution procedures which favor the telcos. Paul Kouroupas at Global Crossing (also my employer) has been arguing for "baseball-style" or final arbitration dispute resolution, where each side submits their best and final offer to an arbitrator, who chooses the best. This provides incentive for each side to try to reach the best agreement up front, as well as a process that can proceed quickly, without any government involvement or expense. This suggestion is the second point of Global Crossing's proposed REFORM legislative agenda. (Unbundling and common carriage of bottlenecks such as last-mile access circuits are the sixth point.)

Comments, criticisms? I should add that I believe what I've spelled out above is pretty close to what I've heard is in Sen. Stevens' telecom reform bill, though I haven't read it and I suspect he applies the nondiscrimination and unbundling requirements more widely than to residential broadband.

When private property becomes the commons

While thinking about Jonathan Adler's presentation at the Skeptics Society conference, it occurred to me that the problem of botnets is, in effect, a tragedy of the commons. The private personal computers of consumers which are connected full-time to the Internet and are not kept up-to-date on patches have, in effect, become a commons to be exploited by the botherders. The owners of the computers are generally not aware of what's going on, as the bots generally try to minimize obtrusiveness in order to continue to operate. The actual damages to each individual are typically quite small (with some notable exceptions--botherders can steal and make use of any data on the machine, including personal identity information and confidential documents), and the individual consumer doesn't have sufficient incentive to prevent the problem (say, by spending additional money on security software or taking the time to maintain the system).

Similarly, the typical entry-level casual blogger may not have incentives to keep their blogs free of spam comments. Neither, for that matter, does commons-advocate Larry Lessig, whose blog's comments are full of spam, making them less useful than they otherwise would be--I think this is an amusing irony about Lessig's position in his book Code. He argues that we need to have some subsidized public space on the Internet, but it seems to me private companies have already created it largely without public subsidy, and I think Declan McCullagh has the better case in his exchange with Lessig. (By contrast, Blogger does have incentive to prevent spam blogs, which consume large amounts of its resources and make its service less useful--and so it takes sometimes heavy-handed automated actions to try to shut it down.)

Bruce Schneier has argued that the right way to resolve this particular problem is by setting liability rules to shift incentives to players who can address the issue--e.g., software companies, ISPs, and banks (for phishing, but see this rebuttal). I agree with Schneier on this general point and with the broader point that economics has a lot to teach information security.

Adler on federal environmental regulation

At the Skeptics Society conference on "The Environmental Wars," Jonathan Adler gave a talk on "Fables of Federal Environmental Regulation." Adler's talk made several points, the main ones among them being:

* Federal regulations tend to come late to the game, after state and local regulations or private actions have already begun addressing the problems. The recurring pattern is that there is an initial recognition of a problem, there's state and local regulation and private action to address it, and then there's federalization. I can add to Adler's examples the development of the cellular telephone industry, where private actors stepped in to allocate licenses through the "Big Monopoly Game" (a story told in the book Wireless Nation) when the FCC proved incompetent to do so itself; federal anti-spam legislation, which came only after many states passed anti-spam laws; and federal law to require notification of customers whose personal information has been exposed by system compromise (which still doesn't exist, though almost half the states now have some kind of hacking notification law). (In a related point, industries regularly develop products that completely sidestep federal regulations, such as the SUV, interstate banking, credit cards, money market accounts, and discount brokerages. The development of the latter financial products is a story told in Joseph Nocera's A Piece of the Action: How the Middle Class Joined the Money Class.)

* The causes of federal regulations are not necessarily the problems themselves, but are often rent-seeking by involved entities, which can create a barrier to other alternative solutions. Adler listed four causes of federal environmental regulations: increased environmental awareness (by the voters and the feds), increasingly nationalized politics (political action at a national level), distrust of states and federalism, and rent-seeking. He gave examples to illustrate.

* We don't see (I'd say "we tend not to see") environmental problems where we have well-defined property rights; the environmental problems occur in the commons (cf. Garrett Hardin's "The Tragedy of the Commons"). I disagree with making this an absolute statement since there are bad actors who disregard even well-established property rights (or liability rules).

Adler's intent was to raise skepticism about federal regulation on environmental matters on the basis of several points:

* History shows the problem already being addressed effectively in a more decentralized manner.
* Federal regulation tends to preempt state regulation, creating a uniform approach that doesn't allow us the benefits of seeing how different approaches might work--we can miss out on better ways of dealing with the issue.
* The rent-seeking behavior can produce unintended consequences that can make things worse or impose other costs.

While I'm not sure I agree with the implied conclusion that federal regulation is never helpful, I agree that these are good reasons to be skeptical.

The preemption issue in particular is a big one. The federal anti-spam law, CAN-SPAM, was pushed through after years of failure to pass federal regulations against spam after California passed a tough mandatory opt-in law. The federal law was passed largely through efforts by Microsoft and AOL (whose lawyers helped write it) and preempted state laws which mandated opt-in or any requirements contrary to the federal law. I don't think it's cynical to believe that preventing the California law from taking effect--which would potentially have affected online marketing efforts by Microsoft and AOL--was a major cause of the federal legislation passing.

The benefit of preemption is that it creates a level playing field across the entire nation, which reduces the costs of compliance for those who operate across multiple states. But it also reduces the likelihood of innovation in law through experimentation with different approaches, and reduces the advantages of local entities in competition with multi-state entities. It also prevents a state with more stringent requirements from affecting the behavior of a multi-state provider operating in that state, when the requirements get dropped to a federal lowest common denominator. As regulation almost always has unintended consequences, a diversity of approaches provides a way to discover those consequences and make more informed choices.

Another issue is that many federal regulations provide little in the way of enforcement, and the more federal regulations are created, the less likely that any particular one will have enforcement resources devoted to it. If you look at the FCC's enforcement of laws against illegal telemarketing activity (such as the prohibition on prerecorded solicitations to residential telephones, and the prohibition on telemarketing to cell phones), it's virtually nonexistent. They occasionally issue a citation, and very rarely issue fines to telemarketers who are blatantly violating the law on a daily basis. In this particular case, the law creates a private right of action so that the recipient of such an illegal call can file a civil case, and this model is one I'd like to endorse. I've personally had far more effect on most of the specific telemarketers who have made illegal calls to my residence than the FCC has. Federal laws and regulations can be effective when they are applicable to a small number of large players who can be adequately policed by a federal agency (but in such cases those large players tend to also be large players in Washington, D.C., and have huge influence over what rules get set) or when the enforcement is pushed down to state, local, or even private levels (e.g., using property or liability rules rather than agency-based regulation). Otherwise, they tend to be largely symbolic, with enforcement actions only occurring against major offenders while most violations are left unpunished.

The most effective solutions are those which place the incentives on involved parties to voluntarily come to agreements that address the issues, and I think these are possible in most circumstances with the appropriate set of property and liability rules. A good discussion of this subject may be found in David Friedman's book, Law's Order: What Economics Has to Do With Law and Why It Matters.

There seems to be a widespread illusion on the part of many people that many problems can be solved merely by passing the federal legislation, without regard for the actual empirical consequences of such legislation (or the actual process of how it's determined what gets put into such legislation!). From intellectual property law, to environmental law, to telecommunications law (e.g., net neutrality), good intentions can easily lead to bad consequences by those who don't concern themselves with such details. Friedman's book is a good start as an antidote to such thinking.

Information Security Index

This post is an index to posts at The Lippard Blog on the subject of information security. This is probably not a complete list; I've tended to exclude posts labeled "security" that don't specifically touch on information security and may have over-excluded.

"Richard Bejtlich reviews Extreme Exploits" (August 16, 2005) Link to Richard Bejtlich review of Extreme Exploits, a book I was the technical editor on.

"Sony's DRM--not much different from criminal hacking" (November 2, 2005) Summary and link to Mark Russinovich's exposure of the Sony rootkit DRM.

"Defending Against Botnets" (November 3, 2005) Link to my presentation on this subject at Arizona State University.

"Sony DRM class action lawsuits" (November 10, 2005) Comment on the Sony rootkit class action lawsuits.

"Another Botnet Talk" (December 11, 2005) Comment on my December botnet talk for Phoenix InfraGard, with links to past botnet presentations.

"Major flaw in Diebold voting machines" (December 23, 2005) A flaw that allows preloading votes on a memory card for Diebold voting machines in an undetectible way.

"The Windows Meta File (WMF) exploit" (January 3, 2006) Description of an at-the-time unresolved Windows vulnerability.

"New Internet consumer protection tool--SiteAdvisor.com" (January 25, 2006) Report on SiteAdvisor.com tool (now a McAfee product).

"Pushing Spyware through Search" (January 28, 2006) Ben Edelman's work on how Google is connected to spyware by accepting paid advertising from companies that distribute it.

"Database error causes unbalanced budget" (February 17, 2006) How a house in Indiana was incorrectly valued at $400 million due to a single-keystroke error, leading to wrongly increased budgets and distribution of funds on the expectation of property tax revenue.

"The Security Catalyst podcast" (February 18, 2006) Announcement of Michael Santarcangelo's security podcast.

"Controversial hacker publishes cover story in Skeptical Inquirer" (February 19, 2006) Critique of Carolyn Meinel's article about information warfare.

"Even more serious Diebold voting machine flaws" (May 14, 2006) Hurst report on new major flaws found in Diebold voting machines.

"Botnet interview on the Security Catalyst podcast" (May 23, 2006) Link to part I of my interview on botnets with Michael Santarcangelo.

"Part II of Botnets Interview" (June 4, 2006) Link to part II of my botnets interview.

"'Banner farms' and spyware" (June 12, 2006) Ben Edelman's exposure of Hula Direct's "banner farms" used to deliver ads via spyware.

"When private property becomes the commons" (June 12, 2006) Consumer PCs as Internet "commons," economics and information security.

"Network security panel in Boston area" (June 12, 2006) Announcement of a public speaking gig.

"Identity Crisis: How Identification is Overused and Misunderstood" (July 6, 2006) Quotation from Tim Lee review of book by Jim Harper with this title.

"9th Circuit approves random warrantless searches and seizures of laptops" (July 28, 2006) Bad decision granting border police the right to perform full forensic examination of the hard drives of laptops carried by people wanting to cross the U.S. border.

"Is it worth shutting down botnet controllers?" (August 18, 2006) A response to remarks by Gadi Evron and Paul Vixie that it is no longer worth shutting down botnet controllers.

"The ineffectiveness of TRUSTe" (September 29, 2006) A larger proportion of sites with TRUSTe certification are marked as untrustworthy in SiteAdvisor's database than of those that don't have TRUSTe certification.

"The U.S. no-fly list is a joke" (October 5, 2006) The no-fly list has major flaws, listing people who aren't a threat and not listing people who are--and presuming that terrorists will be identifiable by their names.

"How planespotting uncovered CIA torture flights" (October 20, 2006) How an unusual hobby allowed for traffic analysis to uncover CIA torture flights.

"Point out the obvious, get raided by the FBI" (October 29, 2006) Chris Soghoian gets raided by the FBI after putting up a web page that allows generation of Northwest Airlines boarding passes.

"Electronic voting machines in Florida having problems in early voting" (October 31, 2006) A report on voting machines registering votes for the wrong candidate due to touch screen calibration issues.

"The Two Faces of Diebold" (November 5, 2006) The difference between the public and private versions of SAIC's report on Diebold voting machine vulnerabilities.

"FBI eavesdropping via cell phones and OnStar" (December 4, 2006) Reports of vulnerabilities in newer cell phones that allow them to be used as listening devices even when powered off.

"Time to Stop Using Microsoft Word" (December 7, 2006) New unpatched malicious code execution vulnerability in most versions of Word.

"Staffer for Congressman tries to hire hacker to change grades" (December 22, 2006) Todd Shriber's failed attempt to retroactively improve his college career.

"My bank is on the ball" (January 6, 2007) My bank prevents theft of my money.

"Skeptical information and security information links" (January 23, 2007) Promotion of my security links and skeptical links sites.

"Schoolteacher convicted on bogus charges due to malware" (February 4, 2007) Connecticut teacher Julie Amero successfully prosecuted for showing porn to kids, when in fact it was the result of malware on a machine the school district refused to pay for antivirus software on.

"McCain proposes an unfunded mandate for ISPs" (February 7, 2007) McCain sponsors a bill to force ISPs to scan all traffic for and report child porn images they find.

"Warner Music: We'd rather go out of business than give customers what they want" (February 9, 2007) Warner Music says no way to DRM-free music.

"The economics of information security" (February 13, 2007) Ross Anderson and Tyler Moore paper on the economics of infosec.

"How IPv6 is already creating security problems" (February 19, 2007) Apple AirPort allows bypass of firewall rules via IPv6.

"Windows, Mac, and BSD Security" (March 8, 2007) Amusing video parody comparing the OSes.

"Bob Hagen on botnet evolution" (March 9, 2007) My former colleague on trends in botnets.

"The rsync.net warrant canary" (March 25, 2007) How rsync.net will communicate whether it receives a National Security Letter without breaking the law.

"FBI focus on counterterrorism leads to increase in unprosecuted fraud and identity theft" (April 11, 2007) The law of unintended consequences strikes again.

"Banning the distribution of AACS keys is futile" (May 3, 2007) You can't stop the communication of a 128-bit number as though it's proprietary.

"CALEA compliance day" (May 14, 2007) Commemoration of the day that VoIP providers have to be CALEA-compliant.

"Spying on the homefront" (May 14, 2007) PBS Frontline on FBI misuse of National Security Letters and NSA eavesdropping.

"The bots of summer" (June 6, 2007) Report on some media coverage of my botnet interview with the Security Catalyst from 2006.

"Microsoft's new Turing Test" (June 12, 2007) It's not often I get to combine animal rescue and information security topics, but this is one--using animal pictures to authenticate.

"Operation Bot Roast" (June 14, 2007) FBI prosecution of some botnet people.

"Google thinks I'm malware" (July 13, 2007) Google stops returning results to me in some cases because my behavior looks like malware activity.

"Asking printer manufacturers to stop spying results in Secret Service visit?" (July 14, 2007) MIT Media Lab project to get people to complain to printer manufacturers about their secret coding of serial numbers, which got one person a visit from the USSS.

"A marketplace for software vulnerabilities" (July 29, 2007) WabiSabiLabi's abortive attempt to create a market for the sale and purchase of vulnerability information.

"Another Sony rootkit" (September 5, 2007) F-Secure finds another Sony product that installs a rootkit--the Sony MicroVault USM-F memory stick (now off the market).

"Anti-P2P company suffers major security breach" (September 16, 2007) Media Defender gets hacked.

"Microsoft updates Windows XP and Vista without user permission or notification" (September 17, 2007) Nine executables get pushed to everybody even if Windows update is turned off--except for corporate SMS users.

"Lessons for information security from Multics" (September 19, 2007) Paul Karger and Roger Schell's paper on Multics gets attention from Bruce Schneier.

"Hacker finds vulnerability in Adobe Reader" (September 24, 2007) The era of attacks on applications rather than OS's gets a boost.

"Break-in at CI Host colo facility" (November 4, 2007) The role of physical security for websites.

"Spammers and criminals for Ron Paul" (November 6, 2007) Botnets used to send spam promoting Ron Paul.

"Macintosh security lags behind Windows and BSD" (November 8, 2007) Rundown on new Mac security features, some of which are negative in effect.

"Multics source code released" (November 13, 2007) Multics becomes open source.

"Untraceable looks unwatchable" (December 18, 2007) A post that generated a huge amount of response, about the Diane Lane movie that flopped at the box office, before it came out.

"Notorious major spammer indicted" (January 3, 2008) Alan Ralsky may actually get what he deserves.

"Boeing 787 potentially vulnerable to passenger software-based hijacking" (January 8, 2008) Passenger Internet access for the Boeing 787 is physically connected to the network for communication and navigation.

"'Anonymous' launches 'war' against Scientology" (January 22, 2008) Denial of service attacks and other pranks against Scientology.

"Tinfoil hat brigade generates fear about Infragard" (February 8, 2008) Response to Matt Rothschild's article in The Progressive claiming that InfraGard members have the right to "shoot to kill" when martial law is declared.

"FBI responds to 'shoot to kill' claims about InfraGard" (February 15, 2008) Commentary and link to the FBI's response to Rothschild.

"Malware in digital photo frames" (February 17, 2008) Viruses in unusual digital storage locations.

"Canada busts 17 in botnet ring" (February 21, 2008) News about law enforcement action against criminals in Canada.

"More InfraGard FUD and misinformation" (February 23, 2008) Response to Gary Barnett's InfraGard article at the Future of Freedom Foundation website.

"New Mexico InfraGard conference" (February 24, 2008) Summary of the New Mexico InfraGard's "Dollar-Gard 2008" conference.

"Pakistan takes out YouTube, gets taken out in return" (February 25, 2008) Yesterday's events of political and/or religious censorship gone awry in Pakistan.

"Jeremy Jaynes loses appeal on spamming case" (March 1, 2008) The Virginia Supreme Court upholds Virginia's anti-spam law.

"Software awards scam" (March 25, 2008) Many software download sites give out bogus awards.

"Scammers scamming scammers" (April 7, 2008) Marco Cova looks at what some phishing kits really do.

"Bad military botnet proposal" (May 13, 2008) A response to Col. Charles Williamson's proposal to build a military botnet.

"MediaDefender launches denial of service attack against Revision3" (May 29, 2008) Anti-P2P piracy firm crosses the line and attacks a legitimate company.

"San Francisco's city network held hostage" (July 19, 2008) Some actual facts behind the hyped charges against the city's network administrator.

"Did Diebold tamper with Georgia's 2002 elections?" (July 20, 2008) Some troubling information about Diebold's last-minute patching on Georgia election machines.

"Expert tells China visitors to encrypt data as U.S. announces policy of laptop seizure" (August 1, 2008) Concerns about privacy in both China and the U.S.

"Military botnets article" (August 28, 2008) Peter Buxbaum's article on "Battling Botnets" in Military Information Technology magazine.

"Virginia Supreme Court strikes down anti-spam law" (September 12, 2008) Julian Jaynes goes free as Virginia's anti-spam law goes away.

"Sarah Palin's Yahoo account hacked" (September 17, 2008) Palin's Yahoo account is hacked, and the contents published.

"TSA airport security is a waste of time and money" (October 18, 2008) Link to Jeffrey Goldberg's article in The Atlantic.

"Behind the scenes during the election process" (November 6, 2008) Both major party presidential nominees suffered computer compromises.

"White House may be forced to recover 'lost' emails" (November 14, 2008) Lawsuit may require recovery from backups.

"Criminal activity by air marshals" (November 14, 2008) Multiple cases.

"PATRIOT Act NSL gag order unconstitutional" (December 19, 2008) Recipients of National Security Letters now can't be gagged without court order.

"The U.S. Nazi dirty bomb plot" (March 15, 2009) A little-covered story about a real terrorist plot.

"The Cybersecurity Act of 2009" (April 4, 2009) It's not as bad as it appears.

"Tracking cyberspies through the web wilderness" (May 12, 2009) How University of Toronto researchers have tracked online spying activity.

"Bad military botnet proposal still being pushed" (June 26, 2009) Col. Williamson's proposal to build an offensive U.S. military botnet is still being promoted by him.

"DHS still a mess, five years on" (July 16, 2009) Center for Public Integrity review of DHS.

"How Twitter got compromised" (July 23, 2009) TechCrunch gives the anatomy of the attack on Twitter.