Showing posts with label technology. Show all posts

Wednesday, June 25, 2008

Taipei 101's 730-ton damper ball

The world's tallest building is the 1667-foot Taipei 101 in Taiwan. One of its features is a 730-ton steel ball, made of 41 steel plates, that acts as a damper against swaying motions of the skyscraper due to wind.

On May 12, 2008, the damper, which sits between the 87th and 89th floors of the building, got a workout from the earthquakes that hit China's Sichuan province. And a YouTube user was there to get footage:



(Via deputydog, which has more information about the damper. Hat tip to Dan Noland on the SKEPTIC mailing list.)

Thursday, June 12, 2008

Health quackery for your car

Just like quack magnetic therapy for improving human health, Alan Archer's product claims to improve fuel efficiency for your car. According to a ridiculously skepticism-free article on ABC15's website:
The gas blaster clamps to your car's fuel line. Two powerful magnets change the molecular structure of gasoline causing it to burn cleaner and more efficient.
Archer, whose company's name isn't mentioned in the article (but it's Adaptive Energy Solutions, LLC according to their website, a company incorporated in September 2003), guarantees that the product will improve gas mileage by at least 10% or your money will be returned. He's probably banking on the fact that most people won't have carefully measured their gas mileage before using it, and the fact that a 10% gain for a car that gets 25 mpg is only 2.5 mpg, well within the range of normal mileage variability given normal variations in driving conditions. There's a quote in the news article from an individual who says "(Ten percent) is a lot when I only get ten miles to the gallon." No, it's only 1 mpg difference, and I bet his 10 mpg is already variable by more than 1 mpg.

Archer's claims for this product, an "adaptive gas blaster," are identical to claims that have been made for similar fuel line magnet products for decades. All of them that have actually been tested have been found to have no measurable effect on gas mileage, and no doubt the same is true of Archer's hokum.

What I find remarkable is that the media continue to uncritically give a forum to hucksters to promote their nonsense. In this case, ABC15 even helpfully provides a link at the bottom of the page where you can click to order a $48 (plus shipping and handling) "adaptive gas blaster."

The money-back guarantee lasts for 60 days, doesn't include the shipping and handling fee, is available for only a limited time, and requires that you have the device installed by an "ASE" (I think they mean AES) mechanic or the guarantee is only for 30 days--I suspect there's a nonrefundable installation fee if they do it for you.

Save your money--you can save gas more easily without buying a bogus product by driving less often and more efficiently.

(Hat tip to Gridman for bringing this to my attention.)

Saturday, June 07, 2008

Why it's dangerous to put a cell phone in the microwave



(Via jwz's blog.)

Monday, June 02, 2008

Peter Gabriel's new filtering website

The Filter, officially debuting tomorrow but already available today, is a website that asks for some basic information about your tastes in film and music, and then makes recommendations about other things you'd like--music, movies, web videos, and TV. It's not clear from the CNN coverage how it compares to Amazon.com's recommendation engine or to sites like Pandora, but it looks interesting.

Saturday, May 31, 2008

CIA operatives on trial in Italy

26 Americans, mostly CIA operatives, are currently on trial in absentia in Italy for the kidnapping and "extraordinary rendition" of a radical Muslim cleric, Abu Omar, who was taken to Egypt to be tortured. On Thursday, Italy's top counterterrorism official, Bruno Megale, explained in court how they identified the CIA operatives responsible for Omar's kidnapping:
Megale obtained records of all cellphone traffic from the transmission tower nearest the spot where Abu Omar was abducted, for a 2 1/2-hour period around the time he disappeared. There were 2,000 calls.

Then, using a computer program, Megale was able to narrow down the pool by tracing the phones that had called each other, in other words, an indication of a group of people working together. Seventeen phone numbers, which showed intensifying use around the time of the abduction, were pinpointed. By following all other calls made from those phones, the investigators ultimately identified 60 numbers, including that of a CIA officer working undercover at the U.S. Embassy in Rome.

In his testimony, Megale revealed that one telephone number he recognized was that of Robert Seldon Lady, then-CIA station chief in Milan. Lady and Megale had worked together in counter-terrorism investigations. It was a number, Megale said somberly, that he and his team knew.
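The three steps the quoted article attributes to Megale (a tower dump for a time window, phones that called each other, intensifying use around the event) are easy to state but worth seeing run. The following is an added example, not code from the original post or from the investigation it describes; it works over a handful of constructed call detail records, and every number, timestamp and tower name in it is made up.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

CDR = Tuple[str, str, datetime, str]  # caller, callee, start time, serving tower

# Constructed call detail records; every number, time and tower name is made up.
SAMPLE_CDRS = """\
caller,callee,time,tower
+39001,+39002,2001-01-01T10:50,TOWER-A
+39001,+39002,2001-01-01T11:40,TOWER-A
+39002,+39003,2001-01-01T11:55,TOWER-A
+39003,+39001,2001-01-01T12:05,TOWER-A
+39001,+39002,2001-01-01T12:10,TOWER-A
+39002,+39003,2001-01-01T12:15,TOWER-A
+39003,+39001,2001-01-01T12:20,TOWER-A
+39004,+39999,2001-01-01T11:50,TOWER-A
+39005,+39998,2001-01-01T12:30,TOWER-A
+39006,+39004,2001-01-01T09:00,TOWER-A
+39007,+39008,2001-01-01T12:00,TOWER-B
"""


def parse_cdrs(text: str) -> List[CDR]:
    rows = csv.DictReader(io.StringIO(text))
    return [(r["caller"], r["callee"], datetime.fromisoformat(r["time"]), r["tower"])
            for r in rows]


def tower_window(cdrs: List[CDR], tower: str, center: datetime,
                 half_width: timedelta) -> List[CDR]:
    """Step 1: all calls the tower nearest the event handled in the period around it."""
    return [c for c in cdrs if c[3] == tower and abs(c[2] - center) <= half_width]


def co_calling_groups(records: List[CDR]) -> List[Set[str]]:
    """Step 2: phones present at the tower that called each other form a group,
    i.e. a connected component of the call graph restricted to present phones."""
    present = {c[0] for c in records}
    adj: Dict[str, Set[str]] = defaultdict(set)
    for caller, callee, _, _ in records:
        if callee in present:  # a call to a phone that was not at the tower is not a link
            adj[caller].add(callee)
            adj[callee].add(caller)
    groups: List[Set[str]] = []
    seen: Set[str] = set()
    for start in sorted(adj):
        if start in seen:
            continue
        comp: Set[str] = set()
        stack = [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        if len(comp) >= 2:
            groups.append(comp)
    return groups


def intensity(records: List[CDR], numbers: Set[str], center: datetime,
              near: timedelta = timedelta(minutes=30)) -> Dict[str, Tuple[int, int]]:
    """Step 3: per number, calls close to the event vs. calls in the rest of the window."""
    counts = {n: [0, 0] for n in numbers}
    for caller, callee, t, _ in records:
        slot = 0 if abs(t - center) <= near else 1
        for n in (caller, callee):
            if n in counts:
                counts[n][slot] += 1
    return {n: (v[0], v[1]) for n, v in counts.items()}


def pinpoint(text: str, tower: str, center_iso: str,
             half_width_min: int = 75) -> Dict[str, Tuple[int, int]]:
    """Numbers in a co-calling group whose use intensified around the event,
    mapped to (calls near the event, calls elsewhere in the window)."""
    center = datetime.fromisoformat(center_iso)
    records = tower_window(parse_cdrs(text), tower, center,
                           timedelta(minutes=half_width_min))
    flagged: Dict[str, Tuple[int, int]] = {}
    for group in co_calling_groups(records):
        for number, (near_n, far_n) in intensity(records, group, center).items():
            if near_n > far_n:
                flagged[number] = (near_n, far_n)
    return flagged


if __name__ == "__main__":
    hits = pinpoint(SAMPLE_CDRS, "TOWER-A", "2001-01-01T12:00")
    for number, (near_n, far_n) in sorted(hits.items()):
        print(f"{number}: {near_n} calls within 30 min of the event, {far_n} elsewhere")
```

The two phones that only called numbers absent from the tower dump (+39004, +39005) are never linked, which is the point of requiring both ends of a call to be present before treating it as evidence of a group.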

(Via Talking Points Memo.)

Tuesday, May 13, 2008

Bad military botnet proposal

An article by Col. Charles W. Williamson III titled "Carpet bombing in cyberspace: Why America needs a military botnet" has been published by the Armed Forces Journal.

Col. Williamson, seeing that miscreants are using compromised machines all over the Internet to create botnets used for malicious purposes, has decided that the military needs to create its own, legitimate botnet. He proposes that this would be used in order to respond to online attacks from foreign countries by attacking the attackers, including both government and civilian attacking machines as necessary. He specifically proposes not using compromised machines (which would be illegal), but using machines on the af.mil (U.S. Air Force) network, including all hosts on the NIPRNet (Nonsecret IP Network).

The proposal doesn't really make any sense to me.

First of all, attacks from hostile compromised machines on the Internet occur on a daily basis and are already handled by network service providers. These attacks are never likely to be initiated specifically from an individual attacking country's systems, but rather from compromised systems all over the world--sometimes including compromised systems belonging to the U.S. military. Second, the best way to respond to attacking systems is not by launching hostile traffic back at them, but by filtering them or nullrouting them. Again, network service providers already do this today, and cooperate with each other in addressing major attacks. Thirdly, if the U.S. military sets up a botnet and uses it to launch denial of service attacks, it will be in violation of its own contracts with its network service providers--I don't know of any network service provider that offers a military exception to its terms of service regarding denial of service attacks. Fourth, if all of the U.S. military bots are on its own network, their aggregate bandwidth still can't exceed the bandwidth of its connections to other networks. Fifth, if there are attacks coming from another country that the U.S. is at war with, the recent subsea cable outages in the Middle East suggest that there are other effective mechanisms for disabling their ability to engage in Internet attacks.

Finally, it's not clear to me what benefit would be obtained from the military setting up its own botnet on its own network using its own IPs. Botnets offer two main benefits--(1) offering a distributed platform for computing and traffic generation and (2) creating a buffer of separation between the agent performing an action and the action itself. The second benefit occurs because the miscreant doesn't own the machines that make up the botnet, lots of other people do. A botnet composed entirely of hosts on the military's network is relatively easy to identify, filter, and block--the second benefit doesn't exist. The first benefit is also mostly lost if you use your own network and hosts. The point of a distributed denial of service attack is to use up the other guy's bandwidth, but not your own. That's very easy to do if you're not using your own resources, which is why distributed denial of service attacks use compromised systems and, sometimes, methods to amplify attacks using other people's servers that send out responses that are larger than the requests that prompt them. But if you're using your own resources on your own networks, you're limited to the bandwidth you have at your network interconnection points, and multiplying hosts inside that perimeter gains you nothing except a guarantee that you can saturate your own internetwork connectivity and cut yourself off from the outside unless your target has less bandwidth than you do. It's ironic that Williamson complains about a "fortress mentality," while making a proposal to create a gigantic bot army inside the military's own perimeter. A million-man army doesn't help you if they're inside a fortress with exits that restrict its ability to be deployed, except when you can win the battle with the number of men who can leave the exits at any one time.

I've also posted a comment on the Armed Forces Journal article at the AFJ's forum where I make a few additional points. I also agree with many of the other critical remarks that have been made in the thread there. "Crass Spektakel"'s point that "Whoever controls BGP and the backbone routers controls the internet" and that most of the control of BGP routing and the routing registries resides in the U.S. is a good one. A similar point could be made about DNS.

Other posts on this subject:

Kevin Poulsen at the Wired blog
Jon Stokes at Ars Technica

UPDATE (May 14, 2008): I may take some heat for even suggesting this, but an idea which actually takes advantage of both of the characteristic benefits of botnets I listed above and would be far, far more effective than Williamson's proposal would be if the military produced bot software along the lines of SETI@Home and Folding@Home, which anyone could volunteer to download and run on their home or corporate machines (or better still, made available to run on Xboxes and PlayStation 3s), for use by the military when needed. Some of the abuse worries could be defeated if the activation and deactivation of the software was fully under the control of the end user, and the military obtained appropriate permission from upstream ISPs for activities which would otherwise constitute AUP violations by end users.

I hasten to add that this is still a terrible idea--putting such software out in public makes it a certainty that it would be reverse-engineered, and the probability of it being compromised by third parties for their own abuses would correspondingly increase.

UPDATE: Looks like Paul Raven beat me to the "Milnet@Home" idea, as he dubs it. A commenter at Bruce Schneier's blog also came up with the same idea.

F-Secure's blog also offers some good criticisms of Williamson's proposal.

Monday, May 12, 2008

Bill McCauley, RIP

I was saddened to learn this morning of the death of Bill McCauley, who was my boss when he was Vice President of Operations for GlobalCenter for a year or so around 1999-2000. I last saw him in 2001 at NANOG 21, when he was working for a company called iAsiaWorks, and we chatted briefly. I never knew him well, but when I worked for him he would occasionally chat with me about network security.

Bill had left the technology field to run a food distributorship, Red Rock Foods, and recently opened a coffee shop in Queen Creek called Daily Buzz. Unfortunately, he was having financial troubles, and chose a gruesome and horrible way to end his own life, by backing his car into a storage area at his food distribution business, pouring gasoline behind his car, and setting it on fire. The fire burned him and his dachshund, Millikin, killing his dog and leading to his death in a hospital several hours after firefighters pulled him from his car, mortally injured but still alive.

His death has been reported at the Arizona-Coffee blog where he frequently posted. He apparently left no suicide note. It's very sad that he chose to end his life this way, as well as that of his dog.

Sunday, May 04, 2008

April's Trustee's Sale Notices

Based on this chart, Ray Kurzweil would undoubtedly predict that in late 2009 or early 2010, Maricopa County will reach its foreclosure singularity - the moment at which all homes will simultaneously be served notices of foreclosure and beyond which it is impossible to predict what will happen.

April's 6184 notices were yet another unprecedented high.

Monday, April 07, 2008

Scammers scamming scammers

Marco Cova looks in some detail at the contents of some phishing scam kits targeting particular banks that were released to the public recently. These sorts of kits, containing web code, are ordinarily sold to scammers, but these were given away free. It wasn't out of generosity, but part of a larger scam--the code was written using a variety of obfuscation techniques so that the unwary script kiddie who modifies it to send the captured information to their own email address will not receive it. Instead, that information is sent to various email addresses presumably controlled by the distributor of the scammer-scamming phishing kits.

Tuesday, March 25, 2008

Software awards scam

Andy Brice decided to test various download sites to see which ones would give awards (and expect a banner to be posted by the developer's website with a link back) to a piece of "software" that consisted only of a text file named "awardmestars" containing the words "this program does nothing at all" repeated several times. He submitted it to 1033 sites, of which 218 sites listed it and 421 rejected it. Of those that accepted it, 11% gave it an award (he's currently at 23 awards):
The truth is that many download sites are just electronic dung heaps, using fake awards, dubious SEO and content misappropriated from PAD files in a pathetic attempt to make a few dollars from Google Adwords. Hopefully these bottom-feeders will be put out of business by the continually improving search engines, leaving only the better sites.
He notes the following sites which wrote him to say to stop wasting their time, indicating that they actually check submissions:

www.filecart.com

www.freshmeat.net

www.download-tipp.de (German)

The author wonders whether download sites that certify software as "100% clean" actually scan submitted software for malware, but says to test it would be unethical. Actually, something very much like his test could be done, using the EICAR antivirus test file instead of his text file.

(Via Dave Palmer on the SKEPTIC list.)

Scientology sucks at JavaScript

The Swedish Church of Scientology's online personality test page has a very interesting test for valid zipcodes, phone numbers, and ages, as TheDailyWTF reports. The same checks could each have been done in a single line with an appropriate regular expression.

Wednesday, March 12, 2008

NSA's data mining and eavesdropping described

The March 10 Wall Street Journal contains a fairly detailed description of the data mining operation being run by the NSA. The program described is more data mining than eavesdropping, though it does involve the collection of transactional data like call detail records for telephone calls, and intercepted Internet data like web search terms and email senders and recipients. Also included is financial transaction data and airline data. I think most of this had already been pieced together, but this is a fairly comprehensive summary in one place. The WSJ story reports that leads generated from the data mining effort are then fed into the Terrorist Surveillance Program, which does warrantless eavesdropping. (An earlier version of this post incorrectly referred to the whole operation as the Terrorist Surveillance Program.)

Sunday, March 09, 2008

Interesting articles in The Economist

A few articles of interest from the last couple of issues of The Economist:

February 23, 2008: "Moral thinking," a summary of recent research that sheds light on human moral reasoning processes. Video here. (A related, more in-depth story is Steven Pinker's "The Moral Instinct" which appeared in The New York Times Magazine on January 13.)

March 1, 2008: "Winds of change," a summary of research to use breathalyzer technology to diagnose medical conditions.

"Telltale hairs," about new methods of forensics to use hair analysis to identify a person's location at a given time (based on water consumption--could drinking imported bottled water be used to thwart this?).

Wednesday, March 05, 2008

RateMyCop

RateMyCop.com is a new website that allows you to rate individual police officers on the basis of your interactions with them, on the attributes of authority, fairness, and satisfaction, for which you can rate them poor, average, or good, and leave specific comments about your interactions. The site describes itself like this:
Welcome to RATEMYCOP.com, the online watchdog organization serving communities nationwide. RATEMYCOP.com is not affiliated with any government agency; we are an independent, privately managed organization.

Our mission is to compile information on cops’ performance and to provide a forum where users can freely share individual accounts. Good, bad or indifferent. Most of all, we would like to hear your stories. Your appreciation and your disapproval. Did you witness a cop doing a good deed, or were you involved in an unfortunate altercation? Tell us about it. Tell others about it. Let it out. Don’t feel intimidated by the badge to remain quiet.

While we respect their authority we are also free to question it. You have the right to remain informed.
The site has lists of 120,000 individual police officers from 450 departments around the country, which the site obtained directly from police departments, asking only for the names of patrol officers who work with the general public, not undercover officers. There are no photos, addresses, or telephone numbers, only names.

The city of Tempe has expressed disapproval and its intention to try to remove this information from the site, according to an ABC 15 News story which claims the site is a danger to officers. Tempe Police Department Officer Tony Miller is quoted in the story raising issues about undercover officers, and the article says that he "feels as though officers like him are scrutinized enough." The article also states that "Tempe officer Brandon Banks says the department's chief, human resources and even the city's prosecutor are looking into the website and fighting it." I don't see that they have a case; this information should all be a matter of public record.

It seems to me that there is potential for abuse (especially in the form of inaccurate ratings and comments, just as on teacher rating websites), but less so than there is from other kinds of public records about all of us that are published on the web. I disagree with Officer Miller's opinion that there is already sufficient accountability for police officers; this blog's previous posts in the "police abuse and corruption" category and the far more numerous and detailed posts from Radley Balko's The Agitator blog and his article "Overkill" are overwhelming evidence to the contrary.

It's worth noting that the courts have repeatedly ruled that there is no duty of police officers to protect individual members of the public, and many states have statutes which prevent individual officers and departments from being held civilly liable for a failure to provide adequate protection, a fact often used by gun advocates to argue for widespread gun ownership for individual protection (e.g., here, here, and here). The U.S. Supreme Court also eliminated a major protection against police abuse in 2006, when it ruled in Hudson v. Michigan (PDF) that evidence from an illegal no-knock raid need not be excluded from trial, because police officers have entered a new realm of "professionalism" in which they recognize civil liberties and can be trusted to investigate and deter their own abuses. In the wake of such decisions and continuing abuses, a website such as RateMyCop.com seems to me like a good idea.

What the site seems to be missing, though, is a way to quickly find officers who have received ratings (very few seem to have any yet), and to sort those in order to find those with favorable or unfavorable ratings.

UPDATE (March 12, 2008): Apparently GoDaddy has pulled the plug on RateMyCop.com's website without notice to the owner, allegedly first for "suspicious activity" and then for exceeding bandwidth limits, and the site is up with a new web hosting provider.

It looks like the ratings are now on a single category, and you can see a list of the most-rated and most-recently-rated on the front page. Another feature that would be nice would be a way to allow registered users to rate the raters for reliability, similar to the way Amazon.com book reviews can be rated as helpful or not helpful. That way, ratings could be weighted based on judgments of the reliability of the raters from the user base, and ratings from those with a personal axe to grind could have their weight minimized.

Looks like Rackspace has also refused to host ratemycop.com.

Interestingly, apparently Gino Sesto of RateMyCop.com was a Bush voter.

Saturday, March 01, 2008

Jeremy Jaynes loses appeal on spamming case

Jeremy Jaynes, the spammer who was convicted and sentenced to nine years in prison in 2003 for violating Virginia's anti-spam law, has lost his appeal before the Virginia Supreme Court in a 4-3 ruling. Several of the dissents claimed that Virginia's anti-spam law, which criminalizes unsolicited bulk email with falsified headers, even if it is political or religious in content rather than commercial, is a violation of the First Amendment. The quotations from Justice Elizabeth Lacy and Jaynes' attorney Thomas M. Wolf both state that the law has diminished everyone's freedom by criminalizing "bulk anonymous email, even for the purpose of petitioning the government or promoting religion."

Both Lacy and Wolf misrepresent the law, which makes it a crime to "Falsify or forge electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk electronic mail through or into the computer network of an electronic mail service provider or its subscribers."

There is a difference between forging headers and sending anonymous email--the latter does not require the former, and the latter is not prohibited by the law. Jaynes wasn't just trying to be anonymous--he was engaged in fraud, and falsifying message headers and from addresses to try to avoid the consequences of his criminality. He wasn't using anonymous remailers to express a political or religious message, and if he had been, he wouldn't have been able to be charged under this law.

UPDATE (September 12, 2008): The Virginia Supreme Court has reversed itself and struck down Virginia's anti-spam law as unconstitutional, on the grounds that prohibiting false routing information on emails infringes upon the right to anonymous political or religious speech. This is a very bad decision for the reasons I gave above. There are ways to engage in anonymous speech without doing what Jaynes did, falsifying message headers and domain names. The court's argument that one must falsify headers, IP addresses, and domain names in order to be anonymous is factually incorrect. Anonymity doesn't require header falsification, it only requires *omission* of identifying information.

Monday, February 25, 2008

Pakistan takes out YouTube, gets taken out in return

As ZDNet reports, yesterday afternoon, in response to a government order to filter YouTube (AS 36561), Pakistan Telecom (AS 17557, pie.net.pk) announced a more-specific route (/24; YouTube announces a /23) for YouTube's IP space, causing YouTube's Internet traffic to go to Pakistan Telecom. YouTube then re-announced its own IP space in yet more-specific blocks (/25), which restored service to those willing to accept routing announcements for blocks that small. Then Pakistan Telecom's upstream provider, PCCW (AS 3491), which had made the mistake of accepting the Pakistan Telecom /24 announcement for YouTube in the first place, shut off Pakistan Telecom completely, restoring YouTube service to the world minus Pakistan Telecom. They got what they wanted, but not quite in the manner they intended.
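The whole incident turns on longest-prefix matching: a /24 announcement beats the legitimate /23, and a /25 beats the /24, but only at networks willing to accept prefixes that long. The following added example (not from the original post or from any of the operators involved) replays the four stages against a toy routing table and shows the customer prefix-list check that would have stopped the leak at the upstream. The AS numbers and prefix lengths are those given in the post; the 10.10.0.0/23 block and the customer prefix list are constructed placeholders.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, int]  # (announced prefix, origin AS)

# AS numbers and prefix lengths are the ones reported in the post.
AS_YOUTUBE = 36561
AS_PAKTELECOM = 17557
AS_PCCW = 3491  # Pakistan Telecom's upstream; it eventually withdrew the customer's routes

# Constructed placeholder standing in for "YouTube's IP space"; not the real block.
YT_23 = ipaddress.ip_network("10.10.0.0/23")
HIJACK_24 = ipaddress.ip_network("10.10.0.0/24")       # the more-specific announcement
YT_25S = list(HIJACK_24.subnets(new_prefix=25))        # YouTube's even-more-specific reply

# Constructed prefix-list: what the upstream should have let AS 17557 originate.
CUSTOMER_PREFIXES: Dict[int, List[Net]] = {
    AS_PAKTELECOM: [ipaddress.ip_network("10.99.0.0/22")],
}


def best_route(table: Iterable[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: among announcements covering dst, the longest prefix wins."""
    addr = ipaddress.ip_address(dst)
    covering = [r for r in table if addr in r[0]]
    return max(covering, key=lambda r: r[0].prefixlen, default=None)


def origin_for(table: Iterable[Route], dst: str) -> Optional[int]:
    """Origin AS that traffic for dst is delivered to under the current table."""
    route = best_route(table, dst)
    return route[1] if route else None


def peer_filter(routes: Iterable[Route], max_prefixlen: int = 24) -> List[Route]:
    """Common peering filter: ignore anything more specific than a /24.
    Networks applying it never installed YouTube's /25 counter-announcements."""
    return [r for r in routes if r[0].prefixlen <= max_prefixlen]


def customer_filter(routes: Iterable[Route], customer_as: int) -> List[Route]:
    """The check that would have stopped the leak at the upstream: only accept
    prefixes the customer is actually authorised to originate."""
    allowed = CUSTOMER_PREFIXES.get(customer_as, [])
    return [r for r in routes if any(r[0].subnet_of(a) for a in allowed)]


def replay(dst: str = "10.10.0.10", accept_25s: bool = True) -> List[Optional[int]]:
    """Origin AS reached by traffic for dst after each stage of the incident."""
    stages: List[Optional[int]] = []
    table: List[Route] = [(YT_23, AS_YOUTUBE)]           # 1. normal: YouTube's /23
    stages.append(origin_for(table, dst))
    table.append((HIJACK_24, AS_PAKTELECOM))             # 2. leaked /24 beats the /23
    stages.append(origin_for(table, dst))
    reply = [(n, AS_YOUTUBE) for n in YT_25S]            # 3. YouTube answers with /25s
    table += reply if accept_25s else peer_filter(reply)
    stages.append(origin_for(table, dst))
    table = [r for r in table if r[1] != AS_PAKTELECOM]  # 4. upstream drops AS 17557
    stages.append(origin_for(table, dst))
    return stages


if __name__ == "__main__":
    print("accepts /25s:", replay())                     # [36561, 17557, 36561, 36561]
    print("filters >/24:", replay(accept_25s=False))     # [36561, 17557, 17557, 36561]
    leaked = [(HIJACK_24, AS_PAKTELECOM)]
    print("customer filter keeps:", customer_filter(leaked, AS_PAKTELECOM))  # []
```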

Don't mess with the Internet.

Martin Brown gives more detail at the Renesys Blog, including a comment on how this incident shows that it's still a bit too easy for a small ISP to disrupt service by hijacking IPs, intentionally or inadvertently. Danny McPherson makes the same point at the Arbor Networks blog, and also gives a good explanation of how the Pakistan Internet provider screwed up what they were trying to do.

Somebody still needs to update the Wikipedia page on how Pakistan censors the Internet to cover this incident.

UPDATE: BoingBoing reports that the video which prompted this censorship order was an excerpt from Dutch Member of Parliament Geert Wilders' film "Forbidden" criticizing Islam, which was uploaded to YouTube back on January 28. I've added "religion" and "Islam" as labels on this post, accordingly. The two specific videos mentioned by Reporters without Borders as prompting the ban have been removed from YouTube, one due to "terms of use violation" and one "removed by user." The first of these two videos was supposedly the Geert Wilders one; the second was of voters describing election fraud during the February 18 Parliamentary elections in Pakistan. This blog suggests that the latter video was the real source of the attempted censorship gone awry, though the Pakistan media says it was the former. So perhaps the former was the pretext, and the latter was the political motivator.

A "trailer" for Wilders' film is on YouTube here. Wilders speaks about his film on YouTube here and here. Ayaan Hirsi Ali defends Wilders on Laura Ingraham's show on Fox News here. (Contrary to the blog post I've linked to, Hirsi Ali was not in the Theo Van Gogh film "Submission Part One," which can itself be found here; rather, she wrote it. Van Gogh was murdered as a result of it. The beginning and end are in Arabic with Dutch subtitles, but most of it is in English with Dutch subtitles.)

UPDATE (February 26, 2008): This just in, from Reuters--Pakistan "might have been" the cause of the YouTube outage. Way to be on the ball with breaking news, Reuters!

The Onion weighs in on the controversy!

Sunday, February 24, 2008

New Mexico InfraGard conference

On Friday, I attended the New Mexico InfraGard Member Alliance's "$-Gard 2008" conference in Albuquerque. It was an excellent one-day conference that should be used as a model by other chapters. The conference was open to the public, and featured an informative and entertaining two-hour seminar on fraud and white collar crimes by Frank Abagnale, author of the autobiographical Catch Me If You Can and anti-fraud books The Art of the Steal and Stealing Your Identity. (Another version of Abagnale's talk can be viewed as an online webinar courtesy of City National Bank.) Abagnale argued that fraud has become much easier today than it was when he was a criminal forger, with numerous examples, and also offered some simple and relatively inexpensive ways for businesses and individuals to protect themselves. For example, he recommended the use of microcut shredders, and observed that his own business keeps shredders near every printer, and no documents get thrown away, everything gets shredded. He recommended the use of a credit monitoring service like Privacy Guard, and that if you write checks, you use a black uniball 207 gel pen, which is resistant to check-washing chemicals. For businesses that accept cash, he recommended training employees in some of the security features of U.S. currency rather than relying on pH testing pens, which are essentially worthless at detecting counterfeit money. By recognizing where bills use optical variable ink, for example, you can easily test for its presence in the time it takes you to accept bills from a customer and transfer them into a cash register. He also recommended that businesses use bank Positive Pay services to avoid having business checks altered.

Other speakers included Anthony Clark and Danny Quist of Offensive Computing, who gave a talk on "Malware Secrets," based on their research and collection of 275,000 malware samples. Their talk included an overview of the economics of malware, which I believe is essential for understanding how best to combat it. They looked at the underground economy fairly narrowly focused on malware itself, and the cycle of its production, use, reverse engineering by whitehats, the development of antivirus patterns, and then demand for new undetectable malware, and observed that in that particular cycle it's probably the legitimate security companies such as antivirus and IDS vendors who make the most money. They didn't really look at the broader features of the underground economy, such as how botnets are used as infrastructure for criminal enterprises, or the division of criminal labor into different roles to disperse risk, though they certainly mentioned the use of compromised machines for spamming and phishing attacks. They skipped over some of the technical details of their work on automating the unpacking and decryption of malware, which was probably appropriate given the mixed levels of technical background in this audience. A particularly noteworthy feature of their research was their list of features of antivirus software that should be examined when making a purchase decision--performance, detection rates, miss rates, false positive rates, system intrusiveness, a product's own security, ease of mass deployment, speed, update frequency, use of signatures vs. other detection methods, ability to clean, capabilities with various categories of malware (rootkits, trojans, worms, backdoors, spyware), and ability to detect in real time vs. during a scan.

Alex Quintana of Sandia National Labs also spoke about current trends in malware, in the most frightening talk of the conference. He talked about how malware has gone from something that attacks exposed servers on the Internet to something that individual clients pull to their machines from the Internet, usually via drive-by downloads. He demonstrated real examples of malware attacks via web pages and via Shockwave Flash, PowerPoint, and Word documents, and explained how one of his colleagues has coined the word "snares" for emails or web pages that lure individuals into targeted drive-by malware downloads. There was a wealth of interesting detail in his presentation, about trojans that use covert tunnels and hiding techniques, injecting themselves into other running processes, using alternate data streams, and obfuscated information in HTTP headers and on web pages. One trojan he described rides on removable media such as USB thumbdrives and runs when inserted into a PC thanks to Windows Autorun; it drops one component that phones home to accept instructions from a command and control server, and another that causes the malware to be written out on any other removable device inserted into the machine. It's a return of the old-fashioned virus vector of moving from machine to machine via removable media rather than over the network.

From law enforcement, there were presentations from Melissa McBee-Anderson of the Internet Crime Complaint Center (IC3, another public-private partnership, which acts as a clearinghouse for Internet crime complaints and makes referrals of complaints to appropriate federal, state, local, and international law enforcement agencies) and from various agents of the Cyber Squad of the Albuquerque FBI office. These presentations were somewhat disappointing in that they demonstrated how huge the problem is, yet how few prosecutions occur. For example, after the 2004 tsunami disasters, there were over 700 fake online charities set up to prey on people's generosity after a disaster, yet only a single prosecution came of it. In 2005, the number of fake online charities for hurricanes Katrina and Rita was over 7,000, yet only five prosecutions came of those, including one in Albuquerque. Yet even that "successful" prosecution led to no jail time, only community service and probation. Frank Abagnale's presentation also included some woeful statistics about prosecutions for white collar crime and check fraud that explicitly made the same point that was implicit in several of the law enforcement presentations. To IC3's credit, however, they showed an example of a link chart generated from their crime complaint data, a very tiny portion of which was brought to them by a law enforcement agency seeking more information, the rest of which came from multiple received complaints. That link chart showed many interconnected events by five organized fraud gangs. Ms. McBee-Anderson also reported on successful international prosecutions against individuals at Lagos, Nigeria's "walking Wal-Mart," where people were selling goods purchased with stolen credit card information and using forged cashier's checks. (I'm still amazed that anyone actually falls for the Nigerian online fraud schemes, but they do.)

The conference did a good job of making clear some specific threats and offering recommendations on necessary (yet unfortunately individually insufficient) defenses. It's quite clear that relying solely on law enforcement to provide you with a remedy after the fact is a bad idea. It's essential that private enterprises take preventative measures to protect themselves, and use a layered, defense-in-depth approach to do so.

UPDATE (23 October 2022): Note that Frank Abagnale's life story of con artistry turned out itself to be a con, as documented in Alan C. Logan's book, The Greatest Hoax on Earth: Catching Truth, While We Can (2020).

Thursday, February 21, 2008

Canada busts 17 in botnet ring

This morning Canada arrested 17 people of ages ranging from 17 to 26 years old for running botnets containing "up to one million computers" in 100 countries. They face charges that could result in up to 10 years in prison.

This barely scratches the surface of online criminal activity. Niels Provos of Google did a study (PDF) that found that of 4.5 million websites scanned between March of 2006 and February of 2007, 450,000 of them attempt to load malware on visiting machines. Sophos' similar survey in July of last year found that 29% of websites host malware, 28% host porn or gambling content, and 19% are spam-related. Drive-by malware installations (where merely visiting a website causes malware to be loaded onto your machine) are definitely the method of choice for creating botnets today. I recommend using Firefox with the NoScript plugin and the MyWOT plugin to help prevent getting infected by such sites.

Tomorrow, I'll be attending a New Mexico InfraGard conference at which I hope to learn more about recent malware trends (and get my copy of Catch Me If You Can and/or The Art of the Steal autographed by their author). This is another one open to the general public, so I expect no talk about "shoot to kill" powers except in jest.

UPDATE (February 22, 2008): I'm quoted in Brian Jackson's article on the Quebec botnet hacker bust on itbusiness.ca. I'm not entirely happy with the quotes attributed to me--I didn't say "tens of millions," though I said there have been botnets with more than a million hosts, and there are multiple millions of compromised hosts out there. If tens of millions is not accurate today, it will be in the future. The other quotation about IRC got a little bit garbled, but is not far off--I made the point that the bots of today have evolved from a combination of IRC bots of the past combined with denial of service attack tools, remote access trojans, and other malware, and many of them still use IRC as their mode of communication.

Sunday, February 17, 2008

Malware in digital photo frames

The Mocmex virus and other trojans have been found on digital photo frames from China sold at Target, Costco, Sam's Club, and Best Buy. The photo frames are connected to a computer via USB to load photographs; on a Windows machine this will cause an executable stored on the photo frame to run, infecting the computer.

The SANS Internet Storm Center has documented more details here and here.

As more and more devices have built-in storage and can be connected via USB to PCs, we'll see more and more attacks like this.
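Both the thumbdrive trojan from the InfraGard talk above and these photo frames depend on Windows Autorun honouring an autorun.inf file on the device. As an added example (not code from the original posts), the following Python parses such a file and lists the executables Autorun could launch, so a device can be inspected from a non-Windows machine before it is plugged into a Windows PC; the sample autorun.inf and its paths are constructed for this example.

```python
import re

# Keys in [autorun] that name a program to run; shell\<verb>\command keys
# (e.g. shell\open\command) do the same when the drive is opened from Explorer.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample modelled on a removable-media dropper's autorun.inf; the
# action= text mimics Windows' own prompt so the user picks the malware entry.
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe /q
shell\\explore\\command="RECYCLER\\setup.exe" /e
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

def parse_autorun(text: str) -> dict:
    """Keys of the [autorun] section, lower-cased; junk lines are skipped."""
    # Hand-rolled: Windows tolerates stray lines a strict INI parser rejects.
    keys, in_section = {}, False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys

def executable_of(command: str) -> str:
    """First token of a command line, with surrounding double quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""

def launched_executables(text: str) -> list:
    """Distinct executables Autorun could run for this autorun.inf, in order."""
    found = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or SHELL_CMD.match(key):
            exe = executable_of(value)
            if exe and exe not in found:
                found.append(exe)
    return found
```

Any executable the function reports can then be hashed and checked against your antivirus vendor before the device ever touches a Windows machine.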

Tuesday, February 12, 2008

Visual depictions of quantity in art


The picture is of a pair of breasts, composed of 32,000 Barbie dolls. 32,000 is the number of elective breast augmentation surgeries in the U.S. in 2006.

This picture, along with a partial zoom and closeup and other similar works by Chris Jordan, may be found at his website. The photos depict such things as 2 million discarded plastic bottles (the number used in the United States every five minutes), a skull made from images of 200,000 packs of cigarettes (the number of Americans who die from cigarette smoking every six months), a version of Seurat's "Sunday Afternoon on the Island of La Grande Jatte" made from 106,000 images of aluminum cans (the number used in the U.S. every 30 seconds), and so forth.

Hat tip to Barry Williams, who posted this on the SKEPTIC list.

UPDATE (June 11, 2009): Jordan gave a TED Talk about his work last year: