Fighting 419 scams, the vigilante way

It turns out that an interview with Chris Hansen of Dateline is not the worst thing that can happen to a Nigerian fraudster preying on victims on the other side of the world with promises of a cut from non-existent fortunes hidden away in Swiss bank accounts. An article in the June issue of the Atlantic Monthly looks at a group of volunteers who have taken the art of fighting Internet scams to a new level.

Best exemplified by the site 419 Eater, these vigilantes turn the tables on scammers by playing the part of a gullible/greedy target, with the objective of causing maximum effort, wasted time or humiliation for the con artists. Some of the stories are familiar extensions of the To Catch an ID Thief TV series: the scammer travels a long distance to close the deal but the victim never shows up, or a promised payment never arrives after multiple creative excuses. Others border on the absurd: a photograph accompanying the article shows a Commodore 64 carved out of wood by an enterprising scammer, tricked into believing that the victim is collecting items for his art gallery. In fact the self-styled “scambaiters” try to one-up each other with more outrageous exploits by getting scammers to send pictures of themselves holding up embarrassing signs, displayed in the Trophy Room. (Most comply, supporting the theory that when it comes to crime we catch the dumb ones. A few respond with amazingly awful and obviously fake digitally retouched pictures, which find a home in the Hall Of Shame on the same website.)

Revenge is good, but in the collective frenzy over humiliating pwned spammers, the cyber-vigilantes seem to have lost sight of the over-arching goal: reducing total damage from fraud. To the extent that the miscreants waste time and effort chasing scambaiters, there is some benefit, because those resources are tied up in unproductive ways instead of going after truly vulnerable victims. That distraction is expensive because it also requires the good guys to waste their time keeping up their side of the story, although turning it into a competitive public sport with a website seems to have turned up no shortage of volunteers. The basic problem is that once a scam operation is revealed, including an authentic picture of the perpetrators, he/she remains in business. Future victims remain just as vulnerable to wiring money overseas based on vague hints of a deposed African dictator’s hidden cash.

A parallel situation from phishing: flooding a phishing site with bogus submissions may temporarily reduce its effectiveness, or pollute the database enough to reduce the value of the ill-gotten gains. On the other hand, submitting valid credentials for a dedicated “honeypot” account and then carefully monitoring any activity on that account can protect other users. By design, any activity on the account is fraudulent and any IP address used to log in is suspicious: all activity from that source can be screened to protect users whose data was obtained in other, unrelated scams.
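The monitoring side of that honeypot idea, as an added example that is not code from the original post: decoy accounts are known in advance, so every login to one of them marks the source IP as hostile, and every other account touched from that IP is pulled for review. The log format, the decoy account names and the log lines are all constructed for this example; the retroactive rule (activity from the IP before the decoy login counts too) is a design choice here, not something the post describes.

```python
"""Honeypot-account monitor: flag every IP that logs into a decoy account,
then screen all other activity from those IPs.

Added example, not the blog author's code. Assumes a login log in the
simple constructed format 'timestamp user ip outcome'."""
from collections import defaultdict

# Decoy accounts whose credentials were deliberately handed to phishing
# sites. By design, nobody legitimate ever logs into them.
HONEYPOT_ACCOUNTS = {"decoy.alice@example.com", "decoy.bob@example.com"}

# Constructed sample log. 203.0.113.7 touches a decoy and two real accounts;
# 192.0.2.88 logs into a real account *before* it reveals itself on a decoy.
SAMPLE_LOG = """\
2007-05-01T10:00:01 decoy.alice@example.com 203.0.113.7 success
2007-05-01T10:02:13 carol@example.com 198.51.100.4 success
2007-05-01T10:05:44 carol@example.com 203.0.113.7 success
2007-05-01T10:07:02 dave@example.com 203.0.113.7 failure
2007-05-01T11:15:09 erin@example.com 192.0.2.88 success
2007-05-01T11:40:30 decoy.bob@example.com 192.0.2.88 success
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "outcome": outcome})
    return events


def suspicious_ips(events):
    """Every IP that ever touched a honeypot account, keyed to the first time
    it did so. Failed attempts count as well: the attacker still had the
    decoy credentials, which only a phishing site could have supplied."""
    first_seen = {}
    for ev in events:
        if ev["user"] in HONEYPOT_ACCOUNTS and ev["ip"] not in first_seen:
            first_seen[ev["ip"]] = ev["ts"]
    return first_seen


def screen(events):
    """Return the non-honeypot events originating from suspicious IPs. Each
    names a real account whose credentials may have been stolen elsewhere.
    The IP is condemned retroactively: the same operator may have used
    stolen credentials before trying the decoy ones."""
    bad = suspicious_ips(events)
    return [ev for ev in events
            if ev["ip"] in bad and ev["user"] not in HONEYPOT_ACCOUNTS]


def accounts_to_review(events):
    """Sorted, de-duplicated list of real accounts to lock or notify."""
    return sorted({ev["user"] for ev in screen(events)})


def activity_by_ip(events):
    """Per-IP breakdown of screened events, handy for an analyst's report."""
    report = defaultdict(list)
    for ev in screen(events):
        report[ev["ip"]].append((ev["ts"], ev["user"], ev["outcome"]))
    return dict(report)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("suspicious IPs:", suspicious_ips(evs))
    print("accounts to review:", accounts_to_review(evs))
    for ip, hits in activity_by_ip(evs).items():
        print(ip, hits)
```

Carol's login from 198.51.100.4 is not flagged: only the IP that touched a decoy is screened, so an account that was also used legitimately is reported once for the hostile source and the legitimate session is left alone.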

cemp

Identity thieves tag-team with data sellers to target the elderly

In what may be the newest low point in data mining and marketing, a front-page story in the New York Times last Sunday details how identity thieves are turning their attention to scamming elderly people living alone, a particularly vulnerable group. This by itself would not be unexpected from the low-lifes hiding out in the comfort of their dysfunctional countries in Africa and Eastern Europe to target US consumers. But the disturbing part is how data-mining and aggregation companies are knowingly aiding and abetting the criminal enterprise:

“These people are gullible. They want to believe that their luck can change and it’s just a matter of catching a bit of star dust.”

A comment overheard on an IRC channel populated by carders?
No, that would be a quote from the official marketing literature of InfoUSA, which sells lists of consumers often collected through dubious schemes such as sweepstakes, where the true purpose of the data collection, if disclosed at all, appears in the fine print.

The article, titled “Bilking the elderly, with a corporate assist”, tells the story of one 92-year-old World War II veteran and Purple Heart recipient who frequently received calls from telemarketers and did not mind, as they provided some solace for a person living alone at home. InfoUSA sold his name and contact information to scammers, who contacted him to extract more information using standard pressure tactics (“your benefits will be canceled unless you provide us your SSN/bank account # etc.”) and proceeded to wipe out his life savings.

This is not an isolated incident, and the author contends that the companies selling data are fully aware that their lists are being used by criminals. Quoting a Canadian police officer:

Only one kind of customer wants to buy lists of seniors interested in lotteries and sweepstakes: criminals. If someone advertises a list by saying it contains gullible or elderly people, it’s like putting out a sign saying ‘Thieves welcome here’.

In fact internal company documents obtained by the NYT show that InfoUSA executives were aware of suspicious activity but knowingly continued to profit from the sale of information to criminals. The company has since posted a response, which is nothing more than a transparent spin attempt, except for the allegation that the NYT story is based on events three years old. Yet they could not be bothered to respond to the author, who says the company was contacted by phone and email at least thirty times.

InfoUSA is not the only player in this disgraceful episode, published one week before Memorial Day. Wachovia Bank also profited from the criminal activity by hosting the accounts in which the scam artists collected money withdrawn from victims’ accounts. (To the tune of accepting $142 million in deposits with unsigned checks.) Particularly appalling is the fact that often the victim’s bank would detect suspicious activity, protect its own customer and then contact Wachovia to urge them to shut down the accounts. In one case 59% of all checks from a company were returned, with Wachovia informed of each rejection. No action was taken.

Not surprisingly, Wachovia declined to comment on the story and issued a content-free statement to the effect that they are continuing to cooperate with authorities. Lesson learned: spin doctoring after a screw-up is always easier than protecting customers in the first place.

cemp

Reputation on the web: puzzling persistence of comment spam

Reflections on the pingback and comment flood from two weeks ago. Most of the spam has been removed. In retrospect, three issues stand out:

  • WordPress should have stopped this in the first place. All of the track-backs point to the same website, and there are multiple ones for each post. That screams “spam;” this was not a subtle attacker trying to stay under the radar.
  • Removing the junk is tedious. Even in mass-edit mode, only 20 at a time are displayed and there is no option to “check all” before hitting the delete button.
  • Marking a comment as spam seems to have no effect on other comments from the same source. This is perhaps the most fundamental problem. Ordinary users do not switch between adding witty comments on one blog to hawking cheap printer cartridges on the next. If one track-back had been flagged as spam by the blog author, chances are 100% of them are. They should have been removed automatically. In fact if multiple unrelated blogs all flagged the same source as spam, this is a strong hint that future comments from it need to be blocked.

This is another case of the non-existence of online “reputation”. It’s as if actions by the same person have no connection to each other. There are no consequences to having a comment tagged as spam or even being black-listed from a blog; miscreants are free to continue doing the same, on a different post.

Lack of a strong identity system is often cited as the reason reputation has not taken hold. A persistent ID is required to attach a reputation to. The ability to get a new ID and start from a clean state when things go wrong is not good for accountability. (This is why black-listing email addresses was a pointless anti-spam feature to start with, at best window dressing dreamed up by email providers to comfort annoyed users. Email addresses are easily acquired/fabricated. Black-listing IP addresses or entire domains is more effective.)

But in this case all the comment spam pointed to the same source. WordPress logs the originating IP address for comments and links it to a whois query, supposedly to trace spam back to its source. Detection and response capabilities are all good, but blocking is far more effective.
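The three heuristics above (multiple track-backs from one source on one post, one author flag condemning the rest from that source, and a block list shared across unrelated blogs) as an added example in Python; this is not WordPress code or the blog author's, and the blog names, source URLs, IPs and flags in the sample data are all constructed. Reputation is attached to the source host rather than the individual URL, since the post observes that domains are harder to rotate than email addresses or URLs.

```python
"""Source-reputation filter for track-backs: flood detection, flag
propagation and a cross-blog block list.

Added example, not WordPress's or the blog author's code. The track-back
records below are constructed; real ones would come from the comment table."""
from collections import defaultdict, namedtuple
from urllib.parse import urlparse

# One track-back as seen by a blog: which blog and post received it, the
# URL it claims to come from, the submitting IP, and whether the blog
# author has already flagged it as spam.
Trackback = namedtuple("Trackback", "blog post source_url ip author_flagged")

# Constructed sample: one junk source spraying three blogs, one legitimate
# source linking normally. Only two of the blogs have flagged anything.
SAMPLE = [
    Trackback("randomoracle", 1, "http://junkblog.example/a", "203.0.113.9", True),
    Trackback("randomoracle", 1, "http://junkblog.example/b", "203.0.113.9", False),
    Trackback("randomoracle", 2, "http://junkblog.example/c", "203.0.113.9", False),
    Trackback("randomoracle", 2, "http://friend.example/post", "198.51.100.2", False),
    Trackback("otherblog", 7, "http://junkblog.example/d", "203.0.113.9", True),
    Trackback("thirdblog", 3, "http://junkblog.example/e", "203.0.113.9", False),
    Trackback("thirdblog", 3, "http://friend.example/post2", "198.51.100.2", False),
]


def source_of(tb):
    """Reputation key: the originating host. Spammers rotate URLs freely,
    so scoring individual URLs would give them the clean slate the post
    complains about."""
    return urlparse(tb.source_url).hostname


def flood_sources(trackbacks, max_per_post=1):
    """First bullet: more than max_per_post track-backs from one source on a
    single post is not how real blogs link to each other."""
    counts = defaultdict(int)
    for tb in trackbacks:
        counts[(tb.blog, tb.post, source_of(tb))] += 1
    return {src for (_, _, src), n in counts.items() if n > max_per_post}


def propagate_flags(trackbacks):
    """Third bullet: one author flag condemns every track-back from the same
    source on that blog. Returns the records that should be removed."""
    flagged = {(tb.blog, source_of(tb)) for tb in trackbacks if tb.author_flagged}
    return [tb for tb in trackbacks if (tb.blog, source_of(tb)) in flagged]


def cross_blog_block_list(trackbacks, min_blogs=2):
    """Shared reputation: a source flagged by min_blogs unrelated blogs is
    blocked everywhere, including on blogs that have not flagged it yet."""
    blogs_flagging = defaultdict(set)
    for tb in trackbacks:
        if tb.author_flagged:
            blogs_flagging[source_of(tb)].add(tb.blog)
    return {src for src, blogs in blogs_flagging.items() if len(blogs) >= min_blogs}


def should_accept(new_tb, history, min_blogs=2):
    """Admission check for an incoming track-back against shared history."""
    return source_of(new_tb) not in cross_blog_block_list(history, min_blogs)


if __name__ == "__main__":
    print("flooding sources:", flood_sources(SAMPLE))
    print("to remove after flag propagation:", len(propagate_flags(SAMPLE)))
    print("blocked everywhere:", cross_blog_block_list(SAMPLE))
    incoming = Trackback("thirdblog", 9, "http://junkblog.example/f", "203.0.113.9", False)
    print("accept new junk track-back on thirdblog?", should_accept(incoming, SAMPLE))
```

Note that thirdblog never flagged anything itself, yet the incoming junk track-back is rejected there because two other blogs already had: that is the consequence-carrying reputation the post says is missing. The `min_blogs` threshold is the knob against a single malicious or mistaken flag blacklisting a legitimate source.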

cemp

Fuel prices and used cars

A growing number of articles are predicting that fuel prices will hit $4/gallon this summer. CNN/Money has recently joined the speculation with an article pointing out that, according to one source, a new nationwide record was set last Sunday, exceeding the previous $3.05 spike following Hurricane Katrina. It can only get worse from here: refining capacity is still at historic lows. Meanwhile demand will increase over the summer as more families hit the road in search of the perfect vacation.

It remains to be seen whether the higher prices will have any effect on purchasing patterns in the automotive industry. In the past, the price of gasoline defied economic theory: demand for driving and, for that matter, for gas-guzzling SUVs showed no elasticity with respect to oil prices. “People respond to incentives” goes the theory, but during the late 1990s and the early years of this decade it was hard to see any evidence of that. That may be changing now. The New York Times reported that in April GM sales were down 2% and Ford down 7%.

“Rick Wagoner, the chief executive of G.M., said during an interview on CNBC, the financial news cable network, citing gas prices that have topped $3 a gallon in many parts of the country as one reason.”

This excuse is slightly more credible than Krispy Kreme blaming the Atkins diet for its lackluster quarterly results. While Detroit cannot control fuel prices directly, they should have felt free to adjust their own product line and manufacturing numbers based on projected trends. In the 1990s SUVs were the right business investment, as consumers paid a hefty premium for the appearance of a vehicle ready to conquer the wilderness. But once global warming, talk of carbon taxes and higher fuel prices started, focus would logically have shifted to smaller, efficient passenger vehicles and disruptive technologies such as hybrids. (A well-managed company is supposed to look ahead and invest part of the SUV windfall in the next thing.)

A better indication of economic sanity restored to the markets may be in used cars. If fuel prices affect behavior, one would expect to see greater demand for efficient cars and, by contrast, a shift away from the gas guzzlers. This is similar to the inverse correlation between interest rates and bond prices. Once hybrids start trading well above their blue-book price, there is an argument that the cost of fuel is impacting purchasing decisions.

cemp

Comments and track-backs disabled after spam flood

Yesterday it was the Random Oracle blog’s turn to be targeted in a track-back spam attack. Each post ended up with a handful of track-backs to articles on the same bogus blog, which appears to be nothing more than an undigested collection of random paragraphs lifted from different WordPress blogs.

Requiring a CAPTCHA solution with each comment/track-back would have solved this problem. Windows Live Spaces (formerly MSN Spaces) has this option. It is far more effective than the alternatives of allowing public commenting or requiring authentication. The latter is not a barrier, since the underlying identity system is disconnected from the real world and has no reputation attached. Spammers can register one account, use it to spam hundreds of blogs and move on to start from a clean slate when the ID is black-listed. WordPress controls on commenting are primitive by comparison. Ping-backs and track-backs can be disabled, and comments can be disabled or held in the queue for moderation. Finally, comments can be limited to users who have had a previously approved comment, which creates a boot-strapping problem. Proof-of-work by solving CAPTCHAs is much better suited to this problem: users serious enough to comment on an article will not mind taking a few extra seconds to solve the puzzle. Spammers will give up and move on to the next blog.

cemp

HD-DVD processing key and Internet censorship

More observations:

  • Attempting to suppress information after it has leaked on the Internet is highly counter-productive. The heavy-handed tactics required to force the hand of website owners and publishers across the world only serve to draw more attention to the problem. This is a lesson the DVD Copy Control Association learned the hard way with DeCSS. But it should have been an obvious point to extrapolate from individual experience. For example, Outlook/Exchange has a feature to recall messages, but the “recall” works by sending another message which the recipient must first open before Outlook will process it to remove the original one. Emails are often sent by mistake; to err is human. But sending a recall only draws attention to the original blunder and virtually guarantees more people will read it. This is because most errors involve sending a message to the wrong audience: not recognizing the subject line or sender, most busy people may be tempted to ignore the message or file it away for later review. Send a recall message, though, and suddenly everyone drops their work and digs up the original. (Bonus points for sending an additional message on top of the recall: in 2004 an HR person sent email containing salary information to an entire building on the MSFT campus. She followed up with a high-priority message admonishing people not to open the original, even kindly explaining the contents of the confidential attachment.)
  • User-generated content cuts both ways. It can fuel a website, but it can also bring untold dangers in the way of legal risk. Digg is far from alone here; witness the Viacom litigation over copyrighted content posted to YouTube. This is the trade-off associated with riding an economic externality in the form of getting your audience to build your business: the result is at the whim of users. Trying to shape the externality by weeding out the negatives can backfire. It is difficult to build a sense of ownership unless users feel they can post their choice of content, as opposed to content approved by omniscient moderators.
  • Commercial ventures have a lot more to lose than individual bloggers. Deeper pockets mean greater incentive for others to litigate perceived wrongs. Digg has decided to take a stand and ignore the C&D letters. Depending on your perspective, this is either a principled stand to be applauded or an unabashed grab for cheap publicity via corporate martyrdom. Developments over the next few days will be interesting. Already there is speculation on whether Digg has any legal ground to stand on. But either way, the decision to stop censoring the content would have been difficult for an established company to justify on any grounds.

cemp

Dangerous digits, forbidden Diggs: how not to deal with leaks

The main encryption key protecting all HD-DVD content against unauthorized copying (the “processing key”) was discovered almost three months ago, in February, and published on the Doom9 forums. In some ways that hack was just a question of time. Software DRM is always vulnerable to reverse engineering. Unlike a true cryptographic attack, in this case the crown jewels are right there, hidden in plain sight, shipped with every copy of software capable of playing HD-DVD and BluRay discs. It is quite possible other people had already accomplished the same feat but chose to keep quiet and perhaps profit by privately exploiting this information, selling it to pirating rings, etc.

All of that would be expected. But the truly strange part is that the disclosure issue flared up again yesterday in a storm of protest messages to Digg. The short version of the story:

  • Somebody posted the key in a Digg submission.
  • Digg removed it in response to a cease-and-desist letter, fueling all sorts of conspiracy theories, including one allegation that the site had been receiving funding from the HD-DVD association.
  • Users revolted: for 24 hours, every other story on the site featured creative ways to publish the key.
  • Digg admitted the error of its ways and tried to make amends, agreeing not to remove any more user submissions. Damn the torpedoes, full speed ahead.

As quoted in the New York Times article published today:

“You’d rather see Digg go down fighting than bow down to a bigger company,” wrote Kevin Rose, Digg’s founder, in a blog post. “We hear you, and effective immediately we won’t delete stories or comments containing the code and will deal with whatever the consequences might be. If we lose, then what the hell, at least we died trying.”

Jay Adelson, Digg’s chief executive, said in an interview that the site was disregarding the advice of lawyers. “We just decided that it is more important to stand by our users.”

Stepping back for a second, let’s put on the risk management hat and ask what has been accomplished by this campaign asking websites to take down offending posts. Breach of valuable cryptographic key material is a serious problem, even when it was destined to happen with the current DRM design. But arguably there is marginal utility in limiting the scope of the disclosure. Now, the key itself is not really the dangerous asset, since most users cannot write the software required to duplicate content. It is only useful to the select few who have the software but not the key. We can bet that no reputable software vendor will be writing that code, although the success of DeCSS in the past shows commercial involvement is far from necessary to reach critical mass. But even granting that there is some good reason for limiting distribution of the key, what purpose did the C&D letters serve?

  1. Ensuring that the key is even more widespread online than ever before, as indignant users made a point of duplicating the 16 hexadecimal digits everywhere they went online. (And sometimes offline: it is now on T-shirts and mugs. CafePress lists over 1000 products.) In this way the cease & desist letter served to initiate the greatest “distributed content replication” rush seen thus far. Some of the entries were quite ironic: in one case the C&D letter itself contained the key, and ended up on Chilling Effects.
  2. Drawing extensive press coverage from mainstream media, including the New York Times, Forbes and the BBC. At a time when the legitimacy of DRM is in question and Apple has successfully spear-headed a movement to offer DRM-free music, the attempt to compensate for the technical failures of AACS with legal tactics is unlikely to win any converts to the content industry viewpoint.
  3. Drawing the ire of customers; it would not be the first time.

This is hardly a success story in limiting the distribution of leaked secrets.

cemp

Ubuntu on Dell OEM machines– the inflection point for Linux?

According to this CNet article, picked up everywhere today, Dell will be shipping desktop PCs and laptops pre-installed with Ubuntu.

Dell had already broken ranks with PC manufacturers by shipping PCs without an operating system. These systems are not easy to discover on the main website: one has to select the cryptically named “Open source desktops” option under the Products menu, which takes the customer to a page describing the n Series. Strangely enough there is nothing open source about the three models offered, because they ship with the largely irrelevant FreeDOS operating system instead of a proper GNU/Linux installation. Quote:

“With the n Series desktop, customers have the flexibility to install an alternative operating system (such as a version of Linux® ), and help reduce the price of this system. In addition, the n Series desktop comes with a non-formatted hard drive ready for your custom installation. Dell’s n Series desktop ships with a copy of FreeDosTM , an open-source operating system that is ready to install.”

Shipping Ubuntu can finally put some real momentum behind this half-hearted move. Ubuntu is perhaps the most approachable and usable of all Linux distributions, intended to take the complexity out of setting up a new system out of the box. The web page for the desktop edition promises that it “just works”: exactly the type of language software vendors in the past used to appeal to novice users.

cemp