analysis

9 reasons the Storm botnet is different

From Bruce Schneier’s “Gathering ‘Storm’ Superworm Poses Grave Threat to PC Nets” (Wired: 4 October 2007):

Storm represents the future of malware. Let’s look at its behavior:

1. Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides much more easily.

2. Storm is designed like an ant colony, with separation of duties. Only a small fraction of infected hosts spread the worm. A much smaller fraction are C2: command-and-control servers. The rest stand by to receive orders. …

3. Storm doesn’t cause any damage, or noticeable performance impact, to the hosts. Like a parasite, it needs its host to be intact and healthy for its own survival. …

4. Rather than having all hosts communicate to a central server or set of servers, Storm uses a peer-to-peer network for C2. This makes the Storm botnet much harder to disable. …

This technique has other advantages, too. Companies that monitor net activity can detect traffic anomalies with a centralized C2 point, but distributed C2 doesn’t show up as a spike. Communications are much harder to detect. …

5. Not only are the C2 servers distributed, but they also hide behind a constantly changing DNS technique called “fast flux.” …

6. Storm’s payload — the code it uses to spread — morphs every 30 minutes or so, making typical AV (antivirus) and IDS techniques less effective.

7. Storm’s delivery mechanism also changes regularly. Storm started out as PDF spam, then its programmers started using e-cards and YouTube invites — anything to entice users to click on a phony link. …

8. The Storm e-mail also changes all the time, leveraging social engineering techniques. …

9. Last month, Storm began attacking anti-spam sites focused on identifying it — spamhaus.org, 419eater and so on — and the personal website of Joe Stewart, who published an analysis of Storm. I am reminded of a basic theory of war: Take out your enemy’s reconnaissance. Or a basic theory of urban gangs and some governments: Make sure others know not to mess with you.

The Chinese Internet threat

From Shane Harris’ “China’s Cyber-Militia” (National Journal: 31 May 2008):

Computer hackers in China, including those working on behalf of the Chinese government and military, have penetrated deeply into the information systems of U.S. companies and government agencies, stolen proprietary information from American executives in advance of their business meetings in China, and, in a few cases, gained access to electric power plants in the United States, possibly triggering two recent and widespread blackouts in Florida and the Northeast, according to U.S. government officials and computer-security experts.

One prominent expert told National Journal he believes that China’s People’s Liberation Army played a role in the power outages. Tim Bennett, the former president of the Cyber Security Industry Alliance, a leading trade group, said that U.S. intelligence officials have told him that the PLA in 2003 gained access to a network that controlled electric power systems serving the northeastern United States. The intelligence officials said that forensic analysis had confirmed the source, Bennett said. “They said that, with confidence, it had been traced back to the PLA.” These officials believe that the intrusion may have precipitated the largest blackout in North American history, which occurred in August of that year. A 9,300-square-mile area, touching Michigan, Ohio, New York, and parts of Canada, lost power; an estimated 50 million people were affected.

Bennett, whose former trade association includes some of the nation’s largest computer-security companies and who has testified before Congress on the vulnerability of information networks, also said that a blackout in February, which affected 3 million customers in South Florida, was precipitated by a cyber-hacker. That outage cut off electricity along Florida’s east coast, from Daytona Beach to Monroe County, and affected eight power-generating stations.

A second information-security expert independently corroborated Bennett’s account of the Florida blackout. According to this individual, who cited sources with direct knowledge of the investigation, a Chinese PLA hacker attempting to map Florida Power & Light’s computer infrastructure apparently made a mistake.

The industry source, who conducts security research for government and corporate clients, said that hackers in China have devoted considerable time and resources to mapping the technology infrastructure of other U.S. companies. That assertion has been backed up by the current vice chairman of the Joint Chiefs of Staff, who said last year that Chinese sources are probing U.S. government and commercial networks.

“The Chinese operate both through government agencies, as we do, but they also operate through sponsoring other organizations that are engaging in this kind of international hacking, whether or not under specific direction. It’s a kind of cyber-militia.… It’s coming in volumes that are just staggering.”

In addition to disruptive attacks on networks, officials are worried about the Chinese using long-established computer-hacking techniques to steal sensitive information from government agencies and U.S. corporations.

Brenner, the U.S. counterintelligence chief, said he knows of “a large American company” whose strategic information was obtained by its Chinese counterparts in advance of a business negotiation. As Brenner recounted the story, “The delegation gets to China and realizes, ‘These guys on the other side of the table know every bottom line on every significant negotiating point.’ They had to have got this by hacking into [the company’s] systems.”

During a trip to Beijing in December 2007, spyware programs designed to clandestinely remove information from personal computers and other electronic equipment were discovered on devices used by Commerce Secretary Carlos Gutierrez and possibly other members of a U.S. trade delegation, according to a computer-security expert with firsthand knowledge of the spyware used. Gutierrez was in China with the Joint Commission on Commerce and Trade, a high-level delegation that includes the U.S. trade representative and that meets with Chinese officials to discuss such matters as intellectual-property rights, market access, and consumer product safety. According to the computer-security expert, the spyware programs were designed to open communications channels to an outside system, and to download the contents of the infected devices at regular intervals. The source said that the computer codes were identical to those found in the laptop computers and other devices of several senior executives of U.S. corporations who also had their electronics “slurped” while on business in China.

The Chinese make little distinction between hackers who work for the government and those who undertake cyber-adventures on its behalf. “There’s a huge pool of Chinese individuals, students, academics, unemployed, whatever it may be, who are, at minimum, not discouraged from trying this out,” said Rodger Baker, a senior China analyst for Stratfor, a private intelligence firm. So-called patriotic-hacker groups have launched attacks from inside China, usually aimed at people they think have offended the country or pose a threat to its strategic interests. At a minimum the Chinese government has done little to shut down these groups, which are typically composed of technologically skilled and highly nationalistic young men.

The military is not waiting for China, or any other nation or hacker group, to strike a lethal cyber-blow. In March, Air Force Gen. Kevin Chilton, the chief of U.S. Strategic Command, said that the Pentagon has its own cyberwar plans. “Our challenge is to define, shape, develop, deliver, and sustain a cyber-force second to none,” Chilton told the Senate Armed Services Committee. He asked appropriators for an “increased emphasis” on the Defense Department’s cyber-capabilities to help train personnel to “conduct network warfare.”

The Air Force is in the process of setting up a Cyberspace Command, headed by a two-star general and comprising about 160 individuals assigned to a handful of bases. As Wired noted in a recent profile, Cyberspace Command “is dedicated to the proposition that the next war will be fought in the electromagnetic spectrum and that computers are military weapons.” The Air Force has launched a TV ad campaign to drum up support for the new command, and to call attention to cyberwar. “You used to need an army to wage a war,” a narrator in the TV spot declares. “Now all you need is an Internet connection.”

The latest on electronic voting machines

From James Turner’s interview with Dr. Barbara Simons, past President of the Association for Computing Machinery & recent appointee to the Advisory Board of the Federal Election Assistance Commission, at “A 2008 e-Voting Wrapup with Dr. Barbara Simons” (O’Reilly Media: 7 November 2008):

[Note from Scott: headers added by me]

Optical Scan: Good & Bad

And most of the voting in Minnesota was done on precinct based optical scan machines, paper ballot which is then fed into the optical scanner at the precinct. And the good thing about that is it gives the voter immediate feedback if there is any problem, such as over-voting, voting twice for a candidate.

Well there’s several problems; one is–well first of all, as you say because these things have computers in them they can be mis-programmed, there can be software bugs. You could conceivably have malicious code. You could have the machines give you a different count from the right one. There was a situation back in the 2004 race where Gephardt in one of the Primaries–Gephardt received a large number of votes after he had withdrawn from the race. And this was done–using paper ballots, using optical scan paper ballots. I don’t know if it was this particular brand or not. And when they were recounted it was discovered that in fact that was the wrong result; that he had gotten fewer votes. Now I never saw an explanation for what happened but my guess is that whoever programmed these machines had mistakenly assigned the slot that was for Kerry to Gephardt and the slot that was for Gephardt to Kerry; that’s my guess. Now I don’t know if that’s true but if that did happen I think there’s very little reason to believe it was malicious because there was really nothing to be gained by doing that. So I think it was just an honest error but of course errors can occur.

DRE Studies

Ohio conducted a major study of electronic voting machines called the Everest Study which was commissioned by the current Secretary of State Bruner, Secretary of State Bruner and this study uncovered huge problems with these–with most of these voting systems, these touch screen voting systems. They were found to be insecure, unreliable, difficult to use; basically a similar study had been studied in California not too much earlier called the Top to Bottom Review and the Ohio study confirmed every–all of the problems that had been uncovered in California and found additional problems, so based on that there was a push to get rid of a lot of these machines.

States Using DREs

Maryland and Georgia are entirely touch screen States and so is New Jersey. In Maryland they’re supposed to replace them with optical scan paper ballots by 2010 but there’s some concern that there may not be the funding to do that. In fact Maryland and Georgia both use Diebold which is now called Premier, paperless touch screen voting machines; Georgia started using them in 2002 and in that race, that’s the race in which Max Cleveland, the Democratic Senator, paraplegic from–the Vietnam War Vet was defeated and I know that there are some people who questioned the outcome of that race because the area polls had showed him winning. And because that race–those machines are paperless there was no way to check the outcome. Another thing that was of a concern in Maryland in 2002 was that–I mean in Georgia in 2002 was that there were last minute software patches being added to the machines just before the Election and the software patches hadn’t really been inspected by any kind of independent agency.

More on Optical Scans

Well I think scanned ballots–well certainly scanned ballots give you a paper trail and they give you a good paper trail. The kind of paper trail you want and it’s not really a paper trail; it’s paper ballots because they are the ballots. What you want is you want it to be easy to audit and recount an election. And I think that’s something that really people hadn’t taken into consideration early on when a lot of these machines were first designed and purchased.

Disabilities

One of the things that was investigated in California when they did the Top to Bottom Review was just how easy is it for people with disabilities to use these touch screen machines? Nobody had ever done that before and these test results came back very negatively. If you look at the California results they’re very negative on these touch screen machines. In many cases people in wheelchairs had a very difficult time being able to operate them correctly, people who were blind sometimes had troubles understanding what was being said or things were said too loudly or too softly or they would get confused about the instructions or some of the ways that they had for manual inputting; their votes were confusing.

There is a–there are these things called Ballot Generating Devices which are not what we generally refer to as touch screen machines although they can be touch screen. The most widely used one is called the Auto Mark. And the way the Auto Mark works is you take a paper ballots, one of these optical scan ballots and you insert it into the Auto Mark and then it operates much the same way that these other paperless–potentially paperless touch screen machines work. It has a headphone–headset so that a blind voter can use it; it has–it’s possible for somebody in a wheelchair to vote, although in fact you don’t have to use this if you’re in a wheelchair; you can vote optical scan clearly. Somebody who has severe mobility impairments can vote on these machines using a sip, puff device where if you sip it’s a zero or one and if you puff it’s the opposite or a yes or a no. And these–the Auto Mark was designed with disability people in mind from early on. And it faired much better in the California tests. What it does is at the end when the voter with disabilities is finished he or she will say okay cast my ballot. At that point the Auto Mark simply marks the optical scan ballot; it just marks it. And then you have an optical scan ballot that can be read by an optical scanner. There should be no problems with it because it’s been generated by a machine. And you have a paper ballot that can be recounted.

Problems with DREs vs Optical Scans

One of the things to keep in–there’s a couple things to keep in mind when thinking about replacing these systems. The first is that these direct recording electronic systems or touch screen systems as they’re called they have to have–the States and localities that buy these systems have to have maintenance contracts with the vendors because they’re very complicated systems to maintain and of course the software is a secret. So some of these contracts are quite costly and these are ongoing expenses with these machines. In addition, because they have software in them they have to be securely stored and they have to be securely delivered and those create enormous problems especially when you have to worry about delivering large numbers of machines to places prior to the election. Frequently these machines end up staying in people’s garages or in churches for periods of time when they’re relatively insecure.

And you need far fewer scanners; the security issues with scanners are not as great because you can do an audit and a recount, so altogether it just seems to me that moving to paper based optical scan systems with precinct scanners so that the voter gets feedback on the ballot if the voter votes twice for President; the ballot is kicked out and the voter can vote a new ballot.

And as I say there is the Auto Mark for voters with disabilities to use; there’s also another system called Populex but that’s not as widely used as Auto Mark. There could be new systems coming forward.

1/2 of DREs Broken in Pennsylvania on Election Day

Editor’s Note: Dr. Simons wrote me later to say: “Many Pennsylvania polling places opened on election day with half or more of their voting machines broken — so they used emergency paper ballots until they could fix their machines.”

The X Window System defined

From Ellen Siever’s “What Is the X Window System” (O’Reilly Media: 25 August 2005):

X was intentionally designed to provide the low-level mechanism for managing the graphics display, but not to have any control over what is displayed. This means that X has never been locked into a single way of doing things; instead, it has the flexibility to be used in many different ways. Both the simplest window manager and the most complex desktop environment can, and do, use the X Window System to manage the display.

When you run the X Window System, the X server manages the display, based on requests from the window manager. The window manager is an application that is itself an X client, with responsibility for managing the appearance and placement of the windows on the screen.

X itself has no role in determining the appearance of the screen, or what users are allowed to do with windows. That is the job of the window manager. For example, some window managers allow you to double-click in a window’s title bar and roll up the window into the title bar like rolling up a window shade (this is referred to as shading). Other window managers don’t have that feature. X doesn’t care; it’s a window manager concern. The X server’s job is to provide the low-level support so the window manager and other applications can shade or not, as they choose.

The X server manages the display hardware. The server captures input events from the user via keyboard or mouse (or other input device) and passes the information to a client application that has requested it. It also receives requests from the application to perform some graphical action. For example, if you use your mouse to move a window on the screen, the X server passes the information to the window manager, which responds by telling the server where to reposition the window, and the X server performs the action. If the client is a calculator, such as xcalc, it might request that digits be displayed into the window as the user clicks on buttons to enter a number.

The window manager controls the general operation of the window system; in particular, it controls the geometry and aesthetics of your X display. With the window manager you can change the size and position of windows on the display, reshuffle windows in a window stack, and so on.

An analysis of splogs: spam blogs

From Charles C. Mann’s “Spam + Blogs = Trouble” (Wired: September 2006):

Some 56 percent of active English-language blogs are spam, according to a study released in May by Tim Finin, a researcher at the University of Maryland, Baltimore County, and two of his students. “The blogosphere is growing fast,” Finin says. “But the splogosphere is now growing faster.”

A recent survey by Mitesh Vasa, a Virginia-based software engineer and splog researcher, found that in December 2005, Blogger was hosting more than 100,000 sploggers. (Many of these are likely pseudonyms for the same people.)

Some Title, the splog that commandeered my name, was created by Dan Goggins, the proud possessor of a 2005 master’s degree in computer science from Brigham Young University. Working out of his home in a leafy subdivision in Springville, Utah, Goggins, his BYU friend and partner, John Jonas, and their handful of employees operate “a few thousand” splogs. “It’s not that many,” Goggins says modestly. “Some people have a lot of sites.” Trolling the Net, I came across a PowerPoint presentation for a kind of spammers’ conference that details some of the earnings of the Goggins-Jonas partnership. Between August and October of 2005, they made at least $71,136.89.

In addition to creating massive numbers of phony blogs, sploggers sometimes take over abandoned real blogs. More than 10 million of the 12.9 million profiles on Blogger surveyed by splog researcher Vasa in June were inactive, either because the bloggers had stopped blogging or because they never got started.

Not only do sploggers create fake blogs or take over abandoned ones, they use robo-software to flood real blogs with bogus comments that link back to the splog. (“Great post! For more on this subject, click here!”) Statistics compiled by Akismet, a system put together by WordPress developer Mullenweg that tries to filter out blog spam, suggest that more than nine out of 10 comments in the blogosphere are spam.

Maryland researcher Finin and his students found that splogs produce about three-quarters of the pings from English-language blogs. Another way of saying this is that the legitimate blogosphere generates about 300,000 posts a day, but the splogosphere emits 900,000, inundating the ping servers.

Another giveaway: Both Some Title and the grave-robbing page it links to had Web addresses in the .info domain. Spammers flock to .info, which was created as an alternative to the crowded .com, because its domain names are cheaper – registrars often let people use them gratis for the first year – which is helpful for those, like sploggers, who buy Internet addresses in bulk. Splogs so commonly have .info addresses that many experts simply assume all blogs from that domain are fake.

Lots of good info about the FBI’s far-reaching wiretapping of US phone systems

From Ryan Singel’s “Point, Click … Eavesdrop: How the FBI Wiretap Net Operates” (Wired News: 29 August 2007):

The FBI has quietly built a sophisticated, point-and-click surveillance system that performs instant wiretaps on almost any communications device, according to nearly a thousand pages of restricted documents newly released under the Freedom of Information Act.

The surveillance system, called DCSNet, for Digital Collection System Network, connects FBI wiretapping rooms to switches controlled by traditional land-line operators, internet-telephony providers and cellular companies. It is far more intricately woven into the nation’s telecom infrastructure than observers suspected.

It’s a “comprehensive wiretap system that intercepts wire-line phones, cellular phones, SMS and push-to-talk systems,” says Steven Bellovin, a Columbia University computer science professor and longtime surveillance expert.

DCSNet is a suite of software that collects, sifts and stores phone numbers, phone calls and text messages. The system directly connects FBI wiretapping outposts around the country to a far-reaching private communications network.

The $10 million DCS-3000 client, also known as Red Hook, handles pen-registers and trap-and-traces, a type of surveillance that collects signaling information — primarily the numbers dialed from a telephone — but no communications content. (Pen registers record outgoing calls; trap-and-traces record incoming calls.)

DCS-6000, known as Digital Storm, captures and collects the content of phone calls and text messages for full wiretap orders.

A third, classified system, called DCS-5000, is used for wiretaps targeting spies or terrorists.

What DCSNet Can Do

Together, the surveillance systems let FBI agents play back recordings even as they are being captured (like TiVo), create master wiretap files, send digital recordings to translators, track the rough location of targets in real time using cell-tower information, and even stream intercepts outward to mobile surveillance vans.

FBI wiretapping rooms in field offices and undercover locations around the country are connected through a private, encrypted backbone that is separated from the internet. Sprint runs it on the government’s behalf.

The network allows an FBI agent in New York, for example, to remotely set up a wiretap on a cell phone based in Sacramento, California, and immediately learn the phone’s location, then begin receiving conversations, text messages and voicemail pass codes in New York. With a few keystrokes, the agent can route the recordings to language specialists for translation.

The numbers dialed are automatically sent to FBI analysts trained to interpret phone-call patterns, and are transferred nightly, by external storage devices, to the bureau’s Telephone Application Database, where they’re subjected to a type of data mining called link analysis.

The numerical scope of DCSNet surveillance is still guarded. But we do know that as telecoms have become more wiretap-friendly, the number of criminal wiretaps alone has climbed from 1,150 in 1996 to 1,839 in 2006. That’s a 60 percent jump. And in 2005, 92 percent of those criminal wiretaps targeted cell phones, according to a report published last year.

These figures include both state and federal wiretaps, and do not include antiterrorism wiretaps, which dramatically expanded after 9/11. They also don’t count the DCS-3000’s collection of incoming and outgoing phone numbers dialed. Far more common than full-blown wiretaps, this level of surveillance requires only that investigators certify that the phone numbers are relevant to an investigation.

In the 1990s, the Justice Department began complaining to Congress that digital technology, cellular phones and features like call forwarding would make it difficult for investigators to continue to conduct wiretaps. Congress responded by passing the Communications Assistance for Law Enforcement Act, or CALEA, in 1994, mandating backdoors in U.S. telephone switches.

CALEA requires telecommunications companies to install only telephone-switching equipment that meets detailed wiretapping standards. Prior to CALEA, the FBI would get a court order for a wiretap and present it to a phone company, which would then create a physical tap of the phone system.

With new CALEA-compliant digital switches, the FBI now logs directly into the telecom’s network. Once a court order has been sent to a carrier and the carrier turns on the wiretap, the communications data on a surveillance target streams into the FBI’s computers in real time.

The released documents suggest that the FBI’s wiretapping engineers are struggling with peer-to-peer telephony provider Skype, which offers no central location to wiretap, and with innovations like caller-ID spoofing and phone-number portability.

Despite its ease of use, the new technology is proving more expensive than a traditional wiretap. Telecoms charge the government an average of $2,200 for a 30-day CALEA wiretap, while a traditional intercept costs only $250, according to the Justice Department inspector general. A federal wiretap order in 2006 cost taxpayers $67,000 on average, according to the most recent U.S. Court wiretap report.

What’s more, under CALEA, the government had to pay to make pre-1995 phone switches wiretap-friendly. The FBI has spent almost $500 million on that effort, but many traditional wire-line switches still aren’t compliant.

Processing all the phone calls sucked in by DCSNet is also costly. At the backend of the data collection, the conversations and phone numbers are transferred to the FBI’s Electronic Surveillance Data Management System, an Oracle SQL database that’s seen a 62 percent growth in wiretap volume over the last three years — and more than 3,000 percent growth in digital files like e-mail. Through 2007, the FBI has spent $39 million on the system, which indexes and analyzes data for agents, translators and intelligence analysts.

China’s increasing control over American dollars

From James Fallows’ “The $1.4 Trillion Question” (The Atlantic: January/February 2008):

Through the quarter-century in which China has been opening to world trade, Chinese leaders have deliberately held down living standards for their own people and propped them up in the United States. This is the real meaning of the vast trade surplus—$1.4 trillion and counting, going up by about $1 billion per day—that the Chinese government has mostly parked in U.S. Treasury notes. In effect, every person in the (rich) United States has over the past 10 years or so borrowed about $4,000 from someone in the (poor) People’s Republic of China. Like so many imbalances in economics, this one can’t go on indefinitely, and therefore won’t. But the way it ends—suddenly versus gradually, for predictable reasons versus during a panic—will make an enormous difference to the U.S. and Chinese economies over the next few years, to say nothing of bystanders in Europe and elsewhere.

When the dollar is strong, the following (good) things happen: the price of food, fuel, imports, manufactured goods, and just about everything else (vacations in Europe!) goes down. The value of the stock market, real estate, and just about all other American assets goes up. Interest rates go down—for mortgage loans, credit-card debt, and commercial borrowing. Tax rates can be lower, since foreign lenders hold down the cost of financing the national debt. The only problem is that American-made goods become more expensive for foreigners, so the country’s exports are hurt.

When the dollar is weak, the following (bad) things happen: the price of food, fuel, imports, and so on (no more vacations in Europe) goes up. The value of the stock market, real estate, and just about all other American assets goes down. Interest rates are higher. Tax rates can be higher, to cover the increased cost of financing the national debt. The only benefit is that American-made goods become cheaper for foreigners, which helps create new jobs and can raise the value of export-oriented American firms (winemakers in California, producers of medical devices in New England).

Americans sometimes debate (though not often) whether in principle it is good to rely so heavily on money controlled by a foreign government. The debate has never been more relevant, because America has never before been so deeply in debt to one country. Meanwhile, the Chinese are having a debate of their own—about whether the deal makes sense for them. Certainly China’s officials are aware that their stock purchases prop up 401(k) values, their money-market holdings keep down American interest rates, and their bond purchases do the same thing—plus allow our government to spend money without raising taxes.

Details on the Storm & Nugache botnets

From Dennis Fisher’s “Storm, Nugache lead dangerous new botnet barrage” (SearchSecurity.com: 19 December 2007):

[Dave Dittrich, a senior security engineer and researcher at the University of Washington in Seattle], one of the top botnet researchers in the world, has been tracking botnets for close to a decade and has seen it all. But this new piece of malware, which came to be known as Nugache, was a game-changer. With no C&C server to target, bots capable of sending encrypted packets and the possibility of any peer on the network suddenly becoming the de facto leader of the botnet, Nugache, Dittrich knew, would be virtually impossible to stop.

Dittrich and other researchers say that when they analyze the code these malware authors are putting out, what emerges is a picture of a group of skilled, professional software developers learning from their mistakes, improving their code on a weekly basis and making a lot of money in the process.

The way that Storm, Nugache and other similar programs make money for their creators is typically twofold. First and foremost, Storm’s creator controls a massive botnet that he can use to send out spam runs, either for himself or for third parties who pay for the service. Storm-infected PCs have been sending out various spam messages, including pump-and-dump stock scams, pitches for fake medications and highly targeted phishing messages, throughout 2007, and by some estimates were responsible for more than 75% of the spam on the Internet at certain points this year.

Secondly, experts say that Storm’s author has taken to sectioning off his botnet into smaller pieces and then renting those subnets out to other attackers. Estimates of the size of the Storm network have ranged as high as 50 million PCs, but Brandon Enright, a network security analyst at the University of California at San Diego, who wrote a tool called Stormdrain to locate and count infect machines, put the number at closer to 20,000. Dittrich estimates that the size of the Nugache network was roughly equivalent to Enright’s estimates for Storm.

“The Storm network has a team of very smart people behind it. They change it constantly. When the attacks against searching started to be successful, they completely changed how commands are distributed in the network,” said Enright. “If AV adapts, they re-adapt. If attacks by researchers adapt, they re-adapt. If someone tries to DoS their distribution system, they DoS back.”

The other worrisome detail in all of this is that there’s significant evidence that the authors of these various pieces of malware are sharing information and techniques, if not collaborating outright.

“I’m pretty sure that there are tactics being shared between the Nugache and Storm authors,” Dittrich said. “There’s a direct lineage from Sdbot to Rbot to Mytob to Bancos. These guys can just sell the Web front-end to these things and the customers can pick their options and then just hit go.”

Once just a hobby for devious hackers, writing malware is now a profession and its products have helped create a global shadow economy. That infrastructure stretches from the mob-controlled streets of Moscow to the back alleys of Malaysia to the office parks of Silicon Valley. In that regard, Storm, Nugache and the rest are really just the first products off the assembly line, the Model Ts of P2P malware.

Google PageRank explained

From Danny Sullivan’s “What Is Google PageRank? A Guide For Searchers & Webmasters” (Search Engine Land: 26 April 2007):

Let’s start with what Google says. In a nutshell, it considers links to be like votes. In addition, it considers that some votes are more important than others. PageRank is Google’s system of counting link votes and determining which pages are most important based on them. These scores are then used along with many other things to determine if a page will rank well in a search.

PageRank is only a score that represents the importance of a page, as Google estimates it (By the way, that estimate of importance is considered to be Google’s opinion and protected in the US by the First Amendment. When Google was once sued over altering PageRank scores for some sites, a US court ruled: “PageRanks are opinions–opinions of the significance of particular Web sites as they correspond to a search query….the court concludes Google’s PageRanks are entitled to full constitutional protection.)

10,000 hours to reach expertise

From Malcolm Gladwell’s “A gift or hard graft?” (The Guardian: 15 November 2008):

This idea – that excellence at a complex task requires a critical, minimum level of practice – surfaces again and again in studies of expertise. In fact, researchers have settled on what they believe is a magic number for true expertise: 10,000 hours.

“In study after study, of composers, basketball players, fiction writers, ice-skaters, concert pianists, chess players, master criminals,” writes the neurologist Daniel Levitin, “this number comes up again and again. Ten thousand hours is equivalent to roughly three hours a day, or 20 hours a week, of practice over 10 years… No one has yet found a case in which true world-class expertise was accomplished in less time. It seems that it takes the brain this long to assimilate all that it needs to know to achieve true mastery.”

Correcting wrong info reinforces false beliefs

From Jonathan M. Gitlin’s “Does ideology trump facts? Studies say it often does” (Ars Technica: 24 September 2008):

We like to think that people will be well informed before making important decisions, such as who to vote for, but the truth is that’s not always the case. Being uninformed is one thing, but having a population that’s actively misinformed presents problems when it comes to participating in the national debate, or the democratic process. If the findings of some political scientists are right, attempting to correct misinformation might do nothing more than reinforce the false belief.

This sort of misinformation isn’t hypothetical; in 2003 a study found that viewers of Fox News were significantly more misinformed about the Iraq war, with far greater percentages of viewers erroneously believing that Iraq possessed WMDs or that there was a credible link between the 9/11 attack and Saddam Hussein than those who got their news from other outlets like NPR and PBS. This has led to the rise of websites like FactCheck and SourceWatch.

Saying that correcting misinformation does little more than reinforce a false belief is a pretty controversial proposal, but the claim is based on a number of studies that examine the effect of political or ideological bias on fact correction. In the studies, volunteers were shown news items or political adverts that contained misinformation, followed by a correction. For example, a study by John Bullock of Yale showed volunteers a political ad created by NARAL that linked Justice John Roberts to a violent anti-abortion group, followed by news that the ad had been withdrawn. Interestingly, Democratic participants had a worse opinion of Roberts after being shown the ad, even after they were told it was false.

Over half (56 percent) of Democratic subjects disapproved of Roberts before the misinformation. That rose to 80 percent afterward, but even after correcting the misinformation, 72 percent of Democratic subjects still had a negative opinion. Republican volunteers, on the other hand, only showed a small increase in disapproval after watching the misinformation (11 percent vs 14 percent).

The 6 stages of political scandal

According to Mickey Kaus’ Why write about the Edwards scandal? (Slate: 4 August 2008), these are the 6 stages of any political scandal:

… the natural progression in cases like this: 1) Too horrible and shocking; it can’t possibly be true; 2) It’s not true; 3) You can’t prove it’s true; 4) Why are you trying to prove it’s true? 5) It’s disgusting that you’ve proved it’s true; 6) What’s the big deal anyway?

The Elizabethans and their love of booze

From Sam Anderson’s “A History of Hooch“, a review of Iain Gately’s Drink: A Cultural History of Alcohol (6 July 2008):

Elizabethan England had a pub for every 187 people. (By 2004, the country was down to one for every 529 people.) The Pilgrims’ Mayflower was actually “a claret ship from the Bordeaux wine trade,” and a group of settlers who came over to join them brought 20,000 gallons of beer and wine but only 3,000 gallons of water.

The Aztecs and their New Year’s Festival

From Sam Anderson’s “A History of Hooch“, a review of Iain Gately’s Drink: A Cultural History of Alcohol (6 July 2008):

Aztecs liked fermented sap, but had a legal drinking age (52) higher than their average life expectancy – although every four years they’d hold a New Year’s festival called “Drunkenness of Children,” at which all citizens, including toddlers, were required to drink.

Fat footers

Jerry wrote this & sent it to a client;

A fat footer is a means of showing secondary navigation, or
showcasing primary navigation, or reinforcing selected pieces of your
navigation. Here are some examples:

On a long-scroll blog page, put some choices at the bottom:
http://bokardo.com/

Put sales and branding at the top and navigation at the bottom:
http://www.dapper.net/

Promote the pages you really want them to visit:
http://www.blog.spoongraphics.co.uk/

Pizazz at the top, decision-making choices at the bottom:
http://www.apple.com/iphone/

We think it’s usually best to have a color change for the footer:
http://billyhughes.oph.gov.au/

Obama, Clinton, Microsoft Excel, and OpenOffice.org

I recently posted this to my local Linux Users Group mailing list:

Thought y’all would find this interesting – from http://machinist.salon.com/blog/2008/05/26/fundraising_excel/index.html:

“A milestone of sorts was reached earlier this year, when Obama, the Illinois senator whose revolutionary online fundraising has overwhelmed Clinton, filed an electronic fundraising report so large it could not be processed by popular basic spreadsheet applications like Microsoft Excel 2003 and Lotus 1-2-3.

Those programs can’t download data files with more than 65,536 rows or 256 columns.

Obama’s January fundraising report, detailing the $23 million he raised and $41 million he spent in the last three months of 2007, far exceeded 65,536 rows listing contributions, refunds, expenditures, debts, reimbursements and other details. It was the first report to confound basic database programs since 2001, when the Federal Election Commission began directly posting candidates’ fundraising reports online in an effort to make political money more accessible and transparent to voters.

By March, the reports filed by Clinton, a New York senator who attributes Obama’s victories in several states to her own lack of money, also could no longer be downloaded into spreadsheets using basic applications.

If you want to comb through Obama or Clinton’s cash, you either need to divide and import their reports section-by-section (a time-consuming and mind-numbing process) or purchase a more powerful database application, such as Microsoft Access or Microsoft Excel 2007, both of which retail for $229.”

Interestingly, OpenOffice.org 2.0 has the same limitation. OpenOffice.org 3 will expand the number of columns to 1024, according to http://www.oooninja.com/2008/03/openofficeorg-30-new-features.html. No idea about how many rows. Anyone know?

OK … looked it up … it appears that the row limit is STILL in place, so you can’t use OOo to open Obama’s or Hillary’s spreadsheets. Of course, you could use MySQL …

Oh yeah … and here’s one more note, from the same Salon article quoted above:

“In a revealing insight into the significant fundraising disparity between the two Democrats and presumptive Republican presidential nominee, Arizona Sen. John McCain, it is still possible to download his reports with plain-old Excel.”

Ouch!

Why brands are declining

From Brian Gibbs’ letter printed in Wired (January 2005):

The explanation that the decline of brands is due to competition, informed consumers, and constant innovation is insufficient. There’s another factor wreaking havoc. Over the years, brands have lost their meaning because advertising campaigns developed by creative types have been clever and witty, but often not relevant.

Once, brands defined the meaning and mode of civilization: fresher-smelling laundry, tastier tuna, et cetera. Tide used to “get dirt out.” Now it “works wonders,” a vacuous, unprovable claim. Do Tide customers think that getting their laundry clean is a miracle? Do they have an unmet psychological need to deify their detergent? Of course not. Creative-led marketing has wrought the empty brand.

What actions change MAC times on a UNIX box?

From Holt Sorenson’s “Incident Response Tools For Unix, Part Two: File-System Tools” (SecurityFocus: 17 October 2003):

Various commands change the MAC [modify, access, and change] times in different ways. The table below shows the effects that some common commands have on MAC times. These tables were created on Debian 3.0 using an ext2 file system contained in a flat file mounted on a loopback device. … Experimenting with your own system to verify the information in the tables below is encouraged. These tables can serve as a general guide, however.

How common commands change MACtimes for a directory (foo):
Action atime ctime mtime
creation (mkdir foo) X X X
directory move (mv foo bar) X X
file creation (touch foo/foo) X X
file creation (dd if=/dev/zero of=foo/foo count=1) X X
list directory (ls foo) X
change directory (cd foo)
file test (-f foo)
file move/rename (mv foo foo_mvd) X X
permissions change (chmod/chown <some_perm> foo) X
file copy (mv foo_mvd foo) X X
file edit (vim foo) X X
file edit (emacs foo) X X X
file edit (nvi/nano foo)
How common commands change MACtimes for a file (f1):
Action atime ctime mtime
creation (touch foo) X X X
creation (dd if=/dev/zero of=foo count=1) X X X
rename (mv foo bar)
permissions change (chmod <some_perm> foo) X
copy (cp foo bar) X
copy overwrite (cp bar foo) X X
append (cat >> foo) X X
overwrite (cat > foo) X X
truncate (cp /dev/null foo) X X
list file (ls foo)
edit (vim/emacs/xemacs/joe/jed foo) X X X
edit (ed/nvi/vi (sun)/vi (obsd)/nano/pico foo) X1 X1 X1
1 – all times changed, but atime is slightly older than mtime and ctime

The ls command can be used to show the modify, access or change times of files. The following table shows various ls commands that sort in reverse order by mtime, atime, or ctime. This causes ls to list the most recent times last.

displaying MACtimes using ls:
Linux (ls from GNU fileutils) OpenBSD Solaris
mtime ls -latr –full-time ls -latTr ls -latr
atime ls -laur –full-time ls -lauTr ls -laur
ctime ls -lacr –full-time ls -lacTr ls -lacr

What in our brains invest memories with emotion?

From Steven Pinker’s “What the F***?” (The New Republic: 9 Octobert 2007):

The mammalian brain contains, among other things, the limbic system, an ancient network that regulates motivation and emotion, and the neocortex, the crinkled surface of the brain that ballooned in human evolution and which is the seat of perception, knowledge, reason, and planning. The two systems are interconnected and work together, but it seems likely that words’ denotations are concentrated in the neocortex, especially in the left hemisphere, whereas their connotations are spread across connections between the neocortex and the limbic system, especially in the right hemisphere.

A likely suspect within the limbic system is the amygdala, an almond-shaped organ buried at the front of the temporal lobe of the brain (one on each side) that helps invest memories with emotion. A monkey whose amygdalas have been removed can learn to recognize a new shape, like a striped triangle, but has trouble learning that the shape foreshadows an unpleasant event like an electric shock. In humans, the amygdala “lights up”–it shows greater metabolic activity in brain scans–when the person sees an angry face or an unpleasant word, especially a taboo word.

Notes on getting into well-guarded events using social engineering

From Bruce Schneier’s “How to Crash the Oscars” (7 March 2006):

If you want to crash the glitziest party of all, the Oscars, here’s a tip from a professional: Show up at the theater, dressed as a chef carrying a live lobster, looking really concerned. …

“The most important technique is confidence,” he said. “Part of it is being dressed the part, looking the part, and acting the part and then lying to get in the door.”

The biggest hole in the elaborate Oscars security plan, Mamlet said, is that while everyone from stagehands to reporters have to wear official credentials, the celebrities and movie executives attending the event do not.

“If you really act like a celebrity, the security guards will worry that they will get into trouble for not recognizing you,” Mamlet said.

From Bruce Schneier’s “Social Engineering Notes” (15 May 2007):

This is a fantastic story of a major prank pulled off at the Super Bowl this year. Basically, five people smuggled more than a quarter of a ton of material into Dolphin Stadium in order to display their secret message on TV.

Given all the security, it’s amazing how easy it was for them to become part of the security perimeter with all that random stuff. But to those of us who follow this thing, it shouldn’t be. His observations are spot on:

1. Wear a suit.
2. Wear a Bluetooth headset.
3. Pretend to be talking loudly to someone on the other line.
4. Carry a clipboard.
5. Be white.