Take over a computer network with an iPod or USB stick

From Bruce Schneier’s “Hacking Computers Over USB” (Crypto-Gram: 15 June 2005):

From CSO Magazine:

“Plug an iPod or USB stick into a PC running Windows and the device can literally take over the machine and search for confidential documents, copy them back to the iPod or USB’s internal storage, and hide them as “deleted” files. Alternatively, the device can simply plant spyware, or even compromise the operating system. Two features that make this possible are the Windows AutoRun facility and the ability of peripherals to use something called direct memory access (DMA). The first attack vector you can and should plug; the second vector is the result of a design flaw that’s likely to be with us for many years to come.” …

Recently I’ve been seeing more and more written about this attack. The Spring 2006 issue of 2600 Magazine, for example, contains a short article called “iPod Sneakiness” (unfortunately, not online). The author suggests that you can innocently ask someone at an Internet cafe if you can plug your iPod into his computer to power it up — and then steal his passwords and critical files.

And about someone used this trick in a penetration test:

“We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

“The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

“Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

“I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.”

Russian bot herders behind massive increase in spam

From Ryan Naraine’s “‘Pump-and-Dump’ Spam Surge Linked to Russian Bot Herders” (eWeek: 16 November 2006):

The recent surge in e-mail spam hawking penny stocks and penis enlargement pills is the handiwork of Russian hackers running a botnet powered by tens of thousands of hijacked computers.

Internet security researchers and law enforcement authorities have traced the operation to a well-organized hacking gang controlling a 70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan. …

For starters, the Trojan comes with its own anti-virus scanner – a pirated copy of Kaspersky’s security software – that removes competing malware files from the hijacked machine. Once a Windows machine is infected, it becomes a peer in a peer-to-peer botnet controlled by a central server. If the control server is disabled by botnet hunters, the spammer simply has to control a single peer to retain control of all the bots and send instructions on the location of a new control server.

The bots are segmented into different server ports, determined by the variant of the Trojan installed, and further segmented into peer groups of no more than 512 bots. This allows the hackers to keep the overhead involved in exchanging information about other peers to a minimum, Stewart explained.

… the attackers are meticulous about keeping statistics on bot infections around the world.

For example, the SpamThru controller keeps statistics on the country of origin of all bots in the botnet. In all, computers in 166 countries are part of the botnet, with the United States accounting for more than half of the infections.

The botnet stats tracker even logs the version of Windows the infected client is running, down to the service pack level. One chart commandeered by Stewart showed that Windows XP SP2 … machines dominate the makeup of the botnet, a clear sign that the latest version of Microsoft’s operating system is falling prey to attacks.

Another sign of the complexity of the operation, Stewart found, was a database hacking component that signaled the ability of the spammers to target its pump-and-dump scams to victims most likely to be associated with stock trading.

Stewart said about 20 small investment and financial news sites have been breached for the express purpose of downloading user databases with e-mail addresses matched to names and other site registration data. On the bot herder’s control server, Stewart found a MySQL database dump of e-mail addresses associated with an online shop. …

The SpamThru spammer also controls lists of millions of e-mail addresses harvested from the hard drives of computers already in the botnet. …

“It’s a very enterprising operation and it’s interesting that they’re only doing pump-and-dump and penis enlargement spam. That’s probably because those are the most lucrative,” he added.

Even the spam messages come with a unique component. The messages are both text- and image-based and a lot of effort has been put into evading spam filters. For example, each SpamThru client works as its own spam engine, downloading a template containing the spam and random phrases to use as hash-busters, random “from” names, and a list of several hundred e-mail addresses to send to.

Stewart discovered that the image files in the templates are modified with every e-mail message sent, allowing the spammer to change the width and height. The image-based spam also includes random pixels at the bottom, specifically to defeat anti-spam technologies that reject mail based on a static image.

All SpamThru bots – the botnet controls about 73,000 infected clients – are also capable of using a list of proxy servers maintained by the controller to evade blacklisting of the bot IP addresses by anti-spam services. Stewart said this allows the Trojan to act as a “massive distributed engine for sending spam,” without the cost of maintaining static servers.

With a botnet of this size, the group is theoretically capable of sending a billion spam e-mails in a single day.

The HOLLYWOOD sign as multi-user access-control system

From Bruce Schneier’s “Hollywood Sign Security” (Crypto-Gram: 15 January 2005):

In Los Angeles, the “HOLLYWOOD” sign is protected by a fence and a locked gate. Because several different agencies need access to the sign for various purposes, the chain locking the gate is formed by several locks linked together. Each of the agencies has the key to its own lock, and not the key to any of the others. Of course, anyone who can open one of the locks can open the gate.

This is a nice example of a multiple-user access-control system. It’s simple, and it works. You can also make it as complicated as you want, with different locks in parallel and in series.

A new way to steal from ATMs: blow ’em up

From Bruce Schneier’s “News” (Crypto-Gram Newsletter: 15 March 2006):

In the Netherlands, criminals are stealing money from ATM machines by blowing them up. First, they drill a hole in an ATM and fill it with some sort of gas. Then, they ignite the gas — from a safe distance — and clean up the money that flies all over the place after the ATM explodes. Sounds crazy, but apparently there has been an increase in this type of attack recently. The banks’ countermeasure is to install air vents so that gas can’t build up inside the ATMs.

DIY worm kits

From Jose Nazario’s Anatomy of a worm (Computerworld: 15 September 2004):

Now imagine a world where worm attacks frequently occur because hackers and rogue developers have access to “worm kits” or development tools that provide the basic building blocks for rapid worm development.

Historically, worms were basic clones of one another that didn’t change after their original development. Simple mechanisms were used to propagate them, such as mass-mailing worms using a single subject line.

Today’s worms are more sophisticated. They have the ability to mutate after development based on knowledge of how to thwart new security processes. For instance, an early worm, Code Red, attacked only Internet Information Server servers. The Nimda worm, which came later, expanded to include at least three additional attack methodologies: mail-based attacks, file-sharing-based attacks, and attacks against the Internet Explorer Web browser.

The potential for this worm-a-day nightmare comes from several factors: the dozens of vulnerabilities that are ready to be exploited, the availability of worm source code, recycled exploits and the ease of editing existing worms.

Evil twin hot spots

From Dan Ilett’s Evil twin could pose Wi-Fi threat (CNET 21 January 2005):

Researchers at Cranfield University are warning that “evil twin” hot spots, networks set up by hackers to resemble legitimate Wi-Fi hot spots, present the latest security threat to Web users.

Attackers interfere with a connection to the legitimate network by sending a stronger signal from a base station close to the wireless client, turning the fake access point into a so-called evil twin.

Virtual-machine based rootkits

From Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, & Jacob R. Lorch’s “SubVirt: Implementing malware with virtual machines
” [PDF] (: ):

We evaluate a new type of malicious software that gains qualitatively more control over a system. This new type of malware, which we call a virtual-machine based rootkit (VMBR), installs a virtual-machine monitor underneath an existing operating system and hoists the original operating system into a virtual machine. Virtual-machine based rootkits are hard to detect and remove because their state cannot be accessed by software running in the target system. Further, VMBRs support general-purpose malicious services by allowing such services to run in a separate operating system that is protected from the target system. We evaluate this new threat by implementing two proof-of-concept VMBRs. We use our proof-of-concept VMBRs to subvert Windows XP and Linux target systems, and we implement four example malicious services using the VMBR platform. Last, we use what we learn from our proof-of-concept VMBRs to explore ways to defend against this new threat. We discuss possible ways to detect and prevent VMBRs, and we implement a defense strategy suitable for protecting systems against this threat. …

A major goal of malware writers is control, by which we mean the ability of an attacker to monitor, intercept, and modify the state and actions of other software on the system. Controlling the system allows malware to remain invisible by lying to or disabling intrusion detection software.

Control of a system is determined by which side occupies the lower layer in the system. Lower layers can control upper layers because lower layers implement the abstractions upon which upper layers depend. For example, an operating system has complete control over an application’s view of memory because the operating system mediates access to physical memory through the abstraction of per-process address spaces. Thus, the side that controls the lower layer in the system has a fundamental advantage in the arms race between attackers and defenders. If the defender’s security service occupies a lower layer than the malware, then that security service should be able to detect, contain, and remove the malware. Conversely, if the malware occupies a lower layer than the security service, then the malware should be able to evade the security service and manipulate its execution.

Because of the greater control afforded by lower layers in the system, both security services and rootkits have evolved by migrating to these layers. Early rootkits simply replaced user-level programs, such as ps, with trojan horse programs that lied about which processes were running. These user-level rootkits were detected easily by user-level intrusion detection systems such as TripWire [29], and so rootkits moved into the operating system kernel. Kernel-level rootkits such as FU [16] hide malicious processes by modifying kernel data structures [12]. In response, intrusion detectors also moved to the kernel to check the integrity of the kernel’s data structures [11, 38]. Recently, researchers have sought to hide the memory footprint of malware from kernel-level detectors by modifying page protections and intercepting page faults [43]. To combat such techniques, future detectors may reset page protections and examine the code of the page-fault handler. …

Our project, which is called SubVirt, shows how attackers can use virtual-machine technology to address the limitations of current malware and rootkits. We show how attackers can install a virtual-machine monitor (VMM) underneath an existing operating system and use that VMM to host arbitrary malicious software. The resulting malware, which we call a virtual- machine based rootkit (VMBR), exercises qualitatively more control than current malware, supports general-purpose functionality, yet can completely hide all its state and activity from intrusion detection systems running in the target operating system and applications. …

A virtual-machine monitor is a powerful platform for malware. A VMBR moves the targeted system into a virtual machine then runs malware in the VMM or in a second virtual machine. The targeted system sees little to no difference in its memory space, disk space, or execution (depending on how completely the machine is virtualized). The VMM also isolates the malware’s state and events completely from those of the target system, so software in the target system cannot see or modify the malicious software. At the same time, the VMM can see all state and events in the target system, such as keystrokes, network packets, disk state, and memory state. A VMBR can observe and modify these states and events—without its own actions being observed—because it completely controls the virtual hardware presented to the operating system and applications. Finally, a VMBR provides a convenient platform for developing malicious services. A malicious service can benefit from all the conveniences of running in a separate, general-purpose operating system while remaining invisible to all intrusion detection software running in the targeted system. In addition, a malicious service can use virtual-machine introspection to understand the events and states taking place in the targeted system. …

In the overall structure of a VMBR, a VMBR runs beneath the existing (target) operating system and its applications (Figure 2). To accomplish this, a VMBR must insert itself beneath the target operating system and run the target OS as a guest. To insert itself beneath an existing system, a VMBR must manipulate the system boot sequence to ensure that the VMBR loads before the target operating system and applications. After the VMBR loads, it boots the target OS using the VMM. As a result, the target OS runs normally, but the VMBR sits silently beneath it.

To install a VMBR on a computer, an attacker must first gain access to the system with sufficient privileges to modify the system boot sequence. There are numerous ways an attacker can attain this privilege level. For example, an attacker could exploit a remote vulnerability, fool a user into installing malicious software, bribe an OEM or vendor, or corrupt a bootable CD-ROM or DVD image present on a peer-to-peer network. On many systems, an attacker who attains root or Administrator privileges can manipulate the system boot sequence. On other systems, an attacker must execute code in kernel mode to manipulate the boot sequence. We assume the attacker can run arbitrary code on the target system with root or Administrator privileges and can install kernel modules if needed. …

VMBRs use a separate attack OS to deploy malware that is invisible from the perspective of the target OS but is still easy to implement. None of the states or events of the attack OS are visible from within the target OS, so any code running within an attack OS is effectively invisible. The ability to run invisible malicious services in an attack OS gives intruders the freedom to use user-mode code with less fear of detection.

We classify malicious services into three categories: those that need not interact with the target system at all, those that observe information about the target system, and those that intentionally perturb the execution of the target system. In the remainder of this section, we discuss how VMBRs support each class of service.

The first class of malicious service does not communicate with the target system. Examples of such services are spam relays, distributed denial-of-service zombies, and phishing web servers. A VMBR supports these services by allowing them to run in the attack OS. This provides the convenience of user-mode execution without exposing the malicious service to the target OS.

The second class of malicious service observes data or events from the target system. VMBRs enable stealthy logging of hardware-level data (e.g., keystrokes, network packets) by modifying the VMM’s device emulation software. This modification does not affect the virtual devices presented to the target OS. For example, a VMBR can log all network packets by modifying the VMM’s emulated network card. These modifications are invisible to the target OS because the interface to the network card does not change, but the VMBR can still record all network packets. …

The third class of malicious service deliberately modifies the execution of the target system. For example, a malicious service could modify network communication, delete e-mail messages, or change the execution of a target application. A VMBR can customize the VMM’s device emulation layer to modify hardware-level data. A VMBR can also modify data or execution within the target through virtual-machine introspection.

Using our proof-of-concept VMBRs, we developed four malicious services that represent a range of services a writer of malicious software may want to deploy. We implemented a phishing web server, a keystroke logger, a service that scans the target file system looking for sensitive files, and a defense countermeasure that defeats a current virtual-machine detector. …

To avoid being removed, a VMBR must protect its state by maintaining control of the system. As long as the VMBR controls the system, it can thwart any attempt by the target to modify the VMBR’s state. The VMBR’s state is protected because the target system has access only to the virtual disk, not the physical disk.

The only time the VMBR loses control of the system is in the period of time after the system powers up until the VMBR starts. Any code that runs in this period can access the VMBR’s state directly. The first code that runs in this period is the system BIOS. The system BIOS initializes devices and chooses which medium to boot from. In a typical scenario, the BIOS will boot the VMBR, after which the VMBR regains control of the system. However, if the BIOS boots a program on an alternative medium, that program can access the VMBR’s state.

Because VMBRs lose control when the system is powered off, they may try to minimize the number of times full system power-off occurs. The events that typically cause power cycles are reboots and shutdowns. VMBRs handle reboots by restarting the virtual hardware rather than resetting the underlying physical hardware. By restarting the virtual hardware, VMBRs provide the illusion of resetting the underlying physical hardware without relinquishing control. Any alternative bootable medium used after a target reboot will run under the control of the VMBR.

In addition to handling target reboots, VMBRs can also emulate system shutdowns such that the system appears to shutdown, but the VMBR remains running on the system. We use ACPI sleep states [3] to emulate system shutdowns and to avoid system power-downs. ACPI sleep states are used to switch hardware into a low-power mode. This low-power mode includes spinning down hard disks, turning off fans, and placing the monitor into a power-saving mode. All of these actions make the computer appear to be powered off. Power is still applied to RAM, so the system can come out of ACPI sleep quickly with all memory state intact. When the user presses the power button to “power-up” the system, the computer comes out of the low-power sleep state and resumes the software that initiated the sleep. Our VMBR leverage this low-power mode to make the system appear to be shutdown; when the user “powers-up” the system by pressing the power button the VMBR resumes. If the user attempts to boot from an alternative medium at this point, it will run under the control of the VMBR. We implemented shutdown emulation for our VMware-based VMBR. …

We first measure the disk space required to install the VMBR. Our Virtual PC-based VMBR image is 106 MB compressed and occupies 251 MB of disk space when uncompressed. Our VMware-based VMBR image is 95 MB compressed and occupies 228 MB of disk space uncompressed. The compressed VMBR images take about 4 minutes to download on a 3 Mb/s cable modem connection and occupy only a small fraction of the total disk space present on modern systems. …

The installation measurements include the time it takes to uncompress the attack image, allocate disk blocks, store the attack files, and modify the system boot sequence. Installation time for the VMware-based VMBR is 24 seconds. Installation for the Virtual PC-based VMBR takes longer (262 seconds) because the hardware used for this test is much slower and has less memory. In addition, when installing a VMBR underneath Windows XP, we swap the contents of the disk blocks used to store the VMBR with those in the beginning of the Windows XP disk partition, and these extra disk reads/writes further lengthen the installation time.

We next measure boot time, which we define as the amount of time it takes for an OS to boot and reach an initial login prompt. Booting a target Linux system without a VMBR takes 53 seconds. After installing the VMware-based VMBR, booting the target system takes 74 seconds after a virtual reboot and 96 seconds after a virtual shutdown. It takes longer after a virtual shutdown than after a virtual reboot because the VMM must re-initialize the physical hardware after coming out of ACPI sleep. In the uncommon case that power is removed from the physical system, the host OS and VMM must boot before loading the target Linux OS. The VMware-based VMBR takes 52 seconds to boot the host OS and load the VMM and another 93 seconds to boot the target Linux OS. We speculate that it takes longer to boot the target OS after full system power-down than after a virtual reboot because some performance optimizations within the VMware VMM take time to warm up.

Booting a target Windows XP system without a VMBR takes 23 seconds. After installing the Virtual PC-based VMBR, booting the target system takes 54 seconds after a virtual reboot. If power is removed from the physical system, the Virtual PC-based VMBR takes 45 seconds to boot the host OS and load the VMM and another 56 seconds to boot the target Windows XP OS. …

Despite using specialized guest drivers, our current proof-of-concept VMBRs use virtualized video cards which may not export the same functionality as the underlying physical video card. Thus, some high-end video applications, like 3D games or video editing applications, may experience degraded performance.

The physical memory allocated to the VMM and attack OS is a small percentage of the total memory on the system (roughly 3%) and thus has little performance impact on a target OS running above the VMBR. …

In this section, we explore techniques that can be used to detect the presence of a VMBR. VMBRs are fundamentally more difficult to detect than traditional malware because they virtualize the state seen by the target system and because an ideal VMBR modifies no state inside the target system. Nonetheless, a VMBR does leave signs of its presence that a determined intrusion detection system can observe. We classify the techniques that be used to detect a VMBR by whether the detection system is running below the VMBR, or whether the detection system is running above the VMBR (i.e., within the target system). …

There are various ways to gain control below the VMBR. One way to gain control below the VMBR is to use secure hardware. Intel’s LaGrande [25], AMD’s platform for trustworthy computing [2], and Copilot [36] all propose hardware that can be used to develop and deploy low-layer security software that would run beneath a VMBR.

Another way to gain control below the VMBR is to boot from a safe medium such as a CD-ROM, USB drive or network boot server. This boot code can run on the system before the VMBR loads and can view the VMBR’s quiescent disk state. …

A third way to gain control below the VMBR is to use a secure VMM [17]. Like alternative bootable media, secure VMMs gain control of the system before the operating system boots. Running a secure VMM does not by itself stop a VMBR, as a VMBR can still insert itself between the VMM and the operating system. However, a secure VMM does retain control over the system as it runs and could easily add a check to stop a VMBR from modifying the boot sequence above the secure VMM. …

There are several reasons why traditional techniques (e.g., having the target system scan memory or disk) may not be able to detect a VMBR. First, the target system is confined to its virtual machine. Since the VMBR stores its state outside that virtual machine, the target system will see no suspicious changes in its own state. Second, even if the target system did see something amiss, the VMBR could tamper with the execution of the detector and force it to report incorrect results. …

A fundamental perturbation of the VMBR is that it uses machine resources such as CPU time, memory and disk space, and possibly network bandwidth. A VMBR adds CPU overhead to trap and emulate privileged instructions, as well as to run any malicious services. …

In addition to CPU overhead, a VMBR uses memory and disk space. A detector can detect this overhead by running a program that requires the entire machine’s memory or disk space. A VMBR can hide its space overhead in several ways. It can hide its memory overhead by mapping target pages with the same contents to the same physical page [47] or by paging some data to disk. While this extra paging activity may increase the running time of the program, the memory overhead of VMware was too small to measure in our tests. A VMBR can hide its disk overhead by compressing a portion of the disk, sharing disk blocks with the same contents, or pretending that the disk space it uses have bad sectors. …

Another type of perturbation is caused by the variety of I/O devices on the computer. Recall that a VMM typically virtualizes all I/O devices. However, virtualizing the I/O device without changing the target’s view of the device requires one to understand the interface and semantics of each device. This is a formidable task, given the wide variety of I/O devices present on today’s computing platforms. Instead, current VMMs emulate a small number of virtual devices (often with customized interfaces to improve performance [1, 34]). The target OS must then use the drivers for the emulated virtual devices. …

A final source of perturbations are caused by the imperfect virtualization of today’s x86 processors. Sensitive, non-privileged instructions like sidt leak information about the VMM yet do not trap to the VMM [31, 37]. …

We expect future enhancements to the x86 platform to reduce these perturbations. Upcoming virtualization support from Intel [45] and AMD [7] will enable more efficient virtualization. These enhancements eliminate sensitive, non-privileged instructions so they cannot be used from the CPU’s user-mode to detect the presence of a VMM. These enhancements may also accelerate transitions to and from the VMM, and this may reduce the need to run specialized guest drivers. …

However, VMBRs have a number of disadvantages compared to traditional forms of malware. When compared to traditional forms of malware, VMBRs tend to have more state, be more difficult to install, require a reboot before they can run, and have more of an impact on the overall system. Although VMBRs do offer greater control over the compromised system, the cost of this higher level of control may not be justified for all malicious applications.

Search for “high score” told them who stole the PC

From Robert Alberti’s “more on Supposedly Destroyed Hard Drive Purchased In Chicago” (Interesting People mailing list: 3 June 2006):

It would be interesting to analyze that drive to see if anyone else was using it during the period between when it went to Best Buy, and when it turned up at the garage sale. We once discovered who stole, and then returned, a Macintosh from a department at the University of Minnesota with its drive erased. We did a hex search of the drive surface for the words “high score”. There was the name of the thief, one of the janitors, who confessed when presented with evidence.

Google’s number tricks

From “Fuzzy maths” (The Economist: 11 May 2006):

MATHEMATICALLY confident drivers stuck in the usual jam on highway 101 through Silicon Valley were recently able to pass time contemplating a billboard that read: “{first 10-digit prime found in consecutive digits of e}.com.” The number in question, 7427466391, is a sequence that starts at the 101st digit of e, a constant that is the base of the natural logarithm. The select few who worked this out and made it to the right website then encountered a “harder” riddle. Solving it led to another web page where they were finally invited to submit their curriculum vitae.

If a billboard can capture the soul of a company, this one did, because the anonymous advertiser was Google, whose main product is the world’s most popular internet search engine. With its presumptuous humour, its mathematical obsessions, its easy, arrogant belief that it is the natural home for geniuses, the billboard spoke of a company that thinks it has taken its rightful place as the leader of the technology industry, a position occupied for the past 15 years by Microsoft. …

To outsiders, however, googley-ness often implies audacious ambition, a missionary calling to improve the world and the equation of nerdiness with virtue.

The main symptom of this, prominently displayed on the billboard, is a deification of mathematics. Google constantly leaves numerical puns and riddles for those who care to look in the right places. When it filed the regulatory documents for its stockmarket listing in 2004, it said that it planned to raise $2,718,281,828, which is $e billion to the nearest dollar. A year later, it filed again to sell another batch of shares – precisely 14,159,265, which represents the first eight digits after the decimal in the number pi (3.14159265). …

iSee: online map of CCTVs in Manhattan

From Patrick Keefe’s “Camera Shy” (Legal Affairs: July/August 2003):

One extralegal solution is a project called iSee. Launched several years ago, iSee is an online interactive map of the locations of surveillance cameras in Manhattan. To use iSee, you simply open the map of Manhattan and double-click on your point of departure and your destination. After a few moments of computation, iSee generates the “path of least surveillance.”

iSee can be accessed through the website of the organization which created it, the so-called Institute of Applied Autonomy. IAA is a collective of artists, engineers, and scientists who design technologies for the “burgeoning market” of “cultural insurrection.” The organization presents itself as a tech-savvy civil libertarian answer to the Defense Advanced Research Projects Agency, a shadowy R&D wing of the Pentagon. DARPA has recently been in the news for developing the Terrorist Information Awareness project, headed by John Poindexter, which would monitor the everyday transactions of American citizens. Whereas DARPA uses what IAA calls “tools of repression” to take your autonomy away, IAA answers with another set of tools that are intended to give you your autonomy back. …

The history of the Poison Pill

From Len Costa “The Perfect Pill” (Legal Affairs: March/April 2005):

THE MODERN HISTORY OF MERGERS AND ACQUISITIONS divides neatly into two eras marked by a landmark ruling of the Delaware Supreme Court in 1985. Before then, financiers like T. Boone Pickens and Carl Icahn regularly struck terror in the hearts of corporate boards. If these dealmakers wanted to take over a company in a hostile maneuver, break it into pieces, and then spin those pieces off for a profit, it was difficult to stop them. But after a decision by the Delaware court, directors regained control of their companies’ destinies.

The directors’ trump card is a controversial innovation technically called a preferred share purchase rights plan but nicknamed the “poison pill.” Its legality was affirmed unequivocally for the first time in the Delaware ruling of Moran v. Household International. By the unanimous vote of a three-judge panel, the court held that a company could threaten to flood the market with newly issued shares if a hostile suitor started buying up lots of its stock, thus diluting the suitor’s existing holdings and rendering the acquisition prohibitively expensive. …

Still, both sides agree that the poison pill is an ingenious creation. “As a matter of lawyering, it’s absolutely brilliant,” said Stanford University law professor Ronald Gilson, a longstanding critic who nonetheless considers the poison pill to be the most significant piece of corporate legal artistry in the 20th century. …

If a hostile bidder acquires more than a preset share of the target company’s stock, typically 10 to 15 percent, all shareholders-except, crucially, the hostile bidder-can exercise a right to purchase additional stock at a 50 percent discount, thus massively diluting the suitor’s equity stake in the takeover target.

Even worse spam is coming

From Spam Daily News’s “Spam zombies from outer space“:

Spammers could soon use zombie computers in a totally new way. Infected computers could run programs that spy into a person’s email, mine it for information, and generate realistic-looking replies.

John Aycock, an assistant professor of computer science at the University of Calgary, and his student Nathan Friess conducted new research that shows it is possible to create a new type of spam that would likely bypass even the best spam filters and trick experienced computer users who would normally delete suspicious email messages.

There are two key reasons why spam is suspicious to anti-spam filters and human targets alike. First, it often comes from an unrecognized source. Second, it doesn’t look right.

The evolution of spam zombies will change this. These new zombies will mine corpora of email they find on infected machines, using this data to automatically forge and send improved, convincing spam to others.

The next generation of spam could be sent from your friends’ and colleagues’ email addresses – and even mimic patterns that mark their messages as their own (such as common abbreviations, misspellings, capitalization, and personal signatures) – making you more likely to click on a Web link or open an attachment.

What features can be easily extracted from an email corpus? There are four categories:

1. Email addresses. The victim’s email address and any other email aliases they have can be extracted, as can the email addresses of people with whom the victim corresponds.

2. Information related to the victim’s email program and its configuration. For example, the User-Agent, the message encoding as text and/or HTML, automatically-appended signature file, the quoting style used for replies and forwarded messages, etc.

3. Vocabulary. The normal vocabulary used by the victim and the people with whom they correspond.

4. Email style.

  • Line length, as some people never break lines;
  • Capitalization, or lack thereof;
  • Manually-added signatures, often the victim’s name;
  • Abbreviations, e.g., “u” for “you”;
  • Misspellings and typos;
  • Inappropriate synonyms, e.g., “there” instead of “their”;
  • Replying above or below quoted text in replies.

3000 ravers, dancing in silence

From The Sydney Morning Herald‘s’ “Clubbers to get into the silent groove“:

For those seeking tranquillity at Glastonbury Festival, a dance tent packed with clubbers is not an obvious sanctuary. But this will be the silent disco – 3000 festivalgoers are to be issued with headphones this year so they can turn up the volume without waking the neighbours.

The quietest party in town is a response to the problem of noise pollution at the festival, which has traditionally led the district council to issue a licence on the condition that the festival’s main stages and tents shut down on the stroke of midnight.

This year, the council is to grant a late licence for the new dance area on the condition that thumping beats and pounding basslines are put to bed at 12. But, thanks to Glastonbury technicians, clubbers won’t have to. For one night only, they will be given wireless headphones, so they don’t trip up when dancing to whatever record the DJ plays.

“I like the idea of people dancing in total silence,” said Emily Eavis, one of the festival organisers and daughter of the founder Michael Eavis. “Imagine if you were feeling a bit worse for wear and thought, ‘This would be a nice quiet place to sit down’.

“You would be completely freaked out to see 3000 people dancing in silence. It’s certainly quirky, but our big push this year is keeping the noise down because that’s what the council is keen on.”

Projecting a murdered woman’s image on a building

From BBC News’ “Police go big with victim picture“:

Murdered Prostitute A 60ft high picture of a murdered prostitute has been projected onto a derelict block of flats in Glasgow.

Detectives hope it will help to turn up clues about the death of Emma Caldwell, whose body was found in woods in South Lanarkshire on 8 May.

The image was displayed for four hours on the multi-storey flats in Cumberland Street, Hutchesontown on Monday night.

Police said the site had been chosen as it was visible across areas frequented by Emma and other prostitutes.

Israeli car theft scam

From Bruce Schneier’s “Automobile Identity Theft“:

This scam was uncovered in Israel:

1. Thief rents a car.

2. An identical car, legitimately owned, is found and its “identity” stolen.

3. The stolen identity is applied to the rented car and is then offered for sale in a newspaper ad.

4. Innocent buyer purchases the car from the thief as a regular private party sale.

5. After a few days the thief steals the car back from the buyer and returns it to the rental shop.

What ended up happening is that the “new” owners claimed compensation for the theft and most of the damage was absorbed by the insurers.

The Sumitomo Mitsuibank bank heist

From Richard Stiennon’s “Lessons Learned from Biggest Bank Heist in History“:

Last year’s news that thieves had managed to break in to Sumitomo Mitsui Bank’s branch in London and attempt to transfer almost $440 million to accounts in other countries should give CIO’s cause for concern. …

First a recap. Last year it came to light that U.K. authorities had put the kibosh on what would have been the largest bank heist in history.

The story is still developing but this is what we know: Thieves masquerading as cleaning staff with the help of a security guard installed hardware keystroke loggers on computers within the London branch of Sumitomo Mitsui, a huge Japanese bank.

These computers evidently belonged to help desk personnel. The keystroke loggers captured everything typed into the computer including, of course, administrative passwords for remote access.

By installing software keystroke loggers on the PCs that belonged to the bank personnel responsible for wire transfers over the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network, the thieves captured credentials that were then used to transfer 220 million pounds (call it half-a-billion dollars).

Luckily the police were involved by that time and were able to stymie the attack.

From Richard Stiennon’s “Super-Glue: Best practice for countering key stroke loggers“:

… it is reported that Sumitomo Bank’s best practice for avoiding a repeat attack is that they now super-glue the keyboard connections into the backs of their PCs.

The diamond scam

From The Atlantic‘s “Have You Ever Tried to Sell a Diamond?” (February 1982):

The diamond invention – the creation of the idea that diamonds are rare and valuable, and are essential signs of esteem – is a relatively recent development in the history of the diamond trade. Until the late nineteenth century, diamonds were found only in a few riverbeds in India and in the jungles of Brazil, and the entire world production of gem diamonds amounted to a few pounds a year. In 1870, however, huge diamond mines were discovered near the Orange River, in South Africa, where diamonds were soon being scooped out by the ton. Suddenly, the market was deluged with diamonds. …

The major investors in the diamond mines realized that they had no alternative but to merge their interests into a single entity that would be powerful enough to control production and perpetuate the illusion of scarcity of diamonds. The instrument they created, in 1888, was called De Beers Consolidated Mines, Ltd., incorporated in South Africa. As De Beers took control of all aspects of the world diamond trade, it assumed many forms. In London, it operated under the innocuous name of the Diamond Trading Company. In Israel, it was known as “The Syndicate.” In Europe, it was called the “C.S.O.” — initials referring to the Central Selling Organization, which was an arm of the Diamond Trading Company. And in black Africa, it disguised its South African origins under subsidiaries with names like Diamond Development Corporation and Mining Services, Inc. At its height — for most of this century — it not only either directly owned or controlled all the diamond mines in southern Africa but also owned diamond trading companies in England, Portugal, Israel, Belgium, Holland, and Switzerland.

De Beers proved to be the most successful cartel arrangement in the annals of modern commerce. While other commodities, such as gold, silver, copper, rubber, and grains, fluctuated wildly in response to economic conditions, diamonds have continued, with few exceptions, to advance upward in price every year since the Depression. …

The diamond invention is far more than a monopoly for fixing diamond prices; it is a mechanism for converting tiny crystals of carbon into universally recognized tokens of wealth, power, and romance. To achieve this goal, De Beers had to control demand as well as supply. Both women and men had to be made to perceive diamonds not as marketable precious stones but as an inseparable part of courtship and married life. To stabilize the market, De Beers had to endow these stones with a sentiment that would inhibit the public from ever reselling them. The illusion had to be created that diamonds were forever — “forever” in the sense that they should never be resold.

In September of 1938, Harry Oppenheimer, son of the founder of De Beers and then twenty-nine, traveled from Johannesburg to New York City, to meet with Gerold M. Lauck, the president of N. W. Ayer, a leading advertising agency in the United States. …

In Europe, where diamond prices had collapsed during the Depression, there seemed little possibility of restoring public confidence in diamonds. … This left the United States as the only real market for De Beers’s diamonds. In fact, in 1938 some three quarters of all the cartel’s diamonds were sold for engagement rings in the United States. Most of these stones, however, were smaller and of poorer quality than those bought in Europe, and had an average price of $80 apiece. Oppenheimer and the bankers believed that an advertising campaign could persuade Americans to buy more expensive diamonds. …

Specifically, the Ayer study stressed the need to strengthen the association in the public’s mind of diamonds with romance. Since “young men buy over 90% of all engagement rings” it would be crucial to inculcate in them the idea that diamonds were a gift of love: the larger and finer the diamond, the greater the expression of love. Similarly, young women had to be encouraged to view diamonds as an integral part of any romantic courtship.

Since the Ayer plan to romanticize diamonds required subtly altering the public’s picture of the way a man courts — and wins — a woman, the advertising agency strongly suggested exploiting the relatively new medium of motion pictures. Movie idols, the paragons of romance for the mass audience, would be given diamonds to use as their symbols of indestructible love. In addition, the agency suggested offering stories and society photographs to selected magazines and newspapers which would reinforce the link between diamonds and romance. Stories would stress the size of diamonds that celebrities presented to their loved ones, and photographs would conspicuously show the glittering stone on the hand of a well-known woman. Fashion designers would talk on radio programs about the “trend towards diamonds” that Ayer planned to start. …

In addition to putting these plans into action, N. W. Ayer placed a series of lush four-color advertisements in magazines that were presumed to mold elite opinion, featuring reproductions of famous paintings by such artists as Picasso, Derain, Dali, and Dufy. The advertisements were intended to convey the idea that diamonds, like paintings, were unique works of art.

By 1941, The advertising agency reported to its client that it had already achieved impressive results in its campaign. The sale of diamonds had increased by 55 percent in the United States since 1938, reversing the previous downward trend in retail sales. N. W. Ayer noted also that its campaign had required “the conception of a new form of advertising which has been widely imitated ever since. There was no direct sale to be made. There was no brand name to be impressed on the public mind. There was simply an idea — the eternal emotional value surrounding the diamond.” …

N. W. Ayer outlined a subtle program that included arranging for lecturers to visit high schools across the country. “All of these lectures revolve around the diamond engagement ring, and are reaching thousands of girls in their assemblies, classes and informal meetings in our leading educational institutions,” the agency explained in a memorandum to De Beers. …

De Beers needed a slogan for diamonds that expressed both the theme of romance and legitimacy. An N. W. Ayer copywriter came up with the caption “A Diamond Is Forever,” which was scrawled on the bottom of a picture of two young lovers on a honeymoon. Even though diamonds can in fact be shattered, chipped, discolored, or incinerated to ash, the concept of eternity perfectly captured the magical qualities that the advertising agency wanted to attribute to diamonds. Within a year, “A Diamond Is Forever” became the official motto of De Beers. …

N. W. Ayer … set about exploiting the relatively new medium of television by arranging for actresses and other celebrities to wear diamonds when they appeared before the camera. …

N. W. Ayer proposed to apply to the diamond market Thorstein Veblen’s idea, stated in The Theory of the Leisure Class, that Americans were motivated in their purchases not by utility but by “conspicuous consumption.” “The substantial diamond gift can be made a more widely sought symbol of personal and family success — an expression of socio-economic achievement,” N. W. Ayer said in a report. To exploit this desire for conspicuous display, the agency specifically recommended, “Promote the diamond as one material object which can reflect, in a very personal way, a man’s … success in life.” …

Toward the end of the 1950s, N. W. Ayer reported to De Beers that twenty years of advertisements and publicity had had a pronounced effect on the American psyche. “Since 1939 an entirely new generation of young people has grown to marriageable age,” it said. “To this new generation a diamond ring is considered a necessity to engagements by virtually everyone.” …

The campaign to internationalize the diamond invention began in earnest in the mid-1960s. The prime targets were Japan, Germany, and Brazil. … Within ten years, De Beers succeeded beyond even its most optimistic expectations, creating a billion-dollar-a-year diamond market in Japan, where matrimonial custom had survived feudal revolutions, world wars, industrialization, and even the American occupation. …

When the campaign began, in 1967, not quite 5 percent of engaged Japanese women received a diamond engagement ring. By 1972, the proportion had risen to 27 percent. By 1978, half of all Japanese women who were married wore a diamond; by 1981, some 60 percent of Japanese brides wore diamonds. In a mere fourteen years, the 1,500-year Japanese tradition had been radically revised. …

The diamond market had to be further restructured in the mid-1960s to accomodate a surfeit of minute diamonds, which De Beers undertook to market for the Soviets. They had discovered diamond mines in Siberia, after intensive exploration, in the late 1950s: De Beers and its allies no longer controlled the diamond supply, and realized that open competition with the Soviets would inevitably lead, as Harry Oppenheimer gingerly put it, to “price fluctuations,”which would weaken the carefully cultivated confidence of the public in the value of diamonds. Oppenheimer, assuming that neither party could afford risking the destruction of the diamond invention, offered the Soviets a straightforward deal – “a single channel” for controlling the world supply of diamonds. In accepting this arrangement, the Soviets became partners in the cartel, and co-protectors of the diamond invention.

Almost all of the Soviet diamonds were under half a carat in their uncut form, and there was no ready retail outlet for millions of such tiny diamonds. When it made its secret deal with the Soviet Union, De Beers had expected production from the Siberian mines to decrease gradually. Instead, production accelerated at an incredible pace, and De Beers was forced to reconsider its sales strategy. De Beers ordered N. W. Ayer to reverse one of its themes: women were no longer to be led to equate the status and emotional commitment to an engagement with the sheer size of the diamond. …

DeBeers devised the “eternity ring,” made up of as many as twenty-five tiny Soviet diamonds, which could be sold to an entirely new market of older married women. The advertising campaign was based on the theme of recaptured love. Again, sentiments were born out of necessity: older American women received a ring of miniature diamonds because of the needs of a South African corporation to accommodate the Soviet Union. …

N. W. Ayer learned from an opinion poll it commissioned from the firm of Daniel Yankelovich, Inc. that the gift of a diamond contained an important element of surprise. “Approximately half of all diamond jewelry that the men have given and the women have received were given with zero participation or knowledge on the part of the woman recipient,” the study pointed out. …

Women spoke in interviews about large diamonds as “flashy, gaudy, overdone” and otherwise inappropriate. Yet the study found that “Buried in the negative attitudes … lies what is probably the primary driving force for acquiring them. Diamonds are a traditional and conspicuous signal of achievement, status and success.” It noted, for example, “A woman can easily feel that diamonds are ‘vulgar’ and still be highly enthusiastic about receiving diamond jewelry.” The element of surprise, even if it is feigned, plays the same role of accommodating dissonance in accepting a diamond gift as it does in prime sexual seductions: it permits the woman to pretend that she has not actively participated in the decision. She thus retains both her innocence – and the diamond. …

Except for those few stones that have been destroyed, every diamond that has been found and cut into a jewel still exists today and is literally in the public’s hands. Some hundred million women wear diamonds, while millions of others keep them in safe-deposit boxes or strongboxes as family heirlooms. It is conservatively estimated that the public holds more than 500 million carats of gem diamonds, which is more than fifty times the number of gem diamonds produced by the diamond cartel in any given year. Since the quantity of diamonds needed for engagement rings and other jewelry each year is satisfied by the production from the world’s mines, this half-billion-carat supply of diamonds must be prevented from ever being put on the market. The moment a significant portion of the public begins selling diamonds from this inventory, the price of diamonds cannot be sustained. For the diamond invention to survive, the public must be inhibited from ever parting with its diamonds. …

During the periods when production from the mines temporarily exceeds the consumption of diamonds – the balance is determined mainly by the number of impending marriages in the United States and Japan – the cartel can preserve the illusion of price stability by either cutting back the distribution of diamonds at its London “sights,” where, ten times a year, it allots the world’s supply of diamonds to about 300 hand-chosen dealers, called “sight-holders,” or by itself buying back diamonds at the wholesale level. …

Dave Watts summed up the magazine’s experiment by saying, “As an 8-year investment the diamonds that we bought have proved to be very poor.” The problem was that the buyer, not the seller, determined the price. …

In 1976, the Dutch Consumer Association also tried to test the price appreciation of diamonds by buying a perfect diamond of over one carat in Amsterdam, holding it for eight months, and then offering it for sale to the twenty leading dealers in Amsterdam. Nineteen refused to buy it, and the twentieth dealer offered only a fraction of the purchase price. …

Retail jewelers, especially the prestigious Fifth Avenue stores, prefer not to buy back diamonds from customers, because the offer they would make would most likely be considered ridiculously low. The “keystone,” or markup, on a diamond and its setting may range from 100 to 200 percent, depending on the policy of the store; if it bought diamonds back from customers, it would have to buy them back at wholesale prices. Most jewelers would prefer not to make a customer an offer that might be deemed insulting and also might undercut the widely held notion that diamonds go up in value. …

The firm perhaps most frequently recommended by New York jewelry shops is Empire Diamonds Corporation, which is situated on the sixty-sixth floor of the Empire State Building, in midtown Manhattan. Empire’s reception room, which resembles a doctor’s office, is usually crowded with elderly women who sit nervously in plastic chairs waiting for their names to be called. One by one, they are ushered into a small examining room, where an appraiser scrutinizes their diamonds and makes them a cash offer. “We usually can’t pay more than a maximum of 90 percent of the current wholesale price,” says Jack Brod, president of Empire Diamonds. … For example, Brod estimates that a half-carat diamond ring, which might cost $2,000 at a retail jewelry store, could be sold for only $600 at Empire. …

He points out that the setting frequently conceals flaws, and adds, “The sort of flawless, investment-grade diamond one reads about is almost never found in jewelry.” …

When thieves bring diamonds to underworld “fences,” they usually get only a pittance for them. In 1979, for example, New York City police recover stolen diamonds with an insured value of $50,000 which had been sold to a ‘fence’ for only $200. …

While those who attempt to sell diamonds often experience disappointment at the low price they are offered, stories in gossip columns suggest that diamonds are resold at enormous profits. This is because the column items are not about the typical diamond ring that a woman desperately attempts to peddle to small stores and diamond buying services like Empire but about truly extraordinary diamonds that movie stars sell, or claim to sell, in a publicity-charged atmosphere. …

… the “pipeline” through which De Beers’s diamonds flow from the cutting centers in Europe to the main retail markets in America and Japan. This pipeline, a crucial component of the diamond invention, is made up of a network of brokers, diamond cutters, bankers, distributors, jewelry manufacturers, wholesalers, and diamond buyers for retail establishments. Most of the people in this pipeline are Jewish, and virtually all are closely interconnected, through family ties or long-standing business relationships. …

The most serious threat to De Beers is yet another source of diamonds that it does not control – a source so far untapped. Since Cecil Rhodes and the group of European bankers assembled the components of the diamond invention at the end of the nineteenth century, managers of the diamond cartel have shared a common nightmare – that a giant new source of diamonds would be discovered outside their purview. … In the late 1970s, vast deposits of diamonds were discovered in the Argyle region of Western Australia, near the town of Kimberley (coincidentally named after Kimberley, South Africa). Test drillings last year indicated that these pipe mines could produce up to 50 million carats of diamonds a year – more than the entire production of the De Beers cartel in 1981. …

Word of the day: cunctative

Cunctative: Cunc’ta*tive, a. Slow; tardy; dilatory; causing delay.
Cunctator: Cunc*ta’tor, n. [L., lit., a delayer; — applied as a surname to Q. Fabius Maximus.] One who delays or lingers.

From Wikipedia’s “Fabius Maximus“:

Quintus Fabius Maximus Verrucosus (c. 275 BC-203 BC), called Cunctator (the Delayer), was a Roman politician and soldier, born in Rome around 275 BC and died in Rome in 203 BC. He was consul five times (233 BC, 228 BC, 215 BC, 214 BC and 208 BC) and was twice dictator, 221?–219 BC, and 217 BC. His nickname Cunctator (akin to the English noun cunctation) means “delayer” in Latin, and refers to his tactics in deploying the troops during the Second Punic War. His cognomen Verrucosus means warty, a reference to the wart above his upper lip. …

Fabius was well aware of the military superiority of the Carthaginians, and when Hannibal invaded Italy he refused to meet him in a pitched battle. Instead he kept his troops close to Hannibal, hoping to exhaust him in a long war of attrition. Fabius was able to harass the Carthaginian foraging parties, limiting Hannibal’s ability to wreak destruction while conserving his own military force.

The Romans were unimpressed with this defensive strategy and at first gave Fabius his nickname as an insult. The strategy was in part ruined because of a lack of unity in the command of the Roman army: Fabius’ magister equitum, Minucius, was a political enemy of Fabius. … Minucius had been named a co-commander of the Roman forces by Fabius’ detractors in the Senate. Minucius openly claimed that Fabius was cowardly because he failed to confront the Carthaginian forces. Near the present-day town of Larino in the Molise (then called Larinum), Hannibal had taken up position in a town called Gerione. In the valley between Larino and Gerione, Minucius decided to make a broad frontal attack on Hannibal’s troops. Several thousand men were involved on either side. It appeared that the Roman troops were winning but Hannibal had set a trap. Soon the Roman troops were being slaughtered. Fabius, despite Minucius’ earlier arrogance, rushed to his co-commander’s assistance and Hannibal’s forces immediately retreated. After the battle there was some feeling that there would be conflict between Minucius and Fabius. However, the younger soldier marched his men to Fabius’ encampment and he is reported to have said, “My father gave me life. Today you saved my life. You are my second father. I recognize your superior abilities as a commander.”

At the end of Fabius’ dictatorship, the command was given back to the consuls Gnaeus Servilius Geminus and Marcus Atilius Regulus. In the following year, the new consuls Paullus and Varro were defeated at the battle of Cannae, and the wisdom of Fabius’ tactic was understood. Thus Cunctator became an honorific title. This tactic was followed for the rest of the war, as long as Hannibal remained in Italy.

… Later, he became a legendary figure and the model of a tough, courageous Roman. According to Ennius, unus homo nobis cunctando restituit rem – “one man, by delaying, restored the state to us.” While Hannibal is mentioned in the company of history’s greatest generals, military professionals have bestowed Fabius’ name on an entire strategic doctrine known as “Fabian strategy.”

Russian anti-tank dogs

From Damn Interesting’s “Let Slip the Dogs of War“:

Nary does a modern movie depict the way the Romans used mastiffs with razored collars in battle, nor the fully armored Death Hounds … that the medieval knights would loose on a field to snap at the legs of opponents and dispatch the wounded that littered the ground. In fact, dogs have fought alongside their masters through most of history. At the eve of World War II, the Soviets had a fully operational four-legged fighter division, and a dog with a bomb is a potent foe.

The Soviets were unable to address the looming tank problem with any new technologies right away, thus they were forced to contemplate tackling the issue with the means at hand. Landmines were a viable option, but because one couldn’t count on the Nazis seeking out the mines, they had to figure a way to make the mines seek the tanks.

The answer laid in the dog division. The trainers would starve the dogs, then train them to find food under a tank. The dogs quickly learned that being released from their pens meant to run out to where the training tank was parked and find some vittles. Once trained, the dogs would be fitted with a bomb attached to the back, and loosed into a field of oncoming German Panzers. When the dog climbed underneath the tank – where there was no armor – the bomb would detonate and gut the enemy vehicle.

Realization of that plan was a little less successful. The dogs had been trained to look under a Soviet tank for food, and would sometimes be loosed into a battle just to turn around and find a friendly tank to climb under. Sometimes the dogs would spook at the rumble of a running diesel engine and run away from the battle. Sometimes the dogs just decided they didn’t want to go.

Despite the problems, the Anti-tank dogs were successful at disabling a reported 300 Nazi tanks. It was enough of a problem to the Nazi advance that the Germans were compelled to attempt measures at stopping them. The top mounted machine gun proved ineffective due to the relatively small size of the attackers, the fact that there were low to the ground and hard to spot, and that dogs just don’t want to die when they think they’re close to food. … Eventually the Germans began using flame-throwers on the tanks to ward the dogs away, and they were much more successful at dissuading the attacks – but some dogs would stop for neither fear of the fire nor actually being burned.

However, in 1942 one use of the Anti-tank dogs went seriously awry when a large contingent of anti-tank dogs ran amok, thus endangered everyone in the battle and forced the retreat of the entire Soviet division. Soon afterward the Anti-tank dogs were pulled from service.

Phishing by altering the bank’s server

From Computerworld‘s “Florida banks hacked in new spoofing attack“:

Three Florida banks have had their Web sites compromised by hackers in an attack that security experts are calling the first of its type.

Earlier this month, attackers were able to hack servers run by the Internet service provider that hosted the three banks’ Web sites. They then redirected traffic from the legitimate Web sites to a bogus server, designed to resemble the banking sites, according to Bob Breeden, special agent supervisor with the Florida Department of Law Enforcement’s Computer Crime Center.

Users were then asked to enter credit card numbers, PINs and other types of sensitive information, he said.

According to Breeden, the affected banks are Premier Bank, Wakulla Bank and Capital City Bank, all small, regional banks based in Florida.

This attack was similar to phishing attacks that are commonly used against online commerce sites, but in this case hackers had actually made changes to legitimate Web sites, making the scam much harder for regular users to detect.

… Though Breeden said the scam was operational for only “a matter of hours” and probably affected fewer than 20 banking customers, the technique appeared to be very effective at extracting sensitive information.