email

How an email account without passwords can be good for security

From Robert X. Cringely’s “Stream On“:

Mailinator is ad hoc e-mail for those times when just maybe you don’t want to use your regular e-mail address. Say you are snitching on the boss, buying inflatable people, or want 32 different PayPal accounts. Just tell someone—anyone—that your e-mail address is fatman@mailinator.com or skinnykid@mailinator.com, or clueless@mailinator.com or any other address you like at mailinator.com. But this is no dead-end. When people write to you at that address the message will go through. That’s because Mailinator accepts any message going to that domain and automatically assigns an e-mail account to it. But what about passwords? There are none. Anyone can go to Mailinator and check the mail for clueless or any other name. But with so many names and the idea that Mailinator is only for occasional use, who cares?

How an email account without passwords can be good for security Read More »

The email dead drop

From the L.A. Times‘ “Cyberspace Gives Al Qaeda Refuge“:

Simplicity seems to work best. One common method of communicating over the Internet is essentially an e-mail version of the classic dead drop.

Members of a cell are all given the same prearranged username and password for an e-mail account on an Internet service provider, or ISP, such as Hotmail or Yahoo, according to the recent joint report by the Treasury and Justice departments.

One member writes a message, but instead of sending it, he puts it in the ‘draft’ file and then logs off. Someone else can then sign onto the account using the same username and password, read the draft and then delete it.

‘Because the draft was never sent, the ISP does not retain a copy of it and there is no record of it traversing the Internet—it never went anywhere, its recipients came to it,’ the report said.

The email dead drop Read More »

SMS gateways you can use to get around high texting charges

Tired of high SMS charges? Use these SMS gateways, which translate emails & IMs into SMS text messages … for free (well, to the sender, anyway – the recipient still has to pay). And when recipients reply, those replies come back to the sender in the same format; in other words, you email someone, they receive a text, they reply, & you get it back as an email.

One more caveat: you obviously have to know which carrier people are using in order to send them a text message, so ask.

Sprint: phone#@messaging.sprintpcs.com

Verizon: phone#@vtext.com

T-Mobile: phone#@tmomail.com

AT&T: phone#@txt.att.net

AIM: +1phone#

The information here came from “The Great Text Rip-Off”, originally printed in the June 2009 issue of Popular Mechanics.

SMS gateways you can use to get around high texting charges Read More »

A fix for Apple Mail’s inability to search Entire Message

Spotlight
Creative Commons License photo credit: Ti.mo

When using Apple Mail, you should be able to search for a term in From, To, Subject, & Entire Message. However, today I could no longer search Entire Message. It was grayed out & completely unavailable.

I found interesting info on the following pages, with the last being the most helpful:

  • http://discussions.apple.com/message.jspa?messageID=6653445#6653445
  • http://www.bronzefinger.com/archives/2006/04/apple_mail_sear.html
  • http://discussions.apple.com/message.jspa?messageID=5934412#5934412
  • http://forums.macworld.com/message/425508
  • http://www.macosxhints.com/article.php?story=20080201111317585

I closed Mail and tried this, which re-indexes the entire hard drive in Spotlight:

sudo mdutil -E /

But it did nothing. Then I did this, which re-indexes just the Mail folders in Spotlight:

mdimport ~/Library/Mail

That fixed it.

A fix for Apple Mail’s inability to search Entire Message Read More »

Microsoft Exchange is expensive

From Joel Snyder’s “Exchange: Should I stay or should I go?” (Network World: 9 March 2009):

There are many ways to buy Exchange, depending on how many users you need, but the short answer is that none of them cost less than about $75 per user and can run up to $140 per user for the bundles that include Exchange and Windows Server and user licenses for both of those as well as Forefront, Microsoft’s antispam/antivirus service. …

If you really want to make a case for cost, you could also claim that Exchange requires a $90 Outlook license for each user, a Windows XP or Vista license for each user, and more expensive hardware than a similar open source platform might require.

Microsoft Exchange is expensive Read More »

Reasons Windows has a poor security architecture

From Daniel Eran Dilger’s “The Unavoidable Malware Myth: Why Apple Won’t Inherit Microsoft’s Malware Crown” (AppleInsider: 1 April 2008):

Thanks to its extensive use of battle-hardened Unix and open source software, Mac OS X also has always had security precautions in place that Windows lacked. It has also not shared the architectural weaknesses of Windows that have made that platform so easy to exploit and so difficult to clean up afterward, including:

  • the Windows Registry and the convoluted software installation mess related to it,
  • the Windows NT/2000/XP Interactive Services flaw opening up shatter attacks,
  • a wide open, legacy network architecture that left unnecessary, unsecured ports exposed by default,
  • poorly designed network sharing protocols that failed to account for adequate security measures,
  • poorly designed administrative messaging protocols that failed to account for adequate security,
  • poorly designed email clients that gave untrusted scripts access to spam one’s own contacts unwittingly,
  • an integrated web browser architecture that opened untrusted executables by design, and many others.

Reasons Windows has a poor security architecture Read More »

The importance of network effects to social software

From danah boyd’s “Social Media is Here to Stay… Now What?” at the Microsoft Research Tech Fest, Redmond, Washington (danah: 26 February 2009):

Many who build technology think that a technology’s feature set is the key to its adoption and popularity. With social media, this is often not the case. There are triggers that drive early adopters to a site, but the single most important factor in determining whether or not a person will adopt one of these sites is whether or not it is the place where their friends hangout. In each of these cases, network effects played a significant role in the spread and adoption of the site.

The uptake of social media is quite different than the uptake of non-social technologies. For the most part, you don’t need your friends to use Word to find the tool useful. You do need your friends to use email for it to be useful, but, thanks to properties of that medium, you don’t need them to be using Outlook or Hotmail to write to them. Many of the new genres of social media are walled gardens, requiring your friends to use that exact site to be valuable. This has its advantages for the companies who build it – that’s the whole attitude behind lock-in. But it also has its costs. Consider for example the fact that working class and upper class kids can’t talk to one another if they are on different SNSs.

Friendster didn’t understand network effects. In kicking off users who weren’t conforming to their standards, they pissed off more than those users; they pissed off those users’ friends who were left with little purpose to use the site. The popularity of Friendster unraveled as fast as it picked up, but the company never realized what hit them. All of their metrics were based on number of users. While only a few users deleted their accounts, the impact of those lost accounts was huge. The friends of those who departed slowly stopped using the site. At first, they went from logging in every hour to logging in every day, never affecting the metrics. But as nothing new came in and as the collective interest waned, their attention went elsewhere. Today, Friendster is succeeding because of its popularity in other countries, but in the US, it’s a graveyard of hipsters stuck in 2003.

The importance of network effects to social software Read More »

Defining social media, social software, & Web 2.0

From danah boyd’s “Social Media is Here to Stay… Now What?” at the Microsoft Research Tech Fest, Redmond, Washington (danah: 26 February 2009):

Social media is the latest buzzword in a long line of buzzwords. It is often used to describe the collection of software that enables individuals and communities to gather, communicate, share, and in some cases collaborate or play. In tech circles, social media has replaced the earlier fave “social software.” Academics still tend to prefer terms like “computer-mediated communication” or “computer-supported cooperative work” to describe the practices that emerge from these tools and the old skool academics might even categorize these tools as “groupwork” tools. Social media is driven by another buzzword: “user-generated content” or content that is contributed by participants rather than editors.

… These tools are part of a broader notion of “Web2.0.” Yet-another-buzzword, Web2.0 means different things to different people.

For the technology crowd, Web2.0 was about a shift in development and deployment. Rather than producing a product, testing it, and shipping it to be consumed by an audience that was disconnected from the developer, Web2.0 was about the perpetual beta. This concept makes all of us giggle, but what this means is that, for technologists, Web2.0 was about constantly iterating the technology as people interacted with it and learning from what they were doing. To make this happen, we saw the rise of technologies that supported real-time interactions, user-generated content, remixing and mashups, APIs and open-source software that allowed mass collaboration in the development cycle. …

For the business crowd, Web2.0 can be understood as hope. Web2.0 emerged out of the ashes of the fallen tech bubble and bust. Scars ran deep throughout Silicon Valley and venture capitalists and entrepreneurs wanted to party like it was 1999. Web2.0 brought energy to this forlorn crowd. At first they were skeptical, but slowly they bought in. As a result, we’ve seen a resurgence of startups, venture capitalists, and conferences. At this point, Web2.0 is sometimes referred to as Bubble2.0, but there’s something to say about “hope” even when the VCs start co-opting that term because they want four more years.

For users, Web2.0 was all about reorganizing web-based practices around Friends. For many users, direct communication tools like email and IM were used to communicate with one’s closest and dearest while online communities were tools for connecting with strangers around shared interests. Web2.0 reworked all of that by allowing users to connect in new ways. While many of the tools may have been designed to help people find others, what Web2.0 showed was that people really wanted a way to connect with those that they already knew in new ways. Even tools like MySpace and Facebook which are typically labeled social networkING sites were never really about networking for most users. They were about socializing inside of pre-existing networks.

Defining social media, social software, & Web 2.0 Read More »

Why cons work on us

From Damien Carrick’s interview with Nicholas Johnson, “The psychology of conmen” (The Law Report: 30 September 2008):

Nicholas Johnson: I think what I love most about con artists and the world of scammers is that they’re criminals who manage to get their victims to hand over their possessions freely. Most thieves and robbers and the like, tend to use force, or deception, in order for them to take things, whereas a con artist manages to get their victim to freely give up their stuff.

The main thing that really makes people susceptible to con artists is the idea that we’re going to get something for nothing. So it really buys into our greed; it buys into sometimes our lust, and at the same time, sometimes even our sense that we’re going to do something good, so we’re going to get a great feeling from helping someone out, we’re going to make some money, we’re going to meet a beautiful girl—it really ties into our basest desires, and that’s what the con artist relies on.

Most con artists rely on this idea that the victim is in control. The victim is the one who is controlling the situation. So a great example of that is the classic Nigerian email scam, the person who writes to you and says, ‘I’ve got this money that I need to get out of the country, and I need your help.’ So you’re in control, you can help them, you can do a good deed, you can make some money, you’ve got this fantastic opportunity, and the con artist needs your help. It’s not the con artist doing you a favour. So really, you feel like you’re the one who’s controlling the situation when really it’s the con artist who knows the real deal.

I think for a lot of con artists they’re very proud of their work, and they like people to know exactly what they’ve gotten away with.

… for many of [the conmen], they really feel like even if they get caught, or even if they don’t get away with it, they feel like they’re giving their victim a good story, you know, something to dine out over, something to discuss down at the pub. They think that’s OK, you can scam somebody out of a couple of hundred bucks, because they’re getting a good story in return.

My all-time favourite one only makes the con artist a few dollars every time he does it, but I absolutely love it. These guys used to go door-to-door in the 1970s selling lightbulbs and they would offer to replace every single lightbulb in your house, so all your old lightbulbs would be replaced with a brand new lightbulb, and it would cost you, say $5, so a fraction of the cost of what new lightbulbs would cost. So the man comes in, he replaces each lightbulb, every single one in the house, and does it, you can check, and they all work, and then he takes all the lightbulbs that he’s just taken from the person’s house, goes next door and then sells them the same lightbulbs again. So it’s really just moving lightbulbs from one house to another and charging people a fee to do it.

But there’s all sorts of those homemaker scams, people offering to seal your roof so they say, ‘We’ll put a fresh coat of tar on your roof’, or ‘We’ll re-seal your driveway’. In actual fact all they do is get old black sump oil and smooth it over the roof or smooth it over the driveway. You come home and it looks like wet tar, and so ‘Don’t step on it for 24 hours’, and of course 24 hours later they’re long gone with the money, and you’re left with a sticky, smelly driveway.

Why cons work on us Read More »

The future of security

From Bruce Schneier’s “Security in Ten Years” (Crypto-Gram: 15 December 2007):

Bruce Schneier: … The nature of the attacks will be different: the targets, tactics and results. Security is both a trade-off and an arms race, a balance between attacker and defender, and changes in technology upset that balance. Technology might make one particular tactic more effective, or one particular security technology cheaper and more ubiquitous. Or a new emergent application might become a favored target.

By 2017, people and organizations won’t be buying computers and connectivity the way they are today. The world will be dominated by telcos, large ISPs and systems integration companies, and computing will look a lot like a utility. Companies will be selling services, not products: email services, application services, entertainment services. We’re starting to see this trend today, and it’s going to take off in the next 10 years. Where this affects security is that by 2017, people and organizations won’t have a lot of control over their security. Everything will be handled at the ISPs and in the backbone. The free-wheeling days of general-use PCs will be largely over. Think of the iPhone model: You get what Apple decides to give you, and if you try to hack your phone, they can disable it remotely. We techie geeks won’t like it, but it’s the future. The Internet is all about commerce, and commerce won’t survive any other way.

Marcus Ranum: … Another trend I see getting worse is government IT know-how. At the rate outsourcing has been brain-draining the federal workforce, by 2017 there won’t be a single government employee who knows how to do anything with a computer except run PowerPoint and Web surf. Joking aside, the result is that the government’s critical infrastructure will be almost entirely managed from the outside. The strategic implications of such a shift have scared me for a long time; it amounts to a loss of control over data, resources and communications.

Bruce Schneier: … I’m reminded of the post-9/11 anti-terrorist hysteria — we’ve confused security with control, and instead of building systems for real security, we’re building systems of control. Think of ID checks everywhere, the no-fly list, warrantless eavesdropping, broad surveillance, data mining, and all the systems to check up on scuba divers, private pilots, peace activists and other groups of people. These give us negligible security, but put a whole lot of control in the government’s hands.

That’s the problem with any system that relies on control: Once you figure out how to hack the control system, you’re pretty much golden. So instead of a zillion pesky worms, by 2017 we’re going to see fewer but worse super worms that sail past our defenses.

The future of security Read More »

My new book – Google Apps Deciphered – is out!

I’m really proud to announce that my 5th book is now out & available for purchase: Google Apps Deciphered: Compute in the Cloud to Streamline Your Desktop. My other books include:

(I’ve also contributed to two others: Ubuntu Hacks: Tips & Tools for Exploring, Using, and Tuning Linux and Microsoft Vista for IT Security Professionals.)

Google Apps Deciphered is a guide to setting up Google Apps, migrating to it, customizing it, and using it to improve productivity, communications, and collaboration. I walk you through each leading component of Google Apps individually, and then show my readers exactly how to make them work together for you on the Web or by integrating them with your favorite desktop apps. I provide practical insights on Google Apps programs for email, calendaring, contacts, wikis, word processing, spreadsheets, presentations, video, and even Google’s new web browser Chrome. My aim was to collect together and present tips and tricks I’ve gained by using and setting up Google Apps for clients, family, and friends.

Here’s the table of contents:

  • 1: Choosing an Edition of Google Apps
  • 2: Setting Up Google Apps
  • 3: Migrating Email to Google Apps
  • 4: Migrating Contacts to Google Apps
  • 5: Migrating Calendars to Google Apps
  • 6: Managing Google Apps Services
  • 7: Setting Up Gmail
  • 8: Things to Know About Using Gmail
  • 9: Integrating Gmail with Other Software and Services
  • 10: Integrating Google Contacts with Other Software and Services
  • 11: Setting Up Google Calendar
  • 12: Things to Know About Using Google Calendar
  • 13: Integrating Google Calendar with Other Software and Services
  • 14: Things to Know About Using Google Docs
  • 15: Integrating Google Docs with Other Software and Services
  • 16: Setting Up Google Sites
  • 17: Things to Know About Using Google Sites
  • 18: Things to Know About Using Google Talk
  • 19: Things to Know About Using Start Page
  • 20: Things to Know About Using Message Security and Recovery
  • 21: Things to Know About Using Google Video
  • Appendix A: Backing Up Google Apps
  • Appendix B: Dealing with Multiple Accounts
  • Appendix C: Google Chrome: A Browser Built for Cloud Computing

If you want to know more about Google Apps and how to use it, then I know you’ll enjoy and learn from Google Apps Deciphered. You can read about and buy the book at Amazon (http://www.amazon.com/Google-Apps-Deciphered-Compute-Streamline/dp/0137004702) for $26.39. If you have any questions or comments, don’t hesitate to contact me at scott at granneman dot com.

My new book – Google Apps Deciphered – is out! Read More »

The various participants in phishing schemes

From Chapter 2: Botnets Overview of Craig A. Schiller’s Botnets: The Killer Web App (Syngress: 2007):

Christopher Abad provides insight into the phishing economy in an article published online by FirstMonday.org (http://www.firstmonday.org/issues/ issue10_9/abad/). The article, “The economy of phishing: A survey of the operations of the phishing market,” reveals the final phase of the phishing life cycle, called cashing. These are usually not the botherders or the phishers. The phishers are simply providers of credential goods to the cashers. Cashers buy the credential goods from the phishers, either taking a commission on the funds extracted or earned based on the quality, completeness, which financial institution it is from, and the victim’s balance in the account. A high-balance, verified, full-credential account can be purchased for up to $100. Full creden- tials means that you have the credit card number, bank and routing numbers, the expiration date, the security verification code (cvv2) on the back of the card, the ATM pin number, and the current balance. Credit card numbers for a financial institution selected by the supplier can be bought for 50 cents per account. The casher’s commission of this transaction may run as much as 70 percent. When the deal calls for commissions to be paid in cash, the vehicle of choice is Western Union.

The continuation of phishing attacks depends largely on the ability of the casher’s to convert the information into cash. The preferred method is to use the credential information to create duplicate ATM cards and use the cards to withdraw cash from ATM terminals. Not surprisingly the demand for these cards leans heavily in favor of banks that provide inadequate protections of the ATM cards. Institutions like Bank of America are almost nonexistent in the phisher marketplace due to the strong encryption (triple DES) used to protect information on its ATM cards.

The various participants in phishing schemes Read More »

My reply to those “You sent a virus to me!” emails

On Saturday 17 April 2004, I received the following email from someone I didn’t know:

> Hello,
>
> I am not sure who you are but our security detected a Netsky virus in an
> email that you sent. Whether a personal message or a spam, please make
> attention to the fact that you are spreading viruses and have your systems
> checked. Also, when a virus is detected the message does not get through so
> we have no idea who you are or the nature of your message.

My reply

I really wouldn’t bother sending these messages out, or you will find yourself with a full-time job.

Virtually every modern virus spoofs the sender of the email address of the sender. In other words, the virus scans the infected computer for email addresses, and then picks one for the TO field and one for the FROM field. Someone that has both of our email addresses on their computer is infected, and the virus chose your email address for TO and my email address for FROM. That is the extent of it. Unfortunately, we have no way to knowing who really is infected, so emailing the person who appears to have sent the email is a complete waste of your time.

Finally, I could not be infected, as I do not use Windows. I use Linux, which is impervious to the glut of viruses and worms that infect Microsoft’s poorly-coded operating system.

My reply to those “You sent a virus to me!” emails Read More »

Examples of tweaking old technologies to add social aspects

From Clay Shirky’s “Group as User: Flaming and the Design of Social Software” (Clay Shirky’s Writings About the Internet: 5 November 2004):

This possibility of adding novel social components to old tools presents an enormous opportunity. To take the most famous example, the Slashdot moderation system puts the ability to rate comments into the hands of the users themselves. The designers took the traditional bulletin board format — threaded posts, sorted by time — and added a quality filter. And instead of assuming that all users are alike, the Slashdot designers created a karma system, to allow them to discriminate in favor of users likely to rate comments in ways that would benefit the community. And, to police that system, they created a meta-moderation system, to solve the ‘Who will guard the guardians’ problem. …

Likewise, Craigslist took the mailing list, and added a handful of simple features with profound social effects. First, all of Craigslist is an enclosure, owned by Craig … Because he has a business incentive to make his list work, he and his staff remove posts if enough readers flag them as inappropriate. …

And, on the positive side, the addition of a “Nominate for ‘Best of Craigslist'” button in every email creates a social incentive for users to post amusing or engaging material. … The only reason you would nominate a post for ‘Best of’ is if you wanted other users to see it — if you were acting in a group context, in other words. …

Jonah Brucker-Cohen’s Bumplist stands out as an experiment in experimenting the social aspect of mailing lists. Bumplist, whose motto is “an email community for the determined”, is a mailing list for 6 people, which anyone can join. When the 7th user joins, the first is bumped and, if they want to be back on, must re-join, bumping the second user, ad infinitum. … However, it is a vivid illustration of the ways simple changes to well-understood software can produce radically different social effects.

You could easily imagine many such experiments. What would it take, for example, to design a mailing list that was flame-retardant? Once you stop regarding all users as isolated actors, a number of possibilities appear. You could institute induced lag, where, once a user contributed 5 posts in the space of an hour, a cumulative 10 minute delay would be added to each subsequent post. Every post would be delivered eventually, but it would retard the rapid-reply nature of flame wars, introducing a cooling off period for the most vociferous participants.

You could institute a kind of thread jail, where every post would include a ‘Worst of’ button, in the manner of Craigslist. Interminable, pointless threads (e.g. Which Operating System Is Objectively Best?) could be sent to thread jail if enough users voted them down. (Though users could obviously change subject headers and evade this restriction, the surprise, first noted by Julian Dibbell, is how often users respect negative communal judgment, even when they don’t respect the negative judgment of individuals. [ See Rape in Cyberspace — search for “aggressively antisocial vibes.”])

You could institute a ‘Get a room!’ feature, where any conversation that involved two users ping-ponging six or more posts (substitute other numbers to taste) would be automatically re-directed to a sub-list, limited to that pair. The material could still be archived, and so accessible to interested lurkers, but the conversation would continue without the attraction of an audience.

You could imagine a similar exercise, working on signal/noise ratios generally, and keying off the fact that there is always a most active poster on mailing lists, who posts much more often than even the second most active, and much much more often than the median poster. Oddly, the most active poster is often not even aware that they occupy this position (seeing ourselves as others see us is difficult in mediated spaces as well,) but making them aware of it often causes them to self-moderate. You can imagine flagging all posts by the most active poster, whoever that happened to be, or throttling the maximum number of posts by any user to some multiple of average posting tempo.

Examples of tweaking old technologies to add social aspects Read More »

Clay Shirky on flaming & how to combat it

From Clay Shirky’s “Group as User: Flaming and the Design of Social Software” (Clay Shirky’s Writings About the Internet: 5 November 2004):

Learning From Flame Wars

Mailing lists were the first widely available piece of social software. … Mailing lists were also the first widely analyzed virtual communities. …

Flame wars are not surprising; they are one of the most reliable features of mailing list practice. If you assume a piece of software is for what it does, rather than what its designer’s stated goals were, then mailing list software is, among other things, a tool for creating and sustaining heated argument. …

… although the environment in which a mailing list runs is computers, the environment in which a flame war runs is people. …

The user’s mental model of a word processor is of limited importance — if a word processor supports multiple columns, users can create multiple columns; if not, then not. The users’ mental model of social software, on the other hand, matters enormously. For example, ‘personal home pages’ and weblogs are very similar technically — both involve local editing and global hosting. The difference between them was mainly in the user’s conception of the activity. …

… The cumulative effect is to make maximizing individual flexibility a priority, even when that may produce conflict with the group goals.

Netiquette and Kill Files

The first general response to flaming was netiquette. Netiquette was a proposed set of behaviors that assumed that flaming was caused by (who else?) individual users. If you could explain to each user what was wrong with flaming, all users would stop.

This mostly didn’t work. The problem was simple — the people who didn’t know netiquette needed it most. They were also the people least likely to care about the opinion of others …

… Addressing the flamer directly works not because he realizes the error of his ways, but because it deprives him of an audience. Flaming is not just personal expression, it is a kind of performance, brought on in a social context.

… People behave differently in groups, and while momentarily engaging them one-on-one can have a calming effect, that is a change in social context, rather than some kind of personal conversion. …

Another standard answer to flaming has been the kill file, sometimes called a bozo filter, which is a list of posters whose comments you want filtered by the software before you see them. …

… And although people have continually observed (for thirty years now) that “if everyone just ignores user X, he will go away,” the logic of collective action makes that outcome almost impossible to orchestrate — it only takes a couple of people rising to bait to trigger a flame war, and the larger the group, the more difficult it is to enforce the discipline required of all members.

The Tragedy of the Conversational Commons

Briefly stated, the tragedy of the commons occurs when a group holds a resource, but each of the individual members has an incentive to overuse it. …

In the case of mailing lists (and, again, other shared conversational spaces), the commonly held resource is communal attention. The group as a whole has an incentive to keep the signal-to-noise ratio high and the conversation informative, even when contentious. Individual users, though, have an incentive to maximize expression of their point of view, as well as maximizing the amount of communal attention they receive. It is a deep curiosity of the human condition that people often find negative attention more satisfying than inattention, and the larger the group, the likelier someone is to act out to get that sort of attention.

However, proposed responses to flaming have consistently steered away from group-oriented solutions and towards personal ones. …

Weblog and Wiki Responses

… Weblogs are relatively flame-free because they provide little communal space. In economic parlance, weblogs solve the tragedy of the commons through enclosure, the subdividing and privatizing of common space. …

Like weblogs, wikis also avoid the tragedy of the commons, but they do so by going to the other extreme. Instead of everything being owned, nothing is. Whereas a mailing list has individual and inviolable posts but communal conversational space, in wikis, even the writing is communal. … it is actually easier to restore damage than cause it. …

Weblogs and wikis are proof that you can have broadly open discourse without suffering from hijacking by flamers, by creating a social structure that encourages or deflects certain behaviors.

Clay Shirky on flaming & how to combat it Read More »

What kinds of spam are effective?

From Alex Mindlin’s “Seems Somebody Is Clicking on That Spam” (The New York Times: 3 July 2006):

Spam messages promoting pornography are 280 times as effective in getting recipients to click on them as messages advertising pharmacy drugs, which are the next most effective type of spam.

The third most successful variety is spam advertising Rolex watches, 0.0075 percent of which get clicked on, according to an analysis by CipherTrust, a large manufacturer of devices that protect networks from spam and viruses.

What kinds of spam are effective? Read More »

Spammers causing problems to DNS

From Dennis Fisher’s Spammers’ New Tactic Upends DNS (eWeek: 10 January 2005):

One troublesome technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. After the mailings go out, the spammer registers the domain early the next morning.

By doing this, spammers hope to avoid stiff CAN-SPAM fines through minimal exposure and visibility with a given domain. The ruse, they hope, makes them more difficult to find and prosecute.

The scheme, however, has unintended consequences of its own. During the interval between mailing and registration, the SMTP servers on the recipients’ networks attempt Domain Name System look-ups on the nonexistent domain, causing delays and timeouts on the DNS servers and backups in SMTP message queues.

“Anti-spam systems have become heavily dependent on DNS for looking at all kinds of blacklists, looking at headers, all of that,” said Paul Judge, a well-known anti-spam expert and chief technology officer at CipherTrust Inc., a mail security vendor based in Atlanta. “I’ve seen systems that have to do as many as 30 DNS calls on each message. Even in large enterprises, it’s becoming very common to see a large spam load cripple the DNS infrastructure.”

Spammers causing problems to DNS Read More »

Even worse spam is coming

From Spam Daily News’s “Spam zombies from outer space“:

Spammers could soon use zombie computers in a totally new way. Infected computers could run programs that spy into a person’s email, mine it for information, and generate realistic-looking replies.

John Aycock, an assistant professor of computer science at the University of Calgary, and his student Nathan Friess conducted new research that shows it is possible to create a new type of spam that would likely bypass even the best spam filters and trick experienced computer users who would normally delete suspicious email messages.

There are two key reasons why spam is suspicious to anti-spam filters and human targets alike. First, it often comes from an unrecognized source. Second, it doesn’t look right.

The evolution of spam zombies will change this. These new zombies will mine corpora of email they find on infected machines, using this data to automatically forge and send improved, convincing spam to others.

The next generation of spam could be sent from your friends’ and colleagues’ email addresses – and even mimic patterns that mark their messages as their own (such as common abbreviations, misspellings, capitalization, and personal signatures) – making you more likely to click on a Web link or open an attachment.

What features can be easily extracted from an email corpus? There are four categories:

1. Email addresses. The victim’s email address and any other email aliases they have can be extracted, as can the email addresses of people with whom the victim corresponds.

2. Information related to the victim’s email program and its configuration. For example, the User-Agent, the message encoding as text and/or HTML, automatically-appended signature file, the quoting style used for replies and forwarded messages, etc.

3. Vocabulary. The normal vocabulary used by the victim and the people with whom they correspond.

4. Email style.

  • Line length, as some people never break lines;
  • Capitalization, or lack thereof;
  • Manually-added signatures, often the victim’s name;
  • Abbreviations, e.g., “u” for “you”;
  • Misspellings and typos;
  • Inappropriate synonyms, e.g., “there” instead of “their”;
  • Replying above or below quoted text in replies.

Even worse spam is coming Read More »

How terrorists use the Web

From Technology Review‘s “Terror’s Server“:

According to [Gabriel] Weimann [professor of communications at University of Haifa], the number of [terror-related] websites has leapt from only 12 in 1997 to around 4,300 today. …

These sites serve as a means to recruit members, solicit funds, and promote and spread ideology. …

The September 11 hijackers used conventional tools like chat rooms and e-mail to communicate and used the Web to gather basic information on targets, says Philip Zelikow, a historian at the University of Virginia and the former executive director of the 9/11 Commission. …

Finally, terrorists are learning that they can distribute images of atrocities with the help of the Web. … “The Internet allows a small group to publicize such horrific and gruesome acts in seconds, for very little or no cost, worldwide, to huge audiences, in the most powerful way,” says Weimann. …

How terrorists use the Web Read More »