tricks

Eavesdropping with your cell phone

From David S. Bennahum’s “Hope You Like Jamming, Too” (Slate):

…innovative industrial spies, who have several neat new tricks. These days, a boardroom Mata Hari can purchase a specially designed cell phone that will answer incoming calls while appearing to be switched off. In a business meeting, she could casually leave her phone on the table while excusing herself to go to the bathroom. Once she’s gone, she can call the phone she left behind and eavesdrop on what the other side is saying in her absence.

Eavesdropping with your cell phone Read More »

Various confidence scams, tricks, & frauds

From “List of confidence tricks” (Wikipedia: 3 July 2009):

Get-rich-quick schemes

Get-rich-quick schemes are extremely varied. For example, fake franchises, real estate “sure things”, get-rich-quick books, wealth-building seminars, self-help gurus, sure-fire inventions, useless products, chain letters, fortune tellers, quack doctors, miracle pharmaceuticals, Nigerian money scams, charms and talismans are all used to separate the mark from his money. Variations include the pyramid scheme, Ponzi scheme and Matrix sale.

Count Victor Lustig sold the “money-printing machine” which could copy $100 bills. The client, sensing huge profits, would buy the machines for a high price (usually over $30,000). Over the next twelve hours, the machine would produce just two more $100 bills, but after that it produced only blank paper, as its supply of hidden $100 bills would have become exhausted. This type of scheme is also called the “money box” scheme.

The wire game, as depicted in the movie The Sting, trades on the promise of insider knowledge to beat a gamble, stock trade or other monetary action. In the wire game, a “mob” composed of dozens of grifters simulates a “wire store”, i.e., a place where results from horse races are received by telegram and posted on a large board, while also being read aloud by an announcer. The griftee is given secret foreknowledge of the race results minutes before the race is broadcast, and is therefore able to place a sure bet at the wire store. In reality, of course, the con artists who set up the wire store are the providers of the inside information, and the mark eventually is led to place a large bet, thinking it to be a sure win. At this point, some mistake is made, which actually makes the bet a loss. …

Salting or to salt the mine are terms for a scam in which gems or gold ore are planted in a mine or on the landscape, duping the greedy mark into purchasing shares in a worthless or non-existent mining company.[2] During the Gold Rush, scammers would load shotguns with gold dust and shoot into the sides of the mine to give the appearance of a rich ore, thus “salting the mine”. …

The Spanish Prisoner scam – and its modern variant, the advance fee fraud or Nigerian scam – take advantage of the victim’s greed. The basic premise involves enlisting the mark to aid in retrieving some stolen money from its hiding place. The victim sometimes believes he can cheat the con artists out of their money, but anyone trying this has already fallen for the essential con by believing that the money is there to steal (see also Black money scam). …

Many conmen employ extra tricks to keep the victim from going to the police. A common ploy of investment scammers is to encourage a mark to use money concealed from tax authorities. The mark cannot go to the authorities without revealing that he or she has committed tax fraud. Many swindles involve a minor element of crime or some other misdeed. The mark is made to think that he or she will gain money by helping fraudsters get huge sums out of a country (the classic Nigerian scam); hence marks cannot go to the police without revealing that they planned to commit a crime themselves.

Gold brick scams

Gold brick scams involve selling a tangible item for more than it is worth; named after selling the victim an allegedly golden ingot which turns out to be gold-coated lead.

Pig-in-a-poke originated in the late Middle Ages. The con entails a sale of a (suckling) “pig” in a “poke” (bag). The bag ostensibly contains a live healthy little pig, but actually contains a cat (not particularly prized as a source of meat, and at any rate, quite unlikely to grow to be a large hog). If one buys a “pig in a poke” without looking in the bag (a colloquial expression in the English language, meaning “to be a sucker”), the person has bought something of less value than was assumed, and has learned firsthand the lesson caveat emptor.

The Thai gem scam involves layers of con men and helpers who tell a tourist in Bangkok of an opportunity to earn money by buying duty-free jewelry and having it shipped back to the tourist’s home country. The mark is driven around the city in a tuk-tuk operated by one of the con men, who ensures that the mark meets one helper after another, until the mark is persuaded to buy the jewelry from a store also operated by the swindlers. The gems are real but significantly overpriced. This scam has been operating for 20 years in Bangkok, and is said to be protected by Thai police and politicians. A similar scam usually runs in parallel for custom-made suits.

Extortion or false-injury tricks

The badger game extortion is often perpetrated on married men. The mark is deliberately coerced into a compromising position, a supposed affair for example, then threatened with public exposure of his acts unless blackmail money is paid.

The Melon Drop is a scam in which the scammer will intentionally bump into the mark and drop a package containing (already broken) glass. He will blame the damage on the clumsiness of the mark, and demand money in compensation. This con arose when artists discovered that the Japanese paid large sums of money for watermelons. The scammer would go to a supermarket to buy a cheap watermelon, then bump into a Japanese tourist and set a high price.

Gambling tricks

Three-card Monte, ‘Find The Queen’, the “Three-card Trick”, or “Follow The Lady”, is (except for the props) essentially the same as the probably centuries-older shell game or thimblerig. The trickster shows three playing cards to the audience, one of which is a queen (the “lady”), then places the cards face-down, shuffles them around and invites the audience to bet on which one is the queen. At first the audience is skeptical, so the shill places a bet and the scammer allows him to win. In one variation of the game, the shill will (apparently surreptitiously) peek at the lady, ensuring that the mark also sees the card. This is sometimes enough to entice the audience to place bets, but the trickster uses sleight of hand to ensure that they always lose, unless the conman decides to let them win, hoping to lure them into betting much more. The mark loses whenever the dealer chooses to make him lose. This con appears in the Eric Garcia novel Matchstick Men and is featured in the movie Edmond.

A variation on this scam exists in Barcelona, Spain, but with the addition of a pickpocket. The dealer and shill behave in an overtly obvious manner, attracting a larger audience. When the pickpocket succeeds in stealing from a member of the audience, he signals the dealer. The dealer then shouts the word “aqua”, and the three split up. The audience is left believing that “aqua” is a code word indicating the police are coming, and that the performance was a failed scam.

In the Football Picks Scam the scammer sends out tip sheet stating a game will go one way to 100 potential victims and the other way to another 100. The next week, the 100 or so who received the correct answer are divided into two groups and fed another pick. This is repeated until a small population have (apparently) received a series of supernaturally perfect picks, then the final pick is offered for sale. Despite being well-known (it was even described completely on an episode of The Simpsons and used by Derren Brown in “The System”), this scam is run almost continuously in different forms by different operators. The sports picks can also be replaced with securities, or any other random process, in an alternative form. This scam has also been called the inverted pyramid scheme, because of the steadily decreasing population of victims at each stage.

Visitors to Las Vegas or other gambling towns often encounter the Barred Winner scam, a form of advance fee fraud performed in person. The artist will approach his mark outside a casino with a stack or bag of high-value casino chips and say that he just won big, but the casino accused him of cheating and threw him out without letting him redeem the chips. The artist asks the mark to go in and cash the chips for him. The artist will often offer a percentage of the winnings to the mark for his trouble. But, when the mark agrees, the artist feigns suspicion and asks the mark to put up something of value “for insurance”. The mark agrees, hands over jewelry, a credit card or their wallet, then goes in to cash the chips. When the mark arrives at the cashier, they are informed the chips are fake. The artist, by this time, is long gone with the mark’s valuables.

False reward tricks

The glim-dropper requires several accomplices, one of whom must be a one-eyed man. One grifter goes into a store and pretends he has lost his glass eye. Everyone looks around, but the eye cannot be found. He declares that he will pay a thousand-dollar reward for the return of his eye, leaving contact information. The next day, an accomplice enters the store and pretends to find the eye. The storekeeper (the intended griftee), thinking of the reward, offers to take it and return it to its owner. The finder insists he will return it himself, and demands the owner’s address. Thinking he will lose all chance of the reward, the storekeeper offers a hundred dollars for the eye. The finder bargains him up to $250, and departs.…

The fiddle game uses the pigeon drop technique. A pair of con men work together, one going into an expensive restaurant in shabby clothes, eating, and claiming to have left his wallet at home, which is nearby. As collateral, the con man leaves his only worldly possession, the violin that provides his livelihood. After he leaves, the second con man swoops in, offers an outrageously large amount (for example $50,000) for such a rare instrument, then looks at his watch and runs off to an appointment, leaving his card for the mark to call him when the fiddle-owner returns. The mark’s greed comes into play when the “poor man” comes back, having gotten the money to pay for his meal and redeem his violin. The mark, thinking he has an offer on the table, then buys the violin from the fiddle player (who “reluctantly” sells it eventually for, say, $5,000). The result is the two conmen are $5,000 richer (less the cost of the violin), and the mark is left with a cheap instrument.

Other confidence tricks and techniques

The Landlord Scam advertises an apartment for rent at an attractive price. The con artist, usually someone who is house-sitting or has a short-term sublet at the unit, takes a deposit and first/last month’s rent from every person who views the suite. When move-in day arrives, the con artist is of course gone, and the apartment belongs to none of the angry people carrying boxes.

Change raising is a common short con and involves an offer to change an amount of money with someone, while at the same time taking change or bills back and forth to confuse the person as to how much money is actually being changed. The most common form, “the Short Count”, has been featured prominently in several movies about grifting, notably Nueve Reinas, The Grifters and Paper Moon. A con artist shopping at, say a gas station, is given 80 cents in change because he lacks two dimes to complete the sale (say the sale cost is $19.20 and the con man has a 20 dollar bill). He goes out to his car and returns a short time later, with 20 cents. He returns them, saying that he found the rest of the change to make a dollar, and asking for a bill so he will not have to carry coins. The confused store clerk agrees, exchanging a dollar for the 20 cents the conman returned. In essence, the mark makes change twice.

Beijing tea scam is a famous scam in and around Beijing. The artists (usually female and working in pairs) will approach tourists and try to make friends. After chatting, they will suggest a trip to see a tea ceremony, claiming that they have never been to one before. The tourist is never shown a menu, but assumes that this is how things are done in China. After the ceremony, the bill is presented to the tourist, charging upwards of $100 per head. The artists will then hand over their bills, and the tourists are obliged to follow suit.

Various confidence scams, tricks, & frauds Read More »

How security experts defended against Conficker

From Jim Giles’ “The inside story of the Conficker worm” (New Scientist: 12 June 2009):

23 October 2008 … The dry, technical language of Microsoft’s October update did not indicate anything particularly untoward. A security flaw in a port that Windows-based PCs use to send and receive network signals, it said, might be used to create a “wormable exploit”. Worms are pieces of software that spread unseen between machines, mainly – but not exclusively – via the internet (see “Cell spam”). Once they have installed themselves, they do the bidding of whoever created them.

If every Windows user had downloaded the security patch Microsoft supplied, all would have been well. Not all home users regularly do so, however, and large companies often take weeks to install a patch. That provides windows of opportunity for criminals.

The new worm soon ran into a listening device, a “network telescope”, housed by the San Diego Supercomputing Center at the University of California. The telescope is a collection of millions of dummy internet addresses, all of which route to a single computer. It is a useful monitor of the online underground: because there is no reason for legitimate users to reach out to these addresses, mostly only suspicious software is likely to get in touch.

The telescope’s logs show the worm spreading in a flash flood. For most of 20 November, about 3000 infected computers attempted to infiltrate the telescope’s vulnerable ports every hour – only slightly above the background noise generated by older malicious code still at large. At 6 pm, the number began to rise. By 9 am the following day, it was 115,000 an hour. Conficker was already out of control.

That same day, the worm also appeared in “honeypots” – collections of computers connected to the internet and deliberately unprotected to attract criminal software for analysis. It was soon clear that this was an extremely sophisticated worm. After installing itself, for example, it placed its own patch over the vulnerable port so that other malicious code could not use it to sneak in. As Brandon Enright, a network security analyst at the University of California, San Diego, puts it, smart burglars close the window they enter by.

Conficker also had an ingenious way of communicating with its creators. Every day, the worm came up with 250 meaningless strings of letters and attached a top-level domain name – a .com, .net, .org, .info or .biz – to the end of each to create a series of internet addresses, or URLs. Then the worm contacted these URLs. The worm’s creators knew what each day’s URLs would be, so they could register any one of them as a website at any time and leave new instructions for the worm there.

It was a smart trick. The worm hunters would only ever spot the illicit address when the infected computers were making contact and the update was being downloaded – too late to do anything. For the next day’s set of instructions, the creators would have a different list of 250 to work with. The security community had no way of keeping up.

No way, that is, until Phil Porras got involved. He and his computer security team at SRI International in Menlo Park, California, began to tease apart the Conficker code. It was slow going: the worm was hidden within two shells of encryption that defeated the tools that Porras usually applied. By about a week before Christmas, however, his team and others – including the Russian security firm Kaspersky Labs, based in Moscow – had exposed the worm’s inner workings, and had found a list of all the URLs it would contact.

[Rick Wesson of Support Intelligence] has years of experience with the organisations that handle domain registration, and within days of getting Porras’s list he had set up a system to remove the tainted URLs, using his own money to buy them up.

It seemed like a major win, but the hackers were quick to bounce back: on 29 December, they started again from scratch by releasing an upgraded version of the worm that exploited the same security loophole.

This new worm had an impressive array of new tricks. Some were simple. As well as propagating via the internet, the worm hopped on to USB drives plugged into an infected computer. When those drives were later connected to a different machine, it hopped off again. The worm also blocked access to some security websites: when an infected user tried to go online and download the Microsoft patch against it, they got a “site not found” message.

Other innovations revealed the sophistication of Conficker’s creators. If the encryption used for the previous strain was tough, that of the new version seemed virtually bullet-proof. It was based on code little known outside academia that had been released just three months earlier by researchers at the Massachusetts Institute of Technology.

Indeed, worse was to come. On 15 March, Conficker presented the security experts with a new problem. It reached out to a URL called rmpezrx.org. It was on the list that Porras had produced, but – those involved decline to say why – it had not been blocked. One site was all that the hackers needed. A new version was waiting there to be downloaded by all the already infected computers, complete with another new box of tricks.

Now the cat-and-mouse game became clear. Conficker’s authors had discerned Porras and Wesson’s strategy and so from 1 April, the code of the new worm soon revealed, it would be able to start scanning for updates on 500 URLs selected at random from a list of 50,000 that were encoded in it. The range of suffixes would increase to 116 and include many country codes, such as .kz for Kazakhstan and .ie for Ireland. Each country-level suffix belongs to a different national authority, each of which sets its own registration procedures. Blocking the previous set of domains had been exhausting. It would soon become nigh-on impossible – even if the new version of the worm could be fully decrypted.

Luckily, Porras quickly repeated his feat and extracted the crucial list of URLs. Immediately, Wesson and others contacted the Internet Corporation for Assigned Names and Numbers (ICANN), an umbrella body that coordinates country suffixes.

From the second version onwards, Conficker had come with a much more efficient option: peer-to-peer (P2P) communication. This technology, widely used to trade pirated copies of software and films, allows software to reach out and exchange signals with copies of itself.

Six days after the 1 April deadline, Conficker’s authors let loose a new version of the worm via P2P. With no central release point to target, security experts had no means of stopping it spreading through the worm’s network. The URL scam seems to have been little more than a wonderful way to waste the anti-hackers’ time and resources. “They said: you’ll have to look at 50,000 domains. But they never intended to use them,” says Joe Stewart of SecureWorks in Atlanta, Georgia. “They used peer-to-peer instead. They misdirected us.”

The latest worm release had a few tweaks, such as blocking the action of software designed to scan for its presence. But piggybacking on it was something more significant: the worm’s first moneymaking schemes. These were a spam program called Waledac and a fake antivirus package named Spyware Protect 2009.

The same goes for fake software: when the accounts of a Russian company behind an antivirus scam became public last year, it appeared that one criminal had earned more than $145,000 from it in just 10 days.

How security experts defended against Conficker Read More »

Why cons work on us

From Damien Carrick’s interview with Nicholas Johnson, “The psychology of conmen” (The Law Report: 30 September 2008):

Nicholas Johnson: I think what I love most about con artists and the world of scammers is that they’re criminals who manage to get their victims to hand over their possessions freely. Most thieves and robbers and the like, tend to use force, or deception, in order for them to take things, whereas a con artist manages to get their victim to freely give up their stuff.

The main thing that really makes people susceptible to con artists is the idea that we’re going to get something for nothing. So it really buys into our greed; it buys into sometimes our lust, and at the same time, sometimes even our sense that we’re going to do something good, so we’re going to get a great feeling from helping someone out, we’re going to make some money, we’re going to meet a beautiful girl—it really ties into our basest desires, and that’s what the con artist relies on.

Most con artists rely on this idea that the victim is in control. The victim is the one who is controlling the situation. So a great example of that is the classic Nigerian email scam, the person who writes to you and says, ‘I’ve got this money that I need to get out of the country, and I need your help.’ So you’re in control, you can help them, you can do a good deed, you can make some money, you’ve got this fantastic opportunity, and the con artist needs your help. It’s not the con artist doing you a favour. So really, you feel like you’re the one who’s controlling the situation when really it’s the con artist who knows the real deal.

I think for a lot of con artists they’re very proud of their work, and they like people to know exactly what they’ve gotten away with.

… for many of [the conmen], they really feel like even if they get caught, or even if they don’t get away with it, they feel like they’re giving their victim a good story, you know, something to dine out over, something to discuss down at the pub. They think that’s OK, you can scam somebody out of a couple of hundred bucks, because they’re getting a good story in return.

My all-time favourite one only makes the con artist a few dollars every time he does it, but I absolutely love it. These guys used to go door-to-door in the 1970s selling lightbulbs and they would offer to replace every single lightbulb in your house, so all your old lightbulbs would be replaced with a brand new lightbulb, and it would cost you, say $5, so a fraction of the cost of what new lightbulbs would cost. So the man comes in, he replaces each lightbulb, every single one in the house, and does it, you can check, and they all work, and then he takes all the lightbulbs that he’s just taken from the person’s house, goes next door and then sells them the same lightbulbs again. So it’s really just moving lightbulbs from one house to another and charging people a fee to do it.

But there’s all sorts of those homemaker scams, people offering to seal your roof so they say, ‘We’ll put a fresh coat of tar on your roof’, or ‘We’ll re-seal your driveway’. In actual fact all they do is get old black sump oil and smooth it over the roof or smooth it over the driveway. You come home and it looks like wet tar, and so ‘Don’t step on it for 24 hours’, and of course 24 hours later they’re long gone with the money, and you’re left with a sticky, smelly driveway.

Why cons work on us Read More »

My new book – Google Apps Deciphered – is out!

I’m really proud to announce that my 5th book is now out & available for purchase: Google Apps Deciphered: Compute in the Cloud to Streamline Your Desktop. My other books include:

(I’ve also contributed to two others: Ubuntu Hacks: Tips & Tools for Exploring, Using, and Tuning Linux and Microsoft Vista for IT Security Professionals.)

Google Apps Deciphered is a guide to setting up Google Apps, migrating to it, customizing it, and using it to improve productivity, communications, and collaboration. I walk you through each leading component of Google Apps individually, and then show my readers exactly how to make them work together for you on the Web or by integrating them with your favorite desktop apps. I provide practical insights on Google Apps programs for email, calendaring, contacts, wikis, word processing, spreadsheets, presentations, video, and even Google’s new web browser Chrome. My aim was to collect together and present tips and tricks I’ve gained by using and setting up Google Apps for clients, family, and friends.

Here’s the table of contents:

  • 1: Choosing an Edition of Google Apps
  • 2: Setting Up Google Apps
  • 3: Migrating Email to Google Apps
  • 4: Migrating Contacts to Google Apps
  • 5: Migrating Calendars to Google Apps
  • 6: Managing Google Apps Services
  • 7: Setting Up Gmail
  • 8: Things to Know About Using Gmail
  • 9: Integrating Gmail with Other Software and Services
  • 10: Integrating Google Contacts with Other Software and Services
  • 11: Setting Up Google Calendar
  • 12: Things to Know About Using Google Calendar
  • 13: Integrating Google Calendar with Other Software and Services
  • 14: Things to Know About Using Google Docs
  • 15: Integrating Google Docs with Other Software and Services
  • 16: Setting Up Google Sites
  • 17: Things to Know About Using Google Sites
  • 18: Things to Know About Using Google Talk
  • 19: Things to Know About Using Start Page
  • 20: Things to Know About Using Message Security and Recovery
  • 21: Things to Know About Using Google Video
  • Appendix A: Backing Up Google Apps
  • Appendix B: Dealing with Multiple Accounts
  • Appendix C: Google Chrome: A Browser Built for Cloud Computing

If you want to know more about Google Apps and how to use it, then I know you’ll enjoy and learn from Google Apps Deciphered. You can read about and buy the book at Amazon (http://www.amazon.com/Google-Apps-Deciphered-Compute-Streamline/dp/0137004702) for $26.39. If you have any questions or comments, don’t hesitate to contact me at scott at granneman dot com.

My new book – Google Apps Deciphered – is out! Read More »

Matthew, the blind phone phreaker

From Kevin Poulsen’s “Teenage Hacker Is Blind, Brash and in the Crosshairs of the FBI” (Wired: 29 February 2008):

At 4 in the morning of May 1, 2005, deputies from the El Paso County Sheriff’s Office converged on the suburban Colorado Springs home of Richard Gasper, a TSA screener at the local Colorado Springs Municipal Airport. They were expecting to find a desperate, suicidal gunman holding Gasper and his daughter hostage.

“I will shoot,” the gravely voice had warned, in a phone call to police minutes earlier. “I’m not afraid. I will shoot, and then I will kill myself, because I don’t care.”

But instead of a gunman, it was Gasper himself who stepped into the glare of police floodlights. Deputies ordered Gasper’s hands up and held him for 90 minutes while searching the house. They found no armed intruder, no hostages bound in duct tape. Just Gasper’s 18-year-old daughter and his baffled parents.

A federal Joint Terrorism Task Force would later conclude that Gasper had been the victim of a new type of nasty hoax, called “swatting,” that was spreading across the United States. Pranksters were phoning police with fake murders and hostage crises, spoofing their caller IDs so the calls appear to be coming from inside the target’s home. The result: police SWAT teams rolling to the scene, sometimes bursting into homes, guns drawn.

Now the FBI thinks it has identified the culprit in the Colorado swatting as a 17-year-old East Boston phone phreak known as “Li’l Hacker.” Because he’s underage, Wired.com is not reporting Li’l Hacker’s last name. His first name is Matthew, and he poses a unique challenge to the federal justice system, because he is blind from birth.

Interviews by Wired.com with Matt and his associates, and a review of court documents, FBI reports and audio recordings, paints a picture of a young man with an uncanny talent for quick telephone con jobs. Able to commit vast amounts of information to memory instantly, Matt has mastered the intricacies of telephone switching systems, while developing an innate understanding of human psychology and organization culture — knowledge that he uses to manipulate his patsies and torment his foes.

Matt says he ordered phone company switch manuals off the internet and paid to have them translated into Braille. He became a regular caller to internal telephone company lines, where he’d masquerade as an employee to perform tricks like tracing telephone calls, getting free phone features, obtaining confidential customer information and disconnecting his rivals’ phones.

It was, relatively speaking, mild stuff. The teen though, soon fell in with a bad crowd. The party lines were dominated by a gang of half-a-dozen miscreants who informally called themselves the “Wrecking Crew” and “The Cavalry.”

By then, Matt’s reputation had taken on a life of its own, and tales of some of his hacks — perhaps apocryphal — are now legends. According to Daniels, he hacked his school’s PBX so that every phone would ring at once. Another time, he took control of a hotel elevator, sending it up and down over and over again. One story has it that Matt phoned a telephone company frame room worker at home in the middle of the night, and persuaded him to get out of bed and return to work to disconnect someone’s phone.

Matthew, the blind phone phreaker Read More »

How con artists use psychology to work

From Paul J. Zak’s “How to Run a Con” (Psychology Today: 13 November 2008):

When I was in high school, I took a job at an ARCO gas station on the outskirts of Santa Barbara, California. At the time, I drove a 1967 Mustang hotrod and thought I might pick up some tips and cheap parts by working around cars after school. You see a lot of interesting things working the night shift in a sketchy neighborhood. I constantly saw people making bad decisions: drunk drivers, gang members, unhappy cops, and con men. In fact, I was the victim of a classic con called “The Pigeon Drop.” If we humans have such big brains, how can we get conned?

Here’s what happened to me. One slow Sunday afternoon, a man comes out of the restroom with a pearl necklace in his hand. “Found it on the bathroom floor” he says. He followed with “Geez, looks nice-I wonder who lost it?” Just then, the gas station’s phone rings and a man asked if anyone found a pearl necklace that he had purchased as a gift for his wife. He offers a $200 reward for the necklace’s return. I tell him that a customer found it. “OK” he says, “I’ll be there in 30 minutes.” I give him the ARCO address and he gives me his phone number. The man who found the necklace hears all this but tells me he is running late for a job interview and cannot wait for the other man to arrive.

Huum, what to do? The man with the necklace said “Why don’t I give you the necklace and we split the reward?” The greed-o-meter goes off in my head, suppressing all rational thought. “Yeah, you give me the necklace to hold and I’ll give you $100” I suggest. He agrees. Since high school kids working at gas stations don’t have $100, I take money out of the cash drawer to complete the transaction.

You can guess the rest. The man with the lost necklace doesn’t come and never answers my many calls. After about an hour, I call the police. The “pearl” necklace was a two dollar fake and the number I was calling went to a pay phone nearby. I had to fess up to my boss and pay back the money with my next paycheck.

Why did this con work? Let’s do some neuroscience. While the primary motivator from my perspective was greed, the pigeon drop cleverly engages THOMAS (The Human Oxytocin Mediated Attachment System). … THOMAS is a powerful brain circuit that releases the neurochemical oxytocin when we are trusted and induces a desire to reciprocate the trust we have been shown–even with strangers.

The key to a con is not that you trust the conman, but that he shows he trusts you. Conmen ply their trade by appearing fragile or needing help, by seeming vulnerable. Because of THOMAS, the human brain makes us feel good when we help others–this is the basis for attachment to family and friends and cooperation with strangers. “I need your help” is a potent stimulus for action.

How con artists use psychology to work Read More »

The purpose of the Storm botnet? To send spam

From Tim Wilson’s “Researchers Link Storm Botnet to Illegal Pharmaceutical Sales” (DarkReading: 11 June 2008):

“Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy Websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now,” said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow.

“Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of $150 million per year.”

In fact, the “Canadian Pharmacy” Website, which many Storm emails promote, is estimated to have sales of $150 million per year by itself, the report says. The site offers a customer service phone number that goes into voice mail and buyers usually do receive the drugs — but the shipments include counterfeit pharmaceuticals from China and India, rather than brand-name drugs from Canada, IronPort says.

IronPort’s research revealed that more than 80 percent of Storm botnet spam advertises online pharmacy brands. This spam is sent by millions of consumers’ PCs, which have been infected by the Storm worm via a multitude of sophisticated social engineering tricks and Web-based exploits. Further investigation revealed that spam templates, “spamvertized” URLs, Website designs, credit card processing, product fulfillment, and customer support were being provided by a Russian criminal organization that operates in conjunction with Storm, IronPort says.

However, IronPort-sponsored pharmacological testing revealed that two thirds of the shipments contained the active ingredient but were not the correct dosage, while the others were placebos.

The purpose of the Storm botnet? To send spam Read More »

Craigslist “everything is free!” scams

Robert Salisbury

From “Man scammed by Craigslist ad” (The Seattle Times: 24 March 2008):

The ads popped up Saturday afternoon, saying the owner of a Jacksonville home was forced to leave the area suddenly and his belongings, including a horse, were free for the taking, said Jackson County sheriff’s Detective Sgt. Colin Fagan.

But Robert Salisbury had no plans to leave. The independent contractor was at Emigrant Lake when he got a call from a woman who had stopped by his house to claim his horse.

On his way home he stopped a truck loaded down with his work ladders, lawn mower and weed eater.

“I informed them I was the owner, but they refused to give the stuff back,” Salisbury said. “They showed me the Craigslist printout and told me they had the right to do what they did.”

The driver sped away after rebuking Salisbury. On his way home he spotted other cars filled with his belongings.

Once home he was greeted by close to 30 people rummaging through his barn and front porch.

From “Couple held in Craigslist theft case” (The Seattle Times: 1 April 2008):

Police on Monday arrested a Medford couple who allegedly used hoax postings on Craigslist to cover up their own thefts from a rural Jacksonville residence later inundated by Craigslist readers who thought the house’s contents were free pickings for the taking.

Amber D. Herbert, 28, and Brandon D. Herbert, 29, were taken into custody on burglary, theft and computer crime charges involving the Craigslist hoax that drew international attention and cost the victim several thousand dollars, authorities said.

…the Herberts told police they took several saddles from the property and sold them over the Internet.

Laurie Raye

From “Tacoma woman’s house emptied after craigslist hoax” (The Seattle Times: 5 April 2007):

Laurie Raye said she had everything stripped from her home after someone placed a fake ad on the San Francisco-based Internet site, a collection of online classifieds.

Raye had recently evicted a tenant and cleaned out the rental.

The ad posted last weekend welcomed people to take for free anything they wanted from the home. It has since been pulled from the site, but not before the residence was stripped of light fixtures, the hot water heater and the kitchen sink.

Neighbors said they saw strangers hauling items away, apparently looking for salvage material.

Even the front door and a vinyl window were pilfered, Raye said.

“In the ad, it said come and take what you want. Everything is free,” she said. “Please help yourself to anything on the property.”

From “Woman charged after Craigslist posting resulted in a house stripped” (The Seattle Times: 17 May 2007):

Pierce County prosecutors have filed charges against the niece of a woman whose house was stripped clean after a Craigslist.org posting advertised that everything in the home was free.

Nichole Blackwell, 28, was charged with second-degree burglary, malicious mischief and criminal impersonation for allegedly posting an ad that read, “Moving out … House being demolished. Come and take whatever you want, nothing is off limits,” on the online classifieds Web site, according to charging documents from Pierce County Superior Court.

It wasn’t until six days after the ad was posted that Laurie Raye, owner of the home in the 1200 block of East 64th Street in Tacoma, checked on the house to find it stripped.

Nearly everything that wasn’t bolted down — and some stuff that was — was taken.

People, thinking that they could remove whatever they wanted, grabbed the refrigerator, front door and kitchen sink, among other things, according to the documents.

Police believe Blackwell disliked Raye and was particularly upset because Raye had recently evicted Blackwell’s mother from the house.

Craigslist “everything is free!” scams Read More »

Conservatives are more ruthless than liberals

From Alan Wolfe’s “Why Conservatives Can’t Govern” (The Washington Monthly: July/August 2006):

Political parties expend the time and grueling energy to control government for different reasons. Liberals, while enjoying the perquisites of office, also want to be in a position to use government to solve problems. But conservatives have different motives for wanting power. One is to prevent liberals from doing so; if government cannot be made to disappear, at least it can be prevented from doing any good. The other is to build a political machine in which business and the Republican Party can exchange mutual favors; business will lavish cash on politicians (called campaign contributions) while politicians will throw the money back at business (called public policy). …

Historically and philosophically, liberals and conservatives have disagreed with each other, not only over the ends political systems should serve, but over the means chosen to serve those ends. Whether through the ideas of James Madison, Immanuel Kant, or John Stuart Mill, liberals have viewed violent conflict as regrettable and the use of political institutions as the best way to contain it. Conservatives, from the days of Machiavelli to such twentieth-century figures as Germany’s Carl Schmitt, have, by contrast, viewed politics as an extension of war, complete with no-holds-barred treatment of the enemy, iron-clad discipline in the ranks, cries of treason against those who do not support the effort with full-throated vigor, and total control over any spoils won. From a conservative point of view, separation of powers is divisive, tolerance a luxury, fairness another word for weakness, and cooperation unnecessary. If conservatives will not use government to tame Hobbes’ state of nature, they will use it to strengthen Hobbes’ state of nature. Victory is the only thing that matters, and any tactic more likely to produce victory is justified.

The K Street Project, then, did not arise spontaneously out of the ether. When Republicans in Congress began to inform lobbyists that in return for influence they would have to fire all the Democrats in their firms, they may have broken with long-standing traditions, but they were simply carrying forward politics-as-warfare the way conservative political philosophers have historically understood it. Liberals do not generally have objections to working with conservatives; indeed, having conservatives sign off on any expansion of government adds to the legitimacy of that expansion. But conservatives tend to see working with liberals as corrupting; in the immortal words of conservative activist Grover Norquist, “bipartisanship is another name for date rape.” K Street is to lobbying what Fox News is to journalistic objectivity. In the world that contemporary conservatives have brought into being, rules are not applicable to all parties to a conflict. Rules are part of the conflict, and whoever wins the conflict gets to change the rules.

Conservatives are more ruthless than liberals Read More »

Ubuntu Hacks available now

The Ubuntu distribution simplifies Linux by providing a sensible collection of applications, an easy-to-use package manager, and lots of fine-tuning, which make it possibly the best Linux for desktops and laptops. Readers of both Linux Journal and TUX Magazine confirmed this by voting Ubuntu as the best Linux distribution in each publication’s 2005 Readers Choice Awards. None of that simplification, however, makes Ubuntu any less fun if you’re a hacker or a power user.

Like all books in the Hacks series, Ubuntu Hacks includes 100 quick tips and tricks for all users of all technical levels. Beginners will appreciate the installation advice and tips on getting the most out of the free applications packaged with Ubuntu, while intermediate and advanced readers will learn the ins-and-outs of power management, wireless roaming, 3D video acceleration, server configuration, and much more.

I contributed 10 of the 100 hacks in this book, including information on the following topics:

  • Encrypt Your Email and Important Files
  • Surf the Web Anonymously
  • Keep Windows Malware off Your System
  • Mount Removable Devices with Persistent Names
  • Mount Remote Directories Securely and Easily
  • Make Videos of Your Tech-Support Questions

I’ve been using K/Ubuntu for over a year (heck, it’s only two years old!), and it’s the best distro I’ve ever used. I was really excited to contribute my 10 hacks to Ubuntu Hacks, as this is defintely a book any advanced Linux user would love.

Buy Ubuntu Hacks from Amazon!

Ubuntu Hacks available now Read More »

The way to trick smart people

From Paul’s “The easiest way to fool smart people“:

There’s a saying among con-men that smart people are easier targets, because they don’t think they can be conned.

I’m not sure if that’s true, but there’s one scam that’s almost guaranteed to make smart people switch off their brains and reach for their wallets. It’s a trick that’s used so pervasively in our culture, that once you become aware of it, you start to see it everywhere. …

Most smart people have a hidden weakness and it’s this – they’re absolute suckers for anything that sounds clever.

As soon as you start hitting people with technical terms, fancy graphs, famous names and the like, you’ll immediately increase your credibility. If they’re smart, they’re even more likely to find themselves nodding in agreement. Many intelligent people would rather cut off a finger than admit they don’t know what you’re talking about. …

Even better, they can pretend to be teaching their audience something important. A person who was previously completely ignorant about quantum physics now feels as if they understand something about it – even if that something is absolute baloney. The audience have been fed ideas they’ll now defend even against someone who’s a real expert in that subject. Nobody likes to be told that something they’ve been led to believe is wrong. …

Consultants behave this way because they know that’s how to get a sale. Bombard people with clever-sounding stuff they don’t really understand, and they’ll assume that you’re some kind of genius. It’s a great way of making money.

Stock analysts, economic forecasters, management consultants, futurologists, investment advisors and so on use this tactic all the time. It’s their chief marketing strategy for the simple reason that it works.

The way to trick smart people Read More »

Canals & tolls

From Andrew Odlyzko’s “Pricing and Architecture of the Internet: Historical Perspectives from Telecommunications and Transportation“:

The modern canal era can be said to start with the Duke of Bridgewater’s Canal in England. Originally it was just a means of connecting the Duke’s colliery to Manchester. The parliamentary charter (which enabled him to take over private property, with appropriate compensation) obliged the Duke to carry cargo to Manchester at a maximum charge of 30 pence a ton, and to sell his own coal in Manchester for no more than 80 pence a ton, about half the price that had prevailed before [38,68]. Parliament was determined to obtain substantial benefits for the public from the grant of government powers to the Duke. …

The great financial success of the Duke of Bridgewater’s Canal led to widespread attempts to emulate it. In the early 1790s, there was a canal mania, with a burst of construction that was never to be replicated in Britain. (The U.S. had its canal mania some decades later, following on the great success of the Erie Canal.) The charters of those canals show a general trend towards greater price discrimination. …

Similar toll schedules depending on cargo were also common in the United States. As an example, when parts of the still incomplete Erie Canal were opened in 1820, there was a long list of tolls, concluding with “All articles not enumerated, one cent, per ton, per mile” (Chapter 2 of [81]). The enumerated articles (among those that were measured by the ton) were charged tolls ranging from salt and gypsum at 0.5 cents per ton per mile, to 1 cent for flour, to 2 cents for merchandise, and nothing for fuel to be used in the manufacture of salt (so that it was necessary not only to know the nature of the cargo, but its ultimate use). …

While canal operators were trying to squeeze carriers (who were trying to squeeze merchants, in ways similar to those described below for turnpikes), carriers often attempted to evade tolls. They bribed toll-collectors, misrepresented what the cargo was, or how much there was of it, and in some cases even hid cargo with high toll charges under commodities such as sand for which the fees were low. The countermeasures, just as they are today, and would likely be in the future with electronic communications, were based on both technology and law. Measurements were taken (in many cases there were books available to canal operators, listing canal boats, and the weight of cargo aboard as a function of how deeply in the water they lay), and there were punitive penalties for evasion.

Canals & tolls Read More »

DRM Workaround #18: HP printer cartridges

From “Cartridge Expiration Date Workarounds“:

In light of the lawsuit against Hewlett-Packard over the expiration date of their cartridges, two ways to fix the problem:

1) Remove and reinsert the battery of the printer’s memory chip

2) Preemptive: Change the parameters of the printer driver

Search for hp*.ini … In it there is a parameter something like pencheck. It is set to 0100. … Set it to 0000 in the file and save the file and REBOOT.

DRM Workaround #18: HP printer cartridges Read More »

My new book – Hacking Knoppix – available now

Knoppix is one of the great innovations in open source software in the last few years. Everyone that sees it wants to use it, since it is that rarest of software tools: the true Swiss Army Knife, capable of use by unsophisticated, experienced, and wizardly users, able to perform any of several hundred (if not thousand) tasks in an efficient and powerful way. Best of all, it’s super easy to employ, ultra-portable, and platform- and hardware-agnostic.

Knoppix camps on your system without canceling out your regular installation or messing with your files. And it’s really fun to play with. Hacking Knoppix provides all kinds of ways to customize Knoppix for your particular needs, plus the scoop on various Knoppix distros. Learn to build a Knoppix first-aid kit for repairing cranky Windows and rescuing precious data, or create your own Live CD. In short, Hacking Knoppix will transform your ordinary powerless Knoppix-curious individual into a fearsome Knoppix ninja, able to right wrongs, recover data, and vanquish the forces of ignorance and Windows usage once and for all.

Our approach in Hacking Knoppix is smart, detailed, and fun. We know our stuff, and we want our readers to understand and enjoy all the outrageously cool things that Knoppix makes possible. If a topic is kind of hard to understand, we’ll explain it so that lesser experienced readers get it and more experienced readers still learn something new; if a point needs in-depth explanation, we’ll give it in an interesting fashion; and if it needs a splash of humor to relieve the tedium, we’ll slip in something humorous, like a banana peel in front of Bill Gates.

  • Knoppix is an innovative Linux distribution that does not require installation, making it ideal to use for a rescue system, demonstration purposes, or many other applications
  • Shows hack-hungry fans how to fully customize Knoppix and Knoppix-based distributions
  • Readers will learn to create two different Knoppix-based live CDs, one for children and one for Windows recovery
  • Teaches readers to use Knoppix to work from a strange computer, rescue a Windows computer that won’t boot, repair and recover data from other machines, and more
  • Includes Knoppix Light 4.0 on a ready-to-use, bootable live CD

Read sample excerpts, including Unraveling the Knoppix Toolkit Maze (1.7 MB PDF), the complete Table of Contents (135 kb PDF) & the Index (254 kb PDF).

Buy Hacking Knoppix from Amazon!

My new book – Hacking Knoppix – available now Read More »

Amongst family and friends

From "The Producer" in the 15 October 2001 issue of The New Yorker, an article about the Hollywood producer Brian Grazer:

His creation achieved its brilliant apotheosis a few years ago, when he reconceived Brian Grazer as a form of performance art. He started putting photographs of himself, grinning like a pixie, in dime-store frames and taking them to parties. Unobserved, he would leave his little photo among the grandly framed portraits of the host’s family and famous friends, for the host to discover, to his startled amusement, usually several weeks later. 

Amongst family and friends Read More »