The dark side of the Internet

This is a blog dedicated to talking about spam, scams, phishing, fake banks and other nuisances of the Internet. It's also a chance to practice my written English; I need something that forces me to write at least a small bit every day. Corporate English classes were not helping.
My name is an homage to Wolfenstein, the game that started it all, and Bond. Enjoy (or not...)

James Wolfenstein

There's a war going on (2007-10-30)

It's been a while since my last post. Not much has changed in the world of scams in general. But an incredible event took place during the first week of October and is still going on.
The Storm Botnet started an attack against anti-scam sites like 419Eater, Scamwarners and Artists Against 419.

To understand the meaning of this news I'll give you a brief on the Storm Botnet. It may seem to you like a science fiction tale but it's true. A botnet is a network of computers under centralized control. That sounds like the description of almost any network of computers belonging to a particular organization. The main difference is that the computers in the botnet have been hijacked to take part in it. The second difference is that botnets like Storm have many millions of computers.

The Storm Botnet, also known as Zhelatin, is the largest known botnet ever. It's estimated at many millions because there's no way to know how many computers have been infected since its creation in January of 2007. The objective of the botnet is to allow its owner to open as many sessions, each from a different origin IP, as it has computers, and to do with those sessions virtually anything the owner wishes. Botnets are mainly used for spam, generating mail connections from so many different IPs that the mail servers can't block them (blocking all of them would be like blocking everyone out of email), or for DoS (denial of service) attacks. A DoS attack simply opens connections to the target server until it's rendered unusable.
It doesn't matter how big your network structure is, you only have resources for a limited number of connections and to serve a limited number of requests. You can add more resources to increase that number but it's going to be a finite number anyway. When one user has the power to generate many millions of connections at the SAME time there's little chance your structure is going to stand it.

The first line of defense for a network/server structure is the firewall. My own connection suffers attacks from time to time, not really dangerous but sometimes they take too much bandwidth trying over and over again the same old tricks that they know didn't work before. I can block the IP of the attacker and forget about it. If it bothers me too much, I can call my ISP and request that they block it on the next router, and they can make the decision of blocking the IP even further up in the net. But we're talking about one IP, maybe two, maybe a dozen.
How do you deal with many millions? You can't.
You can't block that many IP numbers and, even if you could, your firewall is going to respond very, very slowly with a list of many million rules to check for every packet. It's not practical. And the packets are not easy to identify. A request for a session looks the same coming from a botnet or from a regular user.

A typical zombie PC is a computer belonging to a common user connected to a broadband service. He may spend his whole life as a member of the botnet without knowing it. And this makes an important difference from any other virus, worm or trojan. The botnet doesn't want your computer to fail, it doesn't want to take a look at your personal information, it doesn't want your computer to lose performance. Quite the contrary, the dream zombie for a botnet is a healthy high performance computer with a high speed connection. This makes it very difficult to detect the infiltration.
Most viruses are reported due to the effect they have on the victim; when you don't have a problem you don't have anything to report. Some of the variants of the Storm worm are known and included in anti-virus databases. But not all of them have been found, the botnet itself is being used to spread its own worm in new versions, and millions of computers are being used without any kind of protection.

Eventually, a zombie can be identified (there are millions of them) and, once you get to it, it should be easy to watch it closely and trace the commands back to the owner of the botnet, shouldn't it?
No, it's not like that. The Storm Botnet is using p2p technology to communicate with its members. Meaning that once you get to one zombie you can watch closely, you're going to see traffic to other zombies. And when you get to them, you're going to see more zombies. The number grows fast and by the time you have one connection that may lead to the owner, the number is so high you have no way to check them all. P2p is the technology used by BitTorrent and other file sharing systems that allows you to get the files from many different sources. It changes the concept from a client/server structure (connections many to one or one to many) to a distributed structure (connections many to many). Older botnets were not successful due to this small difference. They were traced to their owners pretty soon while this one probably never will be.

Here you can find more information about this attack. The <a href="http://it.slashdot.org/article.pl?sid=07/09/08/1251238">Slashdot</a> report (pretty small...), <a href="http://www.spamnation.info/blog/archives/2007/09/419eater_ddosd.html">Spamnation</a>, <a href="http://www.modemac.com/cgi-bin/wiki.pl/Storm_Botnet">The High Weirdness Project</a>.
And for more on the Botnet, here's a rather technical video of how it spreads from <a href="http://www.net-security.org/malware_news.php?id=851">Help Net Security</a> and a video showing a surge in the spread of the worm (that may or may not be related to this attack) from <a href="http://www.youtube.com/watch?v=kH8cS1AkqiI">FSLabs</a>.

It's known who owns the Storm Botnet. Maybe not identified down to the person or persons themselves, but down to the group handling it. They are devoted mostly to spam services and banking fraud over the net. Their "formats" are mostly cell phone sales and service and overpaying for auctions. The reason for the attack is that they know that 419Eater is a place where baiters are coordinating activities against them, Scamwarners is warning and giving advice to their victims and Artists Against 419 is researching, reporting and shutting down their sites.
It's bad news and good news too, in a way. It shows that their activities are making a dent in the gang's operations.

The attack is still going on. It won't last, they never do that for long periods of time. This is the kind of attack that's done in waves, but even the waves have to slow down and stop eventually. Every packet sent gives more information that can be used to block them automatically. Every second the botnet is active, it opens the opportunity for a trace. It's unlikely that a trace is going to succeed, the odds seem to be on the gang's side, but the stakes are too high. The botnet is a very valuable asset and they're going to do anything to protect it, including giving up on this attack.

The good side is that the activities of the attacked sites are not going to stop. The attack may have damaged some baiting activities temporarily but the warnings, the serious research, the scam site identification and reporting and other activities kept going on throughout the attacks.
It's been more difficult at times but not to the point of stopping it all. Most of the people I've contacted during the attacks felt encouraged by it. There are no feelings of defeat, nobody wants to quit, nobody wants a truce, nobody wants to take one step back. The scammers didn't win this battle and they never will. If something changes for them, it's going to be for the worse.

Visit the sites, support them, spread the word. If you're aware of the scam there's no way they're going to get you. Everyone who's warned about this is one less potential victim in the market. I hope someday we can take the whole market down.

Meanwhile, be careful out there because it's getting dangerous...

<a href="http://www.419eater.com/">419 Eater</a>
<a href="http://scamwarners.com/">Scamwarners</a>
<a href="http://wiki.aa419.org/index.php/Main_Page">Artists Against 419</a>

James Wolfenstein

A Sunday magazine (2007-03-23)

Today I'm going to go through a lot of stuff. Consider this the Sunday magazine (or Saturday depending on your location), one issue with enough material to read all week long.

First of all, I want to thank the <a href="http://softwareandmusicdownloads.blogspot.com/">Software and Music Downloads Blog</a>, which mentioned this blog last week. The post wasn't exactly about hacking but he liked it and that's what matters.

On the dark side, I'm not reporting scammers' mail addresses to Yahoo anymore. I've noticed that they're not answering nor closing the accounts. So it's a waste of time. I don't blame them, this is not a complaint. They own the server, they offer the service for free, they're entitled to apply any policy they want. Besides, Yahoo was the only one of the major players closing the scammers' accounts.
Hotmail and Gmail seem to require CSI-grade evidence to do something against them. Yet, again, I respect their decisions.

However, I think that they could be a little more concerned about the problem. They're profiting from the Internet and this kind of stuff is hurting their marketplace. And there are a number of affordable solutions to the problem. To start with, they can establish a method for questionable accounts. Once they're found to be questionable by observation or report, they can block access to the user and offer a form at login time where he can answer the claims and provide evidence if needed. If the answer is satisfactory, the user can recover access to the account. But I know that the form would be unnecessary; scammers never complain about blocked accounts, they move to another one. If Yahoo closed all the accounts of Mariam Abachas, Charles Soludos, barristers, banks of Nigeria, HSBC banks, banks of any kind, etc., nobody would claim them. Yahoo could recover hundreds of thousands of accounts plus all the related disk space. Eventually, one account would be closed that belongs to a decent user. But it wouldn't be so hard to confirm and reinstate.

On the other hand, minor players are more concerned. I understand that it could be because their resources are more limited and the misuse of the service hurts them more economically. But the truth is that most of them go beyond closing the account.
This is a typical answer to an abuse report from <a href="http://www.outblaze.com/index.php">Outblaze</a>:

<blockquote style="font-weight: bold; color: rgb(51, 51, 255); font-family: arial;">The account you reported is now terminated, along with
today's quota of sundry other Nigerian generals, bankers,
engineers, attorneys and relatives of dead dictators.</blockquote>
They acknowledge the problem (with some humour, I may add) instead of giving a crappy corporate legal "violation of TOS" answer.
This is another one worth mentioning, related to a phishing page hosted at 2ya.com. Check the <a href="http://sekss.2ya.com/">phishing site</a>. The site is gone and that's what most big hosters are doing, closing the site. But <a href="http://2ya.com/">2ya.com</a> keeps the site open with a warning in case someone falls for the phishing message. The point is that if you fall for it and the page simply fails, you may fall for the next one. But if you fall for it and you see the warning, you won't fall ever again. And that's the real thing, education, spread the knowledge. Because the only way to protect yourself is to be aware, to have the knowledge.

And that's the idea of this blog. So let's move on to some educational stuff and some fun stuff too.

Here's a <a href="http://www.youtube.com/watch?v=ISMgGdaGOJM&mode=related&search=">video from the BBC</a> about the EFCC (Economic and Financial Crimes Commission) raiding a cyber cafe in Lagos, Nigeria. At some point, there's this dialog between the journalist and an EFCC agent:

<blockquote style="font-family: arial; font-weight: bold; color: rgb(51, 153, 153);">-Do people fall for this?
-If they didn't, we wouldn't be here, would we?</blockquote>
This is a key fact of this problem. People do fall for scams. For most of us it's obvious that the offers are not real, it's hard to believe that someone could fall for it.
But they do and that's why scammers keep doing it.

Here's another report, <a href="http://www.youtube.com/watch?v=8PQANsFisvU">part 1</a> and <a href="http://www.youtube.com/watch?v=7PVK0R01tRw">part 2</a>. Brian Ross from 20/20 was also invited to a raid by the EFCC, plus he played the part of a victim and followed the trail to the scammer all the way to Lagos. Pay attention to this bit:

<blockquote style="font-weight: bold; color: rgb(51, 51, 255); font-family: arial;">One of the first people to be arrested by the EFCC's squad was its boss, the head of the Nigerian police, who was sent to prison for taking bribes from top 419 scammers.</blockquote>
You may have noticed that he mentions a music video; you can find it on <a href="http://www.youtube.com/watch?v=AMRjymIvGu4">YouTube</a>. It's a very popular one in Nigeria performed by Osuofia, a Nigerian comedian. The name of the song is "I chop your dollar", meaning "I'm going to get your money". It's about a scammer telling his mark how (and why) he is going to fool him. Here are the original lyrics:

<blockquote style="font-weight: bold; color: rgb(51, 51, 255);font-family:arial;"><span style="font-size:85%;">I don suffer no be small
Upon say I get sense
Poverty no good at all, no
Na im make I join this business
419 no be thief, its just a game
Everybody dey play am
if anybody fall mugu, ha! my brother I go chop am

Chorus
National Airport na me get am
National Stadium na me build am
President na my sister brother
You be the mugu, I be the master
Oyinbo I go chop your dollar, I go take your money disappear
419 is just a game, you are the loser I am the winner
The refinery na me get am,
The contract, na you I go give am
But you go pay me small money make I bring am
you be the mugu, I be the master… na me be the master ooo!!!!

When Oyinbo play wayo, them go say na new style
When country man do im own, them go de shout bring am, kill am, die!
Oyinbo people greedy, I say them greedy
I don see them tire thats why when them fall enter my trap o!
I dey show them fire</span></blockquote>
And here, the English version (<a href="http://www.africaresource.com/content/view/197/208/">translated by Azuka Nzegwu and Adeolu Ademoyo</a>)

<blockquote style="font-weight: bold; color: rgb(51, 51, 255);font-family:arial;"><span style="font-size:85%;">I am suffering greatly
and I get this idea (or wise)
poverty is not good at all
and I decide to join this business (scam)

419 is not a criminal act but a game
Everybody will play
but if you are fool
I will chop your money

Chorus:

I own the National Airport
I built the National Stadium
The president is my sister's brother
You are the fool and I am the master

White man, I will eat your dollar
I will take your money and disappear
419 is just a game, you are the loser and I am the winner

I own the refinery
I will give you the contract
But you will have to pay me a small fee before I bring them
You are the fool, I am the master
I am the master!!!!

When whites scam
it is said that it is a new style
But when the country man does the same
White people shout: bring them, kill them, die!

White people are greedy, I say they are greedy
I have seen through them deeply (or very well)
So, when they fall into my trap
I will show them fire (or showing someone who is the real boss by treating them harshly)</span></blockquote>
Here's another Brian Ross <a href="http://www.youtube.com/watch?v=puYEUs18MFI">report</a>. This time he exposes a "wash-wash", a scam where you get your money painted black and are sold the chemicals to clean it up. Listen carefully, the victim says that he's lost approximately US$340,000. And he's not just a grammar school dropout with money. He's a highly educated person, a heart surgeon.

And one more report. Here's <a href="http://www.youtube.com/watch?v=eU9WqhCiQ8g">Keith Olbermann</a> exposing another one where scammers impersonate the head of the FBI.

Now let's move on to the fun. The music video was posted by one of the top scambaiters. If you want to know him and know what a scambaiter is, here's the Fox interview with <a href="http://www.youtube.com/watch?v=okE6TRQlZY8">Butch Driveshaft</a>. You can find more about him and his group at <a href="http://www.thescambaiter.com/">The Scambaiter</a> (registration required). Be aware that Butch is extremely loud and uses abusive language. <a href="http://www.youtube.com/watch?v=13mw0pahY40">Here's</a> a bit someone made with a compilation of Butch's phone calls and photo trophies and a brief of the <a href="http://www.youtube.com/watch?v=jzz1tNppsIM&NR">Cole bait</a>, a bait where Butch keeps sending trash to Cole and Cole keeps paying for delivery. Again, be aware that Butch is not suitable for a young audience. The great thing about Butch is that he punishes the scammers where it really hurts, their wallets. He also makes them do stupid things for fun but taking their money has a long term effect on the scammers. They will think twice every time they're on a scam. They'll doubt every victim, they'll be afraid of falling again. Every second wasted, every phone call, every cheque sent, every dollar spent on a scambaiter won't hurt a real victim.

Another top scambaiter is Shiver Metimbers.
You can read about him and his group's baits at <a href="http://419eater.com/">419 Eater</a> (registration required for the forums). And <a href="http://www.youtube.com/watch?v=0WVRC3-5UdA">here's</a> a video of a scammer waiting for him to show up to get £18,000. I guess you figured it out by yourself, but just in case: he didn't show up. This one went back home empty handed and really bored. Others had some fun while being abused by scambaiters. The next videos show what the scammers are willing to do in order to get some money. Just in case you don't figure it out by yourself, they never get it. I think that most of these videos (if not all) are from 419 Eater's members.

A scambaiter named <a href="http://www.youtube.com/watch?v=EiCqefRhZdg">Bombardier</a> offers his "pet" (the scammer) an opportunity to be a stunt man and make big money.

Here, <a href="http://www.youtube.com/watch?v=_0DpJu4yKIE">Stargatebaiter</a>'s "pet" Richard auditions for a role in Stargate. And then he does it <a href="http://www.youtube.com/watch?v=tgXY0uA9sGQ&mode=related&search=">again</a>. And <a href="http://www.youtube.com/watch?v=_qWdMfxkQYw">again</a>. Though I think that the last one is for another role...

Here, a scammer performs a ceremony to become a "twat" for <a href="http://www.youtube.com/watch?v=i0FV5fW8dXA">Tainenterprises</a>.

Another audition, this time <a href="http://www.youtube.com/watch?v=LvyrzQldOKE&mode=related&search=">Monty Python's dead parrot sketch</a>.

And it goes on and on and on.

I want to make a final comment. At some point during Brian Ross' report, he said that no matter how many scammers the police arrest, no matter how many scammers 20/20 exposes, there's always another hungry one ready to take his place. It's not the literal quote but that was the meaning. He also mentioned that the average income in Lagos is US$1 per WEEK.
In a way, he created the idea (or at least it looked that way to me) that this is a problem created by poverty, that they do it to survive. And I have to totally disagree with him. Those running the scams are not hungry. They may be poor by our standards but they're not struggling to survive. I'm sure that there's poverty in Nigeria but those who are in real need are scrounging for their next meal, not scamming from a cyber cafe. They don't have access to such luxury, they don't have the education required to use a computer, let alone a keyboard. If you look carefully, the scammers on the videos are well fed, no signs of starvation. The wannabe stunt man is wearing expensive running shoes, he has a house in a residential neighborhood, he has a car (I hope it is his car, otherwise his neighbor is going to get really pissed). They're not doing scams because they don't have another choice, they're doing it because it's easy money. And they don't care who they scam, they don't care who they hurt, they don't care about the consequences their acts can have on their victims' lives. I'm with Butch, I don't feel sorry for them.

And, to finish this post in a lighter mood, here's a video from Ze Frank performing a 419 letter. This is the <a href="http://www.youtube.com/watch?v=qiHZb0kkqQk&mode=related&search=">YouTube link</a>, I couldn't find the link to the original video. If you want to see more of him (totally worth it) visit his web page, <a href="http://www.zefrank.com/theshow/">Ze Frank - The show</a>.

This post may come as a surprise to you...

James Wolfenstein

Obfuscation (2007-02-02)

This post is full of technicalities. It's about making things dark and obscure.
URLs, basically, and my mood too.
Phishers are improving their ways to avoid detection, reporting and closure of their web pages. It's bad news but it's also good news. It shows that reporting their sites is making a dent in their operation. But it's bad because it's going to make it more difficult for people without the knowledge to report them properly. This way the pages are going to stay up longer, more people are going to fall for it and the phisher is going to have more time to collect the information.

I'm going to dissect one that I've received this week. This is the full URL (be careful, at the time of this post it's still active)
<blockquote><span style="font-size:85%;"><span style="font-family:courier new;">http://0x42.0x4d.0x3f.0x6e/amazon/redirect.php?http://0x48.0x0e.0xdd.0x67</span>
<span style="font-family:courier new;">/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxg</span>
<span style="font-family:courier new;">FKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&ad</span>
<span style="font-family:courier new;">url=http://0xd1.0x55.0x7f.0x82/%77%77%77%2E%70%61%79%70%61%6C%2E%63%6F%6D</span>
<span style="font-family:courier new;">%2E%68%74%6D</span></span></blockquote>
Imagine all that in just one line, I formatted it to fit the blog. Believe it or not, this is a valid URL. Not the kind you're used to seeing daily. Let's take a look at the first part
<blockquote style="font-family:courier new;"><span style="font-size:85%;">http://0x42.0x4d.0x3f.0x6e/amazon/redirect.php</span></blockquote>
The domain is expressed as an IP number in hexadecimal format. If you do the math (you can use your Windows calculator in scientific mode) the real IP number is 66.77.63.110. You can try this IP number and it will take you to Sony Pictures' web site. In that web site there's a directory called amazon, and in there a PHP script called redirect.php.
Sony Pictures is not involved in the scam and, most likely, its site wasn't hacked. It's common to have such a script; in this case Sony probably uses it to redirect visitors to Amazon's web site where they can buy Sony's stuff. This redirector script is just that simple, it creates HTML code that tells your browser to go and load some other page. Try it, pick any URL you want and use this redirector to access it. Luckily, if we piss them off enough they'll secure the script and it won't be used for phishing anymore. Try this
<blockquote><span style="font-size:85%;">http://0x42.0x4d.0x3f.0x6e/amazon/redirect.php?http://www.google.com</span></blockquote>
Or any other page you want. The result is the same, you're redirected to the page you set as the parameter for the script. You can also try http://0x42.0x4d.0x3f.0x6e or http://66.77.63.110 or http://www.sonypictures.com/, you'll see Sony Pictures' web site. They're all different ways to link to the same site.

But the phishing page is not there nor is Sony involved in this kind of operation. They have a script they use as part of their business and it was left unsecured. The same way we used it for these examples, the phisher uses it to obfuscate the URL pointing to his page. Where's the phishing page then? Let's take a look at the second part of the URL.
It's easier now that we know that the script will redirect to the second URL, and this is it
<blockquote><span style="font-size:85%;"><span style="font-family:courier new;">http://0x48.0x0e.0xdd.0x67/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSA
ueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCa
pCCqkCxU7NLQH0sz4&num=5&adurl=http://0xd1.0x55.0x7f.0x82/%77%
77%77%2E%70%61%79%70%61%6C%2E%63%6F%6D%2E%68%74%6D</span></span></blockquote>
Looks complicated but let's take a look at it part by part. The first thing is the IP number; again it has been obscured by writing it in hexadecimal format. The real number is 72.14.221.103. You can try both, go on, they're both safe.

Surprised? Yes, the IP number points to Google. But the phishing page is not on Google's server and they're not related to it. What the URL says is that on that server there's a directory named pagead and in there an object named iclk. No more information about iclk. Most of the time you can assume that the object is what's described by its extension (the .xxx thing at the end); in this case there's no extension. But, most likely, it's a script of some kind. Then, there's a set of parameters: sa with value l, ai with a long chain of characters (the part that looks really complicated), num with value 5 and adurl with a URL. If it looks like a redirector to you, you're right. It is. This is part of Google's AdSense program and the object of the script is to count hits for a particular ad (defined by the long chain of characters) and redirect the browser to the URL assigned (defined by the adurl parameter). Try this (I just did). Go to any page with AdSense, Google AdSense or Google anything. Most likely you'll get an AdSense panel or a link to a page with one.
Pick any ad you like and copy the URL (right button, copy link location or anything like that depending on your browser). Now paste the link in your browser's URL box. What you see is exactly the same as the URL we've been looking at. Same parameter names, some with different values. Change the URL for anything else and you'll be redirected to that URL of your choice. I wonder how AdSense is counting that "click". Regardless of that, the point is that the script is out there, it is not secured and it's being used to obfuscate phishing URLs (and probably other scam or spam related links).

Ok, Google's problems aside, we've finally found the phishing page. It has to be the URL passed to AdSense as the adurl parameter, right? Wrong! Let's take a look at it
<blockquote><span style="font-size:85%;"><span style="font-family:courier new;">http://0xd1.0x55.0x7f.0x82/%77%77%77%2E%70%61%79%70%61%6C%2E
%63%6F%6D%2E%68%74%6D</span></span></blockquote>
Again, the IP number has been obscured. The real IP number is 209.85.127.130 and belongs to Everyone Internet in Houston, TX. The rest of the URL is the name of an object. Looks like a very complicated object but it isn't. The same way the IP number is obscured by writing it in hexadecimal format, a text can be obscured by writing its characters as ASCII codes in hexadecimal format. That's what you're looking at. %77 means 77 hexadecimal, or 119 decimal, or a "w". %2E means 2E hexadecimal, or 46 decimal, or a ".". I'll save you the pain of going through all this. The name of the object is www.paypal.com.htm and it's not the phishing page. It's an HTML page redirecting to somewhere else. Yes, another redirector. The difference between this one and the two previous ones is that this is a static page while the others are scripts able to generate the page dynamically based on the parameters you give them.
Also, the previous ones are legitimate (for lack of a better term) though insecure scripts used as part of a business operation, while this one was written specifically to be used as part of the phishing operation. It's hard to tell how it was set up there. It could be a hacked site, or free web site space, or a web site paid for from a PayPal account phished in a previous operation.

But the phishing page is not this one, this is just the redirector. It's a web page instructing your browser to ignore it and move on to another URL. I'm not going to publish the whole redirector page here because it's too much code to dissect. The URL it points to is
<blockquote><span style="font-size:85%;"><span style="font-family:courier new;">http://0x40.0x1a.0x19.0xfa/www4.4paypal.com/cgi_bin2/webscr.php.cmd
=restore-account-login945096845098034938/webscr.php?cmd=_login-run</span></span></blockquote>
Again, the IP number is obscured. The real number is 64.26.25.250 and belongs to Hostway Corporation in Chicago, IL. Like the one from Everyone Internet, it's most likely a hosting server and it is being abused somehow. The URL looks complicated but it has been created like that to give it a more business-like look. The first directory is named www4.4paypal.com to make you think you're connected to a PayPal server while you're not. The second directory name is cgi_bin2. And the third is webscr.php.cmd=restore-account-login945096845098034938. It looks like the script name is webscr.php with a parameter cmd carrying a complicated value, but for that the character before cmd would have to be a "?", which it isn't; the whole thing is just the name of another directory. The real page is webscr.php and the real parameter is cmd with value "_login-run". Probably the parameter value means nothing anyway.

The obfuscation of the URL works two ways. First, it makes it a lot more complicated to report.
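Translating those addresses by hand is the slow part. The following is an added example, not code from the original post, that automates the decoding walked through above: it rewrites a hex-octet IP host as dotted decimal (and, going beyond the post's case, also the octal and single-dword spellings browsers accept), percent-decodes the path, and follows each URL nested in a redirector's query string, using the post's own URL as the sample input.

```python
"""Decode an obfuscated redirector chain like the one dissected above.

Added example, not code from the original post. Hex octets are the case the
post shows; octal octets and a single 32-bit "dword" host are other spellings
browsers accept, so they are handled too.
"""
import re
from urllib.parse import unquote, urlsplit

# A bare URL embedded in a query string, running up to whitespace or a quote.
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

# The full URL from the post above, as one line (the ai= value is as printed there).
SAMPLE_URL = (
    "http://0x42.0x4d.0x3f.0x6e/amazon/redirect.php?http://0x48.0x0e.0xdd.0x67"
    "/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxg"
    "FKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&ad"
    "url=http://0xd1.0x55.0x7f.0x82/%77%77%77%2E%70%61%79%70%61%6C%2E%63%6F%6D"
    "%2E%68%74%6D"
)


def parse_number(text: str) -> int:
    """Read a number the way a browser reads an IP component: 0x.. hex, 0.. octal, else decimal."""
    t = text.lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)
    return int(t, 10)


def canonical_host(host: str) -> str:
    """Rewrite an obfuscated IPv4 host as dotted decimal.

    Handles four components in any mix of hex/octal/decimal and a single
    dword (e.g. 1112358766). Anything else (a real hostname, or a numeric
    form that is out of range) is returned unchanged, lower-cased.
    """
    parts = host.split(".")
    try:
        if len(parts) == 4:
            octets = [parse_number(p) for p in parts]
            if all(0 <= o <= 255 for o in octets):
                return ".".join(str(o) for o in octets)
        elif len(parts) == 1:
            dword = parse_number(host)
            if 0 <= dword < 2**32:
                return ".".join(str((dword >> s) & 0xFF) for s in (24, 16, 8, 0))
    except ValueError:
        pass  # not numeric at all: an ordinary hostname
    return host.lower()


def decode_hop(url: str) -> dict:
    """Split one URL into a readable host, path and percent-decoded query."""
    parts = urlsplit(url)
    return {
        "host": canonical_host(parts.hostname or ""),
        "path": unquote(parts.path),
        "query": unquote(parts.query),
    }


def unwrap_chain(url: str, max_hops: int = 20) -> list:
    """Follow URLs nested in query strings, outermost redirector first.

    Each redirector carries its destination as a parameter, so the last entry
    is the deepest URL recoverable from the link alone. A static redirect page
    (like www.paypal.com.htm above) would need a fetch and is out of scope.
    """
    chain, seen, current = [], set(), url
    while current and current not in seen and len(chain) < max_hops:
        seen.add(current)
        try:
            hop = decode_hop(current)
        except ValueError:  # malformed netloc: stop with what we have
            break
        chain.append(hop)
        nested = URL_RE.findall(hop["query"])  # query is already unquoted
        current = nested[0] if nested else None
    return chain


if __name__ == "__main__":
    for i, hop in enumerate(unwrap_chain(SAMPLE_URL), 1):
        print(f"hop {i}: {hop['host']}{hop['path']}")
    print(canonical_host("0x40.0x1a.0x19.0xfa"))  # the final host from the post
```

Run as-is it lists the three hops of the post's URL (66.77.63.110, 72.14.221.103, 209.85.127.130) and decodes the last host to 64.26.25.250, which is all you need to pick the abuse contact to report to.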
You have to go all the way to the phishing page and translate the URLs to find out who to report to. And second, it helps to avoid detection by mail filters. This is done by setting up a huge number of different URLs pointing to the same phishing page. If one mail is reported and its URL is added to the filter database, it doesn't matter, because more messages with different URLs will go through undetected.

As you can see, the phishers are going that far to protect their pages. They know that the success of a page depends on the time it can survive: the longer the page stays alive, the more people will access it and, hopefully (for the phisher), post valuable information.

It's bad news that they're evolving into more complex setups but, on the other hand, it shows that the fight against them is making a dent in their operations. So, I'll keep reporting them. At least those that reach my mail box. Meanwhile, if you're a regular user be careful, if you're in charge of a web site be on the lookout for a phishing page or a redirector installed by a hacker, and if you have scripts, secure them.

James Wolfenstein

Guest writer (2007-01-08)

Today is Guest Writer day... actually, I don't have an article to post and this mail from a friend came apropos. She's talking about a previous <a href="http://scam-hell.blogspot.com/2006/08/are-you-safe-are-you-sure.html">article</a> I wrote about Internet safety in general and passwords. I want to say on my behalf that the problem she has was her own fault. You're supposed to create a rule for your passwords AND REMEMBER IT!!!

Her mail was too long for a comment and too good to be dismissed, so I decided to post it here.
The text was edited to suit the requirements of the <a href="http://www.prisonplanet.com/articles/december2006/151206mccainbill.htm">"Stop the Online Exploitation of Our Children Act"</a> written by Republican senator (and "freedom lover") John McCain, who doesn't seem to be aware that there's a pesky First Amendment that clearly protects freedom of speech. Anyway, I've censored a couple of words just to keep her safe (and all of your children out there reading this blog). She's my friend and I don't want to turn her in to the feds (but I will if the alternative is to pay $300,000 :-O ).<br /><br />So, without further ado, I give you the Guest Writer of the day, Alex<br /><br /><blockquote style="font-family: georgia; color: rgb(0, 0, 102);">After reading your article on Are you safe? Are you sure? I became, like any normal person would, completely paranoid about the vulnerability of my virtual <span style="font-style: italic; color: rgb(255, 0, 0);">* posterior *</span>ets. You were so right, everything was out there, open to any interested hacker. I've never been the victim of identity theft or any other online crime. But you know what they say... there's always a first time for everything, so I'd rather be safe than sorry!<br />Conscious of the importance and severity of the task ahead, I decided to break my procrastinating habits and do it right away. I had your suggestions, which I could completely follow (why not?), and Internet access to all my accounts. What else did I need? Nothing! So I merrily went on my way, updating all my passwords. My only personal contribution was to use the nicknames I have for the financial institutions instead of the real name, which usually goes on the address bar, therefore making it easy to guess. Also, for some account types I used 3 letters for the month and for some others the complete month name. Guess one, guess all, you know! I felt immediately gratified and proud of myself.<br />Hackers getting to my accounts? 
Not now, not ever, no way, Jose!<br />A couple of days later I realized that I had also decided not to make any more payments online, so I had a few checks to mail (you can't pay in person here, you know). No problem: checks, envelopes and postage stamps. All set! Like I used to do in prehistoric times, I mailed the checks on Wednesday, knowing they would not reach their destination and post at least until Friday, when my paycheck posts to my account via direct deposit (should I stop that too? Hmmm!). Well, the post office seems to be more efficient now, and some vendors hungrier for money. One of my checks hit my account too early, on Thursday, and bounced for lack of funds. I used to have overdraft protection from my savings account, but I stopped that as a safety precaution. So, there I was, with a delinquent electricity bill and a $30 fee for the bounce. That's okay, I thought, I learned my lesson: don't wait until the deadline, and don't mail ahead of time, you sneaky <span style="font-style: italic; color: rgb(255, 0, 0);">* woman of dubious reputation *</span>!<br />Then came the time to make my mortgage payment. To me, it's the most important one; it's the roof over your head. I checked my bank account, and there was enough money there to cover the payment, so I mailed it.<br />Only to find out that it bounced anyway. Why? Because a couple of the previously sent checks had not posted to my account by the time I checked, therefore inflating my available balance. Thank goodness, the mortgage company didn't really bounce it; they called me. I explained the situation to them, and they waited until Friday (good that I didn't cancel my direct deposit!). Life is good!<br />Then I went on vacation for a week, to a beautiful ranch in the middle of the desert, but with all the amenities of a 5-star hotel. I had a wonderful time, disconnected from everyday routine activities. Oh, if it only lasted longer than a week! When I came back, I went online to check my finances. 
But I found a little problem there: did I call Bank of America BofA? Yes, I think I did. Well, it was really 6Of4 (I also<br />replaced all b's with 6). Now... what the hell was the rest of the password? Did I create it in m4rCh or aPri1? I tried them both, but none of them worked; probably I used something other than 6Of4. Tried 64nKoF4MeRiC4, but that didn't work either. Maybe I used the complete month name? After 3 wrong attempts, the bank blocked my account, so I had to wait until the next day to try it again, but at that point<br />clicking on 'forgot my password'. They sent it to me via email.<br />Another little problem I had was with one of the credit cards. Some crook opened my payment envelope and made a copy of the check before processing it. So he had my checking account number, my credit card number (memo area of the check, as they instruct you to write it there), and my signature. I had to close that account because of fraudulent charges. The money was returned to my account after a while, but the headache was there.<br />Oh, my God! What a <span style="font-style: italic; color: rgb(255, 0, 0);">* performing of sexual intercourse *</span> nightmare! I was so relieved when I woke up and realized it was just that, a very bad dream! Right there and then I made up my mind: stay with the good old KISS principle that never failed me so far. I believe that people somehow manage to attract to them the things that happen in their lives. For instance, if you worry too much about losing your job, you're asking for it to happen. Makes sense?<br />Maybe not, but my experience shows me it's true. As for security, many web sites require more and more intricate passwords, more digits, combinations of characters, etc. Hackers are aware of it, and they will probably try complex combinations instead of a simple and stupid one.<br />I'll keep my simple and stupid<br />Thank you for all your valuable advice. Seriously, I mean it. 
From now on, I will always look at the address bar.</blockquote><br /><br />James Wolfenstein<br /><br /><br /><b>Making money on the Internet</b><br />2006-12-19<br /><br />The "payment officer" scam is a huge success lately. At least I think it is, because everyone is doing it. A couple of months ago I was getting one of these once in a while; now I get a couple every day.<br /><br />In case you've missed it, the scam works like this:<br />You're offered a job as payment officer (or any other name); your duty is to receive payments from customers and send the money to your boss at headquarters. You get to keep a percentage of every transaction (usually 10%). So far so good, it really sounds like a sweet deal, maybe too sweet. But "entertain no fear my friend" (as Nigerians always say), the reason the company is doing it is 9/11, the Patriot Act, money laundering controls, etc., which make it too complicated for their customers to pay from the USA to foreign countries (exactly what you're supposed to do).<br />How does this "job" really work? You get bad checks, forged or stolen. The bank usually lets you get the money before the check goes all the way round. By the time the check bounces, you've already sent the money to your boss and the bank wants it back. The reason the bank gives you the money in advance is that you're good for it; they don't care about the check (as far as I know this system applies only to the USA). The scammers know this and that's why they'll push you to send the money as soon as possible; they know that the time frame is limited before the whole thing blows up.<br /><br />The inside of the "company" is a gang with access to the real stuff and freelance "bosses" recruiting marks over the net. Once your boss gets you on the hook, you're presented to the company as a prospect. 
If they like what they see (your name, address, ID, job position, etc.) they'll contact you as "customers" and start the transactions.<br /><br />Now there's an extra twist to this scam. Instead of a check, they make a transfer straight into your account. I'm still wondering about this, because it means that somehow they have control over an account with enough money or credit to do it. I suspect that Nigerian scammers are into the phishing business too. If they get hold of a user/password combination for a bank account, they wait for the opportunity to make a transfer to a payment officer's account. If they time the operation properly, the payment officer will send the money before the victim of the phishing finds out. From that point, it's someone else's problem.<br /><br />It's hard to believe how easy it is, but it is.<br /><br />I took many of these jobs. My idea was to make them send the checks to someone who cares and can do something about it, law enforcement I mean. But I'm still trying to find one who does. In the meantime, I made them send the checks to dead ends where they got lost. I don't want to give many details about it in case they read this blog. The good thing is that each check they send to me is a check that won't hurt someone else. So far, only this year, I caught almost half a million dollars. And this counts only those I could get some kind of confirmation for.<br />Some of the checks were sent through regular mail and I had no way to confirm them; maybe they were not sent at all. Others were sent by courier, FedEx or UPS, and I verified that using the tracking number. For some, I also received a copy of the original waybill. This is great because it gave me information about how it was sent, from where, how it was paid, etc. The bad news is that they're all dead ends. 
Paid in cash at the counter (no real name or return address) or charged to a hijacked account (real name and return address, but it's just another victim).<br /><br />Transfers are hard for me to handle. A couple of times I sent bogus account numbers; some worked (no complaints from my boss), some didn't (a lot of complaints). I can't tell what happened. It's obvious that if you do a transfer from the bank's web page and the destination number is wrong, the system should warn you about it. But why did some seem to work? Maybe they didn't; the "company" called my bluff and decided to cut my "boss" out of the loop. The chances of typing a good number randomly are incredibly low.<br /><br />It's a real problem because transfers are becoming the most popular way to scam. One reason could be that it's a lot easier for the mark. Most people are reluctant to get checks from strangers, but the transfer is money already in your account. You have to do nothing, sign nothing. It really feels like you're not taking responsibility for it; it's just in there waiting for you. The other reason could be that phishing is working and they have control over many bank accounts. Forged and stolen checks require hard work and are limited; accounts taken by phishing require less work and are coming in fresh daily. If I'm right and there's a connection, it's a scary scenario.<br /><br />And probably there is. The transfer scam is being used in connection with the advance fee frauds. If you don't pay the fees for your lottery prize, your inheritance papers or your contract certificates, they will offer you a deal with a financier who's willing to pay for it. But, because the financier is inside the lottery/court/government, he can't pay by himself. The payment has to be made by you personally. So the money is sent to you first, then you have to resend it to wherever it is that it has to be sent. And how is it going to be sent to you? 
A bank transfer.<br /><br />As you can see, it's always about creating a missing link in the money chain. They may have access to the money, but if they use it directly or send it to their own accounts, the chain leads to them. When you send the money to them through Western Union or MoneyGram (to a fake name somewhere in Africa where they can get it without an ID), the chain is broken and you're the last link.<br /><br />The bank on top of the phishing ranking (at least in my mail accounts) is Bank of America. I don't think it's something about the security level of their online system; it has to be something about the way money can be transferred from their accounts. I've sent them a message with details about it. I think they should try to catch some of these jobs and make the scammers do the transfers to controlled accounts. The scammers have control over some of their customers' accounts and there's no way to find out which ones. Besides, the mark is going to be one of their customers too. If they do it, the hijacked accounts can be secured as soon as they're identified and the customer informed about the situation. I'd like to know that my bank is doing things like this to protect me; the publicity would improve the image of the bank and bring awareness to the general public about the phishing problem. The cost is minimal, I can do it in my free time. A lot more can be done by an organized group working full time. But, so far, no answer.<br /><br />Law enforcement is not interested, and neither is your bank. You have to take care of yourselves, kids. 
I won't be here watching your backs forever :oP<br /><br />James Wolfenstein<br /><br /><br /><b>A Moebius tape of recursivity</b><br />2006-08-31<br /><br /><span style="color: rgb(0, 0, 0);font-family:Tahoma;font-size:85%;" >I haven't posted articles in a while and I'm sorry about that.<br /><br />After Google disabled my mail account, my Blogger account was disabled too. Silly me, I didn't see that coming, even knowing that Google and Blogger have unified accounts.<br /><br />Anyway, everything's fine now. I have access to both my mail account and my Blogger account again. But in the meantime I was setting up another blog and re-editing all the articles because I thought that my account was as good as gone. And that kept me busy all the time that I could have used to write.<br /><br />I have a lot to write about.<br /><br />Check scams are rising now and I'm going to get back to this issue in a future article. Meanwhile, don't take a job as a "payment officer", don't take a job over the web, don't trust a "company" just because it has a website, don't sell books (or anything else) to schools or academies in India, Africa or anywhere if they were requested by mail. Believe it or not, the scammers are going to that extent to lure you into taking their "rubber" checks.<br /><br />Phishing is high too. I've seen a lot of mail forms lately. These are the phishing messages where the form to post your data is inside them. No need to click a link and post on a web page; you can do it from the message itself. This is more tempting and makes the actual phishing web page invisible. In fact the page is only a script that forwards the content of the form to the phisher's mail account. If you call it without the content of a form you get nothing. 
And that makes it very hard to report to network administrators, because there's nothing to see from the hyperlink.<br /><br />One of the scripts is totally legal, meaning that it was created and is used legally. But it's open to the general public when it was intended to serve the customers of a hosting service. The administrator was doing some complicated things, redirecting the script to eBay if the referrer included a reference to them. But the result was that if you tried to access the script manually by yourself, eBay showed up. Bad idea. Let's say that a person suspects that the message is not real. He tries the link manually and eBay shows up. Most likely he'll think that the message is genuine, fill in the form and get his credit card cloned.<br /><br />Some other administrators are doing things differently. I saw a phishing page this week that was replaced with a warning page explaining phishing, in case you are a potential victim, and trashing the phisher. I'll see if I can recover the link for you to see.<br /><br />And I've just contacted another who is taking a strong stand against scammers. But this is for another article.<br /><br />Today I'm writing about human stupidity and how technology makes things worse.<br /><br />Lately I'm seeing that the number of scam messages from LatinMail is increasing. This happens often: a free mail service gets popular among them. Yahoo is still number one, even though it's also number one in closing their accounts.<br /><br />The trick nowadays is to send the first message through spam servers with a disposable mail account and, once contact with the mark has been established, move the operation to the Yahoo account.<br /><br />Sending from a spam server makes the message impossible to report; no mail provider will accept a report just because the address allegedly used belongs to them. 
They want a header showing that the message was generated from their servers.<br /><br />This trick works as a sieve: those who suspect the message can't report it and won't pursue the matter, and those who answer won't report it.<br /><br />But sometimes they use a mail server that they know, or think, is lenient in its abuse policy, like LatinMail in this case and another that is rising, adinet.com.uy.<br /><br />I started reporting just to see if there was a response. I didn't get one, but at least the abuse address didn't bounce, something that's pretty common.<br /><br />Then a couple of messages bounced. That was odd. Most of the time the bounces are because the abuse address doesn't exist at all or its quota has been exceeded, meaning that nobody has checked the account in years. And in both cases the bounce is immediate and for every message.<br /><br />This time only a couple of them bounced. So I took a closer look at the bounce message. And I found this:<br /><br /><b>&lt;latinmail@latinred.net&gt;: host mail.latinred.net[62.37.236.165] said: 451<br />Blocked - see http://www.spamcop.net/bl.shtml?62.37.236.187 (in reply to<br />RCPT TO command)</b><br /><br />SpamCop is an organization working against spam; I guess the name is graphic enough. They take information from user reports and traps they set on purpose. From that information, they keep a database of offending IP numbers, the addresses from which spam messages originate. The database is public and anyone can use it to check if the source of a message has been reported. I'll get back to the details later.<br /><br />Using this database, LatinMail detected that the IP address 62.37.236.165 has been reported as a source of spam several times. So they blocked the message and bounced it.<br /><br />Nice, isn't it? Well, not really. Because the IP 62.37.236.165 belongs to LatinMail. And it was reported several times, along with others also belonging to LatinMail, because it is the source of a lot of spam. 
Including scam messages.<br /><br />The second minor detail in this story is that the message I sent wasn't generated or forwarded from that IP. The reference to that IP was in the header of the message I was reporting, which was inside the body of my message.<br /><br />Somehow, their script is unable to understand where the real header ends. Somehow meaning someone did a lousy job: a header has a distinctive boundary.<br /><br />But the bottom line is that it's impossible to report abuse to LatinMail. If you take the IP number out, they won't see evidence that the message was generated by them. If you leave the IP number in, the message bounces.<br /><br />And I'd applaud a system so efficient in dealing with reports. But this one wasn't meant to work like that. This is just the result of plain stupidity in charge of technology.<br /><br />This is a real Dilbert system, something that Scott Adams talked about in "The Way of the Weasel". A system so incompetent that it looks brilliant in terms of results from a corporate point of view. Their antispam software blocked thousands of messages, showing that it's incredibly efficient, and thousands of abuse reports never reached them, showing an incredibly clean mail server.<br /><br />And going back to SpamCop. The idea is good, but I think it's a very complicated solution for a very simple problem. Eventually they'll fill the database with almost all the IP numbers that don't belong to a mail server and some that do belong to a mail server. The database is going to be huge; probably it is already. And it doesn't take into account the human factor, like this case of LatinMail, someone using this database to filter its own mail.<br /><br />You can read about my idea in a previous article. A system that's simpler, more efficient and based on information and protocols that are available now. 
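The two parsing problems in this story in code, as an added example that is not the blog's: splitting an abuse report into its real header and its body before searching for IPs, which is the step the LatinMail script above gets wrong, and the receive-time check the author proposes a few sentences further on (accept only from an IP that DNS declares as a mail server for the sender's domain, then consult a blocklist). The DNS records, the blocklist and the report message are constructed in-memory stand-ins so it runs offline; only the LatinMail address 62.37.236.165 and SpamCop's blocklist zone are real.

```python
"""Header-boundary parsing and the proposed sender check (added example)."""
import re
from email import message_from_string

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed abuse report. Its own path uses documentation addresses
# (192.0.2.x, 198.51.100.x); the spam being reported is quoted in the body
# and carries the LatinMail address from the bounce in the post.
REPORT = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby abuse-intake.example.org with ESMTP; Thu, 31 Aug 2006 10:00:00 -0300
Received: from reporter-pc (reporter.example.net [192.0.2.10])
\tby mx.example.net with ESMTP; Thu, 31 Aug 2006 09:59:58 -0300
From: reporter@example.net
To: abuse@latinmail.example
Subject: spam report

Please see the headers of the message I received:

Received: from mail.latinred.net (mail.latinred.net [62.37.236.165])
\tby mx.example.net with SMTP; Wed, 30 Aug 2006 08:12:00 -0300
From: "Dr. Williams" <scammer@latinmail.example>
Subject: URGENT BUSINESS PROPOSAL
"""

# Constructed DNS view (domain -> MX hosts, host -> addresses) and a
# constructed stand-in for a DNS blocklist such as SpamCop's.
MX_RECORDS = {"latinmail.example": ["mail.latinmail.example"],
              "example.net": ["mx.example.net"]}
A_RECORDS = {"mail.latinmail.example": ["62.37.236.165"],
             "mx.example.net": ["198.51.100.7"]}
BLOCKLIST = {"62.37.236.165"}


def naive_ips(raw: str) -> list[str]:
    """What a script that ignores the header boundary sees: every IP anywhere."""
    return IPV4.findall(raw)


def received_ips(raw: str) -> list[str]:
    """IPs from the real header's Received lines only. RFC 5322 ends the
    header at the first empty line and the stdlib parser honours that, so
    headers quoted in the body are never consulted."""
    msg = message_from_string(raw)
    return [ip for value in msg.get_all("Received", []) for ip in IPV4.findall(value)]


def dnsbl_name(ip: str, zone: str = "bl.spamcop.net") -> str:
    """Query name a DNS blocklist expects: the octets reversed under its zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def declared_mail_server(ip: str, sender_domain: str) -> bool:
    """Step one of the proposal: is the connecting IP one of the domain's MX hosts?"""
    return any(ip in A_RECORDS.get(host, []) for host in MX_RECORDS.get(sender_domain, []))


def smtp_decision(ip: str, sender_domain: str) -> tuple[bool, str]:
    """Step two: a declared server can still be refused after a blocklist query."""
    if not declared_mail_server(ip, sender_domain):
        return False, f"550 {ip} is not a declared mail server for {sender_domain}"
    if ip in BLOCKLIST:  # a real server would resolve dnsbl_name(ip) here
        return False, f"451 Blocked - see {dnsbl_name(ip)}"
    return True, "250 OK"


def naive_decision(raw: str) -> tuple[bool, str]:
    """The behaviour in the bounce: any listed IP anywhere in the text bounces it."""
    for ip in naive_ips(raw):
        if ip in BLOCKLIST:
            return False, f"451 Blocked - see {dnsbl_name(ip)}"
    return True, "250 OK"


def report_decision(raw: str, sender_domain: str) -> tuple[bool, str]:
    """Judge a report by the hop that actually delivered it (the top Received
    line), never by addresses quoted in its body."""
    hops = received_ips(raw)
    return smtp_decision(hops[0], sender_domain) if hops else (False, "550 no Received header")


if __name__ == "__main__":
    print("naive scan sees  :", naive_ips(REPORT))
    print("real header hops :", received_ips(REPORT))
    print("naive decision   :", naive_decision(REPORT))
    print("proper decision  :", report_decision(REPORT, "example.net"))
```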
There's no need to invent new stuff.<br /><br />The idea basically is that every server receiving mail (SMTP) must verify the IP of the sender through the domain name system to see if it's declared as a mail server. It has to receive only from other declared mail servers and terminate immediately any other attempt. This way it saves storage space and bandwidth. The database to check is smaller, it's efficient and it's in use right now. Eventually, the servers can make a second query to another database, public or private, to check if the sender, even being another mail server, should be banned for any reason.<br /><br />And that's the problem with the world these days. Things are going so badly just because nobody's asking me...<br /></span><br /><br />James Wolfenstein<br /><br /><br /><b>Just rant</b><br />2006-08-14<br /><br /><font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" ace="Tahoma" size="2">Today I'm going to rant for a while. So if you don't want to read me ranting, you're free to walk away and come back at another time.<br />My first rant is about something I've been talking about in a previous article (Email and us), but this merits an encore.<br />This week I received yet another mail with a PowerPoint presentation. I made a rule never to open one of those; I just delete them. And it's not because I think they may be a security risk, I do it because I know it's a waste of time. Of course I receive a few work-related PP files, but I can tell easily because I know the source, I requested them or I've been told that they were sent to me previously.<br />I don't know why people feel that a message is more valuable because it is presented in a nice 3D font, with colors, sound effects and animations. It's not. 
If the message is crappy, meaningless, stupid, nothing will make it better.<br />But this case was somehow different. The subject was "We have to stop Israel!" and the content was just the PP file, which I didn't open. Because it was from an employee of a company we buy supplies from and was sent to my work account, I felt compelled to answer with "We have to stop spam!"<br />And he answered with "It seems that the bombs are not falling on your home". That was when I almost lost it, but I remembered what I wrote and applied my own rules (don't answer in anger, don't answer if you don't have to) to the case and dropped it.<br />I understand that there's a war there, I'm aware that it's a terrible thing and I agree that the war has to be stopped. But that's not the point. The point is that I don't want to get this garbage in my mail account and I have the right to draw the line and say so.<br />And the real problem with these people is that they truly believe they have a higher, sacred right to send anything. Just because they're talking about life and peace and harmony, their message is more valuable than animated puppies.<br />I could write for a long while about how wrong it is to put one's rights over someone else's. Besides, it doesn't matter. The message has no value, the sender is not fighting for peace, he's not saving lives.<br />It's a whole new breed of "fat buttocks" warriors. They think that having the Internet they can reach millions and make a difference. And they're doing it: they're annoying millions. Sitting comfortably in front of a computer, they spread THE WORD around, and most of the time it's not even their own WORD. They use any hot issue to justify a spam crusade. This is something that satisfies their pathetic emotional agenda and that's all the satisfaction they'll get. 
Because it's not about the issue, it's only about filling their inner void.<br />So, here's my rant to them:<br /><br /><font style="font-weight: bold; color: rgb(0, 0, 102);font-size:85%;" ><br />Wake up!! You're doing nothing!! You're just sitting on your fat posterior forwarding PowerPoints. The Israeli government won't stop the war just because you filled its mailbox. Hezbollah probably doesn't have one. The phone companies won't lower their prices no matter how many messages you send. Neither will the oil companies. Fidel Castro is not resigning because you ask nicely in a message. It's not going to happen. If you take a hot issue from the news, it doesn't make sense to try to bring awareness to the general public. If it's in your newspaper, it's in mine too. If you're watching it on TV, I'm watching it too. And if you really, really want to do something about it, go get active on it, do something, move your rear out of that chair. If you want me to listen, at least show me that it's worth enough to make you move away from your bag of chips.<br /></font><br /><br />My second rant is about Gmail. My mail account was "disabled" (whatever that means) and I can't use it anymore. It's not a big deal; the only purpose of that account was to catch scams, spam and phishing, the material that feeds this blog. But it pissed me off all the same. This is not the first account of this kind that I've lost; it's maybe the fourth or the fifth. I can only guess, but I think they're closed because someone reported them as violating the TOS (terms of service). And it's easy to report them: all their traffic is related to scams, phishing, etc., and the identity of the user is fake. Obviously, the complainer is one of the scammers. And they have very good reasons to do that; I'm expressing them in my rant to Gmail:<br /><br /><font style="font-weight: bold; color: rgb(0, 0, 102);font-size:85%;" >Hey! 
From that mail account over one hundred phishing servers were reported, almost all of them monitored until their closure. With mail addresses taken from the phishing messages or from files on the phishing servers, many dozens of potential victims were warned. Over three hundred mail accounts of scammers were reported and closed. And from this mail account, fake checks and transfers for over one hundred US dollars were ruined. Nice work, Gmail!</font><br /><br />The last thing is what I regret the most. I had two scammers sending fake checks to me and a couple more that were about to enroll me. Every time they write a check with my fake name, they have to pay for that check and there's no way to recover it. It's almost impossible for them to get it back and if they do, my name is on it. Every cent on those checks is one cent they won't get from someone else.<br />Also I was on the verge of shutting down a fake bank used for lottery scams, Financial Alliance something. I wasn't shutting it down myself; I was in contact with the domain name registrar and the hosting service trying to make them understand the problem. I've just checked and www.fiall.com is gone.<br />Not bad after all. The account is dead now, but it died in the middle of a fight... and it won that fight!<br /></font><br /><br />James Wolfenstein<br /><br /><br /><b>Are you safe? Are you sure?</b><br />2006-08-08<br /><br /><font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" ace="Tahoma" size="2">Most likely you have a lock on the door of your house, probably more than one. Even so, valuables in the house are stored behind more locks. And I bet that you have at least one box with a lock inside a cabinet with a lock.<br>This is basic safety. The things that have value for us are stored in safe places, with locks that require keys. 
And a key is basically a password. It has a sequence of values, the indentations, in a particular order, and if they match the lock all the levers will align and the barrel will turn freely.<br>Passwords are the keys to our virtual safe boxes: mail, bank account, blog, etc. And the reason we use locks for them is that there we store our virtual valuables.<br>The first problem we have with this is that virtual stuff doesn't seem to be too valuable. If your first experience with a password on the Internet was your personal mail account, the password was more an annoyance than a safeguard. Besides playing a prank on you, there wasn't much value in hacking it.<br>But when the banks started to offer services through the Internet, things changed. Now the virtual safe has real valuables inside. And not only banks. There are a lot of services with real value that merit a good lock and key to protect them.<br>Others are not worth a good lock, like subscriptions to newsletters, forums, media sites.<br>But what about our email accounts?<br>Somehow our personal mail accounts are being left behind in the security department. It's like the old idea of them being worthless got stuck in our minds. In a way it's true, because the chain letters, the endless forwarding of stupid jokes and hoaxes or the PowerPoint presentations with puppies are as worthless now as they were 10 years ago.<br>But now that the Internet is full of services with real value that can be measured in terms of cash, our mail accounts have turned out to be the sum of all those values. Our mail accounts are the entrance door to all those services. Think about it: any one of them will graciously send your password, or a newly generated one, to that mail account at your (or anyone else's) request. Your mail account is your key, your ID, your safe box in the virtual world of the Internet.<br>You probably feel safe about it; you have a password, nobody can enter your mailbox without it. 
So, rule number one is never ever tell your password to anyone. Have you? <b><i>Are you sure?</i></b><br>Believe it or not, the number one method used to get a password is the simplest one: ask for it. Yes, that's right, exactly as you've read it, the best way to get a password is to ask for it. Of course you won't do such a stupid thing; if I ask you to comment on this article with your user name and password you wouldn't do it, would you? What if I ask you nicely? What if I ask you in a different way? What if I change the tone of my voice? What if I rephrase the question?<br>But you know better than that. You never fell for it, did you? <b><i>Are you sure?</i></b><br><br>Every day thousands of messages ask users to click and log in on a web page, and some do. I've been talking about this phishing thing in previous articles. You may say that the ones who fell for it were not the smartest in the pack, and I think you're right. But are you sure that each and every page you've logged in to was the right one? Did you check every single one? Are you able to tell the difference?<br>The typical phishing is pretty rough. For starters, it's a business of volume; it doesn't work unless you send several thousand messages. A lot of them will reach people who don't have an account, and they'll be able to tell that something is wrong. For those who have an account, the message looks like any other message they get from that service. Maybe there's a detail or two, like in the case of PayPal. They always use your first name in every message. The phisher can't do that because he doesn't have that information. These things are explained on PayPal's web page, the part that people don't read. And those who did read it most likely forgot it all by the time they got that message. The only real difference between the fake thing and the real thing is in the source code of the message. Do you check it? Are you able to understand it?<br>These messages are too direct most of the time. 
For a paranoid like me, the feeling of being pushed into doing something triggers all my alarms at the same time. Someone asking me to log in or else... But let's say that you get one message from the auction site with a showcase of products, all of them with links to their pages. It doesn't seem dangerous, it's not talking about logging in, no problems with your account. You click and the auction page shows up, it looks fine, just like the one you know so well. Once you settle down, feel comfortable, the login page appears. It has to be the real one, you were on the site already. Or weren't you?<br>And this is just one possible scenario. As you can see, it takes someone with knowledge and skills to tell if the message is real. You know about phishing because it's everywhere, everyone is talking about it, it's on the news, you're reading about it right here. So you'll suspect any message asking for your password, asking you to log in. But sometime it'll change, the attempts won't ask you for your password directly, they'll be more subtle. Are you prepared for it? <b><i>Are you sure?</i></b><br><br>Once past the message, you have to face the web page. Most phishing attempts are pretty rough in this part. If you check the navigation bar it's evident that you're not in the right place. It could be an IP number or the name of a cigarette factory in China. Whatever it is, it's not the address of the site you're trying to get into. But how many times do you check it? Do you at all?<br>Most of the time we type the name of the site we want to go to or take it from our bookmarks. We can tell that we're going to the right place, we typed the address ourselves. And you know better than clicking on a link offered by an email message. But what about web pages?<br>This is one of the most popular activities on the Internet, clicking. We go from page to page because it's there, it's easy, it's convenient, it's fun. And it doesn't matter if you're just reading the news. 
But if at some point you're offered a link to a site where you have an account, one with real value, and you log in there, do you check if you're on the right site?<br>Some of the most dangerous sites today, in my opinion, are the auction sites. The links to their products are everywhere. Even worse, they pay webmasters to have pages with selections of products linking to the auction pages. It's a nice trick and I'd like to rant for a week about it. By having those pages, the auction sites multiply their chances of being listed on top of the search engines. Let's say that they have an auction of a consumer product that's very popular; this one would show once on the search engine. But if there are many pages with that product and a link to the auction page on many different web sites, it would show up once for every site. And if they have many auctions of that product, multiply that number by the number of sites linking to it. And my problem with it is that if I want to get information about that product I can't find it, the search list is full of auction pages and pages linking to the same auction pages. Try any popular consumer product and you'll see. <br>But this is a topic for another article; the point here is that those pages with selections of products from the auction sites are everywhere, they are known and accepted by the common user. So, if you find what you're looking for and you want to comment, ask or make an offer, you'll click the link and log in. It's natural, we're used to doing this all the time. We click on a couple of pages, we end up on the auction page, and who's paranoid enough to go and check the navigation bar?<br>Making a web page resembling a real auction is not really hard; in fact you don't have to actually do it. The phishers don't MAKE the login page resembling the real one, they just copy it and modify it to suit their needs. And it doesn't have to be an auction site, it could be anything. The traps can be set anywhere and take you anywhere else. 
I mentioned how links can be disguised in a message; the same technique can be used on a web page. Take a look at this silly example, click on the link, visit <a href="http://www.excite.com">Altavista</a> and come back here. Yes, I know. It's not Altavista. If you put your mouse over the link, and your browser status bar is active, you'll see the real link down there, you'll see that it doesn't match the name I offered you. The point is nobody (or almost nobody) checks the status bar before clicking or the navigation bar after.<br><br>So the navigation bar is important and should be checked if you're logging in. But it's not all. There are a couple of tricks to keep you from seeing where you are. One of them is to offer you the login page in a pop-up window without the navigation bar. The other is to use a bogus icon image, those little icons that show up on the left side of the navigation bar. One of those totally useless niceties, for us the users, that turn out to be totally useful for the phishers. The image is supposed to have a fixed size and square shape. But if you create one that's wide enough to cover the URL field of the navigation bar, now the real address is hidden and what you see is the address of the real site that was drawn on that image. Sometimes the font or the font size don't match those of your browser or the alignment is a couple of pixels off center. But you have to be a careful observer to notice such a detail. This trick had its peak last year and I've never seen it again. I guess the new browsers have it fixed... I hope.<br>And the state of the art in deceiving you into going to the wrong site is to intercept your name resolution. In a previous article I explained name resolution in relation to a phishing operation. The name you type in the address field is resolved into an IP number because that's the information the net requires to find the site. Your name resolution is being done by a complex system of distributed servers. 
If I can hack your server and add a record for Yahoo with the IP of one of my servers, you'll connect to it every time you try for Yahoo and your navigation bar will show Yahoo every time. These servers are not very vulnerable but it may happen. In fact there was a case when the root servers were hacked; the records changed on the root servers were propagated to almost all the DNS servers around the world. The event triggered alarms everywhere, and was detected and fixed in a short time. But it proved the potential of a DNS attack. It can alter the name resolution for the whole world by attacking the root servers, only for a group of computers by attacking their DNS servers, or only one computer by feeding it the wrong name information.<br>If you want to try and see how it works, you can do it on your own computer. There's an alternative method to resolve names on your own computer. In fact it's in the chain of resolution and it's top priority. But its list is empty by default and it's rarely used. There's a file in your system called HOSTS, in the directory %SYSTEM%\Drivers\Etc if you're using Windows and somewhere around /etc/sysconfig if you're using Linux. This file can resolve names for you; all you have to do is put the IP number and name separated by a tab or space, one row per domain name. Try adding this line "208.45.133.23 altavista.com" (without the quotes), and see how Altavista turns into Excite. It may need a restart of your browser if you have the address of Altavista already resolved. To avoid unnecessary traffic, your system checks if the name you're asking for was accessed recently and uses the IP number it has in memory. Remember to delete that line or you won't be able to access Altavista again. This won't work if you're using a proxy server because the server will resolve the name for you.<br>This is not a common method of phishing or hacking. 
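The same mechanism can be checked from the other side: instead of adding the line, audit the HOSTS file for names that should never be answered locally. This is an added example, not code from the post. The sample file content (which contains the altavista line the post suggests trying) and the watch list of names are constructed; the file locations assumed are %SystemRoot%\System32\drivers\etc\hosts on Windows and /etc/hosts on Linux.

```python
"""Audit a HOSTS file for entries that hijack name resolution.

Added example, not the blog's code. Sample content and watch list are
constructed; they only illustrate what a real file and a real list look like.
"""
import ipaddress
import os
import re
from typing import Dict, List, Tuple

# Constructed sample HOSTS content. Line 5 is the override the post describes.
SAMPLE_HOSTS = """\
# constructed sample file, comment lines are ignored
127.0.0.1       localhost
::1             localhost
# sends every request for altavista.com somewhere else
208.45.133.23   altavista.com
192.168.1.20    intranet.example   # local override, not watched
"""

# Names you log in to and expect to be resolved through DNS, never locally.
WATCH_LIST = {"altavista.com", "www.altavista.com", "mail.example.com"}  # constructed


def hosts_path() -> str:
    """Where the file lives on the two platforms the post mentions."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text: str) -> List[Tuple[str, List[str], int]]:
    """Return (ip, [names], line_no) for every non-blank, non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop comments, leading/trailing space
        if not line:
            continue
        parts = re.split(r"\s+", line)          # IP, then one or more names
        if len(parts) < 2:
            continue                            # malformed line, nothing to map
        entries.append((parts[0], [n.lower() for n in parts[1:]], line_no))
    return entries


def is_local(ip_text: str) -> bool:
    """Loopback, unspecified and link-local targets are normal in HOSTS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def audit_hosts(text: str, watch_list=WATCH_LIST) -> List[Dict]:
    """Flag watch-listed names mapped to a routable address.

    HOSTS is consulted before DNS, so such an entry sends the browser to the
    listed IP while the navigation bar still shows the expected name.
    """
    findings = []
    for ip, names, line_no in parse_hosts(text):
        for name in names:
            if name in watch_list and not is_local(ip):
                findings.append({"line": line_no, "name": name, "ip": ip})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['ip']} (local override of a watched name)")
    # On a real system: audit_hosts(open(hosts_path()).read())
```

The audit deliberately ignores loopback and link-local targets, which are what a default file contains, and ignores names outside the watch list, so a legitimate intranet override does not produce noise; only the names that matter to you, pointed at a routable address, are reported with the line number to delete.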
If someone has the access and the privileges to modify that file, there are a lot of ways to get your passwords and credit information from files stored on your computer. If it happens to you, it's more likely a "crime of passion". Someone close to you doesn't like you or is playing a prank on you. It's not a common office prank because in most offices the use of a proxy is mandatory.<br><br>If I didn't push you far enough into paranoia yet, brace yourself for the next part. Let's say that you were careful enough not to log into a page other than the one you intended to. There's a good chance you didn't, actually. Despite the high number of phishing attempts, the number of people falling for them is very small in comparison. And what I'm about to describe hasn't been used as a massive phishing operation, and I don't think it will be in the future either. But it's a vulnerability that may expose you to a random act of hacking or, even worse, a targeted one.<br>As part of your Internet experience you take part in different activities that may require a login. Even some that don't really merit one. Imagine that you join a forum: you're requested to register, you're asked for your mail address to send you a verification code, some personal data and a password. Are you using the same password for all your services? Some of you are thinking that this is a stupid question and that it's something not worth mentioning. But you're wrong, it's unbelievable the number of people that can't handle more than a couple of passwords, if they're using more than one at all. If you're one of them, think about this. You've registered on a site where people unknown to you have your mail address and your password. You may think that they don't know it's the same password you use for your mail account. Let me tell you, I'm not a professional hacker and that would be my first guess. I tried that with a lot of people I know (with their consent) and my success ratio has been over 50%. 
And if your mail address is exposed, what else do you have in there? Auction site, Paypal, your bank?<br>I'm not saying that there's a forum out there hacking into mail accounts. As a plan it's pretty lousy. A forum takes time to build up a group of members, and not many have a number of members that can be compared with the number that can be reached with a mail phishing, even with the higher ratio of success that can be achieved. Besides, it's a one-shot operation. People will find out the common link of all the hacking events very quickly, especially in a forum where people talk about things like this.<br>The problem is not the forum and its administrators, the problem is how good the security of the forum is. I think I mentioned in a previous article that many phishing pages are being set up in forums. The phishers are abusing well-known vulnerabilities of the most popular forum scripts. And we're talking about maybe two PHP scripts, maybe not even two. Once you find out a vulnerability that suits your needs, all you have to do is find servers running that script with the version you know is vulnerable or one older than that. You wouldn't believe how easy it is to do that, just Google for it. Ask for that script and the version number and Google will put on your desk a list of those servers. <br>And this is because forum administrators have that information available on their pages. They have to, it's the right thing to do if they use the scripts. The scripts are very good, that's why they're popular, and the administrators who chose them for their forums have to give credit to whom it's due. It's not their fault.<br>And if it's not the script, it's a vulnerability in the web server or the operating system itself. The point is that the user database in that forum has 50% of the keys to your valuables and that you have no way to know how safe it is. 
And it doesn't matter if they say that your password can't be read because it's encrypted; I'll show you in a minute that this is only half the truth.<br>I know that having more than one password is a pain in the rear but there's no other way to go. As you can see, once someone can put your mail address and a password together your whole security fortress starts to fall brick by brick. <br>Even if you're not using the same password for your mail account and the forum, how safe is your password?<br><br>The second most effective way to break into someone's account is by password guessing. There are compiled lists of the most popular passwords, some general and some for particular groups. By language of course, but also by ethnicity, religious beliefs, etc. Those lists are not capricious, they were compiled from real databases of passwords since the beginning of the computer era. Nowadays, most servers have their own list of "popular" passwords and ban them to prevent guessing attempts. Among the top of the list are words like Jesus, God, curse words and, believe it or not, password. Those can be prevented by the server or the user himself, but there's another list that you must take into account, your own list. Your profile in the forum has your name, your birthday, your zip code, your address, your phone number, your city, your country and some other personal details. Which one are you using as a password? I hope none, because this is the list that's being used to guess your password and the success rate is amazing. And if you're typing them backwards, forget it, it's in the book too. Your profile is available to the general public in some places and in others only to registered users. Whoever is on the lookout for your password can register as quickly and easily as you just did. But he won't be using his real information.<br>Password guessing has many advantages for the perpetrator. 
It can be done from the outside, there are many ways to do it without leaving traces, most of the servers don't ban connections based on the number of failed attempts, and it's easy to set up a procedure to do it automatically. And it's effective. Try to play the guessing game with family and friends, you'll see that the youngest, who don't have much value on the Internet, have strong passwords while the oldest, who have money and valuable services, have the weakest.<br><br>And this is something that can be done to break into your account without actually breaking into the server. If your password is weak and the perpetrator is lucky, the server won't be able to tell your login from his. The only difference would be that he may need more attempts than you do.<br>But having access to the server allows the perpetrator to gain access to many passwords all together. He just copies the users file and does the work at home, taking his time. If the server is simple, with lousy security, the users file is probably a plain text file and no more work is needed, the password is right there in the open. If the password is encrypted, it will take some time but it's possible to get the password or something as good as the password.<br>Passwords are not really encrypted, because the value stored can't be decrypted. The method used is to apply a mathematical function to the password and store the result. The function is such that it has to give the same value for the same password and can't be reversed. One example could be the sum of the digits of the password. Let's say that your password is 1234; the sum of the digits is 10 so the number 10 is stored. There's no way to rebuild the password from this piece of information. When you reenter your password and, applying the same function, it matches the value stored, then the server can say that you entered the right password. <br>These functions are called hash functions and are a lot more complicated than the example. 
A good hash algorithm should generate big differences with minimal changes, have an image domain of respectable magnitude and generate the least number of collisions.<br>The first condition is to avoid password guessing by proximity. Two very similar passwords have to turn into two very different hash values. You'll see why in a minute.<br>The size of the image domain prevents massive guessing. A small image domain means that the number of possible results of the hash function is limited. Imagine a hash using the last digit of the sum of the digits of the password. There are only ten possible results; all I need to access any account is a list of ten passwords that give the ten possible hash values. The ideal hash function would be one with an infinite image domain. But even one with a relatively limited space is almost as good in practice. A 10-hexadecimal-digit hash space has more than a million million different hash values, and I can't write the number for one with 1024 digits. It's a one followed by 1,233 zeros.<br>Since the hash function is a one-way function, it's possible to have the same hash for two different passwords. If the image domain is smaller than the space of possible passwords, it will happen for sure, because the number of passwords is greater than the number of possible results. The system would let someone log in to your account with a password completely different from yours. However, finding that particular password is as difficult as finding yours.<br><br>This system of not storing passwords but hash values is efficient and practical. It's not bulletproof safe though. If someone gets the users file and knows the hash function used on that server, there's a method to get either the real password or something good enough to access the account. It's called the dictionary method. <br>To do that, a database is created calculating the hash values of all the words in a dictionary. 
It's a big database but something that a regular computer can handle. This database is used to cross-check every hash in the users file. If there's a match, the word associated to that hash is a valid password for that account. It could be the real password or not but, either way, it will work.<br>The hashes that don't match a value in the database can't be guessed by proximity, if the hash function complies with the first condition. <br><br>Enough with the bad news, let's talk about the good ones. Things that you can do to improve your passwords.<br><br>Pick strong passwords. Not one-word passwords, not only numbers, nothing from your profile, not your name or your address, make them long, change them frequently, and I can keep going on and on forever. These are the recommendations of the experts and I totally agree, but it doesn't help much. Add to that the need to have more than one.<br>The problem is that if they're easy to remember they're easy to guess, and if they're hard to guess they're hard to remember. And you shouldn't have them written on stickies around your monitor. So, the best solution is to have a method you can remember. Some kind of password generator algorithm that can make them with a variety of numbers and letters and lengths but, basically, a method that you can remember. I'll give you an example, not the one I use. The rules are:<br><br>- Put the name of the service, the user and the current month together<br>- Replace all a's with 4's and all i's with 1's<br>- Capitalize the letters in even positions unless they were converted to numbers<br><br>The password for username in Paypal this month would be p4yP4LuSeRn4mE4UgUsT and for the same name in Gmail would be gM41lUsErN4Me4uGuSt. <br>Including the month allows you to change your password monthly without the hassle of going through memorizing it again. The passwords will repeat in a year, unless you throw the year in the mix, but that will be way beyond the ban imposed by most systems. 
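Going back to the server side of the last few paragraphs, here is what the two defences look like in code: refusing passwords that come from the banned list or from the user's own profile (also reversed), and storing only a hash, with the dictionary method run against an unsalted store next to a salted, slow one that the same precomputed table cannot be applied to. This is an added example, not the blog's code and not any forum script's; the banned list, the dictionary, the profile and the user names are all constructed.

```python
"""Registration-side password handling: policy check, hash-only storage,
and why salting defeats a precomputed dictionary.

Added example, not from the blog. All word lists and profile data are
constructed; a real banned list is far longer.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed banned list (the post names password, god, jesus, curse words).
BANNED = {"password", "god", "jesus", "123456", "qwerty", "letmein"}
# Constructed dictionary; a real one holds every word in several languages.
DICTIONARY = ["summer", "hunter2", "sunshine", "football", "welcome1"]
ITERATIONS = 200_000      # PBKDF2 work factor: slow on purpose


def profile_words(profile: Dict[str, str]) -> set:
    """Every profile value, lower-cased, plus its reverse."""
    words = set()
    for value in profile.values():
        v = value.strip().lower()
        if v:
            words.update({v, v[::-1]})
    return words


def password_rejected(password: str, profile: Dict[str, str]) -> Optional[str]:
    """Reason the password must be refused, or None if it passes."""
    p = password.lower()
    if len(password) < 8:
        return "too short"
    if p in BANNED or p[::-1] in BANNED:
        return "on the banned list"
    if p in profile_words(profile):
        return "taken from the profile"
    return None


def unsalted_hash(password: str) -> str:
    """One fast hash of the bare password: what a simple server stores."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Per-user random salt plus a slow hash; the salt is stored alongside."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: Dict[str, str]) -> bool:
    """Recompute with the stored salt; compare without leaking timing."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def dictionary_table() -> Dict[str, str]:
    """Hash -> word, computed once and reused against any unsalted users file."""
    return {unsalted_hash(w): w for w in DICTIONARY}


def lookup_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """One table lookup per stored hash; a hit is a working password."""
    return table.get(stored_hash)


def lookup_salted(record: Dict[str, str], table: Dict[str, str]) -> Optional[str]:
    """The same table against a salted record. The stored value depends on a
    salt the table never saw, so no entry can match: each user would have to
    be attacked separately, ITERATIONS hashes per dictionary word."""
    return table.get(record["hash"])


if __name__ == "__main__":
    profile = {"name": "John Smith", "city": "Springfield", "zip": "62704"}
    print(password_rejected("dleifgnirps", profile))        # taken from the profile
    table = dictionary_table()
    print(lookup_unsalted(unsalted_hash("sunshine"), table))  # sunshine
    print(lookup_salted(make_record("sunshine"), table))      # None
```

The profile check is what the post's "your own list" boils down to on the server: the fields the forum itself collected are the first guesses, so the registration handler should compare against them before anything else. The second half shows the "only half the truth" from the same paragraph: an unsalted store falls to a table built once, while a salted slow hash forces the work to be redone per user and per word.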
Including the name of the server or any word related to it (auction, mail, bank, etc.) allows you to have as many passwords as needed and you don't have to memorize them all, just the set of rules. The last rule seems simple but it's not actually; it's hard to keep count of the positions when you can't see what you're typing. But that's the beauty of this, you can set any rule you like. Capitalize the last letter, or the first, or the one in position X. You can change any pair of letters and/or numbers. I pick pairs that have some relation: 4 looks like an A, 1 looks like an I. And there are a lot of pairs to use: O and 0, B and 8, S and 5, G and 6. You can change letters for the next in the alphabet or the previous one. Try adding a word that only you know, or only a few around you. Like the name of a pet from your childhood, the name of your secret lover, a word from a song that makes you cry when you hear it. This way, even if you write down your rules and leave them on a sticky under your monitor, there's always a piece missing. <br>Be creative but not too much or you'll end up with a set of rules impossible to remember.<br>And try to keep your mail address private, don't spread it around like the plague. Get a disposable mail account for subscribing to unsafe places, media web sites, game sites, anything that asks you for a mail account and has no value. And don't link your safe and unsafe mail accounts. If they get to your unsafe one, the safe one is just one step away.<br><br>It's great to have the chance to have valuable services on the net, but I'm too paranoid for that. I like to go to the bank and show my ID. 
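The three rules given above, written out as a function so the two sample passwords can be checked, with the "word that only you know" from the last paragraph as an optional extra piece. This is an added example, not the author's own method (which he says is a different one); where the secret word goes in the string (before the month) is an assumption, as the post does not say.

```python
"""The post's example password rules, as an added example (not the author's
own scheme). Positions are counted from 1, as in the post's sample outputs.
Placing the optional secret word before the month is an assumption."""


def apply_rules(service: str, user: str, month: str, secret: str = "") -> str:
    # Rule 1: service, user (and the secret piece, if any) and the month together.
    base = (service + user + secret + month).lower()
    # Rule 2: every a becomes 4, every i becomes 1.
    swapped = base.replace("a", "4").replace("i", "1")
    # Rule 3: upper-case the letter in every even position; digits stay as they are.
    out = []
    for pos, ch in enumerate(swapped, start=1):
        out.append(ch.upper() if pos % 2 == 0 and ch.isalpha() else ch)
    return "".join(out)


def year_of_passwords(service: str, user: str, secret: str = "") -> dict:
    """The twelve monthly passwords for one service; they repeat next year
    unless the year is added to the base, as the post notes."""
    months = ["january", "february", "march", "april", "may", "june", "july",
              "august", "september", "october", "november", "december"]
    return {m: apply_rules(service, user, m, secret) for m in months}


if __name__ == "__main__":
    print(apply_rules("Paypal", "username", "August"))   # p4yP4LuSeRn4mE4UgUsT
    print(apply_rules("Gmail", "username", "August"))    # gM41lUsErN4Me4uGuSt
```

Counting positions is the part the post warns is hard to do by hand; in code it is a single index, which also makes it easy to see that a second word, kept off the sticky note, changes every character from its position onward.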
</font>James Wolfensteinhttp://www.blogger.com/profile/08031255153342501209noreply@blogger.com0tag:blogger.com,1999:blog-29171862.post-1154729930996320532006-08-04T15:18:00.000-07:002006-08-08T06:36:35.246-07:00Don't want to say goodbye anymore<font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2"><br />It would be nice not to say goodbye anymore but it's something I have to do.<br>And I'm aware that it's an exercise in futility. They open more accounts and keep doing what they are wired to do. But in the balance, it's a click on the forward button for me and all the hassle of opening another account plus explaining to their "customers" why the change... it's worth it.<br>Nothing remarkable on this list, just a bunch of scammers.<br><br>I have some news from the phishing front. I saw a new variant where the form to post the personal information is in the message itself. It's interesting because this way the phishing page doesn't have to be too obvious; in fact they don't have to set up a visible phishing page at all. The return page could be a blank page with a redirector to the real one (Paypal, eBay, etc.).<br>Unfortunately I couldn't see this one working because it was down already, so there's not much to comment on this. 
Maybe the next...<br><br>And here's the list:<br><br><i><b>mariajames2222@yahoo.co.uk<br>idrisumar_hassan@yahoo.com<br>dr_rich19@yahoo.com<br>johnm_19666@yahoo.com<br>laagstbank1980@touchtelindia.net<br>morrisgreen@terra.com.mx<br>ukspecialclaimsagent@yahoo.co.uk<br>idris_suleman201@yahoo.com<br>soludocharles_cbng@yahoo.com<br>mrs_mudisabrown003@yahoo.fr<br>kar_zongo2004@yahoo.co.uk<br>joanbrower904@yahoo.com.br<br>josephsmith4848@yahoo.com<br>honestmanankrah@yahoo.com<br>karimuzongo1@latinmail.com<br>john_william335@latinmail.com<br>michealmensah1@yahoo.co.in<br>agent_dannyalvares49@yahoo.com<br>danijonesconsultant@yahoo.co.uk<br>morrisgreen113@yahoo.com<br>drjohnson_b@yahoo.ca<br>fachonouremy78@yahoo.com<br>infoprocessing01_cbn@yahoo.ca<br>akinbanker@gmail.com<br>edsonclaimofficre@yahoo.com</b></i><br><br>Farewell my friends, I know you'll be back and I'll be waiting for you</font>James Wolfensteinhttp://www.blogger.com/profile/08031255153342501209noreply@blogger.com0tag:blogger.com,1999:blog-29171862.post-1154726406530434742006-08-03T18:23:00.000-07:002007-03-06T11:37:37.616-08:00A sophisticated phishing operation<span style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);font-family:Tahoma;font-size:85%;" >Remember the Live Messenger installer trojan? It's gone. It doesn't change a bit of my article but it's good news.<br />I'd like to add that I had no grudge with Microsoft, at least not only with them.<br />I mentioned in previous articles how the lack of attention of those in charge of networks and servers is helping criminals in their activities. So, the list of people I have a grudge with is really, really huge.<br /><br />Today I've received yet another eBay phishing message; this one in particular was the tip of a major phishing operation. 
I saw one like this before but a lot smaller.<br />The typical phishing page is set up on a hacked server; there's no need to take full control of it, just access to create a directory and copy some files is more than enough. Lately I've seen a lot of web servers running on ADSL or cable networks, almost all of them Apache web servers. My guess is that more people are using Linux and are leaving the web server running and serving the public interface. Maybe there's a reason to have the web server on, maybe they're using an administration tool that requires it like Webmin, maybe they're doing web page development. But they don't have to serve the public interface. And I can tell that most of the time the intention wasn't to serve the public interface, because if I go back to the root the Apache default page shows up, there's no page there for users outside.<br />The whole phishing job is to hack a server, set up a page, send the messages and wait. The page may have a local data file to store the data collected, nothing fancy, just a text file, or it sends the data by mail to a free account controlled by the phisher.<br />The messages are sent with the same techniques used by commercial spam. Which is good, because most spam filters are catching them.<br />If you want to stop a phishing job, these are the points to attack:<br /><br />* Block the messages; this part is being done already by spam filters. The problem is that they are doing damage control: the messages were sent already, received and stored in the user's mailbox. And to make matters worse, here are some reasons why spam filters are not enough:<br /><br />- Not everyone has a spam filter<br />- Not all spam filters detect all the phishing messages<br />- Some let the message pass because the alleged sender is an authorized mail address for a Paypal user<br />- Some users pick up the message from the spam directory thinking that it was a filter error<br /><br />* Block the access to the page. 
This is the most effective if done quickly. Once the page is blocked or deleted, all the messages are useless. Moreover, the phisher will keep sending messages linked to that page for a while, wasting his time. The problem here is the reaction time of the people in charge of servers and networks.<br /><br />* Catch the phisher.<br /><br />There's not much that can be done with the messages unless someone comes up with an effective way to eliminate spam (I know how, just ask me).<br />Going after the phisher is a very complex problem to solve. You can report the message and from it it's easy to get the originating IP number. Hopefully, if it's being used legally by the phisher, the ISP can identify him; I've seen many of them using DSL services. But at this point they're only spammers, the ISP may slap his hand or terminate his account. My guess is that he has to be a repeat offender to get to that situation. Let's face reality: the complainer is someone that could be somewhere on the other side of the planet, the perpetrator is a paying customer.<br />The servers that were hacked most likely are not being supervised properly; that's the reason why they were hacked in the first place. I don't think it will be easy to get an administrative log, when the phisher logs in to set up the page, or even an access log, when the phisher accesses the data file.<br />At this point, depending on the location of the server and the phisher, they may have a crime. But the owner of the server has not suffered any loss. Most likely, he's not using the web server at all and wasn't aware that it was running. He won't go through the hassle of filing a criminal case in court. He'll be happy to fix his problem and move on.<br />By the time the real crime is committed, with economic loss for the victim, a lot of small links have to be put together to go from the crime to the phisher. 
The victim has to be able to relate the loss of money from his account with the event of logging on to a fake page, someone who wasn't able to tell the difference at that time. Then he has to be able to recover the original message and hope for it to have an IP number linking to the phisher or for the phishing page to be still active. And if the page is intact, hope for a log showing the phisher's activity in any way.<br />Let's say that all these things can be put together; it seems a pretty impressive amount of evidence to support a case. But so far it's all bits and bytes, something that I can make up with Notepad on my PC. This is evidence that requires the analysis of experts to be used in court, people able to explain the meaning of it and to certify that it is the real thing.<br />But all this is after the crime has been committed; it does no good for the victims.<br />The most effective way to fight phishing is to attack the pages. There are fewer of them than messages; once thousands of messages are sent they're out of control. There's no way to take action on all of them. The pages, on the other hand, are static, they can't move, and they're limited in number.<br />It's all a matter of speed; they have to be eliminated fast to minimize the number of people logging in. And if the page has a local data file, it has to be eliminated before the phisher can access it.<br />The first thing is to be aware that the page exists. It seems easy because I've reported so many, but I only know about those that are linked to messages I've received. I've exposed my mail address on purpose to get them and, even so, I'm sure I don't get all of them. The method is pretty good; to be used effectively it would take more than my one-man army. Not much more, a small group of people working in shifts to cover a 24 hours per day operation.<br />The other way to get the warning is in the hands of the original sites. I think I said that before but it's worth repeating. 
The phishing pages are using the images and other elements from the original sites. Every time someone opens the phishing page, it's sending requests to the original site for the logos, styles, etc. Every request bears an HTTP Referer header clearly showing that it's not coming from the original site or another site authorized to request that object. So, the first warning, the one that activates every time a victim falls, is being sent to the original sites. This is a topic for another long article.<br />Once the page is detected, the real work begins. The page has to be closed, deleted, blocked. The problem here is that the owner of the server itself can't be contacted most of the time. Sometimes, the site hacked is a public web server, one that's serving a public IP interface with a purpose. If you get to the home page, chances are you'll find a contact, email address or phone number. Even if you don't, you can check the contacts for the domain name registration. But these cases are not the most common. Public web servers are, in most cases, under control. The people running them are aware of the dangers of a public interface and have an interest in the smooth operation of the servers. So they're either well protected or will answer quickly to a report of hacking. There's still a number of servers handled by clueless people that will be hacked for sure and that won't act quickly or won't act at all.<br />And they should be added to the most difficult group, those servers that nobody knows are serving a public interface. Those are the real problem: they're over 90 per cent of the total, there's no way to contact the owner directly and, most likely, the owner doesn't know how to fix it.<br />Here's where the only resource is to contact the ISP in charge of the IP address and hope for the best.<br />The ISP is not going to block the IP completely, and I think they have good reasons for it. 
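The warning the original site receives, as described at the top of this passage, can be pulled straight out of its access log: asset requests (logos, style sheets) whose Referer points at a host that is not the site's own. Here is that check over a few constructed log lines in Apache's combined format. This is an added example, not code from the blog or from any auction site; www.example-auction.com and cgi.example-auction.com are assumed to be the site's own hosts, and the foreign hosts in the sample are the name and address the post cites.

```python
"""Find copied login pages from the original site's own access log.

Added example, not the blog's code. Log lines are constructed; the set of
own hosts and the asset path prefixes are assumptions for the example.
"""
import re
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Apache "combined" format: the last two quoted fields are Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

OWN_HOSTS = {"www.example-auction.com", "cgi.example-auction.com"}  # assumption
ASSET_PREFIXES = ("/images/", "/css/", "/js/")                       # assumption

# Constructed sample: one normal visitor, two hits from copied pages, one request
# without a Referer, one non-asset hit from a foreign page, one from a sub-host.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Aug/2006:15:18:02 -0700] "GET /images/logo.gif HTTP/1.1" 200 4021 "http://www.example-auction.com/signin" "Mozilla/4.0"
198.51.100.7 - - [04/Aug/2006:15:18:09 -0700] "GET /images/logo.gif HTTP/1.1" 200 4021 "http://84.138.129.118/signin/index.html" "Mozilla/4.0"
198.51.100.8 - - [04/Aug/2006:15:18:11 -0700] "GET /css/main.css HTTP/1.1" 200 1500 "http://amn27d.info/cgi-bin/login.php" "Mozilla/4.0"
198.51.100.9 - - [04/Aug/2006:15:18:12 -0700] "GET /images/logo.gif HTTP/1.1" 200 4021 "-" "Mozilla/4.0"
198.51.100.9 - - [04/Aug/2006:15:18:13 -0700] "GET /ws/item?id=1 HTTP/1.1" 200 9000 "http://amn27d.info/cgi-bin/login.php" "Mozilla/4.0"
203.0.113.6 - - [04/Aug/2006:15:18:15 -0700] "GET /images/logo.gif HTTP/1.1" 200 4021 "https://cgi.example-auction.com/ws/signin" "Mozilla/4.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_own_host(host: str) -> bool:
    """Exact match or a sub-host of one of our own names."""
    host = host.lower()
    return any(host == own or host.endswith("." + own) for own in OWN_HOSTS)


def foreign_referers(lines: Iterable[str]) -> Dict[str, Dict]:
    """{referer_host: {"count": n, "first_url": url}} for asset requests whose
    Referer host is not ours. Only assets count: a foreign page linking to an
    item page is normal, a foreign page embedding our logo is not. Requests
    with no Referer are skipped; a missing header proves nothing either way."""
    hits: Dict[str, Dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ASSET_PREFIXES):
            continue
        ref = rec["referer"]
        if ref in ("", "-"):
            continue
        host = urlsplit(ref).hostname
        if host is None or is_own_host(host):
            continue
        entry = hits.setdefault(host, {"count": 0, "first_url": ref})
        entry["count"] += 1
    return hits


if __name__ == "__main__":
    for host, info in foreign_referers(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {info['count']} asset hit(s), first page {info['first_url']}")
```

The first URL seen per host is kept because it is the page to report: it is the copied login page itself, found without anyone having to receive a phishing message, and each later hit from the same host is a victim landing on it.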
Besides the economic balance, unknown complainer against paying customer, the customer is also a victim. His server has been hacked, he's not getting benefits from the phishing.<br />All the ISP can do is contact the customer and tell him what the problem is. Then, it's up to the customer to remedy the situation. And, most likely, he won't be able to fix it immediately.<br />ISPs don't have firewalls to filter traffic in blocks of public addresses dedicated to customers; it doesn't make sense when the responsibility for the equipment connected to that public address belongs to someone else. With a firewall they'd be able to block the service port for that particular IP address and deal with the problem in time. But it would require high bandwidth equipment with the minimum latency time to filter less than 1 packet in one million.<br />Another alternative would be to force an IP change of the offending connection, if the assignment is dynamic. The ISP has to identify the customer, so he can be notified to fix the problem, force the expiration of the IP lease and reset the connection, forcing the system to request a new IP number. It would be a minor annoyance for the customer but it's a quick solution that could save many from falling into the trap.<br />In systems where the IP number assignment is static, the numbers are fixed for each connection, the solutions for the ISP are more complicated and sometimes there's no other solution than requesting the owner of the server to fix it.<br /><br />And this is basically the way a typical phishing operation works. As you can see, it can be run with almost no resources, besides knowledge and skills, it's really hard to fight against it and the chances of being caught are very small. It's the kind of operation that's profitable no matter how poor the results are.<br /><br />Now, the more complex phishing operation. In this one, the phisher obtained two domain names. 
I don't know if he bought them, maybe paying with an account hacked in a previous operation, or took control of them by other means. One domain name was used for the phishing server and the other for a domain name server. Then he hacked two servers, not to install a phishing page but to install the domain name servers (primary and secondary), and declared them the start of authority for the other name. The name of the phishing server was amn27d.info and the name of the DNS server was COMNET-US.COM. Here's the trick: the names we use for domains mean nothing to a network, they have to be resolved somehow to an IP number. The domain name servers do that. There isn't one huge database of name and number correspondences; in fact it's a distributed database system. Each name falls under the nameservers of its top-level domain (.com, .org, etc). These nameservers have their lists of domain names, but the records don't hold the IP numbers for those domains. Each record has a pointer to the domain name server that has authority over that domain. This gives the owners of the domains more flexibility in the way they handle their networks. Let's say you want to move your web server to a new computer: you don't have to ask someone else to change the IP assignment, you change your own DNS record. Or if you want to have more than one server, you can tell your DNS to point your domain name to different IP numbers. This may work as a backup system, if A fails point to B, or as load balancing, point alternately to A and B.<br />Having control of the DNS and the name of the phishing server, the hacker started planting phishing pages in as many servers as he could hack. I counted over 40 of them. As the servers were set up, they were also assigned to the domain name amn27d.info on both domain name servers. 
So now, every time a request was made for amn27d.info, the DNS server was able to point to any one of the over 40 active phishing servers.<br />I said before that the phishing server was a weak point because it's at a fixed location and, once detected, it can be shut down, rendering all the messages pointing to it completely useless. Well, not anymore. Now all the messages point to amn27d.info and, if one of the servers is down, the DNS will point to any other. In fact, the DNS has no idea whether the page is running or not. It reports to the client asking for that name, you or anyone asking for that page, as many IP numbers as it's configured to report. In this case it was configured to give 5 IP numbers picked randomly from the whole lot. It's up to the client application, your browser, to check if the server is responding and, if not, move on to the next IP number.<br />It's a very complex setup for a phishing operation, but otherwise it's totally normal. Many Internet servers use this kind of setup to improve their performance and uptime.<br />To make matters worse, the hacker set the web servers to respond by domain name and not by IP number (name-based virtual hosting: the server looks at the Host header the browser sends and only serves the page when it says amn27d.info). This means that if you use http://amn27d.info the server responds, but if you use the IP number, http://84.138.129.118, the server doesn't respond or gives you another page. In this case it was a blank page. The reason for that is that it makes it almost impossible to report the phishing servers. If the ISP checks by name, most likely the IP returned by the DNS server will be different from the one seen previously. The ISP would ignore the complaint because it doesn't belong to its network. If it checks by IP number, there's a blank page, no reason to take any action.<br />I found it by name: I took the name from the phishing message, went to that link and saw the page. Because it was using a name and not an IP number, I assumed there was a home page with some content. There wasn't, so no contacts there. 
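Here are the two checks the setup above calls for, as an added example written for this page and not code from the original post: query the name over and over and collect every address returned, then fetch a page from one specific IP while sending the Host header the virtual host wants, which is what an ISP checking "by IP number" should do instead of opening the bare address. The resolver used in the offline run is a simulation of the behaviour described (40 addresses, 5 per answer) over private 10/8 addresses, so nothing here points at a real host; for a live name pass `system_resolver` instead. Thresholds in the heuristic are assumptions.

```python
"""Enumerate the addresses behind a round-robin (fast-flux) phishing name and
verify one host by IP with the right Host header.

Editor's example, not code from the original post. The pool of 40 private
addresses is constructed; the 5-answers-per-query resolver simulates the
DNS server the post describes.
"""
import http.client
import random
import socket
from collections import Counter


def make_flux_resolver(pool, answers_per_query=5, seed=1):
    """Simulated resolver: each query returns a random subset of the pool."""
    rng = random.Random(seed)

    def resolve(name):
        return rng.sample(pool, answers_per_query)

    return resolve


def system_resolver(name):
    """Live resolver: A records via the system stub resolver. Caching in
    between may hide the rotation, so space real queries out over minutes."""
    return socket.gethostbyname_ex(name)[2]


def collect_addresses(name, resolve, rounds=50):
    """Query `rounds` times and count how often each address comes back."""
    seen = Counter()
    for _ in range(rounds):
        for ip in resolve(name):
            seen[ip] += 1
    return seen


def netblocks(ips, prefix=2):
    """Group addresses by their first `prefix` octets (a rough /16 view)."""
    return {".".join(ip.split(".")[:prefix]) for ip in ips}


def looks_like_fast_flux(seen, min_hosts=10, min_blocks=5):
    """Heuristic (assumed thresholds): many distinct hosts spread over many
    netblocks. A CDN rotates too, so this is a reason to look, not a verdict."""
    ips = list(seen)
    return len(ips) >= min_hosts and len(netblocks(ips)) >= min_blocks


def build_request(ip, name, path="/"):
    """Raw HTTP/1.1 request to a specific address carrying the Host header the
    virtual host expects; without it the servers in the post returned a blank page."""
    return f"GET {path} HTTP/1.1\r\nHost: {name}\r\nConnection: close\r\n\r\n".encode()


def fetch_by_ip(ip, name, path="/", timeout=10):
    """Live check: connect to `ip` but ask for `name`. Returns (status, body)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": name, "Connection": "close"})
    resp = conn.getresponse()
    return resp.status, resp.read()


# Constructed pool: 40 distinct private addresses, one per second octet.
POOL = [f"10.{b}.{(b * 37) % 256}.{(b * 91) % 254 + 1}" for b in range(1, 41)]

if __name__ == "__main__":
    seen = collect_addresses("amn27d.info", make_flux_resolver(POOL), rounds=200)
    print(len(seen), "distinct addresses in", len(netblocks(seen)), "netblocks;",
          "fast-flux?", looks_like_fast_flux(seen))
    print(build_request("84.138.129.118", "amn27d.info").decode(), end="")
```

One answer of five addresses looks like an ordinary load-balanced site; it is the churn across answers that gives the game away, which is why the collector keeps a count per address rather than a single snapshot. The report to each ISP can then include both the list and the exact request that makes their customer's machine show the page.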
I checked the name record and started gathering contacts to report to. The name record has info about the owner and also the domain name server that's the start of authority over that name and, making the query, the IP number or numbers.<br />The first funny thing I saw was that the domain name servers of comnet-us.com were on DSL IP numbers and on different networks. It's normal to have DNS servers separated for safety, IPs on different networks is not so common. But DNS servers on DSL IPs is weird. From a network point of view there's no difference between one IP and another; in fact, if you're looking at the IP number only, there's no way to know whether it has been assigned to a web server or to a DSL customer. But network administrators name their IP numbers, all of them, whether they're serving the public or not, for maintenance purposes (the reverse DNS, or PTR, record). So, if you find an IP number with a name like ltown1-1-74.adsl.trix.net, you can tell it was assigned to a DSL customer.<br />Then I saw that the DNS query for amn27d.info returned a different set of 5 IP numbers every time I requested it. I tried and tried and finally compiled a list of more than 40 different IP numbers for that domain. I reported them to all of the ISPs, almost all were DSL connections, but it was useless. Not only did I have to explain to them how to verify the phishing page by resolving the name themselves, even if half of the pages were taken down the messages would keep linking to the others without a problem.<br />I tried to focus on the DNS servers but it turned out to be really difficult. One of them was down before I reported it or immediately after, but with the other still serving it didn't make much difference. And the other kept working for a long time. And the problem was basically that there's nothing wrong with having a DNS server running on your machine with a DSL connection. 
It's weird, it makes no sense for most applications, but it's not a crime and most likely not a violation of any service contract.<br />I reported it with all the details, the ISP asked for more information and I gave it to them, but I can understand their position. If they focus on their bailiwick, there's no problem. They have to look at the big picture to see the problem and, even if they do, it's not easy to explain how their network is involved in an illegal operation.<br />It's gone now. I don't know what happened (nobody tells me anything) but I guess the customer was contacted and he fixed it.<br />The moral of the story is that this kind of sophisticated setup is possible, is cheap, is safe, and that we, the Internet community, are not prepared to deal with it. If I've found one, a lot more must be running somewhere, even more complex, sophisticated and bigger.<br /><br />I said it before and I'll say it again, I don't want police control of the Internet, I think it's fine the way it is. But it needs more responsibility from the users, and I mean all of us. We all take something from it, we should give something too. The merchants have to take care of the marketplace, it's the only reason they're there. And they have to take care of all of the marketplace; right now they are willing to sacrifice a small percentage because they think that percentage is worth less than the cost of taking a little more responsibility. And I'm not saying that they have to save everyone, I don't think it can be done. But at least they have to try, and it's not really expensive. 
If I can take down one operation like this over my lunch hour, imagine how much they could do with a small team working full time.</span>James Wolfensteinhttp://www.blogger.com/profile/08031255153342501209noreply@blogger.com0tag:blogger.com,1999:blog-29171862.post-1154726367533163482006-07-27T17:41:00.000-07:002006-08-04T14:19:27.636-07:00Some cleanup<font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">I have an interesting article to post but it's not finished. I'm trying to make it good enough for non-technical people to understand. It's about a phishing operation, very well planned and organized. It took a lot of reporting and explaining to ISPs but it was worth it. The whole operation is gone... and it will be back.<br>Meanwhile, I want to remember all the scammers who are trying to log in to their mail accounts and can't do it anymore. It's not exactly like that. They have plenty of mail accounts and they can open as many as they want. But every one closed may have meant one victim saved, or at least an annoyed scammer, and it only takes one click on the forward button.<br>You'll notice on the list that almost all are Yahoo mail accounts. The main reason is that their abuse department sends a notification when it "takes action". Whatever that means, the account is closed. Other mail services may take action or not, I can only infer they did because I don't get more mail from that account. Tracking every report to its final conclusion is a day job and I have one already.<br>Also, you'll notice that a lot of names are similar or the same. Sometimes it's the same scammer coming back for more (why disappoint them?) and some others are names of public personalities like Mariam Abacha (wife of the late Nigerian dictator Sani Abacha), Charles Soludo (governor of the Central Bank of Nigeria) or Charles Taylor (ex Liberian leader on the run).<br>Good stories need some undeniable truth underneath to support them. 
Even if you don't know these personalities, you'll find information about them to confirm that they exist and that the story is possible. <br>Some others are names that are referred to somewhere on the web where you can go and verify the story. For example, the names used for inheritance scams are taken from lists of people who died in airplane crashes, train crashes, 9/11. You can go to news web sites and look for this stuff.<br>Lately, there are many scams about US troops finding the money that Hussein (any of them: Saddam, Uday, Who-am-i) had stashed somewhere in Iraq. The names are taken from the news too and the most popular seems to be Robert Seidel, a first lieutenant who died in Baghdad. Why did they take this name? It's a mystery. They could have taken any other name or made one up. But it seems that they are unable to come up with a western name. Don't ask me why, but when the scammers want to impersonate a western person they're always Smiths and Joneses or movie actors (Dr Jack Chan, also known as Jackie, is on the list) or variants of a movie actor's name that somehow end up sounding even more fake than the original, like Clint Southwood.<br>Another interesting thing is that the mail addresses have numbers, lots of numbers. Mostly because they use the same names over and over again. I bet there are at least a thousand Abachas in Yahoo right now, and I mean active accounts only. Also, they open mail accounts in series, xxxx01, xxxx02, etc. This way, if one is closed and they have a "work in progress" linked to it, they can move to the next and pretend nothing has happened. <br><br>A sample of the kind of people we're dealing with.<br>Last week I won the Netherlands lottery. I answered the mail in Dutch, I thought it was a nice touch to use their language as a way to thank them for the prize. Actually, it wasn't Dutch, I don't speak Dutch. But I made it look like Dutch. The agent in charge of my payment asked me to use English. 
So I replied "I thought you'd like me to write in Dutch". And he answered "No, we do speak english here, we're not germans" (sic).<br>It's hard to believe that this kind of person is able to scam money from others, but it happens...<br><br>And here's the list in alphabetical order:<br><br><i><b>agatha_denis@yahoo.fr<br>agatha_g5@yahoo.com.au<br>agentgeorgesimmons01@yahoo.com<br>agentgeorgesimmons5@yahoo.com<br>akachi_emego@yahoo.com<br>alart_efcc@yahoo.co.uk<br>angealfred_01@yahoo.ca<br>arafatsuha10@yahoo.com<br>barclaysbankofficials@yahoo.co.uk<br>barister_prince@yahoo.com<br>barr_cemonynana@yahoo.co.uk<br>barri_frankbrightchambers4law@yahoo.com<br>canada_agent_tob2006@yahoo.com<br>cbngov_624_soludo@yahoo.co.uk<br>cbngov_c_soludo@yahoo.com<br>charlesaka_office44@yahoo.co.uk<br>claims_swtbplc@yahoo.com<br>cyrile27_chambers@yahoo.com<br>dallicklucy@yahoo.co.in<br>david_hill06@yahoo.com<br>donalson1060@yahoo.com<br>dr_musahalloma@yahoo.com<br>drjackchan@yahoo.com<br>eminentleo2004@yahoo.com<br>emma5050tg@yahoo.com<br>fmenv_27.3million@yahoo.com<br>goodwill_akanakpa002@yahoo.co.in<br>goodwill_akanakpa02@yahoo.co.in<br>guei@terra.com.mx<br>harrisjames01@yahoo.co.uk<br>hazmanbinharun5@yahoo.com<br>honda_claimsagent1@yahoo.co.uk<br>info_uk1@yahoo.co.uk<br>infoprocessing_cbn@yahoo.ca<br>jackreinschmidt9878@yahoo.com<br>james_benson502@yahoo.ca<br>jimmy_guei@yahoo.fr<br>jnumvette211@yahoo.com<br>john_mercy002@yahoo.com<br>joy_martin007@yahoo.fr<br>joybrown090@yahoo.com<br>kabah_olivier@yahoo.fr<br>king_harry5@yahoo.fr<br>lamine_kone_14@yahoo.com<br>lchristopher4000@yahoo.co.uk<br>mabachah1675@yahoo.com.ar<br>malik_regan2005@yahoo.co.uk<br>maryann_preeety@yahoo.com<br>mudisat_brown06@yahoo.ca<br>my_1jones@yahoo.co.uk<br>nkemyz_tyoli300@yahoo.ca<br>onukelechi_747@yahoo.com<br>petel05@yahoo.com<br>porkar234@yahoo.com<br>prince_ennita@yahoo.ca<br>prof_charlessoludo405@yahoo.com<br>rabikujio@yahoo.fr<br>rev_will_kingsley147@yahoo.com<br>robertseidel2003@yahoo.ca<br>robertseidel2006
@yahoo.com.au<br>rosemary_collins543@yahoo.com.sg<br>rosepeterci@yahoo.fr<br>sir_wilkins202@yahoo.com<br>sule_i1@yahoo.com.mx<br>sule_ibrahim_nrc@yahoo.com<br>sule_j_4u@yahoo.com<br>tadiga2006@yahoo.co.in<br>tombrown1024@yahoo.com<br>tonygood102@yahoo.ca<br>tonypaul080@yahoo.com<br>vc_obi@yahoo.co.uk<br>vivian_uk40@yahoo.com<br>zuma_edwards2005@yahoo.ie</b></i><br><br>Farewell my friends, I know you'll be back and I'll be waiting for you</font>James Wolfensteinhttp://www.blogger.com/profile/08031255153342501209noreply@blogger.com0tag:blogger.com,1999:blog-29171862.post-1154726322242536772006-07-23T20:52:00.000-07:002007-02-22T07:47:31.216-08:00Email and us<font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">I hate email, sometimes, most of the time, all of the time.<br> Don't get me wrong, I think email is a great thing, but the way we're using it is turning a useful tool into a carving knife stuck in our backs.<br> The biggest problem with email is that it's too easy to use.<br> Yes, read it again. I'm writing it and I had to read it again. But that's exactly the problem. It sounds confusing because it should be its biggest advantage, and it is. And it's also its biggest problem.<br> Not only is it easy for the final user. The rules of the email system, its protocol, are simple and easy to understand. We, as users, don't have to deal with it. But if we had to, believe me, anyone with a couple of hours of instruction would be able to do it.<br> Let's take a look at some of the consequences of the easiness of email.<br> <br> <center><b>SPAM</b></center><br> <br> Spam is the first one to come to mind. Spam exists because mail is easy to use. One spammer can send millions of messages by pressing one button, no sweat. Of course he has to produce the content, the ad, but he has to do it anyway. Before email, the ad was produced too and then printed, folded, put into an envelope, closed, posted, stamped, etc. 
There was a considerable number of mechanical procedures and materials involved. Not only did it take time and effort, also money. The typical spam ad is under 100 Kbytes; a 1 Mbit/s DSL connection may transfer about 100 Kbytes per second. Assuming that the overhead of the communication is 4 times the size of the data (no way), you can send one message every 4 seconds, 21600 messages if your program runs nonstop all day.<br> And this is a very conservative estimate. The overhead is not even close to 4 times the data volume, no decent spammer is working with 1 Mbit/s of bandwidth, using the CC or BCC fields you can send one message once to a huge number of destinations, and some other factors raise the estimate to the levels we're seeing these days.<br> No effort, no cost, it's like a dream. The worst part is that nobody cares whether it's efficient, and it's not. But it is so cheap to do and so easy to reach millions that wasting 99% of them is affordable; just getting a 1% positive response from the 1% that is actually opened and read is worth the investment, because the investment is worth nothing.<br><br>The first attempts to fight spam were based on black lists of sender addresses, not a very successful strategy, and they didn't last long. Today it's totally worthless: you don't get a real mail address from the sender and if you do it doesn't belong to the sender, most likely it's one taken from the same list where your own mail address is, maybe your own.<br>Then the content analysis method appeared, software that checks the content looking for telltale signs of spam. Words like sex, viagra, pharmacy, that showed up in most of the spam messages, were compiled and rated in databases and used to rank each message. For each match the message gets x points, depending on the rate assigned by the database, and loses z points for each word that doesn't have a match. If the message gets more points than a previously established threshold, it's spam. 
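As an added example, not code from the original post, here is a toy version of that scoring scheme with made-up word weights, alongside the normalization step that undoes the tricks the next paragraph describes (digits in place of letters, words split apart) and a sample padded with filler text to show why the per-neutral-word penalty backfires. Weights, threshold and sample messages are all assumptions.

```python
"""Toy word-score spam filter, plus the normalization that catches obfuscated words.

Editor's example, not code from the original post. Word weights, threshold
and the sample messages are made up for illustration.
"""
import re

# Assumed weights for telltale words; real filters carried thousands.
SPAM_WORDS = {"viagra": 4.0, "sex": 2.0, "pharmacy": 3.0, "cheap": 1.0, "pills": 2.0}
NEUTRAL_PENALTY = 0.1   # points lost per word with no match
THRESHOLD = 3.0

# Leetspeak substitutions spammers used to break exact matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
WORD_RE = re.compile(r"[a-z0-9@$]+")


def tokens(text):
    """Plain tokenizer: exact words only, as the first filters saw them."""
    return WORD_RE.findall(text.lower())


def score(text, tokenizer=tokens):
    """Naive ranking: +weight per listed word, -NEUTRAL_PENALTY per other word."""
    total = 0.0
    for tok in tokenizer(text):
        total += SPAM_WORDS.get(tok, -NEUTRAL_PENALTY)
    return total


def normalize_tokens(text):
    """Undo the tricks before scoring: map leet digits to letters, then glue
    split words ('Via gra', 'phar ma cy', 's.e.x') back together whenever
    two to four adjacent fragments concatenate into a listed word.
    Digits in ordinary tokens get mangled too, which is fine for scoring."""
    raw = [t.translate(LEET) for t in WORD_RE.findall(text.lower())]
    out, i = [], 0
    while i < len(raw):
        for span in (4, 3, 2):
            if i + span <= len(raw) and "".join(raw[i:i + span]) in SPAM_WORDS:
                out.append("".join(raw[i:i + span]))
                i += span
                break
        else:
            out.append(raw[i])
            i += 1
    return out


def is_spam(text, tokenizer=tokens, threshold=THRESHOLD):
    return score(text, tokenizer) > threshold


# Constructed samples.
PLAIN = "cheap viagra pills from our pharmacy"
OBFUSCATED = "ch34p v14gra p1lls from our phar ma cy"
# Same ad padded with 80 words of filler: each neutral word costs 0.1 points.
PADDED = OBFUSCATED + " " + " ".join(["whether tis nobler in the mind to suffer"] * 10)

if __name__ == "__main__":
    for label, text in (("plain", PLAIN), ("obfuscated", OBFUSCATED), ("padded", PADDED)):
        print(f"{label:10s} exact={score(text):6.2f}  normalized={score(text, normalize_tokens):6.2f}")
```

The obfuscated sample scores below zero with exact matching and above the threshold once normalized, which is the arms race the text describes. The padded sample stays under the threshold even after normalization: a scheme that subtracts points for every unknown word hands the spammer a free dial, and a page of Shakespeare turns it all the way down.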
<br>The system is sheer genius, I have to give credit to the guys who invented it, but it's not the real solution. The spammers then started to change the words: v14gra, s3x, ph4rmacy. Or cut them, like Via gra, s.e.x, phar ma cy. You can read them but for a computer there's no match in the database. Or they send pictures as inline attachments, no words in the message to rank but you still get an ad that you can read. Or they fill the messages with passages from Shakespeare, Whitman and other authors to decrease the rank of the message.<br>All these tricks were addressed by new versions of the spam filters, but the tricks keep changing and the size of the databases of banned words will eventually render the system useless. But that's what we've got today.<br><br>One thing you should never do with spam is click a link or answer it. This is a NO-NO-NO. Not even if you're interested in the product or service. Most of them are tagged, they have a code linked to your mail address. That option at the bottom you should click if you don't want to receive more? It's a lie, it's a way to confirm that your mail address is good, that it's real, that someone is checking it frequently. Same for the links to the product: whether you buy or not they'll know that your mail address is good. The same goes for images fetched from the spammer's server when the message is opened, if your mail client loads them. Then your mail address will be ranked higher and more likely to be spammed.<br> <br> <center><b>SCAM</b></center><br> <br> A scam mail is a message with a tempting offer. It's always someone who has money for you that you can get just by giving your consent, lending your bank account, posing as the heir of a fortune or just taking the prize you won in a lottery you don't have a ticket for. The reward is always huge, my personal best was an offer of 425 hundred million, about the debt of a third world country. And it has to be, because once the small fees and charges start to surface they want you to keep going to get your pot of gold at the end of the rainbow. 
It's not easy to understand how people fall for this but they do. <br>Sometimes the offers don't look that good but they're good enough. Lately it's common to see job offers that require a fee to cover resume processing expenses or that require you to have a bank account. The first one is pretty obvious but the second is not. The goal is always to get money from you, they'll try anything to make you send some. But the worst of all is when they actually send you a payment, a check or a transfer, because in the USA you're credited that money because you're good for it, not because the check is. This means that the money will be available almost immediately but the check will keep going its way through the system. With the money at hand, you're supposed to send it to the scammer and keep your cut of the deal. Days later the bank will find out that the check is fake or stolen or something like that, and you'll have to give the money back. The bad news is that you don't have it and that you're the one who has to answer for it, because it was you who deposited the check and you can't prove that you received it legally.<br>This trick was (and is) very popular in auctions: the scammer buys your stuff and sends a check in excess of the agreed price. He blames his secretary, his assistant or himself and asks you to send the difference to someone else. Different story but the same ending.<br>Email brought us scams because it's so easy for the scammer to reach us now, but also because it's so easy for us to jump in just by answering an email. And that's the next item, not what we get but what we give.<br> <br> <center><b>SENDING MESSAGES</b></center><br> <br> We saw that people fall for scams, not everyone but enough to keep the business running. Email contributes to these lapses of judgement because of its easiness: we have the urge to move on with it now, we feel compelled to answer every single one as they pop up in our mailbox. 
People don't take the time to think about it, and when they type the answer there's no time either, we go so fast through it. Many years ago, when mail was almost an art, we took our time reading every letter and writing an answer. Enough time to think about it and ponder each word; I'm sure the scam business was a lot harder. While people were writing the answer, the excitement of the first impression started to fade and eventually they would find out the real nature of the offer. Now we suffer the email fever. And not only those who fall for scams, almost all of us do, we answer messages in the heat of the moment. No time to think about it, from reading to writing in a nanosecond, and just a few seconds to type and be ready to send. We can do it all in one breath and regret it for the rest of our lives.<br>Answering email in haste is a big problem for both personal mail and work mail. I'm sure that any company with hundreds of employees is suffering it right now. I know companies with fewer than 10 with this problem right now.<br>Mail replaces face to face communication. People try to avoid confrontation by using email; in a way they feel detached from the mail they write. Dealing with confrontation in person involves emotions, while email somehow has become something totally impersonal. Maybe because old style letters have material existence, we feel that they can convey our feelings, our moods. Email is not even thin air, it has no material form.<br>We have the feeling that, being physically away, we can do a better job of expressing ourselves. And maybe we can if we try, that's what we used to do with letters. But there's one big difference in time: the time it takes to write, the time it takes to send. Time that we used to think, to carefully choose words, to go back and re-read, evaluate and correct.<br>We don't do that with email and I think that rule number one of email should be: take your time. 
Never answer an email in haste, never start answering right away, never answer in less than one minute. If you take some time before answering, you may find a better way to do it. Maybe a more positive, organized, informative answer. Maybe a phone call. Maybe a direct, face to face answer to the sender who's in the next cubicle.<br>I'd like to see new features in future releases of email software to deal with this problem. It could be a client application that blocks the send button for a period of time after you open a message, or a server that sends back every message with a huge sign saying "Are you sure you want to send this?". It could also check how much time you take from reading to sending and act accordingly: the faster you do it, the longer it keeps sending it back for confirmation.<br>It's a joke, but I can imagine a corporation doing it. The bottom line is: take your time, be glad it's not a face to face conversation, seize the opportunity. You can take as much time as you want or need without annoying the other party. We frequently regret what we say because we open our mouths before our brains start to process what we've just heard. Now that we have the chance to reverse the situation, we keep making the same mistakes.<br><br><center><b>SENDING MESSAGES... A LOT OF THEM</b></center><br><br>To make matters worse, another nice feature comes into the picture. Back in the days when a xerox wasn't a part of our everyday life, each letter was unique. If it was addressed to more than one person, it was written or typed many times. If the sender wanted to inform someone else about the content of the letter, carbon paper was used to make a copy during the writing process. It was customary to indicate in the footer how many letters were done and how many copies; even the copies were numbered, indicating how close they were to the original, something you could tell easily just by looking at the intensity of the print. 
This number set the hierarchy of the employees the way cubicle-to-window distance does today. And if the sender wanted someone to be informed and nobody else to know, it was just a matter of adding another carbon paper and omitting that copy from the count.<br>With email you can address your letter to as many people as you want just by adding them in the "To" field. Then copy as many as you want in the "CC" (carbon copy) field or in the "BCC" (blind carbon copy) field. All of them will get exactly the same message. That's why we need different cubicle positions now.<br>But the point is that before it wasn't easy to choose who would get the letter. Making extra originals took time, the number of carbon copies was limited and blind carbon copies were even more limited, because those who were meant to get one always got the first one.<br>Now it doesn't matter. People add and add, anyone in any field. The more, the merrier.<br>On the personal level, this easiness produces chain mail, long messages with one thousand forwarding headers and one silly comment at the end. People forward anything, and I mean ANYTHING. Whatever falls into their mailboxes is automatically forwarded to the whole contact list: friends, family, ex-anythings, co-workers and the plumber. They feel the compulsion to share those things that move them in any way. PowerPoint presentations with puppies, silly two-line jokes, infallible diets and hoaxes of all kinds. And they send to all the contacts on their lists, lists that haven't been checked in ages. Half of the people in there are dead, half of the rest are out of their life, half of the rest are unknown persons who were listed for unknown reasons and the one that's left is the one who sent the message originally.<br>Besides the use (waste) of resources like bandwidth and storage, there are a lot of undesirable consequences of this behavior (I could mention annoying me but I doubt it will change my friends' habits). 
Spreading hoaxes creates the feeling that those stories are real; people are gullible, they want to believe. One probably wouldn't believe one message, but after reading it and hearing someone else talking about it the perception changes. Add to that a reunion where the subject arises and almost everyone is aware of it, and now it has turned into an incontrovertible truth. Of course everyone knows about it, everyone gets the same message, everyone sends it. Nobody is paying for each message you send, not to you nor to anyone. All those kids and teenagers are not lost, and if they are, nobody is doing the search through email. There's nothing wrong with all those products that you've been using for ages, and if there is, it has nothing to do with all the things mentioned in the message. It doesn't matter how many keys you press on your cell phone, you won't get more free calls than those allowed by your calling plan. <br>I'm sure that you can mention that one exceptional message that was real and useful and important, one in a million. And you're right, maybe that one was worth forwarding. But if it was so important, why didn't you erase the forward header? Do you realize that after two page downs without finding a message most people trash it? Why didn't you choose who to send it to? Why didn't you read it with enough attention to understand that that one made sense and the other ten thousand didn't?<br>Forwarding aimlessly is lazy behaviour. If you want to share with a friend, go get some coffee with him and tell him about the message you've just received. Take a copy with you to show him, print it, copy it to a floppy, whatever. Send it to him later if that's what he wants. 
Trust me, it's a better way.<br><br><center><b>MAIL AT WORK</b></center><br><br>It's a lot worse in the work environment, where email has turned into a lethal weapon.<br>Without email, written stuff was final; people met and discussed issues just like today, but the written version was for final decisions, things that rarely changed. And it was done that way because writing was expensive in time and resources. I'm sure that meetings were a lot more productive for the same reason; it wasn't like engraving in stone, but compared with email it was close to it. Everyone wanted to reach an agreement and wanted that agreement to last forever. Imagine what a change would have meant at that time to a hundred-page specification or a blueprint. Even the smallest changes required everything to be written or drawn again.<br>Today, talk is cheap and email is even cheaper. It's not even worth the paper it's written on. <br>Drawings and specifications can be changed in minor details and printed over and over. Meetings are not so critical and issues are left to be discussed over email. Almost anything is discussed over email. <br>And, again, email is a wonderful tool but, like most sharp tools, it may turn into a weapon.<br>Discussing over email allows participants to express their ideas more clearly, without interruptions. Those who read have more time to understand the idea entirely, they can go back as many times as needed, take more time to ask for clarification and answer or not. At any time, all the participants can go through the whole discussion in detail. At the end, the messages can be archived for future reference.<br>Sounds nice, doesn't it? However, in real life it doesn't work like that. Instead, people babble endlessly about anything totally unrelated to the point in discussion. They write as if they were talking, with total disregard for grammar and punctuation. It doesn't matter because nobody reads; each participant tries to impose his own ideas. 
Without face to face confrontation, people feel they can be more assertive, stand their ground even if they're wrong. Because once you've said X, X it is. Otherwise, two of your messages saying opposite things may and will be used against you. We have a natural resistance to acknowledging our mistakes. In oral communication it's easier to blame a miscommunication, a misunderstanding. Nobody can really quote you literally and even if they can it's always arguable.<br>With email, whatever you said is on everyone else's computer.<br>This is not a typical case. This is an enumeration of all the bad things we do with email. I wouldn't want to see all of them together. Because there are a lot more.<br>Every message includes the previous message, which includes the previous message, which...<br>Exactly like aimless forwarding, these conversations grow with each intervention. So everyone has every single message as it was received, plus every previous message included in it.<br>It gets worse. In the middle of the conversation, one participant takes the opportunity to add a personal message to another. Just because his name was there, his mail address at hand, the message is sent complete with all its content and, on top, a comment totally unrelated: an invitation to play tennis or a side comment along the lines of "can you believe this jerk?".<br>And if the receiver is not careful, the conversation may be continued from this message and distributed to everyone. The odd comment may remain unnoticed for a long time, maybe forever, and if found it may be harmless. But what if it's not? What if the jerk finds out?<br>Sometimes this deviation occurs as part of the same conversation. Like when the input of someone not included initially is required for a particular topic. This person receives each and every single message from the conversation, all in one, with a question addressed to him on top.<br>This is a great opportunity to add to the confusion. 
Because he's not going to focus on the issue he should. He may or may not answer the question, but he won't limit his intervention to just that. For starters, he's going to read everything from top to bottom, every single message not meant for him. Because they're there, because he wants to be updated on the situation, because he wants to be sure he's not being set up. After that he may answer only the question he's been asked, comment on any other issue from the conversation, raise any other issue related or not to the conversation, or any combination of these. From now on, whatever his intervention adds to the conversation will be kept circulating on every single message among all the original participants plus the outsider, who will remain included until the end. <br>Nobody wanted him included in the discussion from the start, whether there was a reason for it or not, and, for the same reasons, nobody would want him to remain included. However, nobody wants to cut him out either. <br>And that brings another issue. As we know, sending one message is the same as sending one thousand in terms of effort. Taking names from the address book is simple, easy and fast. No wonder nobody wastes much time trying to figure out who to send to. When in doubt, add, unlike previous ages when one more copy was expensive and the default choice was don't. As a consequence, a lot of people are included who have nothing to do with the issue under discussion. Not only do they get messages they shouldn't, wasting time and resources, but the door is also open for them to actively disrupt the conversation with negative input or divert the attention of the group by raising totally unrelated issues.<br>Nobody really pays attention to how the message was addressed. 
If you're listed in the "To" field, the message is meant for you. If you're listed in one of the copy fields, the intention of the sender is to keep you updated, but your input is not expected, maybe not even desired.<br>It should be a matter of common courtesy, at least, to contact the sender and ask for permission to participate before jumping in. Even by mail, but in a personal message to that person.<br>One would think that, all these problems being so evident, corporations have thousands of professionals dealing with this situation as we speak. And they do: they've been trying to define the problem clearly enough to write the proposal for a specification with rules and procedures to guide users on good and efficient practices in the use of email... over email. The last message I received was 100 Mb of quotes from the last 5 years, and I don't even work for this committee.<br><br>(Just kidding!)<br></font><br><br>James Wolfenstein (http://www.blogger.com/profile/08031255153342501209)<br><br><center><b>Nice support Microsoft</b></center>Published 2006-07-21T22:43:00.000-07:00, updated 2006-08-04T14:17:49.803-07:00<br><br><font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">This was supposed to be an article about email, but a small incident with Microsoft changed my plans.<br><br>I've been talking here about things that we have to deal with every day using the Internet. Things that, for whatever reason, are way out of control for the regular user.<br>Scams that can't be identified by the regular user, that can't be reported due to jurisdiction problems, spam that fills our mailboxes without our being able to tell where it's coming from, etc.<br>In spite of all that, the Internet is a huge marketplace; companies want to be there because people are there. 
Millions spend time on the Internet all day, every day, and companies that wouldn't have gone very far with a thousand-dollar start are now making millions.<br>I don't complain; I think it's fine to have a healthy market going on.<br>But the thing I don't understand is why those who profit from this market don't do something to protect it. It can't be money, they have plenty. It can't be resources, they have plenty. It can't be the lack of a doable solution: they know how to do the job, and if they don't, I do, just ask me.<br>Today I had one more piece of evidence of this attitude, this time from Microsoft itself.<br>I received a message on July 20th with an offer to download and install the new Windows Live Messenger. I'm not posting the message here; besides, it's in Portuguese. But I can tell you that it looks a lot like a Microsoft web page. Whoever did it took the icons and the styles from real Microsoft web pages. This is standard procedure for this kind of trap: the message has to look like the real thing to make you fall for it. <br>Once again, I want to stress the fact that these people are taking the images directly from the real pages. They're not copying the files; they don't have the images stored on their own servers or a hacked one; they're just sending the messages with links to the real thing. Like these:<br><br>http://ads.msn.com/ads/pronws/CIQ2055/images/5.gif<br>http://ads.msn.com/ads/pronws/CIQ2055/images/party_icons.jpg<br>http://ads.msn.com/ads/pronws/CIQ2055/pt-br/6.gif<br><br>I took these links from a fake message; as you can see, they are all files on MSN's servers. The same goes for PayPal's and eBay's phishing messages and web sites: they're all linking to the real files.<br>The companies can use this to their own advantage. The best list of phishing pages and web sites is in their own logs. Every time one of these images is requested, the server's log has the information to identify where it was requested from. 
If the location is a web page on an ADSL IP address, they have to know it's a phishing page. When they're referred from a site in China, Singapore or anywhere else, and it's not an image intended to be used by affiliated sites or the address is not one of their affiliates, they have to know that it's a phishing page. <br>They can avoid this too, save their resources from being used by criminals or, better yet, protect their customers at the same time, the customers that are their reason to exist, those who make the market they're profiting from. <br>The solution is simple: they have to serve images only when the HTTP referrer is their own web page. If it's not, they can either not serve the image or send one with a warning saying "this is not from xxx", "if you're seeing this, it's because this web page or message is not originally from xxx", or any other wording that makes the user understand that he's not looking at the real thing.<br>Surely, the phishers will start to take the images somewhere else and link to them. But that's more work for them and more weak links in their chain; every image store that we can find and shut down will render a lot of messages and web pages useless. <br>Even if the phishers succeed, the companies can escalate their defenses using dynamically generated images. Something that changes with time, depending on your location, even your own profile. Anything that shows that you're connected to the right server when you see a message or use a web page.<br>All these simple solutions will make the criminals invest more time and resources to keep operating; it will make them more vulnerable. It's not a punishment, it's a way to tip the balance of the situation. Today, it's easy to do, it's cheap, it's safe, it's affordable. If they have to invest more time, hack more sites, get more storage space, they'll be more vulnerable, they'll have more weak points in their operation, their cost/benefit ratio will turn to the red side. 
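To make the two ideas above concrete, the phishing-page list hiding in the web server's own logs and the referrer-based image policy, here is an added example written for this page (it is not code from the post, from Microsoft or from any server product). It parses constructed Apache-style "combined" access-log lines, lists every foreign host that is hotlinking the server's image files, and decides per request whether to return the real image or the "this is not from xxx" placeholder. The log lines, the example.net/example.org hosts and the msn.com allow-list are made up for the example; the real requests quoted in the post were for ads.msn.com.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the Apache/nginx "combined" log format. The client
# addresses, hosts and paths are invented for this example, not taken from a real log.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jul/2006:14:02:11 -0700] "GET /images/5.gif HTTP/1.1" 200 4512 "http://www.msn.com/pt-br/promo" "Mozilla/4.0"
198.51.100.7 - - [20/Jul/2006:14:03:45 -0700] "GET /images/party_icons.jpg HTTP/1.1" 200 9876 "http://phish.example.net/messenger.html" "Mozilla/4.0"
198.51.100.7 - - [20/Jul/2006:14:03:45 -0700] "GET /pt-br/6.gif HTTP/1.1" 200 1200 "http://phish.example.net/messenger.html" "Mozilla/4.0"
198.51.100.9 - - [20/Jul/2006:14:03:46 -0700] "GET /pt-br/6.gif HTTP/1.1" 200 1200 "-" "Mozilla/4.0"
203.0.113.22 - - [20/Jul/2006:14:04:02 -0700] "GET /index.html HTTP/1.1" 200 20000 "http://other.example.org/x" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

IMAGE_EXTS = (".gif", ".jpg", ".jpeg", ".png")


def parse_line(line):
    """Split one combined-format line into its fields; None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Host named in the Referer header, lowercased; None when it was absent ("-")."""
    if not referer or referer == "-":
        return None
    return (urlsplit(referer).hostname or "").lower() or None


def is_own_host(host, allowed_hosts):
    """True if host is one of our domains or a subdomain of one (ads.msn.com matches msn.com)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed_hosts)


def find_hotlinkers(log_text, allowed_hosts):
    """Map each foreign referring host to the image paths it pulled from our server.
    These hosts are the candidate phishing pages the post says are sitting in the logs."""
    hotlinkers = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if not path.endswith(IMAGE_EXTS):
            continue  # only image assets are interesting here
        host = referer_host(rec["referer"])
        if host is None or is_own_host(host, allowed_hosts):
            continue  # no referrer, or one of our own pages
        hotlinkers.setdefault(host, set()).add(rec["path"])
    return hotlinkers


def image_response(referer, allowed_hosts, serve_when_missing=True):
    """Decide what to send for an image request: the real image ("serve") or the warning
    placeholder ("warn"). A missing Referer is ambiguous (privacy settings and some proxies
    strip it), so serving in that case is the default; set serve_when_missing=False to be strict."""
    host = referer_host(referer)
    if host is None:
        return "serve" if serve_when_missing else "warn"
    return "serve" if is_own_host(host, allowed_hosts) else "warn"


if __name__ == "__main__":
    for host, paths in find_hotlinkers(SAMPLE_LOG, ["msn.com"]).items():
        print(host, sorted(paths))
```

The caveat a deployment needs: the Referer header is set by the client and is stripped by many privacy tools and proxies, so treat a missing referrer as something to log rather than a reason to block (hence `serve_when_missing`), and treat the foreign-host list as a triage queue for abuse reports to the hosting provider, not as proof by itself.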
Hopefully, the activity won't be profitable anymore. I doubt it, but at least it will decrease. The smallest players will be out and the big ones will see their business shrink. And with a small number of them, maybe it would be affordable to pursue them.<br><br>Going back to the Microsoft support story, the message I received has a link to download and install the new Live(R) Messenger. Here's the link and a warning: DON'T DOWNLOAD THIS FILE UNLESS YOU KNOW WHAT YOU'RE DOING. DON'T EXECUTE THIS FILE. It's a known trojan, and if you want to know about it, all the information is around the web. No need to take a risk for that; go to Grisoft's web page and look for "Trojan horse Downloader.Delf.11.AS".<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">http: // descolados.irishost.net / Install_Messenger.scr</font><br><br>The spaces were added to make you think before trying the link. If you have antivirus software (a good one) and your files are updated, you'll get the warning immediately. <br>So I went to Microsoft's support page and reported it. I also reported it to the hosting service.<br>Microsoft sent me this answer:<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Hi James,<br><br>Thank you for contacting MSN Messenger Technical Support. My name is Jonathan and I'll be glad to assist you with your concern.<br><br>Based on the information I received, I understand that you found a Trojan virus installer advertisement together with Windows Live Messenger.<br><br>Before anything else, please accept my apologies for any inconvenience that you may have experienced because of this issue. Don't worry, I will do my best to try to address your concern.<br><br>With respect to this issue, I would need you to send a support request to the Windows Live Messenger technical support queue, as the resolution specialists of the said support queue are tasked to handle concerns such as the one you are currently experiencing. 
James, I know that going through the process of re-sending a support request would be a bit tedious on your part, but rest assured that doing so will help resolve your concern in the quickest possible time. To send a support request to the Windows Live Messenger technical support queue, please visit: http://support.live.com and click Windows Live Messenger.<br><br>In this light, I hope that I was able to help you with your concern.<br><br>Feel free to contact us through http://support.msn.com if you need further assistance. For additional help, visit http://messenger.msn.com/Help.<br><br>Thank you for contacting MSN Messenger Technical Support. Have a great day.<br><br>Sincerely,<br><br>Jonathan<br>MSN Messenger Technical Support</font><br><br>I have to recognize that they're nice people. First of all, they apologize; it doesn't matter why, they do. I hate that attitude; it seems that if you're contacting support they have to, to make you feel better. Well, it's not working. It doesn't make me feel better. I know they don't mean it; it's just part of the training, it's the procedure. They don't have to apologize for something that's not their fault. The point is that they don't pay attention to the customers, they don't listen, they don't take positive action. The procedure is to make you feel better and move on.<br>But this is just a rant; the real issue is that they don't take it as their problem. As you can see, they want me to go back to the support site, but this time to the specific support site for Live Messenger. They know that it "would be a bit tedious", but it will "help resolve my concern". IT'S NOT MY CONCERN!! IT SHOULD BE THEIRS!!<br>Here's my answer.<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Jonathan<br><br>I'm not going to do anything. I don't care. It's not my problem. I was nice enough to warn you about an event that may hurt your users, even Microsoft's image. You go and deal with it, or do nothing. 
The solution is one phone call away from you, but it's a lot easier to put the burden on me and send me to fill in another web form that will send me another automated response...<br>Sorry, I won't do it. Microsoft has been informed of the situation and I'm taking this message as the official answer. Thousands of Microsoft users will fall on that page, probably thousands did already, and the solution was pretty simple. In fact I'm doing it, I'll keep trying to contact the site owner, the IP owner and the domain registrar until one of them takes the page down. They won't listen to me, they don't, they didn't. However, it feels a lot more productive than wasting my time going through Microsoft's corporate support system. <br><br>Have a nice day</font><br><br>Meanwhile, the page is still there...<br><br>PS: I've just sent another round of messages to tfisher@irishost.net, jgilmor@irishost.net and abuse@webhostplus.com</font><br><br>James Wolfenstein (http://www.blogger.com/profile/08031255153342501209)<br><br><center><b>Big Brother - Part III</b></center>Published 2006-07-07T18:07:00.000-07:00, updated 2006-08-04T14:17:05.306-07:00<br><br><font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">Back to Big Brother: is there something that may be called Big Brother on the Internet?<br>Yes, there is.<br>It's not what you're thinking of; there's no such thing as a huge database with all our names and a log of each and every session we open on the net. At least I hope not. But there are other things that, in the common user's perception, are almost as scary as that.<br>Right now you're under my scope. This blog has a log feature (courtesy of eponym) like any other web server. This log tells me where you come from, your IP address, what browser you're using, the timestamp, what you requested, if you clicked on a link and where the link was, etc. It doesn't say much about you yourself. 
I wouldn't be able to follow your steps unless you used exactly the same browser from the same IP, and even then I wouldn't be sure it's you all the time. The idea of this log is to help the owner administer the site, check resource requirements, adjust the design of the page to serve all the different browsers, etc. <br>But let's say that I give you an option to "improve your reading experience", something like choosing your own font or your own background color. Unless I can identify you, you'll have to repeat the choice every single time. One option for this would be to make you open an account and save your preferences. The other is a "cookie".<br>A "cookie" is a piece of data related to a site that is stored on your computer. The cookie allows the server to recognize you from request to request, remember your preferences and follow your steps.<br>But before going further into this, there's something you have to understand about web servers. Let's say that you log into your webmail or go to a news web page. You spend some time there and call that a session. The server knows you, because you said who you are, or not in the case of the news page. But in both cases you notice that the service was oriented to you. Your webmail always shows your inbox with your messages and sends in your name. The news page always shows the headlines related to the topics you had chosen previously. You don't have to identify yourself or repeat your choices every single time you open a new page.<br>However, from the technical point of view, a web session is a request for one element and one element only. When you open this page, you send a request to the server for the index.htm document. The server sends you that file and you close the session (your browser does). The index.htm file is just the text and the format of the page; you can check it out with the View Source option in your browser. 
Once your browser has the HTML file, it starts asking for the elements required to build it for you. The images, JavaScript files, any multimedia file, etc.: they're all referenced in the HTML file and requested from the server one by one in different sessions. By session I mean a TCP/IP session: your browser opens the session, the server acknowledges your request, your browser sends the message requesting one element, the server sends the element, your browser closes the session. Up to this point, this is what the HTTP protocol does, no more, no less.<br>The protocol itself has no way to know that it's you through all those sessions, and for the plainest and simplest pages it has no need to. Like this page: any request for any element will be served exactly the same regardless of the client. But if you're using your webmail or your bank account, the server needs to know who you are in order to build a page with the information relevant to you. <br>The cookie does that: the server creates a virtual session, assigns a code to it and sends it to your browser in a cookie. Every time your browser sends a request to the server, it sends the cookie too. The server knows that that particular cookie was generated and sent to you at the time you identified yourself, hence any request bearing that cookie must have come from you. <br>That's a session cookie; it's good only during that session. The cookie is created with a short lifespan, on the order of hours or minutes, and should be discarded when the browser closes.<br>There are also persistent cookies, cookies with a long lifespan, even beyond reasonable limits that we can call eternity for practical purposes. Those cookies are the ones used to "improve your browsing experience". They store your site preferences, but most of the time it's just one code, an ID code. The server stores your preferences and links that set to the ID code sent to you in the cookie. 
From that point on, all your requests include the cookie; the server looks up your preferences and personalizes the page for you. Nice, isn't it?<br>Also, now the server is able to track your steps from session to session. Let's say that you visit your favorite bookstore and spend some time looking for books about gardening. Then, on your next visit, half of the books highlighted on the front page are about gardening. Have they read your mind? Is this a case of Jung's synchronicity? Of course not: your browser now has a cookie, and your cookie has been linked to many search requests for "gardening". The server does it to improve your "shopping experience". And to make it more likely that you buy a book.<br>Now this seems intrusive; they're really tracking your every step, what you look for, what you're into. Yes, it's true. But unless you open an account with them and identify yourself with your real information, they have no way to know who you are. And, most likely, they don't care.<br>Is that so bad? <br>I bet that there's at least one store where you drop by frequently. A coffee shop on the way to work, a deli, a drugstore, a tobacco store. If there is, chances are that you're served before ordering most of the time. The server acknowledges your "cookie", you, the real you, and has it linked to your preferred mochaccino, sandwich or cigarette brand. We don't see this as intrusive. However, a stranger is aware of our preferences: where we buy, when we buy, what we buy.<br>The difference is in our minds. The desk clerk is human, the server is not; we have a natural inclination to trust humans and distrust machines. On the other hand, we don't pick up a porn magazine in front of a human clerk, but we take it from the server that we distrust. <br>I know, it's not easy to understand. But the human mind is too complex to be explained in this blog.<br>Moving forward with the Internet and privacy.<br>So far, we've been through some of the ways a server can look over our shoulders. 
None seems to be really scary. Even a persistent cookie looks harmless: it doesn't carry our identity, and it is limited to the server that issued it. And you have many ways to avoid them.<br>In your browser settings there is an option to set policies for cookies. The options change from one brand or version to another, but basically they are whether to accept cookies or not, what to do with them, and a list to single out servers for specific actions.<br>Nowadays, a policy of rejecting all cookies is a bad idea, since most sites involving long sessions, like webmail or shopping sites, rely on cookies to operate. So at the very least you have to allow session cookies; optionally you can designate the sites you use. You can also have a list of sites for which you want to keep your preferences. Then you either block all the rest, or set a policy to delete all cookies when the browser closes, or go to your browser settings and delete them yourself.<br>That's a good set of policies if you're worried about cookies. I prefer to delete them myself, but not from my browser settings: I go to the cookies directory and take them all out.<br>So you can do the same: go to your Documents and Settings directory, there must be one with your profile name and in there a Cookies directory. This is if you're using a 32-bit version of Windows or later; other operating systems and browsers may have their own separate directory. Anyway, you'll find a list of files, most likely named your_name@some_domain. Each file is a cookie related to that particular domain, so you'll find there a list of some places you visited and some you didn't. Yes, you read that right, some that you THINK you didn't. I'm sure that you've never been to 2o7 or doubleclick or zedo or webtrends, and the list is a lot longer than this.<br>Now you must be wondering how this happened. I said that you get a cookie when you visit a site, you only get a cookie related to that particular site, and your browser sends cookies only to the site they belong to. 
And all of this is completely true, at least I hope so. The answer is that you visit a huge number of sites without knowing it. <br>Let's go back for a second to the HTTP session. When you ask for a page, the server sends you the first element, the file of the page itself. It contains all (or most of) the text, the formatting information and the references to all the other objects. But those objects may or may not be on the same server. So you get your page from server A, the HTML text says that an image is required and that it is located at server B. Your browser opens a session with server B, exchanges cookies if needed, and gets the image. Meanwhile, you've visited a site you didn't explicitly ask for.<br>This is not against any rules; it's totally normal, although unexpected for the common user. Some of these links are used just because the page requires that element from another server. For example, some forum pages don't allow users to store avatar images on the server; you have to store it somewhere else and configure the link in your profile. Every time a page has to show your avatar, it includes the link to the server you designated for that. These cases most likely don't use a cookie.<br>Most of the links that use cookies are advertising: pages that have contracts with doubleclick or zedo are paid for setting a link on their pages. Every time you request a page, one or more requests are sent to the advertising server for the elements required to complete the page. Those elements may be always the same, or changed frequently, or rotated among a group of ads. Those servers need to keep track of each and every request made, to show results to their clients and pay the page owners. 
They set cookies for many reasons: they want to know how many different persons were exposed to each ad, they want you to see as many different ads as possible and, if you clicked one, they want to send you those ads that you're more likely to click.<br>Remember that one rule of cookies is that they're only related to one site? They are. The cookies from ad server A are and will be exchanged only with server A. The problem is that server A is being referenced from sites B, C and D, the sites you're visiting. Now server A can tell when and where you visit each of these sites; if you pick an ad from B, they'll send you related ads when you visit C and D.<br>This is targeted marketing, and I doubt they use it for any other evil purpose. In fact, most of them just control the number of exposures for each ad, balancing diversity and quotas, showing each user as many different ads as possible and reaching the goals required for each paying advertiser. The selection of topics is done beforehand: porn ads on porn sites, foods and wines on epicurean sites, etc. <br>Google does this topic analysis for its AdSense program. The topics are chosen based on the statement of the site owner who subscribes to the program, but also by the content. It's not very accurate. Suppose that you have a site about the red lobster of the South Pacific (I have no idea if such a thing exists); you're trying to bring awareness to the general public about this creature in danger of extinction due to excessive fishing and habitat degradation by human activities. AdSense could fill your site with ads about lobster restaurants, fresh lobster on sale and lobster recipes. But taking into account the huge number of ads shown every minute, the results are good. Otherwise, people wouldn't pay for it or take it for their sites.<br>I don't know if Google is doing what I'm about to mention; if it starts to do it, I hope they send some money my way. The system gets more accurate as more users choose ads. 
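The session cookie mechanism from the webmail explanation and the third-party tracking through sites B, C and D described above are easiest to see side by side, so here is an added simulation written for this page (it is not code from any browser, webmail or ad network) using only Python's standard http.cookies module. It plays both sides of the exchange: a browser with a per-host cookie jar, a webmail server that issues a session cookie, and an ad server that issues a long-lived cookie and records the Referer of every banner request. The hosts mail.example, ads.example, b.example, c.example and d.example, the cookie names sid and ads_id, and the user alice are all assumptions of the example.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class Browser:
    """Tiny cookie jar: cookies are filed under the host that set them and are only
    ever sent back to that host, which is the one-site rule the post describes."""

    def __init__(self):
        self.jar = {}  # host -> {cookie name: (value, persistent?)}

    def store(self, host, set_cookie_header):
        """Parse a Set-Cookie header value and keep the cookie for that host."""
        c = SimpleCookie()
        c.load(set_cookie_header)
        for name, morsel in c.items():
            persistent = bool(morsel["max-age"]) or bool(morsel["expires"])
            self.jar.setdefault(host, {})[name] = (morsel.value, persistent)

    def cookie_header(self, host):
        """The Cookie header the browser would send to this host: only that host's cookies."""
        return "; ".join(f"{n}={v}" for n, (v, _) in self.jar.get(host, {}).items())

    def close(self):
        """Closing the browser drops session cookies (no Max-Age/Expires); persistent ones stay."""
        for host in self.jar:
            self.jar[host] = {n: t for n, t in self.jar[host].items() if t[1]}


def parse_cookies(cookie_header):
    """Server-side view of a Cookie header: name -> value."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    return {n: m.value for n, m in c.items()}


class Webmail:
    """First-party site: the session cookie is the only thing tying a request to the login."""

    def __init__(self):
        self.sessions = {}  # session id -> user

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        c = SimpleCookie()
        c["sid"] = sid
        c["sid"]["httponly"] = True  # no Max-Age: this is a session cookie
        return c["sid"].OutputString()

    def inbox(self, cookie_header):
        user = self.sessions.get(parse_cookies(cookie_header).get("sid"))
        return f"inbox of {user}" if user else "please log in"


class AdServer:
    """Third-party site embedded by B, C and D. A persistent cookie plus the Referer of
    each banner request lets it link visits to different sites to one browser."""

    def __init__(self):
        self.log = []  # (tracker id, host of the page that embedded the banner)

    def banner(self, cookie_header, referer):
        tid = parse_cookies(cookie_header).get("ads_id")
        set_cookie = None
        if tid is None:  # first contact: hand out a tracker id that lives for years
            tid = secrets.token_hex(8)
            c = SimpleCookie()
            c["ads_id"] = tid
            c["ads_id"]["max-age"] = 10 * 365 * 24 * 3600
            set_cookie = c["ads_id"].OutputString()
        self.log.append((tid, urlsplit(referer).hostname))
        return set_cookie

    def sites_seen_by(self, tid):
        return [host for t, host in self.log if t == tid]


def demo():
    """Walk through the post's scenario and return what each party observed."""
    browser, mail, ads = Browser(), Webmail(), AdServer()
    mail_host, ad_host = "mail.example", "ads.example"  # hypothetical hosts
    # 1. Log in: the server issues a session cookie and later requests carry it back.
    browser.store(mail_host, mail.login("alice"))
    before_close = mail.inbox(browser.cookie_header(mail_host))
    # 2. Visit three unrelated sites that each embed a banner from ads.example. The browser
    #    sends ads.example only its own cookie, but the Referer names the page being read.
    for site in ("b.example", "c.example", "d.example"):
        set_cookie = ads.banner(browser.cookie_header(ad_host), f"http://{site}/news")
        if set_cookie:
            browser.store(ad_host, set_cookie)
    linked_sites = ads.sites_seen_by(browser.jar[ad_host]["ads_id"][0])
    # 3. Close the browser: the webmail session is gone, the tracker cookie is not.
    browser.close()
    after_close = mail.inbox(browser.cookie_header(mail_host))
    return {"before_close": before_close, "linked_sites": linked_sites,
            "after_close": after_close, "tracker_survives": "ads_id" in browser.jar[ad_host]}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the three facts the post states: the webmail server recognises the browser only through the sid cookie; the ad server sees the same ads_id arrive from three different referring pages and can therefore link them; and closing the browser discards the session cookie while the Max-Age cookie survives. Note that the browser never sends mail.example's cookie to ads.example; the cross-site linkage comes entirely from the ad server's own cookie combined with the Referer header.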
In the lobster case most users would ignore the ads, making them less likely to be reassigned to that site. On other sites, where the ads match the content of the site and the interests of the visitors, the click rate is high, making them more likely to be assigned to that site and to others with related content or linked from there.<br>I don't like ad-laden sites where you have to dig for the content you're looking for, not to mention those sites that are all ads and no content. But at some point I have to compromise. I like the idea of having free web sites with content I can use: news, recipes, instructions of any kind, reading material. The owners of the sites need an incentive to keep doing it, and money is THE incentive. Web sites with ads are a good thing because they'll keep those sites free for everyone else; however, small sites don't have the mass of visitors required to negotiate with advertisers directly. Ad servers filled that gap, dealing with a large number of sites that together can provide that mass of visitors for the advertiser.<br>The last group of the unknown cookies in your directory (and mine) is the scariest of all. This is the one we can call Big Brother. I know for sure that you have at least one 2o7 cookie. And the reason I know that is because almost all the most popular sites have links to it. The owner of those cookies is a company called Omniture, probably the biggest of its kind but not the only one. Omniture is doing statistical analysis. They basically count every single time one of their links is requested and relate it to the cookie that comes with it. Each time a link is requested, they know whether you have one or more of their cookies (if not, they send you one right away), what page you've just opened, the time of the request, the server that served that page, your browser brand, some of the basic options you have set and some other minor information. 
This information doesn't seem to be valuable at first; it doesn't include your identification, and I don't think they really care about it. But if you put it together with all the millions of little bits of information, things look very different. Of course, it takes talent to make valuable data out of such a huge pile of bits, and Omniture seems to have it, being the most successful in its class.<br>Evil as it may seem, there's nothing wrong with it. Let me rephrase that: I can think of a thousand reasons why it's wrong to do that, but not one related to the privacy of the users. The owners of the sites have the right to know at least how many times their pages are visited; they even have the right to know who is reading their pages. Some do, and request you to register and ask for your name, your address, your phone number. Some even go further and request evidence of your identity to register. But it's your choice to do so. Once you voluntarily access a site, they own that bit of information about you.<br>On the practical side of the matter, your identity means nothing. There's no sense or need to know who you are. Statistics and statistical correlation have no meaning unless the number of events measured is huge. <br>Let's say that you have a die; you know that the odds of getting a certain number in a throw are 1 in 6, one sixth. You assume that all of the numbers have the same probability. You throw it once, and the probability of getting any number is the same for the next throw. However, statistically, the number you got on the first throw should be slightly less probable because, in the long run, all the numbers should appear about the same number of times. Sounds like a paradox but it isn't: the uniform distribution after a large number of events is a consequence of those events having the same probability. The key here is the large number of events because, as any Yahtzee player knows, rolling the same number many times in a row is possible. 
But if you roll the same die six thousand times, you should get each number about one thousand times. A small deviation is expected, but if you get something beyond 2 or 3 percent, you'd better get that die checked.<br>Statistical analysis is based on this. Human behavior can't be calculated in terms of probability, at least not beforehand. But if you measure some event a large number of times, you can infer the probability from there.<br>I'll give you one example of correlation. Imagine a graph showing the age of people against a list of sites that people visited over a period of time. After you plot the first 10 points, that's what you've got: 10 points scattered across the graph. As the number increases, you can start to see trends, or that there are none. A site with an even distribution of points along the whole age scale has no correlation with it, meaning that age is not a factor for that particular site. If a site is more popular among people of a certain age, that part of the line has a higher density of points. And the same going across the age scale: sites more popular for each age segment have a higher density of points. <br>Not so many years ago, statistical correlation wasn't so popular just because it wasn't easy to get a large number of measurements to analyze. Of course some statistical analysis was done, but in most cases the numbers were not big enough to make the analysis accurate. <br>The Internet changed that. Not only can you get millions of millions of measurements, you can get millions of different events. Even more, you can link different events to the same person. It doesn't matter who he or she is; what's important is that those events are related to the same person. And, best of all, the collection of data is done automatically.<br><br>As you can see, someone's looking over your shoulder while you surf around the Internet. I think that marketing is evil; this kind of marketing is even worse than evil. 
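An added worked example for the die and the age-versus-site graph above (constructed here to illustrate the post's reasoning; it is not the author's own code): it simulates fair and loaded dice, measures the percentage deviation the post mentions, adds Pearson's chi-square statistic as the standard form of that "get the die checked" test, and buckets a constructed list of (age, site) observations to show where correlation with age shows up. The 11.07 critical value (5% level, 5 degrees of freedom), the VISITS data and the games.example/news.example site names are my choices, not anything from the post.

```python
import random
from collections import Counter


def roll_counts(n_rolls, faces=6, seed=None, weights=None):
    """Roll a die n_rolls times and return the count per face (index 0 is face 1).
    `weights` simulates a loaded die; `seed` makes the run reproducible."""
    rng = random.Random(seed)
    counts = Counter(rng.choices(range(1, faces + 1), weights=weights, k=n_rolls))
    return [counts[f] for f in range(1, faces + 1)]


def max_relative_deviation(counts):
    """Largest |observed - expected| / expected over the faces: the post's "2 or 3 percent"."""
    expected = sum(counts) / len(counts)
    return max(abs(c - expected) / expected for c in counts)


def chi_square(counts):
    """Pearson's chi-square statistic of the counts against a uniform distribution."""
    expected = sum(counts) / len(counts)
    return sum((c - expected) ** 2 / expected for c in counts)


def looks_fair(counts, critical=11.07):
    """Six faces give 5 degrees of freedom; 11.07 is the 5% critical value of chi-square(5).
    A statistic above it is the "get that die checked" signal. With only a few rolls the
    test has little power, which is the post's point: a mildly loaded die easily passes."""
    return chi_square(counts) <= critical


# Constructed (age, site) observations: the raw points of the post's age-versus-site graph.
VISITS = [
    (15, "games.example"), (16, "games.example"), (17, "games.example"), (19, "games.example"),
    (22, "news.example"), (33, "news.example"), (45, "news.example"), (67, "news.example"),
]


def age_profile(visits, bucket=10):
    """Count visits per site per age bucket. A site whose points pile up in one bucket is
    correlated with age; an even spread across buckets means age is not a factor for it."""
    profile = {}
    for age, site in visits:
        profile.setdefault(site, Counter())[(age // bucket) * bucket] += 1
    return profile


if __name__ == "__main__":
    fair = roll_counts(6000, seed=1)
    loaded = roll_counts(6000, seed=1, weights=[3, 1, 1, 1, 1, 1])
    print("fair die:", fair, f"max deviation {max_relative_deviation(fair):.1%}", looks_fair(fair))
    print("loaded die:", loaded, f"max deviation {max_relative_deviation(loaded):.1%}", looks_fair(loaded))
    print(age_profile(VISITS))
```

With 6000 rolls the fair die lands within a few percent of 1000 per face and passes the chi-square test, while the loaded die (face 1 three times as likely) misses by well over half and fails it; try `roll_counts(12, ...)` for both and the two become hard to tell apart, which is exactly why the tracking described in the post only becomes meaningful at Internet scale.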
But not because our personal privacy is being violated, I don't think it is; it's because our collective privacy is being violated. We, as a human group, are being closely watched, scrutinized and dissected. But I won't complain; I still feel that we're far away from 1984.<br><br>One last comment about Omniture. If you go to 2o7.net, you'll get to a page where Omniture explains briefly the meaning of all those links you find on some other sites pointing at 2o7.net. Don't expect an apology. They do this on behalf of their customers, the web sites, so you should go check the privacy policy of each site. And they're right. <br>The funny thing is that they have at the end of the page a link that allows you to opt out of the system. If you don't want to be watched by them you just have to click there... and get another cookie.<br> </font><br><br>James Wolfenstein (http://www.blogger.com/profile/08031255153342501209)<br><br><center><b>More scammer's mail addresses</b></center>Published 2006-07-05T18:04:00.000-07:00, updated 2006-08-04T14:16:25.150-07:00<br><br><font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">I've been neglecting those who were kicked out of their mail servers. I'm sure they'll be back soon. 
Meanwhile I'd like them to see their names listed here.<br><br></font>James Wolfenstein<br>http://www.blogger.com/profile/08031255153342501209<br>Post id tag:blogger.com,1999:blog-29171862.post-115472613883123932, posted 2006-07-02T22:18:00.000-07:00, updated 2006-08-04T14:15:39.106-07:00<br><br>Big Brother - Intermission<br><font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">This is an article out of schedule; I had this topic in mind, but for a later time. However, this issue is urgent and requires all our attention today. I'm talking about neutrality.<br>Neutrality is not an easy concept to understand, mostly because there's no such thing. Neutrality means that each and every packet that goes through the net is treated equally.<br>The Internet doesn't have neutrality as a feature; neutrality is natural, not intended or produced by human action. The net is neutral because nothing is being done to avoid it. And the big issue now is that the ISPs want to change that: they want to change the rules and treat some packets differently.<br>Here's the idea. According to the ISPs, the major problem with the Internet today is that no bandwidth is enough.
Not so long ago we did fine with a 14 Kbps modem; some of us started with a 300 bps modem, and either way we were able to use the net with the services available at that time. Soon we moved to bigger modems: 28 Kbps, 33 Kbps, 56 Kbps. Why is arguable: was it because the technology allowed us to do so? Was it because the requirements of the available services grew? But the point is that, going this way (according to the ISPs), no bandwidth will be enough to ensure the quality of the services as their requirements keep growing. Today it is not out of the question to have a 2 Mbps Internet connection in your house; think about it, that's over one hundred and forty times that old 14 Kbps modem.<br>The solution proposed is to break the neutrality of the network and give some packets priority. This way the services that require immediate attention will always work and those with less urgency will be delayed. They can prove mathematically how this works and how happy we'll be with the new, improved, optimized Internet.<br>On the other side, the neutrality advocates show a different scenario. The priority of the packets won't be determined by technical service requirements but by commercial agreement. The major players of the Internet will pay for priority. This way, search engine X pays for priority and search engine Y doesn't; if you access X you'll get an immediate response, while if you access Y you'll have to wait. It could be a search engine, a video streaming service, an e-mail service, anything. The point is that those who can pay for priority, and are willing to do so, will have a differential treatment that makes their services more appealing to the final user. The aftermath will be that all the small players will fade and die.<br>You're probably wondering which side I am on, or thinking that you know already.
Either way you're wrong; I'm about to crash both sides.<br>The priority advocates are using the quality of service as the basis for their arguments; however, one of them was very clear when he said "Google is making a lot of money using our bandwidth". So the quality of service is not the main concern. They see that there are people making money, big money, using their infrastructure, and they want a piece of the action. But they have it already: they're being paid by Google and all the other content providers, directly or indirectly, and by all of the final users, directly or indirectly. Without all those making content available to the final users, the business of the network itself wouldn't be what it is today, wouldn't be as profitable as it is today. They just want to get more money; they're not increasing the value of the service, they're about to decrease it by limiting access to the content.<br>The technical proposal they use to hide their real intentions is asinine, to say the least. According to them, giving priority to packets with higher speed requirements will ensure the quality of those services and keep the network less cluttered, in a way that all the traffic will flow more easily. They mention among those services the communications of emergency services, remote critical operation (like surgery), video and audio. Let's take a look at them one by one.<br>I didn't know that emergency services were using the Internet to communicate. I think that's fine; as I said before, the Internet is fast, easy to use and reliable. But not for emergency response. There are a lot of things they can do over the Internet, like surveillance cameras, web sites for public information, email for non-critical communications. For times of emergency they need real-time coordinated communications, like the ones they already have in radios and telephones.
Even if they need networks, they can use their own equipment with land lines, if they're available or can be set up, or with wireless communication. They can use the services of the same carriers that want to prioritize the emergency traffic over the Internet, using segments of network not shared with the Internet. In brief, emergency services have their own communications and, if needed, have to develop new ones. The Internet may be a non-critical support service, even a backup system, but it wasn't designed for that use and shouldn't be used that way.<br>The same goes for the remote operation of surgical instruments. I don't know who was the genius behind this idea; the phrase he used was something like "if there's a human being on the operating table we don't want the packet that will save his life to be late". Well, I don't either, so I have a couple of solutions for that. First, if you're about to do surgery on a human, try to be there. If there's no way to get there, for physical reasons or your busy schedule, and there's no other chance to save his life, the second solution is to get something better than the Internet. There are so many choices, including one that the same people who want to prioritize your traffic can give you: a private network. Again, the Internet wasn't designed to do that; it's not reliable for that kind of real-time critical operation.<br>The other services, not so critical by themselves, like video, audio and telephony, have the same problem. A stream of analog data in real time has to be digitized and packetized to be sent through the Internet and then reconstructed at its destination. If the packets are delayed, the quality of the service is degraded. The video freezes, the audio makes distorted sounds. But that's the way the Internet was designed; it's not reliable for streams. It's not a flaw, it's how it was created. You can't cut your steak with a fork; it's not a flaw of the fork, you need a knife.
And we have just the perfect knife. If you want video in real time, easy to operate, cheap and reliable, that technology is available already. It's called TE-LE-VI-SION. If you want audio in real time, easy to operate, cheap and reliable, that technology is available already. It's called RA-DIO. And if you want telephony in real time, easy to operate, cheap and reliable, that technology is available already. It's called TE-LE-PHONE. And the beauty of all this is that all these technologies were designed specifically for that; they're not being adapted, modified or "prioritized" to deliver. They work just fine and have been doing so for many years. Since they were created they have been improved, and they'll improve even more in the future. So why are we so eager to painfully transform something not fit for a job into something able to do it? Even worse, do the maths for the final user. We'll be trading our one hundred dollar television sets for one thousand dollar computers, our ten dollar radios too. What's the point? And don't get me wrong, I think it's great to have some video, audio and telephony over the Internet. I'm happy to get so much from a network that wasn't originally designed for that. But if I want to see a movie I go to my TV set; if the movie I want is not on, I go to the video club and rent it, and I can do that using the Internet, which is cool. If I want to listen to the radio I turn on the radio; if I want to talk to someone I call him over the phone. And if I have the chance to talk with someone too far away using the Internet, great. It's cheaper than the phone too, and it makes me so happy that I don't care if the sound is not crisp and crystal clear. It's more than enough to achieve communication, and that's more than I was expecting from the Internet. What about you?<br>At this point it seems pretty clear that I'm with the neutrality advocates, but I'm not. They want the government to regulate and ensure neutrality, and I don't want government regulation.
The carriers own their networks and, as owners, they have the right to do with them whatever they want to. If they want to provide traffic prioritized by any rule they want, they're entitled to do so. It's their networks we are talking about. The rest of the world has the choice of buying service from them or not. It's that simple; any other point of view is an outrageous violation of property rights. We are used to it because our own rights are violated on a daily basis, but piling up another violation won't fix the problem. I think we have to let the carriers do what they want to do with their networks; we have to respect their rights.<br>There are also some technical and practical aspects that have to be taken into account. Neutrality advocates would say that my position of defending the rights of the carriers above all the rest will damage the Internet, and I agree in part. But they have to understand too that neutrality doesn't exist today and never really existed.<br>Every owner of a network has the ability to regulate the traffic inside it. I, for example, have full control of my network. My link with the Internet is totally under my control, and I can decide how much bandwidth is available for each service or whether a particular service is blocked. And I do it, for practical reasons. Services that are not authorized by the company policy are blocked, webmail pages that refresh too often are restricted in the amount of bandwidth they use, services to customers and contractors are prioritized. Your ISP is probably doing the same with different criteria. Most likely it has a page, a main portal, with links to content, to your webmail, a search engine and advertising. They want you to use it because that's the only way to make the advertising space valuable, so they privilege the traffic to and from that portal.
It's not a big deal anyway; the portal is inside their network, transit time is practically null, so it will respond (it should) a lot faster than any other page from the outside. Add to that all the sites that are paying your ISP for hosting service: they are all inside the same network and privileged by that condition over any other site from the outside. In a way, your ISP is breaking the concept of neutrality even if they don't explicitly prioritize the internal traffic. Now take the same case to a whole country. One with a decent backbone, meaning that all traffic between nodes inside the country is handled inside the country. Believe it or not, most countries don't have such a backbone. Some countries with primitive communication infrastructure grew on satellite links; the lack of landlines made satellites a more affordable alternative. Two ISPs there, located one next to the other, may be linked to different satellite services. Let's say a country in Africa with one ISP linked to a satellite over the Atlantic with its land station in the USA, and the other to a satellite to the west with its land station in Israel. One packet sent across the street will tour around the world. Going back to the country with a decent backbone, all the sites inside that country will be more accessible than the foreign ones.<br>And that's just the technical problem related to the nature of the network, its structure. To that we have to add the difference in bandwidth and processing power between sites. Let's say that you try to set up your own search engine on your computer using your 1 Mb Internet connection. You may have the best one, better than Google, and yet fade and die, strangled by your resource limitation.
It would take you a million years to visit all the sites on the web, even more time to analyze and store the relevant information for the searches; you wouldn't have enough space to store it no matter what kind of compression you use, plus all the time and processing overhead required to do that. Add to that the main purpose of the site itself: serving customers with information. It's obvious that you won't be able to do it while gathering information but, even without doing that, your capacity would be limited to a few hundred.<br>Neutrality is broken by the difference in resources between sites. Sites with more processing power and more bandwidth are able to serve more customers faster and with better services. And that's being paid for by the sites; they pay the carriers and the ISPs for the privilege of more resources. The bigger the business is, the more need for resources it has, the more chances to grow, hence it will invest even more. Neutrality doesn't exist today: those who can pay more are doing it, they're getting more service for the money they are paying and using that to give more service to the final users.<br>Finally, how are they going to make prioritization work? I don't want to go all the way back to the very basics of networking. Let's go back to the city analogy. Today the postmen do their rounds at their own pace, picking up as many packets as they can and delivering every time they pass the corresponding door or intersection. If their storage space is full, the packets that can't be picked up have to wait until the next round; every door or intersection has a queue where the packets are stored for the postman in a certain order. That order is by default the time of arrival: the queue is serviced first in, first out. The methods used to prioritize traffic on a network are basically two. One would be an extra postman dedicated to priority traffic, most likely a faster and bigger one, able to do his round in less time and to carry more packets at once.
To do that, the queues at every exchange point are doubled, one for each postman. The other method is to use the same postman, but specially trained to be picky about the packets. This postman has to decide at each point which packets to pick up first; he can't just take from the top of the pile. He has to go through the queue and pick the priority packets first and then the rest. Also, he can have a separate storage space that's reserved only for priority traffic. If that space is full, he can keep picking up priority traffic using the general storage, but he never uses the reserved space for general traffic. This way there's a minimum bandwidth always available for priority traffic no matter how bad the traffic conditions are.<br>It seems simple, but it's not. It works fine for a simple network, but the Internet is not one. As we saw before, the Internet is a huge group of interconnected networks, every one with its own rules and management. As long as they agree on the protocol used to exchange packets (IP, the Internet Protocol), they can do whatever they want with their own internal network. I do set priority traffic inside my network; I have the means to move certain packets with a guaranteed minimum of bandwidth. But at the point where my ISP is picking up my packets, it doesn't matter if I set many queues: my ISP is servicing me with only one postman. I can make an agreement with them to have an extra postman, but that would work only up to the point where my ISP's network has to exchange those packets with someone else. This kind of agreement with ISPs is very common, as in my case. Let's say that I have a branch of my company in a place too far away to extend my own network, but with access to an access point of my own ISP. Being an extension of my own office, I'd like to have that traffic prioritized over our traffic with the rest of the world. My ISP can do that inside its network just by setting the configuration of its own postmen.
Any other case involving a third network would require another agreement.<br>Suppose that for some reason you want to have priority traffic with a certain site located at the other side of the world. You won't find a route from you to that site with fewer than three differently owned networks; in fact you'll go through many more, but for the sake of this specific problem we can assume that interconnected networks of the same owner can handle priority traffic as if they were only one network. And I said three because it is a theoretical minimum for almost every case around the Internet: your ISP, a carrier and the ISP of the destination site. Big sites are usually closer to the backbones in terms of hops (the number of times a packet has to be relayed from network to network) because they're serviced by the carriers directly. These sites are the main target of this new idea because they're the ones who can afford to pay for priority and get some advantage from it. If one big carrier gives priority to site A, every ISP connected to that particular carrier would be receiving site A's traffic at the top of their queues regardless of the policy they have in their own networks. Even other carriers around the world would get site A's traffic on top. But that's it; from there on, site A's traffic is handled like any other traffic. As you can see, only one network giving priority to traffic is not a huge advantage.<br>If several carriers agree on giving priority to certain packets, the scenario changes just because of the extent of the service. More exchange points will see site A's traffic at the top of their queues. The problem here is who's selling priority and how they are sharing the business. In my opinion, if it gets implemented sometime in the future, the system won't go much beyond the United States and its satellites. The number of big carriers there is limited and, if they get governmental support, it's easy to reach an agreement.
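The postman with reserved storage described above, and the point that his head-of-queue treatment stops at the first network that did not agree to it, as an added simulation that is not part of the original post; the network names, capacities and packets are constructed.

```python
"""Added example (not from the original post): a round-by-round simulation of
the second prioritization method in the text (one postman per hop, some of his
storage reserved for priority packets, never lent to general traffic) across a
path of three networks, only some of which sell priority to site A."""


def pkt(pkt_id, src, priority=False):
    """A packet: who sent it and whether the sender paid for priority."""
    return {"id": pkt_id, "src": src, "priority": priority}


class Hop:
    """One exchange point.  `capacity` packets leave per round; `reserved` of
    those slots are kept for priority packets.  `honours` lists the source
    sites whose priority this network has agreed to honour."""

    def __init__(self, name, capacity, reserved, honours=()):
        assert 0 <= reserved <= capacity
        self.name, self.capacity, self.reserved = name, capacity, reserved
        self.honours = set(honours)
        self.queue = []  # first in, first out unless priority says otherwise

    def is_priority(self, packet):
        return packet["priority"] and packet["src"] in self.honours

    def service(self):
        """Pick this round's packets: priority ones first (reserved slots, then
        overflow into general storage); general ones only into what is left of
        the general storage, so the reserved slots may stay idle but never
        carry general traffic."""
        prio = [p for p in self.queue if self.is_priority(p)]
        general = [p for p in self.queue if not self.is_priority(p)]
        taken = prio[:self.capacity]
        general_room = (self.capacity - self.reserved) - max(0, len(taken) - self.reserved)
        taken += general[:general_room]
        self.queue = [p for p in self.queue if not any(p is t for t in taken)]
        return taken


def simulate(path, entering, max_rounds=100):
    """Inject `entering` at the first hop, then run rounds (each hop services its
    queue once per round, last hop first so a packet moves one hop per round).
    Returns {packet id: round in which it left the last hop}."""
    total = len(entering) + sum(len(hop.queue) for hop in path)
    path[0].queue.extend(entering)
    delivered = {}
    for rnd in range(1, max_rounds + 1):
        for i in range(len(path) - 1, -1, -1):
            for p in path[i].service():
                if i + 1 < len(path):
                    path[i + 1].queue.append(p)
                else:
                    delivered[p["id"]] = rnd
        if len(delivered) == total:
            return delivered
    raise RuntimeError("packets still queued after max_rounds")


def run_scenario(far_isp_honours_a):
    """Constructed path: my ISP and a carrier both sell priority to site A; the
    far ISP does only if `far_isp_honours_a`.  Three B packets already wait at
    the far ISP; three B packets and then one A packet enter at my ISP."""
    my_isp = Hop("my_isp", capacity=2, reserved=1, honours={"A"})
    carrier = Hop("carrier", capacity=2, reserved=1, honours={"A"})
    far_isp = Hop("far_isp", capacity=1, reserved=0,
                  honours={"A"} if far_isp_honours_a else ())
    far_isp.queue = [pkt("h1", "B"), pkt("h2", "B"), pkt("h3", "B")]
    entering = [pkt("g1", "B"), pkt("g2", "B"), pkt("g3", "B"), pkt("a1", "A", True)]
    return simulate([my_isp, carrier, far_isp], entering)


if __name__ == "__main__":
    # a1 enters last but overtakes the B packets wherever its priority is honoured;
    # at a far ISP without an agreement it waits its turn like everyone else
    print("far ISP honours A:", run_scenario(True))
    print("far ISP does not:  ", run_scenario(False))
```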
But once they have to deal with carriers outside of that circle, things start to get more complicated. The big players of Internet services are mostly in the USA: Google, Yahoo, Microsoft. They're the ones who would pay for priority. The carriers outside the USA would find themselves giving a valuable service to those sites and having nobody to bill for it. I don't think this would make the priority system fail, just keep it contained inside the USA, because most of the final users that would be benefited (or punished) by priority are in the USA. Plus, the regulations of the USA government won't make much difference outside of it.<br>One last point to think about is how the sites are reacting to this. I can imagine some jumping onto the priority wagon without even thinking. But is this such a good idea?<br>Let's take a look at it from the final user's perspective. Let's say that site A wants to improve its service, trying to compete with site B. Site B is more popular, has a bigger share of the traffic, has been chosen by the final users for its content, its quality of service. Now, with site A being prioritized, packets to and from it go faster. Site B is still working fine, but its packets are enqueued behind site A's packets. How much difference would it make? If site B is so much more popular than A, we can expect to have only a few A packets and a lot of B packets. On average, the delay generated by those few packets will be hardly noticed. Priority of traffic won't make a quality difference between competing sites. Final users are choosing based on the suitability of the service they get from one site or the other. Google is the most popular search engine not because it is the fastest; it's because people find stuff using it. Once you see it works, that you get what you were looking for, you go over and over to get what you need. If it fails you go somewhere else. Sites with other types of content work the same way: would you read a lousy writer just because his book is available faster?
Or would you go read what you want? Do you pick a movie because it's just about to start? Or do you wait for the one you want?<br>To make a real difference in service through priority traffic, two sites have to offer the same service, same popularity, same content; I'd say almost identical. So site A pays to get an edge over B; what if site B decides to sign up for priority too? And once one of them or both pay for priority, how are they going to measure that they're getting it?<br>Of course, if the priority system is established, sites like Microsoft's will sign up for it. This is seen by most people as corporate stupidity, but it isn't. If you're a small site, you have to evaluate the possible consequences of paying for priority before signing up. And you have to establish a way to measure the result. That's basic management. Microsoft and other big corporations, on the other hand, can waste huge amounts of money in order to stay on top. They won't risk the chance of falling behind; it's more affordable and efficient for them to pay first and analyze later. You can say whatever you want about that policy, but the truth is that Microsoft has been the leader in the market of operating systems and productivity tools for decades. But for those who have to evaluate results and get a positive result, paying for priority will be disappointing. At least that's my view.<br>As a conclusion, I don't approve of governmental intervention or regulation. If the carriers want to establish a priority system and charge for it, they're entitled to do so. If sites want to pay for priority, they're entitled to do so.
In my opinion, the system won't work because it is not the solution for something that's not really a problem.<br></font>James Wolfenstein<br>http://www.blogger.com/profile/08031255153342501209<br>Post id tag:blogger.com,1999:blog-29171862.post-115472608670075701, posted 2006-06-29T22:11:00.000-07:00, updated 2006-08-04T14:14:46.796-07:00<br><br>Big Brother - Part II<br><font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">So, you came back for more?<br><br>Today, I'll start with the good news. There's privacy on the Internet. It's called encryption.<br>Encryption does exactly that: it converts each packet with an algorithm before sending it and decodes it as it arrives. Plain and simple. In general, that is; not the algorithms themselves. As you can imagine, the algorithms are complex and require passwords, passphrases, certificates. Basically, all passwords with different formats and sizes.<br>The way to use it is for the two parties to agree that encryption will be used, and which algorithm and certificates will be used. From that point, all packets will be encrypted and unreadable throughout their transit.<br>Encryption can be applied at many levels: files, packets, sessions or a whole network. You can type a text message in a code previously agreed with your friend, and that message will be unreadable for everyone else. Or you can open a session with a secure protocol like HTTPS and keep all the packets in that session away from prying eyes. Or you can set up a VPN (Virtual Private Network) and keep all the sessions in that network hidden.<br>The most common case for Internet users is HTTPS, an encryption wrapper for the HTTP protocol. Servers using HTTPS keep their traffic with their clients private. You can see it in action in Gmail's login page: when you go to its page, it redirects automatically to the secure HTTPS server.<br>But does this mean that sessions with HTTPS are 100% secure? Not even close, but I think they're good enough.
<br>The main problem is the certificate itself. There are many ways to implement a secure channel between computers using certificates. In the case I mentioned, you end up in a secure session with a server, but where did the certificate come from? You didn't have any at that time. Well, the certificate was sent to you at the beginning of the session. And, most likely, replaced by a new one that is also sent to you, but through the session secured by the first certificate. Either way, the key to open all the packets for that session was exposed throughout the transit time. It doesn't seem to make much sense. But, as I said before, it's good enough. The only way to get information from that session is to capture absolutely all of the session, all of it, because in fact it is a sequence of several different sessions with different addresses. This is not something anyone can do, not something easy to do, so it has to be worth it. Certainly not to access your free email account. At least I hope not, because if someone is after you at this level I want you to walk away from this blog. I don't want them (whoever they are) to get to me through you.<br>To overcome this problem, people who really, really want to have a secure session exchange certificates in private. In that case, you have your certificate beforehand, and capturing all the traffic of your session is useless.<br>This is what's done to set up a private network: the certificates are generated by a certification authority (public or private) and, hopefully, exchanged using means other than a public network.<br><br>And now that you're happy with your privacy, let's go back to the bad news.<br>The transit of the packets is not the only weak point for your privacy. Let's talk about e-mail. Not all mail servers have secure sessions, and I'm not talking about the free ones; most of the private mail servers don't.
But let's say that you use one that has it. Some use it only for the login; after that you're dealing with a plain open session, meaning that the content of your messages can be seen. And even if the whole session is secure, where are your messages stored?<br>Think about it: it's not your server, it belongs to someone else. Your messages are stored there, available to anyone with access to that server.<br>But again, who cares about your free mail account? You.<br>The average Internet user cares about his mail account, trusts it and expects it to be private and secure. And they are, in a broad sense. They work fine and nobody is going through them, really; at least I'm not worried about it. And I'm not worried because that's not the point: I'm aware that the Internet is like a public place and that it has to be used with that image in mind. So, my question is, what are you storing in your account? What are you sending and receiving?<br>In a way, the Internet distorted the sense of reality for most people. It's hard to believe the things people write in e-mail, the kind of things they send in pictures and video. And the stuff they save in mailboxes.<br>And that's exactly the point: e-mail boxes are not secure places. They're controlled by people you know nothing about, people who owe you nothing, people who have no responsibility over the content of your mailbox. Of course they all say that they're responsible, that your mail is safe, that nobody is looking at your stuff, and I'm sure they mean it; I trust them and I've never seen evidence that they lie. But you have no way to know: no binding contract, no technical means to verify the integrity of the content of your mailbox. With real-life mail, you put your letter inside an envelope and seal it. This way, the letter can't be seen by third parties, and if they open the envelope you can tell. With email, the letter is in plain view for anyone to see.
Even if you use encryption, the digital envelope, it can be opened without you knowing it. And this is one of the main problems of assimilating the real world and the virtual one. In the real world, things have a physical nature that makes them unique. Even if they're made in series, each piece is unique. In the virtual world, there are no physical things. The packets you send are replicated over and over until they reach their destination, and all of them are exactly the same as the first one (not exactly, but the difference goes beyond the reach of this article). At each relay, the packet is destroyed and recreated. In the same way, they could have been replicated, stored, recreated and sent without leaving a hint of a trace.<br>With all this in mind, what would you use your e-mail account for?<br>E-mail is great; it's useful, it's fast, it's easy. But it's not something where you can put all your hopes and dreams. Not something where all your assets can be managed. Not the key to your bank account.<br>Going back to the phishing thing, you can see how easy it is to get access to your bank's online service, your Paypal or eBay account, etc., all things with value, monetary value. And it doesn't stop here. I'm sure that 90% of those who fell for a phishing scam are using the same password for everything. Now the phisher has the mail address or the user name for that service; if it's just the user name, he can get the mail address from the settings of the account. He has the password for the service, and chances are the same password works for the mail address. Once inside the mailbox, chances are some other valuable services are linked to the same account, and the traces of those services are in there: newsletters, subscription confirmations, etc.
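An audit of one's own accounts for the two links the paragraph above describes (a password reused elsewhere, and resets mailed to a mailbox), as an added example that is not part of the original post; the vault and every account in it are constructed.

```python
"""Added example (not from the original post): given an inventory of your own
accounts (e.g. a password-manager export), list the reused passwords and the
set of accounts that fall if one of them is phished, following only the two
links the text describes: the same password working elsewhere and password
resets mailed to a mailbox that has already been taken."""
from collections import defaultdict

# Constructed vault.  "mailbox_address" is set only on an account that IS a
# mailbox; "login_email" is where each other service mails its password resets.
CONSTRUCTED_ACCOUNTS = {
    "mailbox": {"password": "hunter2", "mailbox_address": "me@mail.example",
                "login_email": None, "reset_by_email": False},
    "webshop": {"password": "hunter2", "mailbox_address": None,
                "login_email": "me@mail.example", "reset_by_email": True},
    "auction": {"password": "hunter2", "mailbox_address": None,
                "login_email": "me@mail.example", "reset_by_email": True},
    "bank":    {"password": "Tr0ub4dor&3", "mailbox_address": None,
                "login_email": "me@mail.example", "reset_by_email": True},
    "forum":   {"password": "forum-only-pass", "mailbox_address": None,
                "login_email": "other@elsewhere.example", "reset_by_email": True},
}


def reused_passwords(accounts):
    """Sorted groups of accounts that share one password: the first thing to fix."""
    by_password = defaultdict(list)
    for name, acct in accounts.items():
        by_password[acct["password"]].append(name)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


def blast_radius(accounts, phished):
    """Accounts reachable from the password of `phished`, each with the reason,
    iterated to a fixed point: reuse first, then mailbox-based resets."""
    owned = {phished: "phished directly"}
    changed = True
    while changed:
        changed = False
        for name in sorted(owned):           # snapshot; owned grows below
            password = accounts[name]["password"]
            mailbox = accounts[name]["mailbox_address"]
            for other, acct in sorted(accounts.items()):
                if other in owned:
                    continue
                if acct["password"] == password:
                    owned[other] = f"reuses the password of {name}"
                    changed = True
                elif acct["reset_by_email"] and mailbox and acct["login_email"] == mailbox:
                    owned[other] = f"password reset is mailed to {name}"
                    changed = True
    return owned


def with_unique_passwords(accounts):
    """The same vault after giving every account its own password."""
    return {name: dict(acct, password=f"unique-{name}")
            for name, acct in accounts.items()}


if __name__ == "__main__":
    print("reused:", reused_passwords(CONSTRUCTED_ACCOUNTS))
    print("webshop phished:", blast_radius(CONSTRUCTED_ACCOUNTS, "webshop"))
    fixed = with_unique_passwords(CONSTRUCTED_ACCOUNTS)
    print("webshop phished, unique passwords:", blast_radius(fixed, "webshop"))
    # even with unique passwords the mailbox stays the hub: every account that
    # resets by e-mail to it falls with it
    print("mailbox phished, unique passwords:", blast_radius(fixed, "mailbox"))
```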
He just has to try them one by one with the same password, check the messages for the passwords, because many of them will send the passwords in plain text over e-mail, or go to the login page and request the password to be sent to the mailbox. Scary, isn't it? Just one little hole in the wall and your whole world is invaded.<br>The problem is not that we're helpless in the virtual world of the Internet; the problem is that we've lost the perspective of the true meaning of the Internet. I said in a previous article that the main thing that keeps the Internet together is a set of technical rules, and there's nothing in that set trying to make the Internet secure for your privacy or your assets. This is not a flaw of the Internet, it's a flaw in our perception of the Internet. Because it wasn't created for all this; nobody at that time was thinking about it, nobody was able to imagine the incredible growth of the last 20 years, nobody was able to predict that.<br>The Internet is a great thing. It was meant as a way to connect several computer networks online in order to exchange information fast and easily, to allow access to papers and other files for people in remote locations, to let people communicate by means of e-mail, to connect computers that share information to do a job together, and many other things. It fulfilled all its goals, gave us a lot more than that and keeps delivering.<br>The Internet is not the problem, we are.</font>James Wolfenstein<br>http://www.blogger.com/profile/08031255153342501209<br>Post id tag:blogger.com,1999:blog-29171862.post-115472602711095322, posted 2006-06-28T17:43:00.000-07:00, updated 2006-08-04T14:13:47.363-07:00<br><br>Big Brother - Part I<br><font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">Have you had the nagging feeling that someone's looking over your shoulder while you're browsing the net?<br><br>In a way, someone is. But don't get crazy just yet.
The first part of the article is a brief (very brief) description of what the Internet is, so you can understand the second part.<br><br>The thing we call the Internet, THE net, is not really a network. In a broad sense it is, but actually it is a huge number of networks interconnected with each other. It sounds confusing because, after all, a group of interconnected networks forms a network, a bigger one but a network all the same. The difference is that the Internet has no identity of its own, no owner, no ruler.<br>The Internet is held together by two things. One is a set of rules, technical rules, and we should be glad they are technical. The other is commercial agreements at every single point where two networks are linked.<br>Let's start from your own computer. Whether it is alone in your house or part of a LAN in your office, it's on a network. It has an IP address, meaning it has an identity on that network, and a physical connection. If you're on a private network, at some point that network is connected to the public network. If you're a home user, most likely your computer is on the public network already. The difference is that a private network has to connect at least one point of it to a public network. But one way or the other, at that point there is an agreement with an ISP (Internet Service Provider) that lets you access the Internet. The ISP gives you a public IP address and from there you can open sessions with any other public address. I should say most likely you can, and you'll see why in a minute. <br>Your ISP is basically another network; without a connection to other networks, the only thing you'd be allowed to do is connect to other public addresses on your ISP's network. At some point, your ISP is connected to one or more other networks, and those are also connected to others. All they need to make the whole Internet work is to know where each public address is.
Actually they don't: every network knows about its own public addresses, some addresses of the networks directly connected to it, and one or more connections where it sends every packet not covered by the previous groups. <br>Of course the lists of IP addresses are not exhaustive; they don't have to store information for each one. They're handled by blocks, groups of IP addresses that can be matched easily with a mask (a prefix). This way every time they have to route a packet, all they do is identify the most specific block it belongs to and take the action assigned to that particular block.<br>Let's say that the Internet is like a city. If you live in an apartment building, you have a private address, the number on your door. All traffic to your door is handled by the doorman; if it's between apartments he can do it all by himself inside the building, if it's to or from another place outside the building he has to go to the front door and interface with the rest of the world. The front door of the building is public, it has a public address and is "connected" to the street, your ISP. If you live in a house, you have a public address and don't need the doorman to handle your traffic.<br>The street, your ISP, has a postman going up and down exchanging packets with every public address on the street. He's not allowed to go anywhere else. Traffic between public addresses on the street is handled directly by him, but packets to another street, city or country have to be handed to someone else. The street crosses other streets, one or many, and the postman has a routing instruction saying at which intersection to drop each packet, and one or more last-resort intersections where he drops all packets without a specific routing rule. At those intersections, he also picks up packets addressed to his own street. The last-resort intersections (the default route) allow the postman to reach every address on the net without knowing where it is.
That intersection could be served by a bigger postman, like one on an avenue with more intersections, or a high-speed postman serving a highway, where there are no homes or buildings, only intersections with streets, avenues or other highways. One thing that you may be wondering about is how postmen deliver when they have alternative routes for a packet. As you can imagine, postmen are not humans but computers, and they need precise, non-ambiguous instructions. The alternative routes can be used as a backup in case the main one fails, or to balance load. In the latter case, the postman uses one or the other based on a measure of the traffic. <br>The beauty of all this is that there's no central control, manager or government. All the postmen and doormen agree on the technical aspects: proper addressing and uniform instruction sheets. This way everyone knows what to do with each packet without knowing what's beyond their own bailiwick.<br>I want to add a small note here: the system is not perfect. Eventually you may find that a certain address is unavailable to you while your friend, who's at an address available to you, can reach it. The routing instructions change every day, either for technical reasons or commercial ones. Sometimes a change on one network requires its neighbors to change too, and that may take some time. Sometimes there's no routing instruction at all for a combination of addresses: oversight, commercial restriction (not worth paying for, no traffic expected, etc.) or just a technical problem.<br>The other side of what keeps the net together is the commercial agreement between postmen and doormen at each intersection. The agreement could be of any kind: pay by packet size, pay by speed, just pay. The agreement could also include address restrictions, alternative routes, guaranteed uptime, etc.
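To make the "blocks", the "last-resort intersection" and the "no routing instruction at all" case concrete, here is a small longest-prefix-match lookup. It is an added example, not code from the original post: the prefixes, the next-hop names and the destination addresses are constructed for illustration (documentation ranges only). Real routers do the same lookup over hundreds of thousands of prefixes, and the table changes as the technical and commercial arrangements described above change.

```python
"""Toy longest-prefix-match router for the "postman" routing described above.

Added example, not from the original post. Prefixes, next-hop names and
addresses are constructed for illustration (documentation ranges only).
"""
import ipaddress

# Constructed routing table: (block, next hop). The most specific block wins.
# "0.0.0.0/0" is the "last-resort intersection": the default route.
ROUTING_TABLE = [
    ("192.0.2.0/24", "local"),           # our own block: deliver directly
    ("198.51.100.0/24", "isp-peer-A"),   # a directly connected neighbour
    ("203.0.113.0/25", "isp-peer-B"),    # a smaller block inside the next one
    ("203.0.113.0/24", "isp-peer-A"),    # the wider block
    ("0.0.0.0/0", "upstream-default"),   # everything else
]


def build_table(entries):
    """Parse the prefixes once and order them most-specific first,
    so a linear scan returns the longest matching prefix."""
    table = [(ipaddress.ip_network(prefix), hop) for prefix, hop in entries]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def route(table, destination):
    """Next hop for one destination, or None when no block covers it
    (the "no routing instruction at all" case from the text)."""
    addr = ipaddress.ip_address(destination)
    for network, hop in table:
        if addr in network:
            return hop
    return None


def route_all(table, destinations):
    """Route a batch of packets; handy for eyeballing a whole table."""
    return {dst: route(table, dst) for dst in destinations}


if __name__ == "__main__":
    table = build_table(ROUTING_TABLE)
    for dst, hop in route_all(table, ["192.0.2.7", "203.0.113.5",
                                      "203.0.113.200", "8.8.8.8"]).items():
        print(f"{dst:>15} -> {hop}")
```

Drop the 0.0.0.0/0 entry and 8.8.8.8 routes to None: that is the "your friend can reach it but you can't" situation from the note above, a network with no matching block and no default simply has nowhere to send the packet.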
<br>But the bottom line is that it works. Believe it or not, the fact is the Internet works, and if you're reading this you have all the evidence you need.<br>Now going back to the subject of this article, is somebody looking over your shoulder? <br>Every single packet that you send or receive is handled by many doormen and postmen. They're not human but they're run by humans, and they're all independent. What stops them from snooping into your packets?<br>The answer is simple: nothing. <br>Let's say that I'm a major carrier, a highway in the city analogy, and for some reason I want to look at all the packets going through one of my intersections. It's my equipment, it's my wire, and even if I had a no-snooping clause in my agreement with other networks (there's no such clause), nobody is controlling me; there's no way to know from the outside that I'm doing it.<br>And now that I've freaked you out, I'll put you back together. Because now you're thinking that everyone knows what you read, what you see and who you talk to. Forget it, it's not happening. But what if it were?<br>Have you ever been in a mall? Were you worried that someone might note which displays you looked at? While you were having a drink, someone checking what you had, how, what you were reading? At the post office, the postman checking who you write to or who writes to you?<br>At this point, you either turned into a complete paranoid or realized that the Internet is a public place like a mall or even the street. More like a mall I'd say, because it is owned by many private parties. But the point is that the Internet is public not because of its ownership but because of its nature, its history and its technical limitations. The Internet wasn't designed for security; security was ensured physically by not allowing access to equipment and wires. But once it grew into a network too large to be confined, with too many players to be controlled, physical security became impossible.<br><br>But is it such a big deal?
All your packets in the hands of people you know nothing about?<br>Let's go back to the mall analogy: you're going through a public place, do you expect privacy? Why do you expect privacy on the Internet then?<br>The structure of the net makes it impossible to control whether someone takes a look at your traffic. I'm sure your ISP will say that no one is doing it, but I'm pretty sure that they won't give you a signed guarantee. Even if they're to be trusted, once they pass the packet to the next network it is out of their control, and yours too.<br>But are they doing it? Is someone out there checking all your traffic?<br>I think not, I'm sure not. At least not in that sense. I mean, there's no way to check every single packet, no way to store it for later analysis, no way to keep up with the constant flow. I know that because I do that frequently. I'm in control of the doorman in my building and from time to time I have to check the traffic, because something is not working, or I suspect foul play from the outside or the inside, or anything else. And it is not a huge building. However I have no way to check it all and there's no automated system able to do it. You can try it yourself if you want: go get a sniffer, a program that allows you to see all the traffic on your network connection. There are some nice free sniffers out there like NetworkActiv or Ethereal (now known as Wireshark). Once you have it, let it run for one hour while you do your regular use of the Internet. Then try to make some sense of that hour of traffic. How far can you go?<br>It's a trick test because you probably don't know enough to understand what's in there. But besides that, nobody can check in one hour a one-hour traffic file (average traffic). Even with a machine doing it, there are too many variables, and the kind of information that would make sense to a human, like text, pictures, sound and video, can't be properly evaluated by a machine.
Imagine that if it can't be done with the traffic of one machine, it is a lot more difficult with thousands or millions. So, I can say for sure that nobody is checking the traffic of the Internet systematically.<br>However, I can imagine someone looking for something very specific. Let's say that I want to know who's using a specific mail server from my building, my network. I can set my doorman to report connections to that server. The amount of information would be easy to handle. I can do that by content too, specific words, even by media type. <br>And if you think that your government is able to do it, think again. I can do it because I have just one door in my building. Imagine how many different access points there are in one country and how much traffic is going through them; it's impossible to handle. <br>In conclusion, I wouldn't worry about someone looking at my traffic. However, the Internet is like a public place and I have to assume that my activity may be seen. Do what you do in public, don't do things you don't want others to see.<br><br>Of course there's privacy on the Internet, but that's for part II, where I'll tell you about more scary things. Relax, enjoy.</font>James Wolfenstein (http://www.blogger.com/profile/08031255153342501209, noreply@blogger.com)<br><br>tag:blogger.com,1999:blog-29171862.post-115472540424242854 | published 2006-06-16T13:11:00.000-07:00, updated 2006-08-04T14:03:25.910-07:00<br><br>What can be done about phishing<font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">Yesterday I was upset about everyone's attitude towards phishing, the same attitude that everyone has towards scams and spam and fake banks, etc. The two main reasons for this are that the problem is too big and that those who fall for it are gullible people whom everyone else deems stupid and not worth consideration.
Yes, I know it sounds harsh but that's the way most people think.<br>They have the right to think any way they want, but from a practical point of view, don't the service providers want the gullible people as customers? Gullible people make a great market, they support shopping TV channels. Who wouldn't want to sell to them?<br>But this is a blog about phishing and other things around the Internet; gullible people and the marketplace are a theme for another blog.<br>What I want to write about today is ways to reduce phishing, ways that can be implemented by the service providers, whoever they are. None of these recommendations is technically impossible or complicated. In fact some of them are out there right now, someone is using them already.<br>Here they are.<br><br>First of all we have to understand how phishing works. The phisher goes to the original login page and saves a copy, then uploads the copy to a server somewhere else. The original page takes the username and password, checks them against a database and grants or denies access. The phisher changes this: the copy stores the username and password and, in most cases, directs the user to a page where his/her personal information has to be "verified for security reasons". That is where you have to put your address, credit card number, PINs, etc. Then it forwards you to the original home page, an error page (try again in a couple of minutes), or anything else he can think of. It doesn't matter; by that time your personal information is already compromised.<br>I'd like to start from the email, but there's a lot of stuff that I have in another article about spam and I don't want to duplicate it. So I'm going to start from the phishing page.<br>The first problem here is that the page looks like the original one; in fact most of the components of the page are the originals. <br>A web page is basically a file with instructions to build the page: it says what text is included, how it should be organized, format information, etc.
It doesn't include the images; it just says what images are required to build the page, where to put them in the page and the link where the images are stored. Your browser asks the server for each image. In fact there's an option in your web browser to prevent it; it was included many years ago for people using low-speed dial-up access so they could see the content of the page without downloading all the images.<br>The phisher can download all the images and set up a server just like the original; it's easier now that any browser can save a full web page in one command. Before that you'd have to save them one by one. But they don't, and I think the reason is that it is a lot easier to keep the links and let the original server do the job. Having the images stored on their own servers wouldn't make them easier to find, the images are no more incriminating than the page itself, so I have to assume that the main reason is that they're lazy.<br>On the other hand, we have the original server. It's serving the images for the offending site for free, keeping them and paying for the bandwidth every time a mark falls into the trap. It doesn't make sense to me.<br> Why aren't they doing something about it? Here's a list of simple, silly things that can be done.<br><br>- Don't serve images if they're referred from another server. Even when the session itself is from your browser to the server, your browser tells the server where the link comes from (the Referer header). This is something the phisher can avoid, since a missing Referer has to be tolerated for legitimate users, but a Referer pointing at a foreign site is a clear signal. A lot of sites are doing this, it's a simple solution. I'm not saying that you can do it just by checking a flag in a configuration; someone has to work it out. But it's worth it.<br><br>- Serve the images but with a twist. When you ask a web server for an image, it sends you the file. The URL that you see is basically a directory path just like the ones you use on your own machine. The server goes through the path, finds the file you want and sends it.
An alternative to this is to use an image-serving script, an active page that checks what file you are asking for and serves it. The difference is that this script can check the referral and decide whether to serve the file or not, or serve another one. And that option is a very good one: they can serve an image file that, instead of the original logo, bears one that's obviously fake. Better yet, an image with a text saying "you're about to log in to a fake server". Eventually the phishers will copy all the images and serve them from their own sites, but it will make things harder for them: they'll need more time, they'll need more resources, it will give the hosts a good way to detect the phishing pages automatically; at the very least it will reduce the problem. Yahoo is doing even more: they change the images of their webmail login page. And not only the images, they're changing the look of it frequently. If you're a frequent user, you've probably gotten used to it by now. The idea (I guess) is that if the user sees an old page he'll suspect that something's wrong and won't log in.<br><br>- Even while they're not doing that, by having the log of referrals they can identify, without a shadow of a doubt, any phishing page as it's being accessed. The second someone opens that page and requests the image file, the server is able to tell that it was referred from a site other than the original. Maybe they're not logging that, but I'm sure they can; any web server has a log service. The logs would surely be huge, but they don't have to read them line by line. A computer can do that, and even if they have to set aside a computer to do just that all day every day, it's worth it. All they need is to compile a list of the sites from which a reference to the images is made other than their own servers. And that's it, they'd have the most efficient early-warning system ever. Every page I've seen lately is using the original image files, every single one.
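As an added example (not code from the original post, and not what any of the providers named here actually run), this is what the referral bullets above amount to in practice, and it also covers the PS of "The surreal world we're living in" further down, which makes the same recommendation: a Referer check that decides which image to serve, and a scan over the server's own access log that lists every foreign site hot-linking the images. The host names, the warning-image path and the log lines are constructed; the log format is the common "combined" format most web servers can write. Note the caveat from the text: the Referer header is supplied by the browser, a phisher can arrange for it to be absent, and plenty of legitimate visitors send none either, so an absent Referer is tolerated and only a foreign one is acted on.

```python
"""Referer-based hot-link check plus an access-log scan for phishing early warning.

Added example, not from the original post. OUR_HOSTS, WARNING_IMAGE and
SAMPLE_LOG are constructed; the log lines use the common "combined" format.
"""
import re
from urllib.parse import urlsplit

# Assumed: the host names the real login page is served from.
OUR_HOSTS = {"www.example-bank.test", "example-bank.test"}
WARNING_IMAGE = "/img/fake-site-warning.png"   # assumed path of the "this is a fake" image
IMAGE_EXT = (".png", ".gif", ".jpg", ".jpeg")


def referer_host(referer):
    """Lower-cased host of a Referer value, or None when absent/unparseable ('-' in logs)."""
    if not referer:
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def choose_image(path, referer):
    """Decide what to serve for an image request.

    Returns (served_path, hotlinked). No Referer at all is allowed, because the
    browser is free to omit it and the phisher can make sure it does; a Referer
    naming a host that is not ours is a hot-link and gets the warning image.
    """
    host = referer_host(referer)
    if host is None or host in OUR_HOSTS:
        return path, False
    return WARNING_IMAGE, True


# combined log format: client ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def offsite_image_referers(log_lines):
    """Count image requests whose Referer points at a host that is not ours.

    Returns {foreign_host: hits}; each key is a candidate phishing page that is
    loading the real site's images, which is the early-warning list the text describes.
    """
    hits = {}
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match or not match.group("path").lower().endswith(IMAGE_EXT):
            continue
        host = referer_host(match.group("referer"))
        if host is None or host in OUR_HOSTS:
            continue
        hits[host] = hits.get(host, 0) + 1
    return hits


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jun/2006:12:01:02 -0700] "GET /img/logo.gif HTTP/1.1" 200 1234 '
    '"https://www.example-bank.test/login" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Jun/2006:12:03:44 -0700] "GET /img/logo.gif HTTP/1.1" 200 1234 '
    '"http://secure-update.example.net/paypal/login.php" "Mozilla/5.0"',
    '198.51.100.10 - - [14/Jun/2006:12:03:50 -0700] "GET /img/header.png HTTP/1.1" 200 5678 '
    '"http://secure-update.example.net/paypal/login.php" "Mozilla/5.0"',
    '192.0.2.77 - - [14/Jun/2006:12:05:00 -0700] "GET /img/logo.gif HTTP/1.1" 200 1234 '
    '"-" "Mozilla/5.0"',
    '192.0.2.78 - - [14/Jun/2006:12:06:00 -0700] "GET /login HTTP/1.1" 200 9999 '
    '"http://evil.example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, count in offsite_image_referers(SAMPLE_LOG).items():
        print(f"hot-linked from {host}: {count} image requests")
```

Run against the constructed log, the only host reported is secure-update.example.net, with two hits; the request with no Referer is served normally, and the off-site Referer on the /login request is ignored because it is not an image request. In production the same loop runs over the rotated logs on a schedule, and the resulting host list is what gets reported to the hosting providers.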
The phishers are literally ringing a bell every time they set up a page. However, the service providers are sitting there waiting for you to report a phishing page. And in return you get a nice pre-formatted thank-you message with tips to recognize phishing pages and protect yourself. What for? You're reporting the page, you don't need that. "Common sense is the least common of the senses"; I don't know if it makes any sense in English, but never before was that phrase more appropriate.<br><br>- In addition to the image problem, most of these services are using links to other services: DoubleClick, Omniture, BBBOnline, VeriSign, etc. Each one with a specific purpose. DoubleClick manages targeted advertising, BBBOnline and VeriSign do certification of the site, Omniture runs statistical analysis. I'm writing a complete article about Omniture, don't miss it. They can apply the same criteria if some elements are referred from that page. But they could also certify that you're connected to the right server. The verification that VeriSign or BBBOnline do is useless for the final user: the seal at the bottom of the page has an ID code assigned to the original site and you can use it anywhere you want. In fact you can try these:<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">https://seal.verisign.com/splash?form_file=fdf/splash.fdf&dn=WWW.AMERICARX.COM&lang=en<br><br>http://www.bbbonline.org/cks.asp?id=20111061155818568</font><br><br>You can try them from here, copy and paste them into your browser or make your own page with the link. Either way they won't certify that the site from which you're clicking is the real one. They certify the (internal) security, business standards, etc. of the site whose ID you're asking about. Why aren't they certifying the site from which you're clicking? Why aren't they selling that service? As a user I'd like to have that service; the other certification is fine too, but I want one that helps me know that I'm on the right site.
And I know that it can be fooled; I wouldn't sell it as a 100% safe method because I know it is not, but at least it can tell you, 100% sure, when it isn't the right site.<br><br>- Research each phishing case more. I don't think they're doing it. At most they're requesting the closure of the offending site, and I don't think they're doing that either. I closed more sites last week than they ever did. Closing the site itself is good but not enough: each phisher opens many of them at the same time and doesn't expect them to live for long. If they do, great, but just a couple of days is more than good enough. People that fall for this do it almost immediately: they get the message, they click, they log in, it's done. Even one day is good enough, half a day or less too. Heck, I bet the phisher is happy if he gets one good hit. But they're doing a lot better than that; if you've read the previous article you may have seen that I found one page with less than a day of life and close to 10 good logins. Today I've just found another, half a day of life and almost 10 good logins. By the time the page is closed, most likely the phisher has already harvested it. Add to that all the pages that have been running for weeks, months. The phisher can then keep sending messages linking to them forever. And the worst part is that even if the page is closed fast, most of them are not storing the information on the same server. I want to explain this in detail because it seems simple but it is not. The page itself is weak; the phisher knows that it will be closed (most likely) and that it won't last long. He has two choices: check it often enough to make it worthwhile before it is closed, or store the data somewhere else.
The latter option has many advantages: he can stay away from the page for a long period of time without risking his position, the information is safe even if the page is closed, all his pages report to only one site and, best of all, he knows that nobody cares; the host of the page will shut it down, erase all the content and move on. After that, there's no link between the phishing message, the phishing page and the site holding the database. I'm seeing this setup often lately; pages holding a local file with the logins are uncommon now. Getting the database down would make all the pages linked to it worthless, and we're talking about almost all of them linked to a relatively small number of servers. And, again, I know it takes time and resources to do it. But I think that I could do it by myself if I wanted to, and once you get to the server it should be easy to take any measure to close it, block it, take legal action, anything. It is worth it; it is something that the service providers owe their customers.<br><br>I have more complicated suggestions, not impossible but more difficult to implement. I think I can do them, that's why I know that they can be done, but the complexity is such that some are impossible to do with the resources the phishers use to host their pages, and some would put a good part of them out of business.<br>Like dynamically generated images. How about the logo with the date and time on it? The image can be generated dynamically, but if you only have access to a web server, even with scripting capabilities, it is close to impossible. The phisher would have to move to more complex setups that would be easier to find and shut down; even worse for him, they'd give more evidence to track the phisher.<br><br>And best of all, they can hire me. After all, among all those who are talking and talking and talking about phishing, I'm the one who can show results...
just a thought.<br><br></font>James Wolfenstein (http://www.blogger.com/profile/08031255153342501209, noreply@blogger.com)<br><br>tag:blogger.com,1999:blog-29171862.post-115472534263040634 | published 2006-06-14T18:49:00.000-07:00, updated 2006-08-04T14:02:22.763-07:00<br><br>The surreal world we're living in<font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">Today I was planning to post something about spam and the constant fight between spammers and filters, but something happened that changed my day completely.<br>Well, not really, my day hasn't changed at all, only the time I had reserved for the blog. It's just that the events developed in a way that I think I now have something more interesting to write about.<br>It began at lunch time while I was doing my spam/scam/phishing mail check and, as usual, a PayPal phishing message was there waiting for me. I have an almost automated procedure for them: I report to the owner of the IP where the message comes from, the host of the phishing page and the owner of the IP block where the page is. I can get it over with in less than a minute and usually the page is gone by the end of the day. Unless it's hosted in Romania, China or some other places where they really don't care about it. Anyway, this page was hosted somewhere in Comcast. I reported it through their web page and received a pre-formatted response saying that an IP number is not enough to report the incident and asking for a log from my firewall. The answer didn't apply to this case; I guess it is one they have for intrusion reports that don't include enough information. But in this case there was no intrusion; the phishing page is a passive trap, it is the victim who goes to it, so no firewall could have that properly recorded. But the point is I was upset because they didn't even care to read the report; they assumed that it was about intrusion, not enough information was included, sent the pre-formatted answer, went back to coffee.
At least that's how I felt at that time, so I went back to the phishing site to see what else could be reported. Sometimes it's a site with a "legal" page on it and it can help to identify the owner, sometimes there's more than one phishing page on the same site, etc.<br>And I was in for a big surprise: while I was looking around I found out that the server had directory browsing enabled. This means that you can see the contents of the site like you see the contents of your own disk. The site was pretty simple; I didn't find another phishing page nor another page of any kind, I didn't want to go into the code of the page and it wouldn't have helped to prove it was phishing. Then I stumbled on a text file that I thought might contain useful info. And it did. It was the file where the page stored all the data gathered from the form.<br>I was shocked: there in front of my eyes I had mail addresses, passwords, credit card numbers and PINs from all those who fell into that trap. Of course some were just garbage, people aware of the trap filled it with nonsense. But some others looked real.<br>But now I had a huge problem, what to do?<br>My first reaction was to close the file and I did, but what's next?<br>I knew that Comcast eventually would close the page, and actually they did (I have to say almost immediately, to be fair) after I sent them another message explaining the previous report. But meanwhile the file was sitting there for everyone to see. Of course it's not like it was published on the front page of a popular site, but the same way I fell into it anyone could. Plus, the one who was ready to use it, the phisher, knew where it was and how to get to it.<br>I was unable to erase it, I hope Comcast did, and I had no way to know if the phisher had taken it already.<br>It was a terrible situation because while I didn't want to know about the content, that same content was the only way to do something for the victims of the phisher.
Comcast wouldn't warn them; they'd shut down the site and that's it.<br>I thought about PayPal and reporting to them too; usually it's an exercise in futility because they have no control over the page. I guess they report to the same people I do to close the page or block the sender of the messages. But in this case they had a chance to get the file and protect their users.<br>Then I started to have second thoughts. I don't know what PayPal did; they sent me a thank-you answer, "we'll contact you if we need more information", and that's all. I don't think they warned the victims and I don't think they will. And the problem here is not only that their PayPal accounts were on the line, their credit cards were too.<br>So, I had no choice (I did, but I didn't want to take it). I went back to the site, opened the file and took note of the mail accounts ONLY. Then I erased my browser cache and sent a warning to each and every one on that list. Not many, there were about 10. I tried to make the message as clear as possible, not scary but enough to make them react and move fast before the damage is done. I don't know what the right thing to do is in a case like this. Of course you have to change your password, now! But what about the credit card? Is the information they take from you enough to go and do some shopping over the net? If so, it should be treated the same way you do when you lose your card, and that's neither easy nor painless. Anyway, I feel sorry for them and for me too; being the messenger carrying the bad news is not nice.<br>Some things that surprised me today<br><br>How fast this thing works. From the reception of the message to the time I ran into that file it couldn't have been more than 2 to 3 hours. Maybe the site had been running for a longer period, I didn't check the dates of the files and directories (mental note for next time). But I have to assume that in that short period of time about 20 people logged in and 10 of them used their real personal data.
Amazing.<br><br>How clueless some people are. After I sent the warnings, one of the victims answered asking me to close his PayPal account. So you have this person who gets a forged message asking him to log in and provide all his personal data and complies, then when he gets a warning message automatically assumes that it is from PayPal without even looking at the address of the sender. Amazing again.<br><br>And yet again, how clueless some people are. Someone else sent me this:<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">What's that supposed to mean? That all the Paypal security letters I've been receiving have been fraudulent?</font><br><br>And I swear it is a cut and paste of the original message. I was in total awe thinking that this person was logging in to the phishing pages every single time, posting all the information over and over again. But it was worse than that, and I know, how could it be worse?<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">For weeks I've been receiving alerts from Paypal, saying my account is in danger. After many urgent responses I concluded that perhaps there's somebody trying to get into my account..."</font><br><br>So, instead of thinking that so many messages from PayPal were a sign that something was wrong, she took it as a confirmation that everything was right. And to top all this, she suspected me but at the same time asked me what to do. Instead of going to those she believes (as much as you believe your account officer; I don't trust mine at all), she goes to the total stranger who she thinks is the fraudster. Amazing, amazing, amazing.<br><br>I don't blame her or any other. When you face one of those messages or the page, it takes technical knowledge to recognize the signs that something is wrong. The page looks just like the original: the images, the look, the text, the form. In fact it is taken from the original, how could it look different?
But on the other hand, with all the media coverage of this issue, with all the word of mouth around you, it is hard to believe they didn't see it coming. The Internet grew to be popular before we were ready for it. It's not like other technologies that exceed our comprehension but are manageable. The Internet exceeds the comprehension of each and every one of us and nobody can manage it.<br><br>They say live and learn, but I think we have come to times where if you want to live, you'll have to learn first.<br><br><br>PS: One thing that PayPal, eBay and others can do to help, or at least to make the work of the phishers harder, is to block external referrals of their images. All the phishing pages are taking images from the original sites. They don't even have to store the images; they just use the links and PayPal provides the images, pays for the storage and the bandwidth. It's insane. Because avoiding it is not something so complicated that it can't be done. It's work, it takes time, for sure. But it is doable and makes sense.</font>James Wolfenstein (http://www.blogger.com/profile/08031255153342501209, noreply@blogger.com)<br><br>tag:blogger.com,1999:blog-29171862.post-115472522721381964 | published 2006-06-13T15:45:00.000-07:00, updated 2006-08-04T14:00:35.436-07:00<br><br>What's in a header<font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">The protocol we use to transmit email was created decades ago to be used by the military and the academics who ran the net that we know today as the Internet.<br>I guess that having computers connected and remote access to storage, someone came up with the idea of setting up a directory structure for local users where others could save a file, a message, for that particular user. Eventually, SMTP was developed to perform that job in an orderly, practical and automatic way.
SMTP stands for Simple Mail Transfer Protocol, and it's exactly that, a simple protocol to pass mail files.<br>The file is built from the text you write; once that is done, the rest of the information is piled on top of it. Once you're done with your text, the mail application (or the server, if you're dealing directly with it) will start adding information like who you are (FROM field), who the mail is addressed to (TO field), what the message is about (SUBJECT field), the timestamp (DATE field), the size of the message, carbon copy, blind carbon copy, etc. None of these fields is mandatory or enforced; in fact there's a way to send a message without a TO field, even a blank message without any field at all. But almost all the mail client applications we use, including web interfaces, take good care of it. So, if you check the source code of any of your messages, you'll see that most of the fields are there.<br>Here's an example:<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Date: Tue, 13 Jun 2006 10:30:43 -0700 (PDT)<br>From: Barrister jones <barristeredwardjones2@yahoo.com><br>Subject: REPLY ASAP.<br>To: jwolfy@gmail.com<br>(Message follows..........)</font><br><br>So far this is what's contained in a message file (almost all of it) at the time it's stored by your SMTP mail server. From this point up, it is all routing. Every line added says who received the file, from whom, when and how. The first line should be your SMTP server saying that it got the message from you.<br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Received: from [196.3.62.3] by web55407.mail.re4.yahoo.com via HTTP; Tue, 13 Jun 2006 10:30:43 PDT</font><br><br>In this case, web55407 is Yahoo's web interface from which Barrister Jones sent this message. His IP address is there, 196.3.62.3, and according to AFRINIC it is in Ebene, Mauritius. The user himself could be somewhere else.
In this case I think he's in Nigeria because the phone number he gave me is there; probably he's using a satellite link with an earth station in Mauritius or something like that.<br><br>Once the message is complete, Yahoo will try to get to the destination server. They actually pass the message to another process<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Received: (qmail 20439 invoked by uid 60001); 13 Jun 2006 17:30:44 -0000</font><br><br>and that process sends it to the destination server<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Received: from web55407.mail.re4.yahoo.com (web55407.mail.re4.yahoo.com [206.190.58.201])<br> by mx.gmail.com with SMTP id 37si1451863nzf.2006.06.13.10.30.44;<br> Tue, 13 Jun 2006 10:30:45 -0700 (PDT)</font><br><br>Then Gmail passes it through two other servers; they're all in its local network (check the IP addresses, with first octet 10). I can't say why, but it has to do with their system structure. My guess is that they have a front end connected to the Internet (mx.gmail.com, most likely more than one server) which passes the message to a hub (10.37.15.13) that knows where each mailbox is located and passes the message to its final destination (10.36.250.24 in this case).<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Received: by 10.36.250.24 with SMTP id x24cs7453nzh;<br> Tue, 13 Jun 2006 10:30:45 -0700 (PDT)<br>Received: by 10.37.15.13 with SMTP id s13mr11224004nzi;<br> Tue, 13 Jun 2006 10:30:45 -0700 (PDT)</font><br><br>Remember that the lines are added on top, so you see them in chronological order only when you go through the file upward.<br>In the middle you'll find some other information that servers add to improve the quality of the service, like a message id, a Delivered-To field in case the To field doesn't exist or the destination address is in BCC (blind carbon copy), etc.<br>Yahoo adds a signature to each message (DomainKey-Signature) 
that allows them to check that each message is valid when passed from server to server through its network and, in case of an abuse report, that the message originated from its servers.<br><br>As you can see, SMTP is very simple but also unsafe and unreliable. No one is to blame; the people who designed it in the first place were trying to solve a problem they had at that time, and security wasn't an issue.<br>In this example, Yahoo verified the "identity" of the sender by means of a password. Gmail took the message from Yahoo in good faith; it's not checking whether it's really Yahoo sending, nor can it verify the identity of the sender inside Yahoo.<br>In fact, take a look at this routing<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Received: (qmail 11191 invoked by uid 0); 30 May 2006 17:51:46 -0000<br>Received: from unknown (HELO 89-178-30-158.broadband.corbina.ru) (89.178.30.158)<br> by 0 with SMTP; 30 May 2006 17:51:46 -0000<br>Received: by nyf15.pamico.com id 86jo739p33c9 for <user@server.com>; Tue, 30 May 2006 19:51:44 +0100 (envelope-from <BerniceClark@kertel.com>)<br>Received: (qmail 15334invoked from network); Tue, 30 May 2006 19:51:44 +0100<br>Date: Tue, 30 May 2006 19:51:44 +0100<br>Subject: Erection problems can be fixed Franklin<br>From: "Reyes" <BerniceClark@kertel.com><br>To: user@server.com</font><br><br>There were a lot of telltale signs in the header to identify this as spam, but I stripped it down to focus on the routing.<br>user@server.com is my mail address; the message was generated and addressed to me.
Reyes, with the email address <font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">BerniceClark@kertel.com</font>, sent it and amazingly he/she knows about my erection problems though he/she doesn't know my name.<br>The message is timestamped and sent to a qmail process; it doesn't identify the sending node and my best guess is that they're both on the same machine.<br>Then the message is sent to nyf15.pamico.com, a domain hosted by GoDaddy somewhere in Arizona. Remember this because it is important.<br>Next, my server (unknown) receives it from 89-178-30-158.broadband.corbina.ru, Moscow, Russia, and passes it to qmail, a process that stores the message in its final destination.<br>I know the last part by heart; it is my server and I know how it's configured.<br>But the odd thing is how a message sent to me goes through Arizona and Russia.<br>The answer is that it doesn't; it is a fake header. The message was generated by a client of Corbina's broadband service in Moscow, Russia.<br>The mass mailer application creates a fake header to make it harder to trace the source. It's silly, because the people who take the time to trace won't fall for it.<br>And the other small detail is that <font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">BerniceClark@kertel.com</font> didn't do it. It could have been any other mail address, including yours; typically the spammer takes one from the lot he's spamming to.<br>So, how must this routing be read to know where it came from?<br>The routing is a list of declarations where everyone involved in the transit of the message takes custody of it. So we have to start from the one we believe, our own server.<br>It can be fooled, but only up to some extent.<br>If you check the line where unknown receives the message, there's a HELO. This is a literal copy of the declaration the sender makes at the start of the SMTP session, typically HELO and its name (smtp.server.com), but it could say anything.
It is up to the sending server and is neither mandatory nor enforced.<br>Besides that, there's also the IP number. My server logged it regardless of the sending server's declaration.<br>And this is the starting point: my server says that it received the message from 89.178.30.158, and at this point that is the only thing I can trust.<br>Checking the IP number (you can try any "whois" web page online), I see that the name declared matches the IP number. In some other cases the spammer uses a domain name that may or may not exist but is not related to the IP, or nothing at all.<br>Here's one with a fake domain name (the name exists but there is no server running under it) with an IP belonging to Telenet in Bulgaria<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Received: from unknown (HELO coy.slivnica.com) (213.169.59.20)</font><br><br>In this one the server identifies itself as Yahoo Argentina but the IP belongs to Cablevision Argentina (cable TV and ISP)<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Received: from unknown (HELO yahoo.com.ar) (200.114.224.55)</font><br><br>This one has an empty HELO<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Received: from unknown (HELO) (68.161.93.166)</font><br><br>And this one, anything<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Received: from unknown (HELO 4736EC68) (221.168.136.188)</font><br><br>I think that this is a good point at which to control spam: all the receiving server has to do is check that the HELO declaration matches the IP of the sender. That alone would cut half of the spam, and some "legal" mail too.
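To make the reading order concrete, here is an added example (not the post's own code) that walks a Received: chain the way described above: it takes the spam headers quoted earlier, finds the first hop written by our own server (the author's server logs itself as "0" in that example), treats everything below it as unverified sender claims, and runs an offline sanity check of the HELO string against the logged IP. The whois and reverse DNS lookups the post does by hand are not performed here, and the `helo_verdict` classification and function names are my own.

```python
import re
from ipaddress import ip_address

# Header block quoted in the post above (newest hop first, continuation lines indented).
SPAM_HEADERS = """\
Received: (qmail 11191 invoked by uid 0); 30 May 2006 17:51:46 -0000
Received: from unknown (HELO 89-178-30-158.broadband.corbina.ru) (89.178.30.158)
 by 0 with SMTP; 30 May 2006 17:51:46 -0000
Received: by nyf15.pamico.com id 86jo739p33c9 for <user@server.com>; Tue, 30 May 2006 19:51:44 +0100 (envelope-from <BerniceClark@kertel.com>)
Received: (qmail 15334invoked from network); Tue, 30 May 2006 19:51:44 +0100
Date: Tue, 30 May 2006 19:51:44 +0100
Subject: Erection problems can be fixed Franklin
From: "Reyes" <BerniceClark@kertel.com>
To: user@server.com
"""

HELO_RE = re.compile(r"\(HELO\s*([^)]*)\)")
PEER_IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
BY_RE = re.compile(r"\bby\s+(\S+)")
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def received_lines(raw):
    """Return the values of all Received: headers, newest first, folded lines joined."""
    unfolded = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    return [l[len("Received:"):].strip() for l in unfolded if l.startswith("Received:")]


def parse_hop(value):
    """Extract the HELO string, the peer IP the receiver logged and the receiving host."""
    helo, ip, by = HELO_RE.search(value), PEER_IP_RE.search(value), BY_RE.search(value)
    return {
        "helo": helo.group(1).strip() if helo else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1).rstrip(";") if by else None,
    }


def helo_verdict(helo, ip):
    """Offline check of a HELO string: 'empty', 'not-a-hostname', 'ip-mismatch' or 'plausible'.
    'plausible' only means syntactically valid; whether the name really belongs to the IP
    needs a DNS/whois lookup, which this example deliberately does not do."""
    if not helo:
        return "empty"
    name = helo.strip("[]")
    try:
        literal = ip_address(name)          # HELO may be an address literal
    except ValueError:
        literal = None
    if literal is not None:
        return "plausible" if str(literal) == ip else "ip-mismatch"
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return "not-a-hostname"             # e.g. the bare "4736EC68" seen in the post
    if not any(c.isalpha() for c in labels[-1]):
        return "not-a-hostname"             # top-level label must contain a letter
    return "plausible"


def trace(raw, own_hosts):
    """Walk the chain from the newest line down to the first hop our own server wrote.
    Everything below that hop was supplied by the sender and cannot be trusted."""
    hops = [parse_hop(v) for v in received_lines(raw)]
    for index, hop in enumerate(hops):
        if hop["by"] in own_hosts and hop["ip"]:
            return {
                "peer_ip": hop["ip"],
                "helo": hop["helo"],
                "verdict": helo_verdict(hop["helo"], hop["ip"]),
                "unverified_hops": len(hops) - index - 1,
                # chronological order is the bottom of the header upward
                "chronological": [h["by"] for h in reversed(hops)],
            }
    return None


if __name__ == "__main__":
    print(trace(SPAM_HEADERS, own_hosts={"0"}))
    for helo, ip in (("coy.slivnica.com", "213.169.59.20"), ("", "68.161.93.166"),
                     ("4736EC68", "221.168.136.188")):
        print(repr(helo), "->", helo_verdict(helo, ip))
```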
But that's easy to fix; all they have to do is use a proper HELO.<br>Then we can raise the bar a notch and check that there's an MX record for the sender's IP, just to filter those who don't lie in the HELO declaration.<br>An MX record is an entry in a domain name database (DNS, the service that turns the names we understand into the IP numbers the network understands) saying where the server handling mail for a domain is.<br>All mail servers should have an MX record and most do. The problem is with huge mail services that have many servers, each handling either reception or delivery. Most likely the receiving servers have MX records but the sending ones don't. I still think that's easy to fix.<br>And then we can raise the bar yet another notch and start banning servers that don't lie in their HELO declaration, that match their IPs and that have an MX record, but spam like crazy.<br><br>Wouldn't it be nice?<br><br>Today we say goodbye to these users, may the ceiling fall on their heads<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">drmahmoudoffice@yahoo.fr<br>hamar1233@yahoo.co.uk<br>niclosedem@yahoo.co.in<br>john_wilson1947@yahoo.com<br>divinefoundation01@yahoo.com<br>legalmatterzng@yahoo.com</font><br><br>And a special dedication to my case officer, Inspector Jonhson. I guess that without his e-mail account I'm free from my e-arrest<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">inspectorjonhson_britishpolice@yahoo.co.uk</font></font><br><br>James Wolfenstein<br><br><br>I'm in trouble (2006-06-12)<br><font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">Today I had the most surreal Internet email related experience.
I'm under e-arrest!!<br>Here's the story.<br><br>In a previous post I've been talking about check scams, but it seems I fell into a new one that I didn't know about.<br>The scam works like this. You're offered a part time job as a "payment representative"; your job basically is to receive checks for this company, deposit them in your account, take your cut and send the remaining amount to the company by Western Union or Moneygram.<br>In the previous "modality" (Nigerian scammers love this word), the scammers do send you a check, which will bounce after you cash it and send the money. With this new "modality", they never send you one. They say they do, they scan the check for you to see, and after a while they come up with this new twist: the agent in charge of sending the check has been arrested for money laundering.<br>At first it is not a big deal, just a small misunderstanding, everything is being worked out, but there is this small problem that may get you in trouble. The agent has mentioned your name (he sang like a canary) and the police may want to investigate you; however their lawyers have everything under control, and by paying a small fine all will be settled. So you have to send the money for the fine and you can get it back from the next payment.<br>As you can imagine, I don't want to pay the fine. I had no choice but to turn myself in to the local police; I told my employer that I did and that the FBI is also interested in the case. They checked all the evidence I've got, all the email messages, etc. They are reporting to the Nigeria police department and I'm really confused about it, aren't they in the UK?<br>I thought that they'd get at least a bit curious about it, but these guys are real pros, not even the smallest reaction. They moved on with the script, I guess; they put some pressure on me and I didn't give in, so they called the UK police to take over.
And they did. Inspector Johnson Johanson mailed me from a Yahoo free mail account and (I assume) put me under e-arrest.<br>The hilarious part of all this stupid story is that I've been read my Miranda rights by the UK police over email.<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Dear James,<br>You have the right to remain silent as whatever you say will used against you.<br>We are working in collaboration with your government.<br>We are out for you. I have given an option to your partner in crime and both of you refused to cooperate.<br>Please be aware that Mr Imodu Innocent is right here under out custody and has made conffessional statement as regard your ilicit deal with Mr Jones.<br>Please cooperate and get freed.</font><br><br>Maybe there's a Miranda act in the UK that I don't know about, but my guess is that these idiotic morons are spending too much time in front of the tube.<br><br>Anyway, my plan was to get some checks, and now that I see they're not going to send any it is time to close shop and move on.<br>Darn scammers, they're not even good for having some fun.<br><br>Today we say goodbye to:<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">nelsonatems@yahoo.com<br>barristeranthony@walla.com<br>un.project_2006@yahoo.com<br>ayalasystem@yahoo.com<br>ecpromo1@yahoo.co.uk<br>linux_bankplc@linuxmail.org<br>emmanuel_agent044@yahoo.co.uk<br>emmanuel_agent04@yahoo.co.uk<br></font><br>May their e-souls rest in hell...</font><br><br>James Wolfenstein<br><br><br>I WON! I WON! (2006-06-08)<br>
Here's my winning certificate.<br /><br /><div style="text-align: left;"><a href="http://photos1.blogger.com/blogger/1387/3101/1600/WIN.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://photos1.blogger.com/blogger/1387/3101/320/WIN.jpg" alt="" border="0" /></a>I'm sorry, but I've never won anything in my life. Even knowing that it's not true, I don't know, it makes me feel all excited.<br />Anyway, you can see that the scammers are pretty good at Photoshop (or whatever they're using; I'm into GIMP). The text usually is poorly written and utterly stupid, like a death certificate I received once saying that "...the deceased has died...", just like that. No cause of death, no nothing. The document was as decorated as my winning certificate, but in the end it only said "...the deceased has died...".<br />To compensate for the poor content, they make these documents huge in size. My original winning certificate is 1513 x 1169; I scaled it to spare you a 3 minute page download.<br />That's all.
I'm sure I don't have to tell you that it doesn't matter how many certificates they send you, you haven't won a lottery and you never will unless you go and buy a ticket.<br /><br /></div><br /><br />Today we say goodbye to:<br /><br /><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">microsoftwordgateway@yahoo.co.uk<br />smithnet202@yahoo.co.nz<br />un_lottery103@yahoo.com<br />haj4555@yahoo.com<br />suzzy2williams@yahoo.co.uk<br />claimsverifiercentre@yahoo.co.uk<br />john_55moore@yahoo.fr<br />ruth_garang11@yahoo.co.uk<br />m2_lindax@yahoo.com<br />engr_umaru.umar239@yahoo.com<br />monicagezi_7000@yahoo.com<br />albertgregfudiciaryagent@yahoo.com<br />smithnet101@yahoo.com<br /></font><br /><br />James Wolfenstein<br /><br /><br />Hook, line and sinker... (2006-06-05)<br /><font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">Here's a list of phishing links from the last week. This is the list of the URLs where you're sent when you click on the link the phishing message offers you.
This URL is hidden inside the code of the message this way<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2"><a href="http://3417902702:12345/webscrr/index.php"><br>https://www.paypal.com/cgi-bin/webscr?cmd=_login-run<br></a></font><br><br>The second line is the text you see in the message; the href value on the first line is the URL you're taken to.<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2"><a href="http://provis.pbro.moph.go.th/paypalDLLUPDATE/index.html"<br> onmouseover="a('https://https://www.paypal.com/cgi-bin/webscr?cmd=_login-run');return true"<br> onmouseout="b()"><br>https://www.paypal.com/cgi-bin/webscr?cmd=_login-run<br></a></font><br><br>This is a more sophisticated version: you're not only fooled by the text of the link. When you put your mouse over a link, some browsers show the real link you're going to. With this little JavaScript, a tooltip appears showing you the fake URL again. The real link will show anyway (depending on your browser and its settings) in the bar at the bottom of the window.
But having the tooltip open in front of your eyes will divert your attention.<br><br>And here's the list<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">http://wmail.namliong.com.tw/~kevin/www.paypal.com/update/cgi-bin/index.htm<br>http://218.54.71.27/ebay/ws/eBayISAPI.dll.html<br>http://gheghehackingstyle.com/index.php<br>http://203.115.11.234/.paypal-sk/update-paypal/cgi-bin/secure/login/login.html<br>http://3631585476/pennfence/catalog/images/.secure/.server/.www.paypal.com/<br>.cgi-bin/us/webscr.php?cmd=_login-run<br>http://3417902702:12345/webscrr/index.php<br>http://164.125.38.52/webscr/cgi_bin=secure_login/<br>http://www.chaika-plaza.ru/icons/www.paypal.com-nRg/cgi-bin/webscrcmd_login.php<br>http://www.aafe.cn/img/Protect.html<br>http://220.227.132.138/.cgi-bin/.webscr/secure-login/%20/%20/.paypal.com/index.htm<br>http://65.120.152.239:81/webscr/index.php<br>http://flykingmail.com/images/paypal/error.html<br>http://221.134.127.10/.paypal-sk/update-paypal/cgi-bin/secure/login/login.html<br>http://hsbc-uk.110mb.com/1/2/personal/pib-home/<br>http://24.169.138.210/fnb/</font><br><br>As you can see, there's a little bit of everything. Let's take a closer look at some<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">http://wmail.namliong.com.tw/~kevin/www.paypal.com/update/cgi-bin/index.htm</font><br>Namliong.com.tw exists and (I hope) is a legitimate site; the address is the one of their webmail server. We can assume that a disloyal employee named Kevin is using his system privileges to set up the phishing page under his user directory (~kevin). I'll never know; the page is down now, but there was no way to contact Namliong. I reported it to the hosting service and the owner of the IP block; I guess one of them contacted Namliong and they deleted the page.<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">http://gheghehackingstyle.com/index.php</font><br>Believe it or not, this page was hosted by Yahoo.
Someone actually paid to have this space available and used it for the phishing page. Why is that so unbelievable? Because the chances of a phishing page surviving for an extended period of time are pretty low. As a matter of fact, Yahoo took it down immediately. And not only the page: Yahoo was the domain name registrar and deleted the record. So, if you want the name <font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">gheghehackingstyle.com</font>, hurry up. It's available now.<br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">http://hsbc-uk.110mb.com/1/2/personal/pib-home/</font><br>A different case of hosting: 110Mb is a free hoster. Something more reasonable if you don't expect the page to stay up for long. But no safer than Yahoo; 110Mb acted as fast and the page is gone.<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">http://3631585476/pennfence/catalog/images/.secure/.server/.www.paypal.com/<br> .cgi-bin/us/webscr.php?cmd=_login-run<br>http://3417902702:12345/webscrr/index.php</font><br>Weird IP, isn't it? The IP number is there, but in a format that a screening program wouldn't understand (unless it is aware of this). The first page is gone but the other is still alive if you want to check it out. So how does this format work? Take the first one, 3631585476; if you turn it into hexadecimal you'll get D87598C4. You can do that with the Windows calculator in scientific mode: enter the number in Dec mode and switch to Hex mode. Any number in this format will give you 8 hexadecimal digits; now take them in groups of 2 and convert each group to decimal again. D8 is 216, 75 is 117, 98 is 152 and C4 is an explosive... sorry, 196. Ok, now you have deobfuscated the address and can use either form. Try using one and then the other; this page is hosted at Geminios and if you do you'll get redirected to their 404 (page not found) page.
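Both tricks shown in this post, the href that differs from the visible link text (with a handler on mouseover) and the IP written as a single decimal number, can be checked mechanically. The following is an added example, not code from the post: it decodes any numeric host form a browser accepts (the decimal dword explained above, and also the hexadecimal and octal spellings, which the post does not cover) and audits the anchors of a mail body, using the two anchors quoted earlier wrapped in a constructed HTML snippet; the warning texts and function names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed mail body: the first two anchors are the ones quoted in the post, the third
# is a harmless control link.
SAMPLE_MAIL = """<p>Please confirm your account:
<a href="http://3417902702:12345/webscrr/index.php">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
</a>
<a href="http://provis.pbro.moph.go.th/paypalDLLUPDATE/index.html"
 onmouseover="a('https://https://www.paypal.com/cgi-bin/webscr?cmd=_login-run');return true"
 onmouseout="b()">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
</a>
<a href="https://www.paypal.com/">PayPal home</a></p>"""

NUMERIC_PART = re.compile(r"0[xX][0-9a-fA-F]*|\d+")


def _part_value(part):
    """Decimal, 0x-prefixed hex or leading-zero octal, the way browsers read IPv4 parts."""
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host):
    """Dotted-quad form of a numeric host ('3631585476' -> '216.117.152.196'),
    or None when the host is not a browser-accepted numeric IPv4."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(NUMERIC_PART.fullmatch(p) for p in parts):
        return None
    try:
        values = [_part_value(p) for p in parts]
    except ValueError:                       # e.g. '09' is not valid octal
        return None
    if any(v > 255 for v in values[:-1]):    # leading parts are single bytes
        return None
    missing = 4 - len(parts)                 # the last part fills the remaining bytes
    if values[-1] >= 256 ** (missing + 1):
        return None
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << (8 * (missing + 1))) | values[-1]
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


class LinkCollector(HTMLParser):
    """Collect href, visible text and onmouseover for every <a> in a mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {"href": a.get("href") or "", "text": "",
                             "onmouseover": a.get("onmouseover")}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join(self._current["text"].split())
            self.links.append(self._current)
            self._current = None


def audit_link(link):
    """Return the warnings for one anchor (empty list when nothing looks wrong)."""
    warnings = []
    real_host = (urlsplit(link["href"]).hostname or "").lower()
    decoded = canonical_ipv4(real_host)
    if decoded and decoded != real_host:
        warnings.append(f"numeric host {real_host} decodes to {decoded}")
        real_host = decoded
    if re.match(r"https?://", link["text"]):   # text that looks like a URL must match
        shown_host = (urlsplit(link["text"]).hostname or "").lower()
        if shown_host != real_host:
            warnings.append(f"text shows {shown_host} but href goes to {real_host}")
    if link["onmouseover"]:
        warnings.append("onmouseover handler may overwrite the status bar/tooltip")
    return warnings


def audit_mail(body):
    """Parse a mail body and return [(href, warnings), ...] in document order."""
    collector = LinkCollector()
    collector.feed(body)
    return [(link["href"], audit_link(link)) for link in collector.links]


if __name__ == "__main__":
    for href, warnings in audit_mail(SAMPLE_MAIL):
        print(href, "->", warnings or "ok")
```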
Or try <font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">http://3631585476/pennfence</font>; this is Penn Fencing Inc, the legal owner of the site. In this case the site was hacked, most likely due to a management interface vulnerability.<br>The second page is inside the site of a company named Leader Smart in Hong Kong. According to them <font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">"Leader Smart (Hong Kong) Limited is a young progressive firm committed to providing information technology solutions"</font>. However, they don't seem to be good at keeping their own site safe... or it's part of the business. I've sent them many messages about this and they didn't even care to answer.<br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">http://www.chaika-plaza.ru/icons/www.paypal.com-nRg/cgi-bin/webscrcmd_login.php <br>http://www.aafe.cn/img/Protect.html</font><br>Two more hacked sites, at least I think so. The first one seems to be a Russian commercial building. The other is <font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">"The academy of armoured force engenering"</font> (sic).
And even with the scary front page, with all the cannons aiming at you, it was hacked.<br><br>Today we say goodbye to the following mail users<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">Victorialuis@yahoo.com<br>fudiciaryagentwilliamcole@yahoo.com<br>mariam4555@yahoo.com<br>alui_isa17@hotmail.fr<br>eclubspromo1@yahoo.co.uk<br>austlottoagentclock@yahoo.com<br>monicagezi_7000@yahoo.com<br>engr_umaruumar239@yahoo.com<br></font> </font><br><br>James Wolfenstein<br><br><br>Money for nothing - Do you accept checks? (2006-06-02)<br><font style="font-family: Tahoma,Arial,Helvetica,sans-serif; color: rgb(0, 0, 0);" face="Tahoma" size="2">I love that song (Dire Straits). It is also the reason why scams work so well (for the scammers).<br><br>The key to a good scam is to make the bait tasty and easy to get. Some of the most common are:<br><br>- Some member of a government in Africa or the Middle East has money (millions) stashed somewhere. He/she needs your help to transfer it to your country; you'll get xx% for your help (but you have to pay the expenses).<br><br>- A dying person repents for being so selfish all his life and wants you to take his money and give it to charities (you have to pay for the transfer).<br><br>- A religious group wants some money to build a church, feed the poor, etc. I usually forward to them the messages from the dying guy.<br><br>- A bank officer finds out that an account is about to be closed because its owner died in a car accident with all his close family, relatives, friends and neighbors (heck of a car). The account has a balance of several millions and your last name (what a surprise) is the same as the dead guy's. You can pose as a distant relative and cash all of it (paying the expenses).<br><br>- Job offer!! Who would reject a good job offer?
Nothing to do but cash checks and get your cut. Sweet deal.<br><br>This is the one I want to talk about today, because there's been an increase in the number of these offers. It is a surprise for me because it is not like the other scams; you need more preparation for this one, you need the checks and they have to be good enough to be deposited.<br>But let's start from the beginning. The trick works like this: for whatever reason, they'll send you checks. They can't deposit them themselves, for the lamest excuses you could imagine; it doesn't matter. The point is that it is a lot better for them if you deposit them, get the money, take your cut (usually 10%; if you get this offer, ask for more) and send the rest by Western Union or Moneygram.<br>The check will bounce (obviously) and the bank will want its money back (but we're talking about your money now). It is hard for me to understand how it works in the USA; in my country no bank would give me the cash before the check is completely cleared. Anyway, it works and that's why the scammers are doing it. This trick is common too in online auctions, with a twist. The scammer buys from you and sends you the money up front, not because he trusts you, just because he's eager to get the scam rolling. The check exceeds the amount you asked for; he blames his secretary, wife, whatever, who mixed up the checks and sent you the one meant for Mr X. But you don't have to worry about it, he trusts you so much that he'll let you cash the check without sending the goods. All he wants in return is for you to do him a little favor and send the excess to Mr X (himself). You send the money, the check bounces...<br><br>The scam is getting popular now and I wonder why; how do they get all the checks?<br>I've got about 10 in the last 2 weeks and they were all from the UK. Unfortunately I reported the mail addresses of some and lost contact with them. I'm enrolling a couple to see how it works.
Not sure what to do with the checks though; if I deposit them I may be committing a crime.<br>I've tried the UK police, I thought they would be interested. If they can see the crime in progress they can trace the scammers and be in control all the time. I have their phone numbers too, all cell phones though.<br>But the police said no, report to the local authorities and stay away. Something I can't do: the local authorities don't want to take a report of a crime not committed yet in a place outside their bailiwick. And the crime is not going to happen because I'm not going to do it. Worse yet, it will happen when and where the police are not looking, and by then it will be too late. An innocent person will get hurt and turn into a guilty one, the scammer will get his money and walk away.<br><br>I'll keep trying; at least if I make them send the checks anywhere and they get lost, it is the scammer's loss.<br><br><br>Today we say goodbye to the following mail users (scam mail accounts closed by Yahoo for TOS violation)<br><br><font style="font-weight: bold; color: rgb(0, 0, 102);" size="2">dan7000b@yahoo.fr<br>dianenet101@yahoo.com<br>gov_prof_soludo_charles_cbn01@yahoo.com<br>mathew_alfred2004@yahoo.it<br>uhunu01sandra@yahoo.co.in<br>db_rown@yahoo.com<br>barristeralexduke1@yahoo.com<br>fredrickalworld@yahoo.com<br>engr_umaruumar239@yahoo.com</font></font><br><br>James Wolfenstein