Tuesday, May 31, 2005

Offshore Firms Handling US Privacy Data

(Picture credit http://www.esecretary.net)
In early May, I noted Northwestern Mutual's new policy of opening customer data to offshore contractors. The announcement, made at Gartner's Outsourcing Conference, said that offshore contractors would have access to sensitive customer data in order to increase cost savings.

Security measures?

...Beyond secure lines and dumb terminals, the company insisted that Infosys put additional physical security measures in place. A guard is posted on the floor of the Infosys facility where Northwestern Mutual's work is performed, and employees aren't allowed to take any documents or media with them after they clock out...

Offshoring Management notes, as we did, that Northwestern Mutual has not notified customers of their new data-sharing practices:

...Northwestern’s terminals are even more restrictive than the terminals of yesteryear. They do not allow users to alter, record, or print the data they see on their monitors. The Indian workers are connected to Northwestern’s servers in Milwaukee via high-speed lines. They can monitor and test the company’s applications and perform maintenance operations but they can’t record or manipulate sensitive client data. Northwestern’s CIO Barbara Piehler told TechWeb that the company came up with the plan because it was not maximizing its savings from offshoring. As part of the plan, IT service workers are not allowed to take any documents or media with them at the completion of their shift, so the company also requires its contractor, Infosys, to post guards on the floors where its sensitive applications are serviced. Northwestern does not inform its customers that their personal information is being viewed by IT workers a world away. “It’s just the way we do business now,” Ms Piehler told the publication.

Northwestern Mutual still teeters on the precipice of a major security debacle. Consider a malicious employee at the offshore firm who is able to record U.S. identity data (SSN, name, birth date, etc.) using pen and paper, secrete it on their person and then sell it.

Short of physically searching every outsourced worker on the way out the door, identity theft from these venues is all but certain.

The data kidnappers

(Picture credit http://www.n-tv.de)
The previous post references Bruce Schneier's discussion of "data kidnapping" malware. As reported by CNN, this malicious payload encrypts files on the victim's computer and then "holds the files hostage". A ransom note is prominently displayed on the PC; it includes an email address and a demand for $200 for the decryption key.

One of the blog comments noted the history of these sorts of "data kidnappers":

On Slashdot, there was mention of the "Casino.2330" virus that existed years ago. This virus erased the FAT (file allocation table) from the disk after copying it into memory. The virus then displayed a slot machine game and invited the user to play. The user had to win the game for their FAT to be restored. See http://www.avp.ch/avpve/file/c/casino.stm.

In 1989, a mailing consisting of a floppy disk and a license was sent to 20,000 recipients. The software on the disk provided an assessment of the user's risk from HIV/AIDS. Users were encouraged to install the software. However, a hidden mechanism in the software would encrypt and hide files on the user's system after a delay had passed. The included license warned (in very small print) of "most serious consequences" for violating the license. Users were supposed to send a license fee to a PO box in Panama for "PC Cyborg Corporation." A one-off license cost $189 and a lifetime license cost $378. Those who paid the license fee would receive a "renewal software package." The originator of the software was located but was found unfit to stand trial. See the "AIDS Diskette" entry at http://www.virusbtn.com/resources/malwareDirectory/about/history.xml.

[Regarding extortion] ...There was an incident where an individual was trying to extort money from a dairy company. They had already carried out an act of product tampering against this company. The individual demanded that bank card details for an account be embedded in an image file. This image file was to be posted on a public web site. Sometime afterwards, the image file was downloaded via an anonymity proxy service. However, the anonymity service cooperated and identified the individual who had downloaded the image. See http://www.theregister.co.uk/2004/03/24/dutch_internet_blackmailer_gets/


Monday, May 30, 2005

Schneier on Internet attacks

Four key sentences in Bruce Schneier's latest:

Internet attacks have changed over the last couple of years. They're no longer about hackers. They're about criminals. And we should expect to see more of this sort of thing in the future.

Two-Factor Authentication won't stop Phishing

Picture credit: http://www.sachsreport.com
The Association for Payment Clearing Services (APACS), a banking industry organization, is putting the final touches on its plan to make online transactions "secure". Their approach uses two-factor authentication.

Two-factor authentication (TFA) combines "something you know" with "something you have." The classic embodiment of TFA is an RSA SecurID token: it holds a secret seed and displays a code derived from that seed and the current time, and the user submits the code together with a PIN. The server, which holds the same seed, computes the expected code for the current time window and compares. A code that is captured and replayed after the window has passed won't work.

What's driving the adoption of TFA? And, more importantly, will it work?

To answer the first question, one need only read this blurb from Finextra:

BoA is currently embroiled in a legal challenge from a Miami businessman over $90,000 he says was stolen from his online banking account by Latvian cybercriminals. He says the thieves authorised a wire transfer out of his account using access details acquired by a Trojan keylogging device on his infected PC.

Under some circumstances, TFA will help repel key-loggers that capture users' sign-in names and static passwords. The crooks won't be able to save the one-time code for later use.

But a key-logger (or any malware on the PC) can just as easily report the code to the bad guy the instant it is typed, or open a session with it itself. The bad guy merely needs to man his computer, waiting for these time-sensitive notifications and using each code before it expires. Once he has a live session, he's still free to perpetrate the same kinds of criminal acts that static passwords facilitated.

Will Two-Factor Authentication Help Fight Phishing?

Bank of America has announced a system that they believe will, if not prevent, then dramatically reduce phishing:

The service will also provide customers with a way to confirm that the bank Web site they visit is legitimate. The PassMark is displayed during log in to a banking site and if the image is correct customers will know the site is genuine and that it is safe to enter passwords.

I'm not sure I see much of a benefit to these measures. In an earlier, more complete critique, I summarized some of its problems.

Basically, the new BofA measures appear susceptible to a simple man-in-the-middle attack. That is, a phishing site -- a false store-front, if you will -- can simply act as a proxy server to capture a victim's authentication data. If the BofA site presents a special image or a custom challenge, the "evil proxy" just relays that information to the victim.

The victim can't tell the difference between the proxy and the real site (after all, it looks correct!). Therefore, the victim provides the evil proxy with suitable sign-in data, the proxy relays it to the BofA site, and the phisher has now hijacked the session.

The only benefit I can deduce in BofA's new approach is time-sensitivity. That is, the hijacked session is only valid for a relatively short period of time. Thus, the phisher has to man a control computer, waiting for successful hijackings. The static sign-in ID and password are no longer quite as useful as they once were.

A longer-term approach? Customer education is paramount. I've also proposed an anti-fraud checklist that a financial institution could place on their website. This checklist would make it considerably tougher for a phisher to construct a false store-front.

That said, I don't think there are any silver bullets that can rid us of the phishing problem once and for all. The BofA approach is a baby step in the right direction, but many vulnerabilities remain.

Hacking phishing sites

Picture credit: http://news.bbc.co.uk
The latest development in the war on phishing: vigilante hackers are defacing the phishers' false store-fronts. It's an interesting idea, though probably illegal in most jurisdictions. The vigilante hackers are likely using the same exploits the phishers employed.

The ironic upshot? The phisher now must consider patching any vulnerabilities on a target machine to ensure the store-front doesn't get defaced! Who'd have thunk it - phishers patching machines to remove vulnerabilities...

Call them modern Robin Hoods, hackers who use their skills to take down Web sites used in phishing scams. Several sites that at one point hosted fraudulent Web pages designed to trick users into giving out personal data have been defaced, according to Netcraft, an Internet services company in Bath, England.

The hackers replaced the phishing sites with a warning page. Netcraft has posted several screenshots of purported defaced phishing sites.

Phishing sites often are hosted on hacked Web servers. It appears the defacers used the same server weaknesses that were exploited by the phishers to remove the phishing Web sites...

News.com: Hacking Phishing Sites

Sunday, May 29, 2005

Phishing: How Banks can Fight Back

True to yesterday's promise, here are several suggestions for banks to more effectively combat the scourge of phishing. If you're unfamiliar with the 'phishing' concept, please refer to this primer. In short, phishing emails claim to be from a reputable financial website and encourage the victim to sign-in. The phisher puts up a false "store-front" that appears to be the real financial website and then captures the victim's sign-in data. The phisher then uses the victim's sign-in for a variety of nefarious purposes including theft of funds, identity theft, etc.

Yesterday's post discussed the pros and cons of Bank of America's new SiteKey anti-fraud measures. I gave BofA a C on their report card, primarily because their countermeasures could be spoofed by a false store-front smart enough to proxy the user's transactions.

In other words, BofA's SiteKey could be effectively defeated by a false store-front that accepted the user's log-in data, proxied it to the real site, and then presented the real site's page and images back to the user as if it were genuine.

Pictured above is how I think BofA's website should appear to the end-user. Note the topmost banner, which is a dynamically generated image. It consists of a checklist that users should read before signing in. I suspect most users would actually check this out due to its prominence on the page.

Here's how it works. The user would enter an online ID (user name) on the initial screen - there would be no password, PIN, or other truly 'secret' data entered on the first page. The screen pictured above would be the second page of the sign-in. The anti-fraud checklist on the topmost banner consists of three items. Let's review each.

1) The first line reads If your address bar does not read https://www.bankofamerica.com DO NOT SIGN IN. The address in the address bar -- the simplest anti-fraud measure -- is seldom noted on financial websites. It's the most crucial element in combatting phishing. If the address bar doesn't match up... don't sign in! It's... just... that... simple.

2) The second line reads You appear to be signed in from Sandy Springs, GA USA. If that's not correct DO NOT SIGN IN. The physical location that the customer appears to be connecting from can be deduced (in most cases) from the source IP address of the connection. A geographic IP address lookup generates this sentence. This exposes a false store-front that acts as a proxy: the bank sees the proxy's connection, not the victim's, so a store-front brokering requests to the real site would yield the proxy's location (Taiwan, Russia, etc.). A false store-front would therefore have to look up the victim's location itself and paste it into a dynamically created image 'on the fly'. Do-able, but considerably more difficult.

3) The third line reads A recent check number that you wrote was 2046. If that's not correct DO NOT SIGN IN. A shared secret (in this case, a recent check number) is used to further authenticate the genuine site to the user. The bank will have the customer's recently cleared check numbers. The phisher won't.

Yes, a dedicated and tech-savvy phisher could construct a false store-front that proxies the initial sign-in page, grabs the resulting JPEG, looks up the geographic location from the IP address, pastes that in (while matching fonts)

But critical to this checklist is the fact that the typeface (font face) is chosen randomly. Now, the typeface will be consistent for the three items on each banner, but the typeface will vary randomly for each sign-in. Thus, if the false store-front goes to the trouble of painstakingly constructing the checklist itself, it will also have to match fonts to stick the correct location into the image.

The randomly selected typeface makes cutting and pasting text from the dynamically created image considerably -- considerably -- more difficult for the phisher! And interspersing a shared secret (the check number) ensures that the false store-front must (a) proxy the transaction, (b) compute the victim's real geographic location; and (c) match typefaces correctly in order to make the false storefront realistic.

That's quite a task.

Thus, we've turned the sign-in process into a bit of a captcha problem for phishers. I don't think this approach would be easy for the bad guys to defeat... but feel free to poke holes in this strategy, using the comments link.
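As an added example that is not part of the original post, here is how the second sign-in page could produce that banner, and where the relay that defeated SiteKey shows up. The geo-IP table, the customer's check numbers and the online ID are constructed; the typeface list stands in for whatever fonts the image generator has (the image rendering itself is left out). One addition beyond the post: when the entered ID is unknown, the page still produces a banner with a decoy check number, so page two cannot be used to find out which online IDs exist.

```python
import ipaddress
import secrets

BANK_URL = "https://www.bankofamerica.com"

# Constructed geo-IP table (documentation prefixes, not real allocations).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "Sandy Springs, GA USA",
    ipaddress.ip_network("198.51.100.0/24"): "Taipei, Taiwan",
    ipaddress.ip_network("192.0.2.0/24"): "Moscow, Russia",
}
TYPEFACES = ["Georgia", "Verdana", "Courier New", "Palatino", "Trebuchet MS"]
# Constructed customer data: recently cleared check numbers per online ID.
RECENT_CHECKS = {"jsmith": [2044, 2045, 2046]}

_rng = secrets.SystemRandom()


def locate(client_ip: str) -> str:
    """Where the TCP connection appears to come from, per the geo-IP table."""
    addr = ipaddress.ip_address(client_ip)
    for net, place in GEO_TABLE.items():
        if addr in net:
            return place
    return "an unknown location"


def checklist(online_id: str, client_ip: str) -> dict:
    """The banner for page two: three lines, one typeface chosen per sign-in."""
    checks = RECENT_CHECKS.get(online_id)
    if checks is None:
        checks = [_rng.randint(1000, 9999)]  # decoy: unknown IDs get a banner too
    return {
        "typeface": _rng.choice(TYPEFACES),
        "lines": [
            f"If your address bar does not read {BANK_URL} DO NOT SIGN IN.",
            f"You appear to be signed in from {locate(client_ip)}. "
            "If that's not correct DO NOT SIGN IN.",
            f"A recent check number that you wrote was {_rng.choice(checks)}. "
            "If that's not correct DO NOT SIGN IN.",
        ],
    }


def relayed_checklist(online_id: str, proxy_ip: str) -> dict:
    """The false store-front forwards the victim's ID to the real site, but the
    bank's connection comes from the proxy, so the location line names the proxy."""
    return checklist(online_id, proxy_ip)


def location_line_matches(banner: dict, where_i_really_am: str) -> bool:
    """What a customer who reads line 2 checks before typing a password."""
    return where_i_really_am in banner["lines"][1]
```

Line 2 is the one the relay cannot forward unchanged, which is why it carries the weight; a phisher who proxies through a host in the victim's own city, or who rewrites the banner, gets past it, so it narrows the attack rather than ending it.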

Defusing Nuclear Terror

Picture credit: http://www.nationalterroralert.com
Highly interesting -- and nerve-wracking -- reading from the Bulletin of the Atomic Scientists regarding the history of nuclear terror threats and the founding of the Nuclear Emergency Search Team (NEST).

...in the summer of 1972, the terrorist group Black September seized, and ultimately murdered, nine members of the Israeli Olympic team. Among those who became seriously concerned over the prospect of nuclear terrorism was James Schlesinger, then chairman of the Atomic Energy Commission (AEC). He held a series of meetings exploring whether terrorists could steal plutonium and make a bomb with it, whether they could steal a bomb, and whether the United States would be able to locate it. In 1974, while those issues were being considered and investigated, the FBI received a note demanding that $200,000 be left at a particular location in Boston or a nuclear device would be detonated somewhere in the city. This note was not part of an exercise, but the real thing (New York Times Magazine, December 14, 1980).

William Chambers, a Los Alamos nuclear physicist who was studying the detection issue, was instructed by the AEC and FBI to assemble the best team he could and head for Boston to search the city. The operation reflected its ad hoc origins. The group rented a fleet of mail vans to carry concealed equipment that could detect the emissions of a plutonium or uranium weapon. But the team found that they did not have the necessary drills to install the detectors in the vans. NEST field director Jerry Doyle recalled, "If they were counting on us to save the good folk of Boston . . . well, it was bye-bye Boston." ...

Bulletin of the Atomic Scientists: Defusing nuclear terror

Throw Bolton Under the Bus

Hugh Hewitt, writing in the World, exposes John McCain as a simple, publicity-seeking missile headed directly towards the 2008 primaries. That he underestimated the rage of the GOP base at his so-called "deal" is certain. Less certain is what will become of John Bolton, now that filibusters are to be used only for "exceptional" circumstances.

...great Americans can be lousy senators and terrible Republicans, and once again Mr. McCain has proven to be both. He has now done for the judicial nomination and confirmation process what he did for campaign finance reform. He brought the country George Soros and the scourge of the 527s, and with his leadership on the deal that threw at least two of George Bush's nominees under the bus in exchange for the most ambiguous of promises, the senator has once again turned his back on a core constitutional value in order to advance his own agenda...

In the old days, when the Democrats controlled both the Senate Judiciary Committee and the White House, the GOP uniformly accepted the President's judicial nominations. Now that they are in a decided minority, the Democrats have embarked on a course of wanton obstructionism. That such a course is unwise can be confirmed by one Tom Daschle, ex-communicated by South Dakotans.

If the Democrats want to control judicial nominations, here's a suggestion (paraphrasing Hugh Hewitt): win some elections for a change.

Hugh Hewitt: A house on fire

Are you free, woman? Take this fun, easy quiz!

Picture credit: http://www.amitiesquebec-israel.org
The crew at Pow3rline points us to this exceptional shredding of Erica Jong at, of all places, the Huffington Post.

...I've never understood why women’s groups weren't out front cheering the wars against the Taliban in Afghanistan and Saddam Hussein's Iraq. Were there ever more feminist wars than these? You'd think the National Organization for Women would be egging the administration on to Saudi Arabia and Iran. But no, and for the same reason that organized feminists have refused to applaud George Bush’s historic appointments of women to positions of high office, including most recently his nomination of two women, one of them black, to appellate judgeships. Bush is a Republican. The organized feminists are Democrats. It's as simple as that.

Still, I wouldn’t think the feminist worldview could be quite SO simple as to equate the oppression of women who live under repressive and murderous regimes in the Islamic world with the condition of women in the United States. For HP bloggers and readers who have trouble telling the difference, I’ve prepared the following quiz:

1. Are you allowed to drive a car? Y/N
2. Must you be accompanied at all times in public by a male escort? Y/N
3. If you were to say "what the hell" and drive to the mall by yourself, would you be immediately surrounded by bat-wielding male police officers? Y/N
4. Could you be beaten for saying “what the hell”? Y/N
5. When you go outside on a hot summer day, can you wear shorts and a t-shirt? Y/N ...

As Frontpage Magazine points out, stoning a woman to death in Iran is not illegal; but using the wrong-sized stone is.

It should go without saying - read both articles.

Danielle Crittenden: Are you free, woman? Take this fun, easy quiz!

Banafsheh Zand-Bonazzi: Tehran's Killing Fields

Saturday, May 28, 2005

Bank of America takes on cyberscams: a report card

Picture credit: http://www.pbs.org
The Bank of America will be rolling out a series of anti-fraud measures to combat the wave of phishing attempts roiling cyberspace.

Let's take a look at some of their new, and hopefully improved, anti-phishing countermeasures:

When people register for SiteKey, they pick an image from a list and type in their own phrase to be associated with their account. When they enter their login name and hit the SiteKey button on the Bank of America site, that same image and phrase are displayed in response, Gupta said. This verifies that the user is in fact on the real Bank of America Web site, he said.

Let's break this down. You visit the BofA site and enter your login name. The BofA site displays your personal, pre-selected image (say, a picture of your hero, John Bolton). You examine the image and decide that it's correct, so you enter your password. *Voila* - a fraud-proof login? Or is it?

It certainly renders the typical false store-front approach more difficult. In the past, the phishers only needed to put up a welcome-and-login page, capture the credentials at login time, and redirect the victim to the proper site.

But a new, "improved" phishing storefront approach is still feasible with SiteKey. Consider the following sequence of events:

1) Phishing site presents a false store-front to victim
2) Victim enters login name at false store-front
3) Behind the scenes, false store-front visits real site, enters victim's login name at real site, and captures returned web page, SiteKey image, etc.
4) False store-front now presents victim with its captured web page and SiteKey image
5) Victim verifies image and enters password into false store-front
6) False store-front notifies crook that a valid session is active

In other words, the false store-front simply brokers a bit more of the authentication sequence transpiring between the victim and the genuine site. Put simply, this is just a minor technical challenge for the phishers.

Personal image countermeasure - Grade: C, primarily for the effort... not the effectiveness.

In another feature, SiteKey links the customer's PC to the online banking service. If the service is later accessed from a different computer, the account holder is prompted to answer one of three previously selected challenge questions... Additional PCs, such as an office computer, can be linked to the bank's Web site so a customer doesn't have to keep answering challenge questions.

There are really two ways that BofA could "tie" the customer PC to the site: via source IP addresses or via cookies. IP addresses are problematic. A customer using AOL, for instance, can appear to be coming from multiple IP addresses, all in one transaction. This is the case because AOL uses an entire bank of proxy servers to broker web traffic for its customers. So I suspect IP addresses would not be suitable for "tying" the PC to the bank.

Cookies are the more likely candidate. Once the user successfully performs a "full login" (complete with challenge/response), a cookie is delivered to the PC to speed subsequent logins.

A couple of vulnerabilities with this approach: a cross-site scripting hack could deliver the real session cookie to the phishing site. Or, more likely, a false store-front would simply broker the full authentication sequence -- including the challenge -- thereby gaining access to the account.

Only a truly diligent customer would likely notice that extra challenge. I'm guessing that's less than 5% of the entire customer audience. And that's the only reason I'll give this countermeasure a slightly higher grade - the extra 5% of customers who'll notice something fishy.

PC-to-site tying countermeasure - Grade: C+
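On the cookie variant of "tying" a PC, here is an added example (my code, not anything Bank of America has published) of how a bank could issue such a device cookie without making it the easy target described above: the token is random, the server stores only its hash, and the cookie is flagged HttpOnly and Secure, so page script injected through a cross-site scripting flaw cannot read it and it never travels over plain HTTP. Note what the flags do not fix: a false store-front that relays the whole challenge/response sequence still gets in, exactly as the post says; the cookie only decides whether the challenge is asked. The cookie name and user ID are constructed.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "device"  # constructed name


class DeviceBinding:
    """Remembers a PC after a full login (password plus challenge question) with a
    random token. The server keeps only SHA-256(token), so a copy of its table
    does not yield usable cookies."""

    def __init__(self):
        self.known = {}  # sha256(token) -> user id

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        """Returns the Set-Cookie header to send after a successful full login."""
        token = secrets.token_urlsafe(32)
        self.known[self._digest(token)] = user
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = token
        cookie[COOKIE_NAME]["httponly"] = True  # not visible to document.cookie
        cookie[COOKIE_NAME]["secure"] = True    # sent over HTTPS only
        cookie[COOKIE_NAME]["path"] = "/"
        return cookie.output(header="Set-Cookie:")

    def recognised(self, cookie_header: str, user: str) -> bool:
        """True if the request's Cookie header carries a token issued to this user."""
        cookie = SimpleCookie()
        cookie.load(cookie_header)
        morsel = cookie.get(COOKIE_NAME)
        if morsel is None:
            return False
        return self.known.get(self._digest(morsel.value)) == user

    def needs_challenge(self, cookie_header: str, user: str) -> bool:
        """The bank's rule: an unrecognised PC must answer a challenge question."""
        return not self.recognised(cookie_header, user)
```

The check is per user as well as per token: a token issued to one customer does not mark the same PC as "known" for a different login name, which matters on shared machines.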

In short, these are decent -- but half-hearted -- efforts at phish-fighting. I'll post some additional ideas regarding phish combat later.

Diversity in these approaches among the various financial institutions would be a good thing. With diversity, the phishers will need to build different infrastructure for each false-storefront. But build it they will, as the cyberwar between crooks and institutions continues unabated.

News.com: BofA takes on Cyberscams

Friday, May 27, 2005

George Galloway: Bluster and Fabrication

Picture credit: http://news.bbc.co.uk
You may remember George Galloway's testimony in front of the Senate committee investigating the UN Oil-for-Food debacle. In a manner more familiar from Parliament's House of Commons, the MP went on the offensive: blustering, accusatory, and piercing.

For a brief, shining moment, Galloway became an icon of the mainstream media/DNC (a singular noun). The San Francisco Chronicle went so far as to label him a "media hero".

Galloway's bluster couldn't obscure the facts, however. Galloway was in front of the Senate because he ran the controversial Mariam Appeal, which raised enormous amounts of money and then (apparently) disappeared. The Mariam Appeal, according to Seixon, was the political organization set up to "protest" the Iraq sanctions.

According to the Telegraph, Saddam's precious oil-for-food vouchers included the names of intended beneficiaries. Among the parties listed: Zureikat, Galloway and "Mariam's Appeal".

And, coincidentally, "Galloway moved the financial statements and other documents of the Mariam Appeal from the UK to the Middle East".

The seedy involvement with Oil-for-Food financier Zureikat was the question before the MP on the day of his testimony. Let's listen in.

SEN. COLEMAN: So Mr. Galloway, you would have this committee believe that your designated representative from the Mariam's Appeal becomes the chair of the Mariam's Appeal, was listed in Iraqi documents as obviously doing business, oil deals with Iraq, that you never had a conversation with him in 2001 or whether he was doing oil business with Iraq.

GALLOWAY: No, I'm doing better than that. I'm telling you that I knew that he was doing a vast amount of business with Iraq... He was an extremely wealthy businessman doing very extensive business in Iraq.

Not only did I know that, but I told everyone about it. I emblazoned it in our literature, on our Web site, precisely so that people like you could not later credibly question my bonafides in that regard. So I did better than that.

Galloway, knowing full well that his website was down, told the Senate committee that he had "emblazoned" on his website that his partner in the organization had extensive business dealings with Iraq and was a donator to the campaign. Thus he most likely believed that there would be no way to check if he was lying or not.

He couldn't have been more wrong.

Using an awesome website called the Internet Archive Wayback Machine, we can look up how the Mariam Appeal website appeared throughout the past few years. I'm fairly certain that Mr. Galloway was not aware of this, for if he was, I'm not certain he would have made the statements he made...

Seixon effectively tears Galloway's testimony to shreds... in a manner reminiscent of Genghis Khan. It would appear that Galloway's ersatz indignation was as genuine as his testimony. Which is to say his statements were as valuable as a Hillary Clinton three dollar bill.

It goes without saying: read the whole thing and suckle at the teat of wisdom.

Seixon: With all due RESPECT, Mr. Galloway…

Thursday, May 26, 2005

My Food Pyramid

I received startling news this week that an esteemed colleague had suffered a massive heart attack on Sunday. Only in his late forties, he'd apparently tip-toed on the precipice of eternity. The ICU nurses mentioned that when he'd arrived, it appeared to be a 90% chance-of-fatality case. The chaplain was called in, perhaps to counsel his wife. It was that dire.

He'd been camping and hiking on Saturday. He felt sufficiently lousy that by Sunday, he'd cut short his trip and headed home. In front of the computer on Sunday, relaxing, he suffered a massive heart-attack. When his wife called 9-1-1, apparently the paramedics were too busy watching Deadwood or were otherwise indisposed. Somehow, the gravity of the situation escaped them. So his wife gathered him up in the car and took him to a nearby hospital.

On two fronts, he was fortunate: his home is only a few miles away and the hospital in question is highly rated for cardiac care. He received, I think, a balloon and then a stent to open up the blockage and save his life.

I saw him today to bring him some mail and reading material. He is still in an ICU room, but is mobile. He's off most of the various tubes, contraptions and machines, and is talking about getting back home over the weekend. All in all, lucky and tough.

His episode reminded me of my Dad's heart attack nearly a decade ago. Put it this way, the heart history among the males in our family is decidedly lousy. For instance, my Dad's brother has survived a couple of heart attacks, the first in his forties. I found out recently that his son, my cousin, was also rushed to the hospital for an angioplasty. He's only in his mid-forties.

After my Dad's heart attack, which he thankfully survived, I completely changed my diet. My cholesterol was in the 220 range. Prior to that my weight was around 215. I was in the mode of heavy weightlifting and the commensurate mindset of carbo loading (described in excruciating detail in an earlier blog post).

I got my weight down to 178 while continuing to work out hard. A new diet was the key. Here's a pretty typical day:

Breakfast: All-Bran mixed with Kashi Protein Crunch cereal
Lunch: Can of chunk light tuna (hold the mercury, please!) in salt-free tomato sauce, heated up 90 seconds in microwave
Dinner: Salmon fillet served with sliced tomatoes garnished with Tuscan seasoning (my wife brought this stuff back from Italy... delicioso, if that's Italian). Couple of apples or a pineapple for dessert.

Tangent: I was checking out of the grocery store the other day and through utter coincidence had only two items: an extra-large box of All-Bran and a giant package of toilet paper. Now that's a tad embarrassing. Maybe I should have gone through the checkout twice to have avoided the stares. Nothing to see here, folks. Nothing at all.

A lot of my friends and colleagues do make fun of me for my odd diet.

Dessert? What's that? I haven't had a real dessert since my Dad's heart attack. Seriously. Actually, I have had one. We went on a cruise a while back. In the formal dining room, the Maitre'D ripped the menu out of my hands and said, "no, no... you don't eat from these desserts... I make you a special dessert." I guess he talked like Poppy on Seinfeld.

He brought us a bread pudding or something like that. My wife loved it. I forced myself to eat most of it. How could I refuse?

Everyone thinks I'm highly disciplined, but I'm not. The rich foods -- cookies, chocolates, pies, cakes -- don't appeal to me at all now. Maybe it's been so long that I've avoided them, that I no longer care.

Or, more likely, it's still this overriding fear of the family heart history. Every time I look at a piece of chocolate cake, I see the dripping, unprocessed fat... the ride to the emergency room... the nurses holding me down while someone rubs the electric paddles together and the surgeon yells "Clear!!". Yes, I'm a cheery dining partner.

If someone at the table gets served bread, I'll ask, "you do know that bread is the work of the devil?"

Or if someone asks me if I want some butter, I'll raise an eyebrow, "Butter? I didn't have an angiogram scheduled tomorrow..."

But now, after my colleague's episode, I'm really paranoid. I'm really going to watch what I eat now.

A bunch of us go to a fast-food restaurant from time to time. I used to order the Chicken Wrap, with no sauce and no cheese. Now I guess I'll order the Chicken Wrap, with no sauce, no cheese and no wrap.

Now my cholesterol is 170. My ratio is 2.5, which is in a very desirable range. I work out four to five times a week, twice on resistance training, twice on the heavy bag and floor-ceiling bag, with some elliptical training thrown on as an added bonus.

My food pyramid, above, breaks down the diet for you. Tomatoes are the key, you see, as the lycopene keeps your body's resistance high. I don't know if anyone else could or would want to follow this diet. I do know that it seems to be working for me. Every time you see some sweets, just imagine a bug crawling inside it. Maybe that'll cut down on the chocoholism.

On a more serious note: One thing I have learned from these events... it's easy to overlook some chest pain and try to 'gut it out'. My Dad did it. My colleague did it. It almost cost both their lives. If you're at any risk whatsoever and encounter chest pain, get it checked out, fast. Your family and friends don't want to attend a funeral. They'd rather be visiting you as you recuperate in the hospital.


Why email addresses shouldn't be login names...

The following news blurb highlights another reason publicly accessible web sites should let users log in with a personally chosen handle rather than an email address. The first reason, of course, is simple portability: what happens when the user's email address changes?

The technique described by News.com is used by phishers to profile users: they run a list of email addresses against the many web sites that use the email address as the login name, and whose registration or password-reminder pages reveal, by answering differently, whether a given address is on file.

The term for this attack? Hostile profiling.

In the technique described in the report, spammers and phishers automatically run thousands of e-mail addresses through Web site registration and password-reminder tools. Because many online businesses return a specific message when an e-mail address is registered with the site, attackers can find out whether that address represents a valid customer...

...By matching e-mail addresses with Web sites, cybercriminals can uncover the gender, sexual preference, political orientation, geographic location, hobbies and the online stores that have been used by the person behind an e-mail address...

News.com: Phishers get personal
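What the profiling in the story looks like on the wire, and what the fix is, as an added example that is not code from the News.com report or from this blog. The customer list, the outbox and the four site handlers (`reset_request_leaky`, `reset_request_uniform`, `register_leaky`, `register_uniform`) are constructed stand-ins for real registration and password-reminder pages; `confirms_account` is the attacker's test and `profile` runs it across several sites.

```python
"""Account-existence oracles ("hostile profiling") and the uniform-response
fix. Added example for this post, not code from the News.com story. The
user table, the outbox and the four site handlers are constructed here to
stand in for real registration and password-reminder pages."""
import secrets

USERS = {"alice@example.com", "bob@example.com"}   # constructed customer list
OUTBOX = []                                          # stands in for the mail relay


def reset_request_leaky(address):
    """Password-reminder handler whose reply depends on whether the address
    is on file. This is the response the article says phishers harvest."""
    if address in USERS:
        OUTBOX.append((address, "Your password reset link"))
        return "A reset link has been sent to your address."
    return "No account is registered under that e-mail address."


def reset_request_uniform(address):
    """Same workflow, but the web reply is identical either way; whether an
    account exists is disclosed only to whoever can read the mailbox."""
    if address in USERS:
        OUTBOX.append((address, "Your password reset link"))
    return "If an account exists for that address, a reset link has been sent."


def register_leaky(address):
    """Registration form that refuses duplicates with a telltale message."""
    if address in USERS:
        return "That e-mail address is already registered."
    USERS.add(address)
    return "Account created. Check your inbox to confirm."


def register_uniform(address):
    """Registration that answers the same way for known and unknown
    addresses: an existing holder is mailed a 'you already have an account'
    notice instead of a confirmation link, and the account is only created
    once the link is followed."""
    if address in USERS:
        OUTBOX.append((address, "You already have an account"))
    else:
        OUTBOX.append((address, "Confirm your registration"))
    return "Check your inbox to continue."


def confirms_account(handler, candidate):
    """The attacker's test: does the site answer differently for the
    candidate than for an address that cannot possibly be registered?
    (.invalid is a reserved TLD, so the canary has no account anywhere.)
    True means the site just confirmed the candidate is a customer."""
    canary = secrets.token_hex(8) + "@example.invalid"
    return handler(candidate) != handler(canary)


def profile(address, sites):
    """Run one address across several sites and report the ones that confirm
    it, which is the profiling the article describes. `sites` maps a label
    to that site's reset or registration handler."""
    return sorted(label for label, handler in sites.items()
                  if confirms_account(handler, address))
```

Calling `profile("alice@example.com", {"bank": reset_request_leaky, "shop": register_leaky, "forum": reset_request_uniform})` returns `["bank", "shop"]`: the two sites with differing replies have told a stranger that Alice is their customer, the uniform one has not. Two caveats for the uniform versions: the branch that really sends mail must not take measurably longer than the other (queue the message rather than sending it inside the request), and the endpoint should be rate-limited, since an attacker with a big list will hit it thousands of times. Note also that switching the login name to a handle only helps if the reset form stops accepting an email address as its lookup key; the root cause is the differing response, not the choice of identifier.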

Wednesday, May 25, 2005

Microsoft: It's okay to write your passwords down

Picture credit: http://www.primasia.com
The senior program manager for security policy at Microsoft, Jesper Johansson, has some pragmatic advice. He recently told attendees of an AusCERT conference that it's okay for companies to let employees write their passwords down.

"I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."

According to Johansson, reusing the same password everywhere reduces overall security.

"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it," Johansson said. "If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.

Just don't tape them to your monitor, okay?

Microsoft security guru: Jot down your passwords

Tuesday, May 24, 2005

Okrent's Startling Admission

Picture credit: http://www.thevillager.com
The indispensable Powerline notes the following back-biting by the Times' Daniel Okrent as he exits, stage left:

Daniel Okrent is stepping down as "public editor" of the New York Times. He seems like a pretty good guy; after all, he apparently invented rotisserie league fantasy baseball. (My team has tailed off after a red-hot start.) In his farewell column, he itemizes "13 Things I Meant to Write About but Never Did". The most interesting is number two:

Op-Ed columnist Paul Krugman has the disturbing habit of shaping, slicing and selectively citing numbers in a fashion that pleases his acolytes but leaves him open to substantive assaults. Maureen Dowd was still writing that Alberto R. Gonzales "called the Geneva Conventions 'quaint' " nearly two months after a correction in the news pages noted that Gonzales had specifically applied the term to Geneva provisions about commissary privileges, athletic uniforms and scientific instruments. Before his retirement in January, William Safire vexed me with his chronic assertion of clear links between Al Qaeda and Saddam Hussein, based on evidence only he seemed to possess.

No one deserves the personal vituperation that regularly comes Dowd's way, and some of Krugman's enemies are every bit as ideological (and consequently unfair) as he is. But that doesn't mean that their boss, publisher Arthur O. Sulzberger Jr., shouldn't hold his columnists to higher standards.

I didn't give Krugman, Dowd or Safire the chance to respond before writing the last two paragraphs. I decided to impersonate an opinion columnist.

He's wrong about Safire, of course; there were amply documented links between Saddam's Iraq and al Qaeda and other terrorist groups, which we've written about many times. The interesting one, to me, is Okrent's comment about Krugman, which suggests that Krugman may be as insufferable in the flesh as he is in print.

Powerline: A Startling Admission

The Smug Delusion of Base Expectations

The National Review's Andrew McCarthy weighs in on the victimhood of Newsweek in the aftermath of the rioting:

I inhabit a world in which my government seeks accommodation with Saudi Arabia and China and Egypt, places where the practice of Christianity results in imprisonment... or worse; in which Jews have been driven from almost every country in the Middle East, and in which the goal of destroying their country, Israel, is viewed by much of the globe as legitimate foreign policy; and in which being a Christian, an animist, or the wrong kind of Muslim in Sudan is grounds for genocide - something the vaunted United Nations seems to regard as more of a spectator sport than a cause of action.

In my world, militant Muslims, capitalizing on the respectful deference of others, have been known tactically to desecrate the Koran themselves: by rigging it with explosives, by using it to secrete and convey terrorist messages, and, yes, even by toilet-flushing parts of it for the nuisance value of flooding the bathrooms at Guantanamo Bay. Just as they have used mosques as sanctuaries, as weapons depots, and as snipers' nests.

There's a problem here. But it's not insensitivity, and it's not media bias. Those things are condemnable, but manageable. The real problem here is a culture that either cannot or will not rein in a hate ideology that fuels killing. When we go after Newsweek, we're giving it a pass. Again.

Andrew McCarthy: The Smug Delusion of Base Expectations

Confirm John Bolton

Picture credit: http://defensa.com/
Ever wondered what John Bolton did that so energized the Democrats in their opposition to his appointment? Frank Gaffney, Jr. explains:

When John Bolton sought in early 2002 to give a speech that addressed, among other things, the capability for offensive biological weapons inherent in Cuba’s advanced biotech industry, he did it by the book. Since the draft speech drew on available intelligence, his office – represented by a staffer, Fred Fleitz, who is himself a career CIA analyst – sought Intelligence Community clearance.

Although intelligence did indeed support Mr. Bolton’s proposed statement, as Thomas Fingar, then-Deputy Assistant Secretary of State for Intelligence and Research (INR) put it: “[INR analyst Christian Westermann] tried to flag to Fred where he thought the draft was going beyond the IC consensus as conveyed in a DIA-led briefing on the Hill.”

Westermann then proceeded – in a manner the Foreign Relations Committee record confirms Mr. Fingar and two of Westermann’s other INR supervisors agreed was improper – to try to sabotage clearance of the Bolton speech by the Intelligence Community. When confronted with evidence he had done so, Westermann lied to Mr. Bolton. The result was that Bolton understandably felt he could not trust the analyst, a sentiment he conveyed to Westermann’s ultimate boss, Assistant Secretary of State Carl Ford.

As part of a scathing personal attack on Mr. Bolton, Ford testified to the Committee that he had “the impression that I had been asked to fire the analyst.” But under questioning he was unable to say that was what Bolton actually asked for. And two of his subordinates explicitly told the Committee that Bolton had not sought to have Westermann fired, simply given other duties.

Mr. Ford might have ascertained this to be the case had he bothered to make inquiries. He told the Committee, however, that he had not done so. And, in any event, Westermann’s immediate supervisor testified that he was “not aware” of Mr. Bolton’s response to the analyst’s misconduct making people in INR “antsy” about working with Sec. Bolton. So much for the latter’s purported “chilling effect” on intelligence with which he disagreed and those who generated it.

A second analyst, the then-National Intelligence Officer for Latin America, Fulton Armstrong, similarly earned Mr. Bolton’s ire when he took it upon himself to disparage the Under Secretary of State in a meeting with three Senators shortly after the Cuba speech was given. Armstrong asserted that Mr. Bolton had not properly cleared the speech within the Intelligence Community. The Foreign Relations Committee has established, however, that this claim was untrue, a fact documented by a coordination sheet properly signed off on by every relevant agency and by Carl Ford’s testimony.

Perhaps if Voinovich had found time to attend one of the sixteen committee meetings he missed, he'd have heard this firsthand.

And if this is the best that partisan shills like Trudy Rubin can come up with, the ramifications are crystal clear: Confirm Bolton.

Confirm Bolton

Monday, May 23, 2005

Trey Jackson's must-see videos

Trey Jackson, video-blogger extraordinaire, has assembled an incredible collection of videos on his site. Here are three of the best. Watch 'em. I laughed. I cried. They changed my life.

Video: Laura Bush steals the show at the White House Correspondents' Dinner

Video: Maureen Dowd; a Moonbat visits Meet the Press

Video: The Daily Show - How to be a New Journalist, with Jay Rosen

Sunday, May 22, 2005

Al Qaeda's Bio-weapon Plans

Picture credit: http://news.bbc.co.uk/
For the life of me, I cannot figure out why there hasn't been more mainstream media coverage of Al Qaeda's recently FOIA-outed anthrax plot. Here's a bioterrorism effort that threatened the U.S. civilian population. And, by and large, the mainstream media hasn't found the time to cover it in any depth.

Yes, Eric Lipton had a brief Times article entitled, "Qaeda Letters Are Said to Show Pre-9/11 Anthrax Plans".

But a Google News search reveals an amazing paucity of coverage. How vulnerable is the U.S. to bioterror? How close did AQ come to weaponizing anthrax? Are other terrorist outfits the beneficiaries of their research, or did the war in Afghanistan terminate the plot (with extreme prejudice)?

These and other questions are the sort of thing the clods at Newsweek should be covering... but aren't. Of course, that would require them to actually do the research required of a real story, not a "fake but accurate" one.

And such a story might also involve casting the U.S. military in a positive light, which doesn't appear to be any part of their everyday agenda.

Al Qaeda operatives in Afghanistan began to assemble the equipment necessary to build a rudimentary biological weapons laboratory before the Sept. 11, 2001, attacks, letters released by the Defense Department show...

The letters, recently made public as a result of a Freedom of Information Act request, detail a visit by an unnamed Qaeda scientist to a laboratory at an unspecified location where he was shown "a special confidential room" with thousands of samples of biological substances.

The scientist tried to buy anthrax vaccines, which would be necessary to protect any Qaeda members working with the material. He also bought a sterilizer, a respirator and an air-contamination detector, one letter said.

"The conference was found to be highly beneficial for our future work," the letter said. "I finalized all the accessories required for the smooth running of our bioreactor."

Qaeda Letters Are Said to Show Pre-9/11 Anthrax Plans

Update: speaking of newsweek (little "n"), Charles at LGF points us to this nearly unbelievable story on Newsweek's international edition. You won't believe the anti-U.S. tripe they're spewing abroad, all the while covering hard news like "Oscar Confidential" here at home. It's hard to imagine a more two-faced, anti-American stance.

Cross-site scripting (XSS) Cheat Sheet

Picture credit: http://tuxick.net
The ha.ckers.org site has a great compendium of cross-site scripting hacks. Who ever said the information security business was easy?

If you're unfamiliar with cross-site scripting, in a nutshell: it's a flaw in a web application that lets an attacker get script of his choosing to run in another user's browser, with that site's privileges, because the application copied untrusted input into a page without encoding it. XSS can be used for many nefarious purposes, but cookie theft is the best-known: the injected script reads document.cookie and ships it off to a server the attacker controls.

How can an evil-doer use someone else's cookie? It depends upon the server that issued the cookie. Since the cookie is usually the session identifier, the attacker's browser is simply treated as the victim's logged-in session: it might be possible to hijack an innocent user's shopping cart, complete with credit-card info already stored on the server. The malicious user could add items to the cart and receive the purchased items, for instance. (Marking the session cookie HttpOnly keeps it out of document.cookie in browsers that honor the flag, but injected script can still act as the user from inside the page.)

If you've got a complex web application, protecting against all possible XSS hacks is no easy business, and the cheat sheet is exactly why filtering out "bad" input doesn't work: there are more encodings and tag variants than any blacklist will anticipate. It's like trying to avoid moisture during monsoon season. What does work is encoding every piece of untrusted data for the context it is written into (HTML body, attribute, JavaScript string, URL), so the browser never gets the chance to interpret it as markup.

Want to check out a wide variety of XSS hacks? If you're a web developer, it will be a sobering experience.

XSS cheatsheet, Esp: for filter evasion
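To show what the cheat sheet is up against, here is an added example, mine rather than code from ha.ckers.org or from this blog, of a typical home-grown blacklist filter beside the output-encoding approach, run against a few constructed payloads in the style of the cheat sheet's filter-evasion entries. `blacklist_filter`, `render_unsafe`, `render_safe` and the `ActiveContentDetector` are all assumptions for illustration; the detector only approximates what a browser would execute, which is enough to compare the two renderers.

```python
"""Blacklist filtering versus output encoding against filter-evasion
payloads. Added example for this post; the filter, the page fragment and
the payloads are constructed here, not taken from ha.ckers.org."""
import html
import re
from html.parser import HTMLParser


def blacklist_filter(untrusted):
    """A typical home-grown 'XSS filter': strip the two tokens the
    developer has heard of, case-insensitively, in a single pass."""
    cleaned = re.sub(r"<script>", "", untrusted, flags=re.IGNORECASE)
    cleaned = re.sub(r"javascript:", "", cleaned, flags=re.IGNORECASE)
    return cleaned


def render_unsafe(comment):
    """The vulnerable way: filtered text pasted raw into the HTML body."""
    return '<div class="comment">' + blacklist_filter(comment) + "</div>"


def render_safe(comment):
    """The right way for an HTML text context: every character HTML can
    interpret (< > & " ') becomes an entity, so the browser renders the
    payload as text instead of parsing it as markup."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


class ActiveContentDetector(HTMLParser):
    """Approximates what a browser would execute in a fragment: script
    elements, on* event-handler attributes, and href/src values whose
    scheme is javascript: once entities are decoded and the whitespace
    browsers ignore inside a scheme is removed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag} {name}= handler")
            elif name in ("href", "src") and value is not None:
                if re.sub(r"\s", "", value).lower().startswith("javascript:"):
                    self.findings.append(f"{tag} {name}=javascript: URL")


def active_content(fragment):
    """Return the list of executable constructs found in an HTML fragment."""
    detector = ActiveContentDetector()
    detector.feed(fragment)
    detector.close()
    return detector.findings


# Constructed payloads in the style of the cheat sheet's filter-evasion section.
PAYLOADS = [
    "<scr<script>ipt>alert(document.cookie)</script>",   # rebuilt by one-pass removal
    "<img src=x onerror=alert(document.cookie)>",        # needs neither token
    '<a href="jav&#x09;ascript:alert(1)">click</a>',     # entity splits the scheme
    "<IMG SRC=JaVaScRiPt:alert('XSS')>",                 # the one case the filter catches
]


def compare(payloads=PAYLOADS):
    """For each payload: what survives the blacklist, and what survives encoding."""
    return [(p, active_content(render_unsafe(p)), active_content(render_safe(p)))
            for p in payloads]


if __name__ == "__main__":
    for payload, after_filter, after_encoding in compare():
        print(f"{payload!r}\n  blacklist: {after_filter}\n  encoding:  {after_encoding}")
```

Three of the four payloads come through the blacklist intact or, in the first case, are assembled by it (removing the inner `<script>` leaves a well-formed `<script>` behind); the encoded output carries no executable construct for any of them. `html.escape` is correct only for data written into HTML text or a quoted attribute; data landing inside a JavaScript string, a URL or a CSS value needs that context's encoding instead, and a cookie flagged HttpOnly is out of reach of the `document.cookie` read the first two payloads attempt, though not of the rest of what injected script can do.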

Friday, May 20, 2005

Irony, thy name is IBM

Picture credit: http://www.inthesetimes.com/
IBM and North Carolina's Research Triangle Park are whining and moaning about the paucity of students entering computer science.

With a critical shortage of [IT] workers projected in the coming years, it's crucial that [universities] attract top students to the field, a local IBM official said...

Irony, thy name is IBM. Allow me to quote from another article, dated May 19th:

IBM's headcount in India is inching closer to the 25,000 mark as the Big Blue has ramped up its operations aggressively over the last few quarters. IBM increased its India employee base to 23,000 as of end-2004 compared to 9,000 at end-2003, a growth of some 150 per cent, said Shanker Annaswamy, Managing Director, IBM India...

Gee, I wonder if IBM's Everest-sized outsourcing effort has dampened the enthusiasm of any would-be computer science majors? Or whether IBM's recent announcement that they'd be slashing 10,000 or so jobs has had an impact?

Gina Poole, vice president of IBM's Academic Initiative, told about 120 university educators that an additional 2.2 million people will be needed in information technology-related professions by 2010. "A lot of today's students will be filling those needs," Poole said. "The demand is building up, but the supply isn't building up fast enough."

Hey, Gina: do you think IBM could take the time to clearly outline some career paths for Computer Science grads in the age of low-cost IT labor?

I perfectly understand the need to source from the lowest-cost provider able to meet IT's requirements. That's called "capitalism". We all need to accept that. What I don't understand are IT firms constantly harping on a C.S. talent shortage while shipping jobs overseas faster than Ben Johnson on Dianabol.

If these firms expect to attract beautiful minds to the computer science world, they better enunciate a career path: how the best and brightest Americans can coexist with cheaper, foreign talent.

Look, I'm a fortunate guy. I was weaned on real-time, Intel assembly code, moved on to mass-market consumer software products, and then migrated to large-scale enterprise IT and eBusiness. I worked for and with some of the smartest folks on the planet at places like Procter & Gamble.

But I also had to create my own Computer Science career path, with no guidance whatsoever. It's a lot to ask a 19 year-old, picking a major, to go into a field where ostensible competitors may be earning $12,000 a year.

And, not to be maudlin, but it's also a national security issue. Information processing and information security will be two of the most strategic areas for the U.S. as it meets the challenges of the 21st century.

But it would behoove both industry and academia to explain just how C.S. graduates can coexist with labor dredged from the lowest-cost pools on the planet.

My oldest daughter is preparing for college. In the tenth grade, she scored something around a 1350 on the SAT's (old scoring - out of 1600), with no practice whatsoever. She's stubborn, brilliant, and a logical thinker. I'm recommending she consider law school.

Herald-Sun: IBM, colleges: More top students needed

Thursday, May 19, 2005

Preventing Surprise Attacks

The crew at Powerline noted Richard Posner's book, "Preventing Surprise Attacks." If you're at all concerned with the ramifications of the 9/11 Report and the subsequent rush to reorganize the intelligence community, it appears chock full of valuable insights.

Reviewers have pointed to its astounding clarity. Shouldn't the commission have studied other surprise attacks before coming to a variety of sweeping conclusions, including centralization of the U.S. intelligence apparatus?

For example, the Arab nations surprised Israel in the Yom Kippur War. An Israeli commission determined, after the fact, that the reason for the surprise was lack of decentralization in its intelligence services. The 9/11 Commission, on the other hand, determined the surprise of 9/11 was due to not enough centralization. The fact that there are divergent views on this matter is not surprising. What is surprising is that the 9/11 Commission failed to even investigate them.

In other words, Posner recognizes that the Commission's study was superficial and its organizational emphasis weak.

The commission, followed by Congress, exaggerated the benefits of centralizing control over intelligence; neglected the relevant scholarship dealing with surprise attacks, organization theory, the principles of intelligence, and the experience of foreign nations, some of which have a longer history of fighting terrorism than the United States; and as a result ignored the psychological, economic, historical, sociological, and comparative dimensions of the issue of intelligence reform.

Luckily, Posner posits, all is not lost. One outcome of the inevitable politicking related to intelligence reform: the actual reorganization parameters were left vacuous and vague, leaving it up to the President to shape any new intelligence structure.

Richard Posner: Preventing Surprise Attacks

Reaction: The Deadly Newsweek Riots

Picture credit: http://www.jimcarreyonline.com
Herein a collection of reactions to the Newsweek Riots. But first, it's worth noting the pronounced 'circle the wagons' effect we're seeing. Former Time Magazine bureau chief Margaret Carlson is simply the latest (ABC and CNN included) of those defending a horrid practice in her latest offering: "Newsweek Blunder Doesn't Absolve White House". Yes, I'm sure it's all the administration's fault... or perhaps Karl Rove is behind the curtain...

When ace reporter Michael Isikoff had the scoop of the decade, a thoroughly sourced story about the president of the United States having an affair with an intern and then pressuring her to lie about it under oath, Newsweek decided not to run the story. Matt Drudge scooped Newsweek, followed by The Washington Post.

When Isikoff had a detailed account of Kathleen Willey's nasty sexual encounter with the president in the Oval Office, backed up with eyewitness and documentary evidence, Newsweek decided not to run it. Again, Matt Drudge got the story...

...Why no pause for reflection when Isikoff had a story about American interrogators at Guantanamo flushing the Quran down the toilet?


First, we all can agree that flushing a Koran down a toilet, if physically possible, would be both insensitive and rude, though Westerners generally have a higher tolerance threshold for such offenses. Put it this way: You could flush a Bible down the toilet in front of Goober in Kabul, and it's unlikely that Mayberry suddenly would be awash in blood.


Back in November 2003, Newsweek complained in a cover story that Vice President Dick Cheney "bought into shady assumptions" leading into the Iraq war, partly because of his "dire view of the terrorist threat." In its Koran story, Newsweek itself bought into shady assumptions, partly because of the media's dire view of the U.S. military. And so the media party continues its decline.


If the forged documents at CBS and the phony story at Newsweek were just isolated mistakes, that would be one thing... [this week's ceremony honoring] Dan Rather makes it easier for the public to see that the forged documents and the fake story were not just odd things that happened to a couple of people but were symptomatic of a mindset...

Someone referred to the story about George Bush's National Guard service as "too good to check." ... That is almost certainly what happened with the story about Americans flushing the Koran down the toilet at the Guantanamo prison.

...All this goes back to a more fundamental problem with the mainstream media. Too many journalists see their work as an opportunity to promote their own pet political notions, rather than a responsibility to inform the public and let their readers and viewers decide for themselves.


How many eerie parallels are there between the CBS scandal and the Newsweek scandal?

1. Both stories caused liberal media types to hunt for years to prove the urban legends dear to the hearts of the Bush-bashers...
2. Both stories relied on a single anonymous source. In CBS's case, he was "unimpeachable"; in Newsweek's, "reliable." ...
3. Both outlets made comical claims about their professionalism in a time of crisis...
4. Both stories were incorrectly declared to be "confirmed" by outside sources...
5. In both cases, the story, left unchallenged, would prove highly damaging to the Bush administration...
6. When both stories crumbled, the media outlets were initially reluctant to retract anything...
7. But even after the official retraction, the spin control continued. Dan Rather continued to insist, and other reporters followed suit, that while the documents may have been fabricated, the National Guard story was true. Newsweek's liberal media friends united around the theme that Newsweek will be proven right, that Koran-flushing was not "beyond the realm of possibility," as CNN's Anderson Cooper put it. On "Nightline," ABC's John Donvan intoned, "What really goes on at Guantanamo Bay, no one really knows."...


The nature of the war -- a battle against faceless terrorism instead of enemy armies -- changes the nature of the job. The same for the seeming inexhaustibility of the present enemy. On and on this enterprise goes; where it stops, nobody knows.

Factor all that into the equation and still excuses aren't possible for a media establishment that displays, through what it tells and what it omits to tell, its dark suspicions of the policy to which its country has committed itself.

So Newsweek "regrets" having gotten "part" of its Guantanamo story wrong! It's a start, no doubt. But, oh, the cost of it in terms we haven't begun to tote up.


Wednesday, May 18, 2005

Breaking Down another Phishing Scam

(Picture credit http://www.bbc.co.uk)
Here's another phishing scam-mail I just received. Let's break it down in a manner reminiscent of Genghis Khan (or, at the very least, like an earlier blog entry).

I received an email from "Associated Bank, NA" with the subject heading "Account Notification". Let's take a look at the email source, which you can also view in your own email client by using "Show original message", "View Source", or similar means. I've abridged the email slightly for readability, but what you see here is essentially what I received.

From: "Associated Bank, N.A" <alerts@associatedbank.com>
To: xxx@att.net
Subject: Account Notification
Date: Wed, 18 May 2005 14:54:17 +0000

Well, this looks... okay. So far, so good.

Received: from 12-222-1-154.client.insightBB.com ([])
by worldnet.att.net (mtiwmxc18) with SMTP
id <2005051814541701800592k0e>; Wed, 18 May 2005 14:54:17 +0000
X-Originating-IP: [] ...
Received: from pfjklc (xg39.plumb-crazy.co.za [])
by web2.plumb-crazy.co.za id <7BAFU4-096Ni4-00>
Wed, 18 May 2005 16:55:54 +0100
Received: from ISXU-74-951-325-210.plumb-crazy.co.za (localhost.localdomain []) by creole.plumb-crazy.co.za with Internet Mail Service (5.5.2657.72)
id <5Y9H11976I>; Wed, 18 May 2005 14:49:54 -0100
Message-ID: <20053669421256.81294.web@me18.zkw.plumb-crazy.co.za>
Date: Wed, 18 May 2005 17:53:54 +0200
From: "Associated Bank, N.A" <alerts@associatedbank.com>
To: xxx@att.net
Subject: Account Notification
MIME-version: 1.0

Hmmm... I wonder why Associated Bank is routing messages through a South African mail server owned by the domain "plumb-crazy"? Read the Received lines from the top down. The first one was written by my own provider, worldnet.att.net, and it says the message arrived straight from a cable-modem client at insightBB.com, not from any bank. Everything below that line was already inside the message when it arrived, so the plumb-crazy.co.za hops are whatever the sender chose to write, and they give themselves away: converted to UTC they claim 15:55 and 15:49, both later than the 14:54 at which att.net had already accepted the message (the Date header, 17:53 +0200, is 15:53 UTC and just as impossible). A relay cannot handle a message before it was sent.

Hey, wait just a minute, mister... you can't fool me...

This is a multi-part message in MIME format.

Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

WASHINGTON - Hiring around the country picked up briskly in April, with employers boosting payrolls by 274,000 and raising hopes of better days ahead for jobseekers and the economy as a whole. The unemployment rate held steady at 5.2 percent. The latest snapshot of the nation's...

This is the first part of the message, the text/plain alternative, which a mail client that displays HTML will never show and which we were never intended to see. It serves one purpose alone: to defeat spam filters. Padding the message with a legitimate news article gives a word-frequency (Bayesian) filter plenty of ordinary text to weigh against the phishing pitch in the HTML part that follows.

Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

...<p>Online Customer,
<p>To protect the safety of your access, employs some of the most advanced security online systems in the world and our anti-fraud teams regularly scan the Bank system for fraud activity.Associated Bank, NA, is committed to maintaining a safe environment for our online customers. %</p><p>In accordance with Associated Bancorp's Customer Agreement and to guarantee that your account hasn't been compromised, internet access to your savings account was limited. Your account access will remain limited until this problem has been resolved. Customer Support are remind you that on May 18, 2005 our Account Review Team identified some unusual activity in your account. Account Support recommend you to log in and perform the steps requisite to return your account access as soon as possible. Allowing your online access to remain blocked for a long period of time may effect in further restrictions on the use of your Debit Card account and possible account closure.<p><a id="MALL" href="http://www.graphicjester.com/redir.html"></a></p><div><a href="https://rolb.associatedbank.com/SITE/welcomeie.asp"><table><caption><a href="https://rolb.associatedbank.com/SITE/welcomeie.asp"><label for="MALL"><u style="cursor: pointer; color: blue">https://rolb.associatedbank.com/SITE/</u></label></a></caption></table></a></div></p>
<p>Please understand that this is a safety measure meant to help protect you and your Debit Card account. Thank you for your attention to this problem. Review Team apologize for any inconvenience.</p>
<p>Best regards,</p>
<p>Associated Bancorp, Banking Support</p>

Hmmm... there's a link to a site called "graphicjester.com"? Hey, wait a minute...... Look at how it's wired up. The graphicjester.com anchor has no visible text at all, only id="MALL". The bank address the reader sees is wrapped in a <label for="MALL">, and a label's click is forwarded to the element with that id. The apparent intent is that, in a browser that forwards a label click to an anchor, clicking what looks like a link to rolb.associatedbank.com goes to graphicjester.com/redir.html instead, while the honest-looking nested anchor is what shows in the status bar. Either way, the rule holds: judge a link by its href, never by its text.

Hopefully that helps you understand how to analyze phishing emails and to detect their attempts to grab your private data.
With more publicity like this, maybe phishing emails will become as common as Dolph Lundgren sightings at the Oscars.
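The two checks walked through above, the Received-header chronology and the link targets versus the claimed sender, as an added example that is my own triage script, not the blog author's. `SAMPLE` is constructed from the headers and HTML quoted in this post (the IP addresses the post leaves blank are left blank here too, and the pitch text is abridged); `received_hops`, `impossible_hops`, `foreign_link_hosts` and `triage` are names assumed for illustration.

```python
"""Triage a suspected phishing e-mail: does the Received chain make sense,
and where do the links really point? Added example for this post, not the
blog author's tooling. SAMPLE is constructed from the headers and HTML
quoted in the post; IP addresses the post leaves blank stay blank."""
import email
import re
from datetime import timedelta, timezone
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE = """\
Received: from 12-222-1-154.client.insightBB.com ([])
    by worldnet.att.net (mtiwmxc18) with SMTP
    id <2005051814541701800592k0e>; Wed, 18 May 2005 14:54:17 +0000
Received: from pfjklc (xg39.plumb-crazy.co.za [])
    by web2.plumb-crazy.co.za id <7BAFU4-096Ni4-00>
    Wed, 18 May 2005 16:55:54 +0100
Received: from ISXU-74-951-325-210.plumb-crazy.co.za (localhost.localdomain [])
    by creole.plumb-crazy.co.za with Internet Mail Service (5.5.2657.72)
    id <5Y9H11976I>; Wed, 18 May 2005 14:49:54 -0100
Date: Wed, 18 May 2005 17:53:54 +0200
From: "Associated Bank, N.A" <alerts@associatedbank.com>
To: xxx@att.net
Subject: Account Notification
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"

<p>Online Customer, internet access to your savings account was limited.</p>
<p><a id="MALL" href="http://www.graphicjester.com/redir.html"></a></p>
<div><a href="https://rolb.associatedbank.com/SITE/welcomeie.asp"><table><caption>
<a href="https://rolb.associatedbank.com/SITE/welcomeie.asp"><label for="MALL">
<u style="cursor: pointer; color: blue">https://rolb.associatedbank.com/SITE/</u>
</label></a></caption></table></a></div>
"""

DATE_RE = re.compile(r"\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}")


def load(raw):
    return email.message_from_string(raw, policy=policy.default)


def received_hops(msg):
    """[(from_host, by_host, utc_time)] in header order. The first entry was
    written by the last server to handle the message (your own provider);
    the rest were already inside the message and are only as trustworthy
    as whoever handed it over."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(str(raw).split())            # unfold, squeeze whitespace
        m_from = re.search(r"\bfrom (\S+)", text)
        m_by = re.search(r"\bby (\S+)", text)
        dates = DATE_RE.findall(text)
        stamp = parsedate_to_datetime(dates[-1]).astimezone(timezone.utc) if dates else None
        hops.append((m_from.group(1) if m_from else "?", m_by.group(1) if m_by else "?", stamp))
    return hops


def impossible_hops(hops, skew=timedelta(minutes=5)):
    """Indices of hops claiming a time later than a server above them had
    already accepted the message (allowing `skew` of clock drift). Received
    lines are prepended as mail travels, so such a hop cannot be genuine."""
    bad, earliest_above = [], None
    for i, (_, _, stamp) in enumerate(hops):
        if stamp is None:
            continue
        if earliest_above is not None and stamp > earliest_above + skew:
            bad.append(i)
        earliest_above = stamp if earliest_above is None else min(earliest_above, stamp)
    return bad


class LinkCollector(HTMLParser):
    """Collects every anchor href in the HTML part."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def foreign_link_hosts(msg):
    """Linked hosts that are neither the claimed sender's domain nor a
    subdomain of it: where a click may really go."""
    sender_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    foreign = []
    for href in collector.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            if host not in foreign:
                foreign.append(host)
    return foreign


def triage(raw):
    msg = load(raw)
    hops = received_hops(msg)
    date = msg["Date"].datetime if msg["Date"] else None
    return {
        "handed_to_provider_by": hops[0][0] if hops else None,
        "impossible_hops": impossible_hops(hops),
        "date_after_delivery": bool(date and hops and hops[0][2] and date > hops[0][2]),
        "foreign_link_hosts": foreign_link_hosts(msg),
    }
```

`triage(SAMPLE)` reports that the message was handed to att.net by `12-222-1-154.client.insightBB.com`, that hops 1 and 2 (the plumb-crazy.co.za lines) carry impossible timestamps, that the Date header postdates delivery, and that the only host linked outside associatedbank.com is `www.graphicjester.com`. Only the topmost Received line is written by a server you have reason to trust; treat every line beneath it, and the From header, as sender-supplied text.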

Weapons in Space

Picture credit: http://www.fantastic-plastic.com
The Gray Lady reports that the Air Force is seeking President Bush's approval of a national security directive that would permit deployment of space-based weapons.

The proposed change would be a substantial shift in American policy. It would almost certainly be opposed by many American allies and potential enemies, who have said it may create an arms race in space.

These are probably the same people who opposed Reagan's plans in the eighties. Don't these people read history books? Actually, it would help circumvent an arms race in space just as Ronald Reagan's massive commitment to defense spending, and SDI in particular, ended the Cold War.

Any deployment of space weapons would face financial, technological, political and diplomatic hurdles, although no treaty or law bans Washington from putting weapons in space, barring weapons of mass destruction.

Let me guess what that means: the U.N. will oppose it. All the more reason to send John Bolton to Kofiville.

The focus of the process is not putting weapons in space," said Maj. Karen Finn, an Air Force spokeswoman, who said that the White House, not the Air Force, makes national policy. "The focus is having free access in space."

Exactly. Should we have abstained from developing nuclear weapons during World War II for fear of inciting a nuclear arms race with the Nazis? The United States is the greatest country on the face of the earth, inherently and provably peaceful, and it is imperative that we stay ahead of those whose intentions are opaque.

With little public debate, the Pentagon has already spent billions of dollars developing space weapons and preparing plans to deploy them.

The point being: this effort is probably underway.

The Air Force believes "we must establish and maintain space superiority," Gen. Lance Lord, who leads the Air Force Space Command, told Congress recently. "Simply put, it's the American way of fighting." Air Force doctrine defines space superiority as "freedom to attack as well as freedom from attack" in space.

Exactly. If we can't ensure the safety of our space-based platforms (e.g., satellite reconnaissance), we place ourselves at the mercy of those who might blind us during hostilities.

A new Air Force strategy, Global Strike, calls for a military space plane carrying precision-guided weapons armed with a half-ton of munitions. General Lord told Congress last month that Global Strike would be "an incredible capability" to destroy command centers or missile bases "anywhere in the world..."

...In April, the Air Force launched the XSS-11, an experimental microsatellite with the technical ability to disrupt other nations' military reconnaissance and communications satellites.

Another Air Force space program, nicknamed Rods From God, aims to hurl cylinders of tungsten, titanium or uranium from the edge of space to destroy targets on the ground, striking at speeds of about 7,200 miles an hour with the force of a small nuclear weapon.

A third program would bounce laser beams off mirrors hung from space satellites or huge high-altitude blimps, redirecting the lethal rays down to targets around the world. A fourth seeks to turn radio waves into weapons whose powers could range "from tap on the shoulder to toast," in the words of an Air Force plan.

That's what I'm talking about.

Senior military and space officials of the European Union, Canada, China and Russia have objected publicly to the notion of American space superiority.

They think that "the United States doesn't own space - nobody owns space," said Teresa Hitchens, vice president of the Center for Defense Information, a policy analysis group in Washington that tends to be critical of the Pentagon. "Space is a global commons under international treaty and international law."

Fine. But until you get the U.N.'s Space Police patrolling up there, we'll take responsibility for maintaining order.

No nation will "accept the U.S. developing something they see as the death star," Ms. Hitchens told a Council on Foreign Relations meeting last month. "I don't think the United States would find it very comforting if China were to develop a death star, a 24/7 on-orbit weapon that could strike at targets on the ground anywhere in 90 minutes."

Better the U.S. with a death star... than China. That much is certain.

NY Times: Air Force Seeks Bush's Approval for Space Weapons Programs

Tuesday, May 17, 2005

When Outsourcing Makes Sense

(Picture credit http://www.mirasoft.com.ua)
Here's an example of a situation where it makes perfect sense to outsource. Consider the criteria and guess who I'm describing:

  • when the quality of the product is already exceedingly low

  • when the outsourcers can't help but do as well as (or better than) internal staff

  • when customer expectations have already sunk to Marianas Trench-level depths

Yes, of course, I'm talking about Reuters! Or, rather, Al Reuters is the term they prefer, I believe. In any event, their unionized employees are ramping up a campaign against the outsourcing of U.S. jobs:

...To support their position that outsourcing undermines the quality of Reuters' journalism, union activists point to a string of high-profile errors, most originating from a small newsroom set up last year in Bangalore, India. The errors include misidentification of the Polish city of Krakow as being in Portugal and saying Army Reservist Lynndie England, who was involved in the prisoner abuse scandal in Iraq, was commander of her unit rather than a private...

The entire concept of 'undermining the quality of Reuters' journalism' seems like an oxymoron. If an outfit reports stories like a fabricated holy-book-flushing incident or John Kerry's re-energized 2008 Presidential campaign... well, hey, we all make misstakes [sic] sometimes!

Truthfully it all sounds pretty much par for the course for Al Reuters - I really don't see the problem here, do you? Given that the whole MSM has outsourced much of their fact-checking work to the blogosphere, does this really come as a surprise?

Perhaps Dan Rather, Eason Jordan, and -- soon, perhaps -- Michael Isikoff could comment on the news outsourcing trend from their perspective.

Newsday: Union protests over Outsourced News

Big Business Turns its Back on Outsourcing

Picture credit: http://cpsu.org.au
From Silicon.com's management pages comes this interesting rehash of a Deloitte Consulting report on outsourcing. Bottom line: the companies that jumped on the outsourcing bandwagon first are now the fastest to jump off the wagon.

The interesting aspect, of course, is the cost-savings factor that never materialized. And why would businesses generally not save any money outsourcing?

Consider the geographic, language and time disconnects between business customers and development teams. With those disconnects in place, you'd better have world-class business analysts, architects, and project managers acting as liaisons. And we all know how prevalent those folks are. They're about as common as $150K starter homes in Beverly Hills, California.

More than two thirds of respondents to the Deloitte survey said they have had "significant" negative experiences with outsourcing projects.

One in four participants have brought operations back in-house after realising that they could be provided better – and in some cases at a lower cost – internally.

Cost savings expected from outsourcing did not materialise for 44 per cent of respondents, and nearly two out of three ended up paying for services they thought were included in the contracts with vendors...

Silicon: Big Businesses Turn Their Backs on Outsourcing

.NET Pros and Cons

Picture credit: Amazon UK
Tim Anderson's IT writing site has an interesting discussion board that lists .NET pros and cons. I've summarized some of the topics, below, to give a sense of the broad discussion areas. Of course, the fact that it's running on a PHP-based forum sends some sort of message...

For: No-touch/Click-once deployment
Against: The Microsoft factor
For: Code access security
Against: Executables easily decompiled
For: Supports multiple languages
Against: GUI applications are slow
For: Linux support with Mono
Against: Large runtime needed
For: Easy component sharing
Against: Memory usage is huge

.NET Pros and Cons

Monday, May 16, 2005

The Iterative Phishing Scam

(Picture credit Microsoft Corporation)
The crooks known as phishers have a brand new scam, according to News.com:

...the phishing e-mails arrive at bank customers' in-boxes featuring accurate account information, including the customer's name, e-mail address and full account number. The messages are crafted to appear as if they have been sent by the banks in order to verify other account information, such as an ATM personal-identification number or a credit card CVD code, a series of digits printed on the back of most cards as an extra form of identification.

This is an especially dangerous scam because it leverages real consumer data that the bad guys may have already collected through other means. Consider the ChoicePoint debacle, for example, or any one of the other recent mass disclosures of consumer data.

One hypothetical scenario: a bogus merchant who has already collected consumer data from ChoicePoint is now mass-mailing these phishing messages. The intent would be to collect even more data from victims. This time, perhaps they'll get an ATM PIN to augment the bank account number they've already stolen.

Just a reminder: if you're interested in seeing how to detect phishing and fight back against the phishers themselves, check out this previous blog entry.

In the meantime, I'd double-check every email from a supposed financial institution by voice-calling the firm.

News.com: New phishing attack uses real ID hooks
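The lesson of this scam is that an accurate name and account number no longer prove a message is genuine, so a mail filter has to score what the message asks for and where it points, not how well it knows the customer. The following is an added illustration, not code from the original post or from News.com; the bank domain, sender address and sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Authenticators that a bank never solicits by e-mail (PIN, CVD code, password).
SECRET_REQUEST = re.compile(
    r"\b(pin|personal identification number|cv[vdc]|security code|password|passcode)\b",
    re.IGNORECASE)
URL_HOST = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)
PHISHING_THRESHOLD = 3

def _belongs_to(host, domains):
    host = host.lower().split(":")[0]
    return any(host == d or host.endswith("." + d) for d in domains)

def assess_bank_email(raw_message, bank_domains):
    """Score a plain-text RFC 822 message that claims to come from the bank.
    Personalisation (customer name, account number) is ignored on purpose."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    score, reasons = 0, []
    if SECRET_REQUEST.search(body):
        score += 3
        reasons.append("asks for a PIN/CVD/password, which no bank does by e-mail")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not _belongs_to(sender_domain, bank_domains):
        score += 2
        reasons.append("sender domain %r is not the bank's" % sender_domain)
    foreign = sorted({h for h in URL_HOST.findall(body) if not _belongs_to(h, bank_domains)})
    if foreign:
        score += 2
        reasons.append("links to non-bank hosts: " + ", ".join(foreign))
    return score, reasons

def is_phishing(raw_message, bank_domains):
    return assess_bank_email(raw_message, bank_domains)[0] >= PHISHING_THRESHOLD

# Constructed sample: correct-looking customer data plus a request for the PIN.
PHISH = """\
From: "Example Bank Security" <alerts@example-bank-secure.test>
To: jane.doe@example.test
Subject: Verify your account 1234567890

Dear Jane Doe,
Our records show that account number 1234567890 needs verification.
Please confirm your ATM PIN and the CVD code printed on your card at
https://example-bank.verify-login.test/confirm within 24 hours.
"""
```

Running `assess_bank_email(PHISH, {"example-bank.test"})` flags the message on all three counts even though every customer detail in it is correct.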